Security Audit & VAPT Assessment Initiation Document

Madhya Pradesh Agency for Promotion of Information Technology

(A CERT-In Empanelled organisation of Govt. M.P Under Dept. of Science & Technology)

Security Audit & VAPT Assessment

Initiation Document

For

Auditee Organisation

Version 1.4

Prepared By:

Software Testing & Audit Team

Center of Excellence, MAPIT

(A CERT-IN Empanelled Organisation of Govt. of Madhya Pradesh)

Document Control

Document Title: Security Audit & VAPT Assessment Initiation Document

Document Revision History:

Version No.

Release Date

Author

Section/Page No. changed

Details of Changes

Reviewed by

Approved By

Initial

Final

1.1

5/3/17

Priyank Soni

Initial Draft

Viral Tripathi

Roopak Srivastava

Smt. Sanhita Pendse

1.1

1.2

7/3/17

Priyank Soni

Document Control

Removed Internal Price Matrix, Added Version number in Header

Viral Tripathi Roopak Srivastava

Smt. Sanhita Pendse

1.2

1.3

8/3/17

Priyank Soni

Policy Guidelines

Policy Guidelines Section Added

Viral Tripathi

Roopak Srivastava

Smt. Sanhita Pendse

1.3

1.4

9/3/17

Priyank Soni

MAPIT Policy Guidelines

Policy Guidelines Points Added

Viral Tripathi,

Roopak Srivastava

Smt. Sanhita Pendse

Disclaimer:

This document has been prepared solely for MAP_IT. MAP_IT does not accept or assume any liability, responsibility or duty of care for any use of or reliance on this document by anyone, other than (i) MAP_IT, to the extent agreed in relevant agreement/contract for the matter to which this document relates, or (ii) or expressly agreed by MAP_IT in writing in advance. Any quotation, citation, or attribution of this publication, or any extract from it, is strictly prohibited without MAP_IT’s prior written permission.

Centre of Excellence, Madhya Pradesh Agency for Promotion of Information Technology (MAP_IT), State IT Center, 47-A, Arera Hills, Bhopal, M.P. – 462011

1. Introduction- Cyber Security & Risk

In today’s information-age is as such where everyone shares a common cyberspace with ever increasing penetration of internet technology in the day to day affairs of one’s life. The world has become an interconnected village and everyone is connected via common cyberspace. This global interconnection has provided us with many opportunities on one hand & at the same time it has increasingly posed risk of cyber security and governance. Cyber Security is an important vertical of organisations working under various domain such as government, non-government, corporates, financial, educational institutes, defence etc. An organization’s dependence on cyberspace is becoming an ever increasing important aspect pertaining organizational security. As different organizational infrastructure are introduced into cyberspace or a limited intranet/cloud, the level of risk exposure increased to a level where national security concerns start to weigh in. The threat to cyber security is ever growing with varied landscape and attack/threat surface. Globally cyber risk is of great concern for all the enterprises which make use of it. Almost 42 % of the organizations globally rank Cyber Security as their top concern and priority, even more so than the natural disasters, terrorism and traditional crime. The industries such as banking and economy, defence, information and energy, healthcare are the core targets of the cybercrime. The government sector witnessed 136% increase in cyber threats and the financial organizations witnessed a 126% increase in last 5 years.

2. Global Scenario for Cyber Threats

Cyber security can pose a major threat to our social, personal and professional spheres of life. The intruders might tamper with the websites and can view the confidential data in our system without our consent. They can also steal our valuable information like passwords, ID’s etc. Cyber risk is not only limited to social networking sites or global enterprises, it is rather a big threat for the government as well as for the society too. The crimes like cyber trafficking, online gambling, forgery, financial crimes, cyber trespass, industrial espionage etc. is going viral in the World Wide Web all around the world. The expansion of connectivity offers abundant opportunities for businesses, governments, and individuals, but also significant risks, especially those related to cyber security. In 2014, Microsoft produced a report called Cyberspace 2025: Today’s Decisions, Tomorrow’s Terrain, which examines the complex relationship between policies and the development of ICT. The report forecasts the challenges and risk that cyberspace and cyber security might unfold over the next decade. Thus, it is very important for government & non-government organizations to take Cyber Security as a serious issue.

