Schedule2 – CERTIFYING AUTHORITIES RULES

SCHEDULE-II

[See rule 19(2)]

Information Technology (IT) Security Guidelines

Index

1. Introduction

2. Implementation of an Information Security Programme

3. Information Classification

4. Physical and Operational Security

4.1 Site Design

4.2 Fire Protection

4.3 Environmental Protection

4.4 Physical Access

5. Information Management

5.1 System Administration

5.2 Sensitive Information Control

5.3 Sensitive Information Security

5.4 Third Party Access

5.5 Prevention of Computer Misuse

6. System integrity and security measures

6.1 Use of Security Systems or Facilities

6.2 System Access Control

6.3 Password Management

6.4 Privileged User’s Management

6.5 User’s Account Management

6.6 Data and Resource Protection

7. Sensitive Systems Protection

8. Data Centre Operations Security

8.1 Job Scheduling

8.2 System Operations Procedure

8.3 Media Management

8.4 Media Movement

9. Data Backup and Off-site Retention

10. Audit Trails and Verification

11. Measures to Handle Computer Virus

12. Relocation of Hardware and Software

13. Hardware and Software Maintenance

14. Purchase and Licensing of Hardware and Software

15. System Software

16. Documentation Security

17. Network Communication Security

18. Firewalls

19. Connectivity

20. Network Administrator

21. Change Management

21.1 Change Control

21.2 Testing of Changes to Production System

21.3 Review of Changes

22. Problem Management and Reporting

23. Emergency Preparedness

24. Contingency Recovery Equipment and Services

25. Security Incident Reporting and Response

26. Disaster Recovery/Management

Information Technology (IT) Security Guidelines

1. Introduction 

This document provides guidelines for the implementation and management of Information Technology Security. Due to the inherent dynamism of the security requirements, this document does not provide an exact template for the organizations to follow. However, appropriate suitable samples of security process are provided for guidelines. It is the responsibility of the organizations to develop internal processes that meet the guidelines set forth in this document. The following words used in the Information Technology Security Guidelines shall be interpreted as follows:

shall: The guideline defined is a mandatory requirement, and therefore must be complied with. 

should: The guideline defined is a recommended requirement. Non-compliance shall be documented and approved by the management. Where appropriate, compensating controls shall be implemented. 

must: The guideline defined is a mandatory requirement, and therefore must be complied with. 

may: The guideline defined is an optional requirement. The implementation of this guideline is determined by the organization’s requirement. 

2. Implementation of an Information Security Programme

Successful implementation of a meaningful Information Security Programme rests with the support of the top management. Until and unless the senior managers of the organization understand and concur with the objectives of the information security programme its ultimate success is in question. 
The Information Security Programme should be broken down into specific stages as follows:

a. Adoption of a security policy; 

b.Security risk analysis; 

c.Development and implementation of an information classification system; 

d.Development and implementation of the security standards manual; 

e.Implementation of the management security self-assessment process; 

f.On-going security programme maintenance and enforcement; and 

g.Training. 

The principal task of the security implementation is to define the responsibilities of persons within the organization. The implementation should be based on the general principle that the person who is generating the information is also responsible for its security. However, in order to enable him to carry out his responsibilities in this regard, proper tools, and environment need to be established. When different pieces of information at one level are integrated to form higher value information, the responsibility for its security needs also should go up in the hierarchy to the integrator and should require higher level of authority for its access. It should be absolutely clear with respect to each information as to who is its owner, its custodian, and its users. It is the duty of the owner to assign the right classification to the information so that the required level of security can be enforced. The custodian of information is responsible for the proper implementation of security guidelines and making the information available to the users on a need to know basis. 

3. Information Classification

Information assets must be classified according to their sensitivity and their importance to the organization. Since it is unrealistic to expect managers and employees to maintain absolute control over all information within the boundaries of the organization, it is necessary to advise them on which types of information are considered more sensitive, and how the organization would like the sensitive information handled and protected. Classification, declassification, labeling, storage, access, destruction and reproduction of classified data and the administrative overhead this process will create must be considered. Failure to maintain a balance between the value of the information classified and the administrative burden the classification system places on the organization will result in long-term difficulties in achieving success.

Confidential is that classification of information of which unauthorized disclosure/use could cause serious damage to the organization, e.g. strategic planning documents.

Restricted is that classification of information of which unauthorized disclosure/use would not be in the best interest of the organization and/or its customers, e.g. design details, computer software (programs, utilities), documentation, organization personnel data, budget information.

Internal use is that classification of information that does not require any degree of protection against disclosure within the company, e.g. operating procedures, policies and standards inter office memorandums. 

Unclassified is that classification of information that requires no protection against disclosure e.g. published annual reports, periodicals. 

While the above classifications are appropriate for a general organization view point, the following classifications may be considered :

Top Secret: It shall be applied to information unauthorized disclosure of which could be expected to cause exceptionally grave damage to the national security or national interest. This category is reserved for Nation’s closest secrets and to be used with great reserve.  

Secret: This shall be applied to information unauthorized disclosure of which could be expected to cause serious damage to the national security or national interest or cause serious embarrassment in its functioning. This classification should be used for highly important information and is the highest classification normally used. 

Confidentiality: This shall be applied to information unauthorized disclosure of which could be expected to cause damage to the security of the organization or could be prejudicial to the interest of the organization, or could affect the organization in its functioning. Most information will on proper analysis be classified no higher than confidential. 

Restricted: This shall be applied to information which is essentially meant for official use only and which would not be published or communicated to anyone except for official purpose.

Unclassified: This is the classification of information that requires no protection against disclosure. 

4. Physical and Operational Security

4.1 Site Design 

 

1.The site shall not be in locations that are prone to natural or man-made disasters, like flood, fire, chemical contamination and explosions. 

 

2.As per nature of the operations, suitable floor structuring, lighting, power and water damage protection requirements shall be provided. 

3.Construction shall comply with all applicable building and safety regulations as laid down by the relevant Government agencies. Further, the construction must be tamper-evident. 

 

4.Materials used for the construction of the operational site shall be fire-resistant and free of toxic chemicals. 

5.External walls shall be constructed of brick or reinforced concrete of sufficient thickness to resist forcible attack. Ground level windows shall be fortified with sturdy mild steel grills or impact-resistant laminated security glass. All internal walls must be from the floor to the ceiling and must be tamper-evident. 

6.Air-conditioning system, power supply system and uninterrupted power supply unit with proper backup shall be installed depending upon the nature of operation. All ducting holes of the air-conditioning system must be designed so as to prevent intrusion of any kind. 

7.Automatic fire detection, fire suppression systems and equipment in compliance with requirement specified by the Fire Brigade or any other agencies of the Central or State Government shall be installed at the operational site. 

8.Media library, electrical and mechanical control rooms shall be housed in separate isolated areas, with access granted only to specific, named individuals on a need basis. 

 

9.Any facility that supports mission-critical and sensitive applications must be located and designed for reparability, relocation and reconfiguration. The ability to relocate, reconstitute and reconfigure these applications must be tested as part of the business continuity/ disaster recovery plan. 

4.2 Fire Protection

1.Combustible materials shall not be stored within hundred meters of the operational site. 

 

2.Automatic fire detection, fire suppression systems and audible alarms as prescribed by the Fire Brigade or any other agency of the Central or State Government shall be installed at the operational site. 

3.Fire extinguishers shall be installed at the operational site and their locations clearly marked with appropriate signs. 

4.Periodic testing, inspection and maintenance of the fire equipment and fire suppression systems shall be carried out. 

5.Procedures for the safe evacuation of personnel in an emergency shall be visibly pasted/displayed at prominent places at the operational site. Periodic training and fire drills shall be conducted. 

6.There shall be no eating, drinking or smoking in the operational site. The work areas shall be kept clean at all times. 

4.3 Environmental Protection

1.Water detectors shall be installed under the raised floors throughout the operational site and shall be connected to audible alarms. 

2.The temperature and humidity condition in the operational site shall be monitored and controlled periodically. 

 

3.Personnel at the operational site shall be trained to monitor and control the various equipment and devices installed at the operational site for the purpose of fire and environment protection. 

4.Periodic inspection, testing and maintenance of the equipment and systems shall be scheduled. 

4.4 Physical Access

1.Responsibilities round the clock, seven days a week, three hundred sixty five days a year for physical security of the systems used for operation and also actual physical layout at the site of operation shall be defined and assigned to named individuals. 

2.Biometric physical access security systems shall be installed to control and audit access to the operational site. 

3.Physical access to the operational site at all times shall be controlled and restricted to authorized personnel only. Personnel authorized for limited physical access shall not be allowed to gain unauthorized access to restricted area within operational site. 

4.Dual control over the inventory and issue of access cards/keys during normal business hours to the Data Centre shall be in place. An up-to-date list of personnel who possess the cards/keys shall be regularly maintained and archived for a period of three years. 

5.Loss of access cards/keys must be immediately reported to the security supervisor of the operational site who shall take appropriate action to prevent unauthorized access. 

6.All individuals, other than operations staff, shall sign in and sign out of the operational site and shall be accompanied by operations staff. 

7.Emergency exits shall be tested periodically to ensure that the access security systems are operational. 

 

8.All opening of the Data Centre should be monitored round the clock by surveillance video cameras. 

5. Information Management 


5.1 System Administration 

1.Each organization shall designate a properly trained “System Administrator” who will ensure that the protective security measures of the system are functional and who will maintain its security posture. Depending upon the complexity and security needs of a system or application, the System Administrator may have a designated System Security Administrator who will assume security responsibilities and provide physical, logical and procedural safeguards for information. 

2.Organisations shall ensure that only a properly trained System Security Administrator is assigned the system security responsibilities. 

3.The responsibility to create, classify, retrieve, modify, delete or archive information must rest only with the System Administrator. 

4.Any password used for the system administration and operation of trusted services must not be written down (in paper or electronic form) or shared with any one. A system for password management should be put in place to cover the eventualities such as forgotten password or changeover to another person in case of System Administrator (or System Security Administrator) leaving the organization. Every instance of usage of administrator’s passwords must be documented. 

5.Periodic review of the access rights of all users must be performed. 

6.The System Administrator must promptly disable access to a user’s account if the user is identified as having left the Data Centre, changed assignments, or is no longer requiring system access. Reactivation of the user’s account must be authorized in writing by the System Administrator (Digitally signed e-mail may be acceptable). 

7.The System Administrator must take steps to safeguard classified information as prescribed by its owner. 

 

8.The System Administrator must authorize privileged access to users only on a need-to-know and need-to-do basis and also only after the authorization is documented. 

9.Criteria for the review of audit trails/access logs, reporting of access violations and procedures to ensure timely management action/response shall be established and documented. 

10.All security violations must be recorded, investigated, and periodic status reports compiled for review by the management. 

11.The System Administrator together with the system support staff, shall conduct a regular analysis of problems reported to and identify any weaknesses in protection of the information. 

12.The System Administrator shall ensure that the data, file and Public Key Infrastructure (PKI) servers are not left unmonitored while these systems are powered on.

13.The System Administrator should ensure that no generic user is enabled or active on the system. 

5.2 Sensitive Information Control

1.Information assets shall be classified and protected according to their sensitivity and criticality to the organization. 

 

2.Procedures in accordance with Para 8.3 of these Guidelines must be in place to handle the storage media, which has sensitive and classified information. 

3.All sensitive information stored in any media shall bear or be assigned an appropriate security classification. 

4.All sensitive material shall be stamped or labeled accordingly. 

5.Storage media (i.e. floppy diskettes, magnetic tapes, portable hard disks, optical disks, etc.) containing sensitive information shall be secured according to their classification. 

6.Electronic communication systems, such as router, switches, network device and computers, used for transmission of sensitive information should be equipped or installed with suitable security software and if necessary with an encryptor or encryption software. The appropriate procedure in this regard should be documented.  

7.Procedures shall be in place to ensure the secure disposal of sensitive information assets on all corrupted/damaged or affected media both internal (e.g. hard disk/optical disk) and external (e.g. diskette, disk drive, tapes etc.) to the system. Preferably such affected/corrupted/damaged media both internal and external to the system shall be destroyed. 

5.3 Sensitive Information Security

1.Highly sensitive information assets shall be stored on secure removable media and should be in an encrypted format to avoid compromise by unauthorized persons. 

2.Highly sensitive information shall be classified in accordance with Para 3. 

3.Sensitive information and data, which are stored on the fixed disk of a computer shared by more than one person, must be protected by access control software (e.g., password). Security packages must be installed which partition or provide authorization to segregated directories/files. 

4.Removable electronic storage media must be removed from the computer and properly secured at the end of the work session or workday. 

5.Removable electronic storage media containing sensitive information and data must be clearly labeled and secured. 

6.Hard disks containing sensitive information and data must be securely erased prior to giving the computer system to another internal or external department or for maintenance. 

5.4 Third Party Access

1.Access to the computer systems by other organizations shall be subjected to a similar level of security protection and controls as in these Information Technology security guidelines. 

 

2.In case the Data Centre uses the facilities of external service/facility provider (outsourcer) for any of their operations, the use of external service/facility providers (e.g. outsourcer) shall be evaluated in light of the possible security exposures and risks involved and all such agreements shall be approved by the information asset owner. The external service or facility provider shall also sign non-disclosure agreements with the management of the Data Centre/operational site. 

3.The external service/facility provider (e.g. outsourcer) shall provide an equivalent level of security controls as required by these Information Technology Security Guidelines. 

5.5 Prevention of Computer Misuse

1.Prevention, detection, and deterrence measures shall be implemented to safeguard the security of computers and computer information from misuse. The measures taken shall be properly documented and reviewed regularly.  

 

2.Each organization shall provide adequate information to all persons, including management, systems developers and programmers, end-users, and third party users warning them against misuse of computers. 

3.Effective measures to deal expeditiously with breaches of security shall be established within each organization. Such measures shall include : 

i.Prompt reporting of suspected breach; 

ii.Proper investigation and assessment of the nature of suspected breach; 

iii.Secure evidence and preserve integrity of such material as relates to the discovery of any breach; 

iv.Remedial measures. 

4.All incidents related to breaches shall be reported to the System Administrator or System Security Administrator for appropriate action to prevent future occurrence. 

5.Procedure shall be set-up to establish the nature of any alleged abuse and determine the subsequent action required to be taken to prevent its future occurrence. Such procedures shall include: 

 

i.The role of the System Administrator, System Security Administrator and management; 

 

ii.Procedure for investigation; 

iii.Areas for security review; and 

iv.Subsequent follow-up action. 

6. System integrity and security measures


6.1 Use of Security Systems or Facilities

1.Security controls shall be installed and maintained on each computer system or computer node to prevent unauthorized users from gaining entry to the information system and to prevent unauthorized access to data. 

2.Any system software or resource of the computer system should only be accessible after being authenticated by access control system. 

6.2 System Access Control 

1.Access control software and system software security features shall be implemented to protect resources. Management approval is required to authorize issuance of user identification (ID) and resource privileges.  

 

2.Access to information system resources like memory, storage devices etc., sensitive utilities and data resources and programme files shall be controlled and restricted based on a “need-to-use” basis with proper segregation of duties. 

3.The access control software or operating system of the computer system shall provide features to restrict access to the system and data resources. The use of common passwords such as “administrator” or “president” or “game” etc. to protect access to the system and data resources represent a security exposure and shall be avoided. All passwords used must be resistant to dictionary attacks. 

4.Appropriate approval for the request to access system resources shall be obtained from the System Administrator. Guidelines and procedures governing access authorizations shall be developed, documented and implemented. 

5.An Access Control System manual documenting the access granted to different level of users shall be prepared to provide guidance to the System Administrator for grant of access. 

6.Each user shall be assigned a unique user ID. Adequate user education shall be provided to help users in password choice and password protection. Sharing of user IDs shall not be allowed. 

7.Stored passwords shall be encrypted using internationally proven encryption techniques to prevent unauthorized disclosure and modification. 

8.Stored passwords shall be protected by access controls from unauthorized disclosure and modification. 

9.Automatic time-out for terminal inactivity should be implemented. 

10.Audit trail of security-sensitive access and actions taken shall be logged. 

11.All forms of audit trail shall be appropriately protected against unauthorized modification or deletion.

12.Where a second level access control is implemented through the application system, password controls similar to those implemented for the computer system shall be in place.

13.Activities of all remote users shall be logged and monitored closely. 

14.The facility to login as another user from one user’s login shall be denied. However, the system should prohibit direct login as a trusted user (e.g. root in Unix, administrator in Windows NT or Windows 2000). This means that there must be a user account configured for the trusted administrator. The system requires trusted users to change their effective username to gain access to root and to re-authenticate themselves before requesting access to privileged functions.  

15.The startup and shutdown procedure of the security software must be automated. 

16.Sensitive Operating System files, which are more prone to hackers must be protected against all known attacks using proven tools and techniques. That is to say no user will be able to modify them except with the permission of System Administrator. 

6.3 Password Management 

(1) Certain minimum quality standards for password shall be enforced. The quality level shall be increased progressively. The following control features shall be implemented for passwords:

 

i.Minimum of eight characters without leading or trailing blanks; 

 

ii.Shall be different from the existing password and the two previous ones; 

iii.Shall be changed at least once every ninety days; for sensitive system, password shall be changed at least once every thirty days; and 

iv.Shall not be shared, displayed or printed. 

(2) Password retries shall be limited to a maximum of three attempted logons after which the user ID shall then be revoked; for sensitive systems, the number of password retries should be limited to a maximum of two. 

(3) Passwords which are easy-to-guess (e.g. user name, birth date, month, standard words etc.) should be avoided. 

(4) Initial or reset passwords must be changed by the user upon first use. 

(5) Passwords shall always be encrypted in storage to prevent unauthorized disclosure. 

(6) All passwords used must be resistant to dictionary attacks and all known password cracking algorithms. 
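
The following Python sketch is an added illustration of how the password controls in this section could be enforced in software; it is not part of the Guidelines. The names `Account`, `quality_problems`, `set_password` and `authenticate`, the sample word list and the user IDs are hypothetical, and storing salted scrypt hashes is an assumption of the example about how passwords are protected in storage.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

MIN_LENGTH = 8                      # minimum of eight characters
HISTORY_DEPTH = 3                   # existing password plus the two previous ones
MAX_AGE = {False: timedelta(days=90), True: timedelta(days=30)}  # keyed by "sensitive"
MAX_RETRIES = {False: 3, True: 2}   # failed logons before the user ID is revoked
WEAK_WORDS = {"administrator", "president", "game", "password"}  # constructed sample list


def _digest(password: str, salt: bytes) -> bytes:
    # Assumption of this example: passwords are stored as salted scrypt hashes,
    # so earlier passwords can be compared without keeping them readable.
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2**14, r=8, p=1)


@dataclass
class Account:
    user_id: str
    sensitive: bool = False
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # (salt, hash), newest first
    changed_at: Optional[datetime] = None
    must_change: bool = False       # set for initial or reset passwords
    failures: int = 0
    revoked: bool = False


def quality_problems(account: Account, candidate: str) -> List[str]:
    """Return every quality rule the candidate password breaks."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than eight characters")
    if candidate != candidate.strip():
        problems.append("leading or trailing blanks")
    lowered = candidate.lower()
    if lowered in WEAK_WORDS or account.user_id.lower() in lowered:
        problems.append("easy to guess")
    if any(hmac.compare_digest(_digest(candidate, salt), stored)
           for salt, stored in account.history[:HISTORY_DEPTH]):
        problems.append("matches the existing or one of the two previous passwords")
    return problems


def set_password(account: Account, candidate: str, now: datetime, reset: bool = False) -> None:
    """Store a new password; reset=True marks it for change on first use."""
    problems = quality_problems(account, candidate)
    if problems:
        raise ValueError("; ".join(problems))
    salt = os.urandom(16)
    account.history.insert(0, (salt, _digest(candidate, salt)))
    del account.history[HISTORY_DEPTH:]     # keep only what the reuse rule needs
    account.changed_at = now
    account.must_change = reset
    account.failures = 0


def authenticate(account: Account, attempt: str, now: datetime) -> str:
    """Return 'ok', 'change-required', 'denied' or 'revoked'."""
    if account.revoked:
        return "revoked"
    if not account.history:
        return "denied"
    salt, stored = account.history[0]
    if not hmac.compare_digest(_digest(attempt, salt), stored):
        account.failures += 1
        if account.failures >= MAX_RETRIES[account.sensitive]:
            account.revoked = True          # reactivation is an administrator decision
            return "revoked"
        return "denied"
    account.failures = 0
    if account.must_change or now - account.changed_at > MAX_AGE[account.sensitive]:
        return "change-required"
    return "ok"
```
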

 

6.4 Privileged User’s Management

1.System privileges shall be granted to users only on a need-to-use basis. 

2.Login privileges for highly privileged accounts should be available only from Console and terminals situated within Console room. 

3.An audit trail of activities conducted by highly privileged users shall be maintained for two years and reviewed periodically at least every week by operator who is independent of System Administrator. 

4.Privileged user shall not be allowed to log in to the computer system from remote terminal. The usage of the computer system by the privileged user shall be allowed during a certain time period. 

5.Separate user IDs shall be allowed to the user for performing privileged and normal (non-privileged) activities. 

6.The use of user IDs for emergency use shall be recorded and approved. The passwords shall be reset after use. 

6.5 User’s Account Management 

1.Procedures for user account management shall be established to control access to application systems and data. The procedures shall include the following: 

i.Users shall be authorized by the computer system owner to access the computer services. 

 

ii.A written statement of access rights shall be given to all users. 

iii.All users shall be required to sign an undertaking to acknowledge that they understand the conditions of access. 

iv.Where access to computer services is administered by service providers, ensure that the service providers do not provide access until the authorization procedures have been completed. This includes the acknowledgement of receipt of the accounts by the users. 

v.A formal record of all registered users of the computer services shall be maintained. 

vi.Access rights of users who have been transferred, or left the organization shall be removed immediately. 

vii.A periodic check shall be carried out for redundant user accounts and access rights that are no longer required. 

viii.Ensure that redundant user accounts are not re-issued to another user. 

2.User accounts shall be suspended under the following conditions: 

(i) when an individual is on extended leave or inactive use of over thirty days. In case of protected computer system, the limit of thirty days may be reduced to fifteen days by the System Administrator.

(ii) immediately upon the termination of the services of an individual.

(iii) suspended or inactive accounts shall be deleted after a two months period. In case of protected computer systems, the limit of two months may be reduced to one month.

6.6 Data and Resource Protection

1.All information assets shall be assigned an “owner” responsible for the integrity of that data/resource. Custodians shall be assigned and shall be jointly responsible for information assets by providing computer controls to assist owners. 

 

2.The operating system or security system of the computer system shall: 

(i) Define user authority and enforce access control to data within the computer system;

(ii) Be capable of specifying, for each named individual, a list of named data objects (e.g. file, programme) or groups of named objects, and the type of access allowed.

3.For networked or shared computer systems, system users shall be limited to a profile of data objects required to perform their needed tasks. 

4.Access controls for any data and/or resources shall be determined as part of the systems analysis and design process. 

5.Application Programmer shall not be allowed to access the production system. 

7. Sensitive Systems Protection 


1.Security tokens/smart cards/bio-metric technologies such as Iris recognition, finger print verification technologies etc. shall be used to complement the usage of passwords to access the computer system. 

2.For computer system processing sensitive data, access by other organizations shall be prohibited or strictly controlled. 

3.For sensitive data, encryption of data in storage shall be considered to protect its confidentiality and integrity. 

8. Data Centre Operations Security 

8.1 Job Scheduling

 

1.Procedures shall be established to ensure that all changes to the job schedules are appropriately approved. The authority to approve changes to job schedules shall be clearly assigned. 

2.As far as possible, automated job scheduling should be used. Manual job scheduling should require prior approval from the competent authority. 

 

8.2 System Operations Procedure 

1.Procedures shall be established to ensure that only authorized and correct job stream and parameter changes are made. 

2.Procedures shall be established to maintain logs of system activities. Such logs shall be reviewed by a competent independent party for indications of dubious activities. Appropriate retention periods shall be set for such logs. 

3.Procedures shall be established to ensure that people other than well-trained computer operators are prohibited from operating the computer equipment. 

 

4.Procedures shall be implemented to ensure the secure storage or distribution of all outputs/reports, in accordance with procedures defined by the owners for each system. 

8.3 Media Management


1.Responsibilities for media library management and protection shall be clearly defined and assigned.  

2.All media containing sensitive data shall be stored in a locked room or cabinets, which must be fire resistant and free of toxic chemicals. 

3.Access to the media library (both on-site and off-site) shall be restricted to the authorized persons only. A list of personnel authorized to enter the library shall be maintained. 

4.The media containing sensitive and back up data must be stored at three different physical locations in the country, which can be reached in few hours. 

5.A media management system shall be in place to account for all media stored on-site and off-site. 

6.All incoming/outgoing media transfers shall be authorized by management and users. 

7.An independent physical inventory check of all media shall be conducted at least every six months. 

8.All media shall have external volume identification. Internal labels shall be fixed, where available. 

9.Procedures shall be in place to ensure that only authorized addition/removal of media from the library is allowed. 

10.Media retention periods shall be established and approved by management in accordance with legal/regulatory and user requirements.

8.4 Media Movement

1.Proper records of all movements of computer tapes/disks between on-site and off-site media library must be maintained. 

2.There shall be procedures to ensure the authorized and secure transfer of media to/from external parties and the off-site location. A means to authenticate the receipt shall be in place.

3.Computer media that are being transported to off-site data backup locations should be stored in locked carrying cases that provide magnetic field protection and protection from impact while loading and unloading and during transportation. 

9. Data Backup and Off-site Retention

1.Back-up procedures shall be documented, scheduled and monitored. 

2.Up-to-date backups of all critical items shall be maintained to ensure the continued provision of the minimum essential level of service. These items include: 

i. Data files 

ii. Utilities programmes 

iii. Databases 

iv. Operating system software 

v. Applications system software 

vi. Encryption keys 

vii. Pre-printed forms 

viii. Documentation (including a copy of the business continuity plans) 

3. One set of the original disks for all operating system and application software must be maintained to ensure that a valid, virus-free backup exists and is available for use at any time. 

4. Backups of the system, application and data shall be performed on a regular basis. Backups should also be made for application under development and data conversion efforts. 

5. Data backup is required for all systems including personal computers, servers and distributed systems and databases. 

6. Critical system data and file server software must have full backups taken weekly. 

7. The backups must be kept in an area physically separate from the server. If critical system data on the LAN represents unique versions of the information assets, then the information backups must be rotated on a periodic basis to an off-site storage location. 

8. Critical system data and file server software must have incremental backups taken daily. 

9. Systems that are completely static may not require periodic backup, but shall be backed up after changes or updates in the information. 

 

10. Each LAN/system should have a primary and backup operator to ensure continuity of business operations. 

11. The business recovery plan should be prepared and tested on an annual basis. 

10. Audit Trails and Verification 

1.Transactions that meet exception criteria shall be completely and accurately highlighted and reviewed by personnel independent of those that initiate the transaction. 

2.Adequate audit trails shall be captured and certain information needed to determine sensitive events and pattern analysis that would indicate possible fraudulent use of the system (e.g. repeated unsuccessful logons, access attempts over a series of days) shall be analyzed. This information includes such information as who, what, when, where, and any special information such as: 

i. Success or failure of the event 

ii. Use of authentication keys, where applicable 

3.Automated or manual procedures shall be used to monitor and promptly report all significant security events, such as accesses, which are out-of-pattern relative to time, volume, frequency, type of information asset, and redundancy. Other areas of analysis include:

(i) Significant computer system events (e.g. configuration updates, system crashes)

(ii) Security profile changes

(iii) Actions taken by computer operations, system administrators, system programmers, and/or security administrators

4.The real time clock of the computer system shall be set accurately to ensure the accuracy of audit logs, which may be required for investigations or as evidence in legal or disciplinary cases.

5.The real time clock of the computer or communications device shall be set to Indian Standard Time (IST). Further there shall be a procedure that checks and corrects drift in the real time clock.

6.Computer system access records shall be kept for a minimum of two years, in either hard copy or electronic form. Records, which are of legal nature and necessary for any legal or regulation requirement or investigation of criminal behavior, shall be retained as per laws of the land.

7.Computer records of applications transactions and significant events must be retained for a minimum period of two years or longer depending on specific record retention requirements.

11. Measures to Handle Computer Virus

(1) Responsibilities and duties shall be assigned to ensure that all file servers and personal computers are equipped with up-to-date virus protection and detection software.

(2) Virus detection software must be used to check storage drives both internal and external to the system on a periodic basis.

(3) All diskettes and software shall be screened and verified by virus detection software before being loaded onto the computer system. No magnetic media like tape cartridge, floppies etc. brought from outside shall be used on the data, file, PKI or computer server or personal computer on Intranet and Internet without proper screening and verification by virus detection software.

(4) A team shall be designated to deal with reported or suspected incidents of computer virus. The designated team shall ensure that latest version of anti-virus software is loaded on all data, file, PKI servers and personal computers.

(5) Procedures shall be established to limit the spread of viruses to other organization information assets. Such procedures inter alia shall include:

i.Communication to other business partners and users who may be at risk from an infected resource 

ii.Eradication and recovery procedures 

iii.Incident report must be documented and communicated per established procedures. 

(6) An awareness and training programme shall be established to communicate virus protection practices, available controls, areas of high risk to virus infection and responsibilities.

12. Relocation of Hardware and Software 


Whenever computers or computer peripherals are relocated (e.g. for maintenance, installation at different sites or storage), the following guidelines shall apply:

i.All removable media will be removed from the computer system and kept at secure location. 

 

ii.Internal drives will be overwritten, reformatted or removed as the situation may be. 

iii.If applicable, ribbons will be removed from printers. 

iv.All paper will be removed from printers. 

 

13. Hardware and Software Maintenance

Whenever the hardware and software maintenance of the computer or computer network is being carried out, the following should be considered:

1.Proper placement and installation of Information Technology equipment to reduce the effects of interference due to electromagnetic emanations.

2.Maintenance of an inventory and configuration chart of hardware. 

3.Identification and use of security features implemented within hardware. 

4.Authorization, documentation, and control of change made to the hardware. 

5.Identification of support facilities including power and air conditioning. 

6.Provision of an uninterruptible power supply. 

7.Maintenance of equipment and services. 

8.Organisation must make proper arrangements for maintenance of computer hardware, software (both system and application) and firmware installed and used by them. It shall be the responsibility of the officer in charge of the operational site to ensure that contract for annual maintenance of hardware is always in place. 

9.Organisation must enter into maintenance agreements, if necessary, with the supplier of computer and communication hardware, software (both system and application) and firmware.

10.Maintenance personnel will sign non-disclosure agreements. 

11.The identities of all hardware and software vendor maintenance staff should be verified before allowing them to carry out maintenance work.

12.All maintenance personnel should be escorted within the operational site/computer system and network installation room by the authorized personnel of the organization. 

13.After maintenance, any exposed security parameters such as passwords, user IDs, and accounts will be changed or reset to eliminate any potential security exposures. 

14.If the computer system, computer network or any of its devices is vulnerable to computer viruses as a result of performing maintenance, system managers or users shall scan the computer system and its devices and any media affected for viruses as a result of maintenance. 

14. Purchase and Licensing of Hardware and Software

1.Hardware and software products that contain or are to be used to enforce security, and intended for use or interface into any organization system or network, must be verified to comply with these Information Technology Security Guidelines prior to the signing of any contract, purchase or lease. 

2.Software, which is capable of bypassing or modifying the security system or operating system, integrity features, must be verified to determine that they conform to these Information Technology Security Guidelines. Where such compliance is not possible, then procedures shall be in place to ensure that the implementation and operation of that software does not compromise the security of the system.

3.There shall be procedures to identify, select, implement and control software (system and application software) acquisition and installation to ensure compliance with the Indian Copyright Act and Information Technology Security Guidelines. 

4.It is prohibited to knowingly install on any system whether test or production, any software which is not licensed for use on the specific systems or networks. 

5.No software will be installed and used on the system when appropriate licensing agreements do not exist, except during evaluation periods for which the user has documented permission to install and test the software under evaluation. 

6.Illegally acquired or unauthorized software must not be used on any computer, computer network or data communication equipment. In the event that any illegally acquired or unauthorized software is detected by the System Administrator or Network Administrator, the same must be removed immediately. 
