India's absurd infosec reporting rules get just 15 followers

2023-03-22 03:30

India's rules requiring local organizations to report infosec incidents within six hours of detection have been observed by a mere 15 entities/.

Analysts quickly pointed out that requiring organizations to report an incident just six hours after detecting it would likely lead to poor-quality reports being filed.

The rules also used unhelpfully vague wording - such as "Unauthorized access of IT systems/data" - to describe reportable incidents, leaving Indian organizations unsure of what they were required to report.

CERT-In also dodged questions - The Register has received no response to multiple inquiries - regarding how it would ingest and analyze the flood of reports its rules would generate, and therefore how they would represent useful intelligence.

International criticism of the scheme followed, as multinational entities complained the rules required them to store more data in India.

While the parliamentary answer doesn't reveal how many entities suffered the reported attacks, 15 entities reporting within the six-hour deadline surely represents a tiny proportion of those required to observe the reporting rules.

News URL

https://go.theregister.com/feed/www.theregister.com/2023/03/22/cert_in_cyber_reporting_ignored/

#india #infosec