3. Cyber Security Scenario in India

As we grow more dependent on the Internet for our daily activities, we also become more vulnerable to any disruptions caused in and through cyberspace. The rapidity with which this sector has grown has meant that governments and private companies are still stuck in a catchup mode for both the scope and meaning of security in cyberspace and apportioning the responsibility accordingly.

Cyber Security in India

India has observed a significant increase in cyber-attacks against financials and government organizations with 34% and 43% increase in both of these respectively, up from last year’s 15% and 19%, as revealed in the latest CERT-In report. National security has traditionally been the sole responsibility of governments. But as the world transitioned into the information age, with increased dependence on information infrastructure for the production and delivery of products and services, the new responsibility of securing the critical information infrastructure (CII) against the rising number of cyber-attacks has come within the ambit of national security. This new responsibility is not, however, solely that of the government; but the private sector now has a major role to play as more and more CII are found to be owned and operated by the Dept. of IT (DIT). Various critical IT-dependent infrastructure have been identified as such, namely Defense, Finance, Energy, Transportation and Telecommunications. The IT Act, 2000, as amended in 2008, provides for protection of CII under section 70A. The government will designate an organization as the national nodal agency for CII protection, which will be responsible for all measures to protect CII.

Cyber Security in Government Context

At the National level CERT-In (Computer Emergency Response Team of India) is working closely together with their empaneled partner organizations to ensure that a continuous and acceptable security posture of all the identified Critical IT Infrastructures and systems is maintained. CII in India as of now comprises of around 150 Internet and telecom service providers, offering Internet, mobile and wireless connectivity to a user base of nearly 800 million. CERT-In is mandated under the IT Amendment Act, 2008 to serve as the national agency in charge of cyber security. In the meantime, real oversight over cyber security may be said to be distributed amongst the Ministries of Communication and Technology, Home Affairs and Defense, and the office of the NSA. However, to safeguard the whole nation and ensure safety of CIIs across the national, the IT Amendment Act, 2008 clearly defines the proactive role of sectorial CERTs, Regional CERTs and State wide CERTs on the lines of CERT-In.

Cyber Security - Legal Provision

The IT Act of 2008 covers all actions in Cyber Security domain. Sections 69, 69A and 69B contain provisions for intercepting, monitoring or blocking traffic where, amongst other reasons, there is a threat to national security. Section 70A covers protection of critical infrastructure. There is a need to prioritize and protect critical infrastructure. In the USA 18 sectors have been identified. In India’s case, the sectors of power, water supply, communications, transportation, defense and finance have been identified as vital constituents primed for national security. These critical sectors need to be defined and suitable protection measures ensured as laid down in the IT Act in a periodic and continuous manner.

4. Security Testing Government of India initiatives –IT Act/CII/CERT-IN

The success of a security programme lies in the ability of an organisation to swiftly respond to security threats and attacks. This requires more proactive delivery of security intelligence. The Government of India has initiated the following measures to counter Cyber Security:

1. The Information Technology Act, 2000 as amended by the Information Technology (Amendment) Act, 2008 has been enforced on 27.10.2009. The Act provides legal framework to address the issues connected with hacking and security breaches of information technology infrastructure.

2. Section 70 of the Act provides to declare any computer resource which directly or indirectly affects the facility of Critical Information Infrastructure, to be a protected system. Further, Section 70B has empowered Indian Computer Emergency Response Team (CERT-IN) to serve as national nodal agency in the area of cyber security.

3. National Critical Information Infrastructure Protection Centre(NCIIPC) has been designated by the Government of India as the nodal agency for the protection of CIIs including associated Research and Development, under Section 70A(1) of the Act.

