Guidelines Followed by CERT-In Empanelled Information Security Auditor to get your Organization Audited

It is more than evident that connecting to the world with the latest IT resources not only creates massive opportunities for businesses, but also brings huge risks in terms of cybersecurity. And in the challenging times of the COVID-19 pandemic, such risks of cyberattacks have increased by more than 80%.

Security audits, on the other hand, could measure the level of protection that your existing security checkpoints offer and let your business revamp its security resources based on the latest security trends. And who could do it better than the auditors who are empanelled by CERT-In.

What is CERT-In?

CERT-In, the Indian Computer Emergency Response Team, was created by the Department of Electronics and Information Technology, Government of India, in 2004 to handle the serious challenges in the domain of information security. As the National Incident Response Centre for Indian cyberspace, CERT-In plays an important role in tackling countrywide data security vulnerabilities and incidents as and when they happen.

Recognized as a flag bearer of cybersecurity in India, CERT-In’s primary role is to increase the awareness in the Indian cyber community regarding the criticality of security and also assist and advise stakeholders on preventing and mitigating security incidents. It also provides expert security advice to users and system administrators on how to efficiently utilize the security infrastructure they have in place.

What is CERT-In Empanelment?

CERT-In empanelment is a form of approval or acknowledgment of the domain knowledge and expertise an auditing organization has in data and information security. CERT-In empanels organizations to conduct IT security audits, which include penetration testing and vulnerability assessment of security systems, applications, and networks belonging to auditee businesses and other critical sectors, including the government.

The auditing organizations which are empanelled by CERT-In to conduct security audits assess the performance and effectiveness of security controls placed in the auditee organizations. They also determine the health of other information resources that play a major role in the organization’s performance and check their systems for potential vulnerabilities.

Now that we know about CERT-In and CERT-In empanelment, let’s discuss why CERT-In is so important for businesses across India before moving forward with the requirements and guidelines regarding CERT-In empanelment.

The Role of CERT-In according to the Information Technology Amendment Act 2008

According to the Indian Government’s Information Technology Amendment Act 2008, CERT-In has been designated to perform the following major security functions:

1. To Forecast Cybersecurity Alerts and Report Incidents

CERT-In has been recognized as the National Incident Response Centre in the Indian cybersecurity ecosystem and one of its major roles is to report cybersecurity incidents to the general public. Also, on a regular basis, CERT-In alerts businesses and government agencies about the latest cybersecurity trends and prevailing threats.

2. To Set Up Emergency Protocols for Tackling Cybersecurity Incidents

An important role of CERT-In, as established by the act, is to set up emergency guidelines and security protocols in order to handle the aftermath of cybersecurity incidents. These protocols include steps that must be taken for the containment, mitigation, and recovery from the security incidents and minimize the losses incurred.

3. To Collect, Analyze and Broadcast Critical Information on Cybersecurity

As a primary cybersecurity research organization, CERT-In also collects, analyzes, and passes on the important insights in terms of security controls to businesses and agencies across India.

4. To Co-ordinate Response Activities After Cyber Incidents

Several organizations may not have the required expertise and in-house capabilities to carry out response activities after a security incident. CERT-In draws up the incident response plan for such an organization and lays out and co-ordinates the critical response activities which must be carried out after the incidents.

5. To Issue Guidelines Regarding the Prevention and Reporting of Cyber Incidents

CERT-In is designated by the information security act to issue guidelines, whitepapers, and guidance regarding the vulnerabilities related to cybersecurity. The agency is also responsible for laying out the procedures and practices to prevent and report incidents as and when they are recorded.

Now let’s skim through the requirements set up by CERT-In for auditing organizations.

Requirements of IT Security Audit for Auditing your Organization


There are certain requirements that IT security auditing organizations must follow before conducting a security audit of your organization. Some of them include:

● The auditing organization must perform a detailed ‘Risk Assessment’ and document the mapping of all system and network ‘Vulnerabilities’. The documentation of present security measures and the level of protection they provide should also be done.

● The documentation of ‘Penetration Tests’ and the exploitation of possible ‘Vulnerabilities’ in the systems and networks should also be done.

● The auditing organization also needs to prepare a detailed ‘IT Security Audit Report’ bringing out all the action items clearly.

● The ‘IT Security Audit Methodology’ being followed should also be defined by the auditors. They should also ensure optimum levels of compliance with the described methodologies.

● The auditors are required to review the auditee’s existing IT Security Policy. They should also ensure that the security controls are adequate as per the established best practices and standard security frameworks like the cybersecurity framework, COBIT, ITIL, and ISO 27001 among others.

