[To be published in the Gazette of India, Extraordinary, Part II, Section 3, Sub-section (i)]
Government of India Ministry of Information Technology
New Delhi, the 17th October, 2000
NOTIFICATION
G.S.R 788 (E) In exercise of the powers conferred by sub-section (3) of section 1 of the Information Technology Act, 2000 (21 of 2000), the Central Government hereby appoints 17th Day of October 2000 as the date on which the provisions of the said Act comes into force.
[ No. 1(20)/97-IID(NII)/F6]
(P.M.Singh) Joint Secretary
[To be published in the Gazette of India, Extraordinary, Part II, Section 3, Sub-section (i)]
Government of India Ministry of Information Technology
New Delhi, the 17th October, 2000
NOTIFICATION
G.S.R 789 (E) In exercise of the powers conferred by section 87 of the Information Technology Act, 2000 (21 of 2000), the Central Government hereby makes the following rules regulating the application and other guidelines for Certifying Authorities, namely:
1. Short title and commencement.- (1) These Rules may be called Information
Technology (Certifying Authorities) Rules, 2000.
(2) They shall come into force on the date of their publication in the Official Gazette.
2. Definitions.- In these Rules, unless the context otherwise requires,–
any person requesting a Digital Signature Certificate from a licensed Certifying Authority), creation of private keys or administration of a Certifying Authority's computing facilities.
(m) words and expressions used herein and not defined but defined in Schedule-IV shall have the meaning respectively assigned to them in that schedule.
the process termed as hash function shall be used in both creating and verifying a Digital Signature. Explanation: Computer equipment and software utilizing two such keys are often termed as “asymmetric cryptography”.
(a)the signer’s private key was used to digitally sign the electronic record, which is known to be the case if the signer’s public key was used to verify the signature because the signer’s public key will verify only a Digital Signature created with the signer’s private key; and
(b) the electronic record was unaltered, which is known to be the case if the hash result computed by the verifier is identical to the hash result extracted from the Digital Signature during the verification process.
6. Standards.-The Information Technology (IT) architecture for Certifying Authorities may support open standards and accepted de facto standards; the most important standards that may be considered for different activities associated with the Certifying Authority’s functions are as under:
The product | The standard |
Public Key Infrastructure | PKIX |
Digital Signature Certificates and Digital Signature revocation list | X.509. version 3 certificates as specified in ITU RFC 1422 |
Directory (DAP and LDAP) | X500 for publication of certificates and Certification Revocation Lists (CRLs) |
Database Management Operations | Use of generic SQL |
Public Key algorithm | DSA and RSA |
Digital Hash Function | MD5 and SHA-1 |
RSA Public Key Technology | PKCS#1 RSA Encryption Standard (512, 1024, 2048 bit) PKCS#5 Password Based Encryption Standard PKCS#7 Cryptographic Message Syntax standard PKCS#8 Private Key Information Syntax standard PKCS#9 Selected Attribute Types PKCS#10 RSA Certification Request PKCS#12 Portable format for storing/transporting a user’s private keys and certificates |
Distinguished name | X.520 |
Digital Encryption and Digital Signature | PKCS#7 |
Digital Signature Request Format | PKCS#10 |
7. Digital Signature Certificate Standard.- All Digital Signature Certificates issued by the Certifying Authorities shall conform to ITU X.509 version 3 standard as per rule 6 and shall inter alia contain the following data, namely:
and (f)Public Key information of the subscriber.
8. Licensing of Certifying Authorities.- (1) The following persons may apply for grant of a licence to issue Digital Signature Certificates, namely :
Provided that no company in which the equity share capital held in aggregate by the Non-resident Indians, Foreign Institutional Investors, or foreign companies, exceeds forty-nine per cent of its capital, shall be eligible for grant of licence:
Provided further that in a case where the company has been registered under the Companies Act, 1956 (1 of 1956) during the preceding financial year or in the financial year during which it applies for grant of licence under the Act and whose main object is to act as Certifying Authority, the net worth referred to in sub-clause (ii) of this clause shall be the aggregate net worth of its majority shareholders holding at least 51% of paid equity capital, being the Hindu Undivided Family, firm or company:
Provided also that the majority shareholders referred to in the second proviso shall not include Non-resident Indian, foreign national, Foreign Institutional Investor and foreign company:
Provided also that the majority shareholders of a company referred to in the second proviso whose net worth has been determined on the basis of such majority shareholders, shall not sell or transfer its equity shares held in such company
(ii) net worth of not less than fifty crores of rupees:
Provided that no firm, in which the capital held in aggregate by any Non-resident Indian, and foreign national, exceeds forty-nine per cent of its capital, shall be eligible for grant of licence:
Provided further that in a case where the firm has been registered under the Indian Partnership Act, 1932 (9 of 1932) during the preceding financial year or in the financial year during which it applies for grant of licence under the Act and whose main object is to act as Certifying Authority, the net worth referred to in sub-clause (ii) of this clause shall be the aggregate net worth of all of its partners:
Provided also that the partners referred to in the second proviso shall not include Non-resident Indian and foreign national:
Provided also that the partners of a firm referred to in the second proviso whose net worth has been determined on the basis of such partners, shall not sell or transfer its capital held in such firm
(iii) “foreign company” shall have the meaning assigned to it in clause (23A) of section 2 of the Income-tax Act,1961 (43 of 1961);
Provided that the company and firm referred to in the second proviso to clause (b) and the second proviso to clause (c) of sub-rule (1) shall submit a performance bond or furnish a banker’s guarantee for ten crores of rupees:
Provided further that nothing in the first proviso shall apply to the company or firm after it has acquired or has its net worth of fifty crores of rupees.
Explanation.- “transfer of operation” shall have the meaning assigned to it in clause (47) of section 2 of the Income-tax Act, 1961 (43 of 1961).
supported by such documents and information as the Controller may require and it shall inter alia include
(f)an undertaking by the applicant that to its best knowledge and belief
it can and will comply with the requirements of its Certification Practice
Statement;
(i)any other information required by the Controller.
11. Fee.-(1) The application for the grant of a licence shall be accompanied by a non-refundable fee of twenty-five thousand rupees payable by a bank draft or by a pay order drawn in the name of the Controller.
12. Cross Certification.-(1) The licensed Certifying Authority shall have arrangement for cross certification with other licensed Certifying Authorities within India which shall be submitted to the Controller before the commencement of their operations as per rule 20:
Provided that any dispute arising as a result of any such arrangement between the Certifying Authorities; or between Certifying Authorities or Certifying Authority and the Subscriber, shall be referred to the Controller for arbitration or resolution.
(2) The arrangement for Cross Certification by the licensed Certifying Authority with a Foreign Certifying Authority along with the application, shall be submitted to the Controller in such form and in such manner as may be provided in the regulations made by the Controller; and the licensed Certifying Authority shall not commence cross certification operations unless it has obtained the written or digital signature approval from the Controller.
13. Validity of licence.- (1) A licence shall be valid for a period of five years from the date of its issue.
(2) The licence shall not be transferable.
14. Suspension of Licence.-(1) The Controller may by order suspend the licence in accordance with the provisions contained in sub-section (2) of section 25 of the Act.
(2) The licence granted to the persons referred to in clauses (a) to (c) of sub-rule (1) of rule 8 shall stand suspended when the performance bond submitted or the banker’s guarantee furnished by such persons is invoked under sub-rule (2) of that rule.
15. Renewal of licence.- (1) The provisions of rule 8 to rule 13, shall apply in the case of an application for renewal of a licence as it applies to a fresh application for licensed Certifying Authority.
16. Issuance of Licence.- (1) The Controller may, within four weeks from the date of receipt of the application, after considering the documents accompanying the application and such other factors, as he may deem fit, grant or renew the licence or reject the application:
Provided that in exceptional circumstances and for reasons to be recorded in writing, the period of four weeks may be extended to such period, not exceeding eight weeks in all as the Controller may deem fit.
17. Refusal of Licence.-The Controller may refuse to grant or renew a licence if
(iii) a receiver has, or a receiver and manager have, been appointed by the court in respect of the applicant; or
(vii) a Certifying Authority fails to conduct, or does not submit, the returns of the audit in accordance with rule 31; or
(viii) the audit report recommends that the Certifying Authority is not worthy of continuing Certifying Authority’s operation; or
(ix) a Certifying Authority fails to comply with the directions of the Controller.
Provided that any change made by the Certifying Authority in the Information Technology and Security Policy shall be submitted by it within two weeks to the Controller.
20. Commencement of Operation by Licensed Certifying Authorities.-The licensed Certifying Authority shall commence its commercial operation of generation and issue of Digital Signature only after
21. Requirements Prior to Cessation as Certifying Authority.-Before ceasing to act as a Certifying Authority, a Certifying Authority shall,
Provided that the notice shall be given sixty days before ceasing to act as a Certifying Authority or sixty days before the date of expiry of unrevoked or unexpired Digital Signature Certificate, as the case may be;
22. Database of Certifying Authorities.-The Controller shall maintain a database of the disclosure record of every Certifying Authority, Cross Certifying Authority and Foreign Certifying Authority, containing inter alia the following details:
(iii) commencement of commercial operations of generation and issue of Digital Signature Certificate by the Certifying Authority;
(vii) revocation or suspension of recognition of foreign Certifying Authority.
23. Digital Signature Certificate.-The Certifying Authority shall, for issuing the Digital Signature Certificates, while complying with the provisions of section 35 of the Act, also comply with the following, namely:
(a) the Digital Signature Certificate shall be issued only after a Digital Signature Certificate application in the form provided by the Certifying Authority has been submitted by the subscriber to the Certifying Authority and the same has been approved by it:
Provided that the application Form contains, inter alia, the particulars given in the modal Form given in Schedule-IV;
24. Generation of Digital Signature Certificate.-The generation of the Digital Signature Certificate shall involve:
25. Issue of Digital Signature Certificate.-Before the issue of the Digital Signature Certificate, the Certifying Authority shall:
(iii) comply with all privacy requirements;
(iv)obtain a consent of the person requesting the Digital Signature Certificate, that the details of such Digital Signature Certificate can be published on a directory service.
26. Certificate Lifetime.- (1) A Digital Signature Certificate,
(c) shall expire automatically upon reaching the designated expiry date at which time the Digital Signature Certificate shall be archived;
28. Compromise of Digital Signature Certificate.- Digital Signature Certificates in operational use that become compromised shall be revoked in accordance with the procedure defined in the Certification Practice Statement of Certifying Authority.
