Indian IT shops have been handed another extraordinarily short deadline within which to perform significant infosec work.
This time the source of the edict is the Securities and Exchange Board of India, which on May 20 published a modified version of the “Cyber Security and Cyber Resilience framework” that applies to market infrastructure institutions (MIIs) – or stock exchanges, clearing corporations and depositories – that it published in 2015.
Among the modifications, equipment rated “critical” and therefore subject to regular security review and testing has been expanded to any internet-facing application, and any system that stores personally identifiable information. Anything that interacts with other critical systems for operations or maintenance is now also classified as critical.
MII boards must sign off on lists of critical systems.
Stock exchanges and other entities mentioned above have also been told to “maintain up-to-date inventory of … hardware and systems, software and information assets (internal and external), details of … network resources, connections to … network and data flows.”
The update also orders increased frequency of security audits, and requires they be undertaken only by organizations approved by the Indian Computer Emergency Response Team.
And the sting in the tail?
“All MIIs are directed to communicate the status of the implementation of the provisions of this circular to SEBI within 10 days from the date of this circular.”
Just how one gets a board up to speed to sign off on a list of critical infrastructure ten days after the issuance of a circular is anyone’s guess. The Register imagines many boards will push back – their duty of care precludes rushing to judgement. Especially because the modified rules were published on Friday, May 20, meaning the ten-day deadline spans two weekends.
The modified rules will likely be most unwelcome at MIIs, as they and all other Indian IT shops are already facing a 60-day deadline to adopt new rules that require reporting of many infosec incidents within six hours of detection, log file retention, and collection of records of customer activities. Those rules have met with considerable opposition. India’s government slightly reduced the reporting requirements, but the list of information Indian organizsations are required to collect is still long – and the 60-day deadline to be ready for the new reporting requirements was not extended. ®