According to an internal document by National Informatics Centre (NIC) titled ‘Cyber Security Guidelines for Government Employees’, the government has prohibited its employees from using third-party virtual private network (VPN) and anonymisation services. The development comes in the backdrop of a directive issued by the Indian Computer Emergency Response Team (Cert-In) for regulating VPN companies in India. The directive also urges government employees not to save any internal, restricted or confidential government data files on any non-government cloud service such as Google Drive or Dropbox.
The NIC, under the Ministry of Electronics and Information Technology (MeitY), asserted that it had put out the guidelines to improve the security posture of the government. Meanwhile, NIC has also warned the government employees against resorting to ‘jailbreak’ or ‘root’ their mobile phones or use any external mobile app-based scanner services such as CamScanner to scan internal government documents.
The directive further noted that in case of any non-compliance might be acted upon by the respective CISOs/department heads. Cert-In, India’s nodal cyber security agency, had on April 28, 2022, mandated that VPN companies operating in India must maintain a log of their customers’ details, including names, addresses, and the purpose for which the VPN service was being used.