Explanation : Digital Signature Certificates shall,
(a) be deemed to be compromised where the integrity of:
29. Revocation of Digital Signature Certificate.-(1) Digital Signature Certificate shall be revoked and become invalid for any trusted use, where
30. Fees for issue of Digital Signature Certificate.-(1) The Certifying Authority shall charge such fee for the issue of Digital Signature Certificate as may be prescribed by the Central Government under sub-section (2) of section 35 of the Act.
31. Audit.- (1) The Certifying Authority shall get its operations audited annually by an auditor and such audit shall include inter alia,
(iii) technology evaluation;
(vii) contracts/agreements;
(viii) regulations prescribed by the Controller;
(3) The Certifying Authority shall submit copy of each audit report to the Controller within four weeks of the completion of such audit and where irregularities are found, the Certifying Authority shall take immediate appropriate action to remove such irregularities.
32. Auditor’s relationship with Certifying Authority.- (1) The auditor shall be independent of the Certifying Authority being audited and shall not be a software or hardware vendor which is, or has been providing services or supplying equipment to the said Certifying Authority.
(2) The auditor and the Certifying Authority shall not have any current or planned financial, legal or other relationship, other than that of an auditor and the audited party.
33. Confidential Information.- The following information shall be confidential namely:-
(a) Digital Signature Certificate application, whether approved or rejected;
34. Access to Confidential Information.-(1) Access to confidential information by Certifying Authority’s operational staff shall be on a “need-to-know” and “need-touse” basis.
SCHEDULE-I
[See rule 10]
Form for Application for grant of Licence to be a Certifying Authority
1. Full Name * Last Name/Surname __________________________________ First Name ___________________________________ Middle Name ___________________________________
A. Residential Address * Flat/Door/Block No. ___________________________________ Name of Premises/Building/Village ___________________________________ Road/Street/Lane/Post Office ___________________________________
Area/Locality/Taluka/Sub-Division ___________________________________
Town/City/District ___________________________________ State/Union Territory __________________ Pin : __________ Telephone No. ___________________________________ Fax ___________________________________ Mobile Phone No. ___________________________________
B. Office Address *
Name of Office ___________________________________ Flat/Door/Block No. ___________________________________ Name of Premises/Building/Village ___________________________________ Road/Street/Lane/Post Office ___________________________________ Area/Locality/Taluka/Sub-Division ___________________________________ Town/City/District ___________________________________ State/Union Territory __________________ Pin : __________ Telephone No. ___________________________________ Fax ___________________________________
4. Address for Communication * Tick √ as applicable A
B
5. Father’s Name * Last Name/Surname __________________________________ First Name ___________________________________ Middle Name ___________________________________
9. Credit Card Details Credit Card Type Credit Card No. Issued By
--/--/---
--/--/---
___________________________________
Rs. ________________________________
20. Particulars of Business, if any: * Head Office ___________________________________ Name of Office ___________________________________ Flat/Door/Block No. ___________________________________ Name of Premises/Building/Village ___________________________________ Road/Street/Lane/Post Office ___________________________________ Area/Locality/Taluka/Sub-Division ___________________________________ Town/City/District ______________________ Pin _________ State/Union Territory ___________________________________ Telephone No. ___________________________________ Fax ___________________________________
Web page URL address, if any ___________________________________ No. of Branches ___________________________________ Nature of Business ___________________________________
No. of Partners/Members/Directors ___________________________________
Details of Partners/Members/Directors
A. Full Name Last Name/Surname __________________________________ First Name ___________________________________
Middle Name ___________________________________
B. Address
Flat/Door/Block No. ________________________________ Name of Premises/Building/Village ________________________________ Road/Street/Lane/Post Office ________________________________ In case of foreign national, Visa details_______________________________
Area/Locality/Taluka/Sub-Division | ________________________________ |
Town/City/District | ________________________________ |
State/Union Territory Pin | ________________________________ |
Telephone No. | ________________________________ |
Fax No. | ________________________________ |
Mobile Phone No. | ________________________________ |
C. Nationality | ________________________________ |
D. Passport Details # Passport No. ___________________________________ Passport issuing authority ___________________________________ Passport expiry date ___________________________________
E. Voter’s Identity Card No. # ___________________________________
F. Income Tax PAN no. # ___________________________________
G. E-mail Address ___________________________________
H. Personal Web page URL, if any ___________________________________
27. Authorised Representative *
Name ___________________________________ Flat/Door/Block No. ___________________________________ Name of Premises/Building/Village ___________________________________ Road/Street/Lane/Post Office ___________________________________ Area/Locality/Taluka/Sub-Division ___________________________________ Town/City/District ___________________ Pin ____________ State/Union Territory ___________________________________ Telephone No. ___________________________________ Fax ___________________________________
Nature of Business ___________________________________
28. Particulars of Organisation: * Name of Organisation ___________________________________ Administrative Ministry/Department ___________________________________ Under State/Central Government ___________________________________
Flat/Door/Block No. ___________________________________ Name of Premises/Building/Village ___________________________________ Road/Street/Lane/Post Office ___________________________________ Area/Locality/Taluka/Sub-Division ___________________________________ Town/City/District ____________________ Pin __________ State/Union Territory ___________________________________ Telephone No. ___________________________________ Fax No. ___________________________________ Web page URL Address ___________________________________ Name of the Head of Organisation ___________________________________ Designation ___________________________________ E-mail Address ___________________________________
29. Bank Details Bank Name * ___________________________________ Branch * ___________________________________ Bank Account No. * ___________________________________ Type of Bank Account * ___________________________________
________________________________ | |
---|---|
Draft/pay order No. | ________________________________ |
Date of Issue | ________________________________ |
Amount | ________________________________ |
(Not applicable if the applicant is a Government Ministry/Department/Agency/ Authority)
If yes, the documents attached:
ii) …………………………
iii) …………………………
iv) …………………………
36. Any other information _________________________________
Date Signature of the Applicant
SCHEDULE-II
[See rule 19(2)]
Index
Page
1. Introduction ….………………………………………………………. 27
4. Physical and Operational Security……………………………….. 30
4.2 Fire Protection…………………….…………………………………… 31
4.3 Environmental Protection…………………….………………………. 31
4.4 Physical Access…………………….…………………….…………… 32
5. Information Management…………………….…………………….. 33
5.1 System Administration…………………….………………………….. 33
5.2 Sensitive Information Control…………………….…………………... 34
5.3 Sensitive Information Security…………………….…………………. 35
5.4 Third Party Access…………………….…………………….………… 35
5.5 Prevention of Computer Misuse…………………….……………….. 36
6. System integrity and security measures……..………….……… 36
6.1 Use of Security Systems or Facilities…………………….…………. 36
6.3 Password Management…………………….………………………… 38
6.4 Privileged User’s Management…………………….………………… 39
6.5 User’s Account Management…………………….…………………... 39
6.6 Data and Resource Protection…………………….…………………. 40
7. Sensitive Systems Protection………………….………………….. 41
8. Data Centre Operations Security………………….……………… 41
8.1 Job Scheduling…………………….…………………….…………….. 41
8.2 System Operations Procedure…………………….…………………. 41
8.3 Media Management…………………….…………………….……… . 42
8.4 Media Movement…………………….…………………….………….. 42
9. Data Backup and Off-site Retention………………….…………... 43
10. Audit Trails and Verification………………….……………………. 44
11. Measures to Handle Computer Virus………………….…………. 45
12. Relocation of Hardware and Software…………………….……… 46
13. Hardware and Software Maintenance………………….………… 46
14. Purchase and Licensing of Hardware and Software………..… 47
15. System Software….……………….…………………….………….. 48
16. Documentation Security….…………..….………………………… 49
17. Network Communication Security………………….…………….. 49
18. Firewalls…………………….…………………….…………………… 50
19. Connectivity…………………….…………………….………… 51
20. Network Administrator..………………….……….………….……. 51
21. Change Management…………………….…………………..…….. 52
21.1 Change Control…………………….…………………….……………. 52
21.2 Testing of Changes to Production System…………………………. 52
21.3 Review of Changes…………………….…………………….………. 53
22. Problem Management and Reporting…………………….……… 53
23. Emergency Preparedness…………………….……………………. 53
24. Contingency Recovery Equipment and Services……………... 54
25. Security Incident Reporting and Response………………..…… 54
26. Disaster Recovery/Management………………..………………. . 54
Information Technology (IT) Security Guidelines
1. Introduction
This document provides guidelines for the implementation and management of Information Technology Security. Due to the inherent dynamism of the security requirements, this document does not provide an exact template for the organizations to follow. However, appropriate suitable samples of security process are provided for guidelines. It is the responsibility of the organizations to develop internal processes that meet the guidelines set forth in this document.
The following words used in the Information Technology Security Guidelines shall be interpreted as follows:
2. Implementation of an Information Security Programme
Successful implementation of a meaningful Information Security Programme rests with the support of the top management. Until and unless the senior managers of the organization understand and concur with the objectives of the information security programme its ultimate success is in question.
The Information Security Programme should be broken down into specific stages as follows:
The principal task of the security implementation is to define the responsibilities of persons within the organization. The implementation should be based on the general principle that the person who is generating the information is also responsible for its security. However, in order to enable him to carry out his responsibilities in this regard, proper tools, and environment need to be established.
When different pieces of information at one level are integrated to form higher value information, the responsibility for its security needs also should go up in the hierarchy to the integrator and should require higher level of authority for its access. It should be absolutely clear with respect to each information as to who is its owner, its custodian, and its users. It is the duty of the owner to assign the right classification to the information so that the required level of security can be enforced. The custodian of information is responsible for the proper implementation of security guidelines and making the information available to the users on a need to know basis.
3. Information Classification Information assets must be classified according to their sensitivity and their importance to the organization. Since it is unrealistic to expect managers and employees to maintain absolute control over all information within the boundaries of the organization, it is necessary to advise them on which types of information are considered more sensitive, and how the organization would like the sensitive information handled and protected. Classification, declassification, labeling, storage, access, destruction and reproduction of classified data and the administrative overhead this process will create must be considered. Failure to maintain a balance between the value of the information classified and the administrative burden the classification system places on the organization will result in long-term difficulties in achieving success.
