MARCH 2014

DGQA CYBER SECURITY POLICY 2014

All Rights Reserved.

Issued vide DGQA/SDCC Letter No 91459/1/DGQA/SDCC/Cyber Security dated 19 Mar 2014

No information given in this document is to be published or communicated either directly or indirectly to the press or to any person not authorized to receive it.

CONTENTS

Chapter I: Introduction
(a) Preamble 6
(b) Aim 6
(c) Objective 6
(d) Scope 7
(e) Information Security Organization 7
(f) Standards 8
(g) Review 9

Chapter II: Asset Management and Handling of Classified Information
(a) Asset Management 10
(b) Classification of Information 10
(c) Isolation of Computers Processing Classified Information 10
(d) Handling and Management of Classified Information 10
(e) Information up to Confidential in Electronic Form 11
(f) Possession and Loss of Soft Copies of Documents 12

Chapter III: Physical and Environmental Security
(a) Physical Security 14
(b) Personal Security 14
(c) Equipment Security 14
(d) Security Against Fire 15

Chapter IV: Communications and Operations Control
(a) Operational Procedures and Responsibilities 16
(b) Protection against Malicious Software and Open Ports 16
(c) Installation/Configuration of Applications/Devices 17
(d) Information Back-up 17
(e) Handling of Removable Storage Media 17
(f) Monitoring 18
(g) VoIP Security 18
(h) Cellular Devices/Phones 18
(j) Management of USB Ports on Computers 19
(k) Management of CD Writers on Computers 19
(l) Security of System Documentation 19

Chapter V: Network Security Management
(a) Network Controls 20
(b) Applications/Services based on Network 21
(c) Security of Servers 21
(d) Administration of Servers 22

Chapter VI: Internet
(a) Maintenance of Air Gap 23
(b) Data Leakage Prevention 23
(c) Wired Connectivity for Internet 23
(d) Wireless Connectivity for Internet 23
(e) Social Networking 23
(f) E-Mail Accounts 24
(g) Online Trading 24
(h) Accountability of Mobile Computing Devices 24
(j) Secure Storage 24
(k) Laptop 24
(l) Guidelines for Computer Users 25

Chapter VII: Authentication and Access Control
(a) Authentication 26
(b) User Access Control 26
(c) Network Access Control 27
(d) Operating System Access Control 27
(e) Application Access Control 28

Chapter VIII: Acquisition and Development of Information Systems
(a) Authorization Process 29
(b) Correct Processing of Data by Applications 29
(c) Security of System Files 29
(d) Security in Development and Support Processes 30
(e) Embedded Software 30

Chapter IX: Conclusion 30

References:-
(a) IT Act 2000 and IT (Amendment) Act 2008.
(b) ISO 27001 and ISO/IEC 17799.
(c) CHCD 2001.
(d) Advisory No 02/2008 on Security measures while using e-mail on internet dated 05 Sep 2008.
(e) MI Dte Letter No A/38024/1/MI-11 dated 03 Oct 2011.
(f) MO Dte Letter No A/12108/MO 12 dated 30 Dec 2011.
(g) MO Dte Letter No A/12108/MO 12 dated 13 Jan 2012.
(h) Integrated HQ of MOD (Army) Letter No A/12/08/M012/ dated 14 Mar 2012.
(j) DGQA Cyber Security Instruction Feb 2010.

Appendices:-
A - Glossary of Important Terms.
B - DOs & DONTs.

CHAPTER I

INTRODUCTION

Preamble

1. Information and Communication Technologies (ICT) follow open-system architectures and standard communication protocols which are public-domain knowledge. Computer-based networks and systems are therefore vulnerable to eavesdropping, compromise and denial of information/service unless appropriately secured. Formulation of a comprehensive cyber security policy, covering people, processes and technology, is the starting point in establishing an Information Security Management System (ISMS) in the DGQA Organization. The Cyber Security Standard Operating Procedures (SOPs) and guidelines will emerge from this Policy and will form the basis for other important documents for implementing cyber security at all levels.

2. The networks in the DGQA Organization are based on both wired and radiating media. Several classified and general-use applications will ride on such media for operational as well as routine functioning. In addition to the 'Confidentiality', 'Integrity' and 'Availability' of information flowing on these networks, 'Authentication' and 'Non-Repudiation' of information will form important security features. Implementation of cyber security is based on the guiding principle that "the head of the establishment will be the owner/holder of the information assets" of the establishment. In order to protect information assets, the owner/holder will assign a security classification to all information assets and appropriate clearance levels for the staff accessing these assets.

3. All users of information, computing resources, systems and computer-based communication networks, as well as personnel tasked to administer information systems and such resources (including media, voice, video, surveillance and satellite resources), will be governed by the 'DGQA Cyber Security Policy 2014'. All Directorates, Controllerates/SQAEs/QAEs and Training Establishments will adhere to the directions given in this Policy. Any violation of any clause of this Policy will be dealt with strictly by HOEs at all levels.

Aim

4. To lay down policy for implementing cyber security in order to establish, control, monitor, review and manage computers and computing devices, infrastructure and computer/communication networks in the DGQA Organization.

Objectives

5. The objectives of this Policy are:-

(a) To provide direction and support for Information Assurance (IA) and Risk Management (RM) in the DGQA Organization.
(b) To prevent unauthorised access, damage and interference to the information infrastructure of the DGQA Organization.
(c) To prevent loss, modification or misuse of military information.
(d) To lay down the guidelines for incident response within the DGQA Organization.
(e) To plan and implement new IT/communications projects.

6. Scope. This Policy will be read in conjunction with other instructions on the subject issued by the Ministry of Defence, Government of India from time to time. All efforts have been made to make this Policy comprehensive. However, Directorates/Establishments may incorporate any instructions/guidelines which they feel are relevant to their environment and requirements pertaining to computer security.

7. These instructions supersede the following:-

(a) Internet Security Instructions forwarded vide DGQA/SDCC letter No B/91451/DGQA/SDCC/Internet dated 22 Nov 2000.
(b) Computer Security Instructions forwarded vide Addl DGQA Sectt letter No B/891451/DGQA/SDCC/Security dated 26 Dec 2003.
(c) Cyber Security Instruction 2010.

Information Security Organization

8. The Information Security Organization of DGQA will be as follows:-

(a) Chief Information Security Officer (CISO): ADGQA (L), New Delhi.
(b) Information Security Officers (ISO): one Director-grade officer from each Directorate.
(c) Technical Advisor: Project Leader, SDCC.

9. The CISO, DGQA will ensure implementation of this Policy in HQ DGQA and all DGQA Directorates/DIQA through the respective Information Security Officers. The Technical Advisor will assist the CISO on all technical issues related to information security.

10. All functionaries of the Information Security Organization will acquaint themselves with the "Crisis Management Plan for Countering Cyber Attacks and Cyber Terrorism" dated January 2009, issued by the Ministry of Communication and Information Technology, Government of India, so as to facilitate its implementation in DGQA. A Sector Crisis Management Plan will be prepared by the DGQA Information Security Organization once the higher-level Plan is received from the Department of Defence Production. Implementation of any other directions received from the Department of Defence Production from time to time will be the responsibility of the CISO, DGQA. The salient contents of the above-referred documents are:-

(a) Types of Cyber Crises.

(i) Scanning/probing of networks.
(ii) Defacement of websites.
(iii) Malicious code attacks.
(iv) Large-scale spam.
(v) Identity theft.
(vi) Phishing.
(vii) Social engineering.
(viii) Denial of service.
(ix) DNS attacks.
(x) Application-level attacks.
(xi) Infrastructure attacks.
(xii) Compound attacks.
(xiii) Router-level attacks.

(b) Incident Prevention.

(i) Formulate an information security policy suited to own needs.
(ii) Implement an Information Security Management System (ISMS) as per ISO 27001.
(iii) Practise information security management in line with ISO 17799.
(iv) Define a Business Continuity Plan to counteract interruptions.
(v) Organise security training and awareness drives.

(c) Crisis Management Organisation.

In the context of DGQA, incidents will be reported to the Control Room established by DDP, which in turn reports to the Crisis Management Group at MoD. The highest entity in the set-up for crisis management for countering cyber attacks and cyber terrorism is the National Crisis Management Committee headed by the Cabinet Secretary, Govt of India. The information flow between the various entities is shown in the diagram below, where:-

NCMC: National Crisis Management Committee.
CMG: Crisis Management Group.
NTRO: National Technical Research Organization.
IDS (DIARA): Integrated Defence Staff (Defence Information Assurance and Research Agency).
CERT-In: Computer Emergency Response Team (India).

11. At Establishment Level, HOEs shall inspect each and every computer regarding implementation of Computer Security instructions at least twice a year.

Standards

12. This Policy is based on the International Standards ISO/IEC 27001/27002 and ISO/IEC 17799 (the earlier number of ISO/IEC 27002), the Information Technology Act 2000, the IT (Amendment) Act 2008 and policy letters issued by the Directorate General of Military Operations, IHQ of MOD (Army) from time to time.

[Diagram: crisis-management information flow referred to in paragraph 10(c). DGQA reports incident information to the DDP Control Room, which reports to the CMG at MoD; the CMG reports developments to the NCMC. CERT-In, IDS (DIARA) and NTRO share information, are consulted and provide mitigation advice, with all entities functioning in coordination.]

Review

13. This Policy will be reviewed every three years. However, given the fast-changing nature of cyberspace, addenda to this Policy will be issued on an as-required basis.

14. This Policy is to be read in conjunction with Integrated HQ of MOD (Army) letter No A/12108/MO12 dated 14 Mar 2012.

CHAPTER II

ASSET MANAGEMENT AND HANDLING OF CLASSIFIED INFORMATION

Asset Management

15. Ownership of Assets. All assets associated with an information processing facility shall be owned by a designated appointment/user.

16. Inventory of Assets. All IT assets will be clearly identified and an inventory of them will be maintained at all times. It will be updated periodically in accordance with laid-down SOPs and guidelines to ensure its correctness at all times.

17. Accountability of Assets. The owner will be responsible for labelling and handling of all information and information assets such as computers, laptops, Personal Digital Assistants (PDAs) and other authorised handheld devices, removable media, printers, scanners, CDs/DVDs and the data contained in the various types of media. It should be ensured that these are accounted for correctly and that theft/loss is reported promptly to avert any cyber security lapse.

Classification of Information

18. Information Classification. Information in electronic form will be classified as per Classification and Handling of Classified Documents (CHCD) 2001. The security classification of a digital document is to be marked in bold font at the top and bottom of every page. This applies to all file formats including PowerPoint presentations, Word files, PDF files, text files, Excel sheets, database reports etc. For all such classified files/presentations, the rank/designation, name and unit/establishment of the author along with the date of creation will be mentioned on all pages/slides. Pages/slides will be numbered, including the title page/slide.

19. A security classification must be given to all classified documents even at draft stage, and once the document is finalised all drafts must be deleted securely. No draft or final official data, whether restricted, confidential or secret, will ever be copied to a personal laptop/CD/DVD, external HDD or any such media.

Isolation of Computers Processing Classified Information

20. Computers and computer networks used for creating, processing and storing classified information with a security classification of CONFIDENTIAL and above will be standalone and dedicated. All such computers will be housed in a secure area with stringent physical as well as logical access control mechanisms in place. At least two-factor authentication will be enforced on all such computers/servers. These computers or computer networks will not be connected to any WAN/LAN, the Army One Network or any other network.

Handling and Management of Classified Information

21. TOP SECRET and SECRET Information in Electronic Form.

(a) Classified information of SECRET and above will not be stored permanently on a computer. An exclusive standalone computer with an exclusive printer, under the ownership of an officer, will be used for creating such documents, and the data will be securely erased after the required number of copies has been printed. It will be ensured that no data remains on the originating computer, including in page files, swap areas, slack space and RAM.

(b) A register will be maintained for this exclusive printer to record the number of copies printed.

(c) Under NO circumstances will SECRET and above data be typed or viewed on the computers of PAs/stenos or on computers connected to a WAN/LAN, the Army One Network etc.

(d) Secure-erasing software such as Eraser (latest version) or Secure Desk v2.0 may be used to securely delete such classified data files from the originating computer. Overwrite-based erasure is reliable only on magnetic hard disks; on SSDs and flash media, wear-levelling leaves copies that the overwriting tool cannot reach, so such media must be physically destroyed once the data is no longer required.

22. Instructions for Backup of SECRET Digital Documents. It is advisable to keep only hard copies of SECRET and above documents. However, where a digital backup is inescapable, it will be stored on CD/DVD or other authorised external storage media and kept under lock and key. The procedure for ensuring the integrity of the classified information is as under:-

(a) A hash signature of the SECRET digital document will be computed; the document together with its hash signature will be encrypted and then burnt to the CD/DVD.
(b) The password for encryption will be sealed in an envelope and handled in accordance with the security classification of the document concerned.
(c) A record of all such CDs along with their hash signatures (numbered and stamped) will be maintained in a register by the originating officer.

Information up to CONFIDENTIAL in Electronic Form

23.

(a) All documents/presentations will be created and processed only on the standalone computer of the branch/department. Confidential data will not be created on computers connected to a WAN/LAN, the Army One Network etc.

(b) All classified information up to CONFIDENTIAL, when stored on hard disks or any other secondary storage device, will be encrypted using encryption software such as Secure Desk version 2.0, Steganos or TrueCrypt (TrueCrypt was discontinued by its developers in May 2014; a maintained alternative should be used in its place). Data that has been encrypted will not reside in both plain and encrypted form on the same medium at any point in time.

(c) Eraser (latest version) or Secure Desk version 2.0 will be used for secure deletion of files of this security classification.

(d) For secure archival, the encryption software and the encryption keys used for archived data will be stored separately and securely, to prevent compromise of the data and to ensure that it can be restored.

(e) The device or hard-disk partition hosting the data will be separate from the device or partition on which the operating system and applications are installed.
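The backup procedure of paragraph 22 (hash signature, encryption under an envelope password, register entry, integrity check on restore) and the at-rest encryption rules of paragraph 23(b) and (d) can be implemented as follows. This is an added example written for this page, not software of DGQA or of any product the Policy names; the function names, the AES-256-GCM/PBKDF2 construction, the media layout and the sample document are assumptions made for the illustration.

```go
package main

// Added example, not part of the DGQA policy: package a classified document
// for offline backup as para 22 describes and verify it on restore. Function
// names, the AES-256-GCM/PBKDF2 construction and the sample are assumptions.

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

const kdfIterations = 200000 // slows brute force of the envelope password

// pbkdf2SHA256 computes one 32-byte block of PBKDF2-HMAC-SHA256 (RFC 8018),
// written out so that the example needs only the standard library.
func pbkdf2SHA256(password, salt []byte, iterations int) []byte {
	prf := hmac.New(sha256.New, password)
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // INT(1): first and only output block
	u := prf.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < iterations; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

func aeadFromPassword(password string, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256([]byte(password), salt, kdfIterations))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Package returns the blob to burn to CD/DVD, laid out as salt || nonce ||
// AES-GCM(hash || document), and the hex SHA-256 hash signature for the
// register. The password itself goes only into the sealed envelope.
func Package(doc []byte, password string) ([]byte, string, error) {
	sum := sha256.Sum256(doc)
	header := make([]byte, 16+12) // 16-byte salt, 12-byte GCM nonce
	if _, err := rand.Read(header); err != nil {
		return nil, "", err
	}
	aead, err := aeadFromPassword(password, header[:16])
	if err != nil {
		return nil, "", err
	}
	plain := append(sum[:], doc...) // the hash travels inside the ciphertext
	blob := append(header, aead.Seal(nil, header[16:], plain, nil)...)
	return blob, hex.EncodeToString(sum[:]), nil
}

// Restore decrypts the blob and checks the embedded hash against the document
// and the register: GCM rejects a wrong password or altered media, the
// register comparison catches a swapped disc.
func Restore(blob []byte, password, registerHash string) ([]byte, error) {
	if len(blob) < 28 {
		return nil, errors.New("blob too short")
	}
	aead, err := aeadFromPassword(password, blob[:16])
	if err != nil {
		return nil, err
	}
	plain, err := aead.Open(nil, blob[16:28], blob[28:], nil)
	if err != nil {
		return nil, errors.New("wrong password or media tampered")
	}
	if len(plain) < sha256.Size {
		return nil, errors.New("malformed plaintext")
	}
	stored, doc := plain[:sha256.Size], plain[sha256.Size:]
	sum := sha256.Sum256(doc)
	if !bytes.Equal(sum[:], stored) || hex.EncodeToString(sum[:]) != registerHash {
		return nil, errors.New("hash signature does not match the register")
	}
	return doc, nil
}

func main() {
	doc := []byte("SECRET (constructed sample): inspection report 17/2014")
	blob, register, err := Package(doc, "envelope-password")
	if err != nil {
		panic(err)
	}
	fmt.Printf("register entry %s, %d bytes on media\n", register, len(blob))
	back, err := Restore(blob, "envelope-password", register)
	fmt.Printf("restored %q, err=%v\n", back, err)
}
```

The register hash is what an auditor compares against the media without needing the envelope password; the authenticated encryption is what makes an altered or wrongly keyed disc fail closed rather than yield garbage. Keeping the salt and nonce on the media and the password in the envelope satisfies paragraph 23(d): neither alone restores the document.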

Secure Transfer of Information

24. Information owners will ensure that the security classification of information to be transferred over a network is commensurate with the security classification of the network/media. No information will be transferred over any network/media if its security classification is higher than that of the network/media.

25. For secure exchange of classified information whose classification is commensurate with or lower than that of the network/media, the following additional cryptographic measures will be incorporated by the owners of such information:-

(a) Network/Transport Layer Security. Applications developed will include mechanisms to secure classified information at the network/transport layer, such as a Virtual Private Network (VPN) or Secure Sockets Layer (SSL)/Transport Layer Security (TLS) between the information processing nodes/endpoints. SSL 2.0 and 3.0 are obsolete and will not be offered; TLS 1.2 or later is to be used.

(b) Application Layer Security. Application-level encryption between end users (i.e. desktop-to-desktop application security) will be ensured during development of applications, so that information remains protected even where transport security terminates at an intermediate node such as a mail server or gateway. It will be applicable to all types of media, radiating as well as non-radiating. The application-layer security design for customised software applications must include a commercially available Public Key Infrastructure (PKI) solution in the initial framework itself. As and when a customised, SAG-evaluated PKI solution becomes available, it must be integrated into this design in place of the commercial PKI solution.
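The distinction paragraph 25 draws between transport-layer and application-layer protection is easiest to see in code: the envelope below is sealed at the sender's desktop and can only be opened at the recipient's, whatever the network in between does. This is an added example for this page, not code of DGQA or of any PKI product; the key types (Ed25519 for signing, X25519 for key agreement, AES-256-GCM for the payload), the envelope layout and all names are assumptions, and in a PKI deployment the public keys would be taken from the parties' certificates rather than exchanged directly.

```go
package main

// Added example, not part of the DGQA policy: application-layer (desktop to
// desktop) protection of a message as para 25(b) requires, independent of the
// transport security of para 25(a). Key types, layout and names are assumptions.

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

const hdrLen = 32 + 12 // ephemeral X25519 public key || AES-GCM nonce

// Party: Ed25519 key for signing (authentication, non-repudiation), X25519 key so others can encrypt to it.
type Party struct {
	sign ed25519.PrivateKey
	kex  *ecdh.PrivateKey
}

func NewParty() (*Party, error) {
	_, sk, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	kx, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Party{sign: sk, kex: kx}, nil
}

func (p *Party) SigningPublic() ed25519.PublicKey { return p.sign.Public().(ed25519.PublicKey) }
func (p *Party) KexPublic() *ecdh.PublicKey       { return p.kex.PublicKey() }

func deriveAEAD(priv *ecdh.PrivateKey, peer *ecdh.PublicKey, ephPub, rcptPub []byte) (cipher.AEAD, error) {
	shared, err := priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	h := sha256.New() // bind the key to both public keys, not just the raw secret
	h.Write(shared)
	h.Write(ephPub)
	h.Write(rcptPub)
	block, _ := aes.NewCipher(h.Sum(nil)) // 32-byte key: NewCipher cannot fail
	return cipher.NewGCM(block)
}

// Seal: fresh ephemeral key per message (forward secrecy), then sign. Layout: ephPub || nonce || ct || sig.
func (p *Party) Seal(to *ecdh.PublicKey, msg []byte) ([]byte, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	aead, err := deriveAEAD(eph, to, eph.PublicKey().Bytes(), to.Bytes())
	if err != nil {
		return nil, err
	}
	header := make([]byte, hdrLen)
	copy(header, eph.PublicKey().Bytes())
	if _, err := rand.Read(header[32:]); err != nil {
		return nil, err
	}
	body := append(header, aead.Seal(nil, header[32:], msg, header)...) // header bound as AD
	return append(body, ed25519.Sign(p.sign, body)...), nil
}

// Open verifies the sender's signature first, then decrypts with the recipient's own X25519 key.
func (p *Party) Open(from ed25519.PublicKey, env []byte) ([]byte, error) {
	if len(env) < hdrLen+16+ed25519.SignatureSize { // 16 = GCM tag
		return nil, errors.New("envelope too short")
	}
	body, sig := env[:len(env)-ed25519.SignatureSize], env[len(env)-ed25519.SignatureSize:]
	if !ed25519.Verify(from, body, sig) {
		return nil, errors.New("signature invalid: altered or not from the claimed sender")
	}
	ephPub, err := ecdh.X25519().NewPublicKey(body[:32])
	if err != nil {
		return nil, err
	}
	aead, err := deriveAEAD(p.kex, ephPub, body[:32], p.kex.PublicKey().Bytes())
	if err != nil {
		return nil, err
	}
	// Fails for any recipient other than the addressee and for any altered byte.
	return aead.Open(nil, body[32:hdrLen], body[hdrLen:], body[:hdrLen])
}

func main() {
	alice, _ := NewParty()
	bob, _ := NewParty()
	env, _ := alice.Seal(bob.KexPublic(), []byte("CONFIDENTIAL (constructed sample)"))
	fmt.Println(bob.Open(alice.SigningPublic(), env))
}
```

Because the signature is made by the sender's long-term key and the payload key is derived per message, the recipient gets authentication and non-repudiation (paragraph 2) while an intermediate host holding only the transport-layer keys learns nothing about the content.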

Possession and Loss of Soft Copies of Documents

26. A classified document in soft form, if lost, will be treated as loss of a document and action will be taken as per Classification and Handling of Classified Documents (CHCD) 2001. To prevent unauthorised possession and loss of information/documents/presentations in soft form, the following measures will be instituted:-

(a) The undermentioned certificate will be rendered yearly to the headquarters one up by all concerned persons along with the 'Official Secrets Act 1923' declaration, and records maintained thereof. These records will be checked during Annual Administration Inspections and Cyber Security Audits:-

(i) "In my personal capacity I, Rank/Designation, Name, hereby certify that I am not in possession of any information/data in either soft or hard form which is classified/unauthorised."
(ii) "I am aware that violation of the above declaration will render me liable to disciplinary action."

(b) The undermentioned sentence will be added to the clearance certificate of students on termination of courses at Training Establishments/other Establishments (applicable to DIQA/other Establishments/Controllerates):- "I am not carrying any information/data other than that officially issued by the Establishment, in either soft or hard form."

(c) The undermentioned sentence will be added to the Handing/Taking Over Certificate of officers on being posted out:- "I am not carrying any information/data in either soft or hard form which is classified/unauthorised."

(d) If an officer is found in possession of any such document/data/presentation thereafter, he will be liable to disciplinary action.

CHAPTER III

PHYSICAL AND ENVIRONMENTAL SECURITY

Physical Security

27. Secure Areas. Classified information processing facilities will be housed in secure areas, protected by a well-defined security perimeter implemented through state-of-the-art physical security systems. Entry to secure areas will be controlled, regulated and monitored to ensure that only authorised personnel are allowed access.

28. Physical Security Perimeter. Security perimeters (such as access-card-controlled entry points or manned reception desks) will be used to protect areas that contain information and information processing facilities.

29. Protection against External and Environmental Threats. Physical protection against damage from fire, flood, lightning and other forms of natural or man-made disaster will be applied. Fire detection and suppression systems will be provided in compliance with existing orders at all information and network nodes. Lightning protection systems will be installed in all premises housing critical information processing facilities.

Personal Security

30. Most breaches of information security occur through insiders, who by design or default have access to sensitive information. The following safeguards are to be taken:-

(a) Officials at all levels are responsible for strict observance of the security guidelines and enforcement of the security policy.
(b) Username, ID and password protection will be used by all users, and access passwords/passphrases will be changed periodically as per the SOPs.
(c) Adequate separation of duties and restriction of access will be ensured so that no single person can individually compromise the entire system/data.
(d) Official laptops/computers provided to specific appointments will be kept in the personal custody of the appointment concerned under lock and key. System-specific laptops provided for operation and maintenance activities will be kept in the personal custody of the nominated appointment. It will be ensured that these official laptops are not moved out of the office premises without the explicit permission of the appropriate authority.

Equipment Security

31. Power Supply. Equipment will be protected from power failures and other disruptions by adequate standby arrangements in the form of Uninterruptible Power Supplies and backup power generators.

32. Air Conditioning. Adequate air conditioning will be provided to cater for fluctuations in temperature and humidity.

33. Network Cabling. All network cabling and test points will be protected from unauthorised interception and damage. Any unused network sockets will be sealed off and their status formally documented. Physical checks of cables to detect tampering will be carried out as part of the existing security checks at all levels. BICSI (Building Industry Consulting Service International) standards for structured network cabling will be followed for all networks.

34. Equipment Maintenance and Repair. Equipment will be adequately maintained to ensure its continued availability and integrity. Before a computing device is sent for repair or maintenance, all storage media such as hard disks, CDs/DVDs etc will be removed from the system and kept at a secure location with the user or a person nominated within the establishment. Repair and maintenance will be carried out and tested using test drives held by the repair and maintenance agency, in the presence of an IT-skilled person nominated by the establishment. Internal drives will be securely erased and formatted when relocated for fresh installation. Usernames and passwords are of no consequence once the hard disk has been removed; the power-on (BIOS) password, however, will be reset before the device is handed over. In case of replacement of a faulty hard disk under warranty/AMC, the hard disk will not be returned to the OEM/civil repair agency but will be destroyed as per existing instructions. If the vendor insists, only the details of the hard disk, i.e. a photocopy of the outer label bearing the serial number, will be given to the vendor. A clause to this effect will be included in the RFPs of all projects. In the case of handheld PDAs and tablet PCs, the secondary storage media will be removed prior to handing over to the repair agency.

35. Secure Disposal or Re-use of Equipment. Devices containing information will be disposed of securely. Prior to disposal or re-use of equipment, the information on it will be destroyed, securely deleted or overwritten so that the original information is non-retrievable, rather than using the standard delete or format function.

36. Tempest Proofing. The construction design of buildings housing highly classified systems should preferably incorporate measures to prevent eavesdropping through capture and processing of electromagnetic emanations.

37. Security Against Fire. It will be ensured that all data processing facilities/complexes are equipped with adequate fire-fighting systems and automatic smoke detection alarms, including temperature monitoring sensors, to prevent fire hazards.

CHAPTER IV

COMMUNICATIONS AND OPERATIONS CONTROL

Operational Procedures and Responsibilities

38. Standard Operating Procedures. SOPs will be developed and documented by all Establishments to assign responsibility and accountability for the implementation and monitoring of cyber security measures.

39. SOPs covering the following controls will be maintained by each establishment, specific to its functioning:-

(a) Maintenance of the air gap while using the internet.
(b) Handling and storage of soft copies of classified documents.
(c) Possession and loss of soft copies of documents.
(d) Internal and external cyber security audits.
(e) Handling of removable media and portable computing devices.
(f) Responsibility for cyber security.
(g) Repair and maintenance of IT hardware.
(h) Change management.
(i) Installation of software and patch management.
(j) User access management.
(k) Network access control.
(l) Starting and stopping of classified applications and security solutions.
(m) Incident reporting and handling.
(n) Key management.
(o) Development and acquisition of new hardware or software.

40. Segregation of Duties. Duties and areas of responsibility will be segregated to reduce the opportunities for unauthorised or intentional modification or misuse of information in an Establishment.

Protection against Malicious Software and Open Ports

41. Anti-Malware Suites. Prevention, detection and recovery measures against all types of malware (viruses, spyware etc) will be implemented on all desktops, servers and at the gateways to the internal networks.

42. Patch and Signature Management. All devices and system software will be kept updated with the latest patches and signatures to ensure protection against known vulnerabilities at all times.

43. Disabling Non-Essential Services. Every operating system provides a range of basic and advanced features, each backed by a service running in the OS. By default a number of services start automatically after an OS is installed, each opening a listening port on the computer. Users will configure their systems to enable only essential services; all services that are non-essential from a cyber security point of view must be disabled on the operating system concerned, and the set of listening ports will be checked against the establishment's approved baseline.
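The check implied by paragraph 43, enumerating what is actually listening and comparing it with the services the establishment has approved, is shown below. This is an added example for this page, not a DGQA tool; it parses the Linux /proc/net/tcp socket table (the format is stated in the comments), and the allow-list, the sample table and all names are constructed assumptions.

```go
package main

// Added example, not part of the DGQA policy: audit the TCP listeners on a
// host against an establishment's allow-list (para 43). The parser reads the
// Linux /proc/net/tcp format; allow-list, sample table and names are assumptions.

import (
	"bufio"
	"fmt"
	"io"
	"sort"
	"strconv"
	"strings"
)

// Constructed sample in /proc/net/tcp layout: column st 0A is LISTEN, and
// local_address is a host-byte-order hex IPv4 address followed by the hex port.
const sampleProcNetTCP = `  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18235 1
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18300 1
   2: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 19000 1
   3: 0A000005:A2F4 0A000001:01BD 01 00000000:00000000 00:00000000 00000000  1000        0 20011 1
   4: 00000000:0BB8 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 20500 1
`

type Listener struct {
	Addr string // bound address; 0.0.0.0 means reachable from the network
	Port int
	UID  int // owner of the socket, useful for tracing which service opened it
}

func decodeAddr(field string) (string, int, error) {
	parts := strings.Split(field, ":")
	if len(parts) != 2 || len(parts[0]) != 8 {
		return "", 0, fmt.Errorf("unexpected address %q", field)
	}
	ip, err := strconv.ParseUint(parts[0], 16, 32)
	if err != nil {
		return "", 0, err
	}
	port, err := strconv.ParseUint(parts[1], 16, 16)
	if err != nil {
		return "", 0, err
	}
	// The kernel prints the address in host (little-endian) order, so the octets come out reversed.
	addr := fmt.Sprintf("%d.%d.%d.%d", ip&0xff, ip>>8&0xff, ip>>16&0xff, ip>>24&0xff)
	return addr, int(port), nil
}

// ParseListeners returns every TCP socket in the LISTEN state.
func ParseListeners(r io.Reader) ([]Listener, error) {
	var out []Listener
	sc := bufio.NewScanner(r)
	sc.Scan() // header row
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 8 || f[3] != "0A" {
			continue // established or closing sockets are not listeners
		}
		addr, port, err := decodeAddr(f[1])
		if err != nil {
			return nil, err
		}
		uid, _ := strconv.Atoi(f[7])
		out = append(out, Listener{Addr: addr, Port: port, UID: uid})
	}
	return out, sc.Err()
}

// Unexpected returns the listeners whose port is not on the allow-list,
// sorted by port so that audit output is stable between runs.
func Unexpected(ls []Listener, allowed map[int]bool) []Listener {
	var bad []Listener
	for _, l := range ls {
		if !allowed[l.Port] {
			bad = append(bad, l)
		}
	}
	sort.Slice(bad, func(i, j int) bool { return bad[i].Port < bad[j].Port })
	return bad
}

func main() {
	ls, err := ParseListeners(strings.NewReader(sampleProcNetTCP))
	if err != nil {
		panic(err)
	}
	allowed := map[int]bool{22: true, 80: true} // constructed allow-list for this host
	for _, l := range Unexpected(ls, allowed) {
		fmt.Printf("non-essential listener %s:%d (uid %d)\n", l.Addr, l.Port, l.UID)
	}
}
```

On a live Linux host the sample reader is replaced by os.Open("/proc/net/tcp") (and /proc/net/tcp6 for IPv6); on Windows the same comparison is made over the output of netstat -ano. The value of the check is the baseline: a listener that is not on the establishment's list is either an undocumented service or something that should not be there.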

Installation/Configuration of Applications/Devices

44. The following will be ensured to prevent loss of information/data:-

(a) Virtual Network Computing (VNC). VNC software will not be used on official computers.

(b) File Sharing. The 'file and printer sharing' facility for sharing data will be used only with access control and an authentication mechanism in place.

(c) Surveillance Devices. Access control on networked surveillance devices will be configured properly to prevent their access and control by unauthorised users.

(d) Skype Software. Since these services are offered from foreign-based servers, they constitute a security risk. Therefore Skype and similar software such as Yahoo Messenger, Google Talk etc will not be used for official communication.

(e) Updating of Web Browsers. The web browser is the most commonly exploited software; users must therefore use the latest web browsers and keep them updated to prevent loss of information.

Information Back-up

45. Back-ups of information and software will be taken and tested regularly in accordance with the back-up policy of the establishment and the criticality of the information. Apart from a soft copy, a hard copy of the back-up should be maintained for critical information (e.g. server configuration). Off-site back-ups should be maintained for sensitive data.

Handling of Removable Storage Media

46. Use of pen/thumb drives is banned in the Indian Army. All types of memory sticks, including external USB-based hard disks, SD/mini-SD/MMC cards and PDAs/mobile phones with memory cards etc, therefore also come under the purview of this ban.

47. All secondary mass storage devices such as CD/DVD writers, removable Ethernet-based hard drives etc, when authorised for use, will be properly controlled and accounted for by the nominated controlling officer. Any copying of data from a computer to a secondary storage device will be authorised by the nominated controlling officer and a record of it maintained.

48. Transfer of Data. Transfer of data between networked computers will be done through the network only. In addition the following will be ensured:-

(a) No single storage device will be used on both the internet and the intranet, so that complete isolation between them is maintained.
(b) For all computers on the internet, CD/DVD drives with 'read and write access' are to be provided.
(c) Use of secondary storage devices, as well as their access points in both the internet and intranet domains, is to be restricted to the barest minimum.
(d) Autorun will be disabled for all secondary storage devices.

49. Disposal of Storage Media. Storage media will be disposed of securely when planned for re-use/recycling or no longer required. If media is not intended for re-use, the simplest and most cost-effective control is destruction. Physical destruction can be accomplished by a variety of methods including disintegration, incineration, melting and shredding.

Monitoring

50. Integrity Management. The integrity of system hardware configuration information and critical software files will be maintained and monitored/tracked to detect any unauthorised activity on the systems and networks.

51. Audit Logging. Audit logs recording user activities, exceptions and information security events will be maintained to enable forensic trails and access control monitoring.

52. Monitoring System Use. Procedures for monitoring the use of information processing facilities will be established and the results of the monitoring activities reviewed regularly.

53. Protection of Log Information. Log information will be protected against tampering and unauthorised access.

54. Administrator Logs. Administrator activities will be logged.

55. Fault Logging. Faults will be logged and analysed, and appropriate action taken.

56. Log Compression. All logs being exchanged on the network will be compressed prior to transmission to the centralised nodes in order to conserve bandwidth. Compression provides no protection; logs in transit remain subject to paragraph 53.

57. Clock Synchronisation. All nodes in the network will have synchronised clocks to ensure correct time-stamping of all data and transmissions, and to allow tracking and log analysis across nodes.

VoIP Security

58. Voice communication networks are subject to a wide range of security issues, including eavesdropping, call misdirection, identity misrepresentation and information theft. Authentication and encryption of data from IP telephones and terminals to the servers will be implemented to secure VoIP communication.

Cellular Devices/Phones

59. Cellular phones with 3G facilities can be tracked within the network in real time even when switched off. The risk grows with the advanced features available on the device/phone, such as camera, memory card, Bluetooth, Wi-Fi, GPS and internet. All Establishments will therefore formulate Standard Operating Procedures (SOPs) banning the use of such devices within office premises.
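One way to meet paragraphs 51, 53 and 57 together is a hash-chained audit log: each record carries a keyed MAC over its predecessor, its timestamp and its event text, so an editor of the log file cannot alter, insert or delete a record without the chain breaking, and a record whose clock runs backwards is refused at write time. This is an added example for this page, not DGQA software; the record layout, the key and the sample events are assumptions, and in practice the key would be held only by the log host, not by the systems that submit events.

```go
package main

// Added example, not part of the DGQA policy: a tamper-evident audit log for
// paras 51, 53 and 57. Each record carries an HMAC over the previous record's
// value, the timestamp and the event, keyed with a secret held only by the log
// host; records whose clock runs backwards are refused. Names are assumptions.

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

type Entry struct {
	When  time.Time
	Event string
	Chain string // hex HMAC linking this record to all earlier ones
}

type AuditLog struct {
	key     []byte
	Entries []Entry
	last    []byte
}

func NewAuditLog(key []byte) *AuditLog {
	return &AuditLog{key: key, last: make([]byte, sha256.Size)} // genesis value: 32 zero bytes
}

func chainValue(key, prev []byte, when time.Time, event string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(prev)
	m.Write([]byte(when.UTC().Format(time.RFC3339Nano)))
	m.Write([]byte{0}) // separator so timestamp and event cannot run together
	m.Write([]byte(event))
	return m.Sum(nil)
}

// Append refuses a record older than the previous one (para 57: without
// synchronised clocks the sequence of events cannot be reconstructed).
func (l *AuditLog) Append(when time.Time, event string) error {
	if n := len(l.Entries); n > 0 && when.Before(l.Entries[n-1].When) {
		return fmt.Errorf("clock skew: %s is earlier than previous record %s",
			when.Format(time.RFC3339), l.Entries[n-1].When.Format(time.RFC3339))
	}
	c := chainValue(l.key, l.last, when, event)
	l.Entries = append(l.Entries, Entry{When: when, Event: event, Chain: hex.EncodeToString(c)})
	l.last = c
	return nil
}

// Verify recomputes the chain and returns the index of the first record that
// was altered, inserted, or whose predecessor was deleted; -1 if intact.
func Verify(key []byte, entries []Entry) int {
	prev := make([]byte, sha256.Size)
	for i, e := range entries {
		c := chainValue(key, prev, e.When, e.Event)
		want, err := hex.DecodeString(e.Chain)
		if err != nil || !hmac.Equal(c, want) {
			return i
		}
		prev = c
	}
	return -1
}

// SampleLog builds a log from constructed events under a constructed key.
func SampleLog() *AuditLog {
	l := NewAuditLog([]byte("constructed-log-host-secret")) // in practice from the log host's keystore
	t0 := time.Date(2014, 3, 19, 9, 0, 0, 0, time.UTC)
	l.Append(t0, "admin login user=sysadmin host=qae-srv1")
	l.Append(t0.Add(2*time.Minute), "firewall rule added: permit tcp any 10.0.0.5 3389")
	l.Append(t0.Add(5*time.Minute), "admin logout user=sysadmin")
	return l
}

func main() {
	l := SampleLog()
	fmt.Println("intact, first bad index:", Verify(l.key, l.Entries))
	l.Entries[1].Event = "firewall rule added: permit tcp any 10.0.0.5 443" // history rewritten
	fmt.Println("after edit, first bad index:", Verify(l.key, l.Entries))
	fmt.Println("skewed append:", l.Append(time.Date(2014, 3, 19, 8, 0, 0, 0, time.UTC), "late event"))
}
```

The chain makes tampering detectable, not impossible: whoever holds the key can re-sign, which is why the key belongs to the central log host (paragraph 56) and not to the administrators whose actions paragraph 54 requires to be logged. Periodically exporting the latest chain value to a separate record anchors the log against wholesale replacement.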

Management of USB Ports on Computers

60. In order to prevent information theft, USB ports will be disabled using appropriate software on all computers, including the standalone computers held by clerical staff (the restriction applies to mass storage devices only).

Management of CD Writers on Computers

61. When authorised by the appropriate authority on account of a need for data back-up and/or emergency transfer of data, CD writers will be configured only on the computers of nominated officers in a given establishment, and only for the specific period. In addition, computers holding classified information will not have internal CD writers. Based on the minimum inescapable requirement, a given establishment will hold only a few external CD writers, with the nominated controlling officer. Similarly, a minimum number of internal CD writers, if required, will be retained only with the nominated officers in the establishment. Access to such devices will be controlled by means of appropriate hardware and software mechanisms. A record of data burnt to CDs will be maintained.

Security of System Documentation

62. System documentation (such as configuration files of exchanges, routers etc) stored on computers will be protected against unauthorised access.


CHAPTER V

NETWORK SECURITY MANAGEMENT

Network Controls

63. The various types of networks that can be envisaged in the DGQA environment can be broadly grouped into user managed networks and centrally managed networks. At a certain interface these will join together to offer information exchange, translation and flow. The types of networks can be enumerated as:-

(a) At Estt/Controllerate LANs.

(b) At Directorate HQ LANs.

(c) Station Access Networks.

(d) Communication networks managed and configured through computers.

(e) OIS/MIS networks.

64. Networks will be adequately managed and controlled, in order to be protected from threats, by incorporating appropriate security solutions at the physical, network, transport and application layers.

65. Network Configuration. The network must be designed and configured to deliver high performance and reliability whilst providing a high degree of access control and a range of privilege restrictions. With the rapid growth of network services, new networks will keep getting connected. However, interconnecting networks must not weaken the existing security level or compromise the security of information. The network architecture must always separate the internal network from the external one. Lack of appropriate protection at the gateway may leave the internal networks vulnerable. Gateway devices isolate and protect a network from external threats. The essential components of perimeter defence that must be present are a firewall, IDS/IPS and antivirus. Details are as under:-

(a) Firewall. The internal network of any formation/unit will be physically and logically isolated by using a firewall. The rules for the firewall will be based on explicit directions from the system administrator. All firewall activity will be logged and analysed by the system administrator on a periodic basis.

(b) Antivirus. Antivirus mechanisms will be in place to limit the spread of viruses and other malware. An antivirus system will function in conjunction with the firewall to check all incoming traffic for viruses or malicious code. In addition, antivirus software will also be installed on individual servers (server version) and host machines.

66. UTM/IDS/IPS. Unified Threat Management Systems, Intrusion Detection Systems and Intrusion Prevention Systems (IDS/IPS) will be in place to examine the packets entering or exiting a backbone/access network. An IDS monitors traffic passively (for example from a mirror port) and raises alerts; an IPS or UTM sits inline and can also drop or block the offending traffic, so its rule set needs the same periodic review as the firewall rules.

67. Network Management. A suitably qualified System Administrator will manage the network and ensure that the network is available and appropriately configured to perform the required task.

68. Remote Access of Network. Remote access to the Organisation's/Establishment's network and resources will only be permitted provided that authorised users are authenticated, data is encrypted across the network and privileges are restricted.

69. Accessories on Network Computers. Networked computers will preferably have only network printers and network scanners. Depending on the sensitivity of the data being handled, the printer/scanner will be shared among a defined closed user group. Standalone printers and scanners required in non-networked environments will be appropriately monitored. In addition, networked computers will not have writing devices like CD/DVD writers, floppy drives etc. All computers on the networks will have their floppy drives and CD/DVD writers removed and USB ports disabled.

70. Controls Against Malicious Hardware/Software. Only licensed and legal hardware/software will be used, and it will be regularly updated. System hardware, operating and application software, the networks and communication systems must all be adequately configured and safeguarded against both physical intrusion and unauthorised network intrusion.

71. IP Version 6. IP version 6 (IPv6) is the successor to the current IP version 4 (IPv4). IPv6 not only solves the problem of address space shortage but also provides more efficient management of address space, IPsec support within the protocol suite and elimination of the need for network address translation. IPsec support does not by itself secure traffic; it must still be configured, and IPv6 traffic needs the same firewall and IDS/IPS coverage as IPv4. All network devices procured by establishments will incorporate the IPv6 protocol suite for ease of migration to IPv6 in a phased manner.

72. Applications/Services Based on Networks. A number of applications/services based on computer networks are available to users. The following guidelines will be adhered to in respect of all these applications/services:-

(a) Dial up Access. Dial up access will not be permitted on the Network.

(b) Hosting of Blogs, Forums and Chat Servers. Blogs, forums and chat servers will not be hosted by the Establishments.

(c) Hosting of File Transfer Protocol (FTP) and E-mail Servers. Plain FTP will not be used; only secure file transfer (SFTP or FTPS) is allowed. E-mail servers can be established if the utility is procured from reputed vendors with licensed software and regular updates.

(d) Electronic Messaging. Information sent through electronic messaging will be appropriately protected against incomplete transmission, mis-routing, unauthorised message alteration, unauthorised disclosure, unauthorised message duplication or replay and denial of service. E-mail attachment will not be opened directly. It will be saved on the media and duly scanned for malware before use.

73. Security of Servers.

(a) Configuration. Separate servers will be configured to cater for each role, i.e. web, application, database, authentication etc. All servers will be placed behind the firewall. In addition, the database servers will always be behind another dedicated firewall.

(b) Updation. Server operating systems and server applications will be regularly updated. The OS and applications will under no circumstances access the Internet for automatic updating.

(c) Server Hardening. No server software or application will run with administrator privilege. All non-essential services, applications or protocols running on the servers will be disabled. All unused accounts and default or sample files will be removed.

(d) Audit logs will be activated on all servers. Logs will be regularly analysed for anomalies and the analysis properly documented. Logs (on CD/DVD) will be kept in a secure place for at least a week. Logs showing intrusions and attacks must be kept permanently for investigation.

(e) All servers will be loaded with server-grade host-based firewall and anti-malware software, which will be regularly updated.

(f) Physical and logical access control to all servers will be ensured. Two-factor authentication will be used, and primary and secondary administrators will be nominated.

(g) Unnecessary content such as platform information in server banners, help databases, and default or sample files will be removed from the servers to avoid disclosure of system information.

74. Administration of Servers.

(a) Direct access to the servers will be explicitly debarred. Administration tools for the server applications will be accessed only through an administrative console placed in a room physically separated from the server room by means of partitioning.

(b) Authentication passwords for the administrative tools must be changed periodically. Default passwords of the administrative tools will be reconfigured.

(c) Proper content management procedures will be established for updating the servers and applications. For forms or applications that accept user input, all input data will be properly checked and validated before being passed to the backend application.

75. Database Security.

(a) Default Accounts and Passwords. It must be ensured that all default passwords for the default accounts are changed. If the default accounts are not in use, they will be locked.

(b) Default Roles. No default roles will be implemented. Roles of database users will be defined and allocated by the database administrator.

(c) Failed Login Attempts. Logs of all failed login attempts will be reviewed daily. Database account lockout will be configured after three failed attempts.
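Paragraph 75(c) calls for a daily review of failed login attempts and lockout after three failures. The following is an added example, not part of the DGQA policy, showing that review logic run over a constructed audit log. The log format, the 'db-audit' tag, host names, account names and addresses are all assumptions; a real database's audit log needs its own parser.

```python
"""Daily review of failed database logins (added example; not DGQA policy code).

Implements the review in para 75(c): walk an audit log in order, count
consecutive failed logins per account, and flag an account for lockout once
it reaches the threshold. A successful login resets that account's streak.
The log format, the 'db-audit' tag, host names, accounts and addresses below
are constructed for illustration; a real database audit log needs its own
parser.
"""
import re
from collections import defaultdict
from datetime import datetime

LOCKOUT_THRESHOLD = 3  # para 75(c): lock after three failed attempts

# Constructed sample log: "<timestamp> <host> db-audit: <RESULT> user=<acct> src=<ip>"
SAMPLE_LOG = """\
2014-03-19T09:00:01 dbsrv1 db-audit: LOGIN_FAILED user=appuser src=10.1.5.20
2014-03-19T09:00:04 dbsrv1 db-audit: LOGIN_FAILED user=appuser src=10.1.5.20
2014-03-19T09:00:05 dbsrv1 db-audit: LOGIN_OK user=appuser src=10.1.5.20
2014-03-19T09:10:11 dbsrv1 db-audit: LOGIN_FAILED user=sys src=10.1.9.77
2014-03-19T09:10:12 dbsrv1 db-audit: LOGIN_FAILED user=sys src=10.1.9.77
2014-03-19T09:10:14 dbsrv1 db-audit: LOGIN_FAILED user=sys src=10.1.9.77
2014-03-19T09:10:15 dbsrv1 db-audit: LOGIN_FAILED user=sys src=10.1.9.77
2014-03-19T09:30:00 dbsrv1 db-audit: LOGIN_FAILED user=reports src=10.1.5.31
2014-03-19T09:31:00 dbsrv1 db-audit: LOGIN_FAILED user=hr src=10.1.5.31
2014-03-19T09:32:00 dbsrv1 kernel: unrelated message that does not parse
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) db-audit: (?P<result>LOGIN_FAILED|LOGIN_OK) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Return the fields of one audit line as a dict, or None if it does not match."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    rec = match.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%S")
    return rec


def review_failed_logins(log_text, threshold=LOCKOUT_THRESHOLD):
    """Produce the daily review from a log.

    Returns a dict with:
      lockouts            account -> {locked_at, failures, sources} for accounts
                          that hit `threshold` consecutive failures
      failures_by_account account -> total failed attempts in the period
      failures_by_source  source address -> total failed attempts (spraying
                          across many accounts shows up here, not in lockouts)
      unparsed            lines the regex did not match, for manual review
    """
    streak = defaultdict(int)
    streak_sources = defaultdict(set)
    failures_by_account = defaultdict(int)
    failures_by_source = defaultdict(int)
    lockouts = {}
    unparsed = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed.append(line)
            continue
        user = rec["user"]
        if rec["result"] == "LOGIN_OK":
            streak[user] = 0
            streak_sources[user].clear()
            continue
        failures_by_account[user] += 1
        failures_by_source[rec["src"]] += 1
        streak[user] += 1
        streak_sources[user].add(rec["src"])
        if streak[user] >= threshold and user not in lockouts:
            lockouts[user] = {
                "locked_at": rec["ts"].isoformat(),
                "failures": streak[user],
                "sources": sorted(streak_sources[user]),
            }
    return {
        "lockouts": lockouts,
        "failures_by_account": dict(failures_by_account),
        "failures_by_source": dict(failures_by_source),
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    report = review_failed_logins(SAMPLE_LOG)
    for user, info in report["lockouts"].items():
        print(f"LOCK {user}: {info['failures']} consecutive failures "
              f"from {info['sources']} at {info['locked_at']}")
    print("failed attempts by account:", report["failures_by_account"])
    print("failed attempts by source: ", report["failures_by_source"])
    print("unparsed lines:", len(report["unparsed"]))
```

The database engine should enforce the three-attempt lockout itself at login time; the daily review exists to confirm it did, and the per-source count catches what a per-account lockout cannot, namely one address trying a password or two against many accounts. Unparsed lines are returned rather than discarded, because a log that silently stopped parsing is itself a finding.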


CHAPTER VI

INTERNET

Maintenance of Air Gap

76. A strict air-gap between the Internet and official networks will be ensured at all times by the Establishments. Internet computers will be housed in a separate room. Where a separate room cannot be provided for Internet use, a physical partition with a separate access door will be provisioned. A computer used for creating and storing official documents/information, or a networked computer, will not be connected to or used to access the Internet. Any computer used for official purposes will not be connected to mobile phones with Internet facilities or to 'Plug and Surf' USB modems. Wi-Fi or Wireless Access Points (WAP) for surfing the Internet will also not be connected to official computers. Removable media like thumb drives etc will not be exchanged between Internet and LAN/official PCs.

Data Leakage Prevention

77. The computer name of an Internet computer shall not reveal the appointment or the establishment's identity. All downloaded data will be duly scanned with an updated version of antivirus before use, in order to avoid introduction of trojans, backdoors, key loggers or other malware. If at any time an official work computer is to be shifted to Internet use, all data on it will be removed using secure deletion and formatting before it is connected to the Internet.

Wired Connectivity to the Internet

78. Internet access for authorised subscribers will normally be provisioned on wired media. However, if a network is established to distribute an Internet connection leased from a service provider, it will be adequately protected in terms of proxying, firewalls and Intrusion Detection Systems. Such a network will be used purely for provision/distribution of Internet connectivity and in no case for internal communication between the networked computers/end users.

Wireless Connectivity for Internet

79. Wireless connectivity for Internet is not permitted.

Clearance of Information/Data

80. The information/data to be hosted on the Internet needs to be correct in all respects and will be approved by the head of the directorate/branch/establishment.

Social Networking

81. Social networking sites like Facebook, Twitter, Orkut, groups, technical forums, security forums, education and research forums, blog sites, photo sharing sites etc will not be accessed using official communication devices/computer systems in office premises. The user will neither create nor join any community, group etc that is related to terrorism, anti-national elements, political groups etc. Creation or joining of communities/groups/email-IDs revealing course, batch, unit, etc, or revealing any affiliation with the Army, for e.g. NDA 53, YO 120, [email protected], [email protected], wecandoit.com etc, is prohibited. Any online participation, polling, campaign etc related to the Armed Forces or Govt of India, and online interaction with media houses, foreign nationals and/or agencies/organisations, or retired service personnel over official matters, is also restricted. No individual will reveal personal identity by way of rank, appointment, official address or photographs in uniform on the Internet. Detailed instructions have been disseminated to the environment for implementation vide Military Intelligence Directorate Letter No A/38024/1/MI-11 dated 03 Oct 2011.

E-Mail Accounts

82. Use of the Internet for official communication is a serious security risk, as information sent through e-mail IDs based on foreign mail servers (Yahoo Mail, Hotmail etc) can be accessed by the service provider at any time. Thus, only NIC e-mail IDs (which are hosted on Indian servers), when authorised by the appropriate authority, will be used for official communication of UNCLASSIFIED nature.

Online Trading

83. No person will use official communication devices/computers located within office premises for online trading. In office premises, even personal computers/laptops or any Internet enabled device will not be used for online trading.

Accountability of Mobile Computing Devices

84. When using mobile computing devices (for official purposes) such as notebooks, palmtops, laptops and PDAs, special care will be taken to ensure that information is not compromised or lost due to theft. Appropriate operating procedures will be established at all levels, based on this policy, for accounting and protection of mobile computing devices from damage, theft and unauthorised access. These mobile computing devices will not be connected to the Internet at any point of time. To maintain a strict air-gap, removable writeable media will not be shared between official mobile devices and Internet enabled devices. Wireless access like Bluetooth, Wi-Fi etc on such devices will be disabled.

Secure Storage

85. All classified information stored/kept on portable media will be in encrypted form. Secure erasing of files on mobile computing devices will be ensured before reuse. Internet connected computers will not be used for drafting or storing official documents.

Laptops

86. The following will be ensured while using official laptops:-

(a) Official laptops containing classified/official data will be handled in accordance with the instructions in vogue.

(b) Bluetooth, WLAN and Wi-Fi will always be disabled in all official laptops.

(c) No personal laptop/palmtop/electronic notebook is permitted to be brought into office.

87. A standalone official laptop to be used for presentations in other offices/stations will not contain any data beyond CONFIDENTIAL classification. Such classified/official data will always be encrypted while in storage. Such laptops will NOT be connected to the Internet or any other network. The required cyber security audit of such laptops will be carried out periodically.

Guidelines for Computer Users

88. The responsibility to ensure prevention of any cyber security breach from the client PC lies with the user, who will ensure that all laid down instructions on cyber security are followed in letter and spirit. In the case of an Internet computer at home, it will be ensured that sufficient safeguards are in place and that family members are well informed on cyber security related issues. Under NO circumstances will the official computer/laptop be carried home for work, or vice versa.


CHAPTER VII

AUTHENTICATION AND ACCESS CONTROL

Authentication

89. All systems and devices will implement strong pass-phrase based authentication. In addition, classified systems will have two/three factor authentication implemented, based on the classification of the information/data being handled, to prevent unauthorised access to systems and devices.

User Access Control

90. The access control policy will ensure 'Role Based Access Control'. Information systems that process classified data will have 'Mandatory Access Controls' in place. The following additional measures will be adopted:-

(a) User Registration. There will be a formal user registration and de-registration procedure in place for granting and revoking access to information systems and resources.

(b) Privilege Management. The allocation and use of privileges will be restricted and controlled. The principle of least privilege will be followed while using systems and services. Multi-user systems that require protection against unauthorised access will have allocation of privileges controlled through a formal authorisation process.

(c) Review of User Access Rights. The access control rules and rights will be periodically reviewed, and redundant user IDs and accounts will be investigated and removed.

(d) User Password Management. The allocation of passwords will be controlled through a formal password management process. Users will follow the password guidelines in the selection and use of passwords.

(e) Password Level. System software security features such as Basic Input Output System (BIOS) passwords, user level passwords, screen-saver passwords etc will be implemented to protect resources. Where application software is hosted, application level passwords will also be used.

(f) Password Strength. A strong and effective password requires a degree of complexity. Passwords will be a minimum of 10 characters in length, made up of alphanumeric characters with at least two special characters. Pass-phrases should be used instead of passwords, since they are easier to remember and afford greater complexity (e.g. My 3rd Dog is a Golden Retriever, from which the mnemonic M3DiaGR is derived by taking the first character of each word). Note that the seven-character mnemonic on its own does not meet the length and special-character requirements above; it illustrates the derivation technique, and the result must still be extended to satisfy the rule.

(g) Unattended User Equipment. Users will ensure that unattended equipment has appropriate physical and logical protection.

(h) Clear Desk and Clear Screen Policy. No removable storage media will be left unattended on office desks and in work areas. All desktops and servers will have a clear screen policy when not in use.
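The rule in para 90(f) can be checked mechanically. The following is an added example, not part of the DGQA policy: it derives a mnemonic from a pass-phrase exactly as the policy's example does (first character of each word) and then tests a candidate against the stated rule. Treating any printable punctuation character as a 'special character' is an assumption, since the policy does not define the term.

```python
"""Password rule check for para 90(f) (added example; not DGQA policy code).

Rule as stated: minimum 10 characters, alphanumeric, with at least two
special characters. derive_mnemonic() reproduces the policy's own
technique (first character of each word of a pass-phrase). Treating any
printable punctuation character as "special" is an assumption; the policy
does not define the term.
"""
import string

MIN_LENGTH = 10
MIN_SPECIALS = 2
SPECIALS = frozenset(string.punctuation)


def derive_mnemonic(phrase):
    """First character of each word: 'My 3rd Dog is a Golden Retriever' -> 'M3DiaGR'."""
    return "".join(word[0] for word in phrase.split())


def check_password(candidate, min_length=MIN_LENGTH, min_specials=MIN_SPECIALS):
    """Return the list of rule violations; an empty list means the rule is met."""
    violations = []
    if len(candidate) < min_length:
        violations.append(f"length {len(candidate)} is below the minimum of {min_length}")
    if not any(c.isalpha() for c in candidate):
        violations.append("contains no letters")
    if not any(c.isdigit() for c in candidate):
        violations.append("contains no digits")
    specials = sum(1 for c in candidate if c in SPECIALS)
    if specials < min_specials:
        violations.append(f"{specials} special character(s), minimum is {min_specials}")
    return violations


def is_compliant(candidate):
    """True when the candidate satisfies every part of the para 90(f) rule."""
    return not check_password(candidate)


if __name__ == "__main__":
    phrase = "My 3rd Dog is a Golden Retriever"   # the policy's own example
    mnemonic = derive_mnemonic(phrase)
    for candidate in (mnemonic, mnemonic + "!?2014", phrase):
        problems = check_password(candidate)
        print(f"{candidate!r}: {'OK' if not problems else '; '.join(problems)}")
```

Running it on the policy's own example shows why the caveat in para 90(f) matters: 'M3DiaGR' is seven characters with no special characters, so the derivation alone does not yield a compliant password, and the full phrase fails too because it has no special characters. Composition rules only bound the search space; a mnemonic of a well-known phrase or song lyric remains guessable, so this check is a floor, not a measure of strength.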

Network Access Control

91. Access to both internal and external network services/resources will be controlled as under:-

(a) Policy on Use of Network Services. SOP on the use of networks and network services/resources will be formulated by all Estt which must be consistent with the Cyber Security Policy. The SOP must clearly specify the networks and network services/resources which are allowed to be accessed.

(b) User Authentication for External Connections. Appropriate identification, authentication and authorisation methods will be used to control access by remote users.

(c) Equipment Identification in Networks. Equipment identification will be implemented to authenticate connections from specific locations and devices. Default passwords on all equipment will be reconfigured and administrator accounts renamed.

(d) Remote Diagnostic and Configuration Port Protection. Many information processing facilities and systems require remote diagnostics by maintenance engineers. Physical and logical access to diagnostic and configuration ports will be controlled and monitored. Remote management of network devices will be done only through secure communication channels and on specific written orders for particular software applications.

(e) Segregation in Networks. Groups of information services, users and information systems will be segregated by deploying secure gateway devices.

(f) Network Connection Control. For shared networks, the capability of users to connect to the network will be restricted, in line with the access control policy and the requirements of the applications. The connection capability of users will be restricted through network gateways that filter traffic by means of pre-defined tables or rules.

(g) Network Routing Control. Routing controls will be implemented for networks to ensure that computer connections and information flows do not breach the access control policy.

Operating System Access Control

92. Unauthorised access to operating systems will be prevented by:-

(a) Secure Log-on Procedures. Access to operating systems will be controlled by a secure log-on procedure. Log-on credentials will neither be transmitted nor stored in clear. Multi-factor authentication mechanisms based on the principle of 'something you know' (password, pass-phrase, PIN etc), 'something you have' (token, memory card, smart card etc) and 'something you are' (biometric devices) will be incorporated for critical systems.

(b) Use of Unlicensed Software. No unlicensed/pirated software will be used on official systems, as it may contain malicious code.

(c) Session Time Out. Inactive sessions will be shut down after a defined period of inactivity. Sessions are shut down to prevent access by unauthorised persons and to limit denial of service. Time-outs can be tuned to clear the session screen first and, possibly later, close both application and network sessions after a defined period of inactivity.

(d) Limitation of Connection Time. Restrictions on connection times will be used to provide additional security for high-risk applications. Such critical applications must have multi-layered authentication mechanisms incorporated.

Application Access Control

93. Application Access Restriction. Logical access to application software and information will be restricted to authorised users only.

94. Security Classification of Application Software. The classification of an application system will be explicitly identified and documented by the application owner. Classified systems above CONFIDENTIAL will have a dedicated and isolated computing environment.


CHAPTER VIII

ACQUISITION AND DEVELOPMENT OF INFORMATION SYSTEMS

Authorisation Process

95. An authorisation process for new information processing facilities, such as procurement of hardware/software, establishment of LAN/WAN, development of software, automation etc, will take into account the existing cyber security policies/guidelines before authorising the induction of such IT infrastructure, to ensure that all relevant cyber security requirements are met.

96. A clear and complete description of the physical, electrical and mechanical aspects, protocols and interfaces of the various components needs to be specified and given during the development process.

Correct Processing of Data by Applications

97. To minimise application level vulnerabilities, all application development will address security at each stage of the Software Development Life Cycle (SDLC). The following will be addressed during software development:-

(a) Determining Level of Security Required. Based on the confidentiality of the application and the data handled, the level of security required will be specified clearly and incorporated from the design stage itself.

(b) Input Data Validation. Data input to applications must be validated to ensure that it is correct and appropriate. Validation will be performed on the server side, since checks performed only in the client can be bypassed.

(c) Output Data Validation. Data output from an application must be validated to ensure that the processing of stored information is correct and appropriate to the circumstances.

(d) Control of Internal Processing. Validation checks will be incorporated into applications to detect any corruption of information through processing errors or deliberate acts.

(e) Message Integrity. Requirements for ensuring authenticity and protecting message integrity in applications will be identified, and appropriate security measures identified and implemented.

Security of System Files

98. Access Control to Program Source Code. During software development, access to program source code and associated designs, specifications, verification and validation plans etc will be strictly controlled to prevent introduction of unauthorised functionality and to avoid unintentional changes.

99. Protection of System Test Data. During software development the test data will be carefully selected and protected. Information/sensitive data etc will not be permitted to be copied onto the vendor's storage media.

Security in Development and Support Processes

100. Change Control Procedures. The implementation of changes will be controlled through formal change control procedures. Introduction of new systems and major changes to existing systems will be properly documented. The process will ensure that existing security and control procedures are not compromised.

101. Technical Review of Applications after Operating System Changes. Application control and integrity procedures will be reviewed to ensure that they have not been compromised by the operating system changes.

102. File Integrity. File integrity checks for both operating system and application software will be implemented.

103. Controlling Non-Essential Services. The application should not, by default, enable services that are not required for its functioning.

104. Authorised Software. Only authorised, licensed, updated and supported software will be used.

105. Outsourced Software Development. Outsourced software development will be supervised and monitored by the concerned establishment.

Embedded Software

106. While procuring hardware and software, Original Equipment Manufacturers (OEM)/licensed software suppliers will certify that the product being supplied is free from embedded/malicious hardware and software. Source code for the embedded software should be made available, and this requirement incorporated as part of the contract while procuring systems, wherever feasible.

CONCLUSION

107. Information has been an important part of our day to day functioning. With ever increasing dependence on information and communication technologies (ICT) for the conduct of QA activities, and the emerging threats in cyberspace, security of information is the greatest challenge. However, adoption of secure technologies, with proper configuration and use of encryption technologies along with procedural controls, will make deployment of networks and information systems for the conduct of network centric operations more efficient.

108. This policy is a step to ensure implementation of securely designed and developed systems and networks in DGQA.


Appendix “A”

GLOSSARY OF IMPORTANT TERMS Access 1. Gaining entry into, instructing or communicating with the logical, arithmetical or memory function resources of a computer system or computer network. Access Control 2. The process of limiting access to the resources of a computer system only to authorised users, programs or other computer systems. Addressee 3. A person who is intended, by the originator to receive the electronic record but does not include any intermediary. Affixing Digital Signature 4. With its grammatical variations and cognate expressions means adoption of any methodology or procedure by a person for the purpose of authenticating an electronic record by means of digital signature. Alias 5. A pseudonym. Anti-Virus Program 6. Software designed to detect, and potentially eliminate, viruses before they have had a chance to wreak havoc within the system, as well as repairing or quarantining files which have already been infected by virus activity. Application Software 7. A software that is specific to the solution of an application problem. It is the software coded by or for an end user that performs a service or relates to the user's work. Audit 8. A procedure used to validate that controls are in place and adequate for their purposes. Includes recording and analysis of activities to detect intrusions into or abuse of an information system. Inadequacies found by an audit are reported to appropriate authorities. Audit Log 9. Computer files containing details of amendments to records, which may be used in the event of system recovery being required. The majority of commercial systems feature the creation of an audit log. Enabling this feature incurs some system overhead, but it does permit subsequent review of all system activity, and provide details of: which User ID performed which action to which files when etc. Failing to produce an audit log means that the activities on the system are ‘lost’. Audit Trail 10. 
A chronological record of system activities providing documentary evidence of processing that enables management staff to reconstruct, review, and examine the sequence of states and activities surrounding or leading to each event in the path of a transaction from its inception to output of final results. Auditor 11. Person employed to verify, independently, the quality and integrity of the work that has been undertaken within a particular area, with reference to accepted procedures. Authentication 12. A process used to confirm the identity of a person or to prove the integrity of specific information. Message authentication involves determining its source and verifying that it has not been modified or replaced in transit. (See also DIGITAL SIGNATURE)

32

Authorisation 13. The granting of rights, including the ability to access specific information or resources: Availability 14. The extent to which information or processes are reasonably accessible and usable upon demand, by an authorised entity, allowing authorised access to resources and timely performance of time-critical operations. Backup 15. The process of copying critical information, data and software for the purpose of recovering essential processing back to the time the backup was taken. Biometric Access Controls 16. Security Access control systems which authenticate (verify the identity of) users by means of physical characteristics, e.g. face, fingerprints, voice, or retina pattern BIOS 17. BIOS, the Basic Input Output System of a personal computer. The BIOS contains the code which results in the loading (booting) of a computer’s operating system e.g. Microsoft Windows®. The BIOS also controls the flow of data to/from the operating system and peripheral devices, such as printer, hard disk, keyboard and mouse. Bot 18. Short for Robot, the term describes little programs designed to perform automated tasks on the Internet such as indexing, looking/watching for message contents, or to act as avatars (human surrogates). There are hundreds of different types of Bots including, by some definitions, Agents and Crawlers. Clear Desk Policy 19. A Policy of the organisation which directs all personnel to clear their desks at the end of each working day, and file everything appropriately. Desks should be cleared of all documents and papers, including the contents of the ‘in’ and ‘out’ trays! The purpose of the Clear Desk Policy is to ensure that sensitive papers and documents are not exposed to unauthorised persons out of working hours. Clear Screen Policy 20. A Policy of the organisation which directs all computer users to ensure that the contents of the screen are protected from prying eyes and opportunistic breaches of confidentially. 
Typically, the easiest means of compliance is to use a screen saver which will engage, either on request, or after a specified time. Compromise 21. A violation (or suspected violation) of a security policy, in which an unauthorised disclosure of, or loss of control over, sensitive information may have occurred. (See also, DATA INTEGRITY) Computer 22. Any electronic, magnetic, optical or other high-speed data processing device or system which performs logical, arithmetic, and memory functions by manipulations of electronic, magnetic or optical impulses, and includes all input, output, processing, storage, computer software, or communication facilities which are connected or related to the computer in a computer system or computer network. Computer Database 23. Means a representation of information, knowledge, facts, concepts or instructions in text, image, audio, video that are being prepared or have been prepared in a formalized manner or have been produced by a computer, computer system or computer network and are intended for use in a computer, computer system or computer network. Computer Network 24. Interconnection of one or more computers through:-

(a) The use of satellite, microwave, terrestrial line or other communication media. (b) Terminals or a complex consisting of two or more interconnected computers whether or not the interconnection is continuously maintained.

33

Computer Peripheral 25. Means equipment that works in conjunction with a computer but is not a part of the main computer itself, such as a printer, magnetic tape reader, etc.

Computer Resource 26. Means computer, computer system, computer network, data, computer database or software.

Computer System 27. A device or collection of devices, including input and output support devices and excluding calculators which are not programmable and capable of being used in conjunction with external files, which contain computer programs, electronic instructions, input data and output data, that performs logic, arithmetic, data storage and retrieval, communication control and other functions.

Confidentiality 28. The condition in which sensitive data is kept secret and disclosed only to authorised parties.

Contingency Plans 29. The establishment of emergency response, back up operation and post-disaster recovery processes maintained by an information processing facility or for an information system.

30. Establish the strategy for recovering from unplanned disruption of information processing operations. The strategy includes the identification and priority of what must be done, who performs the required action, and what tools must be used.

31. A document, developed in conjunction with application owners and maintained at the primary and backup computer installation, which describes procedures and identifies the personnel necessary to respond to abnormal situations such as disasters. Contingency plans help managers ensure that computer application owners continue to process (with or without computers) mission-critical applications in the event that computer support is interrupted.

Controls 32. Measures taken to ensure the integrity and quality of a process.

Damage 33. Means to destroy, alter, delete, add, modify or rearrange any computer resource by any means.

Data 34. Means a representation of information, knowledge, facts, concepts or instructions which are being prepared or have been prepared in a formalised manner, and is intended to be processed, is being processed or has been processed in a computer system or computer network, and may be in any form (including computer printouts, magnetic or optical storage media, punched cards, punched tapes) or stored internally in the memory of the computer.

Data Centre 35. The facility covering the computer room, media library, network area, server area, programming and administration areas, other storage and support areas used to carry out the computer processing functions. Usually refers to the computer room and media library.

Data Integrity 36. A condition in which data has not been altered or destroyed in an unauthorised manner. (See also THREAT; COMPROMISE)

Data Security 37. The practice of protecting data from accidental or malicious modification, destruction or disclosure.


Default Password 38. The password installed by a manufacturer and required to access a computer system when it is initially delivered, or a password required by software (typically shareware) to prove that the user is registered with the software vendor. Default passwords are not normally encountered on new PCs and have become relatively rare, but, in cases where such a password has been installed, the new owner of the equipment should change it at the earliest opportunity, to avoid it being known to third parties.

Denial of Service 39. A Denial of Service (DoS) attack is an Internet attack against a Web site whereby a client is denied the level of service expected. In a mild case, the impact can be unexpectedly poor performance. In the worst case, the server can become so overloaded as to cause a crash of the system.

Digital Signature 40. Means authentication of any electronic record by a subscriber by means of an electronic method or procedure in accordance with the provisions of section 3 of the IT Act, 2000.

Digital Signature Certificate 41. Means a Digital Signature Certificate issued under sub-section (4) of section 35 of the IT Act, 2000.

Digital Watermark 42. A unique identifier that becomes part of a digital document and cannot be removed. The watermark is invisible to the human eye, but a computer can analyse the document and extract the hidden data. Digital watermarks are being used for Classified/Top Secret documents. The primary use of such marks is to allow different marks to be used when the document is copied to different persons, and thereby establish an Audit Trail should there be any leakage of information.

DMZ 43. A DMZ (De-Militarised Zone) is a separate part of an organisation’s network which is shielded and ‘cut off’ from the main corporate network and its systems. The DMZ contains technical equipment to prevent external parties (say on the Internet) from gaining access to your main systems.

Document 44. A record consisting of information inscribed on a tangible medium such as paper, rather than computer based information. (See also ELECTRONIC RECORD)

Electronic Mail 45. Messages sent, received or forwarded in digital form via a computer-based communication mechanism.

Electronic Record 46. Means data, record or data generated, image or sound stored, received or sent in an electronic form or microfilm or computer generated microfiche.

Encryption 47. The process of transforming plaintext data into an unintelligible form (cipher text) such that the original data either cannot be recovered (one-way encryption) or cannot be recovered without using an inverse decryption process (two-way encryption).

Firewall 48. One of several types of intelligent devices (such as routers or gateways) used to isolate networks. Firewalls make it difficult for attackers to jump from network to network. A double firewall is two firewalls connected together. Double firewalls are used to minimise risk if one firewall gets compromised, or to provide address translation functions.

File Transfer Protocol 49. The application protocol that offers file system access from the Internet suite of protocols.


Form 50. With reference to information, means any information generated, sent, received or stored in media, magnetic, optical, computer memory, micro-film, computer generated micro fiche or similar device.

Function 51. In relation to a computer, includes logic, control, arithmetical process, deletion, storage and retrieval and communication or telecommunication from or within a computer.

Gateway 52. Hardware or software that is used to translate protocols between two or more systems.

Hard Copy 53. A copy of computer output that is printed on paper in a visually readable form, e.g. printed reports, listings and documents.

Information 54. Includes data, text, images, sound, voice, codes, computer program, software and databases or micro-film or computer generated micro fiche.

Information Assets 55. Means all information resources utilized in the course of any organisation's business and includes all information, application software (developed or purchased), and technology (hardware, system software and networks).

Information Technology Security 56. All aspects related to defining, achieving and maintaining confidentiality, integrity, availability, accountability, authenticity, and reliability.

Intrusion 57. The IT equivalent of trespassing. An uninvited and unwelcome entry into a system by an unauthorised source. While incursions are always seen as hostile, intrusions may well be innocent, having occurred in error. Strong ID and password systems can minimise intrusions.

Intrusion Detection System (IDS) 58. Intrusion Detection Systems are complex software applications which monitor network activity using various techniques, such as ‘intelligent agents’. Many current applications will not only detect misuse but also identify a known pattern of attack, or attack scenario. The IDS can then automatically terminate the offending session and send an alert to the Systems Administrator.

License 59. Means a license granted to a CA.

Local Area Network 60. A geographically small network of computers and supporting components, used by a group or department to share related software and hardware resources.

Malicious Code 61. Malicious code includes all and any programs (including macros and scripts) which are deliberately coded in order to cause an unexpected (and usually unwanted) event on a user’s PC.

Network 62. A set of related, remotely connected devices and communications facilities, including more than one computer system, with the capability to transmit data among them through the communications facilities.

Network Administrator 63. The person at a computer network installation who designs, controls, and manages the use of the computer network.


Node 64. In a network, a point at which one or more functional units connect channels or data circuits.

Non Disclosure Agreement – NDA 65. A Non Disclosure Agreement (NDA) is a legally binding document which protects the confidentiality of ideas, designs, plans, concepts or other material. Most often, NDAs are signed by vendors, contractors, consultants and other non-employees who may come into contact with such material.

Non-repudiation 66. Provides proof of the origin or delivery of data in order to protect the sender against a false denial by the recipient that the data has been received, or to protect the recipient against a false denial by the sender that the data has been sent. Note: Only a trier of fact (someone with the authority to resolve disputes) can make an ultimate determination of non-repudiation. By way of illustration, a digital signature verified pursuant to this Certification Practice Statement can provide proof in support of a determination of non-repudiation by a trier of fact, but does not by itself constitute non-repudiation.

Operating System 67. Computer programs that are primarily or entirely concerned with controlling the computer and its associated hardware, rather than with processing work for users. Computers can operate without application software, but cannot run without an operating system.

Operating System Hardening 68. Hardening of operating systems is the first step towards safeguarding systems from intrusion. Workstations and servers typically arrive from the vendor installed with a multitude of development tools and utilities which, although beneficial to the new user, also provide potential back-door access to an organisation’s systems. Hardening of an operating system involves the removal of all non-essential tools, utilities and other systems administration options, any of which could be used to ease a hacker’s path to your systems. Following this, the hardening process will ensure that all appropriate security features are activated and configured correctly. Again, ‘out of the box’ systems will likely be set up for ease of access, with access to the ‘root’ / Administrator account.

Out-Sourcing 69. Having some or all of an organisation’s computer processing performed by a separate specialist organisation, such as a computer payroll bureau. This approach can generate savings in resource, but rarely operates in real time and carries a high risk of breach of confidentiality.

On-line 70. Communications that provide a real-time connection.

Password 71. Confidential authentication information, usually composed of a string of characters, used to provide access to a computer resource.

Patch 72. Similar to a ‘Fix’, a Patch is a temporary arrangement used to overcome software problems or glitches. A patch will normally be released as a ‘quick fix’ prior to the next formal release of the software. Patches are usually (but not always) available on-line from the vendor’s Web site.

Penetration 73. Intrusion, trespassing, or unauthorised entry into a system is called penetration. Merely contacting a system or using a keyboard to enter a password is not penetration, but gaining access to the contents of the data files by these or other means does constitute Penetration. Penetration Testing is the execution of a testing plan, the sole purpose of which is to attempt to hack into a system using known tools and techniques.


Proxy Server 74. A server that sits between a client application, such as a web browser, and a real server. It intercepts all requests to the real server to see if it can fulfil the request by itself. If not, it forwards the request to the real server.

Privileged User 75. A User who, by virtue of function and/or seniority, has been allocated powers within the computer system which are significantly greater than those available to the majority of users.

Risk 76. The potential of damage to a system or associated assets that exists as a result of the combination of security threat and vulnerability.

Risk Analysis 77. The process of identifying security risks, determining their magnitude, and identifying areas needing safeguards.

Risk Assessment 78. An analysis of system assets and vulnerabilities to establish an expected loss from certain events, based on estimated probabilities of the occurrence of those events.

Risk Management 79. The total process of identifying, controlling, and eliminating or minimizing uncertain events that may affect IT system resources.

Secure System 80. Means computer hardware, software, and procedure that:-

(a) Are reasonably secure from unauthorised access and misuse. (b) Provide a reasonable level of reliability and correct operation. (c) Are reasonably suited to performing the intended functions. (d) Adhere to generally accepted security procedures.

Security Procedure 81. Means the security procedure prescribed under section 16 of the IT Act, 2000.

Security 82. The quality or state of being protected from unauthorised access or uncontrolled losses or effects. Absolute security is impossible to achieve in practice, and the quality of a given security system is relative. Within a state-model security system, security is a specific ‘state’ to be preserved under various operations.

Security Policy 83. A document which articulates requirements and good practices regarding the protections maintained by a trustworthy system.

Security Services 84. Services provided by a set of security frameworks and performed by means of certain security mechanisms. Such services include, but are not limited to, access control, data confidentiality, and data integrity.

Server 85. A computer system that responds to requests from client systems.

Service Level Agreement – SLA 86. A Service Level Agreement (SLA) is a contract between your organisation and the vendor of your system(s) to provide a range of support services, up to an agreed minimum standard. SLAs will usually specify precisely what the support procedures are to be and the way in which a support call will be escalated through the vendor’s support organisation to achieve resolution.

Shoulder Surfing 87. Looking over a user’s shoulder as they enter a password is termed Shoulder Surfing. This is one of the easiest ways of obtaining a password to breach system security. The practice is not restricted to office computers; it is used wherever passwords, PINs, or other ID codes are used.


Sign 88. To create a digital signature for a message, or to affix a signature to a document, depending upon the context.

Smart Card 89. A hardware token that incorporates one or more Integrated Circuit chips to implement cryptographic functions and that possesses some inherent resistance to tampering.

System Administrator 90. The person at a computer installation who designs, controls, and manages the use of the computer system.

System Security 91. A system function that restricts the use of objects to certain users.

System Software 92. Application-independent software that supports the running of application software. It is software that is part of, or made available with, a computer system and that determines how application programs are run; for example, an operating system.

Threat 93. A circumstance or event with the potential to cause harm to a system, including the destruction, unauthorised disclosure, or modification of data and/or denial of service.

Trustworthy System 94. Computer hardware, software, and procedures that are reasonably secure from intrusion and misuse; provide a reasonable level of availability, reliability, and correct operation; are reasonably suited to performing their intended functions; and enforce the applicable security policy. A trustworthy system is not necessarily a ‘trusted system’ as recognized in classified government nomenclature.

Uniform Resource Locator 95. A standardized device for identifying and locating certain records and other resources located on the World Wide Web.

User 96. An authorised entity that uses a certificate as applicant, subscriber, recipient or relying party, but not including the CA issuing the Digital Signature Certificate.

Virtual Private Network – VPN 97. A Virtual Private Network, or VPN, is a network which emulates a private network, although it runs over public network lines and infrastructure. Using specialist hardware and software, a VPN may be established running over the Internet/Intranet. The use of encryption and a ‘tunnelling protocol’ maintains privacy.

Virus 98. Means any computer instruction, information, data or program that destroys, damages, degrades or adversely affects the performance of a computer resource, or attaches itself to another computer resource and operates when a program, data or instruction is executed or some other event takes place in that computer resource.

Vulnerability 99. A weakness that could be exploited to cause damage to the system or the assets it contains.

Web browser 100. A software application used to locate and display web pages.

World Wide Web 101. A hypertext-based, distributed information system in which users may create, edit, or browse hypertext documents. A collection of linked documents that reside on the Internet.


APPENDIX ‘B’

DOs & DONTs

DOs

(a) Adopt information Security measures as part of daily life. Information Security is not a static entity; it has to be continuously monitored and updated to meet the threat environment.

(b) Understand the importance of your information. The more critical the information, the greater the chances that it will be targeted.

(c) Understand and comply with the current information Security Policy. Always be current with the promulgated instructions and guidelines.

(d) Suggest Security improvements. Feedback is essential to meet new threats.

(e) Report unauthorised changes to your data. Be alert to any incidents and report them to enable tracing and proper investigation.

(f) Report loss of information. Damage control is essential to information security, hence any incident of this nature must be immediately reported.

(g) Report questionable files/databases. Your system should have only the authorized files.

(h) Use strong Passwords and protect the security of Passwords. Passwords should be alphanumeric and at least 6 characters long. Pass phrases should preferably be used. For example, the password formed by the first letter of each word in the sentence “DGQA means Quality 4 Defence Forces” will be DmQ4DF. A minimum of two levels of passwords should be used – one each at BIOS and Operating System level.

(i) Change your Passwords frequently.

(k) Beware of shoulder surfers. People glancing over your shoulder can easily guess your login Password.

(l) Log off on completion of using your terminal or workstation.

(m) Encrypt sensitive files using encryption software.

(n) Erase all unwanted files.

(o) Label all removable media and store those with sensitive information as per security instructions.

(p) Take backups of important files regularly and frequently.

(q) Store backups in a safe and secure place.


(r) Protect against malware. Use a reputed AntiVirus program, and regularly update the virus-signature database.

(s) Ensure handling, care and custody of printed documents as per classification.

(t) Suspect any person who asks you to type a command. The “let’s see” person can be assumed to be trying out means to circumvent the system access control. Avoid them and report them.

(u) Keep unauthorised people away from your computer/peripherals and removable storage media.

DONTs

(v) Do not share Login IDs and Passwords. Sharing of login IDs and Passwords is akin to giving away the keys of cupboards and safes.

(w) Do not use simple, obvious, predictable passwords like the name of spouse/children, registration number of car/scooter, etc.

(x) Do not write down your Passwords.

(y) Do not leave your terminal/node unattended without logging off. Do not enable the Windows Guest Account.

(z) Do not use removable media such as Pen Drives, CDs etc. from unauthorized sources.
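DO (h) and DON'T (w) as a small password check, added here as an example and not part of the policy document: it derives a password from a pass phrase the way (h) describes and flags candidates that are too short, not alphanumeric, look like a vehicle registration number, or contain a value an attacker could guess about the user. The vehicle-number pattern and the personal-value list are assumptions made for illustration.

```python
"""Password checks following DGQA DOs/DONTs (h) and (w).
Added example, not part of the policy document; the vehicle-number pattern
and the personal-value list are assumptions for illustration."""
import re

MIN_LENGTH = 6  # rule (h): at least 6 characters

# Assumed shape of an Indian vehicle registration, e.g. DL01AB1234, for rule (w)
VEHICLE_RE = re.compile(r"^[A-Z]{2}\d{1,2}[A-Z]{0,3}\d{1,4}$", re.IGNORECASE)


def passphrase_to_password(phrase: str) -> str:
    """Rule (h): take the first character of each word of the pass phrase.
    'DGQA means Quality 4 Defence Forces' -> 'DmQ4DF', as in the document."""
    return "".join(word[0] for word in phrase.split() if word)


def check_password(password: str, personal_words=()) -> list:
    """Return the list of policy rules the candidate password violates.

    personal_words holds values that are easy to guess about the user
    (spouse's or children's names, vehicle numbers), as listed in rule (w).
    An empty list means the candidate passes both rules."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("h: shorter than %d characters" % MIN_LENGTH)
    # 'alphanumeric' is read here as: contains both letters and digits
    if not (re.search(r"[A-Za-z]", password) and re.search(r"\d", password)):
        problems.append("h: must mix letters and digits")
    # Drop separators so 'DL-01-AB-1234' is still recognised as a vehicle number
    compact = re.sub(r"[\s-]", "", password)
    if VEHICLE_RE.match(compact):
        problems.append("w: looks like a vehicle registration number")
    lowered = password.lower()
    for word in personal_words:
        w = word.lower()
        if len(w) >= 3 and w in lowered:
            problems.append("w: contains personal value '%s'" % word)
    return problems


if __name__ == "__main__":
    # Constructed sample inputs: the document's own pass phrase and a few
    # candidates that break one rule each
    print(passphrase_to_password("DGQA means Quality 4 Defence Forces"))
    for candidate in ["DmQ4DF", "ab1", "DL01AB1234", "Priya2014"]:
        print(candidate, check_password(candidate, personal_words=["Priya"]))
```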


INDEX

A
Access ……………………………… 31
Antivirus Programme ………………… 31
Application Access Control ………… 28
Audit Logs ……………………………… 31
Authentication ………………………… 31

B
Back-Up ………………………………… 32

C
Compromise …………………………… 32
Computer Network …………………… 32

D
Database Security …………………… 22

E
Embedded Software …………………… 30
Equipment Security …………………… 14

F
Firewall ………………………………… 34

G
Gateway ………………………………… 35

H
Hosting of FTP and E-mail Servers … 21

I
IDS/IPS ………………………………… 20
Internet ………………………………… 23
IP Version 6 …………………………… 21

L
Laptops ………………………………… 24

M
Monitoring ……………………………… 18

N
Network Cabling ……………………… 14

O
Online Trading ………………………… 24
Operating System ……………………… 36

P
Password ………………………………… 36
Patch …………………………………… 36
Power Supply …………………………… 14
Physical Security Perimeter ………… 14
Protection of System Test Data ……… 29

S
Secure Transfer of Information ……… 12
Social Networking ……………………… 23
Security in Development and Support Processes ……… 30
Security of System Files ……………… 29

U
Use of Unlicensed Software …………… 28
User Access Control …………………… 26
User Password Management …………… 26

W
Wired Connectivity to the Internet … 23
Wireless Connectivity for Internet … 23