Explained: Social Media Security Norms for Indian Govt. entities
By Jayshree Navin Chandra and Anisha Jhawar of ZEUS Law Associates
Recently, Guidelines on Information Security Practices for Government Entities (‘Guidelines’) have been issued by the Indian Computer Emergency Response Team (CERT-In), an organ of the Ministry of Electronics and Information Technology (MeitY).
The Guidelines apply to the ministries, departments, secretariats, and offices and entities associated with these government organisations. Apart from providing a legal blueprint for cyber resilience, security measures, and the controls required to be adopted by government organisations and associated entities, the Guidelines also list the social media-related security measures that such organisations and entities are required to adopt, which include the following:
- Restricting access to official social media accounts and limiting the same to designated officials and systems only;
- Using a dedicated/separate email account for operating the social media platform accounts, with credentials for the official social media platform account that are different from the credentials for the official email account;
- Specifying a password policy for usage of the credentials;
- Prohibiting the use of personal email accounts for operating official social media accounts;
- Enabling multi-factor authentication for all social media accounts;
- Approving the content to be posted on social media handles by the appropriate authority within the organisation;
- Ensuring that the social media accounts are operated by the designated officials on trusted devices only (and not on public/unauthorised devices), and that they log out immediately after use;
- Disabling the Geolocation (GPS) access feature for official social media platforms;
- Ensuring that the social media platform software/application used is kept updated with the latest available version and available security patches, as well as the security and privacy settings related to such software;
- Revoking an employee's access to social media accounts with immediate effect if he/she switches role, his/her employment terminates, or he/she leaves the organisation;
- Enabling account security logs along with periodically monitoring the log-in attempts from untrusted devices or log-in attempts from geographical regions other than the usual;
- Enabling all alerts for unrecognized login attempts of social media platforms/applications;
- Exercising caution in the use of all third-party applications used for managing social media platform accounts;
- Regularly monitoring e-mail accounts associated with official social media accounts for any alerts received related to account activities.
The Guidelines reflect a stringent approach adopted by CERT-In, as social media have become increasingly vulnerable and prone to cyber-attacks that may affect an organisation’s information systems and thus compromise confidentiality, with far-reaching consequences.
To continue their engagement and dealings with government organisations and associated entities, the contracting party(ies) providing third-party applications and rendering software services will be required to keep pace with the demands of government organisations and associated entities. The need of the hour is to develop better security and privacy features in applications and software.
(This article is solely for information purposes, does not constitute legal or professional advice, and should not be relied upon or used as a substitute for legal advice from an attorney.)
About the Authors: Jayshree Navin Chandra, Senior Partner at ZEUS Law, has been a practicing lawyer since 2001 with extensive corporate and transactional advisory experience. She advises and represents clients ranging from Fortune 500 companies to start-ups as well as Central and State Government departments and public bodies in a wide range of domestic and cross-border transactions, across industries in practice areas including Corporate and Company Law, M&A and Joint Venture, Private Equity, FDI & FII, Real Estate and Infrastructure, Data privacy and protection, Intellectual Property & Commercial Law Advisory.
Ms. Anisha Jhawar is an Associate at ZEUS Law and works in the Corporate and Commercial practice vertical.
ZEUS Law Associates is an ISO-certified full-service corporate commercial law firm with a team of dedicated and experienced lawyers well-versed in handling domestic and cross-border transactions across sectors, jurisdictions, and regulatory landscapes. The firm’s practice areas include Corporate and Company Law, M&A and Joint Venture, Private Equity, FDI & FII, Real Estate and Infrastructure, Intellectual Property & Commercial Law, Litigation, Alternate Dispute Resolution, Indirect Tax and NRI Services.