
INFORMATION TECHNOLOGY (CERTIFYING AUTHORITIES) RULES, 2000

Parent: THE INFORMATION TECHNOLOGY ACT, 2000 (7ddd5401b153a812d4edd5d8ac2a6a13a204d4d1)

Text

INFORMATION TECHNOLOGY (CERTIFYING AUTHORITIES) RULES, 2000

Effective from 17th October, 2000

Reproduced by : Office of Controller of Certifying Authorities, Department of Information Technology, Ministry of Communications and Information Technology, Government of India, Electronics Niketan, 6 CGO Complex, New Delhi-110 003

Note : Every care has been taken to avoid errors or omissions in printing of this booklet. The Office of Controller of Certifying Authorities will not be held responsible for discrepancies, if any. For authoritative information please refer to the Gazette Notification.

सत्यमेव जयते

The Gazette of India
EXTRAORDINARY
PART II—Section 3—Sub-section (i)
PUBLISHED BY AUTHORITY
No. 553 ] NEW DELHI, TUESDAY, OCTOBER 17, 2000/ASVINA 25, 1922

MINISTRY OF INFORMATION TECHNOLOGY

NOTIFICATION

New Delhi, the 17th October, 2000

G.S.R. 788(E).— In exercise of the powers conferred by sub-section (3) of section 1 of the Information Technology Act, 2000 (21 of 2000), the Central Government hereby appoints 17th day of October, 2000 as the date on which the provisions of the said Act comes into force.

[No. 1(20)/97-IID(NII)/F 6(i)]
P.M. SINGH, Jt. Secy.

NOTIFICATION

REGD. No. D.L.-33004/99

New Delhi, the 17th October, 2000

G.S.R.789(E) — In exercise of the powers conferred by section 87 of the Information Technology Act, 2000 (21 of 2000), the Central Government hereby makes the following rules regulating the application and other guidelines for Certifying Authorities, namely:-

1. Short title and commencement.— These Rules may be called Information Technology (Certifying Authorities) Rules, 2000. They shall come into force on the date of their publication in the Official Gazette.

2. Definitions.— In these Rules, unless the context otherwise requires,–

(a) "Act" means the Info

Rule TOC

1 · Short title and commencement.—
2 · Definitions.—
3 · The manner in which information be authenticated by means of Digital Signature.—
4 · Creation of Digital Signature.—
5 · Verification of Digital Signature.—
6 · Standards.—
7 · Digital Signature Certificate Standard.—
8 · Licensing of Certifying Authorities.—
9 · Location of the Facilities.—
10 · Submission of Application.—
11 · Fee.—
12 · Cross Certification—
13 · Validity of licence.—
14 · Suspension of Licence.—
15 · Renewal of licence.—
16 · Issuance of Licence.—
17 · Refusal of Licence.—
18 · Governing Laws.—
19 · Security Guidelines for Certifying Authorities.—
20 · Commencement of Operation by Licensed Certifying Authorities.—
21 · Requirements Prior to Cessation as Certifying Authority.—
22 · Database of Certifying Authorities.—
23 · Digital Signature Certificate.—
24 · Generation of Digital Signature Certificate.—
25 · Issue of Digital Signature Certificate.—
26 · Certificate Lifetime.—
27 · Archival of Digital Signature Certificate.—
28 · Compromise of Digital Signature Certificate.—
29 · Revocation of Digital Signature Certificate.—
30 · Fees for issue of Digital Signature Certificate.—
31 · Audit.—
32 · Auditor's relationship with Certifying Authority.—
33 · Confidential Information.—
34 · Access to Confidential Information.—
1 · Introduction
2 · Implementation of an Information Security Programme
3 · Information Classification
4.1 · Site Design
4.2 · Fire Protection
4.3 · Environmental Protection
4.4 · Physical Access
5 · Information Management
5.1 · System Administration
5.2 · Sensitive Information Control
5.3 · Sensitive Information Security
5.4 · Third Party Access
5.5 · Prevention of Computer Misuse
6 · System integrity and security measures
6.1 · Use of Security Systems or Facilities
6.2 · System Access Control
6.3 · Password Management
6.4 · Privileged User's Management
6.5 · User's Account Management
6.6 · Data and Resource Protection
7 · Sensitive Systems Protection
8 · Data Centre Operations Security
8.1 · Job Scheduling
8.2 · System Operations Procedure
8.3 · Media Management
8.4 · Media Movement
9 · Data Backup and Off-site Retention
10 · Audit Trails and Verification
11 · Measures to Handle Computer Virus
12 · Relocation of Hardware and Software
13 · Hardware and Software Maintenance
14 · Purchase and Licensing of Hardware and Software
15 · System Software
16 · Documentation Security
17 · Network Communication Security
18 · Firewalls
19 · Connectivity
20 · Network Administrator
21 · Change Management
21.1 · Change Control
21.2 · Testing Of Changes To Production System
21.3 · Review Of Changes
22 · Problem Management and Reporting
23 · Emergency Preparedness
24 · Contingency Recovery Equipment and Services
25 · Security Incident Reporting and Response
26 · Disaster Recovery/Management
1 · Introduction
2 · Security Management
3 · Physical controls – site location, construction and physical access
4 · Media Storage
5 · Waste Disposal
6 · Off-site Backup
7 · Change and Configuration Management
8 · Network and Communications Security
9 · System Security Audit Procedures
9.1 · Types of event recorded
9.2 · Frequency of Audit Log Monitoring
9.3 · Retention Period for Audit Log
9.4 · Protection of Audit Log
9.5 · Audit Log Backup Procedures
9.6 · Vulnerability Assessments
10 · Records Archival
11 · Compromise and Disaster Recovery
11.1 · Computing Resources, Software and/or Data are Corrupted
11.2 · Secure facility after a natural or other type of disaster
11.3 · Incident Management Plan
12 · Number of Persons Required Per Task
13 · Identification and Authentication for Each Role
14 · Personnel Security Controls
15 · Training Requirements
16 · Retraining Frequency and Requirements
17 · Documentation Supplied to Personnel
18 · Key Management
18.1 · Generation
18.2 · Distribution of Keys
18.3 · Storage
18.4 · Usage
18.5 · Certifying Authority's Public Key Delivery to Users
19 · Private Key Protection and Backup
20 · Method of Destroying Private Key
21 · Usage Periods for the Public and Private Keys
21.1 · Key Change
21.2 · Destruction
21.3 · Key Compromise
22 · Confidentiality of Subscriber's Information
1 · Short title and commencement.—
2 · Definitions.—
3 · Procedure for filing applications.—
4 · Presentation and scrutiny of applications.—
5 · Place of filing application.—
6 · Application fee.—
7 · Contents of application.—
8 · Paper book, etc. to accompany the application.—
9 · Plural remedies.—
10 · Service of notice of application on the respondents.—
11 · Filing of reply and other documents by the respondent.—
12 · Date and place of hearing to be notified.—
13 · Sittings of the Tribunal.—
14 · Decision on applications.—
15 · Action on application for applicant's default.—
16 · Hearing on application ex-parte.—
17 · Adjournment of application.—
18 · Order to be signed and dated—
19 · Publication of orders.—
20 · Communication of orders to parties.—
21 · No fee for inspection of records.—
22 · Orders and directions in certain cases.—
23 · Registration of legal practitioners clerks:—
24 · Working hours of the Tribunal—
25 · Sitting hours of the Tribunal.—
26 · Powers and functions of the Registrar:—
27 · Additional powers and duties of Registrar:—