Confidential is that classification of information of which unauthorized disclosure/use could cause serious damage to the organization, e.g. strategic planning documents. Restricted is that classification of information of which unauthorized disclosure/use would not be in the best interest of the organization and/or its customers, e.g. design details, computer software (programs, utilities), documentation, organization personnel data, budget information. Internal use is that classification of information that does not require any degree of protection against disclosure within the company, e.g. operating procedures, policies and standards inter office memorandums. Unclassified is that classification of information that requires no protection against disclosure e.g. published annual reports, periodicals.
While the above classifications are appropriate for a general organization view point, the following classifications may be considered : Top Secret: It shall be applied to information unauthorized disclosure of which could be expected to cause exceptionally grave damage to the national security or national interest. This category is reserved for Nation’s closest secrets and to be used with great reserve. Secret: This shall be applied to information unauthorized disclosure of which could be expected to cause serious damage to the national security or national interest or cause serious embarrassment in its functioning. This classification should be used for highly important information and is the highest classification normally used.
Confidentiality: This shall be applied to information unauthorized disclosure of which could be expected to cause damage to the security of the organisation or could be prejudicial to the interest of the organisation, or could affect the organisation in its functioning. Most information will on proper analysis be classified no higher than confidential. Restricted: This shall be applied to information which is essentially meant for official use only and which would not be published or communicated to anyone except for official purpose. Unclassified: This is the classification of information that requires no protection against disclosure.
4. Physical and Operational Security
4.1 Site Design
4.2 Fire Protection
4.3 Environmental Protection
4.4 Physical Access
5. Information Management
5.1 System Administration
5.3 Sensitive Information Security
5.4 Third Party Access
5.5 Prevention of Computer Misuse
(iii) Secure evidence and preserve integrity of such material as relates to the discovery of any breach;
(iii) Areas for security review; and
(iv) Subsequent follow-up action.
6. System integrity and security measures
6.1 Use of Security Systems or Facilities
(1) Security controls shall be installed and maintained on each computer system or computer node to prevent unauthorised users from gaining entry to the information system and to prevent unauthorised access to data.
(2) Any system software or resource of the computer system should only be accessible after being authenticated by access control system.
6.2 System Access Control
6.3 Password Management
(iii) Shall be changed at least once every ninety days; for sensitive system, password shall be changed at least once every thirty days; and
6.4 Privileged User’s Management
6.5 User’s Account Management
(1) Procedures for user account management shall be established to control access to application systems and data. The procedures shall include the following:
(iii) All users shall be required to sign an undertaking to acknowledge that they understand the conditions of access.
(vii) A periodic check shall be carried out for redundant user accounts and access rights that are no longer required.
(viii) Ensure that redundant user accounts are not re-issued to another user.
(iii) suspended or inactive accounts shall be deleted after a two months period. In case of protected computer systems, the limit of two months may be reduced to one month.
6.6 Data and Resource Protection
7. Sensitive Systems Protection
8. Data Centre Operations Security
8.1 Job Scheduling
8.2 System Operations Procedure
8.3 Media Management
8.4 Media Movement
9. Data Backup and Off-site Retention
(1) Back-up procedures shall be documented, scheduled and monitored.
(2) Up-to-date backups of all critical items shall be maintained to ensure the continued provision of the minimum essential level of service. These items include:
(iii) Databases
(vii) Pre-printed forms
(viii) Documentation (including a copy of the business continuity plans)
10. Audit Trails and Verification
(1) Transactions that meet exception criteria shall be completely and accurately highlighted and reviewed by personnel independent of those that initiate the transaction.
(iii) Actions taken by computer operations, system administrators, system programmers, and/or security administrators
11. Measures to Handle Computer Virus
(iii) Incident report must be documented and communicated per established procedures.
(6) An awareness and training programme shall be established to communicate virus protection practices, available controls, areas of high risk to virus infection and responsibilities.
12. Relocation of Hardware and Software Whenever computers or computer peripherals are relocated (e.g. for maintenance, installation at different sites or storage), the following guidelines shall apply:
(iii) If applicable, ribbons will be removed from printers.
(iv) All paper will be removed from printers.
13. Hardware and Software Maintenance Whenever, the hardware and software maintenance of the computer or computer network is being carried out, the following should be considered:
14. Purchase and Licensing of Hardware and Software
15. System Software
16. Documentation Security
17. Network Communication Security
– System Access Control.
18. Firewalls
19. Connectivity
20. Network Administrator
21. Change Management
21.1 Change Control
21.2 Testing Of Changes To Production System
21.3 Review Of Changes
22. Problem Management and Reporting
23. Emergency Preparedness
(1) Emergency response procedures for all activities connected with computer operation shall be developed and documented. These procedures should be reviewed periodically.
(2) Emergency drills should be held periodically to ensure that the documented emergency procedures are effective.
24. Contingency Recovery Equipment and Services
(1) Commitment shall be obtained in writing from computer equipment and supplies vendors to replace critical equipment and supplies within a specified period of time following a destruction of the computing facility.
25. Security Incident Reporting and Response
(1) All security related incidents must be reported to a central coordinator, appointed by the management to coordinate and handle security related incidents. This central coordinator shall be the single point of contact at the organization.
networks, software bugs which compromised the security of the system.
26. Disaster Recovery/Management
SCHEDULE-III
[See rule 19(2)]
Security Guidelines for Certifying Authorities
Index
Page
1. Introduction …………………………………………………………………. 57
2. Security Management……………………………………………………… 57
3. Physical controls – site location, construction and physical access 57
4. Media Storage………………………………………………………………. 60
5. Waste Disposal…………………………………………………………….. 60
6. Off-site Backup…………………………………………………………….. 60
7. Change and Configuration Management……………………………… 60
8. Network and Communications Security………………………………. 61
9. System Security Audit Procedures……………………………………. 61
9.1 Types of event recorded…………………………………..……………….. 61
9.2 Frequency of Audit Log Monitoring…………………………..……………. 63
9.3 Retention Period for Audit Log…………………………………..…………. 63
9.4 Protection of Audit Log………………………………………………..…….. 63
9.5 Audit Log Backup Procedures……………………………………………… 64
9.6 Vulnerability Assessments………………………………………………….. 64
10. Records Archival.………………………………………………………….. 64
11. Compromise and Disaster Recovery…………………………………… 65
11.1 Computing Resources, Software and/or Data are Corrupted……..…….. 65
11.2 Secure facility after a natural or other type of disaster……………….. … 65
11.3 Incident Management Plan……………….…………………………………. 65
12. Number of Persons required per task………………………………….. 66
13. Identification and Authentication for each role………………………. 66
14. Personnel Security Controls…………………………………………….. 67
15. Training Requirements…………………………………………………… 67
16. Retaining Frequency and Requirements ……………………………… 67
17. Documentation supplied to Personnel………………………………… 68
18. Key Management………………………………………………………….. 68
18.1 Generation……………………………………………………………………. 68
18.2 Distribution of keys………………………………………………………….. 68
18.3 Storage……………………………………………………………………….. 68
18.4 Usage…………………………………….…………………………………… 68
18.5 Certifying Authority’s Public Key Delivery to Users..……………………. 69
19. Private Key Protection and Backup……………………………………. 69
20. Method of Destroying Private Key………………………………………. 69
21. Usage Periods for the Public and Private Keys………………………. 69
21.1 Key Change………………………………………………………………….. 69
21.2 Destruction……………………………………………………………………. 70
21.3 Key Compromise……………………………………………………….……. 70
22. Confidentiality of Subscriber’s Information…………………………… 70
Security Guidelines for Certifying Authorities
1. Introduction
This document prescribes security guidelines for the management and operation of Certifying Authorities (CAs) and is aimed at protecting the integrity, confidentiality and availability of their services, data and systems. These guidelines apply to Certifying Authorities that perform all the functions associated with generation, issue and management of Digital Signature Certificate such as:
2. Security Management The Certifying Authority shall define Information Technology security policies for its operation on the lines defined in Schedule-II and Schedule-III. The policy shall be communicated to all personnel and widely published throughout the organisation to ensure that the personnel follow the policies.
3. Physical controls – site location, construction and physical access
(1) The site location, design, construction and physical
security of the operational site of Certifying Authority shall be in
accordance with para 4 of the Information Technology Security
Guidelines given at Schedule-II.
(2) Physical access to the operational site housing
computer servers, PKI server, communications and network devices
shall be controlled and restricted to the authorized individuals only in
accordance with para 4.4 of the Information Technology Security
Guidelines given at Schedule-II.
communications and networks is protected with fire suppression
system in accordance with para 4.2 of the Information Technology
Security Guidelines given at Schedule-II.
(ii) ensure that power and air-conditioning facilities are installed in accordance with para 4.1 of the Information Technology Security Guidelines given at Schedule-II.
(iii) ensure that all removable media and papers containing sensitive or plain text information are listed, documented and stored in a container properly identified.
(vii) ensure that dual control over the inventory and access cards/keys are in place.
(viii) ensure that up-to-date list of personnel who possess the access cards/keys is maintained at the Certifying Authority’s operational site. Loss of access cards/keys shall be reported immediately to the Security Administrator; who shall take appropriate actions to prevent unauthorised access.
4. Media Storage A Certifying Authority must ensure that storage media used by his system are protected from environment threats such as temperature, humidity and magnetic and are transported and managed in accordance with para 8.3 and para 8.4 of the Information Technology Security Guidelines given at Schedule-II.
5. Waste Disposal All media used for storage of information pertaining to all functions associated with generation, production, issue and management of Digital Signature Certificate shall be scrutinized before being destroyed or released for disposal.
6. Off-site Backup A Certifying Authority must ensure that facility used for off-site backup, if any, shall be within the country and shall have the same level of security as the primary Certifying Authority site.
7. Change and Configuration Management
8. Network and Communications Security
9. System Security Audit Procedures
9.1 Types of event recorded
(1) The Certifying Authority shall maintain record of all events relating to the security of his system. The records should be maintained in audit log file and shall include such events as:
(i) | System start-up and shutdown; | |
---|---|---|
(ii) | Certifying Authority’s application start-up and shutdown; | |
(iii) | Attempts to create, remove, set passwords or change | the |
system privileges of the PKI Master Officer, PKI Officer, or PKI | ||
Administrator; | ||
(iv) | Changes to keys of the Certifying Authority or any of his other | |
details; | ||
(v) | Changes to Digital Signature Certificate creation policies, e.g. | |
validity period; | ||
(vi) | Login and logoff attempts; | |
(vii) | Unauthorised attempts at network access to the Certifying | |
Authority’s system; |
(viii) Unauthorised attempts to access system files;
(xii) Failed read-and-write operations on the Digital Signature Certificate and Certificate Revocation List (CRL) directory.
