Cyber Security Guidelines from Government

INTRODUCTION: Information and communication technologies (ICT) have become ubiquitous  amongst government ministries and departments across the country. The increasing adoption and use of ICT has increased the attack surface and threat perception to  government, due to lack of proper cyber security practices followed on the ground.  In order to sensitize the government employees and contractual/outsourced  resources and build awareness amongst them on what to do and what not to do  from a cyber security perspective, these guidelines have been compiled. By  following uniform cyber security guidelines in government offices across the  country, the security posture of the government can be improved.

WHAT HAVE TO DO ?

• Use complex passwords with a minimum length of 8 characters, using a combination of capital letters, small letters, numbers and special characters.
• Change your passwords at least once in 45 days.
• Use multi-factor authentication, wherever available.
• Save your data and files on the secondary drive (ex: d:\).
• Maintain an offline backup of your critical data.
• keep your Operating System and BIOS firmware updated with the latest updates/patches.
• Install enterprise antivirus client offered by the government on your official desktops/laptops. Ensure that the antivirus client is updated with the latest virus definitions, signatures and patches.
• Configure NIC’s DNS Server IP (IPv4: 1.10.10.10 / IPv6: 2409::1) in your system’s DNS Settings. RESTRICTED Government of India Cyber Security Do’s & Don’ts National Informatics Centre 6
• Configure NIC’s NTP Service (samay1.nic.in, samay2.nic.in) in your system’s NTP Settings for time synchronization.
• Use authorized and licensed software only.
• Ensure that proper security hardening is done on the systems.
• when you leave your desk temporarily, always lock/log-off from your computer session.
• When you leave office, ensure that your computer and printers are properly shutdown.
• Keep your printer’s software updated with the latest updates/patches.
• Setup unique passcodes for shared printers.
• Use a Hardware Virtual Private Network (VPN) Token for connecting privately to any IT assets located in the Data Centres.
• Keep the GPS, bluetooth, NFC and other sensors disabled on your computers and mobile phones. They maybe enabled only when required.
• Download Apps from official app stores of google (for android) and apple (for iOS).
• Before downloading an App, check the popularity of the app and read the user reviews. Observe caution before downloading any app which has a bad reputation or less user base, etc.
• Use a Standard User (non-administrator) account for accessing your computer/laptops for regular work.
• While sending any important information or document over electronic medium, kindly encrypt the data before transmission. You can use a licensed RESTRICTED Government of India Cyber Security Do’s & Don’ts National Informatics Centre 7 encryption software or an Open PGP based encryption or add the files to a compressed zip and protect the zip with a password. The password for opening the protected files should be shared with the recipient through an alternative communication medium like SMS, Sandes, etc.
• Observe caution while opening any shortened uniform resource locator (URLs) (ex: tinyurl.com/ab534/). Many malwares and phishing sites abuse URL shortener services.
• Observe caution while opening any links shared through SMS or social media, etc., where the links are preceded by exciting offers/discounts, etc., or may claim to provide details about any current affairs. Such links may lead to a phishing/malware webpage, which could compromise your device.
• Report suspicious emails or any security incident to incident@cert-in.org.in and incident@nic-cert.nic.in. 25.Adhere to the security advisories published by NIC-CERT (https://niccert.nic.in/advisories.jsp ) and CERT-In (https://www.cert-in.org.in).

WHAT HAVE TO DON'T DO ?

• Don’t use the same password in multiple services/websites/apps.
• Don’t save your passwords in the browser or in any unprotected documents.
• Don’t write down any passwords, IP addresses, network diagrams or other sensitive information on any unsecured material (ex: sticky/post-it notes, plain paper pinned or posted on your table, etc.) RESTRICTED Government of India Cyber Security Do’s & Don’ts National Informatics Centre
• Don’t save your data and files on the system drive (Ex: c:\ or root).
• Don’t upload or save any internal/restricted/confidential government data or files on any non-government cloud service (ex: google drive, dropbox, etc.).
• Don’t use obsolete or unsupported Operating Systems.
• Don’t use any 3rd party DNS Service or NTP Service.
• Don’t use any 3rd party anonymization services (ex: Nord VPN, Express VPN, Tor, Proxies, etc.).
• Don’t use any 3rd party toolbars (ex: download manager, weather tool bar, askme tool bar, etc.) in your internet browser.
• Don’t install or use any pirated software (ex: cracks, keygen, etc.).
• Don’t open any links or attachments contained in the emails sent by any unknown sender.
• Don’t share system passwords or printer passcode or Wi-Fi passwords with any unauthorized persons.
• Don’t allow internet access to the printer.
• Don’t allow printer to store its print history.
• Don’t disclose any sensitive details on social media or 3rd party messaging apps.
• Don’t plug-in any unauthorized external devices, including USB drives shared by any unknown person
• Don’t use any unauthorized remote administration tools (ex: Teamviewer, Ammy admin, anydesk, etc.)
• Don’t use any unauthorized 3rd party video conferencing or collaboration tools for conducting sensitive internal meetings and discussions.
• Don’t use any external email services for official communication.
• Don’t jailbreak or root your mobile phone.
• Don’t use administrator account or any other account with administrative privilege for your regular work.
• Don’t use any external mobile App based scanner services (ex: Camscanner) for scanning internal government documents.
• Don’t use any external websites or cloud-based services for converting/compressing a government document (ex: word to pdf or file size compression)
• Don’t share any sensitive information with any unauthorized or unknown person over telephone or through any other medium.