Cyber Security Guidelines for Government Employees
Information Communication Technology (ICT) has become ubiquitous amongst government ministries and departments across the country. The adoption and use of ICT has increased the attack surface and threat perception to government, due to lack of proper cyber security practices followed on the ground.
This guideline has been complied with the objective to ensure a sanitized and secure framework in the Ministries. CISO is required to sensitize the government employees, contractual/outsourced manpower and build awareness from a cyber security perspective as per the Cyber security guidelines for Government Employees.
The ownership of Compliance of this guideline rests with the CISO of each Ministry/Department.
Cyber Security Guidelines For Government Employees
1. SCOPE AND TARGET AUDIENCE
The following guidelines are to be adhered to by all government employees, including outsourced/contractual/temporary employees, who work for government Ministry/Department.
2. DESKTOP/LAPTOP AND PRINTER SECURITY AT OFFICE
- Use only Standard User (non-administrator) account for accessing the computer/laptops for regular work. Admin access to be given to users with approval of CISO only.
- Set BIOS Password for booting.
- Ensure that the Operating System and BIOS firmware are updated with the latest updates/patches.
- Set Operating System updates to auto-updated from a trusted source.
- Ensure that the Antivirus client installed on your systems are updated with the latest virus definitions, signatures and patches.
- Only Applications/software’s, which are part of the allowed list authorized by CISO, shall be used; any application/software which is not part of the authorized list approved by CISO, shall not be used.
- Always lock/log off from the desktop when not in use.
- Shutdown the desktop before leaving the office.
- Keep printer’s software updated with the latest updates/patches.
- Setup unique pass codes for shared printers.
- Internet access to the printer should not be allowed.
- Printer to be configured to disallow storing of print history.
- Enable Desktop Firewall for controlling information access.
- Keep the GPS, Bluetooth, NFC and other sensors disabled on the desktops /laptops and mobile phones. They may be enabled only when required.
- Use a Hardware VPN Token for connecting to any IT Assets located in Data Centre.
- Do not write passwords, IP addresses, network diagrams or other sensitive information on any unsecured material (ex: sticky/post-it notes, plain paper pinned or posted on users table etc.).
- Do not use any external mobile App based scanner services (ex: Cam scanner) for scanning internal government documents.
- Use of all pirated Operating systems and other software/applications that are not part of the authorized list of software’s should be immediately deleted.
3. PASSWORD MANAGEMENT
- Use complex passwords with a minimum length of 8 characters, using a combination of capital letters, small letters, numbers and special characters.
- Change passwords at least once in 30 days.
- Use Multi-Factor Authentication, wherever available.
- Don’t use the same password in multiple services/websites/apps.
- Don’t save passwords in the browser or in any unprotected documents.
- Don’t write down any passwords, IP addresses, network diagrams or other sensitive information on any unsecured material (ex: sticky/post-it notes, plain paper pinned or posted on your table).
- Don’t share system passwords or printer pass code or Wi-Fi passwords with any unauthorized persons.
4. INTERNET BROWSING SECURITY
- While accessing Government applications/services, email services or banking/payment related services or any other important application/services, always use Private Browsing/Incognito Mode in your browser.
- While accessing sites where user login is required, always type the site’s domain name/URL, manually on the browser’s address bar, rather than clicking on any link.
- Use the latest version of the internet browser and ensure that the browser is updated with the latest updates/patches.
- Don’t store any usernames and passwords on the internet browser.
- Don’t store any payment related information on the internet browser.
- Don’t use any 3rd party anonymization services (ex: Nord VPN, Express VPN, Tor, Proxies etc).
- Don’t use any 3rd party toolbars (ex: download manager, weather tool bar, ask me tool bar etc.) in your internet browser.
- Don’t download any unauthorized or pirated content /software from the internet (ex: pirated - movies, songs, e-books, software’s).
- Don’t use your official systems for installing or playing any Games.
- Observe caution while opening any shortened URLs (ex: tinyurl.com/ab534/). Many malwares and phishing sites abuse URL shortener services. Such links may lead to a phishing/malware webpage, which could compromise your device.
5. MOBILE SECURITY
- Ensure that the mobile operating system is updated with the
latest available updates/patches.
- Don’t root or jailbreak your mobile device. Rooting or Jail breaking process disables many in-built security protections and could leave your device vulnerable to security threats.
- Keep the Wi-Fi, GPS, Bluetooth, NFC and other sensors disabled on the mobile phones. They may be enabled only when required.