(ii) Records and log files shall be reviewed regularly for the following activities:
(iii) Personnel changes;
9.2 Frequency of Audit Log Monitoring The Certifying Authority must ensure that its audit logs are reviewed by its personnel at least once every two weeks and all significant events are detailed in an audit log summary. Such reviews should involve verifying that the log has not been tampered with, and then briefly inspecting all log entries, with a more thorough investigation of any alerts or irregularities in the logs. Action taken following these reviews must be documented.
9.3 Retention Period for Audit Log The Certifying Authority must retain its audit logs onsite for at least twelve months and subsequently retain them in the manner described in para 10 of the Information Technology Security Guidelines as given in Schedule-II.
9.4 Protection of Audit Log The electronic audit log system must include mechanisms to protect the log files from unauthorized viewing, modification, and deletion.
Manual audit information must be protected from unauthorised viewing, modification and destruction.
9.5 Audit Log Backup Procedures
Audit logs and audit summaries must be backed up or copied if in manual form.
9.6 Vulnerability Assessments Events in the audit process are logged, in part, to monitor system vulnerabilities. The Certifying Authority must ensure that a vulnerability assessment is performed, reviewed and revised, if necessary, following an examination of these monitored events.
10. Records Archival
(1) Digital Signature Certificates stored and generated by the Certifying Authority must be retained for at least seven year after the date of its expiration. This requirement does not include the backup of private signature keys.
11. Compromise and Disaster Recovery
11.1 Computing Resources, Software and/or Data are Corrupted The Certifying Authority must establish business continuity procedures that outline the steps to be taken in the event of the corruption or loss of computing and networking resources, nominated website, repository, software and/or data. Where a repository is not under the control of the Certifying Authority, the Certifying Authority must ensure that any agreement with the repository provides for business continuity procedures.
11.2 Secure facility after a natural or other type of disaster The Certifying Authority must establish a disaster recovery plan outlining the steps to be taken to re-establish a secure facility in the event of a natural or other type of disaster. Where a repository is not under the control of the Certifying Authority, the Certifying Authority must ensure that any agreement with the repository provides that a disaster recovery plan be established and documented by the repository.
11.3 Incident Management Plan An incident management plan shall be developed and approved by the management. The plan shall include the following areas:
(iii) Breach of physical security;
An incident response action plan shall be established to ensure the
readiness of the Certifying Authority to respond to incidents. The plan should
include the following areas:
(iii) Revocation of affected Digital Signature Certificates; (if applicable)
(vii) Monitoring and audit trail analysis; and
(viii) Media and public relations.
12. Number of Persons Required Per Task The Certifying Authority must ensure that no single individual may gain access to the Digital Signature Certificate server and the computer server maintaining all information associated with generation, issue and management of Digital Signature Certificate and private keys of the Certifying Authority. Minimum two individuals, preferably using a split-knowledge technique, such as twin passwords, must perform any operation associated with generation, issue and management of Digital Signature Certificate and application of private key of the Certifying Authority.
13. Identification and Authentication for Each Role All Certifying Authority personnel must have their identity and authorization verified before they are:
(iii) given a certificate for the performance of their Certifying Authority role;
(iii) be restricted to actions authorized for that role; and (iv) procedural controls.
Certifying Authority’s operations must be secured using techniques of authentication and encryption, when accessed across-a shared network.
14. Personnel Security Controls The Certifying Authority must ensure that all personnel performing duties with respect to its operation must:
(iii) have received comprehensive training with respect to the duties they are to perform;
15. Training Requirements A Certifying Authority shall ensure that all personnel performing duties with respect to its operation, must receive comprehensive training in:
(iii) all PKI duties they are expected to perform; and
(iv) disaster recovery and business continuity procedures.
16. Retraining Frequency and Requirements The requirements of para 15 must be kept current to accommodate changes in the Certifying Authority’s system. Refresher training must be conducted as and when required, and the Certifying Authority must review these requirements at least once a year.
17. Documentation Supplied to Personnel A Certifying Authority must make available to his personnel the Digital Signature Certificate policies it supports, its Certification Practice Statement, Information Technology Security Policy and any specific statutes, policies or contracts relevant to their position.
18. Key Management
18.1 Generation
18.1 Distribution of Keys Keys shall be transferred from the key generation system to the storage device (if the keys are not stored on the key generation system) using a secure mechanism that ensures confidentiality and integrity.
18.2 Storage
18.3 Usage
18.5 Certifying Authority’s Public Key Delivery to Users The Certifying Authority’s public verification key must be delivered to the prospective Digital Signature Certificate holder in an on-line transaction in accordance with PKIX-3 Certificate Management Protocol, or via an equally secure manner.
19. Private Key Protection and Backup
20. Method of Destroying Private Key Upon termination of use of a private key, all copies of the private key in computer memory and shared disk space must be securely destroyed by over-writing. Private key destruction procedures must be described in the Certification Practice Statement or other publicly available document.
21. Usage Periods for the Public and Private Keys
21.1 Key Change
All keys must have validity periods of no more than five years. Suggested validity period:
( c) Subscriber Digital Signature Certificate key – three years;
(d) Subscriber private key – three years. Use of particular key lengths should be determined in accordance with departmental Threat-Risk Assessments.
21.2 Destruction
Upon termination of use of a Certifying Authority signature private key, all components of the private key and all its backup copies shall be securely destroyed.
21.3 Key Compromise
22. Confidentiality of Subscriber’s Information
SCHEDULE-IV
[See rule 23]
Form for Application for issue of Digital Signature Certificate
For Individual/Hindu Undivided Family Applicant
1. Full Name * [Name of the Karta in case of Hindu Undivided Family] Last Name/Surname __________________________________ First Name ___________________________________ Middle Name ___________________________________
Residential Address * Flat/Door/Block No. ___________________________________ Name of Premises/Building/Village ___________________________________ Road/Street/Lane/Post Office ___________________________________
Area/Locality/Taluka/Sub-Division ___________________________________
Town/City/District ___________________________________ State/Union Territory __________________ Pin : __________ Telephone No. ___________________________________ Fax ___________________________________ Mobile Phone No. ___________________________________
Office Address *
Name of Office ___________________________________ Flat/Door/Block No. ___________________________________ Name of Premises/Building/Village ___________________________________ Road/Street/Lane/Post Office ___________________________________ Area/Locality/Taluka/Sub-Division ___________________________________ Town/City/District ___________________________________ State/Union Territory __________________ Pin : __________ Telephone No. ___________________________________ Fax ___________________________________
4. Address for Communication * Tick √ as applicable A B
5. Father’s Name * Last Name/Surname __________________________________ First Name ___________________________________ Middle Name ___________________________________
9. In case of foreign national, visa details ___________________________________
___________________________________ | |
10. Credit Card Details | |
Credit Card Type | ___________________________________ |
Credit Card No. | ___________________________________ |
Issued By | ___________________________________ |
11. E-mail Address | ___________________________________ |
12. Web URL address | ___________________________________ |
13. Passport Details # | |
Passport No. | ___________________________________ |
Passport issuing authority | ___________________________________ |
Passport expiry date | ___________________________________ |
14. Voter’s Identity Card No. # | ___________________________________ |
15. Income Tax PAN no. # | ___________________________________ |
16. ISP Details | |
ISP Name * | ___________________________________ |
ISP’s Website Address, if any ___________________________________ Your User Name at ISP, if any ___________________________________
17. Personal Web page URL, if any ___________________________________
For Company /Firm/Body of Individuals/Association of Persons/ Local Authority
20. Particulars of Business, if any: * Head Office ___________________________________ Name of Office ___________________________________ Flat/Door/Block No. ___________________________________ Name of Premises/Building/Village ___________________________________ Road/Street/Lane/Post Office ___________________________________ Area/Locality/Taluka/Sub-Division ___________________________________ Town/City/District ______________________ Pin _________ State/Union Territory ___________________________________ Telephone No. ___________________________________ Fax ___________________________________
Web page URL, if any ___________________________________ No. of Branches ___________________________________ Nature of Business ___________________________________
Details of Partners/Members/Directors
No. of Partners/Members/Directors | ___________________________________ |
Full Name | |
Last Name/Surname | __________________________________ |
First Name | ___________________________________ |
Middle Name | ___________________________________ |
Address | |
Flat/Door/Block No. | ___________________________________ |
Name of Premises/Building/Village ___________________________________ Road/Street/Lane/Post Office ___________________________________ Area/Locality/Taluka/Sub-Division ___________________________________ Town/City/District ___________________________________ State/Union Territory Pin ___________________________________ Telephone No. ___________________________________ Fax No. ___________________________________ Mobile Phone No. ___________________________________
Nationality ________________________________ In case of foreign national, Visa details_______________________________
Passport Details #
Passport No. ___________________________________
Passport issuing authority ___________________________________
Passport expiry date ___________________________________
Voter’s Identity Card No. # ___________________________________
Income Tax PAN no. # ___________________________________
E-mail Address ___________________________________
Personal Web page URL, if any ___________________________________
For Government Organisations/Agencies
24. Particulars of Organisation/Agency : * Name of Organisation ___________________________________ Administrative Ministry/Department ___________________________________ Under State/Central Government ___________________________________ Flat/Door/Block No. ___________________________________ Name of Premises/Building/Village ___________________________________ Road/Street/Lane/Post Office ___________________________________ Area/Locality/Taluka/Sub-Division ___________________________________ Town/City/District ____________________ Pin __________ State/Union Territory ___________________________________ Telephone No. ___________________________________ Fax No. ___________________________________ Name of the Head of Organisation ___________________________________ Designation ___________________________________ E-mail Address ___________________________________
25. Bank Details Bank Name * ___________________________________ Branch * ___________________________________ Bank Account No. * ___________________________________ Type of Bank Account * ___________________________________
Date Signature of the Applicant
Instructions : 1. Columns marked with * are mandatory as applicable.
