Ever come across the term ‘CERT-IN certification’ and wondered about its implications for your company’s cybersecurity policies? CERT-IN, or the Indian Computer Emergency Response Team, is a government-approved organization for upholding information technology (IT) security. It was initiated in 2004 by the Department of Information Technology to implement the provisions of the 2008 Information Technology Amendment Act.
CERT-IN is majorly responsible for:
- Responding to incidents of computer security
- Collecting, analyzing, and distributing information on cybersecurity attacks and vulnerabilities
- Putting in place emergency responses for handling cybersecurity attacks
- Preparing forecasts and alerts for any security problems observed
- Heading cyber incident response activities and their coordination
- Issuing notices, advisories, guidelines on dealing with attacks, and whitepapers, covering information security, attack prevention, incident response, and reporting practices
- Vulnerability reporting and management
- Ensuring holistic and efficient IT security policies throughout India.
CERT organizations exist throughout the world, the first having been formed in the USA. They mostly function independently, with only a few coordinated activities reported.
What does CERT-IN certification entail?
In simple words, a CERT-IN certification is a certificate issued by a CERT Empanelled Security Auditor after a detailed security audit. Such an audit necessarily covers all components of the organization’s network – websites, systems, applications, etc. The entire process is conducted according to the specific CERT-IN guidelines for IT security audits. Once testing is complete, the certificate is issued to show that all requirements were met.
What do CERT-IN guidelines talk about?
There are official rules on how security auditors should deal with companies seeking CERT-IN certification. Some of the parameters of the auditing process are:
- Components of the audit – with characteristics
- Expectations of the company getting audited
- General rules of the process
- Snapshot – includes information on the process and details of technical manpower
- Details of the third-party hosting service provider
- Definition of the relationship between the auditor and the auditee
- Disclaimers (if applicable)
When looking to obtain CERT-IN certification, ensure that your security auditor meets world-class standards and follows best practices. The CERT-IN guidelines set certain benchmarks that your company may have to meet, and your auditor should be aware of them.
The ideal approach is to research both your company’s requirements and the auditor’s credentials and expertise. Standards to look out for include ISO 27001 (information security management) and ISO 9001 (quality management). Other features the auditor should offer within the testing include:
- Technical testing for internal vulnerabilities – This kind of vulnerability assessment targets your networks, devices, and servers. It identifies weaknesses within the IT infrastructure so they can be remediated.
- Penetration testing within the audit – The auditor must include penetration testing of the company’s web applications and networks, including those shared with government and other stakeholders. Networks and servers of organizations that undergo information security audits annually are best included in scope.
- Boosting client credibility – Obtaining CERT-IN certification from a reputed security auditor helps a company stay ahead. Routinely identifying possible security risks and rectifying them increases customer and partner trust.
Types of organizations that require CERT-IN certification
CERT-IN certification is an efficient way to attest to the security of Indian organizations, and hence benefits most of them. Here’s a list of organizations that can particularly gain from this certification standard:
- RBI and banks – Companies, or users of software, covered by:
  - RBI – Cybersecurity Framework for Banks
  - RBI – Cybersecurity Framework for Urban Cooperative Banks
  - RBI Guidelines for Cybersecurity in the NBFC sector
- RBI and online payments – Companies and software that come under RBI Guidelines for Payment Aggregators and Payment Gateways
- Companies that conduct business related to software, hardware, or other cyber services with the Government of India
- SEBI and companies – Companies and related software that fall under the SEBI Cybersecurity and Cyber Resilience Framework
- Companies hosting applications or portals online through the National Informatics Center (NIC)
- Companies, or users of software, that must follow the UIDAI AUA/KUA compliance rules
- Companies selling, licensing, or deploying software and services to organizations subject to the ISNP Security Audit (under the IRDA mandate).
NOTE: The ISNP Security Audit applies to insurance companies setting up electronic platforms for their services, in accordance with the rules and regulations of the Insurance Regulatory and Development Authority of India (IRDAI).
What’s the process to get a CERT-IN Certificate?
Here’s an overview of the steps you can expect in a typical CERT-IN certification process:
Basic and detailed audit of the system
The security auditor conducts a comprehensive level 1 audit of all aspects of your organization – websites, applications, and the entire network. Once this is done, a detailed VAPT report covering all methods used and findings is submitted.
When the vulnerabilities discovered in the level 1 audit have been patched, the process moves on to level 2. This involves testing the system again to confirm that the patches and fixes have worked. It also covers new vulnerabilities that may have appeared and anything that was missed the first time.
Issuing the certificate after the final checks
After verifying that everything has gone according to plan, the CERT-IN Security Certificate is issued, along with supporting documentation and compliance reports that your customers and/or partners may request.
While the entire process may seem to fit concisely into three steps, it should not be forgotten that vulnerabilities are many, unique, and hidden. Instead of treating this exercise as a mandatory burden, companies should take the opportunity to strengthen their systems and build long-term security.
The CERT-IN department under the Government of India deals with a variety of topics related to cybersecurity, and certification from such a reputed organization strengthens your organization’s security posture. In some cases, obtaining a CERT-IN certificate is mandatory for legal reasons. However, the testing process is delicate and needs to be handled by certified auditors with adequate expertise. Astra Security is empanelled by CERT-In to provide information security auditing services. Issues that may compromise the system can be detected, and the right steps can be taken to address and remedy them.