4. Computer Emergency Response Team India (CERT-In) scans the Indian Cyber Space to detect traces of any untoward incident that poses a threat to the cyber space. CERT-In performs both proactive and reactive roles in computer security incidents prevention, identification of solution to security problems, analysing product vulnerabilities, malicious codes, web defacements, open proxy servers and in carrying out relevant research and development.

5. CERT-In has published several Security Guidelines for safeguarding computer systems from hacking and these have been widely circulated. All Government Departments/ Ministries, their subordinate offices and public sector undertakings have been advised to implement these guidelines to secure their computer systems and information technology infrastructure.

6. Formulation of National Cyber Security Policy- the Government as formulated Crisis Management Plan for countering cyber-attacks and cyber terrorism for implementation by all Ministries/ Departments of Central Government, State Governments and their organizations and critical sectors.

7. CIIs Action Plan: An information security action plan for protection of critical information infrastructure is in place. The plan is aimed at enabling Government and the identified Critical sectors in improving the security of their CIIs & Information Technology systems and networks and it’s verification through periodic risk assessments and annual audits by CERT-In & their empanelled auditing organizations.

5. MAP_IT Cyber Security Audit & Testing- An Introduction

Madhya Pradesh is one of the first states in the country to set up its own State Data Center (SDC) for all govt. websites and data. As per IT Act 2008, it is mandatory to have security audit of all the application and web services to be eligible to be hosted in SDC. Since there are constant changes being done in the solution deployed at SDC it is recommended that post successful hosting a periodic security audit per the required frequency is executed for same. With, MAP_IT (Madhya Pradesh Agency for Promotion of IT) becoming the first organization in MP to be CERT-In empanelled, MP has taken a giant step forward in comparison to other states in the direction of State wide CERT. The setting up of MP-CERT (Madhya Pradesh Computer Emergency Response Team) can now be realized. It is to be noted that not only first in MP rather MAP_IT is the first state organization pan India to claim the coveted accolade.

After achieving the momentous and herculean task of getting empaneled with CERT-IN, the first task cut out for the MP-CERT team is to ramp up the IT Infrastructure and ratify the policies which shall be adhered to by the MP-CERT team personnel tasked for the various objectives under the CERT-IN mandate.

Objectives of MAP_IT Cyber Security & Testing Team

The main objective of setting up the MP Cyber Security Lab is to create a unit to mitigate the risk of cyber threats within the govt. of MP framework. The MP-CERT will have both anticipatory and reactive approach towards the cyber issues wherein it will not just monitor the threats but also ensure that timely audits are done to all the information systems categorized as Critical Infrastructure. The following are the main objectives of MP-CERT:

· To help identify CII and to set guidelines & procedures for CII to follow.

· To assist Government of Madhya Pradesh to prepare protocols to manage CII.

· To keep a watch on the security preparedness of Govt IT systems.

· To act as a nodal agency for security audit & cyber security related issues for Govt. of MP departments.

· To conduct security audit of IT systems and to establish and manage relationship with CERT-IN for co-ordination and response during cyber threats.

· Being a govt. back body MP-CERT will act to mitigate the time lag on conducting the security audit of systems of govt. of MP depts. And other organizations.

· MP-CERT will issue guidelines, advisories, vulnerability notes and whitepapers relating to information security practices, procedures, prevention, response and reporting of cyber incidents.

· It is very important to note here that this setup shall not go into cyber crimes investigations and its management.

Services to be provided by MP Cyber Security Lab

· Proactive services in the nature of Advisories, Security Alerts, Vulnerability Notes, and Security Guidelines to help organizations secure their systems and networks.

· Reactive services when security incidents occur so as to minimize damage.

· Security Quality management services in the form of cyber security audits, promotion of best practices and cyber security exercises/drills.

· To perform Security Audit & VAPT Assessment for 3rd party organizations & other state govt. depts.

· To issue Security Testing Certification & Assessment Report as per CERT-In mandate.

