CERT-In stands for Computer Emergency Response Team - India.
It is a government-approved organization responsible for upholding information technology security, including protection against, detection of and response to organizations' cybersecurity incidents.
It was initiated in 2004 by the Department of Information Technology for implementing the provisions of the 2008 Information Technology Amendment Act.
How can qSEAp help you get a CERT-In audit?
qSEAp is a CERT-In empanelled organization, which means our security audit methodology has been assessed and approved by CERT India. Hence we can help you conduct a detailed security audit of your organization's IT network, which includes web applications, mobile applications, network devices, operating systems, servers and other support systems. The entire audit process is conducted according to guidelines provided by CERT-In.
Process to get CERT-In security clearance for your application
Below is a basic overview of the steps you can expect on the way to CERT-In security clearance.
1. Detailed security audit of the application or system in scope: The auditor will carry out a detailed security audit of the applications, network components and systems in scope and identify any security issues in them. A detailed security audit report (First Audit Report) will be given as a deliverable.
2. Confirmatory Audit: Once the vulnerabilities discovered in the First Audit Report are patched, a second round of re-testing is performed to check closure of the reported issues. We also check whether any new issues have been introduced by the patching process and add them to the second audit report. We might have to perform 2-3 rounds of such retesting till the entire application is free from vulnerabilities.
3. Issuance of Certificate: Once all the security issues have been patched, qSEAp can issue a security clearance certificate for the applications/systems in scope of the security audit. Along with the certificate, a Final Report stating the closure of reported issues is also given to the organization. Since qSEAp is CERT-In empanelled, our certificate can be showcased to regulatory bodies/clients before making your application/system live in production.
When should we go for a CERT-In audit?
CERT-In audits are a way of attesting the security of an organization's applications and IT infrastructure.
In India, the following organizations must go for CERT-In audits before making their applications/IT systems live in production:
- RBI and banks – Companies or those who use the software as mandated by:
  - RBI – Cybersecurity Framework for Banks
  - RBI – Cybersecurity Framework for Urban Cooperative Banks
  - RBI Guidelines for Cybersecurity in the NBFC sector
- Online payments – Companies and software that come under RBI Guidelines for Payment Aggregators and Payment Gateways
- Companies who conduct business related to software, hardware, or other related cyber services with the Government of India
- SEBI and companies – Companies and related software that fall under the rulebook of SEBI Cybersecurity and Cyber Resilience Framework
- Companies hosting applications or portals online using the National Informatics Center (NIC)
- Companies or those using software that follow the rules of the UIDAI – AUA KUA Compliance
- If you're selling, providing licenses, or just deploying relevant software and services for organizations for the ISNP Security Audit (under the IRDA mandate).
Note: The ISNP Security Audit is for insurance companies attempting to set up electronic platforms for their services. This is in accordance with the rules and regulations of the Insurance Regulatory and Development Authority of India (IRDAI).
(Source: getAstra website)
How long is the CERT-In security clearance certificate valid?
The security clearance certificate is valid for 1 year, provided no dynamic changes are made to the application/IT system. If the application code or the configuration of a system is changed, the organization must conduct another round of CERT-In audit for the modified part of the application/IT system.