Security gaps in ICMR system as per Cert-In, reveals House panel report
In the Tuesday report, the committee said that it wants to be informed about the security practices adopted by ministry of electronics and information technology (Meity).
The Indian Council of Medical Research (ICMR) had multiple security gaps including insecure application design and inadequate security controls, the Indian Computer Emergency Response Team (Cert-In) found after it received threat intelligence reports about the sale of personal data from ICMR in October 2023, the IT ministry had informed the parliamentary standing committee on communications and information technology in its Action Taken Notes submitted on January 7, according to the report tabled by the committee on Tuesday.
The committee, in turn, wants to know about the analysis report shared with law enforcement agency for investigation, and if the security gaps have been addressed and the number of data breaches have reduced.
The Cert-In had recommended to ICMR that it should, among other things, have a clear and documented security policy, adopt a risk-based approach to security, conduct regular risk assessments, ensure security by design for application development and operations, and conduct a security audit of the entire ICMR ecosystem.
In the Tuesday report, the committee said that it wants to be informed about the security practices adopted by ministry of electronics and information technology (Meity) to ensure “fool proof security measures during the entire data life cycle and steps taken for its effective monitoring and enforcement”.
To address frauds related to Aadhaar-enabled Payment System (AePS), the committee wants to know the preventive measures that have been taken by Cert-In, UIDAI, and acquirer banks, and the hurdles they are facing in implementation. It also wants to know the outcome of the collaboration between Aadhaar and NPCI to check financial frauds carried out using the AePS.
Meity had also informed the committee in the January 7 Action Taken Notes that more than 250 Android and banking related malware, that are usually sideloaded (that is, not downloaded from the official Google Play Store) have been blocked at the recommendation of the Indian Cyber Crime Coordination Centre (I4C). I4C had also recommended that more that 130 suspicious loan apps be suspended for violating Google’s policy.
The committee now sought to know if the information about such malware is only shared with Big Tech companies such as Google or if it has been shared with “local and indigenous search engines, if any, or with the agencies working for Digital Connectivity in rural areas of the Country”.
I4C has also requested RBI to whitelist all mobile apps for instant loans. I4C has also asked RBI to identify all non-active, defunct and non-compliant NBFCs as they are used to commit cyber frauds by unregistered entities. The committee now wants to know about the action taken by RBI and of any delays. It also wants to know about the action taken by law enforcement agencies under MHA related to fraudulent lending apps.
