Indian stock markets given ten day deadline to file infosec report, secure board signoff

Another rush job for busy Indian IT shops


Indian IT shops have been handed another extraordinarily short deadline within which to perform significant infosec work.

This time the source of the edict is the Securities and Exchange Board of India (SEBI), which on May 20 published modifications to the "Cyber Security and Cyber Resilience framework" it issued in 2015. That framework applies to market infrastructure institutions (MIIs): stock exchanges, clearing corporations and depositories.

Among the modifications, equipment rated "critical" and therefore subject to regular security review and testing has been expanded to any internet-facing application, and any system that stores personally identifiable information. Anything that interacts with other critical systems for operations or maintenance is now also classified as critical.

MII boards must sign off on lists of critical systems.

Stock exchanges and other entities mentioned above have also been told to "maintain up-to-date inventory of … hardware and systems, software and information assets (internal and external), details of … network resources, connections to … network and data flows."

The update also orders increased frequency of security audits, and requires they be undertaken only by organizations approved by the Indian Computer Emergency Response Team.

And the sting in the tail?

"All MIIs are directed to communicate the status of the implementation of the provisions of this circular to SEBI within 10 days from the date of this circular."

Just how one gets a board up to speed to sign off on a list of critical infrastructure ten days after the issuance of a circular is anyone's guess. The Register imagines many boards will push back – their duty of care precludes rushing to judgement. Especially because the modified rules were published on Friday, May 20, meaning the ten-day deadline spans two weekends.

The modified rules will likely be most unwelcome at MIIs, as they and all other Indian IT shops are already facing a 60-day deadline to adopt new rules that require reporting of many infosec incidents within six hours of detection, log file retention, and collection of records of customer activities. Those rules have met with considerable opposition. India's government slightly reduced the reporting requirements, but the list of information Indian organizations are required to collect is still long – and the 60-day deadline to be ready for the new reporting requirements was not extended. ®
