The Ministry of Home Affairs and Information Security (CIS) Division have released a 24-page Cyber Security Guideline for the benefit of Government Officials of India.
The guidelines comprise a list of basic minimum precautions to be taken by the Government officials. However, each organization will be required to identify additional measures for information security in accordance with their use scenarios, sensitivity of data, business continuity and other relevant factors.
General Computer Usage
While using a computer, officials are required a few things in mind. All classified work should be strictly carried out only in a standalone computer which is not connected to the internet. Computers should be protected from viruses using an Antivirus software permitted for use by your organization. One is required to treat sensitive data very carefully and use encryption to securely encode sensitive information. One should always back up important files at regular intervals to avoid unexpected loss. Unnecessary programs or services from the computer which are not required for day to day operation should also be removed. Most importantly one is also warned to not leave the computer unattended with sensitive materials onscreen.
General Internet Browsing
General precautions should be taken while browsing the internet, the guidelines say. One should be careful when clicking on links or downloading. If it‟s unexpected or suspicious for any reason, one should not click on it. One should not download any type of files or software from any source other than those allowed by your system administrator and department. One should use a web browser which has been permitted by your Organization. One should also make it a habit of not sharing any sensitive information on any device that is connected to the Internet. One should also make it a habit of clearing history from the browser after each logout session.
Unauthorized access is a major problem for anyone who uses a computer or devices such as smartphones or tablets. The consequences for victims of these break-ins can include the loss of valuable data such as classified information, personal data etc. One of the most common ways that hackers break into computers is by guessing passwords. Thus it is important to take the following safety measures: It is necessary to create a strong password with a minimum length of ideally 10 characters and comprising of mix of alphabets, numbers and characters. All passwords (e.g., email, computer, etc.) should be changed periodically at least once every three months. Passwords should not be stored in readable form in computers, notebook, notice board or in any other location where unauthorized persons might discover it.
Removable Information Storage Media
One of today's biggest security concerns is the use of removable storage devices (USB devices such as pen drives, CD-RW, DVD-RW, Blu-ray discs, Media cards etc.,) in their networks. The amount of data that can be quickly copied to removable storage devices is increasing every day. While these devices can significantly boost productivity, they can also cause dangerously high risks in data security and control policies. The following measures should be observed, Autorun and Autoplay feature must be disabled for all removable media. The classified data should be encrypted before copying into the removable storage media designated to store classified information. The Classified information should be stored only on organization allocated removable storage media for work purpose. The computers should be enabled with “Show hidden file and folders” option to view hidden malicious files in USB storage devices.
One should use only the Government provided an email address for official communications. The system administrator may deploy appropriate controls to restrict the use of personal email address for any official communications. One should avoid downloading email attachments or clicking on suspicious links received in emails from unknown or untrusted sources. In the case of emergent requirements to do so, the approval of competent authority should be obtained. One should never forget to logout from mail accounts after your work is done.
Home Wi-Fi Network
Insecure wireless configuration can provide an easy open door for malicious threat actors. Government officials may use their home Wi-Fi network to do office work and in order to secure their home WiFi network, they should observe certain practices. One should turn on WPA2 or higher encryption feature in wireless routers. One should turn off your wireless router when not needed for any extended period of time. It is important to update the firmware of wireless devices regularly as it will reduce the number of security loop holes in the device. One should not forget to disable remote management feature in routers to protect against unauthorized access.
Use of Social Media by Government Officers/Officials
All personnel including employees, contractual staff, consultants, partners, third-party staff, etc who manage, operate or support information systems, facilities, communication networks; and information created, accessed, stored and processed by or on behalf of the Government of India, unless authorized to do so, shall not access social media on any official device (computer, mobile etc.). Disclosing of official information on social media or social networking portals or applications should also be prevented.
Avoiding Social Engineering Attacks
One should be careful of unsolicited phone calls, visits, or email messages from individuals asking about personal or other Government information. If an unknown individual claim to be from a legitimate organization, try to verify his or her identity directly with the company. Phishing is one of the common type of social engineering scam whereby the hacker typically sends an email or text to the target, seeking information that might help with a more significant crime.
Thorough implementation of these guidelines will ensure that the officials are able to carry out their duties with ease and efficiency and will also be effective in checking cyber-related crime.