O/o I.G. of Registration.

Chennai – 28

No. 53161/CS1/2003 dt. 6.11.03

Circular

Sub: Security policy – Instructions issued.

Ref: 1) Information Technology Act 2000.

2) Information Technology Rules 2000 Dated 17.10.2000

- - -

The main responsibility of the department is to preserve documents and information permanently. Any loss of data will damage the credibility of the department. Hence the following security measures are to be adopted in every office.

1) Hardware level measures:

A BIOS setup password must be activated on every machine. Note that a BIOS password only prevents changes to the setup from the keyboard; anyone who can open the case can clear it, so it complements the physical security of the machine rather than replacing it.

The BIOS supervisor password should be known to and used by the System Administrator alone.

Floppy access should be disabled (in the BIOS or with a physical lock) on all systems except one designated machine.

The boot order must permit booting only from the 'C' drive (hard disk). Booting from floppy or CD must be disabled, otherwise the operating system's password controls can be bypassed by booting another system from removable media.

2) OS level measures:

The Administrator password must be used only by the System Administrator.

The built-in user id 'Administrator' should be renamed. Renaming removes the obvious target name but does not change the account's well-known identifier, so it supplements a strong password rather than substituting for one.

CD-ROM access should be restricted to specific users only.

Sharing of hard disks (except the scan system drives) should be revoked, including the default administrative shares that Windows creates automatically (such as C$ and ADMIN$).

Every user must have a distinct user id and password; accounts must not be shared between users.

3) Antivirus:

The latest version of antivirus software and a firewall should be installed. The contractor should ensure compliance.

Virus definitions/signatures must be updated at least once a week.

Service packs for the operating system and other application software should be applied as and when they are released.

Security patches should be applied as soon as they are released; waiting until an outbreak is reported leaves the systems exposed in the interval.

4) Module level measures:

In the "STAR" module, every employee should be given a distinct user id for access.

The administrator password must be known exclusively to the System Administrator (SA).

Modification and deletion of records (if required) should be done only by the administrator, with the permission of the authority concerned.

In the "Scan" module, access rights to view Book III and Book IV images must be restricted to the Head of Office alone.

5) Backup process

There are two distinct domains for backup:

  1. Database backup
  2. Images backup

The following procedure applies:

  1. Database backup, i.e. backup of all working databases, should be done on a daily basis.
  2. Images backup should be taken on CD media daily, in addition to the regular archival copy on a hard disk.
  3. Backups must be kept in an area physically separate from the server, and a copy must be taken to an off-site storage location.
  4. All backups must be verified for retrievability of data: restore from the backup copy and confirm that the restored data is complete and intact, rather than relying on the backup job having reported success.
  5. Critical files of the server/client should be backed up once a month using 'NTBACKUP', which also provides the option of creating emergency repair diskettes.
  6. Backup registers must be maintained to ensure adherence to the prescribed frequency of backups, and must be signed by the Head of Office.
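The retrievability check in item 4 is the step most often skipped, because a backup job that finishes without error looks successful. The following is an added example, not part of the circular or of any departmental software, showing one way to carry it out: record a SHA-256 digest of every file at backup time, restore the archive to a scratch directory, and compare. The directory layout, file names and the corrupted-archive scenario in run_demo() are constructed here for illustration, and a plain tar archive stands in for the CD and NTBACKUP media named in the circular.

```python
"""Backup retrievability check (added example, not part of the circular).

Takes a backup of a directory into a tar archive, records a SHA-256
manifest of every file at backup time, then proves the backup is
retrievable by restoring it to a scratch directory and comparing each
restored file against the manifest.  The sample files and the corrupted
archive in run_demo() are constructed here for demonstration.
"""
import hashlib
import os
import tarfile
import tempfile
from typing import Dict, List, Tuple


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> Dict[str, str]:
    """Map each file's path relative to root to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def make_backup(src_dir: str, archive_path: str) -> Dict[str, str]:
    """Archive src_dir and return the manifest recorded at backup time.
    The manifest is what belongs in the backup register."""
    with tarfile.open(archive_path, "w") as tar:
        tar.add(src_dir, arcname=".")
    return build_manifest(src_dir)


def verify_backup(archive_path: str, manifest: Dict[str, str],
                  restore_dir: str) -> Tuple[bool, List[str]]:
    """Restore the archive and check every manifest entry.
    Returns (ok, problems); problems names files that are missing or altered."""
    # On Python >= 3.12 refuse members that would escape restore_dir.
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    try:
        with tarfile.open(archive_path, "r") as tar:
            tar.extractall(restore_dir, **kwargs)
    except (tarfile.TarError, OSError) as exc:
        # A backup that cannot be restored at all is not retrievable.
        return False, [f"restore failed: {exc}"]
    problems = []
    for rel, digest in manifest.items():
        path = os.path.join(restore_dir, rel)
        if not os.path.isfile(path):
            problems.append(f"missing: {rel}")
        elif sha256_file(path) != digest:
            problems.append(f"altered: {rel}")
    return not problems, problems


def run_demo() -> dict:
    """Constructed scenario: back up sample files, verify a clean restore,
    then verify a copy of the archive whose contents changed on the media."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "server")
        os.makedirs(os.path.join(src, "db"))
        os.makedirs(os.path.join(src, "images"))
        # Constructed stand-ins for the database and the scanned images.
        with open(os.path.join(src, "db", "records.txt"), "w") as f:
            f.write("record-0001 deed 2003\nrecord-0002 deed 2003\n")
        with open(os.path.join(src, "images", "book3_page1.bin"), "wb") as f:
            f.write(bytes(range(256)) * 4)

        archive = os.path.join(work, "backup.tar")
        manifest = make_backup(src, archive)
        good_ok, good_problems = verify_backup(
            archive, manifest, os.path.join(work, "restore_good"))

        # Simulate a bad disc: four bytes inside records.txt change on the
        # media.  tar has no checksum over file data, so the restore still
        # "succeeds"; only the manifest comparison exposes the damage.
        with open(archive, "rb") as f:
            data = bytearray(f.read())
        pos = data.find(b"record-0002")
        data[pos:pos + 4] = b"XXXX"
        corrupt = os.path.join(work, "backup_bad.tar")
        with open(corrupt, "wb") as f:
            f.write(data)
        bad_ok, bad_problems = verify_backup(
            corrupt, manifest, os.path.join(work, "restore_bad"))

        return {"good_ok": good_ok, "good_problems": good_problems,
                "bad_ok": bad_ok, "bad_problems": bad_problems}


if __name__ == "__main__":
    print(run_demo())
```

The corrupted copy restores without any error, because the tar format carries no checksum over file contents; only the digest comparison reports the altered file. The digests recorded at backup time are the natural thing to enter in the backup register next to the Head of Office's signature, since the signature alone cannot show that the data on the disc is unchanged.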

General:

Password management:

Passwords should have a minimum of eight characters, without leading or trailing blanks.

Passwords shall be changed at least once every 90 days.

Passwords that are easy to guess (names, dates of birth, office names, the user id itself) should be avoided.

Passwords must be resistant to dictionary attacks: a dictionary word, even with digits appended or letters replaced by look-alike symbols, is recovered quickly by common password-cracking tools and does not meet this requirement.

Each password should combine letters and digits (and punctuation where the system permits it).
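One way to enforce the rules above at the point where a user id is created or a password is changed, as an added example that is not part of the circular. The script, its word list and the look-alike substitution table are assumptions made here for illustration; a real deployment would load a full dictionary or common-password file in place of WORD_LIST.

```python
"""Password-policy check for the rules above (added example, not part of
the circular).  Assumptions, none of which come from the circular: the
check runs when a user id is created or a password is changed, and the
word list below is a small constructed sample standing in for a full
dictionary / common-password file."""
import re
from typing import List

MIN_LENGTH = 8

# Constructed sample word list; a real check loads a full dictionary.
WORD_LIST = {"password", "chennai", "registration", "welcome", "admin", "letmein"}

# Look-alike substitutions that dictionary attacks try automatically,
# so "p@ssw0rd" is still the dictionary word "password".
LEET_MAP = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "i", "!": "i",
                          "3": "e", "$": "s", "5": "s", "7": "t"})


def dictionary_hit(pw: str) -> bool:
    """True if the password is a dictionary word, possibly with leading or
    trailing digits/punctuation added or look-alike substitutions applied."""
    lower = pw.lower()
    # "chennai2003!" -> "chennai"; "p@ssw0rd1" -> "p@ssw0rd"
    bare = re.sub(r"^[0-9]+|[^a-z]+$", "", lower)
    forms = {lower, bare, lower.translate(LEET_MAP), bare.translate(LEET_MAP)}
    return any(form in WORD_LIST for form in forms)


def check_password(pw: str, user_id: str = "") -> List[str]:
    """Return the list of policy rules the password violates
    (an empty list means the password is compliant)."""
    problems = []
    if pw != pw.strip():
        problems.append("leading or trailing blanks")
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (re.search(r"[A-Za-z]", pw) and re.search(r"[0-9]", pw)):
        problems.append("must combine letters and digits")
    if user_id and user_id.lower() in pw.lower():
        problems.append("contains the user id")
    if dictionary_hit(pw):
        problems.append("dictionary word, with or without substitutions")
    return problems


def is_compliant(pw: str, user_id: str = "") -> bool:
    return not check_password(pw, user_id)


if __name__ == "__main__":
    for candidate in ["Chennai2003", "p@ssw0rd1", " Rg7#kLp2q", "Rg7#kLp2q"]:
        print(repr(candidate), check_password(candidate, "ravi") or "OK")
```

The dictionary test is deliberately stricter than an exact-match lookup: "Chennai2003" satisfies the length and letters-plus-digits rules, yet it is the office name with a year appended, exactly the pattern a cracking tool tries first, so it is rejected.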

Media management:

The media used should be of good quality.

Unknown brands / makes should be avoided for critical data storage.

Archival CDs must be labelled with a felt-tip (OHP) pen only; ballpoint pens and adhesive labels can damage the disc.

The disc itself should be labelled, in addition to the label on the CD case.

The Head of Office should sign each CD to attest its authenticity. A handwritten signature identifies the disc as the official copy; it does not by itself show that the data on it is unaltered, which is what the retrievability check in the backup procedure is for.

Movement of media (CDs) should be recorded in a register to enable tracking at a later date.

Responsibilities for media management and protection shall be clearly defined and assigned.

All media containing sensitive data shall be stored in a locked cabinet / almirah.

A physical check of all media shall be conducted by the Head of Office at least once a month.

Disaster recovery / management:

In case of hard disk failure amounting to data loss (scan machine / server), the following steps are to be taken.

1) The system must be shut down immediately and powered off, to avoid further damage to the disk and overwriting of recoverable data.

2) On no account should the contractor or the Head of Office attempt to recover the data themselves.

3) Key Resource Persons must be informed of the incident by mail or phone.

4) Technical staff from headquarters will assist in this regard.

Inventory management

An inventory register should be maintained by the Head of Office for the system and peripherals in use to avoid any possible misplacement.

A collective inventory of the systems at SRO level shall be maintained in the DR Office detailing the number and make of hardware. Likewise a collective inventory of systems at the district level shall be maintained at the DIG office.

Periodical inspection of inventories shall be made by the DR and the DIG at least once in 3 months.

Charts detailing the configuration of the systems should be displayed for ready reference in every office.

The systems should be labeled with their network name for ease of use.

Maintenance

All updates such as service packs for the OS, virus definitions and security updates will be provided by the contractors. Contractors will also be held responsible for any loss of data during installation / re-installation / repair.

No software other than what is officially permitted should be installed.

Any failure in maintenance of hardware / antivirus / software should be attended to by the contractors within the time stipulated in the agreement. Failure to do so will attract the penalty stated in the agreement or may lead to cancellation of the agreement. The Heads of Offices concerned should report any breach of an agreement clause to the DR and DIG, so that the penalty can be imposed on the contractor(s).

Network Security:

The password (PIN) protecting a digital signature must not be shared with anyone, as the IT Act places direct legal responsibility on the holder of the signature for any failure or mistake made with it.

This password should be changed once every 30 days.

No information relating to the password or the signing (private) key should be stored on the system. It should be kept only on a CD or smart card; a smart card is preferable, since the private key never leaves it.

Sd/- Inspector General of Regn

6.11.03

/by order/

for Inspector General of Regn

To

All DRs, DIGs, RTI,

Copy to SF and all officers.