One month time fixed for completion of mandatory exercise
*Services to be shut from SDC in case of further inaction
JAMMU, Sept 14: At a time when the Government of Union Territory of Jammu and Kashmir has made most of the services online, majority of the departments have not conducted security audit of the websites and applications from the Computer Emergency Response Team (CERT) empanelled agencies thereby leaving potential weaknesses that hackers can exploit.
Taking serious note of this slackness, the Government has made it clear that in case the security audit is not completed within next one month the services will be shut from the State Data Centre and no further websites/applications will be hosted without the “Safe to Host” certificate from the concerned departments.
As per the officers of the Jammu and Kashmir e-Governance Agency (JAKeGA), website security audit is a process that assesses website/application for vulnerabilities and loopholes and audit scans website and its server for existing or potential weaknesses that hackers can exploit.
For full circular visit
“The purpose of the website security audit is to proactively look for discrepancies in website’s architecture and eliminates them before hackers can notice it with malicious intent”, they said, adding “even as per the Information Technology Act, 2008, it is mandatory to have security audit of all the applications and web services to be eligible for hosting in the State Data Centre (SDC)”.
They further said, “since constant changes are being done in the solutions deployed at State Data Centre, it is strongly recommended that post successful hosting of a website in State Data Centre, a periodic security audit, as per the required frequency, should be executed for the same”.
Keeping all these aspects in view, the JAKeGA vide Circular No.2 dated March 28, 2022 directed all the departments/offices of UT of J&K which have or are intending to host respective websites/applications in the State Data Centre that they should get security audit done from CERT-In, Government of India based certified empanelled agency and submit “Safe to Host” certificate to State Data Centre team as such a certificate is mandatory to avail the continuous hosting of services.
Through the circular all the departments and officers were conveyed that the security audit of websites/applications already hosted at State Data Centre may be completed within two months time failing which the hosting services will be stopped.
However, even more than one and half year after the issuance of circular instructions, majority of the departments have not shown compliance and this is evident from the latest circular of JAKeGA. “It is really a matter of concern that at a time when Government has made hundreds of services online the departments are not paying serious attention towards security audit”, sources said.
The latest circular of JAKeGA read: “It is regretfully intimated that only few departments have got the mandatory exercise completed. To protect Government data hosted in State Data Centre, it is imperative that websites and applications are audited and updated with latest security certificates on periodic basis as per the guidelines issued by the CERT-In. Moreover, as per the IT Act, it is mandatory to have security audit of all the applications and web services done in order to be eligible for hosting in State Data Centre”.
Taking serious note of the non-compliance, the JAKeGA has made it clear that security audit of the websites and applications be completed within one month failing which the services will be shut from State Data Centre.
No further websites/applications will be hosted at State Data Centre without the ‘Safe to Host’ certificate, which is mandatory in order to avail the continuous hosting services of State Data Centre, read the latest circular.
Moreover, the departments have also been requested to follow the advisory as per which the website should be audited by the CERT-In empanelled agencies and it should be cleared for the security audit to be finally host on J&K State Data Centre servers.
“The required changes suggested in the audit report should be carried out by the developing agency to remove all the identified vulnerabilities”, the JAKeGA said, adding “the security audit should be done as and when any changes are made in the source code and it should be ensured that all the websites/applications, their respective Content Management System, 3rd party plug-ins, codes etc are updated to the latest versions.
It has further been directed that all the websites/applications should be monitored on daily basis for ruling out any security compromise and websites/applications integrated with any 3rd party applications or using APIs for external communication should be allowed through encrypted channel only.