SCHEDULE—V Glossary
ACCEPT (A DIGITAL SIGNATURE CERTIFICATE)
To demonstrate approval of a Digital Signature Certificate by a Digital Signature Certificate applicant while knowing or having notice of its informational contents.
ACCESS
Gaining entry into, instructing or communicating with the logical, arithmetical, or memory function resources of a computer, computer system or computer network;
ACCESS CONTROL
The process of limiting access to the resources of a computer system only to authorized users, programs or other computer systems.
ACCREDITATION
A formal declaration by the Controller that a particular information system, professional or other employee or contractor, or organization is approved to perform certain duties and to operate in a specific security mode, using a prescribed set of safeguards.
AUTHORITY REVOCATION LIST (ARL)
A list of revoked Certifying Authority certificates. An ARL is a CRL for Certifying Authority cross-certificates.
ADDRESSEE
A person who is intended by the originator to receive the electronic record but does not include any intermediary.
AFFILIATED CERTIFICATE
A certificate issued to an affiliated individual. (See also AFFILIATED INDIVIDUAL)
AFFIRM / AFFIRMATION
To state or indicate by conduct that data is correct or information is true.
AFFIXING DIGITAL SIGNATURE
With its grammatical variations and cognate expressions means adoption of any methodology or procedure by a person for the purpose of authenticating an electronic record by means of digital signature;
ALIAS
A pseudonym.
APPLICANT (See CA APPLICANT; CERTIFICATE APPLICANT)
APPLICATION SOFTWARE
A software that is specific to the solution of an application problem. It is the software coded by or for an end user that performs a service or relates to the user’s work.
APPLICATION SYSTEM
A family of products designed to offer solutions for commercial data processing, office, and communications environments, as well as to provide simple, consistent programmer and end user interfaces for businesses of all sizes.
ARCHIVE
To store records and associated journals for a given period of time for security, backup, or auditing purposes.
ASSURANCES
Statements or conduct intended to convey a general intention, supported by a good-faith effort, to provide and maintain a specified service. “Assurances” does not necessarily imply a guarantee that the services will be performed fully and satisfactorily. Assurances are distinct from insurance, promises, guarantees, and warranties, unless otherwise expressly indicated.
ASYMMETRIC CRYPTO SYSTEM
A system of a secure key pair consisting of a private key for creating a digital signature and a public key to verify the digital signature.
AUDIT
A procedure used to validate that controls are in place and adequate for their purposes. Includes recording and analyzing activities to detect intrusions or abuses into an information system. Inadequacies found by an audit are reported to appropriate management personnel.
AUDIT TRAIL
A chronological record of system activities providing documentary evidence of processing that
enables management staff to reconstruct, review, and examine the sequence of states and activities
surrounding or leading to each event in the path of a transaction from its inception to output of fi9nal
results.
AUTHENTICATED RECORD
A signed document with appropriate assurances of authentication or a message with a digital signature verified by a relying party. However, for suspension and revocation notification purposes, the digital signature contained in such notification message must have been created by the private key corresponding to the public key contained in the Digital Signature Certificate.
AUTHENTICATION
A process used to confirm the identity of a person or to prove the integrity of specific information. Message authentication involves determining its source and verifying that it has not been modified or replaced in transit. (See also VERIFY (a DIGITAL SIGNATURE))
AUTHORIZATION
The granting of rights, including the ability to access specific information or resources.
AVAILABILITY
The extent to which information or processes are reasonably accessible and usable, upon demand, by an authorized entity, allowing authorized access to resources and timely performance of time-critical operations.
BACKUP
The process of copying critical information, data and software for the purpose of recovering essential processing back to the time the backup was taken.
BINDING
An affirmation by a Certifying Authority of the relationship between a named entity and its public key.
CERTIFICATE
A Digital Signature Certificate issued by Certifying Authority.
CERTIFICATE CHAIN
An ordered list of certificates containing an end-user subscriber certificate and Certifying Authority certificates (See VALID CERTIFICATE).
CERTIFICATE EXPIRATION
The time and date specified in the Digital Signature Certificate when the operational period ends, without regard to any earlier suspension or revocation.
CERTIFICATE EXTENSION
An extension field to a Digital Signature Certificate which may convey additional information about the public key being certified, the certified subscriber, the Digital Signature Certificate issuer, and/or the certification process. Standard extensions are defined in Amendment 1 to ISO/IEC 95948:1995 (X.509). Custom extensions can also be defined by communities of interest.
CERTIFICATE ISSUANCE
The actions performed by a Certifying Authority in creating a Digital Signature Certificate and notifying the Digital Signature Certificate applicant (anticipated to become a subscriber) listed in the Digital Signature Certificate of its contents.
CERTIFICATE MANAGEMENT [MANAGEMENT OF DIGITAL SIGNATURE CERTIFICATE]
Certificate management includes, but is not limited to, storage, distribution, dissemination, accounting, publication, compromise, recovery, revocation, suspension and administration of Digital Signature Certificates. A Certifying Authority undertakes Digital Signature Certificate management functions by serving as a registration authority for subscriber Digital Signature Certificates. A Certifying Authority designates issued and accepted Digital Signature Certificates as valid by publication.
CERTIFICATE POLICY
A specialized form of administrative policy tuned to electronic transactions performed during Digital Signature Certificate management. A Certificate Policy addresses all aspects associated with the generation, production, distribution, accounting, compromise recovery and administration of digital certificates. Indirectly, a certificate policy can also govern the transactions conducted using a communications system protected by a certificate-based security system. By controlling critical certificate extensions, such policies and associated enforcement technology can support provision of the security services required by particular applications.
CERTIFICATE REVOCATION (SEE REVOKE A CERTIFICATE)
CERTIFICATE REVOCATION LIST (CRL)
A periodically (or exigently) issued list, digitally signed by a Certifying Authority, of identified Digital Signature Certificates that have been suspended or revoked prior to their expiration dates. The list generally indicates the CRL issuer's name, the date of issue, the date of the next scheduled CRL issue, the suspended or revoked Digital Signature Certificates' serial numbers, and the specific times and reasons for suspension and revocation.
CERTIFICATE SERIAL NUMBER
A value that unambiguously identifies a Digital Signature Certificate generated by a Certifying Authority.
CERTIFICATE SIGNING REQUEST (CSR) A machine-readable form of a Digital Signature Certificate application.
CERTIFICATE SUSPENSION (SEE SUSPEND A CERTIFICATE)
CERTIFICATION / CERTIFY
The process of issuing a Digital Signature Certificate by a Certifying Authority.
CERTIFYING AUTHORITY (CA)
A person who has been granted a licence to issue a Digital Signature Certificate under section 24 of Information Technology Act, 2000.
CERTIFYING AUTHORITY SOFTWARE
The cryptographic software required to manage the keys of end entities.
CERTIFYING AUTHORITY SYSTEM
All the hardware and software system (e.g. Computer, PKI servers, network devices etc.) used by the Certifying Authority for generation, production, issue and management of Digital Signature Certificate.
CERTIFICATION PRACTICE STATEMENT (CPS)
A statement issued by a Certifying Authority to specify the practices that the Certifying Authority employs in issuing Digital Signature Certificates.
CERTIFIER (See ISSUING AUTHORITY)
CHALLENGE PHRASE
A set of numbers and/or letters that are chosen by a Digital Signature Certificate applicant, communicated to the Certifying Authority with a Digital Signature Certificate application, and used by the Certifying Authority to authenticate the subscriber for various purposes as required by the Certification Practice Statement. A challenge phrase is also used by a secret share holder to authenticate himself, herself, or itself to a secret share issuer.
CERTIFICATE CLASS
A Digital Signature Certificate of a specified level of trust.
CLIENT APPLICATION
An application that runs on a personal computer or workstation and relies on a server to perform some operation.
COMMON KEY
Some systems of cryptographic hardware require arming through a secret-sharing process and require that the last of these shares remain physically attached to the hardware in order for it to stay armed. In this case, “common key” refers to this last share. It is not assumed to be secret as it is not continually in an individual’s possession.
COMMUNICATION/NETWORK SYSTEM
A set of related, remotely connected devices and communications facilities including more than one computer system with the capability to transmit data among them through the communications facilities (covering ISDN, lease lines, dial-up, LAN, WAN, etc.).
COMPROMISE
A violation (or suspected violation) of a security policy, in which an unauthorized disclosure of, or loss of control over, sensitive information may have occurred. (Cf., DATA INTEGRITY)
COMPUTER
Any electronic, magnetic, optical or other high-speed data processing device or system which performs logical, arithmetic, and memory functions by manipulations of electronic, magnetic or optical impulses, and includes all input, output, processing, storage, computer software, or communication facilities which are connected or related to the computer in a computer system or computer network.
COMPUTER CENTRE (See DATA CENTRE)
COMPUTER DATA BASE
Means a representation of information, knowledge, facts, concepts or instructions in text, image, audio, video that are being prepared or have been prepared in a formalised manner or have been produced by a computer, computer system or computer network and are intended for use in a computer, computer system or computer network.
COMPUTER NETWORK
Interconnection of one or more computers through—
COMPUTER PERIPHERAL
Means equipment that works in conjunction with a computer but is not a part of the main computer itself, such as printer, magnetic tape reader, etc.
COMPUTER RESOURCE
Means computer, computer system, computer network, data, computer database or software.
COMPUTER SYSTEM
A device or collection of devices, including input and output support devices and excluding calculators which are not programmable and capable of being used in conjunction with external files, which contain computer programmes, electronic instructions, input data and output data, that performs logic, arithmetic, data storage and retrieval, communication control and other functions.
COMPUTER VIRUS (See VIRUS) CONFIDENTIALITY
The condition in which sensitive data is kept secret and disclosed only to authorized parties.
CONFIRM
To ascertain through appropriate inquiry and investigation. (See also AUTHENTICATION; VERIFY A DIGITAL SIGNATURE)
CONFIRMATION OF DIGITAL SIGNATURE CERTIFICATE CHAIN
The process of validating a Digital Signature Certificate chain and subsequently validating an end-user subscriber Digital Signature Certificate.
CONTINGENCY PLANS
The establishment of emergency response, back up operation, and post-disaster recovery processes maintained by an information processing facility or for an information system.
Establish the strategy for recovering from unplanned disruption of information processing operations. The strategy includes the identification and priority of what must be done, who performs the required action, and what tools must be used.
