GSTN to form security monitoring and analytics centre

GST-Network, the firm providing IT backbone for GST, will set up a hi-tech security monitoring and analytics centre to forewarn on cyber threats and secure the IT system handling over 300 crore invoices a month, a top official said.

GSTN, which had previously assured of security of data under the Goods and Services Tax (GST), is going the extra mile in getting its software security audited by government's IT certification arm, STQC, its CEO Prakash Kumar told PTI here.

With the impending rollout of GST next month, the GSTN has taken note of possible ransomware attacks and decided to build a cyber security unit, he said.

However, GSTN itself has not yet received security clearance from the home ministry.

Kumar said that in addition to the Security Operation Centre (SOC) being built by Infosys, a Security Management and Analytics Centre (SMAC) is in the works to keep a watch on the ongoing security operations."We are paranoid about security," Kumar told PTI. GSTN, a non-government, private limited company, was incorporated on March 28, 2013. The Government of India holds 24.5 per cent equity in GSTN and all States, including NCT of Delhi and Puducherry, and the Empowered Committee of State Finance Ministers, together hold another 24.5 per cent.

The balance 51 per cent equity is with non-government financial institutions -- HDFC, HDFC Bank, ICICI Bank, NSE Strategic Investment Co and LIC Housing Finance Ltd.

However, BJP MP Subramanian Swamy has on multiple occasions raised concerns over GSTN's shareholding pattern, and said it might compromise data security.

The SMAC will not just ward off potential security threats but also conduct fraud investigations and forensics.

GSTN will appoint security companies by August which will set up the SMAC and GSTN officers would man it.

"It is more of a proactive thing. Before anything happens, the SMAC will tell us what kind of things are happening around. There are two kind of policing that you do-- one is preventive and other is reactive. SMAC is preventive part where it will examine feed and information from the world which are things going to come," Kumar said.

The SMAC will conduct detailed analytics to forewarn and prevent threats to GST System, implementing tools and appliances, monitoring the security operations, assess, continually enhance and improve the security posture of the GST ecosystem."

It is also meant to "carry out certain on-demand services (e.g. fraud investigations, forensics, etc.)".

Successful bidder will be required to assess and review the GST system for its security design and architecture and implementation of the threat prevention, detection capabilities and monitoring

capabilities.

Based on this review, it will be involved in the design and implementation of the Security Analytics Platform.

It would be responsible for operations (including maintenance) of the solutions as also for activities required to close the gaps in the

security system.