Security Guidelines for Certifying Authorities


 Under Information Technology (Certifying Authorities) Rules, 2000

SCHEDULE-III

[See rule 19(2)]

Index

1. Introduction
2. Security Management
3. Physical controls – site location, construction and physical access
4. Media Storage
5. Waste Disposal
6. Off-site Backup
7. Change and Configuration Management
8. Network and Communications Security
9. System Security Audit Procedures
9.1 Types of event recorded
9.2 Frequency of Audit Log Monitoring
9.3 Retention Period for Audit Log
9.4 Protection of Audit Log
9.5 Audit Log Backup Procedures
9.6 Vulnerability Assessments
10. Records Archival
11. Compromise and Disaster Recovery
11.1 Computing Resources, Software and/or Data are Corrupted
11.2 Secure facility after a natural or other type of disaster
11.3 Incident Management Plan
12. Number of Persons required per task
13. Identification and Authentication for each role
14. Personnel Security Controls
15. Training Requirements
16. Retraining Frequency and Requirements
17. Documentation supplied to Personnel
18. Key Management
18.1 Generation
18.2 Distribution of keys
18.3 Storage
18.4 Usage
18.5 Certifying Authority’s Public Key Delivery to Users
19. Private Key Protection and Backup
20. Method of Destroying Private Key
21. Usage Periods for the Public and Private Keys
21.1 Key Change
21.2 Destruction
21.3 Key Compromise
22. Confidentiality of Subscriber’s Information

Security Guidelines for Certifying Authorities

1. Introduction

This document prescribes security guidelines for the management and operation of Certifying Authorities (CAs) and is aimed at protecting the integrity, confidentiality and availability of their services, data and systems. These guidelines apply to Certifying Authorities that perform all the functions associated with the generation, issue and management of Digital Signature Certificates, such as:
(1) Verification of registration, suspension and revocation request;
(2) Generation, issuance, suspension and revocation of Digital Signature Certificates; and
(3) Publication and archival of Digital Signature Certificates and of suspension and revocation information.

2. Security Management

The Certifying Authority shall define Information Technology security policies for its operation on the lines defined in Schedule-II and Schedule-III. The policy shall be communicated to all personnel and widely published throughout the organisation to ensure that the personnel follow the policies.

3. Physical controls – site location, construction and physical access
(1) The site location, design, construction and physical security of the operational site of Certifying Authority shall be in accordance with para 4 of the Information Technology Security Guidelines given at Schedule-II.
(2) Physical access to the operational site housing computer servers, PKI server, communications and network devices shall be controlled and restricted to the authorized individuals only in accordance with para 4.4 of the Information Technology Security Guidelines given at Schedule-II.

(3) A Certifying Authority must:
(i) ensure that the operational site housing PKI servers, communications and networks is protected with fire suppression system in accordance with para 4.2 of the Information Technology Security Guidelines given at Schedule-II.
(ii) ensure that power and air-conditioning facilities are installed in accordance with para 4.1 of the Information Technology Security Guidelines given at Schedule-II.
(iii) ensure that all removable media and papers containing sensitive or plain text information are listed, documented and stored in a container properly identified.
(iv) ensure unescorted access to Certifying Authority’s server is limited to those personnel identified on an access list.
(v) ensure that the exact location of Digital Signature Certification System shall not be publicly identified.
(vi) ensure that access security system is installed to control and audit access to the Digital Signature Certification System.
(vii) ensure that dual control over the inventory and access cards/keys are in place.
(viii) ensure that up-to-date list of personnel who possess the access cards/keys is maintained at the Certifying Authority’s operational site. Loss of access cards/keys shall be reported immediately to the Security Administrator; who shall take appropriate actions to prevent unauthorised access.
(ix) ensure personnel not on the access list are properly escorted and supervised.
(x) ensure a site access log is maintained at the Certifying Authority’s operational site and inspected periodically.
(4) Multi-tiered access mechanism must be installed at the Certifying Authority’s operational site. The facility should have clearly laid out security zones within its facility with well-defined access rights to each security zone. Each security zone must be separated from the other by floor to ceiling concrete reinforced walls. Alarm and intrusion detection system must be installed at every stage with adequate power backup capable of continuing operation even in the event of loss of main power. Electrical/Electronic circuits to external security alarm monitoring service (if used) must be supervised. No single person must have complete access to PKI Server, root keys or any computer system or network device on his/her own.
(5) Entrance to the main building where the Certifying Authority’s facilities such as Data Centre, PKI Server and Network devices are housed and entrance to each security zone must be video recorded round the clock. The recording should be carefully scrutinized and maintained for at least one year.
(6) A Certifying Authority site must be manually or electronically monitored for unauthorised intrusion at all times in accordance with the Information Technology Security Guidelines given at Schedule-II.
(7) Computer System/PKI Server performing Digital Signature Certification function shall be located in a dedicated room or partition to facilitate enforcement of physical access control. The entry and exit of the said room or partition shall be automatically locked with time stamps and shall be reviewed daily by the Security Administrator.
(8) Access to infrastructure components essential to operation of Certifying Authority such as power control panels, communication infrastructure, Digital Signature Certification system, cabling, etc. shall be restricted to authorised personnel.
(9) By-pass or deactivation of normal physical security arrangements shall be authorised and documented by security personnel.
(10) Intrusion detection systems shall be used to monitor and record physical access to the Digital Signature Certification system during and after office hours.
(11) Computer System or PKI Server performing the Digital Signature Certification functions shall be dedicated to those functions and should not be used for any other purposes.
(12) System software shall be verified for integrity in accordance with para 15 of the Information Technology Security Guidelines given at Schedule-II.

4. Media Storage
A Certifying Authority must ensure that storage media used by its system are protected from environmental threats such as temperature, humidity and magnetism, and are transported and managed in accordance with para 8.3 and para 8.4 of the Information Technology Security Guidelines given at Schedule-II.

5. Waste Disposal
All media used for storage of information pertaining to all functions associated with generation, production, issue and management of Digital Signature Certificate shall be scrutinized before being destroyed or released for disposal.

6. Off-site Backup
A Certifying Authority must ensure that facility used for off-site backup, if any, shall be within the country and shall have the same level of security as the primary Certifying Authority site.

7. Change and Configuration Management
(1) The components of the Certifying Authority infrastructure (e.g. cryptographic algorithm and its key parameters, operating system, system software, computer system, PKI server, firewalls, physical security, system security etc.) shall be reviewed every year for new technology risks and appropriate action plan shall be developed to manage the risks identified for each component.
(2) The application software, system software and hardware, which are procured from questionable sources, shall not be installed and used for any function associated with generation and management of Digital Signature Certificate.
(3) Software updates and patches shall be reviewed for security implications before being implemented on Certifying Authority’s system.
(4) Software updates and patches to rectify security vulnerability in critical systems used for Certifying Authority’s operation shall be promptly reviewed and implemented.
(5) Information on the software updates and patches and their implementation on Certifying Authority’s system shall be clearly and properly documented.

8. Network and Communications Security
(1) Certifying Authority’s systems shall be protected to ensure network access control to critical systems and services from other systems in accordance with para 17, para 18, para 19 and para 20 of the Information Technology Security Guidelines given at Schedule-II.
(2) Network connections from the Certifying Authority’s system to external networks shall be restricted to only those connections which are essential to facilitate Certifying Authority’s functional processes and services. Such network connections to the external network shall be properly secured and monitored regularly.
(3) Network connections should be initiated by the systems performing the functions of generation and management of Digital Signature Certificate to connect those systems performing the registration and repository functions but not vice versa. If this is not possible, compensating controls (e.g. use of proxy servers) shall be implemented to protect the systems performing the function of generation and management of Digital Signature Certificate from potential attacks.
(4) Systems performing the Digital Signature Certification function should be isolated to minimise their exposure to attempts to compromise the confidentiality, integrity and availability of the certification function.
(5) Communication between the Certifying Authority systems connected on a network shall be secure to ensure confidentiality and integrity of the information. For example, communications between the Certifying Authority’s systems connected on a network should be encrypted and digitally signed.
(6) Intrusion detection tools should be deployed to monitor critical networks and perimeter networks and alert administrators of network intrusions and penetration attempts in a timely manner.

9. System Security Audit Procedures

9.1 Types of event recorded

(1) The Certifying Authority shall maintain a record of all events relating to the security of its system. The records should be maintained in an audit log file and shall include such events as:
(i) System start-up and shutdown;
(ii) Certifying Authority’s application start-up and shutdown;
(iii) Attempts to create, remove, set passwords or change the system privileges of the PKI Master Officer, PKI Officer, or PKI Administrator;
(iv) Changes to keys of the Certifying Authority or to any of its other details;
(v) Changes to Digital Signature Certificate creation policies, e.g. validity period;
(vi) Login and logoff attempts;
(vii) Unauthorised attempts at network access to the Certifying Authority’s system;
(viii) Unauthorised attempts to access system files;
(ix) Generation of own keys;
(x) Creation and revocation of Digital Signature Certificates;
(xi) Attempts to initialize, remove, enable and disable subscribers, and to update and recover their keys;
(xii) Failed read-and-write operations on the Digital Signature Certificate and Certificate Revocation List (CRL) directory.
(2) Monitoring and Audit Logs
(i) A Certifying Authority should consider the use of automated security management and monitoring tools providing an integrated view of the security situation at any point in time.

Records of the following application transactions shall be maintained:
(a) Registration;
(b) Certification;
(c) Publication;
(d) Suspension; and
(e) Revocation.
(ii) Records and log files shall be reviewed regularly for the following activities:
(a) Misuse;
(b) Errors;
(c) Security violations;
(d) Execution of privileged functions;
(e) Change in access control lists;
(f) Change in system configuration.
(3) All logs, whether maintained through electronic or manual means, should contain the date and time of the event, and the identity of the subscriber/subordinate/entity which caused the event.
(4) A Certifying Authority should also collect and consolidate, either electronically or manually, security information which may not be generated by its system, such as:
(i) Physical access logs;
(ii) System configuration changes and maintenance;
(iii) Personnel changes;
(iv) Discrepancy and compromise reports;
(v) Records of the destruction of media containing key material, activation data, or personal subscriber information.
(5) To facilitate decision-making, all agreements and correspondence relating to services provided by Certifying Authority should be collected and consolidated, either electronically or manually, at a single location.

9.2 Frequency of Audit Log Monitoring
The Certifying Authority must ensure that its audit logs are reviewed by its personnel at least once every two weeks and all significant events are detailed in an audit log summary. Such reviews should involve verifying that the log has not been tampered with, and then briefly inspecting all log entries, with a more thorough investigation of any alerts or irregularities in the logs. Action taken following these reviews must be documented.

9.3 Retention Period for Audit Log
The Certifying Authority must retain its audit logs onsite for at least twelve months and subsequently retain them in the manner described in para 10 of the Information Technology Security Guidelines as given in Schedule-II.

9.4 Protection of Audit Log
The electronic audit log system must include mechanisms to protect the log files from unauthorized viewing, modification, and deletion.
Manual audit information must be protected from unauthorised viewing, modification and destruction.
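Added illustration, not part of the Schedule or of any Certifying Authority's product: one way to give an electronic audit log the tamper check that the para 9.2 review calls for and the protection against modification and deletion that para 9.4 requires. Every record stores the SHA-256 of the record before it, and the fortnightly audit log summary records an HMAC over the chain head under a key that is assumed here to be held by the reviewer rather than on the logging host. The field names, the sample events and the reviewer key are constructed for this example.

```python
"""Hash-chained audit log with a tamper check for the para 9.2 review.

Added illustration, not part of the Schedule or of any CA product.
Every record stores the SHA-256 of the record before it; the fortnightly
audit summary keeps an HMAC over the chain head under a key that is
assumed to be held by the reviewer, away from the logging host.
Field names, sample events and the summary key are constructed.
"""
import hashlib
import hmac
import json

GENESIS = "0" * 64  # value chained into the first record


def _canonical(body: dict) -> bytes:
    # Stable serialisation so the hash does not depend on key order.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def _record_hash(rec: dict) -> str:
    body = {k: v for k, v in rec.items() if k != "hash"}
    return hashlib.sha256(_canonical(body)).hexdigest()


def append_entry(log: list, timestamp: str, actor: str, event: str) -> dict:
    """Append one para 9.1 event, linked to the previous record's hash."""
    rec = {"seq": len(log), "time": timestamp, "actor": actor, "event": event,
           "prev": log[-1]["hash"] if log else GENESIS}
    rec["hash"] = _record_hash(rec)
    log.append(rec)
    return rec


def verify_chain(log: list):
    """Return (ok, index): ok is False at the first altered, missing or reordered record."""
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec.get("seq") != i or rec.get("prev") != prev:
            return False, i
        if not hmac.compare_digest(_record_hash(rec), rec.get("hash", "")):
            return False, i
        prev = rec["hash"]
    return True, len(log)


def seal_summary(log: list, reviewer_key: bytes) -> str:
    """HMAC over the chain head, recorded in the audit log summary."""
    head = log[-1]["hash"] if log else GENESIS
    return hmac.new(reviewer_key, head.encode(), hashlib.sha256).hexdigest()


def build_sample_log() -> list:
    """Constructed events of the kinds listed in para 9.1(1)."""
    log = []
    append_entry(log, "2024-03-01T09:00:00Z", "system", "System start-up")
    append_entry(log, "2024-03-01T09:01:10Z", "pki-admin", "CA application start-up")
    append_entry(log, "2024-03-01T10:15:42Z", "pki-officer", "Certificate issued, serial 1A2B")
    append_entry(log, "2024-03-01T11:02:05Z", "unknown", "Failed login attempt")
    return log


def tamper_in_place():
    """Edit one record without fixing hashes: the chain check fails at it."""
    log = build_sample_log()
    log[2]["event"] = "Certificate issued, serial 1A2C"
    return verify_chain(log)


def rechain_attack(reviewer_key: bytes):
    """Edit a record and recompute every later hash: the chain passes, the seal does not."""
    log = build_sample_log()
    seal_before = seal_summary(log, reviewer_key)
    log[2]["event"] = "Certificate issued, serial 1A2C"
    prev = log[1]["hash"]
    for rec in log[2:]:
        rec["prev"] = prev
        rec["hash"] = _record_hash(rec)
        prev = rec["hash"]
    return verify_chain(log)[0], seal_summary(log, reviewer_key) == seal_before
```

The chain alone only detects edits made by someone who cannot recompute the later hashes; an intruder with write access to the log host can re-chain everything after the altered record, which is why the summary seal must be computed under a key that the logging host never holds. Keeping that seal with each review (para 9.2) and with the backed-up summaries (para 9.5) makes the previous review the anchor against which the next one is checked.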

9.5 Audit Log Backup Procedures
Audit logs and audit summaries must be backed up or copied if in manual form.

9.6 Vulnerability Assessments
Events in the audit process are logged, in part, to monitor system vulnerabilities. The Certifying Authority must ensure that a vulnerability assessment is performed, reviewed and revised, if necessary, following an examination of these monitored events.

10. Records Archival
(1) Digital Signature Certificates stored and generated by the Certifying Authority must be retained for at least seven years after the date of their expiration. This requirement does not include the backup of private signature keys.
(2) Audit information as detailed in para 9, subscriber agreements, verification, identification and authentication information in respect of subscriber shall be retained for at least seven years.
(3) A second copy of all information retained or backed up must be stored at three locations within the country including the Certifying Authority site and must be protected either by physical security alone, or by a combination of physical and cryptographic protection. These secondary sites must provide adequate protection from environmental threats such as temperature, humidity and magnetism. The secondary site should be reachable within a few hours.
(4) All information pertaining to the Certifying Authority’s operation, the Subscriber’s application, verification, identification, authentication and the Subscriber agreement shall be stored within the country. This information shall be taken out of the country only with the permission of the Controller and where a properly constituted warrant or such other legally enforceable document is produced.
(5) The Certifying Authority should verify the integrity of the backups at least once every six months.
(6) Information stored off-site must be periodically verified for data integrity.

11. Compromise and Disaster Recovery
11.1 Computing Resources, Software and/or Data are Corrupted
The Certifying Authority must establish business continuity procedures that outline the steps to be taken in the event of the corruption or loss of computing and networking resources, nominated website, repository, software and/or data. Where a repository is not under the control of the Certifying Authority, the Certifying Authority must ensure that any agreement with the repository provides for business continuity procedures.

11.2 Secure facility after a natural or other type of disaster
The Certifying Authority must establish a disaster recovery plan outlining the steps to be taken to re-establish a secure facility in the event of a natural or other type of disaster. Where a repository is not under the control of the Certifying Authority, the Certifying Authority must ensure that any agreement with the repository provides that a disaster recovery plan be established and documented by the repository.

11.3 Incident Management Plan
An incident management plan shall be developed and approved by the management. The plan shall include the following areas:
(i) Certifying Authority’s certification key compromise;
(ii) Hacking of systems and network;
(iii) Breach of physical security;
(iv) Infrastructure availability;
(v) Fraudulent registration and generation of Digital Signature Certificates; and
(vi) Digital Signature Certificate suspension and revocation information.

An incident response action plan shall be established to ensure the readiness of the Certifying Authority to respond to incidents.

The plan should include the following areas:

(i) Compromise control;
(ii) Notification to user community; (if applicable)
(iii) Revocation of affected Digital Signature Certificates; (if applicable)
(iv) Responsibilities of personnel handling incidents;
(v) Investigation of service disruption;
(vi) Service restoration procedure;
(vii) Monitoring and audit trail analysis; and
(viii) Media and public relations.

12. Number of Persons Required Per Task
The Certifying Authority must ensure that no single individual may gain access to the Digital Signature Certificate server and the computer server maintaining all information associated with the generation, issue and management of Digital Signature Certificates and the private keys of the Certifying Authority. A minimum of two individuals, preferably using a split-knowledge technique such as twin passwords, must perform any operation associated with the generation, issue and management of Digital Signature Certificates and the application of the private key of the Certifying Authority.

13. Identification and Authentication for Each Role
All Certifying Authority personnel must have their identity and authorization verified before they are:
(i) included in the access list for the Certifying Authority’s site;
(ii) included in the access list for physical access to the Certifying Authority’s system;
(iii) given a certificate for the performance of their Certifying Authority role;
(iv) given an account on the PKI system.

Each of these certificates and accounts (with the exception of Certifying Authority’s signing certificates) must:
(i) be directly attributable to an individual;
(ii) not be shared;
(iii) be restricted to actions authorized for that role; and
(iv) be subject to procedural controls.

Certifying Authority’s operations must be secured using techniques of authentication and encryption when accessed across a shared network.

14. Personnel Security Controls
The Certifying Authority must ensure that all personnel performing duties with respect to its operation must:
(i) be appointed in writing;
(ii) be bound by contract or statute to the terms and conditions of the position they are to fill;
(iii) have received comprehensive training with respect to the duties they are to perform;
(iv) be bound by statute or contract not to disclose sensitive Certifying Authority’s security related information or subscriber information;
(v) not be assigned duties that may cause a conflict of interest with their Certifying Authority’s duties; and
(vi) be aware and trained in the relevant aspects of the Information Technology Security Policy and Security Guidelines framed for carrying out Certifying Authority’s operation.

15. Training Requirements
A Certifying Authority shall ensure that all personnel performing duties with respect to its operation receive comprehensive training in:
(i) relevant aspects of the Information Technology Security Policy and Security Guidelines framed by the Certifying Authority;
(ii) all PKI software versions in use on the Certifying Authority’s system;
(iii) all PKI duties they are expected to perform; and
(iv) disaster recovery and business continuity procedures.

16. Retraining Frequency and Requirements
The requirements of para 15 must be kept current to accommodate changes in the Certifying Authority’s system. Refresher training must be conducted as and when required, and the Certifying Authority must review these requirements at least once a year.

17. Documentation Supplied to Personnel
A Certifying Authority must make available to its personnel the Digital Signature Certificate policies it supports, its Certification Practice Statement, its Information Technology Security Policy and any specific statutes, policies or contracts relevant to their position.

18. Key Management

18.1 Generation

(1) The subscriber’s key pair shall be generated by the subscriber or on a key generation system in the presence of the subscriber.
(2) The key generation process shall generate statistically random key values that are resistant to known attacks.

18.2 Distribution of Keys
Keys shall be transferred from the key generation system to the storage device (if the keys are not stored on the key generation system) using a secure mechanism that ensures confidentiality and integrity.

18.3 Storage

(1) Certifying Authority’s keys shall be stored in tamper-resistant devices and can only be activated under split-control by parties who are not involved in the set-up and maintenance of the systems and operations of the Certifying Authority. The key of the Certifying Authority may be stored in a tamper-resistant cryptographic module or split into sub-keys stored in tamper-resistant devices under the custody of the key custodians.
(2) Each of the Certifying Authority’s key custodians shall ensure that the key component or activation code entrusted to him is always under his sole custody. Any change of key custodians shall be approved by the Certifying Authority’s management and documented.

18.4 Usage

(1) A system and software integrity check shall be performed prior to Certifying Authority’s key loading.
(2) Custody of and access to the Certifying Authority’s keys shall be under split control. In particular, Certifying Authority’s key loading shall be performed under split control.

18.5 Certifying Authority’s Public Key Delivery to Users
The Certifying Authority’s public verification key must be delivered to the prospective Digital Signature Certificate holder in an on-line transaction in accordance with PKIX-3 Certificate Management Protocol, or via an equally secure manner.

19. Private Key Protection and Backup
(1) The Certifying Authority must protect its private keys from disclosure.
(2) The Certifying Authority must back-up its private keys. Backed-up keys must be stored in encrypted form and protected at a level no lower than those followed for storing the primary version of the key.
(3) The Certifying Authority’s private key backups should be stored in a secure storage facility, away from where the original key is stored.

20. Method of Destroying Private Key
Upon termination of use of a private key, all copies of the private key in computer memory and shared disk space must be securely destroyed by over-writing. Private key destruction procedures must be described in the Certification Practice Statement or other publicly available document.

21. Usage Periods for the Public and Private Keys
21.1 Key Change

(1) Certifying Authority and Subscriber keys shall be changed periodically.
(2) Key change shall be processed as per Key Generation guidelines.
(3) The Certifying Authority shall provide reasonable notice to the Subscriber’s relying parties of any change to a new key pair used by the Certifying Authority to sign Digital Signature Certificates.
(4) The Certifying Authority shall define a key change process that ensures the reliability of the change by showing how the generation of keys interlocks, for example by signing a hash of the new key with the old key.
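Added illustration of the interlock described in para 21.1(4), the outgoing key signing a hash of the new key; it is not from the Schedule. The Certifying Authority publishes a statement carrying the SHA-256 of the new public key, signed with the old private key, so that a relying party who already trusts the old key can verify the new one before it is used to sign certificates. The signature scheme here is textbook RSA over a SHA-256 digest with fixed Mersenne primes, a toy stand-in for a padded signature (for example RSA-PSS) made in a cryptographic module; the statement fields and dates are constructed.

```python
"""Key-change interlock: the outgoing CA key vouches for the new key (para 21.1(4)).

Added illustration, not from the Schedule. The CA publishes a statement
carrying the SHA-256 of the new public key, signed with the old private
key, so a relying party who already trusts the old key can verify the
new one before it is used to sign certificates. Signatures are textbook
RSA over a SHA-256 digest with fixed Mersenne primes, a toy stand-in for
a padded signature (e.g. RSA-PSS) made in a cryptographic module; the
statement fields and dates are constructed.
"""
import hashlib
import json

E = 65537


def toy_keypair(p: int, q: int):
    """(public, private) from two primes fixed below for illustration only."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))


def _digest_int(data: bytes, n: int) -> int:
    h = int.from_bytes(hashlib.sha256(data).digest(), "big")
    if h >= n:
        raise ValueError("modulus too small for a 256-bit digest")
    return h


def sign(priv, data: bytes) -> int:
    n, d = priv
    return pow(_digest_int(data, n), d, n)


def verify(pub, data: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == _digest_int(data, n)


def encode_public(pub) -> bytes:
    # Canonical encoding of the public key; its hash is what gets signed.
    return json.dumps({"n": pub[0], "e": pub[1]}, sort_keys=True).encode()


def key_fingerprint(pub) -> str:
    return hashlib.sha256(encode_public(pub)).hexdigest()


def rollover_statement(old_priv, new_pub, valid_from: str) -> dict:
    """Statement asserting the new key, signed by the OLD key."""
    body = {"new_key_sha256": key_fingerprint(new_pub), "valid_from": valid_from}
    payload = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "sig_by_old": sign(old_priv, payload)}


def verify_rollover(trusted_old_pub, presented_new_pub, stmt: dict) -> bool:
    """Relying-party check: the trusted old key must vouch for exactly this new key."""
    payload = json.dumps(stmt["body"], sort_keys=True).encode()
    if not verify(trusted_old_pub, payload, stmt["sig_by_old"]):
        return False
    return stmt["body"]["new_key_sha256"] == key_fingerprint(presented_new_pub)


# Toy key pairs from fixed Mersenne primes; a real CA generates keys in an HSM.
OLD_PUB, OLD_PRIV = toy_keypair(2**127 - 1, 2**521 - 1)
NEW_PUB, NEW_PRIV = toy_keypair(2**89 - 1, 2**607 - 1)
```

The statement is what the "reasonable notice" of para 21.1(3) should carry: a relying party that holds only the old public key checks the signature with it, then compares the fingerprint against the new key it is being offered, and rejects any substituted key or any edited field. The old private key is destroyed afterwards in accordance with para 21.2, so the statement must be produced before destruction.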

All keys must have validity periods of no more than five years.
Suggested validity period:
(a) Certifying Authority’s root keys and associated certificates – five years;
(b) Certifying Authority’s private signing key – two years;
(c) Subscriber Digital Signature Certificate key – three years;
(d) Subscriber private key – three years.
Use of particular key lengths should be determined in accordance with departmental Threat-Risk Assessments.

21.2 Destruction

Upon termination of use of a Certifying Authority signature private key, all components of the private key and all its backup copies shall be securely destroyed.

21.3 Key Compromise

(1) A procedure shall be pre-established to handle cases where a compromise of the Certifying Authority’s Digital Signature private key has occurred. In such case, the Certifying Authority shall immediately revoke all affected Subscriber Digital Signature Certificates.
(2) The Certifying Authority should immediately revoke the affected keys and Digital Signature Certificates in the case of Subscriber private key compromise.
(3) The Certifying Authority’s public keys shall be archived permanently to facilitate audit or investigation requirements.
(4) Archives of Certifying Authority’s public keys shall be protected from unauthorised modification.

22. Confidentiality of Subscriber’s Information

(1) Procedures and security controls to protect the privacy and confidentiality of the subscribers’ data under the Certifying Authority’s custody shall be implemented. Confidential information provided by the subscriber must not be disclosed to a third party without the subscribers’ consent, unless the information is required to be disclosed under the law or a court order.
(2) Data on the usage of the Digital Signature Certificates by the subscribers and other transactional data relating to the subscribers’ activities generated by the Certifying Authority in the course of its operation shall be protected to ensure the subscribers’ privacy.
(3) A secure communication channel between the Certifying Authority and its subscribers shall be established to ensure the authenticity, integrity and confidentiality of the exchanges (e.g. transmission of Digital Signature Certificate, password, private key) during the Digital Signature Certificate issuance process.


 

Cyber Regulation Advisory Committee


Cyber Regulation Advisory Committee [India]

Under section 88 of the Information Technology Act, 2000 (21 of 2000)

[ No. 1(20)/97-IID(NII)/F6]

(P.M.Singh)
Joint Secretary
To,
The Manager
Govt. of India Press
Mayapuri
New Delhi

[To be published in the Gazette of India, Extraordinary, Part II, Section 3, Sub-section (i)]

Government of India
Ministry of Information Technology

New Delhi, the 17th October, 2000

NOTIFICATION

G.S.R 790 (E) In exercise of the powers conferred by section 88 of the Information Technology Act, 2000 (21 of 2000), the Central Government hereby constitutes the “Cyber Regulation Advisory Committee”, consisting of the following, namely:-

1. Minister, Information Technology Chairman
2. Secretary, Legislative Department Member
3. Secretary, Ministry of Information Technology Member
4. Secretary, Department of Telecommunications Member
5. Finance Secretary Member
6. Secretary, Ministry of Defence Member
7. Secretary, Ministry of Home Affairs Member
8. Secretary, Ministry of Commerce Member
9. Deputy Governor, Reserve Bank of India Member
10. Shri T K Vishwanathan,
Presently Member Secretary, Law Commission Member
11. President, NASSCOM Member
12. President, Internet Service Providers Association Member
13. Director, Central Bureau of Investigation Member
14. Controller of Certifying Authority Member
15. Information Technology Secretary by rotation from the States Member
16. Director General of Police by rotation from the States Member
17. Director, IIT by rotation from the IITs Member
18. Representative of CII Member
19. Representative of FICCI Member
20. Representative of ASSOCHAM Member
21. Senior Director, Ministry of Information Technology Member Secretary

2. Travelling Allowance/Dearness Allowance, as per the Central Government rules, for the non-official members shall be borne by the Ministry of Information Technology.

3. The Committee may co-opt any person as member based on specific meetings.

[ No. 1(20)/97-IID(NII)/F6]

(P.M.Singh)
Joint Secretary


Information Technology (Intermediaries guidelines) Rules, 2011


“Intermediary”, with respect to any particular electronic records, means any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes telecoms service providers, network service providers, internet service providers, web-hosting service providers, search engines, online payment sites, online-auction sites, online-market places and cyber cafes;

MINISTRY OF COMMUNICATIONS AND INFORMATION TECHNOLOGY
(Department of Information Technology)
NOTIFICATION

New Delhi, the 11th April, 2011
G.S.R. 314(E).— In exercise of the powers conferred by clause (zg) of subsection (2) of section 87 read with sub-section (2) of section 79 of the Information Technology Act, 2000 (21 of 2000), the Central Government hereby makes the following rules, namely.-


1. Short title and commencement — (1) These rules may be called the Information Technology (Intermediaries guidelines) Rules, 2011.
(2) They shall come into force on the date of their publication in the Official Gazette.

2. Definitions — (1) In these rules, unless the context otherwise requires,–

(a) “Act” means the Information Technology Act, 2000 (21 of 2000);

(b) “Communication link” means a connection between a hyperlink or graphical element (button, drawing, image) and one or more such items in the same or different electronic document wherein upon clicking on a hyperlinked item, the user is automatically transferred to the other end of the hyperlink which could be another document, website or graphical element.

(c) “Computer resource” means computer resources as defined in clause (k) of sub- section (1) of section 2 of the Act;

(d) “Cyber security incident” means any real or suspected adverse event in relation to cyber security that violates an explicitly or implicitly applicable security policy resulting in unauthorised access, denial of service or disruption, unauthorised use of a computer resource for processing or storage of information, or changes to data or information without authorisation;

(e) “Data” means data as defined in clause (o) of sub-section (1) of section 2 of the Act;

f) “Electronic Signature” means electronic signature as defined in clause (ta) of subsection (1) of section 2 of the Act;

g) “Indian Computer Emergency Response Team” means the Indian Computer Emergency Response Team appointed under sub-section (1) of section 70B of the Act;

h) “Information” means information as defined in clause (v) of sub-section (1) of section 2 of the Act;

i) “Intermediary” means an intermediary as defined in clause (w) of sub-section (1) of section 2 of the Act;

j) “User” means any person who access or avail any computer resource of intermediary for the purpose of hosting, publishing, sharing, transacting, displaying or uploading information or views and includes other persons jointly participating in using the computer resource of an intermediary.

(2) All other words and expressions used and not defined in these rules but defined in the Act shall have the meanings respectively assigned to them in the Act.

3. Due diligence to be observed by intermediary — The intermediary shall observe the following due diligence while discharging his duties, namely:—

(1) The intermediary shall publish the rules and regulations, privacy policy and user agreement for access or usage of the intermediary’s computer resource by any person.

(2) Such rules and regulations, terms and conditions or user agreement shall inform the users of the computer resource not to host, display, upload, modify, publish, transmit, update or share any information that —
(a) belongs to another person and to which the user does not have any right;
(b) is grossly harmful, harassing, blasphemous, defamatory, obscene, pornographic, paedophilic, libellous, invasive of another’s privacy, hateful, or racially, ethnically objectionable, disparaging, relating to or encouraging money laundering or gambling, or otherwise unlawful in any manner whatever;
(c) harms minors in any way;
(d) infringes any patent, trademark, copyright or other proprietary rights;
(e) violates any law for the time being in force;
(f) deceives or misleads the addressee about the origin of such messages or communicates any information which is grossly offensive or menacing in nature;
(g) impersonates another person;
(h) contains software viruses or any other computer code, files or programs designed to interrupt, destroy or limit the functionality of any computer resource;
(i) threatens the unity, integrity, defence, security or sovereignty of India, friendly relations with foreign states, or public order, or causes incitement to the commission of any cognisable offence, or prevents investigation of any offence, or is insulting to any other nation.

(3) The intermediary shall not knowingly host or publish any information, or initiate the transmission, select the receiver of the transmission, or select or modify the information contained in the transmission, as specified in sub-rule (2):
provided that the following actions by an intermediary shall not amount to hosting, publishing, editing or storing of any such information as specified in sub-rule (2) —
(a) temporary or transient or intermediate storage of information automatically within the computer resource as an intrinsic feature of such computer resource, involving no exercise of any human editorial control, for onward transmission or communication to another computer resource;
(b) removal of access to any information, data or communication link by an intermediary after such information, data or communication link comes to the actual knowledge of a person authorised by the intermediary pursuant to any order or direction as per the provisions of the Act.

(4) The intermediary, on whose computer system the information is stored or hosted or published, upon obtaining knowledge by itself or on being brought to actual knowledge by an affected person in writing or through email signed with electronic signature about any such information as mentioned in sub-rule (2) above, shall act within thirty-six hours and, where applicable, work with the user or owner of such information to disable such information that is in contravention of sub-rule (2). Further, the intermediary shall preserve such information and associated records for at least ninety days for investigation purposes.

(5) The Intermediary shall inform its users that in case of non-compliance with the rules and regulations, user agreement and privacy policy for access or usage of the intermediary's computer resource, the Intermediary has the right to immediately terminate the access or usage rights of the users to the computer resource of the Intermediary and remove non-compliant information.

(6) The intermediary shall strictly follow the provisions of the Act or any other laws for the time being in force.

(7) When required by lawful order, the intermediary shall provide information or any such assistance to Government Agencies who are lawfully authorised for investigative, protective or cyber security activity. The information or any such assistance shall be provided for the purpose of verification of identity, or for prevention, detection, investigation, prosecution of cyber security incidents and punishment of offences under any law for the time being in force, on a request in writing stating clearly the purpose of seeking such information or any such assistance.

(8) The intermediary shall take all reasonable measures to secure its computer resource and the information contained therein, following the reasonable security practices and procedures as prescribed in the Information Technology (Reasonable security practices and procedures and sensitive personal Information) Rules, 2011.

(9) The intermediary shall report cyber security incidents and also share cyber security incident related information with the Indian Computer Emergency Response Team.

(10) The intermediary shall not knowingly deploy or install or modify the technical configuration of a computer resource, or become party to any such act, which may change or has the potential to change the normal course of operation of the computer resource from what it is supposed to perform, thereby circumventing any law for the time being in force:
provided that the intermediary may develop, produce, distribute or employ technological means for the sole purpose of performing the acts of securing the computer resource and the information contained therein.

(11) The intermediary shall publish on its website the name of the Grievance Officer and his contact details, as well as the mechanism by which users or any victim who suffers as a result of access or usage of the computer resource by any person in violation of rule 3 can notify their complaints against such access or usage of the computer resource of the intermediary or other matters pertaining to the computer resources made available by it. The Grievance Officer shall redress the complaints within one month from the date of receipt of the complaint.


Electronic Evidence in Indian Law


Section 3. “Evidence”.— “Evidence” means and includes—

(1) all statements which the Court permits or requires to be made before it by witnesses, in relation to matters of fact under inquiry, such statements are called oral evidence;
(2) all documents including electronic records produced for the inspection of the Court,
such documents are called documentary evidence.

The expressions “Certifying Authority”, “electronic signature”, “Electronic Signature Certificate”, “electronic form”, “electronic records”, “information”, “secure electronic record”, “secure digital signature” and “subscriber” shall have the meanings respectively assigned to them in the Information Technology Act, 2000 (21 of 2000).


Controller of Certifying Authorities (CCA)

Section 18 of the Information Technology Act, 2000 provides the required legal sanctity to digital signatures based on asymmetric cryptosystems. Digital signatures are now accepted at par with handwritten signatures, and electronic documents that have been digitally signed are treated at par with paper documents.


22A. When oral admissions as to contents of electronic records are relevant

Oral admissions as to the contents of electronic records are not relevant, unless the genuineness of the electronic record produced is in question.

39. What evidence to be given when statement forms part of a conversation, document, electronic record, book or series of letters or papers

When any statement of which evidence is given forms part of a longer statement, or of a conversation or part of an isolated document, or is contained in a document which forms part of a book, or is contained in part of electronic record or of a connected series of letters or papers, evidence shall be given of so much and no more of the statement, conversation, document, electronic record, book or series of letters or papers as the Court considers necessary in that particular case to the full understanding of the nature and effect of the statement, and of the circumstances under which it was made.

45A. OPINION OF EXAMINER OF ELECTRONIC EVIDENCE—

When in a proceeding, the court has to form an opinion on any matter relating to any information transmitted or stored in any computer resource or any other electronic or digital form, the opinion of the Examiner of Electronic Evidence referred to in section 79A of the Information Technology Act, 2000 (21 of 2000) is a relevant fact.
Explanation.— For the purposes of this section, an Examiner of Electronic Evidence shall be an expert;

47A. OPINION AS TO ELECTRONIC SIGNATURE WHEN RELEVANT —

When the Court has to form an opinion as to the electronic signature of any person, the opinion of the Certifying Authority which has issued the Electronic Signature Certificate is a relevant fact.

65A. SPECIAL PROVISIONS AS TO EVIDENCE RELATING TO ELECTRONIC RECORD —

The contents of electronic records may be proved in accordance with the provisions of section 65B.

65B. ADMISSIBILITY OF ELECTRONIC RECORDS —

(1) Notwithstanding anything contained in this Act, any information contained in an electronic record which is printed on a paper, stored, recorded or copied in optical or magnetic media produced by a computer (hereinafter referred to as the computer output) shall be deemed to be also a document, if the conditions mentioned in this section are satisfied in relation to the information and computer in question and shall be admissible in any proceedings, without further proof or production of the original, as evidence of any contents of the original or of any fact stated therein of which direct evidence would be admissible.

(2) The conditions referred to in sub-section (1) in respect of a computer output shall be the following, namely:—
(a)the computer output containing the information was produced by the computer during the period over which the computer was used regularly to store or process information for the purposes of any activities regularly carried on over that period by the person having lawful control over the use of the computer;
(b)during the said period, information of the kind contained in the electronic record or of the kind from which the information so contained is derived was regularly fed into the computer in the ordinary course of the said activities;
(c)throughout the material part of the said period, the computer was operating properly or, if not, then in respect of any period in which it was not operating properly or was out of operation during that part of the period, was not such as to affect the electronic record or the accuracy of its contents; and
(d)the information contained in the electronic record reproduces or is derived from such information fed into the computer in the ordinary course of the said activities.
(3) Where over any period, the function of storing or processing information for the purposes of any activities regularly carried on over that period as mentioned in clause (a) of sub-section (2) was regularly performed by computers, whether—
(a)by a combination of computers operating over that period; or
(b)by different computers operating in succession over that period; or
(c)by different combinations of computers operating in succession over that period; or
(d)in any other manner involving the successive operation over that period, in whatever order, of one or more computers and one or more combinations of computers,
all the computers used for that purpose during that period shall be treated for the purposes of this section as constituting a single computer; and references in this section to a computer shall be construed accordingly.

(4) In any proceedings where it is desired to give a statement in evidence by virtue of this section, a certificate doing any of the following things, that is to say,—
(a)identifying the electronic record containing the statement and describing the manner in which it was produced;
(b)giving such particulars of any device involved in the production of that electronic record as may be appropriate for the purpose of showing that the electronic record was produced by a computer;
(c)dealing with any of the matters to which the conditions mentioned in sub-section (2) relate,
and purporting to be signed by a person occupying a responsible official position in relation to the operation of the relevant device or the management of the relevant activities (whichever is appropriate) shall be evidence of any matter stated in the certificate; and for the purposes of this sub-section it shall be sufficient for a matter to be stated to the best of the knowledge and belief of the person stating it.

(5) For the purposes of this section,—
(a) information shall be taken to be supplied to a computer if it is supplied thereto in any appropriate form and whether it is so supplied directly or (with or without human intervention) by means of any appropriate equipment;
(b) whether in the course of activities carried on by any official, information is supplied with a view to its being stored or processed for the purposes of those activities by a computer operated otherwise than in the course of those activities, that information, if duly supplied to that computer, shall be taken to be supplied to it in the course of those activities;
(c)a computer output shall be taken to have been produced by a computer whether it was produced by it directly or (with or without human intervention) by means of any appropriate equipment.
Explanation.— For the purposes of this section any reference to information being derived from other information shall be a reference to its being derived therefrom by calculation, comparison or any other process.

67A. PROOF AS TO ELECTRONIC SIGNATURE —

Except in the case of a secure electronic signature, if the electronic signature of any subscriber is alleged to have been affixed to an electronic record the fact that such electronic signature is the electronic signature of the subscriber must be proved.

81A. Presumption as to Gazettes in electronic forms.

The Court shall presume the genuineness of every electronic record purporting to be the Official Gazette or purporting to be electronic record directed by any law to be kept by any person, if such electronic record is kept substantially in the form required by law and is produced from proper custody.

85A. Presumption as to electronic agreements —

The Court shall presume that every electronic record purporting to be an agreement containing the electronic signature of the parties was so concluded by affixing the electronic signature of the parties.

85B. Presumption as to electronic records and electronic signatures. —
(1) In any proceedings involving a secure electronic record, the Court shall presume unless contrary is proved, that the secure electronic record has not been altered since the specific point of time to which the secure status relates.
(2) In any proceedings, involving secure electronic signature, the Court shall presume unless the contrary is proved that—
(a)the secure electronic signature is affixed by subscriber with the intention of signing or approving the electronic record;
(b)except in the case of a secure electronic record or a secure electronic signature, nothing in this section shall create any presumption, relating to authenticity and integrity of the electronic record or any electronic signature.

85C. Presumption as to Electronic Signature Certificates.— 

The Court shall presume, unless the contrary is proved, that the information listed in an Electronic Signature Certificate is correct, except for information specified as subscriber information which has not been verified, if the certificate was accepted by the subscriber.

88A. Presumption as to electronic messages.—

The Court may presume that an electronic message, forwarded by the originator through an electronic mail server to the addressee to whom the message purports to be addressed corresponds with the message as fed into his computer for transmission; but the Court shall not make any presumption as to the person by whom such message was sent.
Explanation.— For the purposes of this section, the expressions “addressee” and “originator” shall have the same meanings respectively assigned to them in clauses (b) and (za) of sub-section (1) of section 2 of the Information Technology Act, 2000.

90A. Presumption as to electronic records five years old—

Where any electronic record, purporting or proved to be five years old, is produced from any custody which the Court in the particular case considers proper, the Court may presume that the electronic signature which purports to be the electronic signature of any particular person was so affixed by him or any person authorised by him in this behalf.
Explanation.— Electronic records are said to be in proper custody if they are in the place in which, and under the care of the person with whom, they would naturally be; but no custody is improper if it is proved to have had a legitimate origin, or the circumstances of the particular case are such as to render such an origin probable.
This Explanation applies also to section 81A.

131. PRODUCTION OF DOCUMENTS OR ELECTRONIC RECORDS WHICH ANOTHER PERSON, HAVING POSSESSION, COULD REFUSE TO PRODUCE

No one shall be compelled to produce documents in his possession or electronic records under his control, which any other person would be entitled to refuse to produce if they were in his possession, or control, unless such last-mentioned person consents to their production.


  • Tomaso Bruno and Anr. v. State of U.P., dt. 20/01/2015
  • Anvar v. P. K. Basheer (Civil Appeal 4226 of 2012)
  • State (NCT of Delhi) v. Navjot Sandhu alias Afsan Guru, (2005) 11 SCC 600
  • State of Maharashtra v. Dr. Praful Desai, AIR 2003 SC 2053