6. CERT-In Guidelines on Information Security for Protection of CII

In order to reduce the risk of cyber attack and improve upon the security posture of critical information infrastructure, Govt. and critical sector organisations are required to do the following on priority:

· CISO: Identify a member of senior management as Chief Information Security Officer (CISO) and designate him/her as a ‘point of contact’ responsible for coordinating security policies and compliance efforts and to regularly interact with Indian Computer Emergency Response Team (CERT-In), Dept. of Information Technology (DIT), which is the nodal agency for coordinating all actions pertaining to cyber security.

· Prepare information security plan and implement the security control measures as per IS/ISO/IEC 27001:2005 and other guidelines/standards as appropriate

· Carry out periodic IT Security Risk Assessments and determine acceptable level of risks consistent with criticality of business/functional requirement likely impact on business/functions and achievement of organisational goals /objectives.

· Periodic test and evaluate the adequacy and effectiveness of technical security control measures implemented for IT systems and networks.

· Especially, Test and evaluation may become necessary after each significant change to the IT application/system/networks.

· Carry out Audit of Information Infrastructure on an annual basis and when there is a major Upgradation or change in the information Technology infrastructure or code level change in the application.

(Sources: http://cert-in.org.in/)

7. CERT-In Guideline for Auditee/ Customer Organisation

CERT-In clearly defines guidelines for Auditee or Customer Organisations in order to carry out IT Security Audits. These Guidelines are issued and communicated from time to time and are mandatory to be followed as far as Security Audit are concerned. Any violation or incident pertaining violation of these can cause unpleasant outcome to both the Auditee and Auditor organisation as far as CERT-In empanelment is concerned. The following are the gist of some important guidelines issued by CERT-In for Auditee / Customer Organisation. The major points covered in the guidelines doc as follow (the number specified are the section & clauses mentioned in the Guidelines)

B. The auditor will need clear and unambiguous direction from auditee management (written rules of engagement), clearly defined scope for security audit and input on what is required for planning & assessment, requirement analysis, test execution & analysis, results and documentation.

B.2 Audit Environment: Describes the environment in which the auditor will perform the audit including the physical location, hardware/software being used, policy and procedures the auditor will need to follow. Key components are:

2.2.1 Entities and Locations

2.2.2 Facilities at each location

2.2.3 Equipment at each location

2.2.4 Policies, Procedures and Standards

2.2.5 Agreement and Licenses

B.3 Roles and Responsibility: In case any of the activities to be audited in the auditee organization are outsourced, auditee must ensure that relevant personnel from outsourced organization are available at the time of audit. The auditor’s responsibilities need to articulate not just the audit tasks, but also the documentation of their activities, reporting their actions and modus operandi.

B.3.1Auditor Organization Responsibilities: The contract should include clear identification of the following:

B.3.1.1 Audit Checklist (Mutually agreed upon by the Parties)

B.3.1.2 Audit Plan with timelines (Mutually agreed upon by the Parties)

B.3.1.1 Audit tasks

B.3.1.2 Documentation requirements

B.3.1.3 Audit Support requirements

B.3.1.4 Reporting Requirements: Structure, Content and secure handling of final deliverable (Such as Audit Reports) should be mutually agreed by the auditee and auditing organization.

B.3.1.5 For critical and government sector organizations, Auditor must only deploy the manpower with background verification check done from suitable Law Enforcement Agency.

B.3.2Auditee Organization Responsibilities: Besides the conditions that get specified in the contract, the following form part of auditee obligations:

B.3.2.1Auditee refrains from carrying out any unusual or major network changes during auditing/testing.

B.3.2.2To prevent temporary raise in security only for the duration of the test, the auditee notifies only key people about the auditing/testing. It is the auditee’s judgment, which discerns who the key people are; however, it is assumed that they will be people at policy making level, managers of security processesincident response, and security operations.

B.3.2.3If necessary for privileged testing, the auditee must only provide temporary access tokens, login credentials, certificates, secure ID numbers etc. and ensure that privilege is removed after the audit.

B.3.2.4 A Technical team should be assigned as point of contact by the auditee organization for assisting and monitoring the auditors during the audit and the details of the technical team should be shared with the concerned auditors. Auditee should assure and schedule regular interaction of technical team with auditors.

