
INFORMATION TECHNOLOGY

rules · 2000 · State unknown

Parent: THE INFORMATION TECHNOLOGY ACT, 2000 (7ddd5401b153a812d4edd5d8ac2a6a13a204d4d1)

Text

INFORMATION TECHNOLOGY (CERTIFYING AUTHORITIES) RULES, 2000

Effective from 17th October, 2000

Reproduced by Office of Controller of Certifying Authorities, Department of Information Technology, Ministry of Communications and Information Technology, Government of India, Electronics Niketan, 6 CGO Complex, New Delhi-110 003

Note: Every care has been taken to avoid errors or omissions in printing of this booklet. The Office of Controller of Certifying Authorities will not be held responsible for discrepancies, if any. For authoritative information please refer to the Gazette Notification.

[Part II Sec. 3(i)] THE GAZETTE OF INDIA EXTRAORDINARY, REGD. No. DL-33004/99, PART II, Section 3, Sub-section (i), PUBLISHED BY AUTHORITY, No. 553], NEW DELHI, TUESDAY, OCTOBER 17, 2000/ASVINA 25, 1922

MINISTRY OF INFORMATION TECHNOLOGY

NOTIFICATION

New Delhi, the 17th October, 2000

G.S.R. 788(E). In exercise of the powers conferred by sub-section (3) of section of the Information Technology Act, 2000 (21 of 2000), the Central Government hereby appoints the 17th day of October, 2000 as the date on which the provisions of the said Act come into force.

[No. 1(20)/97-IID(NII)/F 6()]
P. M. SINGH, Jt. Secy.

NOTIFICATION

New Delhi, the 17th October, 2000

G.S.R. 789(E). In exercise of the powers conferred by section 87 of the Information Technology Act, 2000 (21 of 2000), the Central Government hereby makes the following rules regulating the application and other guidelines for Certifying Authorities, namely:-

1. Short title and commencement. (1) These Rules may be called the Information Technology (Certifying Authorities) Rules, 2000. (2) They shall come into force on the date of their publication in the Official Gazette.

2. Definitions. In these Rules, unless the contex

Rule TOC

11 · Fee
6 · Sex (For Individual Applicant only): Female
7 · Date of Birth (dd/mm/yyyy)
8 · Nationality
15 · ISP Details: ISP Name
17 · Capital in the business or profession Rs. (Attach documentary proof)
22 · Turnover in the last financial year Rs.
33 · Whether undertaking for Bank Guarantee/Performance Bond attached Y / N (Not applicable if the applicant is a Government Ministry/Department/Agency/Authority)
34 · Whether Certification Practice Statement is enclosed Y / N
35 · Whether certified copies of business registration document are enclosed Y / N (For Company/Firm/Body of Individuals/Association of Persons/Local Authority). If yes, the documents attached: i) ii) iii) iv)
36 · Any other information
5.2 · Sensitive Information Control
5.3 · Sensitive Information Security
5.4 · Third Party Access
5.5 · Prevention of Computer Misuse
6 · System Integrity and Security Measures
6.1 · Use of Security Systems or Facilities
6.2 · System Access Control
6.3 · Password Management
6.4 · Privileged User's Management
6.5 · User's Account Management
19 · Connectivity
21 · Change Management
21.1 · Change Control
21.2 · Testing of Changes to Production System
21.3 · Review of Changes
22 · Problem Management and Reporting
23 · Emergency Preparedness
24 · Contingency Recovery Equipment and Services
25 · Security Incident Reporting and Response
21.3 · Review of Changes: Procedures shall be established for an independent review of programme changes before they are moved into a production environment, to detect unauthorised or malicious code.
10 · Records Archival
(1) Digital Signature Certificates stored and generated by the Certifying Authority must be retained for at least seven years after the date of their expiration. This requirement does not include the backup of private signature keys.
(2) Audit information as detailed in para 9, subscriber agreements, and verification, identification and authentication information in respect of subscribers shall be retained for at least seven years.
(3) A second copy of all information retained or backed up must be stored at three locations within the country, including the Certifying Authority site, and must be protected either by physical security alone or by a combination of physical and cryptographic protection. These secondary sites must provide adequate protection from environmental threats such as temperature, humidity and magnetism. The secondary site should be reachable within a few hours.
(4) All information pertaining to the Certifying Authority's operation, Subscriber's application, verification, identification, authentication and Subscriber agreement shall be stored within the country. This information shall be taken out of the country only with the permission of the Controller and where a properly constituted warrant or such other legally enforceable document is produced.
(5) The Certifying Authority should verify the integrity of the backups at least once every six months.
(6) Information stored off-site must be periodically verified for data integrity.
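Paragraphs (5) and (6) above require the Certifying Authority to verify the integrity of its backups and off-site copies periodically, but the Rules do not prescribe a mechanism. The following is an added illustration, not part of the Rules and not any Certifying Authority's own software, of one way to carry out such a check: a SHA-256 manifest of every archived record is built at the primary site and authenticated with an HMAC under a key held apart from the archive, so that a second copy can be compared against it and modified, missing or unexpected files reported, while a manifest altered to match damaged records is rejected. The key, file names and file contents used here are constructed for the example.

```python
import hashlib
import hmac
import json
import os
import tempfile


def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large archives are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(archive_dir, mac_key):
    """Record the SHA-256 of every file under archive_dir and authenticate the
    whole manifest with an HMAC, so a manifest edited alongside tampered
    records is detectable. The MAC key must live outside the archive."""
    entries = {}
    for root, _, files in os.walk(archive_dir):
        for name in sorted(files):
            path = os.path.join(root, name)
            entries[os.path.relpath(path, archive_dir)] = sha256_file(path)
    body = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries, "hmac": hmac.new(mac_key, body, hashlib.sha256).hexdigest()}


def verify_copy(copy_dir, manifest, mac_key):
    """Check a secondary copy against the manifest. Returns {} when clean,
    otherwise filename -> 'modified' | 'missing' | 'unexpected'. If the
    manifest's own HMAC fails, nothing in it is trusted and only
    {'manifest': 'bad-hmac'} is returned."""
    body = json.dumps(manifest["entries"], sort_keys=True).encode()
    expected = hmac.new(mac_key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac"]):
        return {"manifest": "bad-hmac"}
    problems, seen = {}, set()
    for root, _, files in os.walk(copy_dir):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, copy_dir)
            seen.add(rel)
            if rel not in manifest["entries"]:
                problems[rel] = "unexpected"
            elif sha256_file(path) != manifest["entries"][rel]:
                problems[rel] = "modified"
    for rel in manifest["entries"]:
        if rel not in seen:
            problems[rel] = "missing"
    return problems


def demo():
    """Constructed sample: three archived records copied to a secondary site,
    then one record corrupted and one deleted at the copy, then a forged
    manifest that matches the corruption. Returns the three verification results."""
    key = b"example-manifest-mac-key"  # assumption: held with the CA's key material, not in the archive
    records = [("cert-0001.pem", b"-----BEGIN CERTIFICATE-----\nAAAA\n"),
               ("cert-0002.pem", b"-----BEGIN CERTIFICATE-----\nBBBB\n"),
               ("crl-2000-10.der", b"\x30\x82\x00\x10")]
    with tempfile.TemporaryDirectory() as primary, tempfile.TemporaryDirectory() as secondary:
        for name, body in records:
            for d in (primary, secondary):
                with open(os.path.join(d, name), "wb") as f:
                    f.write(body)
        manifest = build_manifest(primary, key)
        clean = verify_copy(secondary, manifest, key)
        # simulate bit-rot and loss at the secondary site
        with open(os.path.join(secondary, "cert-0001.pem"), "ab") as f:
            f.write(b"X")
        os.remove(os.path.join(secondary, "crl-2000-10.der"))
        damaged = verify_copy(secondary, manifest, key)
        # an attacker who rewrites the manifest to match the damaged file
        # cannot recompute the HMAC without the key, so the manifest is rejected
        forged = {"entries": dict(manifest["entries"]), "hmac": manifest["hmac"]}
        forged["entries"]["cert-0001.pem"] = sha256_file(os.path.join(secondary, "cert-0001.pem"))
        rejected = verify_copy(secondary, forged, key)
        return clean, damaged, rejected


if __name__ == "__main__":
    print(demo())
```

Run at each secondary site against a manifest fetched from the primary site; a non-empty result is what the six-monthly check in paragraph (5) is meant to surface, and a `bad-hmac` result means the manifest itself, not just the copy, must be treated as untrusted.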
11 · Compromise and Disaster Recovery
11.1 Computing Resources, Software and/or Data are Corrupted: The Certifying Authority must establish business continuity procedures that outline the steps to be taken in the event of the corruption or loss of computing and networking resources, nominated website, repository, software and/or data. Where a repository is not under the control of the Certifying Authority, the Certifying Authority must ensure that any agreement with the repository provides for business continuity procedures.
11.2 Secure facility after a natural or other type of disaster: The Certifying Authority must establish a disaster recovery plan outlining the steps to be taken to re-establish a secure facility in the event of a natural or other type of disaster. Where a repository is not under the control of the Certifying Authority,
13 · Identification and Authentication for Each Role
All Certifying Authority personnel must have their identity and authorization verified before they are: (i) included in the access list for the Certifying Authority's site; (ii) included in the access list for physical access to the Certifying Authority's system; (iii) given a certificate for the performance of their Certifying Authority role; (iv) given an account on the PKI system.
Each of these certificates and accounts (with the exception of the Certifying Authority's signing certificates) must: (i) be directly attributable to an individual; (ii) not be shared; (iii) be restricted to actions authorized for that role; and (iv) procedural controls.
The Certifying Authority's operations must be secured using techniques of authentication and encryption when accessed across a shared network.
14 · Personnel Security Controls
The Certifying Authority must ensure that all personnel performing duties with respect to its operation must: (i) be appointed in writing; (ii) be bound by contract or statute to the terms and conditions of the position they are to fill; (iii) have received comprehensive training with respect to the duties they are to perform; (iv) be bound by statute or contract not to disclose sensitive Certifying Authority security related information or subscriber information; (v) not be assigned duties that may cause a conflict of interest with their Certifying Authority duties; and (vi) be aware and trained in the relevant aspects of the Information Technology Security Policy and Security Guidelines framed for carrying out Certifying
18.2 · Distribution of Keys: Keys shall be transferred from the key generation system to the storage device (if the keys are not stored on the key generation system) using a secure mechanism that ensures confidentiality and integrity.
18.3 · Storage
13 · Passport Details: Passport No.
16 · ISP Details