The Indian government has issued new directives requiring organizations to report cybersecurity incidents to CERT-IN within six hours, even if those incidents are port or vulnerability scans of computer systems.
This requirement was promoted by India’s Computer Emergency Response Team (CERT-In), which states that it has identified specific gaps causing difficulties in security incident analysis and response, and to address them, it needs to impose more aggressive measures.
These measures and various other provisions were published via a notice yesterday and were integrated into section 70B of the Information Technology (IT) Act, 2000, so they are part of the Indian law, entering into force in 60 days.
The new guidelines also include a section on VPS (virtual private server) and VPN (virtual private network) service providers, who will now be obliged to maintain a record of their users.
Related Readings:
- https://www.pib.gov.in/PressReleasePage.aspx?PRID=1820904
- https://www.cert-in.org.in/PDF/CERT-In_Directions_70B_28.04.2022.pdf
