Indian government’s confidential infosec guidance leaks • The Register
India’s government last week issued confidential information security guidelines to the 30 million plus workers it employs – and as if to prove a point, the document quickly leaked on a government website.
The document, and the measures it contains, suggest infosec could be somewhat loose across India’s government sector.
“The increasing adoption and use of ICT has increased the attack surface and threat perception to government, due to lack of proper cyber security practices followed on the ground,” the document opens.
“In order to sensitize government employees and contractual/outsourced resources and build awareness amongst them on what to do and what not to do from a cyber security perspective, these guidelines have been compiled.”
Ironically, the document proves why it’s needed. Despite being marked “Restricted” and for access only within Indian government departments and ministries – and including an exhortation that those sent the document “should honor this access right by preventing intentional or accidental access outside the access scope” – The Register was able to find it on an Indian government website with minimal effort.
Whoever posted it there probably needs to re-read the document. One of the instructions it includes is “Don’t share any sensitive information with any unauthorized or unknown person over telephone or through any other medium.”
That instruction is one of 24 “Cyber Security Don’ts” that includes measures such as not re-using passwords or writing them on sticky notes left around the office, running only supported operating systems, and not using browser plug-ins. Users are not to save data to local drives, or click on links or attachments emailed by unknown parties.
“Don’t install or use any pirated software (ex: cracks, keygen, etc.)” is another directive, as is a proscription on jailbreaking…
