Best Practices For Use Of IT Devices On Government Network

Transcription

Best Practices for Use of IT Devices
On
Government Network

April 2014
Version 1.0

Department of Electronics and Information Technology
Ministry of Communications and Information Technology
Government of India
New Delhi - 110003

Contents

1. Introduction:
2. Desktop Devices
2.1 Use and Ownership
2.2 Security and Proprietary Information
2.3 Use of software on Desktop systems
2.4 Sharing of data
2.5 Use of network printers and scanners
3. Use of Portable devices
4.0 External Storage Media:
4.1 Use of External storage media by a visitor
GLOSSARY

1. Introduction:

Government of India has formulated the “Policy on Use of IT Resources”. This document supports the implementation of this policy by providing the best practices related to use of desktop devices, portable devices, external storage media and peripheral devices such as printers and scanners.

2. Desktop Devices

2.1 Use and Ownership

Desktops shall normally be used only for transacting government work. Users[1] shall exercise their own good judgement and discretion towards use of desktop devices for personal use to the minimum extent possible.

2.2 Security and Proprietary Information

a. User shall take prior approval from the competent authority[2] of their respective organizations[3] to connect any access device to the Government network.
b. User shall keep their passwords secure and not share their account details. Users shall keep strong and secure passwords as per the password policy available es under the caption “Policy of Use of IT Resources”.
c. All active desktop computers shall be secured with a password-protected screensaver which should be set with automatic activation at 10 minutes or less, or log-off when the system is unattended.
d. Users shall ensure that updated virus-scanning software is running in all systems. Users shall exercise due nown senders as they may contain viruses, e-mail bombs, or Trojan horse code.

e. User shall report any loss of data or accessories to the competent authority of their respective organization.
f. User shall obtain authorization from the competent authority before taking any Government issued desktop outside the premises of their organization.
g. Users shall properly shut down the systems before leaving the office.
h. In case an organization does not have two networks, as recommended in the Policy on “Use of IT Resources” Classified/ sensitive data shall not be stored on the desktop connected to the n while storing it on the desktop.
j. By default all interfaces on the client system shall be disabled and those interfaces that are required are enabled.
k. Booting from removable media shall be disabled.
l. Users shall be given an account with limited privileges on the client systems. User shall not be given administrator privileges.
m. Users shall abide by instructions or procedures as directed by the IA[4]/Nodal agency[5] from time to time.
n. If users suspect that their computer has been infected with a virus (e.g. it might have become erratic or slow in response), it should be reported to the IA/Nodal Agency for corrective action.

2.3 Use of software on Desktop systems

a. Users shall not copy or install any software on their own on their desktop systems, including privately owned shareware and freeware without the approval of the competent authority.
b. A list of allowed software shall be made available by the IA. Apart from the software mentioned in the list, no other software will be installed on the client systems. Any addition to the list by the respective organizations should be done under intimation to IA.

2.4 Sharing of data

Users shall not share their account(s), passwords, security tokens (i.e. smartcard), Personal Identification Numbers (PIN), digital signatures certificate or similar information or devices which are used for identification and authorization purposes.

2.5 Use of network printers and scanners

a. User shall use a strong administrator password on the device to help defend against attacks and to prevent reconfiguration by an unauthorized user.
b. Where the device supports Access Control Lists (ACLs), the devices shall be configured to block all traffic from outside the Organization’s IP range.
c. FTP and telnet server on the printer shall be disabled.
d. User shall disable any protocol or service not required.

3. Use of Portable devices

Devices covered under this section include Government issued laptops, mobiles, iPads, tablets, PDAs etc. Use of the devices shall be governed by the following:

a. User shall be held responsible for any unauthorised usage of their Government issued access device by a third party.

b. Users shall keep the Government issued devices with them at all times or store them in a secured location when not in use. User should not leave the devices unattended in public locations (e.g. airport lounges, meeting rooms, restaurants, etc.).
c. User shall ensure that the portable devices are password protected and auto lockout enabled. The password used should be as strong as the device may support and should be as per the password policy available in ent/policiesguidelines under the caption “Policy of Use of IT Resources”.
d. User shall ensure that remote wipe feature is enabled sible. Users shall not circumvent security features on their devices.
e. User shall ensure that the device has latest operating system, anti-virus and application patches. Firewalls shall be enabled, if possible.
f. Users shall wipe or securely delete data from the device before returning/disposing of it.
g. Lost, stolen, or misplaced devices shall be immediately reported to the IA/Nodal agency and the competent authority of the organization.
h. Data transmissions from devices to the services on the Government network shall be over an encrypted channel.
i. When installing software, user shall review the ion regarding the user is not shared with the application provider.

4.0 External Storage Media:

Devices covered under this section include Government issued CD/DVDs, USB storage devices etc. Use of these devices shall be governed by the following:

a. Use of external storage[6] media, by default shall not be allowed in the Government network. If the use of external storage is necessary, due approval from the competent authority of that respective organization shall be taken.
b. Blocking access to external storage on Government issued access devices like desktop/laptop etc. shall be implemented at all organizations within the Government. Users authorised by the competent authority of the organization to use the external storage will be allowed as per the policies configured by the IA/Nodal agency.
c. Users shall use only the media issued by the organization. The user shall be responsible for the safe custody of devices and contents stored in the devices which are in their possession.
d. Classified data shall be encrypted before transferring to the designated USB device. The decrypting key shall not exist on the same device where encrypted data exists.
e. rate portable media. User shall exercise extreme caution while handling such media.
f. Unused data on USB devices shall be cleaned through multiple pass process (like wipe/eraser software).
g. Users shall not allow USB device belonging to outsiders to be mounted on Government systems.

4.1 Use of External storage media by a visitor

a. Competent authority shall ensure that a process is in place that visitors to an organization shall not be allowed to carry any portable media without permission.
b. If it is necessary to allow the visitor to use a USB memory device for any reason, it shall be pose. Under no circumstances shall the USB device belonging to visitors be mounted on systems that are connected and belong to the Government network.

4.2 Authority issuing External storage devices of each organization shall adhere to the following:

a. Competent Authority of an organization shall ensure that a process is in place to maintain records for procurement, issue, return, movement and destruction of the storage devices.
b. All obsolete USB devices shall be physically destroyed to avoid misuse.
c. Self-certification for verification of USB devices by individuals at regular intervals of 6 months shall be carried out by issuing authority to ensure that devices issued to them are under their safe custody.

GLOSSARY

S.no | Term | Definition
1 | Users | Refers to Government/State/UT employees who are accessing the Government services.
2 | Competent Authority | Officer responsible for taking and approving all decisions relating to this policy in his tory Body/Autonomous body under Central and State Government
4 | Implementing Agency (IA) | A Body which will be responsible for ensuring compliance with this policy with reference to network services including power to take precautionary and penal actions as specified in this policy.
5 | Nodal compliance with this policy with respect to use of IT resources except network services.
6 | External Storage | In computing, external storage comprises devices that temporarily store information for transporting from computer to computer. Such devices are not permanently fixed inside a computer.