● The auditing organizations should recognize the following practices as part of an ‘IT Security Audit’:

1. Vulnerability Assessment

2. Penetration Testing

3. Exploitation of Vulnerabilities

4. Network Mapping

5. Assessment of Application Security

6. Assessment and Review of Security Controls and Policies

7. Malware or Backdoor Detection

8. Incident Response, Forensic Auditing, and Log Review

Guidelines for CERT-In Empanelled Information Security Auditing Organizations

Before empanelling any organization for conducting audits, CERT-In takes several criteria into account and there are some serious guidelines that must be followed before any auditing organization gets approval. The guidelines include:

Technical Qualification/Person

1. People in the auditing organization must have undergone a proper background check before getting employed in the auditing organization. In the case of migration of an employee from one CERT-In empanelled organization to another, a relieving letter or NOC must be presented during the background check.

2. In case the organization performs audits for government and other critical sectors, it must declare its deployed manpower to CERT-In in the required information form. CERT-In has the right to verify or audit such information anytime either from the auditing organization or the auditee organization.

3. Employees must have signed a proper Non-Disclosure Agreement (NDA) at the time of joining with the auditing organization.

4. All the hired employees must have required competency in the fields of security processes, security technology, security controls, and a proper awareness about the ongoing trends in cybersecurity.

5. The auditing organization must have at least 5 employees with the required technical skill set to perform security testing, penetration tests, and thorough vulnerability assessment and possess the ability to evaluate and analyze the results of the tests.

6. There must be a team (known as the Red Team) that can verify the results of the tests conducted by the auditing team (known as the White Team) in the organization.

7. Employees must have good ethics and morals and should be capable of interacting efficiently with senior management and create a relationship of trust.

8. Before issuing the audit certificate, the auditors must audit and test the auditee organization’s website on the prescribed staging server or testing environment, which is generally provided by the hosting service provider.

Commercial Contract

1. After the completion of CERT-In empanelment, the security auditing organizations sign an undertaking that they will render their IT security auditing services to an auditee organization in accordance with the conditions outlined in a commercial contract.

2. This contract would be solely executed between the auditing and the auditee organizations.

3. CERT-In is not a party in any such commercial contract. Moreover, CERT-In is not obliged to assist the empanelled IT security auditing organization in obtaining such a contract.

Quality of Audits

The empanelment status of the IT security auditing organizations largely depends on the quality of the auditing service they provide. The feedback received by CERT-In also determines the status of empanelment, as it reflects the level of satisfaction or dissatisfaction experienced by the auditee organizations.

In order to monitor the quality of service provided by the empanelled organizations, CERT-In generally:

● Carries out a simple or detailed analysis of the IT security auditing task completed by the organization.

● Sends expert security representatives during an ongoing IT security audit to witness and monitor the quality of service.

● Asks the auditee organization to express their opinion and feedback on the quality of the audit.

After thoroughly analyzing the quality parameters and assessing the outcomes of the audits, CERT-In may choose to:

● Put on hold or temporarily withdraw the empanelment status of the IT security auditing organization.

● Offer an opportunity for the organization to improve upon their services by taking necessary corrective action and showcase the quality of service through evidence.

The Procedure to be Followed for Empanelment

1. Organizations applying for empanelment are evaluated by a Technical Evaluation Committee (TEC) on the basis of certain pre-defined criteria in the documentation round. The TEC often calls the applicant organizations for a presentation as well.

2. The capabilities of the applicant organization regarding vulnerability assessment and penetration testing are also evaluated by CERT-In through specially designed skill tests.

3. After all the evaluations, CERT-In publishes the list of all the successfully empanelled organizations on its website.

4. An auditee organization can select any IT security auditing organization from CERT-In’s list without any hassle from CERT-In’s side. Moreover, the format of the security audit report and other conditions are communicated to the auditee organization.

5. While CERT-In doesn’t award any security audit assignments to the auditing organizations, it keeps a track of the quality of auditing services provided in order to comply with the internationally established best practices.

6. Any organization which clears all the required steps of empanelment becomes eligible for empanelment given that it has cleared the required background checks and received clearance from a suitable government agency.

7. An organization which has not received clearance after the background check will not be empanelled by CERT-In even after clearing the 4 steps of empanelment described in the next section.

8. In case of any exceptional circumstance, CERT-In has the right to give relaxation regarding any required qualification.

9. Those organizations who have been empanelled for IT security auditing must follow an undertaking so as to keep all the accessible information confidential.

10. The empanelled organizations should also adhere to the applicable codes of conduct and comply with auditing standards with full professionalism.

Detailed Steps of Empanelment

Empanelment of security audit organizations consists of 4 steps. These steps are followed by detailed background verification and government clearance. We have described the steps here in detail.

Step 1:

In a prescribed format, an application form for empanelment has to be submitted by the auditing organization for 3 years with respect to the year of empanelment. This is subject to complying with the terms and conditions of empanelment and other conditions including the following annexures:

● Annexure-I: The organization has to present a background verification certificate.

● Annexure-II: The organization has to present a consent form.