B.3.2.5 A Formal Confidentiality & Non-disclosure agreement must be signed with the auditor before starting of the work.

B.3.2.6 There should be a well defined escalation matrix both for the auditee and auditing organization for addressing any problem encountered during the audit process which should be shared with respective authorities.

B.3.2.7 A well defined mechanism must be in place which clearly states the procedure in which the report would be stored and destroyed after the completion of audit by the auditing organization. Thus, the mechanism should be designed in such a way that it confirms the following:

· Secure handling of report at transit.

· Secure handling of report at rest.

· Disposal time of report and related information by auditor.

C.AUDITEE EXPECTATIONS

The following are the expectations of auditee organization from an auditor:

C.1 Verifying possible vulnerable services only with explicit written permission from the auditee.

C.2 Auditors must verify the existing policies of the organization against the industry standards and best practices and suggest the necessary improvements if required.

C.3 Refrain from security testing of obviously highly insecure and unstable systems, locations, and processes until the security has been put in place.

C.4 A formal Confidentiality & Non-disclosure agreement should be signed by the IT Security auditing organization prior to commencing the cyber security auditing work. The auditing organization and its auditors are ethically bound to maintain confidentiality, non-disclosure of auditee information, and security testing results.

C.5 The security auditor always assumes a limited amount of liability as per responsibility. Acceptable limited liability could be equal to the cost of service (this includes both malicious and non-malicious errors and project mismanagement).

C.6 Clarity in explaining the limits and dangers of the security test.

C.7 In the case of remote testing, the origin of the testers by telephone numbers and/or IP addresses is made known and a formal written permission with a clear definition of the tasks to be performed should be taken.

C.8 Seeking specific permissions for tests involving survivability failures, denial of service, process testing, or social engineering.

C.9 The scope is clearly defined contractually before verifying vulnerable services.

C.10 The scope clearly explains the limits of the security test.

C.11 The test plan includes both calendar time and man-hours.

C.12 The test plan includes hours of testing.

C.13 The security auditors know their tools, where the tools came from, how the tools work, and have them tested in a restricted test area before using the tools on the customer organization and the result of such testing should be approved formally by the authorized person of auditee organization.

C.14 The exploitation of Denial of Service tests is done only with explicit permission.

C.15 Social engineering and process testing are performed in non-identifying statistical means against untrained or non-security personnel.

C.16 Social engineering and process testing are performed on personnel identified in the scope and may not include customers, partners, associates, or other external entities.

C.17 High risk vulnerabilities such as discovered breaches, vulnerabilities with known, high exploitation rates, vulnerabilities which are exploitable for full, unmonitored or untraceable access, or which may put immediate lives at risk, discovered during testing are reported immediately to the customer with a practical solution as soon as they are found.

C.18 Refrain from carrying out Distributed Denial of Service testing over the Internet.

C.19 Refrain from any form of flood testing where a person, network, system, or service, is overwhelmed from a larger and stronger source.

C.20 Notify the auditee whenever the auditor changes the auditing plan, changes the source test venue, has high risk findings, previous to running new, high risk or high traffic tests, and if any testing problems have occurred. Additionally, the customer is notified with progress updates at reasonable intervals.

C.21 Reports include all unknowns clearly marked as unknowns.

C.22 All conclusion should be clearly stated in the report with the clear objective evidence for each conclusion drawn.

C.23 Reports use only qualitative metrics for gauging risks based on industry-accepted methods.

C.24 Auditee is notified when the report is being sent as to expect its arrival and to confirm receipt of delivery.

C.25 All communication channels for delivery of report are end to end confidential.

D. GENERAL GUIDELINES

D.1 Auditee must implement the guidelines and advisories issued by CERT-In and/or suitable Government Agency time to time in their auditing program.

D.2 Regular interaction framework during audit should be setup.

D.3 Auditee should interview manpower deployed by auditor for conducting the audit.

