A new body — Computer Emergency Response Team – Tamil Nadu (CERT-TN) — will be responsible for implementing the state’s new cybersecurity policy. CERT-TN will also be responsible for the cybersecurity hygiene of all the departments and agencies under the administrative control of the state government. It will act as a statutory body whose advisories, guidelines and instructions will be applicable to them.
Under the Tamil Nadu government’s new cybersecurity policy, released on September 19, all state government departments will have to nominate a senior officer, preferably with IT experience, as the chief information security officer (CISO). The CISO will identify and secure information assets, and apply advisories given by the state Information Technology (IT) Department. In addition, each organisation will have a Crisis Management Cell (CMC) to deal with potential cyber attacks.
CERT-TN will onboard the departments through an Initial Cyber Security Preparedness and Maturity Assessment where they will be graded on key performance indicators.
The policy has prescribed an email retention policy after which emails must be automatically deleted. Interestingly, the cybersecurity policy also has a section on social media to determine how employees “should conduct themselves via the Web” to “protect the online reputation of the Department”. The social media policy encourages the principle of data minimisation when it comes to collecting data on social media. It also discourages departments from reusing old passwords and instead recommends technological constraints to prevent individuals from doing so.
CERT-TN will be the first state-level CERT in India. In an interview with MediaNama, India’s National Cyber Security Coordinator Lt Gen. (Dr) Rajesh Pant had emphasised the need for state-level security operations centres (SOC) and CSIRTs (Cyber Security Incident Response Teams). “One CERT-In cannot look after such a large nation as ours,” he had said. Establishing a state-level CERT, as Tamil Nadu plans to, will divide the volume of incidents, data, responses and plans that CERT-In needs to deal with. The policy makes it clear that all state government IT assets will be within the purview of CERT-TN while central government assets will remain with CERT-In. In case of crises, CERT-TN will defer to CERT-In for direction and guidance.
Despite establishing an SOC within its cybersecurity architecture, the Tamil Nadu government does not define its role, or how it would interact with CERT-TN. The policy also does not set any security safeguards for data processing and storage. The composition of CERT-TN and SOC-TN has also not been specified.
Whom is it applicable to?
- All state government departments and associated agencies
- All central government infrastructure and personnel who give services to the Tamil Nadu government
- All information assets including hardware, applications, services that the government provides to other government departments, industry or citizens.
- All private companies that work for Tamil Nadu government, and all data of government/citizens that is in control of such an agency. In case of doubt, the private company will contact the contracting government agency or the IT Department of Tamil Nadu government.
Functionally, information security management activities include:
- Security Architecture Framework (SAF-TN)
- Best practices for governance, risk management and compliance (GRC)
- Security operations (SOC-TN)
- Incident management (CERT-TN)
- Awareness training and capacity building
- Situational awareness and information sharing
Role of the IT Department, the nodal department for state cyber security
The Information Technology Department within the government of Tamil Nadu will be the nodal department for cybersecurity. Apart from conducting training and awareness programmes for government and citizens on cybersecurity, it will
- Provide safe hosting for servers, apps, and data of different departments and agencies
- Advise departments on procurement of IT equipment or services
- Establish the Cyber Security Architecture of Tamil Nadu (CSA-TN) (more on that below)
- Formulate and issue cybersecurity related policies for TN government along with the laws to buttress them
Components of the Cyber Security Architecture
The Cyber Security Architecture of Tamil Nadu (CSA-TN) will be executed by the Electronics Corporation of Tamil Nadu Limited (ELCOT), a public sector undertaking by the TN government, and the Centre for Development of Advanced Computing (C-DAC), Chennai, a research and development organisation under MEITY.
The architecture will also give the government departments access to “Central Resources of Audit, Compliance, Incident Handling Assistance and Monitoring” without restricting their ownership and handling of resources.
CSA-TN will include:
- Security Architecture Framework (SAF-TN)
- Security Operations Centre (SOC-TN)
- Cyber Crisis Management Plan (CCMP-TN)
- Computer Emergency Response Team (CERT-TN)
CERT-TN: The centre of all action
The SAF-TN will be implemented by CERT-TN. CERT-TN will monitor, detect, assess and respond to cyber vulnerabilities, events that threaten cybersecurity, and any incidents. CERT-TN will be the statutory body that issues directives, guidelines and advisories for government departments to follow and to enforce cybersecurity practices.
All external disclosures of security incidents (such as breaches) will be reviewed by the competent authority. It is not clear who this authority is.
CERT-TN will coordinate with state or national Computer Security Incident Response Teams (CSIRTs), government agencies, law enforcement agencies, research labs or information analysis centres. After specific approval from the TN state government, CERT-TN can share vulnerability, incident or artefact information that identifies information assets of the government departments.
How to deal with security incidents?
CERT-TN will handle all cyber incidents — via Incident Response and Handling (IRH) — using “appropriate level of expertise for Receipt, Ticketing, Triage, Analysis and develop Containment or Response Plan”. A Standard Operating Process Manual must be documented, reviewed, approved, and updated to help with incident response.
Standards to prioritise cyber incidents will be defined on the basis of the criticality of the affected resource and its impact. “Response Expectation should be stated by the Incident Priority Level”. Data that is collected for incident analysis must maintain a foolproof chain of custody. This data will vary across incidents but only relevant data must be collected.
Automated vulnerability scanning: CERT-TN will also regularly scan all IT assets for vulnerabilities in an automated, non-intrusive manner. Reports from these scans will be validated by experts manually.
How to report a vulnerability?
If it is a vulnerability that affects any software, hardware, online application or service that affects government departments, it can be reported to either CERT-TN or to the respective vendor. In case the vulnerability affects an e-governance service offered by the TN government, it can only be reported to the CERT-TN or to the relevant government department. To report the vulnerability, its evidence must be shared securely.
The incident reporter is not allowed to publish the vulnerability publicly until the situation has been resolved and the systems fixed. A good-faith reporter will not be penalised, and their contribution to discovery and resolution will be publicly credited by CERT-TN. Good faith here means cooperating with stakeholders in resolving the vulnerability and minimising its impact. The reporter is not allowed to compromise the system, exfiltrate data, or carry out actions that affect the system’s availability or are intrusive in nature. It is not clear if actions of ethical hackers, who usually discover vulnerabilities by attacking the systems in good faith, will be protected.
The life cycle of a vulnerability
After the vulnerability is reported, a receipt and ticket will be generated, the report will be triaged and analysed for criticality, and a containment or response plan will be developed. CERT-TN will work with a “suitable” agency to patch, update, remove or mitigate the vulnerability. It is not clear if this “agency” includes private companies. The government department or vendor should ideally patch the vulnerability within 30 days.
Assess critical information infrastructure (CII): CERT-TN will regularly assess the government’s CII for security and resilience maturity through both announced and unannounced engagements. For that, the department’s nodal officer will coordinate with CERT-TN to provide user/system-level access to any “computing, processing, storing or communication devices, access to log traffic, records or to monitor access to work areas or premises”.
Spread information: CERT-TN will release timely alerts, advisories, announcements, news bulletins, tips and periodic reports on its website and social media handles.
A coordination centre (CoC) will be the nodal intermediary between CERT-TN and the state government departments, CERT-IN, state CERTs, law enforcement agencies, media and other stakeholders. CoC is a department within the CERT-TN.
The help desk will validate contacts of nodal officers of departments, state CERTs, CERT-In and update them monthly. Incident or vulnerability reports will be recorded and accepted at the help desk and for “non-serving requests”, it can redirect them to relevant sources or send “out of scope” as a response.
Dealing with cyber attacks, cyber terrorism: Cyber Crisis Management Plan
To deal with cyber attacks and cyber terrorism, CERT-In has proposed a Cyber Crisis Management Plan (CCMP) that gives guidelines for dealing with them. The three components of CERT-TN — incident response and handling (IRH), help desk and coordination centre — will implement the plan.
The TN government has also constituted two committees for this purpose:
- High Level Security Governance Committee
- Technical Committee for Security Governance
Under the CCMP, each state government department will have a Crisis Management Group (CMG) which includes:
- Secretary to Government as chairperson
- Heads of all organisations under the administrative control of the department
- CISOs/deputy CISOs within the department
The CMG will coordinate with CERT-TN during a crisis, deal with cyber crisis at Level 3 and report the developments to the State Crisis Management Committee (SCMC), seek directions from SCMC and ensure their implementation, prepare a contingency plan with CERT-TN which will be submitted to the SCMC and CERT-In on revision. The CMG will also ensure that the Crisis Management Cell (CMC) — a body in each organisation that includes its head, CISO, head of HR/administration, head of IT department — implements the given directions.
Best practices defined in the IT security policy are minimum mandatory requirements
The CISO of each government department will formulate the security policy for assets under their control. They may seek the help of the TN IT Department, if required. These will be formulated on the basis of latest guidelines and best practices made available on the CERT-TN website. These will act as the minimum mandatory requirement for the government department.
These departmental security policies will only deal with IT security aspects, not with other related concerns such as procurement, email retention, social media, etc. Policies that need regulations to enforce them will be added after approval via due process.
Procurement policy will highlight trusted vendors
The procurement policy will:
- Create and maintain testing infrastructure and facilities for IT Security Product Evaluation and Compliance Verification according to global standards and practices
- Build relationships with product/system vendors and service providers to improve supply chain security visibility
- Create awareness of threats, vulnerabilities and consequences of breach of security among entities to manage supply chain risks related to IT
- Encourage entities to adopt Guidelines for Procurement of Trustworthy ICT Products
- Provide for procurement of indigenously manufactured ICT products that have security implications
It is not clear if this is the procurement policy for all the state government departments, or guiding principles for the CISO to formulate one.
Emails to be automatically deleted after retention period lapses
All servers of SOC-TN will retain:
- general emails for 5 years
- administrative and human resource emails for 7 years
- invoices, sales records and CEO correspondence for 10 years or forever
- spam emails: never retained
After the retention period lapses, the systems need to be set up in such a way that emails are automatically deleted. This way, the data will not “become an unnecessary liability”.
The policy acknowledged that a harmonised email retention policy is important to save space on email servers and to comply with federal and industry record-keeping regulations. “Proper” email retention policies will help the state government track outbound, inbound and internal communication to ensure compliance.
‘Don’t react’: Social media policy
- Let subject matter experts respond to negative posts: Only “certified” online spokespersons should respond to negative posts online. If a TN state government employee sees such a post, they should pass it to the official spokespersons “who are trained to address such comments”.
- Organisation’s media accounts shouldn’t be linked to individual email accounts: The policy recommends that the organisation’s social media profile/site/page should be linked to a general work email address that can be made accessible to anyone in the team. This way, individual privacy will not be compromised.
- Clearly define social media account ownership: Citing legal disputes over who owns an organisation’s social media account and its followers in the past, the policy recommends clear boundaries around account ownership.
- Disclose if the department is collecting personal information on social media: For instance, during a public consultation, it is not necessary to save the email address of every respondent; just saving the responses may suffice.
Passwords should not be repeated, must be changed regularly
Different servers in the government should have different passwords since all systems with the same password “will only be as secure as the Least Secured System”. Similarly, to prevent individuals from reusing old passwords, the policy recommends using a password history that remembers at least 10 previous passwords.
Passwords must be changed: To prevent people from circumventing the 10-password history, the policy has also recommended a minimum password age policy that prevents users from changing to a new password and then immediately changing back to an older, more comfortable one. Similarly, it has recommended a maximum password age policy after which passwords must be mandatorily changed. For network security, the prescribed duration is 90 days for passwords and 180 days for passphrases. Local administrator passwords would need to be reset every 180 days and service account passwords every year, during maintenance. From a nudging perspective, it has recommended that users be reminded of password expiry via email notifications.
It has also recommended a minimum password length policy of at least eight characters that could be increased to 14 characters with complexity guidelines:
- Passwords cannot contain user name or part of the user’s full name
- Passwords must contain three of the following: lowercase letters, uppercase letters, numbers, symbols
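The rules above (eight-character minimum, three of four character classes, no user-name or full-name fragments, a 10-password history, a minimum age and a 90-day maximum age) combine into a single check. The following is an added example, not code from the policy or from any Tamil Nadu government system; the account names are constructed, and the 1-day minimum age is an assumed value because the policy prescribes a minimum age without giving a number.

```python
import hashlib, os, re
from datetime import date, timedelta

# 10-password history, 8-char minimum and 90-day maximum age come from the policy;
# the 1-day minimum age is an assumed value (the policy gives no number for it).
HISTORY_SIZE, MIN_LENGTH, MAX_AGE_DAYS, MIN_AGE_DAYS = 10, 8, 90, 1
CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")

def complexity_problems(password, username, full_name):
    """Return the complexity rules the password breaks (empty list = passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if sum(1 for c in CLASSES if re.search(c, password)) < 3:
        problems.append("fewer than three character classes")
    fragments = {username.lower()} | {p.lower() for p in full_name.split()}
    if any(f and f in password.lower() for f in fragments):
        problems.append("contains user name or part of full name")
    return problems

class Account:
    """Keeps salted PBKDF2 hashes of the last HISTORY_SIZE passwords, never plaintext."""
    def __init__(self, username, full_name):
        self.username, self.full_name = username, full_name
        self.salt, self.history, self.changed_on = os.urandom(16), [], None

    def _digest(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 50000)

    def change_password(self, new_password, today):
        """Return [] and record the change, or the list of rules it breaks."""
        problems = complexity_problems(new_password, self.username, self.full_name)
        if self._digest(new_password) in self.history:
            problems.append("reused one of the last %d passwords" % HISTORY_SIZE)
        if self.changed_on and (today - self.changed_on).days < MIN_AGE_DAYS:
            problems.append("changed too recently (minimum age)")
        if not problems:   # keep only the newest HISTORY_SIZE digests
            self.history = (self.history + [self._digest(new_password)])[-HISTORY_SIZE:]
            self.changed_on = today
        return problems

    def expired(self, today):   # True once the maximum age has lapsed
        return self.changed_on is None or (today - self.changed_on).days >= MAX_AGE_DAYS

def run_demo():   # walk a constructed account through the rules; returns the outcomes
    acct, day = Account("rkumar", "Ravi Kumar"), date(2024, 1, 1)
    weak = acct.change_password("ravikumar1", day)          # name fragment, two classes
    ok = acct.change_password("Tn!Secure2024", day)
    too_soon = acct.change_password("Another#Pass9", day)   # same day: minimum age
    reused = acct.change_password("Tn!Secure2024", day + timedelta(days=30))
    return weak, ok, too_soon, reused, acct.expired(day + timedelta(days=90))
```

The history is kept as salted hashes rather than plaintext so that enforcing the reuse rule does not itself create a store of old credentials.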