
II-FRS87AK-v1_0

Version 1.0

February 2017
ITER-India IT (Information Technology) Security Policy

Contents

PART- I

1. What is Information?....................................................................................................03
2. Why Information Security? ..........................................................................................03
3. Objectives of Information Security Policy ....................................................................03
4. Scope of Information Security Policy............................................................................04
5. Information Security Terms & Definitions....................................................................04
6. IT Security and Advisory Committee ............................................................................05
7. Information Security Policy Framework .......................................................................07

PART- II

8. IT Asset Policy ...............................................................................................................11


9. Acceptable Use Policy (AUP) ........................................................................................11
10. Email Policy...................................................................................................................12
11. Internet Configuration & Usage Policy .........................................................................13
12. Wireless (Wi-Fi) Security Policy ....................................................................................14
13. VPN use Policy ..............................................................................................................15
14. Third Party Service Providers Policy .............................................................................15
15. Password Policy ............................................................................................................16
16. Intranet Security Policy.................................................................................................16
17. Routers & Switches Security Policy ..............................................................................17
18. Servers Security Policy ..................................................................................................17
19. Log Maintenance Policy................................................................................................18
20. Network Management Policy .......................................................................................18
21. Disk & Removable Media Security Policy .....................................................................18
22. Data Center / Server Room Security Policy ..................................................................19
23. Security Incident Handling Policy .................................................................................19
24. Disaster Recovery Policy...............................................................................................20
25. Security Audit Policy .....................................................................................................21
26. IT Security Policy Review Policy ....................................................................................21

Annexures

Annexure-I (IT Asset Procurement Policy) ...................................................................... A-1


Annexure-II (NDA Non-Disclosure Agreement) ............................................................. A-2

IT Security Policy Version 1.0 Page 2 of 21



PART I
1. What is information?

Information is an asset which, like other important institutional assets, has value to an organization and
consequently needs to be suitably protected.

Information can be created, stored, destroyed, transmitted, used (for proper and improper purposes), corrupted,
lost or stolen. It may be printed or written on paper, stored electronically, transmitted by post or by electronic
means, shown on corporate videos, displayed or published on the web, or spoken in conversation. Whatever form
the information takes, or whatever means by which it is shared or stored, it should always be appropriately
protected (ISO 27002:2005).

2. Why information security?

The rapid growth of IT infrastructure, including servers, clients, networks and applications, has offered
enormous benefits to the Organization and has made the exchange of information easy and fast. However, this
connectivity poses severe risks, because valuable assets become exposed or accessible across the network. The
Organization is seriously concerned about protecting its internal systems, assets and information from threats,
both internal and external. An effective security policy covering these security issues, and faithful compliance
with it, will help immensely to prevent attacks and protect the assets through appropriate mechanisms.

Information security is about protecting information through the selection of appropriate security controls.

3. Objectives

The objective of this policy is to establish and maintain the security of information, information systems,
applications and networks held and owned by the Organization.

The main objective of the Information Security Policy is the preservation of:

3.1 Confidentiality:
Ensuring that information is available only to those authorized to have access.
3.2 Integrity:
Safeguarding the accuracy and completeness of information and processing methods.
3.3 Availability:
Ensuring that information and vital services are available to authorized users when required.

3.4 To describe the principles of security and explain how they shall be implemented within the
Organization.
3.5 To introduce a consistent approach to security, ensuring that all employees become fully aware of
their respective responsibility and accountability and comply with the relevant policies as described
in this document.
3.6 To create and constantly maintain within the Organization a level of awareness of the need
for information security as an integral part of day-to-day activity and transactions.

4. Scope of the IT Security Policy

This policy is applicable to ITER-India work centres (office and laboratory).

5. Information security terms and definitions

5.1 Information security: The protection of information and Organization assets against unauthorized
disclosure, transfer, modification or destruction, whether accidental or intentional and whether by
internal or external users, without compromising the availability of the data to authorized
users.

5.2 Security Policy: A security policy is a formal statement of the rules by which people who are given
access to an Organization's technology and information assets must abide. It also contains the
procedures to be followed in case of any security incident, whether from internal or external sources.
The Organization's management shall approve the security policy.

5.3 Internal Network: The network comprising the internal staff members'
desktops, laptops, workstations and mobile devices.

5.4 External Network: The networks residing outside the firewall.

5.5 De-Militarized Zone (DMZ): Servers that are exposed to the Internet are placed in this zone.
External users can access the servers in the DMZ but not the computers inside the Internal Network.

5.6 Vulnerability: An information security vulnerability is any flaw or weakness in a
network, program, application or operating system, or in a process itself.

5.7 Risk Assessment: Risk assessment is a systematic consideration of the repercussions likely to result
from a security failure against the realistic likelihood of such a failure. The results of this comparison
help management and those concerned to take appropriate decisions and implement the necessary
controls.

5.8 Vulnerability Assessment: The systematic examination of an information system or product to
determine the adequacy of security measures, identify security deficiencies, and determine the
appropriate procedures that can be implemented to eliminate or reduce the risk.

5.9 Security Audit: An independent review and examination of system records and activities to (a)
determine the adequacy of system controls (b) ensure compliance with established security policy
and operational procedures, (c) detect breaches in security, and (d) recommend any indicated
changes in any of the foregoing.

5.10 Intrusion/Hacking: An attempt by an unauthorized user, whether internal or external,
intentionally or accidentally, to access data, components or services which do not
belong to him or which he is not authorized to use.

5.11 Acceptable Usage Policy (AUP): The rules and regulations that all staff members of the
Organization must obey when using its resources.

5.12 Asset means Information Technology (IT) hardware, software, application or data held and
owned by the Organization.

5.13 Custodian means the employee/division/group in the Organization responsible for ownership
of asset and its security.

5.14 External Agency means any individual or firm outside the Organization responsible for delivery of
services, including software development, under a contractual agreement, and also those who
are authorized to use the IT assets of the Organization.

5.15 Information Security Officer (ISO) means the employee in the Organization who has been
designated and adequately empowered for managing and implementing the information security
policy and related procedures at their respective Centre/Unit and shall include the Chief
Information Security Officer (CISO), unless otherwise stated.

5.16 Organization means Organization for ITER-India including all its Groups, Divisions and Sections.

5.17 Originator means the individual/division/group from which the information has originated,
responsible for classifying the asset based on the classification scheme.

5.18 System Manager means the employee/division/group in the Organization responsible for
administration and management of information and infrastructure assets.

5.19 User means the employee in the Organization authorized to use the asset consistent with the
security policy.

6. IT Security/ Cyber Crisis Management Committee

While the network and security infrastructure provide the technical controls against intrusions, the
Organization also requires an institutional security policy that sets out procedures and guidelines for
users and administrators on what they may and may not do while using ITER-India assets. This security
policy is open to all users, and all users of ITER-India assets must adhere to it.

In this regard, an IT Security and Advisory Committee has been formed by the management of ITER-India,
headed by the Information Security Officer (ISO), who in turn reports to the CISO (Chief Information
Security Officer). This committee also serves as the Cyber Crisis Management Committee.

While the ultimate responsibility for formulation, its effective implementation and compliance of the IT Security
Policy vests with the IT Security Committee, the Information Security Officer (ISO) shall be enabled and
empowered for managing and implementing the policy and related procedures at their respective Groups /
Divisions.
Responsibilities of the IT Security and Advisory Committee

6.1 Ensure the Institutional IT Security Policy is effectively implemented and followed.
6.2 Monitoring the security incidents, preventive and corrective actions.
6.3 Submission of respective reports to the CISO or authorized representative of CISO.
6.4 Periodic risk assessment and vulnerability assessment.
6.5 Periodic review of the IT security policy and procedures, and upgrades or new technology
implementation to ensure the network is resilient against current vulnerabilities.
6.6 Conducting the user awareness programs to ensure the users are updated with information security
threats and concerns.
6.7 System Managers / Administrators shall be specifically responsible for the security of the physical
environment where information is processed or stored.

6.8 Carry out periodic IT security risk assessments and determine acceptable level of risks, consistent
with criticality of functional requirements, likely impact on functions and achievement of
Institutional goals / objectives.
6.9 Periodically test and evaluate the adequacy and effectiveness of the technical security control
measures implemented for IT systems and networks. In particular, testing and evaluation shall be
carried out after each significant change to IT applications, systems or networks and may include,
as appropriate, the following:
6.9.1 Penetration Testing (both announced as well as unannounced)
6.9.2 Vulnerability Assessment
6.9.3 Application Security Testing
6.9.4 Web Security Testing
6.10 Ensure that all users shall comply with information security procedures including the maintenance
of data confidentiality and data integrity.
6.11 A Non-Disclosure Agreement (NDA) shall be signed by the external agency before it is allowed
access to the Institution's information systems. The agreement with the external agency
shall contain a clause making it obligatory for the employees and sub-contractors of the
external agency to comply with all applicable security requirements.

The IT Security Committee's hierarchical structure is shown in Figure 1.1.


7. Information security policy framework

7.1 Management of Information Security


The IT Security Committee shall be responsible for defining and prescribing the overall Information
security policy. This committee shall periodically review the implementation of Information security
at Institutional level and also update the policy document.
Chief Information Security Officer (CISO) at ITER-India and Information Security Officer (ISO)
shall be responsible for communicating, implementing and monitoring security requirements for
the Organization.
Each Group/Division/Section shall have an Information Security Representative (shown as Member in
Figure 1.1), who will implement and monitor security processes within that Group / Division / Section.

7.2 Information Security Awareness Training


Inclusion of Information security awareness training in the employee induction process shall be
mandatory.
An ongoing awareness program shall be established and maintained in order to ensure that
employee awareness is refreshed and updated constantly.

7.3 Contracts of Employment


Employee specific security requirements shall be addressed at the recruitment stage and all
contracts of employment shall contain a confidentiality clause.
Information security obligations on employees shall be included within appropriate job definitions.

7.4 Security Control of Assets


Each IT asset, (hardware, software, application or data) shall have a named custodian who shall be
responsible for the information security of that asset.

7.5 Area Access Control


Only authorized personnel who have a bona-fide and approved official business need shall be given
access to restricted areas containing information systems or stored data.

7.6 User Access Control


Access to information shall be restricted to authorized users who have bona-fide official business
need to access the information.

7.7 Computer Access Control


Access to computer facilities shall be restricted to authorized users who have bona-fide official
business need to use the facilities.

7.8 Application Access Control


Access to data, system utilities and program source libraries shall be controlled and restricted to
those authorized users who have a legitimate business need.


7.9 Equipment Security


In order to prevent loss of or damage to assets, all IT equipment shall be physically protected
from threats and environmental hazards.

7.10 Computer and Network Procedures


Management of computers and networks shall be controlled through standard documented
procedures that have been authorized by the IT Security Committee.

7.11 Information Risk Assessment


The core principle of risk assessment and management requires the identification and analysis of
information security risks in terms of the likelihood of occurrence and severity of impact.

Once identified, information security risks shall be managed on a formal basis. They shall be
recorded within a baseline risk register and action plans shall be put in place to effectively manage
those risks. The risk register and all associated actions shall be reviewed at regular intervals. The
information security arrangements implemented shall also be regularly reviewed as a part of risk
management program. These reviews shall help to identify areas of best practices and possible
weaknesses, as well as potential risks that may have arisen since the last review was completed.

7.12 Information Security Incidents and Weaknesses


All information security incidents and suspected weaknesses shall be reported to the ISO. Every
information security incident shall be thoroughly investigated by the ISO to establish its cause and
impacts with a view to prevent recurrence.

7.13 Security Classification of Sensitive Information


The Government of India has prescribed the following four levels of security classification for
sensitive information and material:
Top Secret shall be applied to information and material, the unauthorized disclosure of which
could be expected to cause exceptionally grave damage to the national security or national interest.
(Note: This category is reserved for the Nation's closest secrets and is to be used with great reserve.)

Secret shall be applied to information and material, the unauthorized disclosure of which could
be expected to cause serious damage to the national security or national interests or cause serious
embarrassment to the Government in its functioning. (Note: This classification should be used for
highly important matters and is the highest classification normally used).

Confidential shall be applied to information and material, the unauthorized disclosure of which
could be expected to cause damage to the national security or would be prejudicial to the national
interests or would embarrass the Government in its functioning. (Note: Most matters, on proper
analysis, will be classified no higher than Confidential).


Restricted shall be applied to information and material, which is essentially meant for official use
only and which should not be published or communicated to anyone except for official purpose.

7.14 Employees Authorized to Classify


To ensure proper classification of documents, only employees who are of the position of Project
Manager/Dy. Project Manager/Project Coordinator/Group Leader shall classify the documents as
Top Secret/Secret/Confidential.

7.15 Protection from Malicious Software


The Organization shall use software countermeasures and management procedures to protect
itself against the threat of malicious software. All users shall be expected to co-operate fully with
this policy. No user shall install software on the Institution's property without specific permission
from an authority at or above the level of Divisional Head.

7.16 Removable Media


Removable media of all types that contain software or data from external sources, or that have
been used on external equipment, must be fully scanned for viruses before they are used on the
Organization's systems.

7.17 Monitoring System Access and Usage


An appropriate audit trail of system access and data usage by employees shall be maintained and
reviewed on a regular basis by System Managers / Administrators; the arrangement shall be approved by
the IT Security Committee or the CISO.
Procedures should be in place to regularly audit compliance with this and other policies. In addition,
the Organization reserves the right to monitor activity where it suspects that there has been a breach
of policy. The monitoring and recording of employees' electronic communications may be carried out for:

7.17.1. Establishing the existence of facts.
7.17.2. Investigating or detecting unauthorized use of the system.
7.17.3. Preventing or detecting crime.
7.17.4. Ascertaining compliance with regulatory or self-regulatory practices or procedures.
7.17.5. Ensuring the effective operation of the system.

7.18 Accreditation of Information Systems


All new information systems, applications and networks in the Organization shall include a security
plan and shall be approved by the ISO /CISO before they commence operation.

7.19 System Change Control


Changes to information systems, applications or networks shall be reviewed and approved by the
ISO.


7.20 Anti-Piracy compliance

The Organization shall ensure that all information products are properly licensed and approved by the
CISO.

7.21 Reporting
The Information Security Officer shall keep the Chief Information Security Officer informed of the
information security status and severe security incidents of the Centre/Unit by means of regular
reports and presentations.

7.22 Policy Audit


This policy shall be subject to audit for compliance. The IT Security Committee shall issue
guidelines on security audits by internal or external agencies. External agencies should be
empanelled with CERT-In (Indian Computer Emergency Response Team).

7.23 Further Information


Further information and advice on this policy can be obtained from the Chief Information Security
Officer, ITER-India.


PART II

8. IT Assets Policy:
8.1. Information assets may generally be categorised as Critical and Non-critical based on the guidelines as
follows:
8.1.1. Critical assets: Assets handling information that must be available for the mission to be
performed effectively.
8.1.2. Non-critical assets: Assets handling information that is not sensitive to the function or the activities.

8.2. Inventory of all Critical Assets associated with information systems must be documented and maintained.
The term Critical Assets covers production servers, central computing facility, services related to intranet
and internet, data assets like databases critical to functioning of the activities, documents related to
design information (drawings, design data, initialization data etc.), operational or support procedures,
network infrastructure diagrams, continuity plans, critical application software and backup information.

8.3. Custodians (individual or an entity) must be designated for all critical assets.

8.4. The assets should be used as per the Acceptable Usage Policy provided in this document.

8.5. At a minimum, the type of asset, ownership, location, backup details, licensing details and AMC
information shall be maintained for critical assets.

8.6. Assets shall be classified by the originator taking into account the value, sensitivity and intended use of
the information for effectively performing the Organization's mission.

8.7. User entrusted with the usage of critical assets shall be responsible for protecting the data consistent
with security requirements defined by the custodian.

8.8. All groups/divisions should follow the IT assets procurement policy as per Annexure I. This includes
procurement of any IT assets (PC, Laptop, Server, Software, Etc.). This policy will be updated as per
suggestions from the IT-NAC (Information Technology Need Aspect Committee).

9. Acceptable Usage Policy (for Desktops/Laptops/Workstations/Servers):

9.1. The basic responsibility for complying with the security measures shall lie with the specific user for
desktops that are provided for individual usage.

9.2. Systems shall be used primarily for official use as relevant to the Organizations goals and objectives.

9.3. For security and network maintenance purposes, IT Security Committee shall monitor the desktop usage
and network traffic as per the security policy.

9.4. The IT Security Committee reserves the right to audit systems on a periodic basis to check for viruses,
malfunctions and OS inconsistencies and to ensure compliance.


9.5. All PCs and workstations shall have a protection mechanism (e.g. screensaver password, or manually
locking) when unattended.

9.6. Only approved systems shall be connected to the network.

9.7. Systems/Devices which are not registered with IT group are not allowed to be used at ITER-India (either
on network or offline), except for reasons approved by Competent Authority.

9.8. Appropriate security controls shall be in place while connecting PCs/Servers/Workstations through a
wireless infrastructure.

9.9. All PCs, laptops, servers and workstations shall have the approved anti-virus/anti-spyware software
installed, providing real-time scanning of files and applications running on the system.

9.10. Software and virus/spyware definition database must be kept up-to- date. Infected systems should be
isolated and removed from the network.

9.11. For systems that are provided in common areas like Central Computing facility, Central File Server etc.,
only those who are authorized shall be allowed to use respective services and such access shall be
regulated through appropriate access control mechanism.

The following activities are prohibited.

9.12. Introduction of viruses, Trojans, etc. into the network.

9.13. Executing any form of network monitoring that will intercept data not intended for the employee's host.

9.14. Circumventing user authentication or any other security mechanism of a host, network or account.

9.15. Using any program, script or command, or sending messages of any kind, that will interfere with or
disable another host's session.

10. Email Policy


10.1. All persons who join ITER-India shall be provided with an e-mail ID on submission of a request in the
prescribed form and subject to approval from ITER-India Administration or a competent authority
decided by the Director.

10.2. The ITER-India email id should be used only for the purposes of official communication, the user shall
not utilize the official email id for personal/unofficial communication.

10.3. All users should be able to communicate with employees of other Centres/Units through e-mail over
the internal network infrastructure.

10.4. External staff shall not be allotted name-specific email ID, but upon approval shall be provided with
group-specific IDs. (for e.g. groupname.engineer1@iter-india.org)


10.5. An upper limit on the size of e-mail messages may be implemented by IT based on available storage on the server.

10.6. Users should be made to change their login password at least once in 6 months.

10.7. Common shared e-mail accounts should be avoided.

10.8. Authentication should be enforced on mail servers for sending emails.

10.9. E-mail access shall be through the web interface, the Zimbra mail client, or Microsoft Outlook via the
Zimbra Outlook Connector plugin only. Access to ITER-India mail via POP3, POP3S, IMAP and IMAPS is
disabled by default for security reasons.

10.10. E-Mail system shall not be used for sending offensive or disruptive messages.

10.11. Sending chain letters or joke e-mails shall not be permitted.

10.12. For justified reasons, e.g. tracing of official records, the Competent Authority may issue order for
monitoring of individual email accounts of existing or ex-employees.

10.13. E-Mails shall be backed up through a duly approved archival procedure. The procedure shall be decided
by the System Manager / Administrator.

10.14. Once an employee retires or resigns, the corresponding e-mail ID shall be retained for a specific period,
as decided by respective Group / Division Head, and the user-id shall stand removed from the system on
expiry of that period.

10.15. Auto-forwarding of e-mails from official mail-box to public mail system should not be allowed except for
specific requirements for which explicit permission is granted by competent authority.

10.16. Effective spam control techniques in detecting and controlling spam mails shall be in place.

10.17. Public e-mail systems like Yahoo, Gmail, etc. should never be used for official information exchange/
communication. Exceptions can be only with specific approval from competent authority.

10.18. In the case of group-based mail ID, when there is a transfer of role from one employee to another, provision
shall be made available for transfer of all relevant mails.
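The following is an added illustration of 10.8 (enforcing authentication on the mail server for outbound mail); it is not part of the original policy and is not taken from ITER-India's own mail system. It contrasts two Postfix main.cf fragments: an MTA that relays mail for anyone who can reach port 25, and one that relays only for its own networks or for clients that have authenticated over TLS. Postfix itself, the Dovecot SASL backend, the hostname, the internal address ranges and the certificate paths are assumptions made for the example.

```ini
# --- Weak: open relay. Any client that reaches port 25 may submit mail to
#     any destination, and authentication is never requested. Spammers find
#     such hosts within hours, and the domain ends up on blocklists.
# (assumed hostname)
myhostname = mail.example.org
# 0.0.0.0/0 treats the whole Internet as a trusted network
mynetworks = 0.0.0.0/0
smtpd_sasl_auth_enable = no
# "permit" relays unconditionally
smtpd_relay_restrictions = permit

# --- Corrected: sending requires authentication, and relaying is allowed
#     only for local networks or authenticated clients. Everyone else may
#     deliver only to domains this server is responsible for.
# (assumed hostname)
myhostname = mail.example.org
# (assumed internal ranges; loopback plus the office network)
mynetworks = 127.0.0.0/8, [::1]/128, 10.10.0.0/16

# SASL authentication via Dovecot (assumed backend); anonymous mechanisms off
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous

# Offer STARTTLS and refuse to accept credentials on a cleartext connection
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
# (assumed certificate and key paths)
smtpd_tls_cert_file = /etc/ssl/certs/mail.example.org.pem
smtpd_tls_key_file = /etc/ssl/private/mail.example.org.key

# Evaluated in order: local networks first, then authenticated clients,
# then refuse relaying for anyone else. reject_unauth_destination still
# accepts inbound mail addressed to this server's own domains.
smtpd_relay_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
```

After reloading Postfix, `postconf -n` shows the effective non-default values, and a test session from an address outside mynetworks that issues RCPT TO for a foreign domain without authenticating should be answered with "554 5.7.1 Relay access denied". Note that Postfix does not allow comments at the end of a value line, which is why every comment above sits on its own line.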

11. Internet Configuration and Usage Policy

11.1. The Internet segment shall have no direct connectivity to the intranet segment, except for the e-mail and
documentation servers.
11.2. The System Manager / Administrator shall monitor the usage of systems connected to the Internet network.
General trending and activity reports should be prepared using available tools. For all network traffic, the
monitoring system should record the source IP, URL, date, time, protocol and destination address.
Wherever possible, the system should record the identity of the person initiating the traffic. Internet logs
are to be preserved for analysis and monitoring.


11.3. Viewing of inappropriate contents is prohibited.

11.4. Access shall be blocked for websites and protocols deemed inappropriate for official use.

11.5. If there is a genuine requirement for accessing blocked site for official use, the System Manager shall
review the position on a case-to-case basis and take appropriate steps on obtaining clearance from the
IT Security Committee.

11.6. Users should be careful when visiting less reputable websites, as this can lead to the download of Trojans,
viruses, spyware, etc.

11.7. Large downloads and streaming audio/video shall not be permitted, except for official or academic
purpose.

11.8. FTP and HTTP downloads of smaller files shall be allowed, but large FTP uploads shall generally not be
permitted, except for official or academic purposes.

11.9. Use of personal wireless/wired cards, devices or routers to access the Internet from within the
Organization's systems is strictly prohibited. This does not apply to Internet devices officially provided
by the Organization.

11.10. Sharing of official Internet access through hotspot software, USB tethering or wireless tethering is not
allowed.

11.11. Logs of websites accessed by users shall be maintained for the period that may be statutorily required.

11.12. Internet distribution and control will adhere to the time-to-time guidelines from CIASG (Computer and
Information Security Advisory Group) under DAE.

12. Wireless (Wi-Fi) Security


Where Wi-Fi is needed, it should be configured as follows:
12.1. The default username and administrator password should be changed.
12.2. The latest available encryption should be enabled (WPA2 with AES/CCMP at the time of writing); WEP and
WPA/TKIP should not be used.
12.3. MAC address filtering should be enabled. This is a supplementary control only: MAC addresses can be
spoofed, so it does not replace encryption and authentication.
12.4. Wi-Fi networks should be registered with the Organization's internal IT agency, i.e. the Computer Division.
12.5. The password for user Wi-Fi access shall be communicated by IT to staff; this password shall be changed every 6
months and communicated accordingly.
12.6. Wi-Fi access is strictly for official e-mail, the ITER and ITER-India documentation servers and official
communications.

13. VPN Use Policy

13.1. VPN users shall not share their VPN login or password with anybody for any reason.


13.2. Care should be exercised while logging into the VPN from public networks which could be insecure.

13.3. The user must ensure that his/her desktop is not connected to any other network while connected to the
Organization's private network (Intranet).

14. Third Party Service Providers Policy


Access given to people outside the Organization (Third Party Service Providers) deserves special
attention. This includes physical access to offices, computer rooms or filing cabinets, and logical access to
ITER-India databases or information systems across a network connection.
The objective of this policy is to implement and maintain the appropriate level of information security and
service delivery in line with third party service delivery agreements.
Physical or logical access may be granted to off-site service providers for several reasons, including the
need for service providers to exchange information, access information systems or share databases, and for
hardware and software support staff to access system or low-level application functionality.
Before such access is granted, the following shall be taken into account:
Types of access needed
Value of the information
Controls used by the third party
Implications of access on the Organization's information security
Records should be maintained to provide adequate evidence of third party access to ITER-India
information facilities.

A Non-Disclosure Agreement (NDA) shall be signed before allowing access to the Institution's
information systems. The agreement with the external agency shall contain a clause that makes it
obligatory for the employees or sub-contractors of the external agency to comply with all appropriate
security requirements.

The latest available template of Non-Disclosure Agreement shall be followed.


15. Password Policy

15.1. Passwords shall be kept secure and accounts shall not be shared. Users shall be responsible for security
of their respective passwords and accounts.

15.2. All system level passwords for production servers shall be changed at least on a quarterly basis. The
new password shall not be the same as the previous password. These rules should preferably be
enforced using the available password control mechanisms.

15.3. Change of user level passwords (mail, web, desktop) every six months is recommended.

15.4. The default password after creation of an account shall be provided to the user by IT. This password shall be
changed immediately by the user, after which the respective email account shall be accessible.

15.5. Use of strong passwords shall be encouraged. The length should be a minimum of eight characters and the
password should be a mix of lower case, upper case, numerals and special characters.

15.6. Weak passwords like known names, personal information, patterns are not secure and should not be
used.

15.7. The "remember password" feature provided by certain applications should not be used, from a security
point of view.

15.8. Application developers should ensure the following to the extent possible:

15.8.1. Support for individual user login.

15.8.2. Passwords should not be displayed in clear text during login.

15.9. Applications shall support multiple configured users so that, for smooth operations, an alternate
user can take over a role easily.

15.10. Wherever role based logins are provided for applications, the login ID shall explicitly identify the role.
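As an added illustration of the complexity rules in 15.5 and the weak-password rule in 15.6 (example code written for this page, not part of the original policy or of any ITER-India system): a checker that reports every way a candidate password falls short of the policy. The list of forbidden personal words, the sequence test and the keyboard-row test are assumptions chosen for the example; a real deployment would load the user's own attributes (name, login, employee number) in place of the constructed list.

```python
import re
import string
from typing import Iterable, List

# Policy parameter from 15.5: minimum length of eight characters.
MIN_LENGTH = 8

# Constructed sample of "known names and personal information" (15.6).
# Assumption for this example only; a deployment supplies the user's own data.
PERSONAL_WORDS = {"iter", "india", "gandhinagar", "admin", "password"}

# Keyboard rows used to catch patterns such as "qwerty" (assumption for the example).
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "0123456789")


def has_sequence(pw: str, run: int = 4) -> bool:
    """True if pw contains `run` consecutive characters that step by +1/-1
    (abcd, 4321) or that form a straight run along a keyboard row (qwer)."""
    low = pw.lower()
    for i in range(len(low) - run + 1):
        chunk = low[i:i + run]
        codes = [ord(c) for c in chunk]
        diffs = {b - a for a, b in zip(codes, codes[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
        for row in KEYBOARD_ROWS:
            if chunk in row or chunk in row[::-1]:
                return True
    return False


def has_repeat(pw: str, run: int = 3) -> bool:
    """True if any character is repeated `run` or more times in a row (aaa, 111)."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None


def check_password(pw: str, user_words: Iterable[str] = ()) -> List[str]:
    """Return the list of policy violations for pw; an empty list means it passes.
    `user_words` are extra personal strings (name, login) to forbid for this user."""
    problems = []
    # 15.5: length and the four character classes.
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in pw):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in pw):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no numeral")
    if not any(c in string.punctuation for c in pw):
        problems.append("no special character")
    # 15.6: known names, personal information and patterns.
    low = pw.lower()
    for w in sorted(PERSONAL_WORDS | {u.lower() for u in user_words}):
        if w and w in low:
            problems.append(f"contains known name or personal information ({w!r})")
    if has_sequence(pw):
        problems.append("contains a sequential or keyboard pattern")
    if has_repeat(pw):
        problems.append("contains a repeated-character pattern")
    return problems


if __name__ == "__main__":
    for candidate in ("Tr0ub4dor&3", "Iter@2017", "abcd1234", "Qwerty!1"):
        verdict = check_password(candidate) or ["OK"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```

The checker returns every violation rather than stopping at the first one, so the user can be told all the reasons at once; the substring test for personal words is deliberately case-insensitive because "Iter@2017" is no stronger than "iter@2017".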

16. Intranet Security Policy

16.1. The critical network devices such as routers, switches and modems should be protected from physical
damage and unauthorised access.


16.2. The network configuration and inventories shall be documented and maintained.

16.3. A suitable Network Management System should be implemented to monitor the functioning of the
computer network. Wide Area Networks that operate between Centres/Units shall be subjected to
vulnerability analysis and tests.
16.4.

16.5. Networks that operate at varying security levels shall be isolated from each other by appropriate
firewalls.

17. Routers & Switches Security Policy

17.1. Routers should be configured to permit only appropriate traffic to specific systems.
17.2. AAA authentication should be enabled for all routers, with the levels of access defined.
17.3. SSH access to routers and switches should be restricted to ITER-India's internal network.
17.4. The default SNMP community string should be removed and the password changed as per the
password policy.
17.5. Regular backups of router and switch configurations shall be taken as per the backup policy.
17.6. Only managed switches should be allowed in the network.

18. Server Security Policy

18.1. All servers must be owned by an entity responsible for system administration and management.

18.2. The following minimum information must be maintained:

18.2.1. Server configuration.
18.2.2. Hardware and OS versions.
18.2.3. AMC or Warranty details.
18.2.4. Main functions and application.

18.3. Configuration changes for production servers must follow appropriate change control procedures.

18.4. Services and applications not in use must be disabled wherever possible. Only minimum required ports
should be opened.

18.5. Systems shall be hardened to the maximum extent possible. A host firewall should be configured separately on
every server.

18.6. The most recent security patches must be installed wherever practical, the exception being where application
functioning would be affected.


18.7. The root ID should not be used where less privileged access would serve the purpose.

18.8. Where a secure channel is available, privileged access should be performed over that secure channel
(SSH, IPSec).

18.9. All security related incidents should be logged and audit trails saved by System Manager.

18.10. Security related events should be reported to the Information Security Team. Such events include, but are not
limited to, port scanning, unauthorized access to privileged accounts and anomalous occurrences that
are not related to specific applications.

18.11. Production servers shall be kept in an access controlled environment.

18.12. Separate servers should be used for each function, viz. DNS, MX, WWW, documentation server, etc.

18.13. A system of updating critical software and applying security patches on a regular basis should be in place.

19. Log Maintenance Policy

19.1. Logs of all email transfers, system messages and web server access in the domain should be backed up for
life.
19.2. The log files should be analyzed in a systematic manner on a regular basis in order to generate statistics
and detect any abnormal events.
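As an added example of the systematic log analysis called for in 19.2, and of detecting one of the events that 18.10 says must be reported (port scanning), here is a small detector written for this page; it is not part of the original policy or of any ITER-India tooling. It parses constructed firewall log lines and flags a source address that touches many distinct ports on one host within a short window. The log line format, the sample lines, the IP addresses and the threshold (10 distinct ports within 60 seconds) are all assumptions for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Assumed log line format for this example: "<ISO time> <action> src=<ip> dst=<ip> dport=<port>".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)

# Constructed sample log (not from any real system): one host sweeps twelve ports
# on 10.10.1.5 within two seconds; a second host makes ordinary web requests;
# one unrelated kernel line shows that non-matching lines are skipped.
SAMPLE_LOG = """\
2017-02-01T09:00:01 DROP src=10.10.5.23 dst=10.10.1.5 dport=21
2017-02-01T09:00:01 DROP src=10.10.5.23 dst=10.10.1.5 dport=22
2017-02-01T09:00:01 DROP src=10.10.5.23 dst=10.10.1.5 dport=23
2017-02-01T09:00:01 DROP src=10.10.5.23 dst=10.10.1.5 dport=25
2017-02-01T09:00:02 DROP src=10.10.5.23 dst=10.10.1.5 dport=53
2017-02-01T09:00:02 ACCEPT src=10.10.5.23 dst=10.10.1.5 dport=80
2017-02-01T09:00:02 ACCEPT src=10.10.5.40 dst=10.10.1.5 dport=443
2017-02-01T09:00:02 DROP src=10.10.5.23 dst=10.10.1.5 dport=110
2017-02-01T09:00:02 DROP src=10.10.5.23 dst=10.10.1.5 dport=143
2017-02-01T09:00:03 ACCEPT src=10.10.5.23 dst=10.10.1.5 dport=443
2017-02-01T09:00:03 DROP src=10.10.5.23 dst=10.10.1.5 dport=445
2017-02-01T09:00:03 DROP src=10.10.5.23 dst=10.10.1.5 dport=3306
2017-02-01T09:00:03 DROP src=10.10.5.23 dst=10.10.1.5 dport=8080
2017-02-01T09:00:04 ACCEPT src=10.10.5.40 dst=10.10.1.5 dport=443
2017-02-01T09:00:05 kernel: eth0 link up
2017-02-01T09:00:06 ACCEPT src=10.10.5.40 dst=10.10.1.5 dport=80
"""

Event = Tuple[datetime, str, str, int, str]


def parse_log(text: str) -> List[Event]:
    """Parse log text into (timestamp, src, dst, dport, action) tuples, skipping
    lines that do not match the assumed format."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append((datetime.fromisoformat(m["ts"]), m["src"], m["dst"],
                       int(m["dport"]), m["action"]))
    return events


def detect_port_scans(events: List[Event], window_seconds: int = 60,
                      min_ports: int = 10) -> List[Dict]:
    """Return one alert per (src, dst) pair that contacted at least `min_ports`
    distinct destination ports inside any `window_seconds` sliding window.
    Dropped and accepted packets both count: a sweep is a sweep either way."""
    by_pair = defaultdict(list)
    for ts, src, dst, port, _action in events:
        by_pair[(src, dst)].append((ts, port))
    window = timedelta(seconds=window_seconds)
    alerts = []
    for (src, dst), evs in by_pair.items():
        evs.sort()
        recent = deque()          # events inside the current window
        best = None               # widest sweep seen for this pair
        for ts, port in evs:
            recent.append((ts, port))
            while ts - recent[0][0] > window:
                recent.popleft()
            ports = {p for _, p in recent}
            if len(ports) >= min_ports and (best is None or len(ports) > best["distinct_ports"]):
                best = {"src": src, "dst": dst, "distinct_ports": len(ports),
                        "first_seen": recent[0][0].isoformat(), "last_seen": ts.isoformat()}
        if best is not None:
            alerts.append(best)
    return alerts


def report_lines(alerts: List[Dict]) -> List[str]:
    """Format alerts as one-line entries for the report to the Information Security Team (18.10)."""
    return [f"port scan: {a['src']} -> {a['dst']} {a['distinct_ports']} ports "
            f"between {a['first_seen']} and {a['last_seen']}" for a in alerts]


if __name__ == "__main__":
    for line in report_lines(detect_port_scans(parse_log(SAMPLE_LOG))):
        print(line)
```

The sliding window is what separates a sweep from a busy but legitimate client: 10.10.5.40 hits the same host repeatedly yet only ever on two ports, so it never reaches the threshold, while the scanner is reported once with the full width of its sweep rather than once per packet.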

20. Network Management Policy

20.1. The network management function should have tools to monitor and control the network traffic status of the LAN.
20.2. It should monitor Internet traffic through suitable software in a systematic manner.
20.3. It should have the ability/tools to selectively control/monitor the Internet access of users.
20.4. PCs connected to the Internet should not be connected to the Intranet segment.

21. Disk and Removable Media Policy

21.1. In the case of AMC or warranty, defective and damaged hard disks removed from the system are to be
retained as property of the Organization or returned to the vendor after totally erasing the contents
through sanitization or by degaussing. In the case of condemnation, the entire information in the hard disk
should be completely destroyed under proper authorization and record.

21.2. In case systems are to be transferred devoid of information for use by another external agency, disk
should be totally erased through sanitization or by degaussing.


21.3. Removable media shall be used only in cases where data is required to be transferred and provided to an
external agency purely for official purposes.

21.4. Removable media used for sensitive information should be fully accounted for, with maintenance of full
log and strict authentication control.

21.5. Before connecting removable media like USB drives, floppy or CDs, it shall be mandatory to check for
viruses and ensure that they are virus free.

21.6. All computer devices (laptops, PCs, workstations, tablets) used by officials should have antivirus protection
installed and updated.

21.7. Movement of media such as pen drives, CDs, mobiles, removable disks, notebook PCs, etc. shall be
controlled. Only authorized officials should be permitted to carry such media/equipment in or out.
Equipment allowed to be carried in or out should be properly marked or sealed so
that it can be identified by the Organization's security personnel.

21.8. Users must exercise caution when storing official/sensitive information on public cloud based storage
systems like Dropbox, Google Drive, etc.

22. Data Centre / Server Room Security Policy

22.1. Access to Data Centre / Server Room should be through access-controlled environment.

22.2. Proper environmental protection like fire protection systems, UPS infrastructure, backup power,
temperature control and monitoring systems should be established to ensure round the clock operations.

22.3. Servers should be managed as per server security policy.

22.4. Backup/Recovery system including Disaster Recovery should be in place as per an approved backup
procedure (procedure may vary between Centres/Units).

22.5. Classified printouts shall be properly secured to obviate unauthorised access.

23. Security Incident Handling

23.1. The team should provide reactive services related to security incidents like viruses, denial of service,
system malfunctioning (security related), and vulnerability analysis by establishing suitable mechanism
for user reporting or by monitoring of logs, alerts and by deploying intrusion detection systems.

23.2. If any security incident happens, it shall be reported to the ISO for necessary corrective action. Where
the ISO is of the opinion that the incident is of a serious nature, he shall immediately report the matter to
the Director of the respective Centre/Unit and, simultaneously, report the matter to the CISO, who shall
conduct further investigation and take remedial action as deemed necessary.


23.3. Severity classification and declaration:
Minor:

A security incident which does not disturb the normal operations of ITER-India.
Unsuccessful attempts which are not signs of future attacks.
Unintentional misuse of facilities by internal users.
A security incident which does not disturb the security of the data.

Major:

A security incident which impacts the Organization's normal operations.
A security incident which degrades the reputation of the Organization.
Successful unauthorized access to system(s)/network(s) which may impact the Organization's
operations in future.
A security incident which violates the security policy of ITER-India.
Unauthorized access attempts to the systems by an internal user.
DDoS attempts, port scans, sniffing and installation of software which is intrusive in nature by
unauthorized internal users.
Security alerts reported by the IDS.
Misuse of privileges by administrators.

23.4. Incident Handling Procedure:

Identify the attack.
Collect all information and evidence about the intrusion with the help of system logs, firewall and
IDS logs, and vendors.
Disconnect the compromised system from the network or shut down its services.
Take the appropriate remedial measures.
Reconnect the system to the network or restart the services.
Report the incident to the IT Security Committee for further action.

24. Disaster Recovery / Business Continuity Policy

24.1. All groups/divisions shall have established procedures for business continuity/disaster recovery. The IT
Security Committee shall identify mission critical IT services and the risks from disruption of such services,
and shall develop and implement procedures for minimizing disruption of critical services and loss of critical
data and for resuming timely operation of such services in case of a disaster, so as to enable continuity of
business in line with service level agreements. The procedure shall be tailored to meet the respective group's
requirements. The procedure shall clearly specify the minimum services that will be operational in case
of disasters and also specify the time frame of recovery from different types of disasters.

24.2. The Computer Division shall plan to set up a disaster recovery site to mitigate risks due to disasters.


24.3. At the minimum level, there shall be an established backup/recovery mechanism, details related to
critical information assets and contact information of System Managers / Administrators.

24.4. The Organization should have a Crisis Management Plan for critical infrastructure as recommended by CERT-In,
with details of the response mechanism and contingency plans.

25. IT Security Audit Policy

25.1. The IT Security Committee should periodically (at least quarterly) review the information security in the
Centre/Unit by way of conducting internal audits, awareness building and initiate steps to improve
information security in line with the IT Security Policy.

25.2. The Information Security Team shall conduct periodic audits (at least once a year) to detect and prevent
intrusion into information assets and to reveal usage that amounts to misuse or violation of policy
compliance. Audits may be conducted by experts:

25.2.1. To ensure confidentiality, integrity and availability of information by reviewing procedures and logs.

25.2.2. To investigate security incidents and ensure compliance of security policy.

25.2.3. To monitor system or user activity to prevent unauthorized access.

25.3. The Organization should conduct six-monthly audits and submit a report to the Competent Authority on
vulnerabilities detected and actions taken.

26. IT Security Policy Review Policy

The Organization should have an IT Security Policy prepared in line with ISO 27001 standards and as
per guidelines received from DAE (Department of Atomic Energy) and CERT-In (Indian Computer
Emergency Response Team). The policy should be reviewed once a year by an IT Security Committee
represented by top management, and changes made to the policy, if any.