D.4 Ensure that auditor is utilizing industry standard methodologies, best practices for security testing.

D.5 Scope of audit (in case of VA/PT) should not be limited to the few lists like OWASP top 10 or SANS Top 25 programming errors, it must include discovery of all known vulnerabilities.

D.6 Auditee must demand for the working notes upon completion of the audit (provisions for this must be made in the audit contract itself) and should ask for audit evidences collected to be submitted as appendix along with the final audit report.

D.7 Audit report format should be mutually agreed upon (Auditee and Auditor) and finalized before commencement of the audit. A sample web-application audit report for reference is available at Annexure-I.

D.8 Regular meetings should be held between the auditor and auditee representatives (SPOCs) to review the progress of the audit in order to assess and improve the audit efficiency.

D.9 Auditee must ensure that the tests agreed upon in the audit contract are actually being conducted by the auditor and also that the prescribed timeline is being followed, through the aforementioned meetings.

D.10 CERT-In empanelled auditors are selected after much scrutiny and testing but it is vital to understand that while the list of empanelled auditors is true and accurate, CERT-In cannot guarantee the authenticity of audit details provided by these organizations.

D.11 While selecting an auditor, it is the responsibility of the auditee to check the domain audit conducted, previous audits conducted and other relevant details. An auditee should have a clear understanding of the auditor’s audit methodology, tools use, experience in the relevant domain and all available alternatives like other competent organizations before selecting.

D.12 If the credibility of the auditor is unclear, auditee must make sure that the contractual agreement allows the auditee to stop the audit and choose another auditor within a reasonable duration of time in order to avoid financial losses on both ends.

D.13 Feedbacks/complaints to CERT-In help improve the quality of selecting auditing organizations in future, thus, it is both an auditee’s right and duty to provide relevant feedbacks. All feedbacks/complaints are kept confidential and are acted upon promptly with utmost importance.

D.14 The Auditee shall not use the CERT-In logo in any circumstances that would bring the Audit Service or CERT-In into disrepute.

D.15 The Auditee shall indemnify, and keep indemnified CERT-In against all claims, demands, actions, costs, expenses, (including without limitation, damages for any loss of business, business interruption, loss of business information or other indirect loss), arising from or incurred by reason of any third party claims against CERT-In relating to or arising from the performance or non-performance by the Auditor of any or all of its obligations under this terms and conditions as well as his Contract with the auditee.

D.16 Last but not least, the auditee must act upon the relevant audit findings and strive to improve the IT security.

(Sources: http://cert-in.org.in/)

8. CERT-In Guideline for Auditor Organisation

1. Have undergone a background check before employment. In case of employees moving from one CERT-In empanelled organization to another, a NOC / Relieving Letter shall be required from the previous organization as part of background check.

2. For Government and critical sector audits, Organization must deploy manpower declared to CERT-In in snapshot information form. CERT-In reserves the right to verify/audit such information independently or from the auditing organization or the auditee organization.

3. During and after the audit assignment are aware of information classification and know how to maintain confidentiality, security and privacy (such as collection, use, release, disclosure) of information and audit including but not limited to protecting against theft and damage of such information.

4. Have signed Non-disclosure agreement(NDA) with the organization at the time of joining

5. May need to sign NDA with the auditee organization depending upon the requirement of project under information to its employer organization.

6. Auditors should help auditee organization in identifying the scope of work.

7. Auditors must utilize industry standard methodologies, best practices for security testing. Solely tools based testing should be discouraged.

8. Auditors should deploy a verification team (Red Team) to verify the work performed by their audit team (White Team).

9. Auditor should clearly mention the environment in which the web application/ application has been tested in case of web application/ application security audit.

10. Auditor will be required to audit and test the website on the staging server/testing environment provided by hosting service provider before issuing the audit certificate.

11. Structure and Contents of final deliverable of the audit/testing (like vulnerability assessment report) should be finalized with the auditee organization before commencement of project.