A document, developed in conjunction with application owners and maintained at the primary and backup computer installation, which describes procedures and identifies the personnel necessary to respond to abnormal situations such as disasters. Contingency plans help managers ensure that computer application owners continue to process (with or without computers) mission-critical applications in the event that computer support is interrupted.
CONTROLS
Measures taken to ensure the integrity and quality of a process.
CORRESPOND
To belong to the same key pair. (See also PUBLIC KEY; PRIVATE KEY)
CRITICAL INFORMATION
Data determined by the data owner as mission critical or essential to business purposes.
CROSS-CERTIFICATE
A Certificate used to establish a trust relationship between two Certifying Authorities.
CRYPTOGRAPHIC ALGORITHM
A clearly specified mathematical process for computation; a set of rules that produce a prescribed result.
CRYPTOGRAPHY (See also PUBLIC KEY CRYPTOGRAPHY)
DAMAGE
Means to destroy, alter, delete, add, modify or rearrange any computer resource by any means.
DATA
Means a representation of information, knowledge, facts, concepts or instructions which are being prepared or have been prepared in a formalised manner, and is intended to be processed, is being processed or has been processed in a computer system or computer network, and may be in any form (including computer printouts magnetic or optical storage media, punched cards, punched tapes) or stored internally in the memory of the computer.
DATA BASE (See COMPUTER DATABASE)
DATA CENTRE (as also COMPUTER CENTRE)
The facility covering the computer room, media library, network area, server area, programming and administration areas, other storage and support areas used to carry out the computer processing functions. Usually refers to the computer room and media library.
DATA CONFIDENTIALITY (See CONFIDENTIALITY)
DATA INTEGRITY
A condition in which data has not been altered or destroyed in an unauthorized manner. (See also THREAT; COMPROMISE)
DATA SECURITY
The practice of protecting data from accidental or malicious modification, destruction, or disclosure.
DEMO CERTIFICATE
A Digital Signature Certificate issued by a Certifying Authority to be used exclusively for demonstration and presentation purposes and not for any secure or confidential communications. Demo Digital Signature Certificates may be used by authorized persons only.
DIGITAL CERTIFICATE APPLICANT
A person that requests the issuance of a public key Digital Signature Certificate by a Certifying Authority. (See also CA APPLICANT; SUBSCRIBER)
DIGITAL CERTIFICATE APPLICATION
A request from a Digital Signature Certificate applicant (or authorized agent) to a Certifying Authority for the issuance of a Digital Signature Certificate. (See also CERTIFICATE APPLICANT; CERTIFICATE SIGNING REQUEST)
DIGITAL SIGNATURE
Means authentication of any electronic record by a subscriber by means of an electronic method or procedure in accordance with the provisions of section 3 of the Information Technology Act, 2000.
DIGITAL SIGNATURE CERTIFICATE
Means a Digital Signature Certificate issued under sub-section (4) of section 35 of the Information Technology Act, 2000.
DISTINGUISHED NAME
A set of data that identifies a real-world entity, such as a person in a computer-based context.
DOCUMENT
A record consisting of information inscribed on a tangible medium such as paper rather than computer-based information. (See also MESSAGE; RECORD)
ELECTRONIC FORM
With reference to information means any information generated, sent, received or stored in media, magnetic, optical, computer memory, micro-film, computer generated micro fiche or similar device.
ELECTRONIC MAIL (“E-MAIL”)
Messages sent, received or forwarded in digital form via a computer-based communication mechanism.
ELECTRONIC RECORD
Means data, record or data generated, image or sound stored, received or sent in an electronic form or microfilm or computer generated micro-fiche.
ENCRYPTION
The process of transforming plaintext data into an unintelligible form (cipher text) such that the original data either cannot be recovered (one-way encryption) or cannot be recovered without using an inverse decryption process (two-way encryption).
EXTENSIONS
Extension fields in X.509 v3 certificates. (See X.509)
FIREWALL/DOUBLE FIREWALL
One of several types of intelligent devices (such as routers or gateways) used to isolate networks. Firewalls make it difficult for attackers to jump from network to network. A double firewall is two firewalls connected together. Double firewalls are used to minimise risk if one firewall gets compromised or provide address translation functions.
FILE TRANSFER PROTOCOL (FTP)The application protocol that offers file system access from the Internet suite of protocols.
FUNCTION
In relation to a computer, includes logic, control, arithmetical process, deletion, storage and retrieval and communication or telecommunication from or within a computer.
GATEWAY
Hardware or software that is used to translate protocols between two or more systems.
GENERATE A KEY PAIR
A trustworthy process of creating private keys during Digital Signature Certificate application whose corresponding public keys are submitted to the applicable Certifying Authority during Digital Signature Certificate application in a manner that demonstrates the applicant’s capacity to use the private key.
HARD COPY
A copy of computer output that is printed on paper in a visually readable form; e.g. printed reports, listing, and documents.
HASH (HASH FUNCTION)
An algorithm that maps or translates one set of bits into another (generally smaller) set in such a way that : i) A message yields the same result every time the algorithm is executed using the same message as input. ii) ii) It is computationally infeasible for a message to be derived or reconstituted from the result produced by the algorithm. iii) It is computationally infeasible to find two different messages that produce the same hash result using the same algorithm.
HIGH-SECURITY ZONE
An area to which access is controlled through an entry point and limited to authorized, appropriately screened personnel and properly escorted visitors. High-Security Zones should be accessible only from Security Zones, and are separated from Security Zones and Operations Zones by a perimeter. High-Security Zones are monitored 24 hours a day a week by security staff, other personnel or electronic means.
IDENTIFICATION / IDENTIFY
The process of confirming the identity of a person. Identification is facilitated in public key cryptography by means of certificates.
IDENTITY
A unique piece of information that marks or signifies a particular entity within a domain. Such information is only unique within a particular domain.
INFORMATION
Includes data, text, images, sound, voice, codes, computer programmes, software and databases or micro-film or computer generated micro fiche.
INFORMATION ASSETS
Means all information resources utilized in the course of any organisation’s business and includes all information, application software (developed or purchased), and technology (hardware, system software and networks).
INTERMEDIARY
With respect to any particular electronic message means any person who on behalf of another person receives, stores or transmits that message or provides any service with respect to that message.
INFORMATION TECHNOLOGY SECURITY
All aspects related to defining, achieving, and maintaining confidentiality, integrity, availability, accountability, authenticity, and reliability.
INFORMATION TECHNOLOGY SECURITY POLICY
Rules, directives and practices that govern how information assets, including sensitive information, are managed, protected and distributed within an organization and its Information Technology systems.
KEY
A sequence of symbols that controls the operation of a cryptographic transformation (e.g. encipherment, decipherment, cryptographic check function computation, signature generation, or signature verification).
KEY GENERATION
The trustworthy process of creating a private key/public key pair.
KEY MANAGEMENT
The administration and use of the generation, registration, certification, deregistration, distribution, installation, storage, archiving, revocation, derivation and destruction of keying material in accordance with a security policy.
KEY PAIR
In an asymmetric crypto system, means a private key and its mathematically related public key, which are so related that the public key can verify a digital signature created by the private key.
LICENCE
Means a licence granted to a Certifying Authority.
LOCAL AREA NETWORK (LAN)
A geographically small network of computers and supporting components used by a group or department to share related software and hardware resources.
LOW-SENSITIVE
Applies to information that, if compromised, could reasonably be expected to cause injury outside the national interest, for example, disclosure of an exact salary figure.
MANAGEMENT OF DIGITAL SIGNATURE CERTIFICATE [SEE CERTIFICATE MANAGEMENT]
MEDIA
The material or configuration on which data is recorded. Examples include magnetic taps and disks.
MESSAGE
A digital representation of information; a computer-based record. A subset of RECORD. (See also RECORD)
NAME
A set of identifying attributes purported to describe an entity of a certain type.
NETWORK
A set of related, remotely connected devices and communications facilities including more than one computer system with the capability to transmit data among them through the communications facilities.
NETWORK ADMINISTRATOR
The person at a computer network installation who designs, controls, and manages the use of the computer network.
NODE
In a network, a point at which one or more functional units connect channels or data circuits.
NOMINATED WEBSITE
A website designated by the Certifying Authority for display of information such as fee schedule, Certification Practice Statement, Certificate Policy etc.
NONREPUDIATION
Provides proof of the origin or delivery of data in order to protect the sender against a false denial by the recipient that the data has been received or to protect the recipient against false denial by the sender that the data has been sent. Note: Only a trier of fact (someone with the authority to resolve disputes) can make an ultimate determination of non-repudiation. By way of illustration, a digital signature verified pursuant to this Certification Practice Statement can provide proof in support of a determination of non-repudiation by a trier of fact, but does not by itself constitute non-repudiation.
NOTARY
A natural person authorized by an executive governmental agency to perform notarial services such as taking acknowledgments, administering oaths or affirmations, witnessing or attesting signatures, and noting protests of negotiable instruments.
ON-LINE
Communications that provide a real-time connection.
OPERATIONS ZONE
An area where access is limited to personnel who work there and to properly escorted visitors. Operations Zones should be monitored at least periodically, based on a threat risk assessment (TRA), and should preferably be accessible from a Reception Zone.
OPERATIONAL CERTIFICATE
A Digital Signature Certificate which is within its operational period at the present date and time or at a different specified date and time, depending on the context.
OPERATIONAL MANAGEMENT
Refers to all business/service unit management (i.e. the user management) as well as Information Technology management.
OPERATIONAL PERIOD
The period starting with the date and time a Digital Signature Certificate is issued (or on a later date and time certain if stated in the Digital Signature Certificate) and ending with the date and time on which the Digital Signature Certificate expires or is earlier suspended or revoked.
ORGANIZATION
An entity with which a user is affiliated. An organization may also be a user.
ORIGINATOR
A person who sends, generates, stores or transmits any electronic message or causes any electronic message to be sent, generated, stored or transmitted to any other person but does not include an intermediary.
PASSWORD (PASS PHRASE; PIN NUMBER)
Confidential authentication information usually composed of a string of characters used to provide access to a computer resource.
PARTICULARLY SENSITIVE
Applies to information that, if compromised, could reasonably be expected to cause serious injury outside the national interest, for example loss of reputation or competitive advantage.
PC CARD (SEE ALSO SMART CARD)
A hardware token compliant with standards promulgated by the Personal Computer Memory Card International Association (PCMCIA) providing expansion capabilities to computers, including the facilitation of information security.
