Cyber Security Advisory of Nepal
Cybersecurity Government of Nepal January 29, 2025

The Government of Nepal, through the Ministry of Communication and Information Technology and the National Cyber Security Centre (NCSC), has released a comprehensive advisory to enhance the security of government information technology systems. This advisory outlines essential measures to secure websites, applications, servers, networks, and other IT infrastructure. Below is a summary of the key recommendations:
General IT System Security

  1. Regular Updates and Security Audits

    • Keep websites and applications updated.
    • Conduct regular security audits and promptly address identified vulnerabilities.
  2. Data Backup and Continuity

    • Perform regular data backups and maintain archives.
    • Develop and implement a Business Continuity Plan (BCP).
  3. Licensed Software

    • Use only genuine hardware and software with valid licenses.
  4. System Updates and Scans

    • Regularly scan and update antivirus software, operating systems, databases, and network devices.
  5. Device Security Configuration

    • Configure security devices (e.g., Firewalls, WAF, IPS/IDS) with strong security settings.
  6. Password Management

    • Enforce complex password policies and mandate periodic password changes (every three months).
  7. Security Testing

    • Conduct security tests at every development stage of new IT systems before implementation.
  8. Audit Logs

    • Maintain system audit logs and perform security audits at least once a year.
  9. Multi-factor Authentication (MFA)

    • Implement MFA for accessing emails and other critical systems.
  10. Access Control

    • Apply the principles of ‘Need to Know’ and ‘Least Privilege’ to restrict information access.
  11. Centralized Management

    • Use Domain Controllers or Active Directory to manage office devices centrally.
  12. Network Segmentation

    • Protect critical systems by segmenting networks.
  13. SSL Certificates

    • Install SSL/TLS certificates on websites and applications so that traffic is encrypted in transit.
  14. Physical Security

    • Implement access control systems and IP surveillance cameras for sensitive areas like data centers.
  15. Employee Training

    • Provide regular cybersecurity training covering topics like data, application, and network security.

Desktop, Laptop, and Printer Security

  1. User Accounts and Passwords

    • Use standard (non-administrator) accounts for daily operations.
    • Set strong passwords for all accounts.
  2. Automatic Updates

    • Configure operating systems and firmware to update automatically.
  3. Antivirus Protection

    • Install antivirus software and update virus definitions regularly.
  4. Device Lockdown

    • Lock or log off devices when not in use and shut them down properly when leaving the office.
  5. Printer Security

    • Use unique passwords for shared printers and ensure printers are not connected to the internet.
  6. Removable Media Scanning

    • Scan removable media for malware before use.
  7. VPN for Remote Access

    • Use secure VPNs for accessing data centers remotely.

Password Management

  1. Complex Passwords

    • Create passwords with a combination of upper and lower case letters, numbers, and symbols, with a minimum length of 8 characters.
  2. Avoid Reuse

    • Do not reuse old passwords or use the same password across multiple systems.
  3. Password Sharing

    • Never share passwords over social media or communication platforms.
  4. MFA for Critical Systems

    • Use multi-factor authentication to enhance security.

Internet Browsing Security

  1. Private Browsing

    • Use private or incognito mode for accessing sensitive systems.
  2. Avoid Shortened Links

    • Be cautious when clicking on shortened URLs to avoid phishing pages.
  3. Browser Security

    • Keep browsers updated and avoid saving passwords or payment information.
  4. No Unauthorized Tools

    • Avoid using third-party tools, such as download managers or unauthorized VPNs.

Email and Phishing Security

  1. Do Not Open Suspicious Emails

    • Avoid opening emails, attachments, or links from unknown senders.
  2. Report and Delete Spam

    • Mark suspicious emails as spam and delete them promptly.
  3. Secure Communication

    • Use encryption (e.g., PGP) for transmitting sensitive information via email.
  4. Check Login History

    • Regularly review email login history for any anomalies.
  5. Avoid Public Wi-Fi

    • Do not access business emails over unsecured public Wi-Fi networks.

Removable Media Security

  1. Low-Level Formatting

    • Format removable media before first use so that nothing previously stored on it is carried over.
  2. Encrypt Sensitive Files

    • Protect sensitive data with encryption and strong passwords.
  3. Avoid Unauthorized Devices

    • Use only approved or office-issued removable media.

Social Media Security

  1. Limit Information Sharing

    • Share personal and official information sparingly on social media platforms.
  2. Verify Requests

    • Verify friend or follow requests before accepting.
  3. MFA for Social Accounts

    • Enable multi-factor authentication on all social media accounts.

Mobile Device Security

  1. Keep Software Updated

    • Regularly update mobile operating systems and applications.
  2. Review App Permissions

    • Carefully analyze the permissions requested by apps and allow only relevant access.
  3. Use Official App Stores

    • Download apps only from trusted sources like Google Play Store or Apple App Store.
  4. Backup Data

    • Regularly back up mobile data offline.
  5. Disable Unnecessary Features

    • Turn off GPS, Bluetooth, and NFC when not in use.

This advisory provides a robust framework for securing government IT systems and devices. By following these guidelines, agencies can strengthen their cybersecurity posture, protect sensitive information, and ensure the safe operation of critical systems.

Need Expert Guidance? Adinovi provides ISO 27001 certification services to help organizations implement security best practices. Additionally, Cybersuraksha, our cybersecurity awareness course, equips employees with the knowledge to prevent cyber threats. Contact us today to strengthen your cybersecurity framework!