Cyber Security Guidelines for Government Employees…!

©MINISTRY OF ELECTRONICS & INFORMATION TECHNOLOGY

Indian Government has released some guidelines for all Government Employees and strictly mentioned that all the government employees are bound to follow these guidelines no matter what.

The government has banned many third-party apps and services like Google Drive, Dropbox, and VPN.

Toolbars, Proxy, Outdated software and pirated software for government workers.

Information and communication technologies (ICT) have become ubiquitous amongst government ministries and departments across the country.

The increasing adoption and use of ICT have increased the attack surface and threat perception to the government, due to the lack of proper cyber security practices followed on the ground.

In order to sensitize the government employees and contractual /outsourced resources and build awareness amongst them on what to do and what not to do from a cyber security perspective, these guidelines have been compiled.

By following uniform cyber security guidelines in government offices across the country, the security posture of the government can be improved.

CYBER SECURITY DO’S

1. Use complex passwords with a minimum length of 8 characters, using a combination of capital letters, small letters, numbers and special characters.

2. Change your passwords at least once in 45 days.

3. Use multi-factor authentication, wherever available.

4. Save your data and files on the secondary drive (ex: d:\).

5. Maintain an offline backup of your critical data.

6. Keep your Operating System and BIOS firmware updated with the latest updates/patches.

7. Install the enterprise antivirus clients offered by the government on your official desktops/laptops. Ensure that the antivirus client is updated with the latest virus definitions, signatures and patches.

8. Configure NIC’s DNS Server IP (IPv4: 1.10.10.10 / IPv6: 2409::1) in your system’s DNS Settings.

9. Configure NIC’s NTP Service (samay1.nic.in, samay2.nic.in) in your system’s NTP Settings for time synchronization.

10. Use authorized and licensed software only.

11. Ensure that proper security hardening is done on the systems.

12. When you leave your desk temporarily, always lock/log off from your computer session.

13. When you leave the office, ensure that your computer and printers are properly shut down.

14. Keep your printer’s software updated with the latest updates/patches.

15. Setup unique passcodes for shared printers.

16. Use a Hardware Virtual Private Network (VPN) Token for connecting privately to any IT assets located in the Data Centres.

17. Keep the GPS, Bluetooth, NFC and other sensors disabled on your computers and mobile phones. They may be enabled only when required.

18. Download Apps from the official app stores of google (for android) and apple (for iOS).

19. Before downloading an App, check the popularity of the app and read the user reviews. Observe caution before downloading any app which has a bad reputation or less user base, etc.

20. Use a Standard User (non-administrator) account for accessing your computer/laptops for regular work.

21. While sending any important information or document over an electronic medium, kindly encrypt the data before transmission. You can use licensed encryption software or Open PGP-based encryption or add the files to a compressed zip and protect the zip with a password. The password for opening the protected files should be shared with the recipient through an alternative communication medium like SMS, Sandes, etc.

22. Observe caution while opening any shortened uniform resource locator (URLs) (ex: tinyurl.com/ab534/). Many malwares and phishing sites abuse URL shortener services.

23. Observe caution while opening any links shared through SMS or social media, etc., where the links are preceded by exciting offers/discounts, etc., or may claim to provide details about any current affairs. Such links may lead to a phishing/malware webpage, which could compromise your device.

24. Adhere to the security advisories published by NIC-CERT and CERT-In.

CYBER SECURITY DO’S

CYBER SECURITY DON’TS

1. Don’t use the same password in multiple services/websites/apps.

2. Don’t save your passwords in the browser or in any unprotected documents.

3. Don’t write down any passwords, IP addresses, network diagrams or other sensitive information on any unsecured material (ex: sticky/post-it notes, plain paper pinned or posted on your table, etc.)

4. Don’t save your data and files on the system drive (Ex: c:\ or root).

5. Don’t upload or save any internal/restricted/confidential government data or files on any non-government cloud service (ex: google drive, dropbox, etc.).

6. Don’t use obsolete or unsupported Operating Systems.

7. Don’t use any 3rd party DNS Service or NTP Service.

8. Don’t use any 3rd party anonymization services (ex: Nord VPN, Express VPN, Tor, Proxies, etc.).

9. Don’t use any 3rd party toolbars (ex: download manager, weather toolbar, AskMe toolbar, etc.) in your internet browser.

10. Don’t install or use any pirated software (ex: cracks, keygen, etc.).

11. Don’t open any links or attachments contained in the emails sent by any unknown sender.

12. Don’t share system passwords or printer passcode or Wi-Fi passwords with any unauthorized persons.

13. Don’t allow internet access to the printer.

14. Don’t allow the printer to store its print history.

15. Don’t disclose any sensitive details on social media or 3rd party messaging apps.

16. Don’t plug in any unauthorized external devices, including USB drives shared by any unknown person

17. Don’t use any unauthorized remote administration tools (ex: Teamviewer, Ammy admin, any desk, etc.)

18. Don’t use any unauthorized 3rd party video conferencing or collaboration tools for conducting sensitive internal meetings and discussions.

19. Don’t use any external email services for official communication.

20. Don’t jailbreak or root your mobile phone.

21. Don’t use an administrator account or any other account with administrative privilege for your regular work.

22. Don’t use any external mobile App based scanner services (ex: Camscanner) for scanning internal government documents.

23. Don’t use any external websites or cloud-based services for converting/compressing a government document (ex: word to pdf or file size compression)

24. Don’t share any sensitive information with any unauthorized or unknown person over the telephone or through any other medium.

CYBER SECURITY DON’TS

Disclaimer: This article is just for providing knowledge and updates to readers, this content is made through internet research, this article has no intention to the heart or promotes any brand/company/startup, this article is only made for knowledge, education, and there is no promotion at all. “This blog and I do not claim any right over any of the graphics, or images used in this article“.

“All rights reserved to the respective copyright owners.” Copyright Disclaimer under Section 107 of the copyright act 1976, allowance is made for fair use for purposes such as news reporting, scholarship, and research. Fair use is a use permitted by copyright statute that might otherwise be infringing.

Free VPN वापरणाऱ्यांनो सावधान भारत सरकारने दिले हे निर्देश….!(Opens in a new browser tab)

Beware VPN customers: Indian authorities makes VPN person information assortment obligatory…!(Opens in a new browser tab)