PERSON
Means any company or association or individual or body of individuals, whether incorporated or not.
PERSONAL PRESENCE
The act of appearing (physically rather than virtually or figuratively) before a Certifying Authority or its designee and proving one's identity as a prerequisite to Digital Signature Certificate issuance under certain circumstances.
PKI (PUBLIC KEY INFRASTRUCTURE) / PKI SERVER
A set of policies, processes, server platforms, software and workstations used for the purpose of administering Digital Signature Certificates and public-private key pairs, including the ability to generate, issue, maintain, and revoke public key certificates.
PKI HIERARCHY
A set of Certifying Authorities whose functions are organized according to the principle of delegation of authority and related to each other as subordinate and superior Certifying Authority.
PLEDGE (See SOFTWARE PUBLISHER’S PLEDGE)
POLICY
A brief document that states the high-level organization position, states the scope, and establishes who is responsible for compliance with the policy and the corresponding standards. Following is an abbreviated example of what a policy may contain
PRIVATE KEY
The key of a key pair used to create a digital signature.
PROCEDURE
A set of steps performed to ensure that a guideline is met.
PROGRAM
A detailed and explicit set of instructions for accomplishing some purpose, the set being expressed in some language suitable for input to a computer, or in machine language.
PROXY SERVER
A server that sits between a client application such as a web browser and a real server. It intercepts all requests to the real server to see if it can fulfill the request itself. If not, it forwards the request to the real server.
PUBLIC ACCESS ZONE
Generally surrounds or forms part of a government facility. Examples include the grounds surrounding a building, and public corridors and elevator lobbies in multiple-occupancy buildings. Boundary designators such as signs and direct or remote surveillance may be used to discourage unauthorized activity.
PUBLIC KEY
The key of a key pair used to verify a digital signature and listed in the Digital Signature Certificate.
PUBLIC KEY CERTIFICATE (See CERTIFICATE)
PUBLIC KEY CRYPTOGRAPHY (See CRYPTOGRAPHY)
A type of cryptography that uses a key pair of mathematically related cryptographic keys. The public key can be made available to anyone who wishes to use it and can encrypt information or verify a digital signature; the private key is kept secret by its holder and can decrypt information or generate a digital signature.
PUBLIC KEY INFRASTRUCTURE (PKI)
The architecture, organization, techniques, practices, and procedures that collectively support the implementation and operation of a certificate-based public key cryptographic system. It includes a set of policies, processes, server platforms, software and workstations, used for the purpose of administering Digital Signature Certificates and keys.
PUBLIC/PRIVATE KEY PAIR (See PUBLIC KEY; PRIVATE KEY; KEY PAIR)
RECIPIENT (of a DIGITAL SIGNATURE)
A person who receives a digital signature and who is in a position to rely on it, whether or not such reliance occurs. (See also RELYING PARTY)
RECORD
Information that is inscribed on a tangible medium (a document) or stored in an electronic or other medium and retrievable in perceivable form. The term “record” is a superset of the two terms “document” and “message”. (See also DOCUMENT; MESSAGE)
RE-ENROLLMENT (See also RENEWAL)
RELY / RELIANCE (on a CERTIFICATE and DIGITAL SIGNATURE)
To accept a digital signature and act in a manner that could be detrimental to oneself were the digital signature to be ineffective. (See also RELYING PARTY; RECIPIENT)
RELYING PARTY
A recipient who acts in reliance on a certificate and digital signature. (See also RECIPIENT; RELY OR RELIANCE (on a CERTIFICATE and DIGITAL SIGNATURE))
RENEWAL
The process of obtaining a new Digital Signature Certificate of the same class and type for the same subject once an existing Digital Signature Certificate has expired.
REPOSITORY
A database of Digital Signature Certificates and other relevant information accessible on-line.
REPUDIATION (See also NONREPUDIATION)
The denial or attempted denial by an entity involved in a communication of having participated in all or part of the communication.
REVOKE A CERTIFICATE
The process of permanently ending the operational period of a Digital Signature Certificate from a specified time forward.
RISK
The potential of damage to a system or associated assets that exists as a result of the combination of security threat and vulnerability.
RISK ANALYSIS
The process of identifying security risks, determining their magnitude, and identifying areas needing safeguards.
RISK ASSESSMENT
An analysis of system assets and vulnerabilities to establish an expected loss from certain events based on estimated probabilities of the occurrence of those events.
RISK MANAGEMENT
The total process of identifying, controlling, and eliminating or minimizing uncertain events that may affect Information Technology system resources.
RSA
A public key cryptographic system invented by Rivest, Shamir & Adelman.
SECRET SHARE
A portion of a cryptographic secret split among a number of physical tokens.
SECRET SHARE HOLDER
An authorized holder of a physical token containing a secret share.
SECURE CHANNEL
A cryptographically enhanced communications path that protects messages against perceived security threats.
SECURE SYSTEM
Means computer hardware, software, and procedure that—
SECURITY PROCEDURE
Means the security procedure prescribed under section 16 of the Information Technology Act, 2000.
SECURITY
The quality or state of being protected from unauthorized access or uncontrolled losses or effects. Absolute security is impossible to achieve in practice and the quality of a given security system is relative. Within a state-model security system, security is a specific "state" to be preserved under various operations.
SECURITY POLICY
A document which articulates requirements and good practices regarding the protections maintained by a trustworthy system.
SECURITY SERVICES
Services provided by a set of security frameworks and performed by means of certain security mechanisms. Such services include, but are not limited to, access control, data confidentiality, and data integrity.
SECURITY ZONE
An area to which access is limited to authorised personnel and to authorised and properly escorted visitors. Security Zones should preferably be accessible from an Operations Zone, and through a specific entry point. A Security Zone need not be separated from an Operations Zone by a secure perimeter. A Security Zone should be monitored 24 hours a day and 7 week by security staff, other personnel or electronic means.
SELF-SIGNED PUBLIC KEY
A data structure that is constructed the same as a Digital Signature Certificate but that is signed by its subject. Unlike a Digital Signature Certificate, a self-signed public key cannot be used in a trustworthy manner to authenticate a public key to other parties.
SERIAL NUMBER (See CERTIFICATE SERIAL NUMBER)
SERVER
A computer system that responds to requests from client systems.
SIGN
To create a digital signature for a message, or to affix a signature to a document, depending upon the context.
SIGNATURE (See DIGITAL SIGNATURE)
SIGNER
A person who creates a digital signature for a message, or a signature for a document.
SMART CARD
A hardware token that incorporates one or more integrated circuit (IC) chips to implement cryptographic functions and that possesses some inherent resistance to tampering.
S/MIME
A specification for E-mail security exploiting a cryptographic message syntax in an Internet MIME environment.
SUBJECT (OF A CERTIFICATE)
The holder of a private key corresponding to a public key. The term “subject” can refer to both the equipment or device that holds a private key and to the individual person, if any, who controls that equipment or device. A subject is assigned an unambiguous name, which is bound to the public key contained in the subject’s Digital Signature Certificate.
SUBJECT NAME
The unambiguous value in the subject name field of a Digital Signature Certificate, which is bound to the public key.
SUBSCRIBER
A person in whose name the Digital Signature Certificate is issued.
SUBSCRIBER AGREEMENT
The agreement executed between a subscriber and a Certifying Authority for the provision of designated public certification services in accordance with this Certification Practice Statement.
SUBSCRIBER INFORMATION
Information supplied to a certification authority as part of a Digital Signature Certificate application. (See also CERTIFICATE APPLICATION)
SUSPEND A CERTIFICATE
A temporary "hold" placed on the effectiveness of the operational period of a Digital Signature Certificate without permanently revoking the Digital Signature Certificate. A Digital Signature Certificate suspension is invoked by, e.g., a CRL entry with a reason code. (See also REVOKE A CERTIFICATE)
SYSTEM ADMINISTRATOR
The person at a computer installation who designs, controls, and manages the use of the computer system.
SYSTEM SECURITY
A system function that restricts the use of objects to certain users.
SYSTEM SOFTWARE
Application-independent software that supports the running of application software. It is a software that is part of or made available with a computer system and that determines how application programs are run; for example, an operating system.
TEST CERTIFICATE
A Digital Signature Certificate issued by a Certifying Authority for the limited purpose of internal technical testing. Test certificates may be used by authorized persons only.
THREAT
A circumstance or event with the potential to cause harm to a system, including the destruction, unauthorized disclosure, or modification of data and/or denial of service.
TIME-OUT
A security feature that logs off a user if any entry is not made at the terminal within a specified period of time.
TIME STAMP
A notation that indicates (at least) the correct date and time of an action, and identity of the person or device that sent or received the time stamp.
TOKEN
A hardware security token containing a user’s private key(s), public key certificate, and, optionally, a cache of other certificates, including all certificates in the user’s certification chain.
TRANSACTION
A computer-based transfer of business information, which consists of specific processes to facilitate communication over global networks.
TRUST
Generally, the assumption that an entity will behave substantially as expected. Trust may apply only for a specific function. The key role of this term in an authentication framework is to describe the relationship between an authenticating entity and a Certifying Authority. An authenticating entity must be certain that it can trust the Certifying Authority to create only valid and reliable Digital Signature Certificates, and users of those Digital Signature Certificates rely upon the authenticating entity’s determination of trust.
TRUSTED POSITION
A role that includes access to or control over cryptographic operations that may materially affect the issuance, use, suspension, or revocation of Digital Signature Certificates, including operations that restrict access to a repository.
TRUSTED THIRD PARTY
In general, an independent, unbiased third party that contributes to the ultimate security and trustworthiness of computer-based information transfers. A trusted third party does not connote the existence of a trustor-trustee or other fiduciary relationship. (Cf., TRUST)
TRUSTWORTHY SYSTEM
Computer hardware, software, and procedures that are reasonably secure from intrusion and misuse; provide a reasonable level of availability, reliability, and correct operation; are reasonably suited to performing their intended functions; and enforce the applicable security policy. A trustworthy system is not necessarily a “trusted system” as recognized in classified government nomenclature.
TYPE (OF CERTIFICATE)
The defining properties of a Digital Signature Certificate, which limit its intended purpose to a class of applications uniquely, associated with that type.
UNAMBIGUOUS NAME (See DISTINGUISHED NAME)
UNIFORM RESOURCE LOCATOR (URL)
A standardized device for identifying and locating certain records and other resources located on the World Wide Web.