- Download Apps from official app stores of Google (for android) and apple (for iOS).
- Before downloading an App, check the popularity of the app and read the user reviews.
- Observe caution before downloading any apps which has a bad reputation or less user base etc.
- While participating in any sensitive discussions, switch-off the mobile phone or leave the mobile in a secured area outside the discussion room.
- Don’t accept any unknown request for Bluetooth pairing or file sharing.
- Before installing an App, to carefully read and understand the device permissions required by the App along with the purpose of each permission.
- In case of any disparity between the permissions requested and the functionality provided by an app, users to be advised not to install the App (Ex: A calculator app requesting GPS and Bluetooth permission).
- Note down the unique 15-digit IMEI number of the mobile device and keep it offline. It can be useful for reporting in case of physical loss of mobile device.
- Use auto lock to automatically lock the phone or keypad lock protected by pass code/ security patterns to restrict access to your mobile phone.
- Use the feature of Mobile Tracking which automatically sends messages to two preselected phone numbers of your choice which could help if the mobile phone is lost/ stolen.
- Take regular offline backup of your phone and external/internal memory card.
- Before transferring the data to Mobile from computer, the data should be scanned with Antivirus having the latest updates.
- Observe caution while opening any links shared through SMS or social media etc., where the links are preceded by exciting offers/discounts etc., or may claim to provide details about any latest news. Such links may lead to a phishing/malware webpage, which could compromise your device.
- Report lost or stolen devices immediately to the nearest Police Station and concerned service provider.
- Disable automatic downloads in your phone.
- Always keep an updated antivirus security solution installed.
6. EMAIL SECURITY
- Ensure that Kavach Multi-Factor Authentication is configured on the NIC Email Account.
- Download kavach app from valid mobile app stores only. Do not download from any website.
- Do not share the email password or Kavach OTP with any unauthorized persons.
- Don’t use any unauthorized/external email services for official communication.
- Don’t click/open any link or attachment contained in mails sent by unknown sender.
- Regularly review the past login activities on NIC’s Email service by clicking on the "login history” tab. If any discrepancy is observed in the login history, then the same should be immediately reported to NIC-CERT.
- Use PGP or digital certificate to encrypt e-mails that contains important information.
- Observe caution with documents containing macros while downloading attachments, always select the “disable macros” option and ensure that protected mode is enabled on your office productivity applications like MS Office.
7. REMOVABLE MEDIA SECURITY
- Perform a low format of the removable media before the firsttime usage.
- Perform a secure wipe to delete the contents of the removable media.
- Scan the removable media with Antivirus software before accessing it.
- Encrypt the files /folders on the removable media.
- Always protect your documents with strong password.
- Don’t plug-in the removable media on any unauthorized devices.
8. SOCIAL MEDIA SECURITY
- Limit and control the use/exposure of personal information while accessing social media and networking sites.
- Always check the authenticity of the person before accepting a request as friend/contact.
- Use Multi-Factor authentication to secure the social media accounts.
- Do not click on the links or files sent by any unknown contact/user.
- Do not publish or post or share any internal government documents or information on social media.
- Do not publish or post or share any unverified information through social media.
- Do not give share the @firstname.lastname@example.org email address on any social media platform.
- It is recommended to use NIC’s Sandes App instead of any 3rd party messaging app, for official communication.
9. SECURITY ADVISORY AND INCIDENT REPORTING
- Adhere to the security advisories published by NIC-CERT (https://nic-cert.nic.in/advisories.jsp ) and CERT-In (https://www.cert-in.org.in).
- Report any cyber security incident, including suspicious mails and phishing mails to NIC-CERT (email@example.com) and CERT-In (firstname.lastname@example.org).
10. CYBER SECURITY RESOURCES
The following resources may be referred for more details regarding the cyber security related notifications/information published by Government of India:
|1||https://www.meity.gov.in/cyber-security-division||Laws, Policies & Guidelines|
|2||https://www.cert-in.org.in||Security Advisories, Guidelines & Alerts|
|3||https://nic-cert.nic.in||Security Advisories, Guidelines & Alerts|
|4||https://www.csk.gov.in||Security Tools & Best Practices|
|5||https://infosecawareness.in/||Security Awareness Materials|
|6||http://cybercrime.gov.in||Report Cyber Crime, Cyber Safety Tips|
All government employees, including temporary, contractual/outsourced resources are required to strictly adhere to the guidelines mentioned in this document. Any non-compliance may be acted upon by the respective CISOs/Department heads.