Part 13.7 / 7

Compliance and Penalties

Consequences of CERT-In non-compliance, penalties under IT Act Section 70B, the audit framework, and best practices.

13.7.1 IT Act Section 70B - Penalties

Failure to comply with CERT-In directions attracts criminal liability under Section 70B(7) of the IT Act 2000. Sub-section (6) empowers CERT-In to call for information and issue directions; sub-section (7) penalises any service provider, intermediary, data centre, body corporate or person who fails to provide that information or comply with the direction.

Section 70B(7) - Penalty

  • Imprisonment: up to 1 year
  • Fine: up to Rs 1 lakh
  • Both: imprisonment and fine together
  • Classification: the maximum term is one year. Section 77B of the IT Act makes only offences punishable with three years or more cognizable, so a Section 70B(7) offence is bailable and not cognizable; arrest without a warrant is not available for it.

Criminal Liability

This is a criminal offence, not a civil penalty. Where the non-compliant entity is a company, the officers responsible can also be held liable: Section 85 of the IT Act extends liability to every person who was in charge of, and responsible to, the company for the conduct of its business, unless they show the contravention took place without their knowledge or that they exercised due diligence to prevent it.

Non-compliance Scenarios

Violation                                                   Consequence
Incident not reported within 6 hours of noticing it         Section 70B(7) applicable
ICT system logs not retained for 180 days (within India)    Section 70B(7) applicable
Point of Contact (POC) not designated                       Section 70B(7) applicable
System clocks not synchronised with NTP                     Section 70B(7) applicable
No response to a CERT-In information request or order       Section 70B(7) applicable
VPN customer KYC records not kept (5 years)                 Section 70B(7) applicable

13.7.2 Other Relevant IT Act Sections

Section 70 - Protected Systems

  • Offence: securing, or attempting to secure, unauthorised access to a system notified as a Protected System (Section 70(3))
  • Penalty: imprisonment up to 10 years, and liable to fine

Section 66 - Computer Related Offences

  • Offence: dishonestly or fraudulently doing any act listed in Section 43 (unauthorised access, data theft, damage to a computer resource, and so on)
  • Penalty: imprisonment up to 3 years, or a fine up to Rs 5 lakh, or both

Section 66F - Cyber Terrorism

  • Offence: acts done with intent to threaten the unity, integrity, security or sovereignty of India, including attacks on critical infrastructure that affect national security
  • Penalty: imprisonment which may extend to imprisonment for life

Section 43 - Civil Liability

  • Applicability: unauthorised access to, or damage to, a computer system or the data in it, without the owner's permission
  • Compensation: damages by way of compensation payable to the person affected

13.7.3 Audit Framework

CERT-In Empanelled Auditors

  • Empanelment: CERT-In empanels IT security auditing organisations
  • Categories: different categories based on scope of audit
  • Renewal: periodic renewal is required
  • Standards: auditors must follow CERT-In guidelines

Audit Scope

  • Compliance audit: check of compliance with CERT-In directions
  • Security audit: technical security assessment
  • VAPT: vulnerability assessment and penetration testing
  • Process audit: security processes and procedures

Audit Frequency

Entity Type               Recommended Frequency
CII organisations         Annual, or as required by NCIIPC
Government entities       Annual
Financial sector          As per RBI/SEBI guidelines
Other covered entities    Annual recommended

13.7.4 Compliance Checklist

CERT-In Directions Compliance

Requirement               Action                                                         Status
POC designation           Appoint a Point of Contact and register with CERT-In           [ ]
Incident reporting        Establish a process to report within 6 hours of noticing       [ ]
Log retention             Retain ICT system logs for 180 days, stored within India       [ ]
NTP sync                  Synchronise all systems with NTP (NIC/NPL time servers)        [ ]
VPN KYC                   Keep customer KYC records for 5 years (if a VPN provider)      [ ]
Cloud KYC                 Keep customer records (if a cloud/data centre provider)        [ ]
SIEM / log management     Centralised log collection                                     [ ]
Incident response plan    Documented IR plan                                             [ ]
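As an added example (not part of the original page), the following Python script turns three of the checklist rows above into mechanical self-checks: the 6-hour reporting deadline, the 180-day retention look-back (including the edge case of a log source younger than 180 days, which only has to cover its own lifetime), and whether the host clock is NTP-synchronised to an approved server. Everything in it is constructed: the incident timestamps, log-source dates and `timedatectl show` output are sample data, and the `APPROVED_NTP_SERVERS` allowlist is an assumed placeholder that must be verified against the NIC/NPL servers named in the directions' annexure before use.

```python
"""Self-checks for three CERT-In (28 April 2022 directions) requirements:
6-hour incident reporting, 180-day log retention, NTP synchronisation.

Added example, not the page's own code. All inputs are constructed sample
data; no live system is queried.
"""
from __future__ import annotations
from datetime import date, datetime, timedelta, timezone

IST = timezone(timedelta(hours=5, minutes=30))
REPORTING_WINDOW = timedelta(hours=6)   # report within 6 hours of noticing
RETENTION_DAYS = 180                    # keep ICT logs for 180 days
# ASSUMED allowlist: verify against the NIC/NPL servers in the directions.
APPROVED_NTP_SERVERS = {"samay1.nic.in", "samay2.nic.in", "time.nplindia.org"}


def reporting_deadline(noticed_at: datetime) -> datetime:
    """The clock starts when the incident is noticed or brought to notice,
    not when the intrusion actually happened."""
    return noticed_at + REPORTING_WINDOW


def reported_in_time(noticed_at: datetime, reported_at: datetime) -> bool:
    return reported_at <= reporting_deadline(noticed_at)


def retention_ok(oldest_retained: date, enabled_on: date, today: date) -> bool:
    """A log source is compliant if the oldest entry still held covers the
    required look-back: 180 days, or the whole life of a younger source."""
    required_lookback = min(timedelta(days=RETENTION_DAYS), today - enabled_on)
    return today - oldest_retained >= required_lookback


def parse_timedatectl(show_output: str) -> dict[str, str]:
    """Parse `timedatectl show` style key=value lines into a dict."""
    props: dict[str, str] = {}
    for line in show_output.strip().splitlines():
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def ntp_ok(show_output: str, configured_servers: list[str]) -> tuple[bool, bool]:
    """Return (clock is synchronised, an approved server is configured).
    Both must hold: syncing to an arbitrary public pool is not enough."""
    props = parse_timedatectl(show_output)
    synced = props.get("NTP") == "yes" and props.get("NTPSynchronized") == "yes"
    approved = any(s in APPROVED_NTP_SERVERS for s in configured_servers)
    return synced, approved


def compliance_report(noticed_at, reported_at, log_sources, show_output,
                      servers, today) -> dict[str, bool]:
    """Evaluate the three checks and return {requirement: passed}."""
    return {
        "6-hour incident reporting": reported_in_time(noticed_at, reported_at),
        "180-day log retention": all(retention_ok(o, e, today)
                                     for _, o, e in log_sources),
        "NTP synchronised with approved server": all(ntp_ok(show_output, servers)),
    }


# ---- constructed sample data (not real system output) ----
NOTICED = datetime(2024, 3, 10, 9, 15, tzinfo=IST)    # SOC confirms intrusion
REPORTED = datetime(2024, 3, 10, 16, 40, tzinfo=IST)  # 7h25m later: too late
TODAY = date(2024, 3, 10)
LOG_SOURCES = [
    # (name, oldest entry still retained, date logging was enabled)
    ("firewall", date(2023, 9, 1), date(2021, 1, 1)),       # 191 days held: ok
    ("vpn-gateway", date(2024, 1, 15), date(2020, 6, 1)),   # 55 days held: gap
    ("new-k8s-audit", date(2024, 2, 1), date(2024, 2, 1)),  # 38-day-old source: ok
]
TIMEDATECTL_SHOW = """Timezone=Asia/Kolkata
LocalRTC=no
CanNTP=yes
NTP=yes
NTPSynchronized=yes
"""
CONFIGURED_SERVERS = ["pool.ntp.org"]  # synced, but not to an approved source

if __name__ == "__main__":
    report = compliance_report(NOTICED, REPORTED, LOG_SOURCES,
                               TIMEDATECTL_SHOW, CONFIGURED_SERVERS, TODAY)
    for requirement, passed in report.items():
        print(f"[{'PASS' if passed else 'FAIL'}] {requirement}")
    print("Reporting deadline was:", reporting_deadline(NOTICED).isoformat())
```

Run as-is, all three checks fail: the report went out 85 minutes past the deadline, the VPN gateway holds only 55 days of logs, and the NTP check fails even though the clock is synchronised, because `pool.ntp.org` is not an approved source. That last distinction is the one an auditor will look for, and it is why the check returns two flags rather than one.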

13.7.5 Best Practices

Organizational Measures

  • CISO appointment: a dedicated CISO or security head
  • Security policy: a documented and approved security policy
  • Training: regular security awareness training
  • Governance: a security governance framework

Technical Measures

  • Defence in depth: multiple layers of security controls
  • Patch management: regular and timely patching
  • Access control: the least privilege principle
  • Encryption: encrypt data at rest and in transit
  • Backup: regular and tested backups

Process Measures

  • Risk assessment: annual or periodic risk assessment
  • Incident response: a documented and tested IR plan
  • BCP/DR: business continuity and disaster recovery plans
  • Change management: a formal change process
  • Vendor management: third-party risk assessment

Proactive Approach

Do not treat compliance as a checkbox exercise. Security is a continuous process. Take a proactive approach rather than a reactive one.

13.7.6 Useful Resources

Official Resources

  • CERT-In Website: cert-in.org.in
  • NCIIPC Website: nciipc.gov.in
  • MeitY: meity.gov.in
  • NIC: nic.in

Reporting Channels

  • Email: incident@cert-in.org.in
  • Toll Free: 1800-11-4949
  • Website: CERT-In Incident Reporting Portal

Standards and Frameworks

  • ISO 27001: Information Security Management
  • NIST CSF: Cybersecurity Framework
  • CIS Controls: Center for Internet Security
  • OWASP: Web Application Security

Key Takeaways

  • Criminal liability: CERT-In non-compliance carries up to 1 year imprisonment, or a fine up to Rs 1 lakh, or both (Section 70B(7))
  • Section 70: unauthorised access to a Protected System carries up to 10 years
  • Section 66F: cyber terrorism carries imprisonment up to life
  • Audit: annual audit by CERT-In empanelled auditors
  • Best practices: defence in depth, least privilege, regular training
  • Proactive: treat compliance as a continuous process