Introduction to CERT-In
CERT-In (the Indian Computer Emergency Response Team) is the government-empowered information technology agency responsible for responding to computer security incidents, handling vulnerability reporting and promoting safe IT security practices throughout the nation. The organization was established by the Department of Information Technology in 2004 and operates under its guidance and principles. The statutory body is responsible for overseeing the administration of the Information Technology Amendment Act of 2008.
As part of pursuing these objectives and ensuring information security best practices, CERT-In maintains a closed, limited list of certified and authorized security auditors. CEREIV Advisory LLP, with extensive expertise in conducting security audits, is one of the top cyber security auditing organizations empanelled by CERT-In to conduct IT security audits. The nodal agency publishes detailed process guidelines for conducting security audits, and every CERT-In empanelled company must adhere to them.
Process Guidelines for CERT-In empanelled auditing organizations
- A formal binding contract (Non-Disclosure Agreement) should be signed between the auditor and auditee before the security audit process starts.
- Beyond the contract, the auditing organization should display ethical behaviour and ensure confidentiality and non-exposure of auditee information and testing results.
- The auditing organization must meet the timelines committed to the auditee.
- Make sure that there is no expectation gap in conducting audits.
- All audit findings and conclusions should be based on objective evidence and must be properly included in the report.
- All observations and evidence must be well presented and documented so that the auditee can utilize them to make credible risk-based decisions.
- Ensure data confidentiality is well-maintained and followed precisely with the aid of defined and documented procedures during and after the security audits.
- Before the formal initiation of the audit, the auditing organization should produce sufficient information on the team selected for the audit process to the auditee and acquire documented approval for the same.
- CERT-In holds the right to seek and investigate information from the auditing organization about any project undertaken during the period of empanelment.
- The auditing organization should make sure that all recommended security controls and action plans are practically effective and deployable.
- The auditing organization can request auditees to send audit feedback to CERT-In, and to the auditing organization itself, upon successful completion of the process.
- CERT-In should not be a part of the audit contract between the auditor and the auditee.
- The auditing organization should be aware that CERT-In may take part in the audit process to ensure process quality, and must communicate this to the auditee as well.
- The auditing organization should not use the CERT-In logo or references stating its connection on any public or promotional material without CERT-In’s prior consent.
- The auditing organization may use the words "Empanelled by CERT-In for providing Information Security Auditing Service".
- The auditing organization should not use the CERT-In logo or the name for any activities that could hinder CERT-In reputation.
- CERT-In requires auditors to furnish half-yearly reports covering generic audit information, the number of audits performed, audit sector details, high-level findings, and emerging areas for audits.
- An empanelled auditor must keep CERT-In updated with snapshot information.
- An auditing organization should maintain a good relationship with the auditee even after the audit process is complete. It should set up communication channels to notify or alert the auditee about newer information security developments relevant to the auditee environment.
- Auditee information storage requires secure systems located in India with adequate security controls. The auditee data shouldn’t be exposed to any foreign partners unless specifically authorized by the auditee.
- Audit outcomes and findings must be shared only through the designated point of contact of the auditing organization, and secure encryption is required when transmitting this information.
- The auditing organization should only use the official email id for sharing audit reports/information with the auditee.
- Auditing organizations must have a well-organized incident management policy with clear-cut procedures to deal with non-compliance. The incident handling process is to be shared with the auditee.
- In case of incidents that lead to leakage of audit data, the organization must inform the auditee, and take the necessary action to address the incident as may be required.