USER
An authorized entity that uses a certificate as applicant, subscriber, recipient or relying party, but not including the Certifying Authority issuing the Digital Signature Certificate. (See also CERTIFICATE APPLICANT; ENTITY; PERSON; SUBSCRIBER)
VALID CERTIFICATE
A Digital Signature Certificate issued by a Certifying Authority and accepted by the subscriber listed in it.
VALIDATE A CERTIFICATE (i.e., of an END-USER SUBSCRIBER CERTIFICATE)
The process performed by a recipient or relying party to confirm that an end-user subscriber Digital Signature Certificate is valid and was operational at the date and time a pertinent digital signature was created.
VALIDATION (OF CERTIFICATE APPLICATION)
The process performed by the Certifying Authority or its agent following submission of a Digital Signature Certificate application as a prerequisite to approval of the application and the issuance of a Digital Signature Certificate. (See also AUTHENTICATION; SOFTWARE VALIDATION) VALIDATION (OF SOFTWARE) (See SOFTWARE VALIDATION)
VERIFY (A DIGITAL SIGNATURE)
In relation to a digital signature, electronic record or public key, with its grammatical variations and cognate expressions means to determine whether —
VIRUS
Means any computer instruction, information, data or programme that destroys, damages, degrades or adversely affects the performance of a computer resource or attaches itself to another computer resource and operates when a programme, data or instruction is executed or some other event takes place in that computer resource.
VULNERABILITY
A weakness that could be exploited to cause damage to the system or the assets it contains.
WEB BROWSER
A software application used to locate and display web pages.
WORLD WIDE WEB (WWW)
A hypertext-based, distributed information system in which users may create, edit, or browse
hypertext documents. A graphical document publishing and retrieval medium; a collection of linked
documents that reside on the Internet.
WRITING
Information in a record that is accessible and usable for subsequent reference.
The ITU-T (International Telecommunications Union-T) standard for Digital Signature Certificates. X.509 v3 refers to certificates containing or capable of containing extensions.
ACRONYMS
ARL Authority Revocation List CA Certification Authority CP Certificate Policy CPS Certification Practice Statement CRL Certificate Revocation List CSR Certificate Signing Request DN Distinguished Name e-mail Electronic Mail FTP File Transfer Protocol ISDN Integrated Service Digital Network ITU International Telecommunications Union LAN Local Area Network PIN Personal Identification Number PKI Public Key Infrastructure PKIX Public Key Infrastructure X.509 URL Uniform Resource Locator WAN Wide Area Network
[ No. 1(20)/97-IID(NII)/F6]
(P.M.Singh) Joint Secretary
To, The Manager Govt. of India Press Mayapuri New Delhi
[To be published in the Gazette of India, Extraordinary, Part II, Section 3, Sub-section (i)]
Government of India Ministry of Information Technology
New Delhi, the 17th October, 2000
NOTIFICATION
G.S.R 790 (E) In exercise of the powers conferred by section 88 of the Information Technology Act, 2000 (21 of 2000), the Central Government hereby constitute the “Cyber Regulation Advisory Committee”, consisting of the following, namely:
1.Minister, Information Technology Chairman
2. Travelling Allowance/Dearness Allowance, as per the Central Government rules, for the non-official members shall be borne by the Ministry of Information Technology.
3. The Committee may co-opt any person as member based on specific meetings.
[ No. 1(20)/97-IID(NII)/F6]
(P.M.Singh) Joint Secretary
To, The Manager Govt. of India Press Mayapuri New Delhi
[To be published in the Gazette of India, Extraordinary, Part II, Section 3, Sub-section (i)]
Government of India
Ministry of Information Technology
New Delhi, the 17th October, 2000
NOTIFICATION
G.S.R 791 (E) In exercise of the powers conferred by section 87 of the Information Technology Act, 2000 (21 of 2000), the Central Government hereby makes the following rules, namely:
1. Short title and commencement.- (1) These rules may be called the Cyber Regulations Appellate Tribunal (Procedure) Rules, 2000.
(2) They shall come into force on the date of publication in the Official Gazette.
2. Definitions.—In these rules, unless the context otherwise requires.—
3. Procedure for filing applications.- (1) An application to the Tribunal shall be presented in Form-1 annexed to these rules by the applicant in person or by an agent or by a duly authorized legal practitioner, to the Registrar or sent by registered post addressed to the Registrar.
satisfied, having regard to the cause of action and the nature of relief prayed
for, that they have the same interest in the service matter; or
(b) an Association representing the persons desirous of joining in a single application provided, however, that the application shall disclose the names of all the persons on whose behalf it has been filed.
4. Presentation and scrutiny of applications.— (1) The Registrar, or the officer authorised by the Registrar shall endorse on every application the date on which it is presented or deemed to have been presented under that rule and shall sign the endorsement.
8. Paper book, etc. to accompany the application.- (1) Every application shall be accompanied by a paper book containing:—
(iii) an index of documents.
Provided that where an application is filed by an advocate it shall be accompanied by
a duly executed ‘vakalatname’.
(iii) the Tribunal is satisfied that the interests of the respondents on whom notice of the application has not been served are adequately and sufficiently represented by the respondents on whom notice of the application has been served.
11. Filing of reply and other documents by the respondent.- (I) The respondent shall file six complete sets containing the reply to the application alongwith the documents in a paper-book form with the Registrar within one month of the date of service of the notice of the application on him.
(2) The respondent shall also serve a copy of the reply along with copies of documents as mentioned in sub rule (1) to the applicant or his advocate, if any, and file proof of such service with the Registrar. The Tribunal may, on application by the respondent, allow filing of the reply after the expiry of the period of one month.
15. Action on application for applicant's default.—(I) Where on the date fixed for hearing of the application or on any other date to which such hearing may be adjourned, the applicant does not appear when the application is called on for hearing, the Tribunal may, in its discretion, either dismiss the application for default or hear and decide it on merit.
(2) Where an application has been dismissed for default and the applicant appears afterwards and satisfies the Tribunal that there was sufficient cause for his non-appearance when the application was called on for hearing, the Tribunal shall make an order setting aside the order dismissing the application and restore the same.
16. Hearing on application ex-parte.— (1) Where on the date fixed for hearing the application or on any other date to which hearing is adjourned, the applicant appears and the respondent does not appear when the application is called on for hearing, the Tribunal may, in its discretion, adjourn or hear and decide the application ex-parte.
(2) Where an application has been heard ex-parte against a respondent or respondents, such respondent or respondents may apply to the Tribunal for an order to set it aside and if such respondent or respondents satisfy the Tribunal that the notice was not duly served, or that he or they were prevented by any sufficient cause from appearing when the application was called on for hearing, the Tribunal may make an order setting aside the ex-parte hearing as against him or them upon such terms as it thinks fit, and shall appoint a day for proceeding with the application:
Provided that where the ex-parte hearing of the application is of such nature that it
cannot be set aside as against one respondent only, it may be set aside as against all or
any of the other respondents also:
Provided further that Tribunal shall not set aside ex-parte hearing of an application merely on the ground that there has been an irregularity in the service of notice, if it is satisfied that the respondent had notice of the date of hearing and had sufficient time to appear and answer the applicant's claim.
27. Additional powers and duties of Regstrar.- In addition to the powers conferred elsewhere in these rules, the Registrar shall have the following powers and duties subject to any general or special order of the Presiding Officer namely:—
(iii) to require any application presented to the Tribunal to be amended in accordance with the Act and the rules;
(vii) to dispose of all matters, relating to the service of notices of other processes, applications for the issue of fresh notices or for extending the time therefore;
(viii) to requisition records from the custody of any court or other authority;
28. Seal and emblem—-The official seal and emblem of the Tribunal shall be such as the Government may specify.
FORM-1
(See rule 4)
APPLICATION UNDER SECTION 57 OF THE INFORMATION TECHNOLOGY ACT, 2000
For use in Tribunal's Oflice
Date of Filing -——-—-----------------------------------------------------OR
Date of Receipt By post ———————----------------------------------
Registration No. ------------------------------------------------------
Signature of Registrar
IN THE CYBER REGULATIONS APPELLATE TRIBUNAL
BETWEEN
A | B | APPLICANT | ||
---|---|---|---|---|
AND | ||||
C | D | RESPONDENT |
Details of Application :
1. Particulars of the applicant:—
(iii) Designation and office in which employed
2. Particulars of the respondent :
(iii) Address for service of all notices
3. Particulars of the Order against which application is made : The application is against the following order:
(iii) Passed by
(iv) Subject in brief
4. Jurisdiction of the Tribunal:
The applicant declares that the subject matter of the order against wihch he wants redressal is within the jurisdiction of the Tribunal.
5. Limitation.—
The applicant further declares that the application is within the limitation prescribed in section 57 of the Information Technology Act, 2000.
6. Fact of the case:— The facts of the case are given below:— (Give here a concise statement of facts in a choronological order, each paragaph con
taining as nearly as possible a separate issue, fact or otherwise).
Verification : I, ________________________________________ (name of the applicant), S/o, D/o, W/o _______________________________ age ——————— working as _____________________ resident of _______________________
hereby verify that the contents from 1 to 13 are true to my personal knowledge and belief and that I have not suppressed any material facts.
Place : Date :
Signature of applicant
To
The Registrar, Cyber Regulation Appellate Tribunal New Delhi
RECEIPT SLIP
Receipt of the application filed in the Cyber Regulation Appellate Tribunal by Shri/Smt. ____________________________ working as ______________________ in the Office of _______________________________________________ residing ______________________________________ acknowledged.
FORM – 2
(See Rule 24)
APPLICATION FOR THE REGISTRATION OF A CLERK
(iii) Age and date of birth
(vii) Particulars of previous employment, if any.
I, ______________ (clerk above named) do hereby affirm that that the particulars relating to me are true.
any other legal practitioner and if so, the name of such practitioner. I, __________________________________ (legal practitioner) certify that the
particulars given above are true to the best of my information and belief and
that I am not aware of any facts which would render undesirable the
registration of the said ____________________________ (name) as a clerk.
Date:
Signature of legal practitioner
To
The Registrar of the Tribunal
[ No. 1(20)/97-IID(NII)/F6]
(P.M.Singh) Joint Secretary
To, The Manager Govt. of India Press Mayapuri New Delhi