Asset Management (continued)
5. All removable media devices need to be scanned for malicious threats and all unnecessary data removed prior to further use.
6. Take necessary steps to protect Information Assets from physical damage like fire, moisture and magnetic interference.
7. Storage media like pen drives, hard drives, CDs etc. must be disposed of securely and safely when no longer required. Data must be erased before any asset such as media, computer systems and electronic office equipment etc. is transferred or disposed of. The method of destruction followed should be such that nothing could be recovered post-destruction (using degaussing, physical destruction, data wiping etc.). Necessary entries should be made in the Media Disposal Register regarding safe disposal of assets.
8. In the event exceptions are identified in relation to media disposal activities, an incident report should be raised in accordance with the Information Security Incident Management Procedure.
9. Take necessary steps to protect media and information assets etc. from unauthorized access during their transportation.
10. In case of transfer, retirement, suspension, termination or long leave, all Information Assets in the custody of the officer should be handed over to the succeeding incumbent and entries for the same should be made in the Asset Registers.

Follow and educate the subordinate officials (including the contractual employees) of the office in the Acceptable Usage Policy for the Departmental Assets. Ensure that the officials paste the Do’s and Don’ts for use of Information Assets (Annexure 2) at their workstations or at a prominent place in their offices for constant reminder and reference.
Timeline: Within 25 days from the receipt of Instructions.
Reference: A set of Do’s and Don’ts in accordance with the Department’s Acceptable Usage Policy is reproduced in Annexure 2.

Human Resource Security
Train and educate the subordinate staff regarding the Information Security Policy.
Timeline: Within 1 month from the receipt of Instructions for the existing staff, and within 1 week whenever a new staff member joins the office.
Asset Management
Steps required to be taken for management of Information Assets in the office:
1. Identify all the Information Assets of category Hardware assets and Software assets and create an Asset Inventory. Officers in whose office the asset is being used, or whoever has been assigned the task of managing works related to that asset, shall identify all the assets and forward the information to the DDO to record them in Asset Registers.
2. All the officers shall classify Information Assets in their offices and put appropriate labels on them.
3. At the time of change of incumbent, an entry is to be made in the asset inventory register for handing over of the Assets to the successor.
4. Ensure that the portable devices are password protected.
5. All removable media devices need to be scanned for malicious threats and all unnecessary data removed prior to further use.
6. Take necessary steps to protect Information Assets from physical damage like fire, moisture and magnetic interference.
7. Storage media like pen drives, hard drives, CDs etc. must be disposed of securely and safely when no longer required. Data must be erased before any asset such as media, computer systems and electronic office equipment etc. is transferred or disposed of. The method of destruction followed should be such that nothing could be recovered post-destruction (using degaussing, physical destruction, data wiping etc.). Necessary entries should be made in the Media Disposal Register regarding safe disposal of assets.
8. In the event exceptions are identified in relation to media disposal activities, an incident report should be raised in accordance with the Information Security Incident Management Procedure.
9. Take necessary steps to protect media and information assets etc. from unauthorized access during their transportation.
10. In case of transfer, retirement, suspension, termination or long leave, all Information Assets in the custody of the officer should be handed over to the succeeding incumbent and entries for the same should be made in the Asset Registers.
Timeline: Within 15 days from the receipt of Instructions.
Reference: Details of Information Assets and Asset Registers provided in Annexure 1.

Follow and educate the subordinate officials (including the contractual employees) of the office in the Acceptable Usage Policy for the Departmental Assets. Ensure that the officials paste the Do’s and Don’ts for use of Information Assets (Annexure 2) at their workstations or at a prominent place in their offices for constant reminder and reference.
Timeline: Within 25 days from the receipt of Instructions.
Reference: A set of Do’s and Don’ts in accordance with the Department’s Acceptable Usage Policy is reproduced in Annexure 2.

Human Resource Security
Train and educate the subordinate staff regarding the Information Security Policy.
Timeline: Within 1 month from the receipt of Instructions for the existing staff, and within 1 week whenever a new staff member joins the office.

Ensure that Non-Disclosure Agreements are signed by all Contractors/MSPs/sub-contractors/contractual staff working in the office.
Timeline: To be implemented within one month of receipt of Instructions.
Reference: Non-Disclosure Agreements explained in Annexure 7.
Ensure that appropriate Background verification reports of Contractual employees are submitted by Contractors to the DDO for all contractual employees working in the office.
Timeline: To be implemented within two months of receipt of Instructions.
Reference: Background verification explained in Annexure 8.

Physical and Environmental Security
All electronic office equipment including faxes, printers and EPABX must be physically secured to ensure safety from environmental hazards like rain, lightning, flood etc. and physical hazards such as fire.
Timeline: Within 25 days from the receipt of Instructions.

Incident Management
1. Adhere to Information Security Policies and Procedures.
2. Report policy violations and information security incidents to BISO/LISO.
3. Investigate Information Security Incidents of the nature of Human Resource Security and Asset Management with respect to their office.
4. Take disciplinary action against the officers/officials responsible for an Information Security Incident.
Reference: Details of Information Security Incidents and SOP to handle such incidents provided in Annexure 3.
Sr. No. 3: Pr.CIT/Pr.DIT/CIT/DIT/ADG

Asset Management
Steps required to be taken for management of Information Assets in the office:
1. Identify all the Information Assets of category Hardware assets and Software assets and create an Asset Inventory. Officers in whose office the asset is being used, or whoever has been assigned the task of managing works related to that asset, shall identify all the assets and forward the information to the DDO to record them in Asset Registers.
2. All the officers shall classify Information Assets in their offices and put appropriate labels on them.
3. At the time of change of incumbent, an entry is to be made in the asset inventory register for handing over of the Assets to the successor.
4. Ensure that the portable devices are password protected.
5. All removable media devices need to be scanned for malicious threats and all unnecessary data removed prior to further use.
6. Take necessary steps to protect Information Assets from physical damage like fire, moisture and magnetic interference.
7. Storage media like pen drives, hard drives, CDs etc. must be disposed of securely and safely when no longer required. Data must be erased before any asset such as media, computer systems and electronic office equipment etc. is transferred or disposed of. The method of destruction followed should be such that nothing could be recovered post-destruction (using degaussing, physical destruction, data wiping etc.). Necessary entries should be made in the Media Disposal Register regarding safe disposal of assets.
8. In the event exceptions are identified in relation to media disposal activities, an incident report should be raised in accordance with the Information Security Incident Management Procedure.
9. Take necessary steps to protect media and information assets etc. from unauthorized access during their transportation.
10. In case of transfer, retirement, suspension, termination or long leave, all Information Assets in the custody of the officer should be handed over to the succeeding incumbent and entries for the same should be made in the Asset Registers.
Timeline: Within 15 days from the receipt of Instructions.
Reference: Details of Information Assets and Asset Registers provided in Annexure 1.

HoDs (PDIT/PCIT/DIT/CIT) to ensure that the Asset Registers are created by the DDO and all Hardware and Software Assets are enlisted in the Registers.
Timeline: Within 15 days from the receipt of Instructions.
Reference: Details of Information Assets and Asset Registers provided in Annexure 1.

Asset Registers must be reviewed by the HoD (PDIT/PCIT/DIT/CIT) on a half-yearly basis to ensure they are current and up to date. A suitable entry may be made in the Registers indicating the date of review and the observations of the officer.
Timeline: Periodically, every six months.

Follow and educate the subordinate officials (including the contractual employees) of the office in the Acceptable Usage Policy for the Departmental Assets. Ensure that the officials paste the Do’s and Don’ts for use of Information Assets (Annexure 2) at their workstations or at a prominent place in their offices for constant reminder and reference.
Timeline: Within 25 days from the receipt of Instructions.
Reference: A set of Do’s and Don’ts in accordance with the Department’s Acceptable Usage Policy is reproduced in Annexure 2.

Physical and Environmental Security
All electronic office equipment including faxes, printers and EPABX must be physically secured to ensure safety from environmental hazards like rain, lightning, flood etc. and physical hazards such as fire.
Timeline: Within 25 days from the receipt of Instructions.

Human Resource Security
Train and educate the subordinate staff regarding the Information Security Policy.
Timeline: Within 1 month from the receipt of Instructions for the existing staff, and within 1 week whenever a new staff member joins the office.

Ensure that Non-Disclosure Agreements are signed by all Contractors/MSPs/sub-contractors/contractual staff working under the hierarchy of the HoD.
Timeline: To be implemented within one month of receipt of Instructions.
Reference: Non-Disclosure Agreements explained in Annexure 7.

Ensure that appropriate Background verification reports of Contractual employees are submitted by Contractors to the DDO for all contractual employees working under the hierarchy of the HoD.
Timeline: To be implemented within two months of receipt of Instructions.
Reference: Background verification explained in Annexure 8.

The HoD must ensure that the access rights of all contractors/MSPs/contractual staff to information and information processing facilities are removed upon termination of their contractor agreement.
Timeline: Within 1 month from the receipt of Instructions.

Incident Management
1. Adhere to Information Security Policies and Procedures.
2. Report policy violations and information security incidents to BISO/LISO.
3. Provide monthly reports to the Commissioner (Admn. & TPS) on the status of information security, policy violations and information security incidents.
4. Investigate Information Security Incidents of the nature of Human Resource Security and Asset Management.
5. Take disciplinary action against the officers/officials responsible for an Information Security Incident.
Reference: Details of Information Security Incidents and SOP to handle such incidents provided in Annexure 3.
Sr. No. 4: CIT(Admin) cum LISO

Asset Management
LISO shall be responsible for preparing a list of Asset Owners in his jurisdiction. Each Asset Owner shall be given a Code. This code shall form the first 7 characters of the Asset Id in the following manner:
(i) First three letters shall indicate the city where the Asset is present, e.g. MUM for Mumbai or DEL for Delhi.
(ii) Next four letters shall indicate the Asset Owner’s office where the Asset is stationed, e.g. Investigation Unit 10(1) may be indicated by I101 or Jurisdictional Circle-46(1) by J461.
Reference: Details of Information Assets Nomenclature and Asset Id provided in Annexure 1.
Physical and Environmental Security
Physical Security Perimeter:
1. All the Department areas must be logically divided into different physical zones. Each zone must have an appropriate level of access restrictions and access authorization requirements.
2. Areas containing critical IT equipment or handling sensitive information, such as information received from foreign jurisdictions or information related to an investigation matter, must be designated as High Security Zones. Critical or sensitive information processing facilities must be protected by defined security perimeters, with appropriate security barriers and entry controls.
3. Server rooms or other areas containing critical IT equipment must be secured using a biometric access control mechanism.
Timeline: In case not in place, to be ensured within 2 months of receipt of Instructions.

Physical Access Control:
1. For Contractual employees: creation of I-cards/Access cards at the time of hiring, provisioning of access in the access control system, allotted cards to be updated periodically and to be obtained back/disabled at the time of removal/end of contract.
2. Visitors’ entry into the premises must be restricted by appropriate security validations like checking the identity (company ID, driving license, voter’s ID, etc.) of the visitor, random frisking of visitors, checking their belongings and bags, etc.
3. A confirmation from the visited employee must be taken before allowing a visitor inside the Department premises.
4. All movement of material going in and out of the premises must be duly authorized and tracked.
Timeline: In case not in place, to be ensured within 1 month of receipt of Instructions.
Responsibility: To be ensured by the Building In-charge Officer of the concerned building.

Protecting against External and Environmental Hazards:
1. The Department’s offices must be fitted with appropriate firefighting devices at critical locations in order to arrest fire and to avoid damage to the various resources of the Department. Selected Department employees must know how to use these firefighting devices.
2. Monitoring of fire sensors, smoke sensors and other fire safety alarms is to be done regularly.
3. Safety measures like fire and earthquake evacuation drills must be practiced regularly.
4. Appropriate safety measures must be taken to avoid loss and damage due to water flooding or an inappropriate drainage system within the premises of the Department.
5. Physical protection against damage from natural or man-made disaster must be designed and applied.
Timeline: In case not in place, to be ensured within 2 months of receipt of Instructions.
Responsibility: To be ensured by the Building In-charge Officer of the concerned building.
CCTV:
1. … CCTV cameras.
2. There should be restricted entry to the CCTV control room.
3. Monitoring of CCTV should be done by departmental employees.
Timeline: Within 1 month of receipt of Instructions.
Responsibility: To be ensured by the Building In-charge Officer of the concerned building.

Incident Management
1. Provide monthly reports to the LISC on the status of information security, policy violations and information security incidents in the region.
2. If required, the LISO shall contact authorities outside the Department like police, fire brigade etc. for resolution of Information Security Incidents.
3. LISO should send a monthly Incidents report to the CISO with respect to the Information Security Incidents.

Human Resource Security
1. Ensure that ongoing information security awareness education and training is provided to all employees and users in the region.
2. Communicate Information Security Policies and Procedures to all employees in the region.

Ensure that Non-Disclosure Agreements are signed by all Contractors/MSPs/sub-contractors/contractual staff working in the region.
Timeline: To be implemented within one month of receipt of Instructions.
Reference: Non-Disclosure Agreements explained in Annexure 7.
BISO*

Physical and Environmental Security (continued)
1. … defined and implemented.
2. Oversee implementation of Information Security Policies and Procedures related to environmental and physical security in the building.

Incident Management
1. In case an Information Security Incident is reported or observed, the BISO should conduct an inquiry into the breach to give a preliminary report to the LISO within 24 hours of the incident. The preliminary report should identify the relevant stakeholders who need to be immediately informed of the incident, to safeguard against further data loss.
2. The BISO should safeguard the area of the incident in such a way that data loss can be minimized.
3. If the Information Security Incident is of the nature of a cyber security incident then BISO shall intimate AD(Systems)/DD(Systems)/JD(Systems) in the office of Pr.CCIT(CCA).
4. BISO shall ensure that the AD(Systems)/DD(Systems)/JD(Systems) are given full access and cooperation to resolve an issue of cyber security.
5. If the Information Security Incident is of the nature of a physical or environmental security incident then BISO shall intimate LISO regarding the incident.
6. If the Information Security Incident is of the nature of a human resource security incident or asset management security incident then BISO shall intimate the HoD (PCIT/PDIT/CIT/DIT/ADG) regarding the incident.
7. Once an incident is resolved, the BISO shall send a report to the LISO describing the incident and its resolution.
8. BISO should send a monthly Incidents report to the LISO with respect to the Information Security Incidents.
Reference: Details of Information Security Incidents and SOP to handle such incidents provided in Annexure 3.

*BISO will be nominated by LISO for each building. BISO will be an officer not below the rank of CIT who is stationed in the building concerned. If there is no officer of the rank of CIT and above in a building, then the senior-most officer posted in the building may be appointed as BISO. The building in-charge of the building will report to the BISO with respect to matters of Information Security, which includes physical and environmental security.
Sr. No. 7: Addl.CIT/Addl.DIT/Jt.CIT/Jt.DIT

Asset Management
Steps required to be taken for management of Information Assets in the office:
1. Identify all the Information Assets of category Hardware assets and Software assets and create an Asset Inventory. Officers in whose office the asset is being used, or whoever has been assigned the task of managing works related to that asset, shall identify all the assets and forward the information to the DDO to record them in Asset Registers.
2. All the officers shall classify Information Assets in their offices and put appropriate labels on them.
3. At the time of change of incumbent, an entry is to be made in the asset inventory register for handing over of the Assets to the successor.
4. Ensure that the portable devices are password protected.
5. All removable media devices need to be scanned for malicious threats and all unnecessary data removed prior to further use.
6. Take necessary steps to protect Information Assets from physical damage like fire, moisture and magnetic interference.
7. Storage media like pen drives, hard drives, CDs etc. must be disposed of securely and safely when no longer required. Data must be erased before any asset such as media, computer systems and electronic office equipment etc. is transferred or disposed of. The method of destruction followed should be such that nothing could be recovered post-destruction (using degaussing, physical destruction, data wiping etc.). Necessary entries should be made in the Media Disposal Register regarding safe disposal of assets.
8. In the event exceptions are identified in relation to media disposal activities, an incident report should be raised in accordance with the Information Security Incident Management Procedure.
9. Take necessary steps to protect media and information assets etc. from unauthorized access during their transportation.
10. In case of transfer, retirement, suspension, termination or long leave, all Information Assets in the custody of the officer should be handed over to the succeeding incumbent and entries for the same should be made in the Asset Registers.
Timeline: Within 15 days from the receipt of Instructions.
Reference: Details of Information Assets and Asset Registers provided in Annexure 1.

Follow and educate the subordinate officials (including the contractual employees) of the office in the Acceptable Usage Policy for the Departmental Assets. Ensure that the officials paste the Do’s and Don’ts for use of Information Assets (Annexure 2) at their workstations or at a prominent place in their offices for constant reminder and reference.
Timeline: Within 25 days from the receipt of Instructions.
Reference: A set of Do’s and Don’ts in accordance with the Department’s Acceptable Usage Policy is reproduced in Annexure 2.

Physical and Environmental Security
All electronic office equipment including faxes, printers and EPABX must be physically secured to ensure safety from environmental hazards like rain, lightning, flood etc. and physical hazards such as fire.
Timeline: Within 25 days from the receipt of Instructions.

Incident Management
1. Adhere to Information Security Policies and Procedures.
2. Report policy violations and information security incidents to higher authorities.
Reference: Details of Information Security Incidents provided in Annexure 3.
Incident Management (continued)
… then that shall be done by the AMC vendor of the affected system.
3. The AD(Systems)/DD(Systems)/JD(Systems) shall ensure that resolution happens in accordance with the Information Security Policy.
4. The AD(Systems)/DD(Systems)/JD(Systems) shall take steps to preserve logs, safeguard evidence, classify the incident and do root cause analysis in accordance with the Information Security Policy for cyber security incidents.
Sr. No. 9: DCIT/DDIT/ACIT/ADIT/ITO

Asset Management
Steps required to be taken for management of Information Assets in the office:
1. Identify all the Information Assets of category Hardware assets and Software assets and create an Asset Inventory. Officers in whose office the asset is being used, or whoever has been assigned the task of managing works related to that asset, shall identify all the assets and forward the information to the DDO to record them in Asset Registers.
2. All the officers shall classify Information Assets in their offices and put appropriate labels on them.
3. At the time of change of incumbent, an entry is to be made in the asset inventory register for handing over of the Assets to the successor.
4. Ensure that the portable devices are password protected.
5. All removable media devices need to be scanned for malicious threats and all unnecessary data removed prior to further use.
6. Take necessary steps to protect Information Assets from physical damage like fire, moisture and magnetic interference.
7. Storage media like pen drives, hard drives, CDs etc. must be disposed of securely and safely when no longer required. Data must be erased before any asset such as media, computer systems and electronic office equipment etc. is transferred or disposed of. The method of destruction followed should be such that nothing could be recovered post-destruction (using degaussing, physical destruction, data wiping etc.). Necessary entries should be made in the Media Disposal Register regarding safe disposal of assets.
8. In the event exceptions are identified in relation to media disposal activities, an incident report should be raised in accordance with the Information Security Incident Management Procedure.
9. Take necessary steps to protect media and information assets etc. from unauthorized access during their transportation.
10. In case of transfer, retirement, suspension, termination or long leave, all Information Assets in the custody of the officer should be handed over to the succeeding incumbent and entries for the same should be made in the Asset Registers.
Timeline: Within 15 days from the receipt of Instructions.
Reference: Details of Information Assets and Asset Registers provided in Annexure 1.

Follow and educate the subordinate officials (including the contractual employees) of the office in the Acceptable Usage Policy for the Departmental Assets. Ensure that the officials paste the Do’s and Don’ts for use of Information Assets (Annexure 2) at their workstations or at a prominent place in their offices for constant reminder and reference.
Timeline: Within 25 days from the receipt of Instructions.
Reference: A set of Do’s and Don’ts in accordance with the Department’s Acceptable Usage Policy is reproduced in Annexure 2.

Physical and Environmental Security
All electronic office equipment including faxes, printers and EPABX must be physically secured to ensure safety from environmental hazards like rain, lightning, flood etc. and physical hazards such as fire.
Timeline: Within 25 days from the receipt of Instructions.

Incident Management
1. Adhere to Information Security Policies and Procedures.
2. Report policy violations and information security incidents to higher authorities.
Reference: Details of Information Security Incidents provided in Annexure 3.
Sr. No. 10: DDO

Physical and Environmental Security
All electronic office equipment including faxes, printers and EPABX must be physically secured to ensure safety from environmental hazards like rain, lightning, flood etc. and physical hazards such as fire.
Timeline: Within 25 days from the receipt of Instructions.

Access to delivery and loading areas:
1. Ensuring that no unauthorised person can enter the delivery/loading areas.
2. Inspection of goods received in the delivery area for potential threats.
3. Entry in separate registers of items received for delivery/dispatch.
Timeline: To be implemented within one month of receipt of Instructions.
Responsibility: To be implemented by the DDO with the assistance of security personnel.

Movement of goods/equipment:
1. Ensuring that no unauthorised person can enter/exit the building for movement of goods.
2. Examination/verification of goods against the invoice/gate-pass.
3. Entry in separate registers of incoming/outgoing items.
Timeline: To be implemented within one month of receipt of Instructions.
Responsibility: To be implemented by the DDO with the assistance of security personnel.

Ensure that appropriate Background verification reports of Contractual employees are submitted by Contractors for all contractual employees.
Timeline: To be implemented within two months of receipt of Instructions.
Reference: Background verification explained in Annexure 8.

Asset Management
1. Create Asset Registers and enlist all Hardware and Software Assets in the Registers in the prescribed format.
2. Obtain periodic information regarding Information Assets from the officers/officials using these assets and update the Asset Registers accordingly.
3. All computer, communication, security, backup power etc. equipment must be brought under AMC after the initial warranty is over. AMC may be given only to trustworthy vendors after due background verification.
4. Renew all necessary licenses of software, anti-virus etc. in a timely manner. Ensure that only licensed and valid software is installed.
5. Ensure that contractual employees return the Department’s Information Assets in case of transfer or termination of employment.
Timeline: Within 25 days from the receipt of Instructions.
Reference: Details of Information Assets and Asset Registers provided in Annexure 1.

Incident Management
1. Adhere to Information Security Policies and Procedures.
2. Report policy violations and information security incidents to higher authorities.
Reference: Details of Information Security Incidents provided in Annexure 3.
(continued)
… suppliers to supply items to the DDO. Verification from the DDO and other processes to be the same as in the case of Visitor/Maintenance Personnel.
Timeline: To be implemented within one month of receipt of Instructions.

Access to delivery and loading areas:
1. Ensuring that no unauthorised person can enter the delivery/loading areas.
2. Inspection of goods received in the delivery area for potential threats.
3. Entry in separate registers of items received for delivery/dispatch.
Timeline: To be implemented within one month of receipt of Instructions.
Responsibility: To be implemented by the DDO with the assistance of security personnel.

Movement of goods/equipment:
1. Ensuring that no unauthorised person can enter/exit the building for movement of goods.
2. Examination/verification of goods against the invoice/gate-pass.
3. Entry in separate registers of incoming/outgoing items.
Timeline: To be implemented within one month of receipt of Instructions.
Responsibility: To be implemented by the DDO with the assistance of security personnel.

Asset Management
1. No contractual employee and no Departmental employee below the rank of ITO is to be allowed to carry any electronic device (except mobile) in and out of the premises without an entry in the log register.
2. The incoming material log register is to be filled before any media enters ITD premises.
3. An outgoing material log is to be maintained when physical media is transported out of ITD premises.
Timeline: To be implemented within 15 days of receipt of Instructions.

Incident Management
1. Adhere to Information Security Policies and Procedures.
2. Report policy violations and information security incidents to higher authorities.
Reference: Details of Information Security Incidents provided in Annexure 3.
Annexure-1
A. Information Assets
The CISO Instruction No. 2/2022 dated 21-01-2022 defines the term information asset as follows:
“An information asset is a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. Information resources include information and related resources, such as personnel, equipment, funds and information technology.”
Examples of Information Assets included in the CISO Instruction No. 2/2022 are:
o Information assets: databases and data files, contracts and agreements, system documentation, research information, user manuals, training material, operational or support procedures, business continuity plans, fallback arrangements, audit trails, and archived information;
o Software assets: application software, system software, development tools, and utilities;
o Hardware assets: computer equipment, communications equipment, removable media, and other equipment.
The Information Security Guidelines also mention non-IT Assets as Information Assets.
For the sake of simplicity and ease of Information Asset Management, three broad categories of Assets need to be identified, inventoried and handled from various perspectives.
1. Information Technology Hardware Assets: These include:
a. Computer equipment like Desktops, Laptops, Servers etc.
b. Communications equipment like Mobile Phones, Routers, etc.
c. Removable media like pen-drives, flash drives, tape-drives, CDs, Portable Hard Drives etc.
d. Other equipment like webcams, scanners, printers, network printers etc.
2. Information Technology Software Assets: These include:
a. Operating Systems like Windows, Mac OS, Linux, etc.
b. Departmental Software Systems like ITBA/Efiling/Project Insight etc.
c. Word Processors and Spread Sheets like MS Word and Excel
d. Databases and data files
3. Non-IT Assets: These include:
a. Files/Folders like Assessment Records, Appeal Records, CSR Folders, Administrative Records, Service Books.
b. Reports like Appraisal Reports, Investigation Reports, Reports of Committees and Working Groups etc.
c. Miscellaneous Records: Any other non-IT Assets not falling in the above categories.
Information Assets like Hardware and Software which are procured or maintained by the DDO shall be recorded in three Asset Registers maintained by the DDO. Information Assets which are in the nature of files, documents, papers etc. which belong to any office shall be inventoried and maintained by the concerned officers/officials.
The primary responsibility for maintenance and upkeep of the registers lies with the DDO under the supervision of the concerned HoD. The DDO will seek the information to be filled in the Asset registers from the concerned officers who are using that particular Asset.
Asset category | Register maintained by
Information assets (continued): research information, user manuals, training material, operational or support procedures, business continuity plans, fallback arrangements, audit trails, and archived information |
Software assets: application software, system software, development tools, and utilities | DDO
Hardware assets: computer equipment, communications equipment, removable media, and other equipment | DDO
B. Formats for Asset Registers (as specified in CISO Instruction No. 2(2022))
These are the three registers which are required to be maintained by DDOs.
Hardware Asset Register, columns:
Asset Category | Asset Name | Asset Id | IP Address | Asset Addition Date | Asset Removal Date | Asset Owner | Asset User | Function | Storage location | Asset Criticality | Classification | Controls in Place | Remarks
Software Asset Register, columns:
Asset Category | Asset Name | Asset Id | IP Address | Asset Addition Date | Removal Date/License End Date | Asset Owner | Asset User | Storage location | Classification | Controls in Place | Remarks
Third register (disposal of media), columns:
Sr. No. | Type of Media | Asset Criticality | Quantity | Department | Date of Disposal | Approved by | Remarks
C. Assigning Asset Id to Information Assets
The Asset Id is a 13-character code made up of the following parts, in this order:
i. The first three letters shall indicate the city where the Asset is present, e.g. MUM for Mumbai or DEL for Delhi. These letter codes for each city shall be decided by the LISO and communicated to all offices in the region.
ii. The next four characters shall indicate the Asset Owner's office where the Asset is stationed, e.g. Investigation Unit 10(1) may be indicated by I101 or Jurisdictional Circle-46(1) by J461. The LISO will have to map all Asset Owners in his region and shall issue these codes for reference of all Asset Owners mapped under him.
iii. One digit for the classification of the Asset: 0 for Unclassified, 1 for Restricted, 2 for Confidential, 3 for Secret and 4 for Top Secret.
iv. One digit (3, 2 or 1) for the criticality of the Asset as per the criticality guidelines.
v. The last four characters shall be a number giving the unique serial number of the Information Asset in that particular office.
The LISO shall be responsible for preparing a list of Asset Owners in his jurisdiction. Each Asset Owner shall be given a Code, consisting of the city code (i) followed by the office code (ii); this code shall form the first 7 characters of the Asset Id.
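The Asset Id scheme above is a fixed-width format, so it can be generated and checked mechanically when registers are compiled. The following Python is an added example written for this page; it is not part of the CISO Instruction and the city and office codes it uses (MUM, DEL, I101, J461) are only the examples quoted in section C, since the real codes are issued by the LISO. It composes an Id from its five fields, parses and validates an existing Id, and reports serial numbers reused within one office, which is the uniqueness the last four characters are meant to guarantee.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Digit values from section C (iii) and (iv).
CLASSIFICATION = {0: "Unclassified", 1: "Restricted", 2: "Confidential",
                  3: "Secret", 4: "Top Secret"}
CRITICALITY = {1, 2, 3}

# city (3 letters) + office (4 chars) + classification digit + criticality digit
# + 4-digit serial = 13 characters. The office examples on the page (I101, J461)
# mix a letter and digits, so the office field accepts upper-case letters and digits.
ASSET_ID_RE = re.compile(
    r"^(?P<city>[A-Z]{3})(?P<office>[A-Z0-9]{4})"
    r"(?P<cls>[0-4])(?P<crit>[1-3])(?P<serial>[0-9]{4})$"
)


@dataclass(frozen=True)
class AssetId:
    city: str
    office: str
    classification: int
    criticality: int
    serial: int

    @property
    def owner_code(self) -> str:
        """First 7 characters: the Asset Owner code issued by the LISO."""
        return self.city + self.office

    def __str__(self) -> str:
        return f"{self.owner_code}{self.classification}{self.criticality}{self.serial:04d}"


def build_asset_id(city: str, office: str, classification: int,
                   criticality: int, serial: int) -> str:
    """Compose a 13-character Asset Id, rejecting out-of-range fields."""
    if not re.fullmatch(r"[A-Z]{3}", city):
        raise ValueError(f"city code must be 3 upper-case letters: {city!r}")
    if not re.fullmatch(r"[A-Z0-9]{4}", office):
        raise ValueError(f"office code must be 4 characters: {office!r}")
    if classification not in CLASSIFICATION:
        raise ValueError(f"classification must be 0-4: {classification}")
    if criticality not in CRITICALITY:
        raise ValueError(f"criticality must be 1-3: {criticality}")
    if not 0 <= serial <= 9999:
        raise ValueError(f"serial must fit in 4 digits: {serial}")
    return str(AssetId(city, office, classification, criticality, serial))


def is_valid_asset_id(asset_id: str) -> bool:
    """True if the string has the exact 13-character layout and digit ranges."""
    return ASSET_ID_RE.match(asset_id) is not None


def parse_asset_id(asset_id: str) -> AssetId:
    """Split an Asset Id into its fields; raise ValueError on malformed input."""
    m = ASSET_ID_RE.match(asset_id)
    if m is None:
        raise ValueError(f"malformed Asset Id: {asset_id!r}")
    return AssetId(m["city"], m["office"], int(m["cls"]), int(m["crit"]), int(m["serial"]))


def duplicate_serials(asset_ids: list[str]) -> dict[str, list[int]]:
    """Serial numbers reused within one office. The serial is unique per office,
    so two Ids sharing owner code and serial clash even when their classification
    or criticality digits differ."""
    seen: dict[tuple[str, int], int] = defaultdict(int)
    for raw in asset_ids:
        a = parse_asset_id(raw)
        seen[(a.owner_code, a.serial)] += 1
    clashes: dict[str, list[int]] = defaultdict(list)
    for (owner, serial), n in seen.items():
        if n > 1:
            clashes[owner].append(serial)
    return {owner: sorted(serials) for owner, serials in clashes.items()}


if __name__ == "__main__":
    # Constructed sample entries for illustration, not real Department data.
    sample = [build_asset_id("MUM", "I101", 2, 3, 42),
              build_asset_id("MUM", "I101", 1, 2, 42),   # same office and serial: clash
              build_asset_id("DEL", "J461", 0, 1, 7)]
    for s in sample:
        a = parse_asset_id(s)
        print(s, CLASSIFICATION[a.classification], "criticality", a.criticality)
    print("duplicate serials per owner code:", duplicate_serials(sample))
```

Because the classification and criticality digits are embedded in the Id, a change of classification (for example after a review) changes the Id itself; the register entry therefore has to be updated rather than the old Id kept, or the duplicate-serial check above will flag the pair.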
D. Guidelines for classification of Information Assets and their labeling and
other security measures
(as specified in CISO Instruction No. 2(2022))
All the Department information must be classified into one of the following categories:
... Tunneling Protocol (PPTP) or Internet Protocol Security (IPSEC) both within and outside the network. Where a choice exists, IPSec should be preferred: the MS-CHAPv2 authentication used by PPTP is known to be cryptographically weak.
Hard copy Information should be stored in secure areas with access logged.
iv. Restricted: Information which is essentially meant for official use only and which would not be published or communicated to anyone except for official purposes.
v. Unclassified: Information that requires no protection against disclosure, e.g. public releases.
Attribute | Guidelines (Restricted)
Labelling:
o "Restricted" should appear at the bottom of each page and on removable media labels.
o "Restricted" should be added to the Document Control Table.
Security Controls:
o Information should only be exchanged with members of ITD, MSP and authorized stakeholders, through official emails only.
o Access only after due approval from the Information Owner.
o Information to be stored in a restricted-access folder/SharePoint.
o Restrictions on read, download, print, write, delete etc.
o Permissions to modify limited to authorized users.
Confidentiality
Rating | Impact
3 | Unauthorized disclosure or loss of information, or of assets containing information, that could adversely impact the Department, resulting in identity theft, fraud, financial damages, loss of public confidence, breach of a contract clause, or legal action.
2 | Unauthorized disclosure or loss of information and assets could result in operational setbacks.
1 | The information and asset is easily available/accessible by employees and, if disclosed, would have negligible/acceptable financial, operational or legal impact on the organization.
Integrity
Rating | Impact
3 | Modification of the asset's accuracy and completeness has severe impact.
2 | Modification of the asset's accuracy and completeness has moderate impact.
1 | Modification of the asset's accuracy and completeness has negligible/minor impact.
Availability
Rating | Impact
3 | Unavailability of the asset would result in very high consequences/severe loss to ITD.
2 | Unavailability of the asset may cause some impact to ITD.
1 | No/insignificant impact if the asset is not available.
Once the asset is rated on the CIA values, the asset is given an Asset Criticality Rating, which is determined on the basis of the Asset Value. The Asset Criticality Rating is calculated as follows:
Annexure-2
Do’s and Don’ts for the use of Information Assets of the Income Tax Department
(in accordance with Acceptable Usage Policy circulated vide CISO Instruction No. 2 (2020))
The purpose of this document is to educate the Department’s officers and officials
including the contractual staff in acceptable and unacceptable use of Information and
Information Assets of Income Tax Department. These instructions apply to all officers,
officials, contractors, sub-contractors, contractual staff and their associates having
access to Income Tax Department’s resources.
Do’s:
6. Always shut down the workstation properly before leaving it unattended for a
long duration or at the end of work for the day.
8. Hand over the assets which are not in use / pertaining to any separated
employee to the authorized person.
Don’ts:
1. Do not create, use or distribute copies of such software that are not in
compliance with the license agreement for the software.
3. Do not share password/OTP/RSA Token No. with anyone except the person
authorized to access them.
4. Do not try to install, modify or uninstall any software on your own. If required to do so, seek prior approval and the assistance of authorized personnel.
7. Do not connect personal devices like computer, laptop or smart devices to the
organization’s network.
8. Do not try to tamper with network settings and LAN cables / devices in the
event of inaccessibility to the organization’s network.
9. Do not switch off the network devices like network switches, routers, Wi-Fi
access point etc.
10. Do not share Wireless Access Point passwords with unauthorized persons.
12. In the event that the user is aware / suspects that his / her system is
compromised / affected by any malware, he/she should not connect the system
to the organization’s network.
13. Any personal use of the network for commercial, illegal or unethical purposes is
strictly prohibited.
18. Do not download unnecessary software, songs, and videos from the internet.
19. Do not open any email unless you are confident that it comes from a legitimate source and the communication is expected.
22. Do not leave any sensitive info or document lying around in the office.
23. Do not try to access any restricted areas where you do not have access.
24. Do not copy or send Department’s data to external devices / entities (e-mail,
Internet, Pen Drives etc.) if you are not authorized to do so.
Annexure-3
“An Incident is defined as the occurrence of any exceptional situation that could
compromise the Confidentiality, Integrity or Availability of Information and
Information Systems of the Income Tax Department. Security weaknesses
(vulnerability in the information system, which could be exploited to compromise the
Confidentiality, Integrity or Availability of the Information and Information system),
software malfunctions (any abnormality or deviation in the functioning of a software
application) and violations of the Department’s security policies and procedures must
also be considered an incident.”
An indicative list of possible Information Security Incidents is as follows (the list is not exhaustive):
▪ Unauthorized access or tampering to media during transportation
▪ Removal of Information Assets without permission of the Asset Owner
▪ Repair of Information Assets by unauthorized vendors
5. If the Information Security Incident is of the nature of a physical or
environmental security incident then:
a. BISO shall intimate LISO regarding the incident.
b. LISO shall take steps to resolve the incident. If required, the LISO shall
contact authorities outside the Department like police, fire brigade etc.
for resolution.
c. Once the incident is resolved, the BISO shall send a report to the LISO
describing the incident and its resolution in the prescribed format
given in Annexure 3.2.
6. If the Information Security Incident is of the nature of a human resource
security incident or asset management security incident then:
a. BISO shall intimate the HoD (PCIT/PDIT/CIT/DIT/ADG) or CCIT or DGIT
regarding the incident.
b. The HoD or CCIT or DGIT shall investigate the incident and fix responsibility.
c. The HoD or CCIT or DGIT may take disciplinary action against the
concerned officer/official if deemed necessary.
d. Once the incident is resolved, the HoD or CCIT or DGIT shall intimate
the BISO in the prescribed format given in Annexure 3.2.
e. The BISO shall send a report to the LISO describing the incident and the
action taken on it.
Annexure 3.1
Incident Details (fields):
Incident No. | Incident Start Date
Incident Classification* | Incident Priority*
Affected Service
Number of Employees/User(s) Impacted
Description
Status
Annexure 3.2
Recommendation
Prepared By | Remarks
Approved By | Approval Date
* As per the scheme given in Annexure 3.3
Annexure 3.3
Annexure-4
Annexure-4
1. LISO to follow up on the Audit report of non-compliances and get them rectified in accordance with the Information Security Policy. (Timeline: 15 days)
Annexure-5
Purpose
1. The ITD Information Security Policy circulated vide CISO Instruction No. 2 dated 27.11.2020 mandates that the Department shall establish and maintain an Information Security Risk Management procedure covering Risk Assessment and treatment of identified Risks on a continual basis.
ii. Trivial assets are not over-protected and important assets are not under-protected.
iii. Controls selected for risk mitigation are compatible with existing ones, so that they not only complement each other but also produce a synergetic effect.
Table 1:
# Activity
1. Risk Identification
2. Risk Analysis
3. Risk Evaluation
4. Risk Treatment
Risk Criteria
Risk criteria are the terms of reference used in deciding on the significance of the risks to be assessed. The terms of reference include, inter alia, associated costs and benefits, legal and statutory requirements and best practices. Risk criteria define the Risk Ratings and the Risk Acceptance criteria for assessment and adequate treatment of the risks.
1. Risk Identification
important to properly identify risks pertaining to identified threats, vulnerabilities and
potential impact. It is the responsibility of the LISO to identify risks associated with
the loss of confidentiality, integrity and availability of information/assets.
2. Risk Analysis
Risk analysis is the process in which identified risks and existing controls are
evaluated. This process involves various activities listed as follows:
b) Assess the realistic likelihood of the threat. Calculate the risk value.
Vulnerability Rating
The weakness in the system which might be exploited by a threat and the effectiveness
of the control in preventing the vulnerability from being exploited is estimated in this
step. During Risk rating evaluation, more weightage is given to the vulnerability than
likelihood of occurrence. The following matrix shown in Table 2 is used for
determining the scale of Vulnerability rating.
Threat Likelihood
The likelihood with which a threat can exploit vulnerabilities is estimated in this step.
The following matrix shown in Table 3 should be used for determining the scale of
Threat likelihood:
minimal efforts required to repair / recover.
Risk Rating
Risk rating is determined from the risk value. The risk value is the product of the vulnerability rating, the threat likelihood and the potential impact. The risk rating also takes into consideration the controls implemented in the environment. The vulnerability value carries more weightage than the threat likelihood. Based on this product, Table 5 shows the risk rating classifications. Refer to Annexure 6 for an indicative list of threats and vulnerabilities.
Table 5: Risk Rating
Risk Rating | Description | Examples
High (71-125) | These risks will have a huge impact leading to a significant effect on the entire information security environment. Risk treatment needs to be considered with high priority. | Unauthorized access to confidential taxpayer data; Breach/Loss of Taxpayer Data; Major Service Interruption
Medium (36-70) | These risks will have a considerable amount of impact leading to a major issue on information security. | Unauthorised access/attack due to un-patched software/applications
Low (16-35) | These risks will have some minor amount of impact. | Unauthorised access due to lack of clear desk policy
3. Risk Evaluation
Risk should be evaluated by comparing the results of risk analysis and risk
acceptance criteria and prioritized based on risk rating.
4. Risk Treatment
Risk treatment is the process of determining the treatment options for the identified
risks and development of an action plan for treatment of these risks. It includes the
following key activities:
Risk treatment involves identifying the range of options for treating risk, assessing
those options, preparing risk treatment plans and implementing them. The risk
treatment plan should first identify the selected options for the treatment of risks.
Table 6: Risk Treatment Options
Treatment Option | Description
Transfer | Chosen action when the risks are treated by hedging the impact to a third party
Accept | Chosen action when the controls identified to treat the risk are not considered feasible
Risk acceptance refers to the decision in which identified risk is accepted and normal
procedures are continued with the accepted risk. In such cases, the reasons for
acceptance of the risk shall be documented along with appropriate justifications.
Risk shall be accepted for several reasons including, but not limited to:
a) The potential impact is low and cost of further protection against risk is not
worthwhile;
Risk acceptance criteria are also decided on the basis of the risk rating. The risk acceptance criteria are shown in Table 7 below:
Table 7: Risk Acceptance Criteria
Risk Rating | Description
Insignificant | These risks can be accepted, e.g. risks with risk value <= 15.
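The risk value computation and the Table 5 bands and Table 7 acceptance threshold, as an added worked example for this page (not part of the CISO Instruction). It assumes the three factors enter as a plain product on a 1-5 scale, which is the only reading that reaches the High band's upper bound of 125; the text says the vulnerability rating carries more weightage than the threat likelihood but gives no formula for that, and every numeric row of the sample register further down (3x2x2=12, 4x4x4=64, 3x2x4=24, 3x3x3=27) matches the plain product, so the code cross-checks itself against those transcribed rows.

```python
from dataclasses import dataclass

# Each factor is a 1-5 rating; 5 x 5 x 5 = 125 is the top of the High band.
SCALE = range(1, 6)

# Table 5 bands, plus the Table 7 rule that a value <= 15 is Insignificant and acceptable.
BANDS = (
    ("High", 71, 125),
    ("Medium", 36, 70),
    ("Low", 16, 35),
    ("Insignificant", 1, 15),
)
ACCEPTABLE_MAX = 15


def risk_value(vulnerability: int, likelihood: int, impact: int) -> int:
    """Risk value = vulnerability rating x threat likelihood x potential impact.
    Assumption: plain product; the page gives no explicit extra weighting for vulnerability."""
    for name, v in (("vulnerability", vulnerability), ("likelihood", likelihood), ("impact", impact)):
        if v not in SCALE:
            raise ValueError(f"{name} rating must be 1-5, got {v}")
    return vulnerability * likelihood * impact


def risk_rating(value: int) -> str:
    """Map a risk value onto the Table 5 band name."""
    for name, lo, hi in BANDS:
        if lo <= value <= hi:
            return name
    raise ValueError(f"risk value {value} outside 1-125")


def is_acceptable(value: int) -> bool:
    """Table 7: only Insignificant risks (value <= 15) may simply be accepted."""
    return value <= ACCEPTABLE_MAX


@dataclass(frozen=True)
class RegisterRow:
    threat: str
    impact: int          # Potential Impact Rating column
    vulnerability: int   # Vulnerability Rating column
    likelihood: int      # Threat Likelihood column
    recorded_rating: str # Risk Rating column as written in the register


# Numeric columns transcribed from the sample register on this page (free-text columns omitted).
SAMPLE_ROWS = [
    RegisterRow("Flooding", 3, 2, 2, "Insignificant"),
    RegisterRow("Fire / Short Circuit", 3, 3, 3, "Low"),
    RegisterRow("Lightning", 2, 1, 2, "Insignificant"),
    RegisterRow("Unauthorized entry", 4, 4, 4, "Medium"),
    RegisterRow("Theft of equipment", 3, 2, 4, "Low"),
    RegisterRow("Terrorist Attack", 2, 1, 3, "Insignificant"),
]


def assess(row: RegisterRow) -> dict:
    """Recompute value and rating for one row and compare with what was recorded."""
    value = risk_value(row.vulnerability, row.likelihood, row.impact)
    rating = risk_rating(value)
    return {"threat": row.threat, "value": value, "rating": rating,
            "acceptable": is_acceptable(value),
            "matches_register": rating == row.recorded_rating}


def register_mismatches(rows=SAMPLE_ROWS) -> list[str]:
    """Threats whose recorded rating disagrees with the computed one (transcription or arithmetic errors)."""
    return [r.threat for r in rows if not assess(r)["matches_register"]]


def treatment_priority(rows=SAMPLE_ROWS) -> list[str]:
    """Threats that cannot simply be accepted, highest risk value first."""
    pending = [assess(r) for r in rows]
    pending = [a for a in pending if not a["acceptable"]]
    return [a["threat"] for a in sorted(pending, key=lambda a: a["value"], reverse=True)]


if __name__ == "__main__":
    for r in SAMPLE_ROWS:
        print(assess(r))
    print("mismatches:", register_mismatches())
    print("treat first:", treatment_priority())
```

The mismatch check is the useful part when a charge compiles its own register: a row whose written rating disagrees with its three numbers is either a transcription error or an unrecorded override, and both need a reviewer before the residual-risk sign-off.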
Risk mitigation is the process of reducing a specific risk (or a set of risks) to an acceptable level by changing the operational environment and/or applying technical or non-technical countermeasures.
Risk transfer involves a decision to share certain risks with external parties. Risk
transfer can create new risks or modify existing, identified risks. Therefore, additional
risk assessment followed by risk treatment may be necessary. Transfer can be done by
insurance that shall support the consequences, or by sub-contracting a third party
whose role shall be to monitor the information system and take immediate actions to
stop an attack before it makes a defined level of damage.
Risk can be terminated by taking into consideration various means listed below:
c) Relocating assets away from known areas of physical risk, such as flood
zones.
Risk Communication
Residual Risk
Residual risk is the risk remaining after risk treatment. Efforts will be made to treat the high risks down to an acceptable risk value by implementing one of the risk treatment plans. The residual risk shall be accepted as per the risk acceptance criteria defined.
The risk monitoring and review process is aimed at providing assurance that risks have been adequately identified and prioritized and that significant risks are well managed by implementing adequate controls. This process helps in determining whether:
▪ the procedures adopted and the information gathered for identifying the risks were appropriate, and whether significant risks have been identified;
▪ the mitigation controls put in place are appropriate for the current scenario and lead to a reduction of future risk exposure.
Any of the following may be considered for the re-assessment of risks apart from the annual review cycle:
Risk Register Template (columns):
Sr. No. | Threat Category | Threat | Vulnerability | Response Standard | Risk Assessment | Potential Impact | Potential Impact Rating | Vulnerability Rating | Threat Likelihood | Risk value | Risk Rating | Risk Identified date | Existing controls | Risk Treatment Option | Risk Treatment Plan | Risk Owner | Closure Timeline | Actual Closure Timeline | Residual Risk | Remarks
1 |
2 |
3 |
Sample filled-out Risk Register for the Pr.CCIT(CCA) region (This sample is only for reference. The Risk Register for every charge should be prepared after identifying the risks which are specific to that charge.)
Columns: Sr. No. | Threat Category | Threat | Vulnerability | Response Standard | Vulnerability Assessment | Potential Impact | Potential Impact Rating | Vulnerability Rating | Threat Likelihood | Risk value | Risk Rating | Risk Identified date | Existing controls | Risk Treatment Option | Risk Treatment Plan | Risk Owner | Closure Timeline | Actual Closure Timeline | Residual Risk | Remarks
(Response Standard, Risk Identified date, Closure Timeline, Actual Closure Timeline, Residual Risk and Remarks are blank in every row of the sample.)

1. Environmental | Flooding
Vulnerability: Lack of a proper rain water drainage system and the low plinth level of the Building may cause flooding of the ground floor of the office premises in the rainy season, leading to damage to records, systems and electronic devices, and may further lead to power failure/short circuit.
Vulnerability Assessment: Medium
Potential Impact: Damage to property and hindrance to entry of officers/officials into the Building
Impact Rating / Vulnerability Rating / Threat Likelihood: 3 / 2 / 2; Risk value: 12; Risk Rating: Insignificant
Existing controls: Water pumps installed at entry and exit gates in addition to the drainage system in the Building.
Treatment Option: Mitigate
Treatment Plan: Additional staff to be deployed at all entry/exit points. Adequate maintenance of the water drainage system to be ensured before the rainy season. Pumps installed shall be in working condition, and regular maintenance and a pump operator shall be made available.
Risk Owner: Building In-charge

2. Physical | Fire / Short Circuit
Vulnerability: Systems and equipment used are susceptible to damage by short circuit/voltage fluctuation etc.
Vulnerability Assessment: Medium
Potential Impact: Probable spread of fire/crisis/disruption to all sections of the building, data loss, loss of human lives
Impact Rating / Vulnerability Rating / Threat Likelihood: 3 / 3 / 3; Risk value: 27; Risk Rating: Low
Existing controls: Fire extinguishers and wet risers are in place; adequate fire exits available in the Building; security guards in place.
Treatment Option: Mitigate
Treatment Plan: Fire sensors and a public announcement system shall be installed in the entire Building including rooms. Fire safety drills and staff awareness sessions to be conducted at regular intervals. Fire exits shall be kept open and free from encumbrances.
Risk Owner: Building In-charge

3. Environmental | Lightning
Vulnerability: Systems and equipment in the Building and the structure of the building are susceptible to damage by fire caused by lightning.
Vulnerability Assessment: Low
Potential Impact: Damage to property and loss of human life
Impact Rating / Vulnerability Rating / Threat Likelihood: 2 / 1 / 2; Risk value: 4; Risk Rating: Insignificant
Existing controls: Lightning conductors are installed and maintained on the roof of the Building; adequate fire exits available in the Building.
Treatment Option: Mitigate
Treatment Plan: Regular inspection of the lightning conductors on the roof to be conducted, and faults noticed shall be repaired immediately. Fire exits shall be kept open and free from encumbrances.
Risk Owner: Building In-charge

4. Environmental | Earthquake
Vulnerability: Systems and equipment in the Building and the structure of the building are susceptible to damage, and human life may be at risk.
Vulnerability Assessment: Medium
Potential Impact: Damage to property and loss of human life
Impact Rating / Vulnerability Rating / Threat Likelihood: 3 / 3 / 3; Risk value: 27; Risk Rating: Low
Existing controls: Security guards, public announcement system, open space and sufficient entry/exit points are in place.
Treatment Option: Mitigate
Treatment Plan: Earthquake SOPs shall be publicised; mock drills and first aid training shall be ensured. A public announcement system shall be in place covering the entire area of the Building. Provision for adequate entry/exit points and open space shall be made available.
Risk Owner: Building In-charge

5. Environmental | Epidemic
Vulnerability: Human life may be at risk.
Vulnerability Assessment: Medium
Potential Impact: Loss of human life
Impact Rating / Vulnerability Rating / Threat Likelihood: 3 / 2 / 2; Risk value: 12; Risk Rating: Insignificant
Existing controls: First aid kit, wheelchair and stretcher are available in the office. Some reputed hospitals are in close vicinity. Proper sanitation measures and mosquito breeding control sprays are carried out at regular intervals.
Treatment Option: Mitigate
Treatment Plan: Close monitoring of Ministry of Health guidelines regarding the spread of any epidemic in the area. Proper restricting guidelines to be followed.
Risk Owner: Building In-charge

6. Physical | Unauthorized entry
Vulnerability: Some common places in the building are allowed to be used for non-departmental events like CAs'/Advocates' general body elections/meetings and publicity campaigns by banks/other such institutions.
Vulnerability Assessment: High
Potential Impact: Probable unauthorised entry during office and non-office hours
Impact Rating / Vulnerability Rating / Threat Likelihood: 4 / 4 / 4; Risk value: 64; Risk Rating: Medium
Existing controls: CCTVs installed in the Building. Entry into the Building restricted through valid identity cards and visitor's passes. Security guards in place.
Treatment Option: Mitigate
Treatment Plan: Regular CCTV monitoring is in place. Additional staff to be deployed at all entry/exit points. Entry and exit points to be minimised during such events.
Risk Owner: Building In-charge

8. Physical | Theft of equipment
Vulnerability: Bags of private and contractual staff are not checked on a daily basis.
Vulnerability Assessment: High
Potential Impact: Loss of assets; confidential data contained in the equipment/system may be at risk
Impact Rating / Vulnerability Rating / Threat Likelihood: 3 / 2 / 4; Risk value: 24; Risk Rating: Low
Existing controls: 24x7 security guard on duty. A gate pass is mandatory to take out any equipment/system.
Treatment Option: Terminate
Treatment Plan: Additional secure doors to be installed; effective CCTV monitoring to be ensured; biometric access control gates shall be installed.
Risk Owner: Building In-charge

9. Physical | Sharing of Building premises with other organizations/institutions
Vulnerability: Any person authorized to visit another department may gain unauthorised access to the office.
Vulnerability Assessment: High
Potential Impact: Probable unauthorised entry during office and non-office hours
Impact Rating / Vulnerability Rating / Threat Likelihood: 4 / 4 / 4; Risk value: 64; Risk Rating: Medium
Existing controls: CCTVs installed in the Building. Entry into the Building restricted through valid identity cards and visitor's passes. Security guards in place.
Treatment Option: Mitigate
Treatment Plan: Regular CCTV monitoring is in place. Additional staff to be deployed at all entry/exit points.
Risk Owner: Building In-charge

10. Physical | Terrorist Attack
Vulnerability: Human life and property may be at risk.
Vulnerability Assessment: Low
Potential Impact: Loss of human life and assets
Impact Rating / Vulnerability Rating / Threat Likelihood: 2 / 1 / 3; Risk value: 6; Risk Rating: Insignificant
Existing controls: CCTVs installed in the Building. Entry into the Building restricted through valid identity cards and visitor's passes. Security guards in place.
Treatment Option: Mitigate
Treatment Plan: Regular CCTV monitoring is in place. Armed security guards to be deployed at all entry/exit points.
Risk Owner: Building In-charge

11. Physical | Old building structures
Vulnerability: Any weak structure may fall and cause damage to human life and assets.
Vulnerability Assessment: Medium
Potential Impact: Loss of human lives and property/assets
Impact Rating / Vulnerability Rating / Threat Likelihood: 3 / 3 / 3; Risk value: 27; Risk Rating: Low
Existing controls: Regular maintenance and inspection of the building is ensured through an external specialized agency. The necessary approvals and budgetary allocations are ensured for major repairs.
Treatment Option: Mitigate
Treatment Plan: Regular monitoring and inspection of the Building to be ensured. Timely minor repair and maintenance work to be performed. Major repair works to be identified and performed as per prevailing rules and regulations. Proper CCTV monitoring to be ensured.
Risk Owner: Building In-charge

12. Physical | Strike by Employees
Vulnerability: Employees may go on strike on the call of their associations.
Vulnerability Assessment: Medium
Potential Impact: Loss to property/assets and delay in office work
Impact Rating / Vulnerability Rating / Threat Likelihood: 3 / 3 / 3; Risk value: 27; Risk Rating: Low
Existing controls: Regular meetings are arranged with the representatives of the employees' associations. CCTVs installed in the Building. Security guards in place.
Treatment Option: Mitigate
Treatment Plan: Awareness campaign regarding the relevant conduct rules to be arranged. Regular meetings to be arranged with the employees' associations and their valid grievances addressed as per prevailing rules. Security guards in place.
Risk Owner: Building In-charge
Annexure-6
Lists of Threats
▪ Theft of sensitive data 5
▪ Unauthorised access to the information system 3
▪ Unauthorised access to the network 3
▪ Unauthorised changes of records 4
▪ Unauthorised physical access 2
▪ Unauthorised use of copyright material 4
Lists of Vulnerabilities
A vulnerability is an organisational flaw that can be exploited by a threat to destroy, damage or compromise an asset. It is the susceptibility or weakness of a resource or asset to any negative impact from hazardous events, i.e., a weakness or flaw that enables a threat to attack an asset. The following is a tentative list of vulnerabilities that an organisation may encounter. This further needs to be augmented based on the actual situation in the organisation.
Vulnerability | Indicative Risk rating (1 low - 5 high)
▪ Employees not receiving adequate training | 3
▪ Equipment not being replaced when it is no longer fit for purpose | 2
▪ Hard drives being disposed of without sensitive data having been deleted | 4
▪ Improper cabling security and management | 2
▪ Improper change management | 2
▪ Improper internal audit | 3
▪ Improper network management | 3
▪ Improper validation of the processed data | 2
▪ Inadequate or irregular system backups | 3
▪ Inadequate physical security controls | 3
▪ Insufficient processes or technologies to prevent malicious files from being downloaded | 4
▪ Insufficient processes or technologies to prevent sensitive data from being copied | 4
▪ Insufficient software testing | 3
▪ Insufficient processes or technologies to prevent users from downloading unapproved software | 3
▪ Inadequate protection of cryptographic keys | 3
▪ Lack of systems for identification and authentication | 2
▪ No procedure for removing access rights upon termination of employment | 3
▪ No protection for mobile equipment | 3
▪ Passwords not being changed from default settings | 4
▪ Passwords not being strong enough | 3
▪ Poor or non-existent access control policy | 4
▪ Poor or non-existent clean desk and clear screen policy | 3
▪ Poor or non-existent internal documentation | 2
▪ Poor staff morale and potential for malicious action | 4
▪ Premises vulnerable to flooding, fire or other disruptive event | 4
▪ Sensitive data not being properly classified | 4
▪ Staff duties not being properly segregated | 2
▪ Staff not receiving security awareness training | 3
▪ User rights not being reviewed regularly | 3
▪ Unprotected public networks | 3
▪ Water or heat damage to equipment | 2
▪ Anti-virus not being updated | 3
▪ Expired fire extinguisher | 4
▪ Expired fire alarm | 4
▪ Expired fire safety certificate | 2
▪ Non-Disclosure Agreement not signed by employees/contractors | 3
▪ No police verification of contractors/employees | 3
Annexure-7
2. WHEREAS, it is anticipated that the receiving party may get access to confidential
information with respect to their engagement with ___________________________________
________ ___________________________________________________(“Disclosing Party”) for
the purpose of _______________________________________________ (“Purpose”).
3. For the purpose of this Declaration "Confidential Information" shall mean any and
all information and data, including but not limited to any kind of any product, service,
process, invention, improvement or development carried on or used, discoveries, ideas,
concepts, know-how (whether patentable or copyrightable or not), research,
development, designs, specifications, drawings, blueprints, tracings, diagrams,
models, samples, flow charts, computer programs, algorithms, marketing plans or
techniques, budgets, costs, profits, prices, discounts, mark-ups, strategies, tenders
and any price sensitive information, whether or not labelled as “Confidential
Information” and disclosed in connection with the Purpose, irrespective of the medium
in which such information or data is embedded. Confidential Information shall include
any copies, abstracts, reports, work products or any derivatives made or derived
therefrom.
a. shall be used exclusively for the Purpose of this Declaration, and the
receiving party shall be permitted to use Confidential Information disclosed only
for such sole Purpose and for no other purpose, unless otherwise expressly
agreed to in writing by disclosing party;
b. shall not be distributed, disclosed, or disseminated in any way or form by the
receiving party to anyone except parties who have the reasonable need to know
the Confidential Information and who are bound to confidentiality by their
employment agreement;
c. shall not be disclosed to any other third party without the prior written
approval from disclosing party;
d. Shall not be used for personal purpose or for the benefit of anyone other than
the disclosing party.
5. It is understood that no license or right of use or any other right in respect of the
Confidential Information is granted or conveyed by this Declaration. The disclosure of
Confidential Information and materials shall not result in any obligation to grant the
receiving party any such rights therein.
6. Receiving party agrees that it shall treat Confidential Information disclosed under
this Declaration as strictly confidential perpetually.
10. If any term, clause or provision of this Declaration shall be judged to be invalid for
any reason whatsoever, such invalidity shall not affect the validity or operation of any
other term, clause or provision of this Declaration and such invalid term clause or
provision shall be deemed to have been deleted from this Declaration.
11. The provisions of this Declaration may not be modified, amended, nor waived,
except by a written instrument duly executed by the Parties hereto. The requirement
of written form can only be waived in writing.
NAME:
ID.:
SIGNATURE:
Annexure-8
1. The HoD (PCIT/PDIT/CIT/DIT) or DDO should ensure that a formal contract is entered into between the Department and all third parties providing services to the Department or using the Department's information systems. The services to be provided by the outsourced party must be covered by a strong Service Level Agreement ('SLA') that takes into consideration the expected levels of service, security, monitoring, contingency and other stipulations as appropriate.
2. The HoD or the DDO should ensure that the following clauses are included in the Contract:
a. A clause regarding subcontractors: all contractors must be required to provide information to the Department about related subcontractors and obtain the Department's permission for the subcontracting, prior to initiation of work by the subcontractor.
b. A clause regarding responsibilities towards information security: all contractors/MSPs/contractual staff must sign and agree to the terms and conditions of their contract. These terms and conditions must include the responsibilities towards Information Security.
3. The above clauses may be added to the existing contracts by making the
necessary addendums.
4. The HoD should ensure that the Security controls and service levels, associated
reports and records of contract/third party service providers should be
independently assessed, reviewed and monitored.
B. Background check:
a) Identity
b) Address
c) Criminal Records
d) Employment History
e) Promoters History
f) ITR/PAN
g) CIBIL score
h) Reputation: 360-degree profiling
i) Experience
j) Feedback/Reference from past and current clients
k) Reference from 2 credible persons.
A report in this regard, after due verification, must be kept in the records of the HoD
or the DDO concerned.
The Contractor/MSP would be responsible for the background check of all contractual staff being deployed in the Department through the contractor/MSP. The background check of the staff would include:
a) Identity
b) Address
c) Criminal Records
d) Employment History/ Experience
e) Aadhaar
f) Education
g) Reference from 02 credible persons
The background check report of each contractual staff member should be made part of the individual staff file in the records of the HoD or the DDO.