12. Refrain from carrying out Distributed Denial of Service testing over the Internet.

13. Refrain from any form of flood testing where a person, network, system, or service, is overwhelmed from a larger and stronger source.

14. Refrain from testing and exploiting high risk vulnerabilities such as discovered breaches or which may put immediate lives at risk.

15. Ensure appropriate approvals have been received in writing prior to carrying out any penetration tests and installation of tools and install tools in the presence of auditee system administrator.

16. Ensure removal of tools after the completion of task and do not install any other software or damage any existing auditee software. Get acceptance of auditee for removal of tools in the presence of auditee system administrator.

17. Ensure you provide a list of tools planned to be installed to auditee and provide a written confirmation to the auditee that you are not violating any IPR or license norms while using and installing the tools.

18. Ensure a Formal Non-disclosure agreement is signed with the auditee and is in place prior to start of work.

19. With or without a Non-Disclosure Agreement contract, the security auditor is ethically bound to confidentiality, non-disclosure of auditee information, and security testing results.

20. Provide half-yearly report to CERT-In regarding generic information related to information security audits, number of audits carried out, the sector in which the audit has been carried out, the high level findings, new areas emerging for audit.

21. It is responsibility of empanelled organization to keep CERT-In updated with snapshot information.

22. Ensure to maintain a regular contact with the auditee after the audit has been completed and assignment is over, as a good business relationship. Auditors should setup a communication channel to inform/alert auditee about information security related latest development feasible to auditee environment.

23. Auditing organization should prefer only official email id for sharing of audit report/data with auditee.

24. Organization should have Incident Management Policy and related processes in place with clearly defined escalation matrix and procedures to deal with non-compliance. This process for dealing with incidents should be shared with the auditee.

25. In case of the incidents where client audit related data is leaked to unauthorized entity (intentionally or unintentionally) , the auditing organization should inform the auditee of incident and take all necessary actions to address the incident as may be required.

(Sources: http://cert-in.org.in/)

9. MAPIT Information Guidelines for Security Audit as per CERT-In Mandate

1. As per Section B.3.2.5 of Auditee Guidelines, MAPIT can not initiate any Security Audit or Security Testing unless a formal request is initiated from the Auditee Organisation in form of a Request letter or mail. A Non-Disclosure Agreement (NDA) between MAPIT and Auditee also needs to be signed before testing.

2. As per Section B.3.2.6 of Auditee Guidelines, there should be a well defined escalation matrix between auditee and MAPIT for addressing any issues or problem.

3. As per Section B of Auditee Guidelines, MAPIT will need clear and unambiguous direction from auditee management (written rules of engagement) which will clearly defined scope for security audit and input on what is required for planning & assessment, requirement analysis, test execution & analysis, results and documentation. This also include the phases of application to be tested and modules included in the testing.

4. As per Section B of Auditee Guidelines & Section C.3, MAPIT shall not Test or Audit in parts or Modules, However as per letter from the dept. Security Testing in different phases can be initiated. The Certificate issued by MAPIT will mention the phase and URL for which the application is Tested or Audited.

5. As per Section B 3.2.1 & B 3.2.2 of Auditee Guidelines, there should not be any changes in the application during testing or Audit and any change in the source code of application for which audit was performed, shall be considered as violation of Security and the issued certificate shall stand void and null.

6. As per Section C.3 of Auditee Guidelines, unstable, incomplete, broken and application still under developing phase will be neither tested nor audited nor can a request for the same be entertained.

7. As per Section C.9 & C.10 of Auditee Guidelines, the scope of testing should be well defined and no request to scale up the scope to further modules or parts of application during the testing will be entertained.

8. As per Section C.13 of Auditee Guidelines, the tool details to be used for testing and audit will not be shared with the Auditee and no request to use a particular tool will be entertained.

9. As per Section C.25 of Auditee Guidelines, All communication channels for delivery of report are end to end confidential and any communication to auditee will be done through the authorized mail id only. (Please refrain from using 3rd part mail services such as Gmail or yahoo mail etc.)

