Panel Discussion: Complying With CERT-In's Directives of Breach Reporting and Log Retention: Where Are the Hiccups?
The Indian Computer Emergency Response Team (CERT-In) has issued directives under section 70B of the IT Act, 2000, that both government and private organizations in the country must inform the agency within six hours of discovering a cybersecurity incident. In case of non-compliance, the company is liable to pay a maximum penalty of about INR 1 lakh.
While the new guidelines are designed to tackle cybercrime effectively, they are likely to pose challenges to companies in terms of adhering to the six-hour rule. In addition, it has directed all service providers, intermediaries, data centers, corporate bodies and government organizations to retain the logs securely for a period of 180 days within the Indian jurisdiction.
What does this directive mean to the security practitioners, and what are the ways to comply with this? How are CISOs complying with this directive and where are the bottlenecks?
The session will cover:
- The practical challenges of complying with these directives
- How can practitioners reset their internal structure?
- Consequences of retaining logs for the specified time period