BSA kicks multiple holes in India's Infosec rules

Digital data security has always been a concerning issue. More so when it is involved with the Government. The Software Alliance (BSA) has pointed out several such problems to the Indian Government and several issues with the infosec guidelines. These recently introduced guidelines need to work on all their flaws, inconsistencies and their impractical necessities, which can only be solved if addressed solely with an in-depth consultation.

The letter also suggested that the requirement for cloud service users to gather "Know your customer" data is unnecessary and is a form of duplication as some customers choose to pay through digital payments- which inevitably means that their personal information has already been compromised shared by card issuers.

According to the guideline, the requirement for all user IP addresses to be collected and logged in is complex as the remote workforce has dynamic IP addresses that change frequently.

As the rules are currently phrased, there remains confusion among service providers and end-users whether one of them require to report infosec incidents or both need to report. The letter was concluded by expressing that these rules would help Cert-In achieve the common goal of more security and the growth of the Indian economy.

In April, the new set of rules was announced nationwide. Implementation began later on June 27th as BSA has requested a delay. The delay was requested due to the requirement of user IP addresses as the organisations spend their time figuring out the vast complexities of matching individual IP addresses.

The letter of the new guideline hints at organisations not having much helpful information to work with once the 6-hour mark has passed. The CERT-In is present to receive reports required under the obligated rules. However, the team has been flooded with partial information that does not help them present data that needs proper action, or worse, filled with erroneous informational data, to begin with.

These detailed and half-viable data could potentially wreak havoc in the CERT-In team. This could also drag the Indian Government down and degrade the security measures.

The letter of guidelines has been polite and respectful towards the organisations. However, the conditions and challenges presented to the organisations were disrespectful even though the written information was much more polite and formal.

The rules are not currently a big mess and need to be worked on to meet the aim of developing Indian cyber security.

BSA also asked not to assert FAQs as it is problematic in and of themselves. Since CERT-In works with FAQs that are not official documents, these explanatory FAQs will only slightly soften some of the reporting requirements.

Several other calls for attention require more comprehensive consultation with BSA, such as - The express VPN server moving out of India to prevent the retention law of customer data.

Stock markets are getting 10 days deadline to file an infosec report Probing ZTE and Vivo over finances and, in turn, sparking protests among the Chinese Indian Government accusing Uber of spiking up the prices for dedicated customers.

Much of 2022 was spent by the Prime Minister of India, Mr Narendra Modi using the term" Techade" to describe the policies of developing governmental digital services. He used this term to express his plans to grow the Indian economy by drawing the attention of foreign investments to the nation's technological and manufacturing industries.

AWS, Cisco, Adobe, Intel, Microsoft, Salesforce, SAP and IBM are some offshore entity companies currently investing in India. These same companies are now complaining about India making it a hostile business environment along with inadequate infosec regulations.

With such significant flaws and potential security data breaches, BSA has requested reviewing the guidelines set to work with. This is to improve security and develop foreign investment with the national organisations and companies.