● Annexure-III: The organization has to present an undertaking regarding the code of conduct.

● Annexure-A: The organization has to present detailed information regarding the last 5 IT security audits conducted during the last 3 years and also submit the copies of any 2 audit reports out of the 5 audits.

After the verification and a detailed assessment of the documents submitted, CERT-In will decide whether the organization was successful in step 1 or not. Only those organizations that were successful in step 1 are considered for step 2.

Step 2:

The organizations successful in step 1 are given virtual test scenarios on DVDs with some applications installed in them. These applications have known vulnerabilities and penetration paths built specifically for in-house and offline tests. The auditing organizations can test these applications at their own premises and are expected to report at least 90% of the known vulnerabilities and penetration test results.

Organizations then report their assessment report to CERT-In. Those organizations that score 90% or more in this step are considered for step 3. Organizations are given a maximum of two attempts in this step.

Step 3:

After clearing the second step, successful organizations are required to take an online VAPT PST (Practical Skills Test) and look out for potential vulnerabilities and known penetrations in real-time. The security testing challenges are declared online in real-time to the organizations participating in the PST.

After the organizations submit their VAPT reports, the results are declared by CERT-In. On the basis of the submitted report, those scoring 90% or more are considered for step 4. Similar to step 2, in step 3 also the organizations are given a maximum of 2 attempts.

Step 4:

Step 4 is basically a Personal Interaction Session where the TEC meets the participating organizations who cleared step 3 in Delhi as well as in Bangalore to have a formal interaction. This step generally includes:

● In-person meeting with the eligible auditor team of a given size. According to the information form submitted to CERT-In, this team must include technical personnel with some formal security testing background.

● A thorough interpretation of the vulnerabilities found and means of exploiting used by the auditing organization.

● A step called Technical Competence Verification is also carried out at CERT-In or IISc Bangalore, whichever is suitable.

Some other important guidelines for auditors and auditee organizations include:

● The auditing organization should help the auditee business in the identification of the scope of the security audit.

● The auditors are advised to employ industry-standard techniques and other recommended best practices to conduct security testing. Strictly tool based testing must be avoided.

● The environment in which the application is tested in the case of web application security audit must be mentioned clearly.

● The auditing organization must ask the auditees to provide suitable feedback on the conducted audit. The feedback should be given to CERT-In as well as the auditing organization.

● CERT-In’s logo should not be used by the security auditors under any circumstances so that any case of dispute can be avoided.

● Auditors should provide quarterly reports to CERT-In about information related to IT security audits, the sector, and the number of audits carried out and the related findings and emerging security threats in the information security landscape.

● The disclosure and sharing of any auditee related information should only be done if the auditee organization permits the auditors to do so.

Benefits of CERT-In Empanelled Information Security Audit for your Organization


Now that we know how organizations get empanelled by CERT-In to carry out security audits for businesses like yours, let’s see why such audits can be so beneficial for your organization:

1. Security audits help safeguard your data and keep you compliant with regulations

Audits by CERT-In empanelled organizations use the appropriate standards to assess your position in terms of data security and where your organization stands in terms of compliance. Just because those regulations are mandatory doesn’t mean they have to be troublesome. Such audits help you stay on track with regard to such regulations and assist you in keeping a check on your data security practices.

2. Audits help you improve your security posture at minimal costs

CERT-In empanelled IT security audits help you achieve your security goals at minimal costs. By finding out the most efficient ways to enhance the security posture of your current infrastructure and minimizing the waste of your resources on ineffective and outdated practices, these audits help you protect your security infrastructure in the best way possible.

3. They help you identify gaps in your current practices

The most important aspect of getting a security audit done is to determine the current pain points and gaps in the existing security controls and practices. If you go for a standard security audit, you won’t have to wonder whether your systems will remain robust in case of a security incident but you can know for sure where the gaps lie in your system and think of ways to fix them in advance.

Final Thoughts

Under the ongoing circumstances, security specialists across businesses are continuously bracing themselves against probable security incidents. Practically, you and your business can’t afford such serious problems, which can hamper your resources and business competitiveness to a great extent. That is why you need a standard IT security audit to act as a proper defense against ongoing cybercrime and highlight loopholes in your current system.

CERT-In’s rigorous empanelment process ensures that such audits are conducted with the required level of expertise and technical skills and the best results are achieved. These audits can not only give you important insights and assist you with strategic solutions but also enhance your overall security posture and help you get ready to fight with the security vulnerabilities in the current landscape.

Published on Aug 31, 2020
Written by Harshit Agarwal
Harshit Agarwal is a serial entrepreneur, passionate about end-to-end mobile app security. As a Microsoft Venture Accelerator alumni and CEO of Appknox, he works with enterprises globally ranging from some of the top Fintech companies to Fortune 100 businesses in setting up continuous mobile application security processes.