10. As per Section D.5 of Auditee Guidelines, scope of testing while VAPT will cover OWASP Top 10, SANS Top 25 programming errors and also GIGW Compliance for all Govt. related websites and application. Incompliance to any of the above shall have bearing on Security Testing or Audit Certificate.

11. As per Rule 20, 21, 22 of Auditor Guidelines, the Security Testing Certificate will be valid for a period of 1 year from the date of issue OR till date when a change (minor or major) is made in the Source Code of Application or Build. The Certificate shall stand Void & Null. It will be the responsibility of Auditee to inform MAPIT for any scheduled change or maintenance mentioned henceforth and initiate new request for security audit.

12. As per Section D.14 & D. 15 of Auditee Guidelines, the Auditee must refrain from using ‘CERT-In’ or ‘MAP_IT’ Logos in any business or communication activities. Any unforeseen incident of Auditee using the same shall have bearing on Security Certification by MAPIT.

13. As per Section 5.3 of Policy Guidelines for Data Handling, a secure and authorized communication should exits between Auditee Organisation and MAPIT resource engage in Testing. The Auditee Organisation should not contact with other teams and employees of MAPIT for Security Audit or Testing related issues.

14. As per Sections of Policy Guidelines for Data Handling, the auditee organisation must follow the agreement as mentioned in the Non-Disclosure Agreement.

15. It is mandatory to follow all the points mentioned under Policy Guidelines for Data Handling, before and post Security Audit.

10. Questionnaire by Auditee Organisation before Security Audit

The following questionnaire must be answered by the Auditee Organisation before Security Audit of the Web application or Mobile Application can be initiated.

ORGANISATION DETAILS

Name Of Organization :

 

Application Testing URL :

 

Application Login Credentials :

 

S.No.

QUESTION

RESPONSE

1

What is the website development platform?

 

2

Is the web application internet facing?

 

3

Are Rich Internet Applications (RIA) used in the application? E.g. Flash, Silverlight, etc.

 

4

Is payment gateway integrated with the application? If yes, how many?

 

5

Are web services integrated with the application? If yes, how many?

 

6

How many authorization levels are there?

 

7

User Id and Passwords for each authorization level.

 

8

How many dynamic pages/Input Pages does the application has? (approx)

 

9

Which database used?

 

10

Any special functionality in the application.

 

11

How many static pages does the application has? (approx)

 

Details of Contact Person at Auditee Organization

Name

 

Address

 

Email

 

Website Name

 

Mobile

 

Telephone

 

Fax

 

11. Artifacts Required from Auditee Organisation for Security Audit

The following Action-Items are necessary to be submitted before any Security Audit Exercise is initiated by MAP_IT.

1. The NDA between CERT-In Empanelled Auditor & Auditee Organisation can be fetched from the following URLs; this needs to be Signed & Sealed on the Letter Head of the Auditee/Customer and sent to competent authority of MAP-IT.

http://cert-in.org.in/PDF/NON-Disclosure_Agreement.pdf

2. The Questionnaire Section mentioned in Section 9 of the document needs to be send along with Request letter.

3. Request letter/mail from concerned dept. to competent authority of MAPIT for Security Audit.

12. Document Repository from CERT-In Website

The mandatory Guidelines and Artifacts as mandated by CERT-In can be fetched from the following URLs.

1. The Guidelines for Auditee Organisation can be fetched from the following URLs;

http://cert-in.org.in/PDF/guideline_auditee.pdf

2. The NDA between CERT-In Empanelled Auditor & Auditee Organisation can be fetched from the following URLs;

http://cert-in.org.in/PDF/NON-Disclosure_Agreement.pdf

3. The Policy Guideline for Handling Audit related Data between CERT-In Empanelled Auditor & Auditee Organisation can be fetched from the following URLs;

http://cert-in.org.in/PDF/Policy_Guidelines_%20Handling.pdf

State IT Center, 47-A, Arera Hills, Bhopal -462011, Tel: +91-755-2518702

Website: www.mapit.gov.in|| Email: info@mapit.gov.in