 "Cyber security agency cautions govt over engaging foreign IT audit firms")
India's cyber security nodal agency Cert-in has issued an advisory to government organisations over the hiring of foreign companies for their IT security audit and asked them to take clearance from the Home Ministry before roping in such firms.
The Indian Computer Emergency Response Team (Cert-In) in a letter dated November 21 to public organisations said that engaging foreign firms for auditing system of government organisations and critical sectors may expose sensitive information to entities or individuals with foreign links.
"In relation to the process of engaging the CERT-in empanelled IT security auditing organisations, on the advice of Intelligence Bureau/MHA, it is felt necessary to issue the following advisories to ensure that the engagement process is secure and does pose a threat to sensitive date/information belonging to the government and critical sectors," CERT-In said.
Cert-in, which is under the electronics and IT ministry, is the national nodal agency to secure Indian cyber space. It alerts about cyber security incidents and threats, provides emergency measures to handle cyber threats and issues guidelines and advisories relating to security practices and reporting of cyber incidents.
The agency has empanelled around 90 organisations, including foreign companies like KPMG, PricewaterhouseCoopers and Indian companies with foreign partnerships, for the audit of IT systems.
"Since engaging non-Indian firms for auditing requirements by the government organisations and critical sections may involve exposing sensitive information to non-Indian persons/entities or having foreign links, the concerned government ministries/organisations should obtain NOC from MHA before engaging any non-Indian firm," the advisory note said.
CERT-in has asked organisations to ensure that every audit firm and its auditors engaged should sign non-disclosure agreements before being allowed to commence the cyber security audit work.
"To the extent feasible, it may be ensured that any data collected during the auditing work and report prepared thereof is not allowed to be taken out of the government premises by such auditors or firms," the note said.
The cyber security watchdog has asked organisations to exercise caution even while engaging audit firms empanelled by it.
You’ve reached your limit of {{free_limit}} free articles this month.
Subscribe now for unlimited access.
Already subscribed? Log in
Subscribe to read the full story →
Smart Quarterly
₹900
3 Months
₹300/Month
Smart Essential
₹2,700
1 Year
₹225/Month
Super Saver
₹3,900
2 Years
₹162/Month
Renews automatically, cancel anytime
Here’s what’s included in our digital subscription plans
Exclusive premium stories online
Over 30 premium stories daily, handpicked by our editors
Complimentary Access to The New York Times
News, Games, Cooking, Audio, Wirecutter & The Athletic
Business Standard Epaper
Digital replica of our daily newspaper — with options to read, save, and share
Curated Newsletters
Insights on markets, finance, politics, tech, and more delivered to your inbox
Market Analysis & Investment Insights
In-depth market analysis & insights with access to The Smart Investor
Archives
Repository of articles and publications dating back to 1997
Ad-free Reading
Uninterrupted reading experience with no advertisements
Seamless Access Across All Devices
Access Business Standard across devices — mobile, tablet, or PC, via web or app