Aadhaar (Data Security) Regulations, 2016
Regulation 3 Measures for ensuring information security
(1) The Authority may specify an information security policy setting out inter alia the technical and organisational measures to be adopted by the Authority and its personnel, and also security measures to be adopted by agencies, advisors, consultants and other service providers engaged by the Authority, registrar, enrolling agency, requesting entities, and Authentication Service Agencies.
(2) Such information security policy may provide for:—
(a) identifying and maintaining an inventory of assets associated with the information and information processing facilities;
(b) implementing controls to prevent and detect any loss, damage, theft or compromise of the assets;
(c) allowing only controlled access to confidential information;
(d) implementing controls to detect and protect against virus/malwares;
(e) a change management process to ensure information security is maintained during changes;
(f) a patch management process to protect information systems from vulnerabilities and security risks;
(g) a robust monitoring process to identify unusual events and patterns that could impact security and performance of information systems and a proper reporting and mitigation process;
(h) encryption of data packets containing biometrics, and enabling decryption only in secured locations;
(i) partitioning of CIDR network into zones based on risk and trust;
(j) deploying necessary technical controls for protecting CIDR network;
(k) service continuity in case of a disaster;
(l) monitoring of equipment, systems and networks;
(m) measures for fraud prevention and effective remedies in case of fraud;
(n) requirement of entering into non-disclosure agreements with the personnel;
(o) provisions for audit of internal systems and networks;
(p) restrictions on personnel relating to processes, systems and networks;
(q) inclusion of security and confidentiality obligations in the agreements or arrangements with the agencies, consultants, advisors or other persons engaged by the Authority.
(3) The Authority shall monitor compliance with the information security policy and other security requirements through internal audits or through independent agencies.
(4) The Authority shall designate an officer as Chief Information Security Officer for disseminating and monitoring the information security policy and other security-related programmes and initiatives of the Authority.
Source: Wayback Machine snapshot of UIDAI's original publication.
Regulation 4 Security obligations of the personnel
(1) The personnel shall comply with the information security policy, and other policies, guidelines, procedures, etc. issued by the Authority from time to time.
(2) Without prejudice to any action that may be taken under the Act, personnel may be liable to action in accordance with procedures specified by the Authority for this purpose:
Provided that no such action shall be taken without giving the concerned personnel a reasonable opportunity of being heard.