
Guidelines on Information and Cyber Security for Insurers

GUIDELINES ON INFORMATION AND CYBER SECURITY FOR INSURERS

Insurance Regulatory and Development Authority of India (IRDAI) Page 1 of 80



Table of Contents
1. Introduction ......................................................................................................................... 5
2. Vision and Objective ........................................................................................................... 7
3. Applicability ......................................................................................................................... 8
4. Terms & Definitions ............................................................................................................. 9
5. Enterprise Security ........................................................................................................... 10
5.1 Governance, Policy & Standards, Strategy ................................................................................ 10
5.2 Establishment of governance framework ................................................................................... 10
5.3 Chief Information Security Officer (CISO) .................................................................................. 10
5.4 Roles and responsibilities of CISO............................................................................................. 10
5.5 Information Security Committee (ISC) ....................................................................................... 11
5.6 Role of the Board....................................................................................................................... 12
5.7 Heads of functional Departments ............................................................................................... 12
5.8 Information Security Team ......................................................................................................... 12
5.9 Implementation .......................................................................................................................... 13
5.10 Conformance ........................................................................................................................... 15
5.11 Enforcement ............................................................................................................................ 15
5.12 Awareness............................................................................................................................... 16
5.13 Training ................................................................................................................................... 16
5.14 Identity and Access Management ............................................................................................ 17
5.15 Change Management .............................................................................................................. 18
5.16 Change Implementation ........................................................................................................... 19
5.17 Vendor/Third party Risk Management ..................................................................................... 19
5.18 Business Continuity Plan ......................................................................................................... 22
6. Information Asset Management ....................................................................................... 23
7. Physical and environmental security .............................................................................. 24
8. Human resource security ................................................................................................. 25
9. System acquisition, development and maintenance ..................................................... 26
10. Information Security Risk Management ........................................................................ 27
10.1 Managing Information Security Risk Assessment .................................................................... 27
10.2 Information Security Policy - Acceptable Use .......................................................................... 28
10.3 Business Continuity & Disaster Recovery Framework ............................................................. 29
11. Data Security ................................................................................................................... 31
11.1 Scheme of the data security policy .......................................................................................... 31
12. Application Security........................................................................................................ 34
12.1 Each application to have an owner. ......................................................................................... 34
12.2 Information security requirements analysis and specification ................................................... 35
12.3 Technical review of applications after operating platform changes........................................... 35
12.4 Secure system engineering principles ..................................................................................... 35
12.5 Secure development environment ........................................................................................... 36
12.6 Outsourced development ......................................................................................................... 36
12.7 System functionality and security testing ................................................................................. 36
12.8 Others ..................................................................................................................................... 37
13. Cyber Security ................................................................................................................. 38
13.1 Classification of Critical Systems and Cyber Security Incidents: .............................................. 38
13.2 Organization’s Cyber Resilience program ................................................................................ 38
13.3 Identification ............................................................................................................................ 38
13.4 Protection ................................................................................................................................ 39
13.5 Detection ................................................................................................................................. 39
13.6 Response and Recovery ......................................................................................................... 39
13.7 Testing .................................................................................................................................... 39
13.8 Situational Awareness ............................................................................................................. 40
13.9 Learning and Reporting ........................................................................................................... 40
14. Platform/Infrastructure Security .................................................................................... 41
14.1 Secure Configuration Documents & Periodic Assessments ..................................................... 41
14.2 Patch Management ................................................................................................................. 42
15. Network Security ............................................................................................................. 43
16. Cryptography & Key Management ................................................................................. 44
16.1 General directives on keys....................................................................................................... 44
16.2 Retention of electronic keys ..................................................................................................... 44
17. Security Logging & Monitoring ...................................................................................... 45
17.1 Logging & Monitoring ............................................................................................................... 45
18. Incident Management ...................................................................................................... 46
18.1 Incident Reporting & Escalation handling Processes & Procedures ......................................... 47
18.2 Review of the functioning of the preventive and detective controls .......................................... 47
19. Endpoint Security............................................................................................................ 48
19.1 Objective Endpoint Security ..................................................................................................... 48
19.2 Identity and access to end points ............................................................................................. 48
19.3 Network access control............................................................................................................ 48
19.4 Remote access ........................................................................................................................ 48
19.5 Application Control .................................................................................................................. 49
19.6 Device control .......................................................................................................................... 49
20. Virtualization ..................................................................................................................... 50
20.1 Access Control ........................................................................................................................ 50
20.2 Hardening of Operating Systems ............................................................................................. 50
20.3 Partitioning and resource allocation....................................................................................... 51
20.4 File Sharing ............................................................................................................................. 51
20.5 Back up ................................................................................................................................... 51
20.6 Monitoring................................................................................................................................ 51

21. Cloud Security ................................................................................................................. 52
21.1 Service Level Agreements ....................................................................................................... 52
21.2 Cloud Access Control .............................................................................................................. 53
21.3 Cloud Data Security ................................................................................................................. 53
22. Mobile Security ................................................................................................................ 55
22.1 Approved Devices/Services ..................................................................................................... 55
22.2 Incident Management: ............................................................................................................. 55
22.3 Remote Blocking and Remote Wiping ..................................................................................... 55
22.4 Network Access Control .......................................................................................................... 56
22.5 Mobile Data Security................................................................................................................ 56
23. Information System Audit ............................................................................................... 57
23.1 Eligibility & Selection of Auditor: .............................................................................................. 57
23.2 Scope/Type Audit: ................................................................................................................... 57
23.3 Frequency: .............................................................................................................................. 57
23.4 Executing IS Audit ................................................................................................................... 57
23.5 Reporting and Follow-up actions ............................................................................................. 57
23.6 Review..................................................................................................................................... 58
24. Legal References on Information and Cyber Security ................................................. 59
Annexure B: Legal references for Information and Cyber Security .................................. 60


1. Introduction

All insurers, regardless of size, complexity or lines of business, collect, store and share with
various third parties (e.g., service providers, reinsurers) substantial amounts of personal
and confidential policyholder information, including in some instances sensitive health-related
information.

Insurance repositories, call centers, Common Service Centers etc. also have access to
policyholders’ data.

While information sharing is essential for conducting business operations, it is equally essential
to ensure that adequate systems and procedures are in place to ensure that there is no leakage
of information and that information is shared only on a need-to-know basis.

Further, due to the rapid development of Information Technology, there are many challenges in
maintaining the confidentiality of information. Technology, even though it has many advantages,
brings risks with it like any other technology. With the fast growth of web-based applications,
the cyber threat landscape has been growing and there is concern across all sectors.
Cyber risks have grown and cyber criminals have become increasingly sophisticated. For
insurers, cyber security incidents can harm the ability to conduct business, compromise the
protection of personal and proprietary data, and undermine confidence in the sector. It is
observed that the level of awareness of cyber threats and cyber security within the insurance
sector, as well as supervisory approaches to combat the risks, appear to vary across
organizations.

Information obtained from regulated entities through cyber-crime may be used for financial gain
through extortion, identity theft, misappropriation of intellectual property or other criminal
activities. Exposure of personal data can potentially result in severe harm for the affected
policyholders, as well as reputational damage to insurance sector participants. Similarly,
malicious cyber-attacks against the critical systems of an insurer or insurance intermediary may
impede its ability to conduct business.


Such security-related issues have the potential to undermine public confidence and may lead to
reputational risk for insurers. Hence, it is essential to ensure that a uniform framework for
information and cyber security is implemented for insurers and that an in-built governance
mechanism is in place within the regulated entities, so that all such security-related issues
are addressed from time to time.


2. Vision and Objective

(i) To ensure that a Board approved Information and Cyber Security policy is in place with all
insurers.

(ii) To ensure that necessary implementation procedures are laid down by insurers for
Information and Cyber Security related issues.

(iii) To ensure that insurers are adequately prepared to mitigate Information and cyber security
related risks.

(iv) To ensure that an in-built governance mechanism is in place for effective implementation of
the Information and Cyber Security framework.


3. Applicability

These guidelines are applicable to all insurers regulated by the Insurance Regulatory and
Development Authority of India (IRDAI).

These guidelines are applicable to all data created, received or maintained by insurers in the
course of carrying out their designated duties and functions, wherever those data records are
located and whatever form they are in.

The “Control Check List” is provided in Annexure A.


4. Terms & Definitions

Admin – Administration
BCM/BCP – Business Continuity Management/Plan
BYOD – Bring Your Own Device
CA – Certification Authority
CCA – Controller of Certifying Authority
CERT-In – Computer Emergency Response Team - India
CCMP – Comprehensive Cyber Crisis Management Plan
CIO – Chief Information Officer
CIA – Confidentiality, Integrity and Availability
CISA – Certified Information Systems Auditor
CISO – Chief Information Security Officer
CRO – Chief Risk Officer
DDoS – Distributed Denial of Service
DISA – Diploma in Information Systems Audit
DLP – Data Loss Prevention
DR – Disaster Recovery
HR – Human Resource
IDS – Intruder Detection System
IMEI – International Mobile Equipment Identity
IPS – Intruder Prevention System
IRDAI – Insurance Regulatory and Development Authority of India
IRM – Information Risk Management
ISC – Information Security Committee
MAC – Media Access Control
NCIIPC – National Critical Information Infrastructure Protection Centre
NDA – Non-Disclosure Agreement
OEM – Original Equipment Manufacturer
Organization – Insurance company registered with IRDAI
PII – Personally Identifiable Information
SCD – Secure Configuration Document
SLA – Service Level Agreement
SOC – Security Operations Centre
SOP – Standard Operating Procedure
VLAN – Virtual Local Area Network
VM – Virtual Machine
VPN – Virtual Private Network


5. Enterprise Security
5.1 Governance, Policy & Standards, Strategy

The organization shall adopt, direct, monitor and communicate an information and cyber
security policy or policies (hereinafter referred to as the ‘IS Policy’), approved by the Board, in
order to ensure that the organization’s overall information security objective is achieved.

5.2 Establishment of governance framework

The Framework for information security governance shall be established by the organization.

5.3 Chief Information Security Officer (CISO)

Every organization shall appoint or designate a suitably qualified and experienced senior-level
officer exclusively as Chief Information Security Officer (CISO), who will be responsible for
articulating and enforcing the policies to protect the organization’s information assets.

5.4 Roles and responsibilities of CISO

a) Be responsible for articulating the Information and Cyber Security policy for the
organization.
b) Be responsible for providing advice and support to management and information
users in the implementation of Information and Cyber Security Policy.
c) Build and lead the information security team with appropriate competencies and
attitude to deliver the information security program.
d) Promote user awareness initiatives within the organization.
e) Propose Information and Cyber Security Policy to the ISC, incorporate feedback
on the implications of the policy from the ISC and other business areas into the
policy-making process.

The CISO shall report to the Head of Risk Management and will have a working relationship
with the CIO, in order to develop the rapport required to understand the IT infrastructure and
operations and to build effective security in IT across the organization, in tune with business
requirements and objectives. The organization shall ensure segregation of duties between
Information Security and IT operations.

5.5 Information Security Committee (ISC)

The organization shall form an Information Security Committee (ISC) headed by a senior level
executive with a reporting line to the Board to take overall responsibility for the information
security governance framework.

Members of ISC shall include functional heads from Operations, Information Technology, Legal,
Compliance, Finance, HR, Risk etc.

The Information Security Committee (ISC) shall:

a) Review and recommend to the Board necessary changes to the high-level IS
Policy. The Committee shall approve standards and procedures in line with the
Board-approved IS Policy. Individual business functions should create their SOPs
(in line with the above standards and procedures) and get them approved by the
respective functional heads.

b) Review and approve exceptions to the Information Security Policy; any significant
risk shall be reported to the Board. However, operational-level exceptions may be
approved by the respective business owner in consultation with the CISO.

c) Recommend changes to the constitution and functioning of the committee.

d) Review, discuss and direct information security risk mitigation (which includes
reporting security incidents) and ensure that risks are accurately reported and
appropriately dealt with.

e) Ensure compliance with regulatory and statutory requirements related to Information
Security.

f) Be responsible for ensuring the management of cyber security initiatives and incident
management.

g) Ensure that the information security governance framework is supported by an
information security assurance programme (Implementation Plan).

h) Report to the Risk Management Committee of the Board at least twice a year.

i) Have the CISO as its convener.

5.6 Role of the Board

The Board shall demonstrate its commitment by approving:

- The overall framework for the information and cyber security policy and strategy
- The information and cyber security assurance programme.

5.7 Heads of functional Departments

Each functional head shall provide leadership and sponsorship to the agreed security
program by driving it through the teams under their management and mandating
compliance. Individual functional heads will be responsible for the implementation of
information and cyber security management related policies.

5.8 Information Security Team

Organizations shall form a separate information security team to focus exclusively on
information security management. There should be segregation of duties between the officials
dealing exclusively with information systems security and the Information Technology
Division, which actually implements information security controls at the operational level. The
organization of the information security function should be commensurate with the nature
and size of the activities of the organization. The information security team should be
adequately resourced in terms of the number of staff, level of skills, and tools or techniques
such as risk assessment, security architecture, vulnerability assessment, forensic assessment, etc.
While the information security team, its functions and information security governance
related structures should not be outsourced, specific operational components relating to
information security may be outsourced if the required resources are not available within the
organization. However, the ultimate control and responsibility rests with the organization.

The Information Security team shall:

a) Develop and maintain the IS policy, standards, procedures and guidelines to support
the organization’s information security program.
b) Translate the information security program into specific actions which shall include
awareness, security infrastructure, security incident response and risk
management.
c) Work closely with IT and other functional teams and monitor implementation of
information security projects and controls for new or identified deficiencies.
d) Identify current and potential legal and regulatory issues affecting information
security and assess their impact in conjunction with legal and compliance team.
e) Act as consultants and advisors to different stakeholders for information security
matters.
f) Perform information security risk assessments on an ongoing basis and report any
significant risks to ISC.
g) Monitor information security incident management i.e. identification, response,
remediation and reporting.

5.9 Implementation
5.9.1 Technology/Operations/Admin/HR/ Functional teams shall –
a) Have primary responsibility for ensuring that appropriate and adequate security
mechanisms are provided in the systems and network infrastructure shared across
systems and business units.
b) Be responsible for agreeing to security classification of all infrastructure components
in agreement with the business owners.
c) Have primary ownership to comply with specific security policies, which will be
applicable for systems development and acquisition.
d) Be responsible for maintenance of the various security tools and solutions.
e) Be responsible for monitoring the security status of each system and network within its
control. Reports on weaknesses or breaches of security shall be made to the relevant
business owners or infrastructure owners and to the CISO, who shall in turn coordinate
the incident response.
f) Technology/Operations/Admin/HR/ functional teams shall designate a suitable and
qualified team member who will be responsible for reporting the incidents &
effectiveness of security control to CISO /Information Security Team/ CIO.
g) Legal Team — Legal Team is responsible for Engagement with Cyber security police
officials, lawyers and Government agencies as required. Necessary details with
regards to the incident are provided by information security team.
h) Users and Information Owners — System users and data owners are responsible for
the application of the policies relating to the systems, data, and other information
resources under their care or control. They are also responsible for reporting any
suspected cyber security incident to Information Security Team/IT Head.
5.9.2 Responsibilities of Business Owners:

Business owners shall

a) Hold the primary responsibility for defining the value and classification of assets
within their control by participating in the risk management process and
undertaking business impact assessment.

b) Be responsible for authorizing access and segregation of duties for individual users
and groups, including third parties, to the information contained within the applications.

c) Ensure that appropriate administration roles or teams exist for their applications to
administer access in accordance with the IS Policy.

d) Ensure implementation of and compliance with Information Security Policies as
applicable for their business units.

e) Be primarily responsible for the risk, data security and access of third-party partners
and vendors to whom a line of business has been outsourced.

f) Review, at a defined frequency, the self-assessment of third parties to whom a line of
business has been outsourced.

g) Be responsible for conducting security assessments and audits of third-party
processes/sites.

h) Define Information Security requirements for third parties in concurrence with the
Information Security team of the organization.

5.10 Conformance

Users of the following categories shall be responsible for complying with the IS Policy:

a) Senior management’s primary responsibility shall be to develop a clear, business-aligned
program for information security, assign roles and responsibilities, support the IS Policy
and provide sponsorship and budget to ensure it is successfully practised.

b) Information users’ primary responsibility shall be to practise information security by
working within the IS Policy and to report promptly any unusual, suspected or detected
attempts to breach security.

5.11 Enforcement

5.11.1 Internal Audit shall:

a) Maintain, within the organization’s internal audit plan, a separate IS audit plan covering
IT/technology infrastructure and applications. The audit plan and the reports shall be
presented to the Audit Committee of the Board.
b) Conduct audits of third parties/vendors handling critical data on a planned and ad hoc
basis to measure the effectiveness of the third-party security controls implemented.
c) Communicate and discuss all instances of non-compliance related to information security
with the relevant line management and the CISO.

5.11.2 CISO shall

a) Provide the management and users assistance in correcting deficiencies.
b) Bring significant issues of non-compliance to the attention of the ISC for review and
remediation.
c) Initiate or undertake an ongoing or ad hoc third-party review/assessment of a specific
function or product to measure the effectiveness of the controls implemented and
highlight any vulnerability that needs to be fixed.

5.11.3 Functional technology teams shall –

a) Be responsible for undertaking regular monitoring of the security status of each system
and network within their control.
b) Report weaknesses or breaches of security to the relevant business owners or
infrastructure owners and to the CISO, who shall be responsible for managing the incident
response.
c) Be responsible for driving endpoint system and server security.

5.12 Awareness
All stakeholders (employees, contract staff, etc.) shall be made aware of the organization’s
information security policies, procedures and guidelines, threat exposures, etc. They
should be aware of their roles and responsibilities and abide by them to reduce the risk of
human error.

5.12.1 Information Security Awareness:

a) Sufficient means, including technology, shall be employed to create an understanding,
familiarity and recognition of the business and information security objectives and
direction, as captured in the IS Policy, through communication to appropriate
stakeholders and users throughout the organization.
b) Educate vendors and employees on information security do’s and don’ts when using
technology facilities and delivery channels.
c) Provide general and specific information about cyber security risk trends, types or
controls, and make them aware of their responsibilities in relation to fraud prevention.

5.13 Training

The organization shall ensure that all personnel who are assigned information security
responsibilities are competent to perform the required tasks and are provided with regular training.

5.13.1 Information Security Training Goals

All employees and, where applicable, contract staff, third-party service providers and
vendors shall receive appropriate information security awareness training or periodic
updates, as relevant to their function, to ensure secure business operations.

5.14 Identity and Access Management

Identity management and access control arrangements shall be established to provide
effective and consistent user administration, establishing identity accountability and
authentication so that access to business applications, systems, networks and computing
devices is allowed only to authorized 'Users'.

5.14.1 Establish security and access control policies & procedures

a) Access control mechanisms should:

I. Limit access in line with access policies set by the owners of business applications and
systems.
II. Restrict the business application/system/network/computing device capabilities that can
be accessed (e.g. by providing menus/groups that enable access only to the particular
capabilities needed to fulfil a defined role).
III. Supplement passwords (e.g. by using strong authentication such as smartcards,
biometrics or tokens), if and when necessary.
IV. Minimize the need for special access privileges (e.g. User IDs that have additional
capabilities, such as 'Administrator', or special capabilities, such as User IDs that can be
used to authorize payments).
V. Require approval from the appropriate authority before access privileges to a business
application/system/network/computing device are granted, for both business users and
computer staff.
VI. Have a process for terminating the access of normal users as well as privileged users.
VII. Be reviewed on a periodic basis.
VIII. Maintain details of Business Owners, approvers and their delegated authority, which
shall be re-certified and updated periodically. The authorization process shall include a
process for granting emergency access.

b) Privileged access
Additional controls should be applied to special access privileges, including high-level
privileges (e.g. 'root' in Unix or 'Administrator' in Windows systems, powerful utilities and
privileges that can be used to authorize payments or perform financial transactions).

c) Authentication & password synchronization

All 'Users' shall be authenticated, at a minimum by using User IDs and passwords, before
they can gain access to target systems, to prevent unauthorized access to the
Organization's information assets.

d) Provisioning and de-provisioning

A repository of all users, including third parties, should be maintained.

5.14.2 Effective user group management –

a) Modifications/deletions:
i) Access shall be modified in a timely manner, as required, when 'Users' move internally.
ii) Access shall be revoked in a timely manner when 'Users' exit.
b) Re-certifications:
i) All user-IDs and their access rights shall be reviewed by the respective functional
business owner on a regular basis to avoid the existence of stray/orphan user accounts
and to ensure that access rights are granted on a need-to-know basis.
ii) The review shall include verification that the user's access rights and privileges are
still in line with job requirements.
c) Generic IDs:
i) Generic user-IDs/service IDs shall be avoided; where no alternative exists, they
shall be controlled and authorized by the Business/Asset Owner so that misuse does not
compromise user accountability.
ii) Privileged generic user-IDs shall allow the user to perform only the intended activities
for which the user-ID was created. Such IDs shall be authorized by Business/Asset
Owners.
d) Remote access:
i) Remote access to the Organization's infrastructure shall be highly restricted and
controlled to prevent unauthorized access to the Organization's infrastructure from
untrusted networks.
ii) 'Users' seeking to gain privileged access to the Organization's IT facilities via public or
other external networks shall do so via two-factor authentication.
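As an added example (not part of these guidelines), a Python check of the kind that can support the business owner's periodic review under 5.14.2: it compares an HR roster with an access-rights export and flags orphan IDs of exited or unknown users, access granted for a role the user no longer holds, generic IDs with no authorizing owner, and privileged remote access without two-factor authentication. The record fields, user IDs and system names are constructed assumptions, not data from any insurer.

```python
"""Periodic user-access re-certification check (added example, not part of the guideline).

Inputs are constructed sample data: an HR roster and an access-rights export.
In practice they would come from the HR system and the user repository of 5.14.1 d).
All field names below are assumptions made for this example.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class HrRecord:
    user_id: str
    role: str                          # current job role per HR
    exit_date: Optional[date] = None   # set when the user has left


@dataclass
class AccessRecord:
    user_id: str
    system: str
    privilege: str                     # "user" or "admin"
    granted_for_role: str              # job role the access was approved for
    generic: bool = False              # generic/service ID (5.14.2 c)
    owner: Optional[str] = None        # authorizing Business/Asset Owner for generic IDs
    remote_2fa: Optional[bool] = None  # None: no remote path; False: remote without 2FA


Finding = Tuple[str, str, str]  # (user_id, system, finding code)


def review_access(hr: List[HrRecord], access: List[AccessRecord],
                  review_date: date) -> List[Finding]:
    """Return the findings a business owner must act on during re-certification."""
    roster = {h.user_id: h for h in hr}
    findings: List[Finding] = []
    for a in access:
        if a.generic:
            # 5.14.2 c: a generic ID must have an authorizing owner on record
            if not a.owner:
                findings.append((a.user_id, a.system, "GENERIC_ID_WITHOUT_OWNER"))
            continue
        person = roster.get(a.user_id)
        if person is None or (person.exit_date and person.exit_date <= review_date):
            # 5.14.2 a ii / b i: ID unknown to HR, or the user has exited -> orphan account
            findings.append((a.user_id, a.system, "ORPHAN_ACCOUNT"))
            continue
        if person.role != a.granted_for_role:
            # 5.14.2 a i / b ii: access no longer matches the job requirement
            findings.append((a.user_id, a.system, "ROLE_CHANGED_SINCE_GRANT"))
        if a.privilege == "admin" and a.remote_2fa is False:
            # 5.14.2 d ii: privileged access over external networks needs two-factor auth
            findings.append((a.user_id, a.system, "PRIVILEGED_REMOTE_WITHOUT_2FA"))
    return findings


# Constructed sample data (not real users or systems)
SAMPLE_HR = [
    HrRecord("u1001", "claims_processor"),
    HrRecord("u1002", "it_admin"),
    HrRecord("u1003", "underwriter", exit_date=date(2024, 3, 31)),
]

SAMPLE_ACCESS = [
    AccessRecord("u1001", "core_policy", "user", "claims_processor"),
    AccessRecord("u1002", "core_policy", "admin", "it_admin", remote_2fa=True),
    AccessRecord("u1003", "core_policy", "user", "underwriter"),      # user has exited
    AccessRecord("u1004", "claims_db", "user", "claims_processor"),   # unknown to HR
    AccessRecord("u1001", "payments", "admin", "payments_approver", remote_2fa=False),
    AccessRecord("svc_batch", "batch_scheduler", "user", "n/a", generic=True),
    AccessRecord("svc_report", "reporting", "user", "n/a", generic=True, owner="finance_head"),
]

REVIEW_DATE = date(2024, 6, 30)


def run_sample_review() -> List[Finding]:
    """Run the review over the constructed sample and return its findings."""
    return review_access(SAMPLE_HR, SAMPLE_ACCESS, REVIEW_DATE)


if __name__ == "__main__":
    for user_id, system, code in run_sample_review():
        print(f"{code:30} {user_id:10} {system}")
```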

5.15 Change Management

Changes to business applications, computer systems and networks shall follow a change
management process covering associated risks, change authorization, business continuity
and impact.
a. A change management process shall be established which covers all types of change
(e.g. upgrades and modifications to applications and software, modifications to business
information, emergency 'fixes' and changes to computer systems and networks).
b. The change management process shall be documented, and shall include approving and
testing changes to ensure that:
i) They are made correctly and securely.
ii) They do not compromise security controls.
iii) No unauthorized changes have been made and only approved changes are
released into production.
iv) Version control is maintained so that changes can be rolled back if required.
v) Only authorized persons are allowed to make changes on the production system.

5.16 Change Implementation

a) There shall be an implementation plan for executing a change that includes, but is not limited to:
i) Implementation steps
ii) Downtime requirements/project plan
iii) Test plan
iv) Roll-back plan
b) All changes shall be monitored and reviewed for successful implementation and documented;
they shall:
i) Be performed by skilled and competent individuals who are capable of making changes
correctly and securely. Developer and Release Manager/Deployment team access
should be segregated.
ii) Be signed off by the appropriate business owners.
iii) Have a record of version control capturing what was changed, when and by whom.
iv) Have details communicated to the relevant individuals, with checks performed to confirm
that only the intended changes have been made.
v) Ensure that documents associated with computer systems and networks are updated.
c) Adequate controls shall be implemented to ensure data integrity and confidentiality during/after
data migration, and its completeness shall be verified.
d) Digital records created are to be adequately preserved over time and shall remain accessible and
functional, even over successive changes in technology.

5.17 Vendor/Third Party Risk Management

Information security requirements shall be considered at all stages of a relationship with
third parties/vendors that have access to or handle the organization's systems/data.

5.17.1 External party management

There shall be a process for managing the security of relationships with external parties. The
vendor risk management process shall involve the information security function, and include:
i. Agreeing security arrangements (e.g. based on business security requirements, the nature
of the relationship with the third party and compliance needs) for each external party with
the security team.
ii. All arrangements with external parties/vendors shall have a well-defined service level
agreement (SLA) that shall specify information security requirements and controls,
service levels and the liability of suppliers in case of SLA violations, non-mitigation of IS
vulnerabilities, IS incidents etc. The external party shall demonstrate compliance with all SLA
requirements.
iii. Validating security arrangements for each vendor.
iv. Handling termination of a relationship with a vendor.
v. Sub-contracting arrangements, which should cover due diligence aspects.
vi. Right to audit/inspection.
However, the ultimate responsibility lies with the organization.

5.17.2 Addressing risks related to external parties

The risks to the Organization's information and related information processing facilities from
business processes involving external parties shall be identified and appropriate controls
implemented in the following scenarios.

5.17.2.1 Prior to Engagement

i) External parties shall be subject to a relationship assessment (sometimes referred to
as a due diligence review), which shall cover:
a) Dealings with the said party (e.g. details of provider history, previous and current
business arrangements and dispute information)
b) Contract requirements, which shall include non-disclosure agreements, sub-contracting, roles
and responsibilities, termination clauses and the right to inspect/audit by the
Organization, law enforcement agencies and regulating agencies including IRDAI
c) The third party's demonstrable level of maturity in relation to information security and its
degree of commitment to information security, assessed via a self-assessment checklist
covering its maturity in the area
ii) A risk assessment shall be conducted to determine the risks involved in granting third
parties access to the Organization's information/information systems.
iii) The list of security controls to be implemented shall be determined based on the type
of engagement and the nature of the information sharing requirement.
iv) Data should be shared ONLY on a "need to know" basis.

5.17.2.2 During Engagement

Security performance and access management:

i. Confidentiality and non-disclosure agreements with third parties shall be reviewed
periodically and whenever the service terms and conditions are changed.
ii. Access management for third parties, including the granting of access and the review of user
access rights, shall be periodically assessed and changed as applicable.
iii. In the case of third parties, including call centre operations, the operating system shall be
hardened to prevent data leakage.
iv. External party internal controls review:
a) External parties requiring a review of internal controls shall be identified on a periodic
basis.
b) Review findings shall be communicated to the external party and corrective action shall
be monitored.

5.17.2.3 Termination or renewal of Engagement

i) A consistent method for securely handling the termination of relationships with external
parties shall be established, which shall include:
a) Designating individuals responsible for managing the termination
b) Revocation of physical and logical access rights to the organization's information
c) Return, transfer or secure destruction of assets (e.g. back-up media/storage,
documentation, hardware and data)
d) Coverage of license agreements and intellectual property rights
ii) In case of renewal, revisit the security considerations in line with the "Prior to
Engagement" scenario.

5.18 Business Continuity Plan

Alternative (contingency) arrangements shall be established to ensure that the organization's
business processes can continue in the event that the external party is not available (e.g. due
to contract termination, a disaster, a dispute with the external supplier, or the entity ceasing
its operations). These arrangements shall be based on the results of a risk assessment and
shall cover:
i. The provision of alternative, secure facilities for business processes to continue.
ii. Evaluation by the organization of escrow arrangements for information systems source
code and for end-of-support/proprietary technologies (e.g. application source code and
cryptographic keys), using a trusted external party, such as a legal representative, lawyer
or equivalent.
iii. Recovery arrangements to ensure continued availability of information stored at an
outsourced provider.
iv. Alignment with the organization's business continuity program.

6. Information Asset Management

Objective: To identify organizational assets, and define appropriate protection and responsibilities.

Assets associated with information and information processing facilities should be identified and
an inventory of these assets should be drawn up and maintained. The asset inventory should
be accurate and up to date.

For each of the identified assets, ownership of the asset should be assigned and the
classification should be identified.

The asset owner should:

a. Ensure that assets are inventoried;
b. Ensure that assets are appropriately classified and protected;
c. Define and periodically review access restrictions and classifications to important assets,
taking into account applicable access control policies;
d. Ensure proper handling when the asset is deleted or destroyed.

All employees and external party users should return all of the organizational assets in their
possession upon termination of their employment, contract or agreement.

The termination process should be formalized to include the return of all previously issued
physical and electronic assets owned by or entrusted to the organization.

In cases where an employee or external party user purchases the organization’s equipment or
uses their own personal equipment, procedures should be followed to ensure that all relevant
information is transferred to the organization and securely erased from the equipment.

An appropriate set of procedures for information labeling should be developed and implemented
in accordance with the information classification scheme adopted by the organization.

Media should be disposed of securely when no longer required, using formal procedures.


7. Physical and environmental security

Objective: To prevent unauthorized physical access, damage and interference to the
organization's information and information processing facilities.

Security perimeters should be defined and used to protect areas that contain either sensitive or
critical information, and information processing facilities.

Physical barriers should, where applicable, be built to prevent unauthorized physical access.

Surveillance systems shall be in place and regularly monitored to cover all major areas.

Secure areas should be protected by appropriate entry controls to ensure that only authorized
personnel are allowed access.

Access rights to secure areas should be regularly reviewed and updated, and revoked when
necessary.

Appropriate controls shall be implemented to manage calamities like fire, flood, earthquake,
explosion, civil unrest and other forms of natural or man-made disaster.

Mock drills shall be conducted periodically to test the effectiveness of the controls.

IT equipment should be protected from power failures and other disruptions caused by failures
in supporting utilities.

Users should ensure that unattended equipment has appropriate protection.

Computers and mobile devices should be secured against unauthorized use by a key lock or an
equivalent control (e.g. password access) when not in use.

A clear desk policy for papers and removable storage media and a clear screen policy for
information processing facilities should be adopted.


8. Human resource security

Objective: To ensure that employees and contractors understand their responsibilities and are
suitable for the roles for which they are considered.

Background verification checks on all candidates for employment should be carried out in
accordance with relevant laws, regulations and ethics and should be proportional to the
business requirements, the classification of the information to be accessed and the perceived
risks.

Information security roles and responsibilities should be communicated to job candidates during
the pre-employment process.

A code of conduct may be used to state the employee’s or contractor’s information security
responsibilities regarding confidentiality, data protection, ethics, appropriate use of the
organization’s equipment and facilities, as well as reputable practices expected by the
organization.

Awareness, education and training activities should be suitable and relevant to the individual’s
roles, responsibilities and skills.

There should be a formal and communicated disciplinary process in place to take action against
employees who have committed an information security breach.


9. System acquisition, development and maintenance

Objective: To ensure that information security is an integral part of information systems across
the system development lifecycle.

Identification and management of information security requirements and associated processes
should be integrated in the early stages of information systems projects. Early consideration of
information security requirements, e.g. at the design stage, can lead to more effective and
cost-efficient solutions.

Criteria for accepting products (software & solutions) should be defined e.g. in terms of their
functionality, which will give assurance that the identified security requirements are met.
Products should be evaluated against these criteria before acquisition.


10. Information Security Risk Management

Objective: To enable individuals who are responsible for target environments to identify key
information risks and determine the controls required to keep those risks within acceptable
limits.

Policy, Procedure and Guidelines: The Organization should have a risk management program
to undertake information security risk assessments for target environments (e.g. critical business
environments, business processes, business applications, computer systems and networks) on
a periodic basis.

10.1 Managing Information Security Risk Assessment

10.1.1 There shall be formal, documented standards/procedures for performing information risk
assessments which apply across the organization. The standards/procedures shall cover:
a. The need for information security risk assessment
b. The types of target environment that would be assessed for information risks, e.g. IT
applications, hardware and software, vendors, etc.
c. The circumstances in which information risk assessments will be performed
d. The individuals that need to be involved and their specific responsibilities – business owners,
experts in risk assessment, IT, etc.
e. The method of managing and mitigating the results of information risk assessments

10.1.2 Results from information security risk assessments conducted across the organization
are to be:

a. Reported to business owners and senior management or equivalent
b. Used to help in the information security program
c. Integrated with wider risk management activities
d. Establish Information Security Risk Management
e. Define the scope of Information Risk Management (IRM)
f. Define a systematic approach to risk assessment
g. Identify the risks to assets within the scope of IRM
h. Assess the risks, and identify and evaluate options for the treatment/remediation of risks
i. Select control objectives and controls for the treatment of risk
j. Implement and Operate Information Risk Management
k. Formulate and implement a risk treatment plan
l. Implement the controls selected to meet the control objectives
m. Manage the IRM-related operations and resources
n. Implement procedures and other controls to detect and respond to security incidents
o. Monitor and Review Information Risk Management

10.1.3 Execute monitoring procedures and other controls to:

a. Detect errors in the results of processing promptly
b. Identify failed and successful security breaches and incidents promptly
c. Enable management to determine whether the security activities delegated to people or
implemented by information technology are performing as expected
d. Determine the actions taken to resolve a breach of security, reflecting business priorities
e. Undertake regular reviews of the effectiveness of the IRM work plan
f. Review the level of residual risk and acceptable risk
g. Maintain and Improve Information Risk Management
h. Implement the identified improvements in the IRM work plan
i. Take appropriate corrective and preventive actions
j. Communicate the results and actions to concerned teams and consult with CISO on
improvement plans
k. Ensure that the improvements achieve their intended objective

10.2 Information Security Policy - Acceptable Use

Information, regardless of its form, is a valuable asset for the organization. The objective of the
information security policy is to ensure the confidentiality, integrity and availability of information
and to instill a security culture among all employees that supports the organization's information
security policy and information security strategy. The information security policy shall cover
elements on acceptable use for end users, which will help build a secure environment across the
organization.
The acceptable use policy shall cover:
• Information classification and labeling
• Password management
• Endpoints (desktop/laptop and mobile devices)
  o Standard configuration disabling vulnerable services and resources
  o Virus/malware protection
  o Controls to prevent installation of unauthorized/non-standard software
• Logical access
• Clear desk
• Internet access policy
• Email policy
• Usage of external/portable storage devices
• Instant messaging and social media
• Remote access
• Wireless access

10.3 Business Continuity & Disaster Recovery Framework

10.3.1 Business continuity policy & management

a. The Organization shall have a business continuity policy, with clearly identified
responsibilities.
b. BCP should be a key aspect of the Organization's risk management.
c. The policy shall be communicated to all persons involved with or responsible for
business continuity at various levels in the Organization.
d. The policy shall be reviewed periodically or in case of any significant changes.
e. Necessary resources, such as work area and manpower, are to be provided for effective
BC implementation and operation.
10.3.2 Business continuity awareness
a. The BC policy is to be communicated to and made available to employees.
b. Staff training programs are to be conducted for the concerned employees.
10.3.3 The BCP should contain the following:
a. Business impact analysis
b. Business continuity strategy/plan
c. Emergency response plan
d. BCP testing reports
10.3.4 A business impact analysis is to be conducted to identify the critical business processes,
the resources needed to support them and the impact, measured in time, in case of
unavailability.
10.3.5 There shall be a defined method for determining the impact of any disruption to key
business processes.
10.3.6 The Organization shall identify suitable business continuity arrangements to recover
identified critical activities within an acceptable time.
10.3.7 Supporting (non-critical) systems or processes required at DR should be identified and
their recovery planned with acceptable tolerance levels.
10.3.8 The Organization shall develop an emergency response structure that will manage
incidents and ensure continuity of its critical activities.
10.3.9 The Organization shall validate the ongoing effectiveness of its business continuity
planning via periodic testing and prepare a report of the exercise, outcome and learning,
including required actions.
10.3.10 Management shall review the Organization's business continuity
preparedness at planned intervals or when significant changes occur.

11. Data Security

Objective: Organizations shall recognize that the efficient management of their data security is
necessary to support their core functions, to comply with their statutory and regulatory obligations
and to contribute to effective overall management.

Scope: Organizations need to define and implement procedures to ensure the confidentiality,
integrity, availability and consistency of all data stored in different forms. These guidelines are
applicable to all information/records/data created, received or maintained by all permanent and
temporary employees and consultants (collectively "the employees"), third-party vendors of the
organization and business distributors who have access to the organization's data, wherever
these data records are and whatever form they are in, in the course of carrying out their designated
duties and functions.

11.1 Scheme of the data security policy

An overview of recent megatrends, such as emerging consumerization, the rise of cloud computing,
the increased importance of business continuity, the enhanced persistence of cybercrime and
increased exposure to internal threats, shows that data protection will continue to be a significant
challenge for organizations, resulting in increasing data risk.
Information as data has a natural lifecycle, from creation and origination through storage,
processing, use and transmission to its eventual destruction or decay. The value of, and risks
to, data assets may vary during their lifetime, but data security remains important to some extent
at all stages.
Hence, at every stage of the data life cycle, organizations shall ensure due care for the
confidentiality, integrity and availability of data. The following data security controls are to be
considered:
• Consistency and accuracy of data entered into the system should be verified through a
maker-checker process wherever applicable. There should be a process to ensure that
such maker/checker functions for conflicting roles follow segregation of duties and that the
same user cannot perform both functions.
• An audit trail of critical data access shall be maintained. Audit trails should be secured to
ensure the integrity of the information captured, including the preservation of evidence.
Retention of audit trails should be in line with business, regulatory and legal
requirements.
• Access should be provided on a "need to know" or "least privilege" basis to ensure that only
necessary personnel (employees) have access to essential systems, and this access should
be reviewed periodically.
• For data generated/created on paper, the user shall ensure that it follows the data
classification policy, store it in a safe place in the office and maintain the CIA of the data.
• Organizations should have a process to verify job application information for all new
employees. Organizations should verify that contractors are also subject to similar
screening procedures.
• When deciding upon the protection of specific organizational data records, their
corresponding classification, based on the organization's classification scheme, should be
considered. Once the data is classified, it shall be the responsibility of users to ensure
that adequate controls are followed as per policy, and an inventory of critical data storage
locations shall be identified and documented.
• In order to secure business-sensitive/critical data, a mechanism to identify critical data
based on its impact on the business shall be defined.
• Regular awareness programs on the handling of critical data and on data classification
levels shall be imparted to users.
• A confidentiality undertaking shall be obtained from users.
• Critical data on laptops and other mobile devices shall be protected to avoid
disclosure of data in case of loss of the laptop or other device.
• There should be secure storage of media. Controls could include physical and
environmental controls such as fire and flood protection, limiting access by means such as
physical locks, keypads, passwords, biometrics, etc., labeling, and logged access.
• Cryptographic/password management techniques need to be used to control access to
critical and sensitive data/information in transit and in storage.
• Sensitive data that is required to be sent to an outsourced service provider or third party for
business purposes shall be approved by the information/business owner, and controls
shall be designed to ensure that the data is not misused by the third party (e.g. NDA,
rights-protected email).
• Adequate controls to maintain data integrity and confidentiality while data is being
archived shall be maintained. When archived in storage, the data should have proper
access controls.
Disposal mechanisms should ensure the effective destruction of data. Such mechanisms
include digital file shredding, degaussing (i.e. the process of demagnetizing magnetic media to
erase recorded data) and physical destruction of storage media (e.g. pulverization, incineration
or shredding). Reformatting may also be used as a method of destruction if it can be guaranteed
that the process cannot be reversed. To ensure the complete destruction of a digital record, all
extant copies should be located and destroyed. This includes removing and destroying copies
contained in system backups and offsite storage.
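
As an added example (not part of these guidelines), a Python implementation of the maker-checker and audit-trail controls listed above: the same user cannot both make and check an entry, every action is logged with who, when, what and where, and the log is hash-chained with SHA-256 so that later edits to stored entries are detectable. Hash-chaining is one approach chosen here, not one the guidelines prescribe; the users, entry identifiers and workstation names are constructed.

```python
"""Maker-checker entry with a tamper-evident audit trail (added example, not from the guideline).

Constructed scenario: a claim-payment entry is made by one user and must be approved
by a different user.  Each action is appended to an audit trail whose entries are
chained with SHA-256; hash-chaining is an assumption of this example, one way of
"securing the audit trail to ensure integrity".
"""
import hashlib
import json
from datetime import datetime, timezone
from typing import Any, Dict, List, Optional

GENESIS = "0" * 64  # chain anchor for the first audit entry


class SegregationOfDutiesError(Exception):
    """Raised when the checker is the same user as the maker."""


class AuditTrail:
    """Append-only who/when/what/where log; each entry carries the hash of the previous one."""

    def __init__(self) -> None:
        self.entries: List[Dict[str, Any]] = []
        self._last_hash = GENESIS

    @staticmethod
    def _digest(body: Dict[str, Any]) -> str:
        # Canonical JSON so identical content always hashes identically
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, who: str, what: str, where: str,
               details: Optional[Dict[str, Any]] = None) -> str:
        body = {
            "who": who,
            "when": datetime.now(timezone.utc).isoformat(),
            "what": what,
            "where": where,            # system/workstation the action came from
            "details": details or {},
            "prev": self._last_hash,   # links this entry to its predecessor
        }
        digest = self._digest(body)
        body["hash"] = digest
        self.entries.append(body)
        self._last_hash = digest
        return digest

    def verify(self) -> bool:
        """Recompute the chain; an edited, removed or reordered entry breaks it."""
        prev = GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev or self._digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


class MakerChecker:
    """Two-person control: an entry takes effect only after a different user checks it."""

    def __init__(self, trail: AuditTrail) -> None:
        self.trail = trail
        self.pending: Dict[str, Dict[str, Any]] = {}
        self.approved: Dict[str, Dict[str, Any]] = {}

    def make(self, maker: str, entry_id: str, payload: Dict[str, Any], where: str) -> None:
        self.pending[entry_id] = {"maker": maker, "payload": payload}
        self.trail.record(maker, f"MAKE {entry_id}", where, payload)

    def check(self, checker: str, entry_id: str, where: str) -> None:
        entry = self.pending[entry_id]
        if checker == entry["maker"]:
            # Log the attempt too: a user approving their own entry is itself a security event
            self.trail.record(checker, f"REJECTED_SELF_CHECK {entry_id}", where)
            raise SegregationOfDutiesError(f"{checker} cannot check own entry {entry_id}")
        self.approved[entry_id] = self.pending.pop(entry_id)
        self.trail.record(checker, f"CHECK {entry_id}", where, {"maker": entry["maker"]})


def run_sample() -> Dict[str, Any]:
    """Walk a constructed claim-payment entry through the control and return the outcomes."""
    trail = AuditTrail()
    control = MakerChecker(trail)
    control.make("u1001", "PAY-0001", {"claim_id": "CLM-7731", "amount_inr": 250000}, "claims-ws-12")
    try:
        control.check("u1001", "PAY-0001", "claims-ws-12")   # maker tries to approve own entry
        self_check_blocked = False
    except SegregationOfDutiesError:
        self_check_blocked = True
    control.check("u1002", "PAY-0001", "claims-ws-04")       # a different user approves
    intact_before = trail.verify()
    # Simulate after-the-fact editing of the stored amount in the trail
    trail.entries[0]["details"]["amount_inr"] = 25000000
    return {
        "self_check_blocked": self_check_blocked,
        "approved": "PAY-0001" in control.approved,
        "trail_intact_before_tamper": intact_before,
        "trail_intact_after_tamper": trail.verify(),
        "trail_length": len(trail.entries),
    }


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```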


12. Application Security

Objective: To ensure that information security is an integral part of information systems across
the entire lifecycle, including the requirements for information systems which provide
services over public networks.

The following are the important application controls and risk mitigation measures which should
be considered for implementation by the Organization:
12.1 Each application shall have an owner.

Some of the roles of application/business owners shall include:

a) Prioritizing any changes to be made to the application and authorizing the changes
b) Deciding on data classification/de-classification and archival/purging procedures for the
data pertaining to an application as per relevant policies/regulatory/statutory
requirements in agreement with business owners
c) Ensuring that adequate controls are built into the application through active involvement
in the application design, development, testing and change process
d) Ensuring that the Change Management process is followed for any changes in the
application
e) Ensuring that the application meets the business/functional needs of the users
f) Ensuring that the security of the application has been reviewed
g) Taking decisions on any new applications to be acquired / developed or any old
applications to be discarded
h) Informing the information security team regarding purchase of an application and
assessing the application based on the security policy requirements
i) Ensuring that the new applications being purchased/developed follow the Information
Security policy
j) Ensuring that logs or audit trails, as required, are enabled and monitored for the
applications. Logs should at least meet who-when-what-where criteria based on
criticality.
k) Maintain last login details for all internet portal applications
l) Ensure review of access and roles are conducted periodically

12.2 Information security requirements analysis and specification
a) The information security related requirements are included in the requirements for the
development of the new information systems or enhancements in the existing information
systems
b) Besides business functionalities, security requirements relating to system access control,
authentication, transaction authorization, data integrity, system activity logging, audit trail,
security event tracking and exception handling are required to be clearly specified at the
initial stages of system development/acquisition
c) There should be a proper linkage between a change request and the corresponding action
taken
d) Any changes to an application system/data need to be justified by genuine business need
and approvals supported by documentation and subjected to a robust change
management process.

12.3 Technical review of applications after operating platform changes


When operating platforms are changed, business critical applications are to be reviewed and tested
to ensure that there is no adverse impact on organizational operations or security.

12.4 Secure system engineering principles


a. Principles for engineering secure systems shall be established, documented, maintained
and applied to any information system implementation efforts
b. There should be documented standards/procedures for administering the application and
updated periodically
c. Potential security weaknesses / breaches should be identified. There should be
measures to reduce the risk of theft, fraud, error and unauthorized changes to information
through measures like supervision of activities and segregation of duties
d. Applications must not allow unauthorized entries to be updated in the database. Similarly,
applications must not allow any modifications to be made after an entry is authorized.
Any subsequent changes must be made only by reversing the original authorized entry
and passing a fresh entry.
e. Robust input validation, processing and output controls need to be built into the
application. Validation should be enforced on the server side for all critical pages (not only
in the browser) so that injection and parameter-manipulation attacks are minimized and
data cannot be altered at source
f. Critical Applications to provide for, logging unsuccessful logon attempts, access to
sensitive options in the application, e.g., master record changes, granting of access
rights, use of system utilities, changes in system configuration, etc.
g. The audit trails need to be stored as per a defined period as per any
internal/regulatory/statutory requirements and it should be ensured that they are not
tampered with
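The rules in (c), (d) and (g) above, together with the who-when-what-where trail in 12.1(j), can be enforced in code rather than left to procedure. The following is an added illustration, not part of these guidelines and not any insurer's or vendor's system: a small append-only journal in Python in which an entry may be amended only until it is authorized, a maker may not authorize his own entry, a correction to an authorized entry is a reversal plus a fresh entry, and every action is written to a hash-chained audit trail so that later edits to the trail are detectable. Policy numbers, user names, IP addresses and amounts are hypothetical.

```python
# Added example, not part of the IRDAI guideline: an append-only journal that
# enforces "reverse and re-post" for authorized entries, maker/checker
# authorization, and a hash-chained who/when/what/where audit trail.
# All names, amounts and addresses below are hypothetical.
from dataclasses import dataclass, replace
from datetime import datetime, timezone
from decimal import Decimal
from typing import Optional
import hashlib


class LedgerError(Exception):
    """Raised when an operation would break the authorization rules."""


@dataclass(frozen=True)
class Entry:
    entry_id: int
    policy_no: str
    amount: Decimal
    maker: str
    reverses: Optional[int] = None  # id of the authorized entry this one cancels


@dataclass(frozen=True)
class AuditRecord:
    who: str
    when: str
    what: str
    where: str
    prev_hash: str
    digest: str


def _digest(who: str, when: str, what: str, where: str, prev_hash: str) -> str:
    return hashlib.sha256("|".join([who, when, what, where, prev_hash]).encode()).hexdigest()


class Journal:
    """Entries may be amended only until authorized; afterwards only reversed."""

    def __init__(self) -> None:
        self._entries: dict[int, Entry] = {}
        self._authorized: set[int] = set()
        self._audit: list[AuditRecord] = []
        self._next_id = 1

    def _log(self, who: str, what: str, where: str) -> None:
        prev = self._audit[-1].digest if self._audit else "0" * 64
        when = datetime.now(timezone.utc).isoformat()
        self._audit.append(AuditRecord(who, when, what, where, prev, _digest(who, when, what, where, prev)))

    def verify_audit_chain(self) -> bool:
        """Recompute the hash chain; any edited or removed record breaks it."""
        prev = "0" * 64
        for r in self._audit:
            if r.prev_hash != prev or r.digest != _digest(r.who, r.when, r.what, r.where, prev):
                return False
            prev = r.digest
        return True

    def post(self, policy_no: str, amount: str, maker: str, where: str) -> int:
        entry = Entry(self._next_id, policy_no, Decimal(amount), maker)
        self._entries[entry.entry_id] = entry
        self._next_id += 1
        self._log(maker, f"post entry {entry.entry_id} {policy_no} {entry.amount}", where)
        return entry.entry_id

    def amend(self, entry_id: int, amount: str, by: str, where: str) -> None:
        if entry_id in self._authorized:
            raise LedgerError(f"entry {entry_id} is authorized; reverse it and post afresh")
        self._entries[entry_id] = replace(self._entries[entry_id], amount=Decimal(amount))
        self._log(by, f"amend entry {entry_id} to {Decimal(amount)}", where)

    def authorize(self, entry_id: int, checker: str, where: str) -> None:
        if checker == self._entries[entry_id].maker:
            raise LedgerError("maker may not authorize own entry (segregation of duties)")
        self._authorized.add(entry_id)
        self._log(checker, f"authorize entry {entry_id}", where)

    def correct(self, entry_id: int, new_amount: str, by: str, where: str) -> tuple[int, int]:
        """Correct an authorized entry: a reversal plus a fresh entry, both awaiting authorization."""
        if entry_id not in self._authorized:
            raise LedgerError("unauthorized entries are amended, not reversed")
        if any(e.reverses == entry_id for e in self._entries.values()):
            raise LedgerError(f"entry {entry_id} has already been reversed")
        old = self._entries[entry_id]
        rev = Entry(self._next_id, old.policy_no, -old.amount, by, reverses=entry_id)
        self._entries[rev.entry_id] = rev
        self._next_id += 1
        self._log(by, f"reverse entry {entry_id} via entry {rev.entry_id}", where)
        return rev.entry_id, self.post(old.policy_no, new_amount, by, where)

    def balance(self, policy_no: str) -> Decimal:
        """Only authorized entries count."""
        return sum((e.amount for i, e in self._entries.items()
                    if i in self._authorized and e.policy_no == policy_no), Decimal(0))


def demo() -> dict:
    """post -> authorize -> blocked amend -> reverse and re-post -> tamper check."""
    j = Journal()
    e1 = j.post("POL-0001", "1000.00", "maker1", "10.0.0.5")
    j.authorize(e1, "checker1", "10.0.0.9")
    try:
        j.amend(e1, "900.00", "maker1", "10.0.0.5")
        amend_blocked = False
    except LedgerError:
        amend_blocked = True
    rev, fresh = j.correct(e1, "900.00", "maker1", "10.0.0.5")
    before = str(j.balance("POL-0001"))  # reversal and fresh entry not yet authorized
    j.authorize(rev, "checker1", "10.0.0.9")
    j.authorize(fresh, "checker1", "10.0.0.9")
    after = str(j.balance("POL-0001"))
    chain_ok = j.verify_audit_chain()
    j._audit[0] = replace(j._audit[0], what="post entry 1 POL-0001 1.00")  # simulate tampering
    return {"amend_blocked": amend_blocked, "before": before, "after": after,
            "chain_ok": chain_ok, "tamper_detected": not j.verify_audit_chain()}
```

The balance ignores entries that are not yet authorized, so the reversal and the fresh entry change nothing until a second person approves them; the hash chain makes the trail tamper-evident but not tamper-proof, so in practice the records would also be shipped to write-once storage or a central log collector as section 17 requires.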

12.5 Secure development environment


a. Organizations shall establish and appropriately protect secure development
environments for system development and integration efforts that cover the entire system
development life-cycle
b. The development, test and production environments need to be properly segregated, any
exceptions to be signed off by the ISC.
c. Access should be based on the principle of least privilege and “need to know”
commensurate with the job responsibilities. Adequate segregation of duties needs to
be enforced

12.6 Outsourced development


The IT/Business team should review the activity of outsourced system development. The
Organization may obtain application integrity statements in writing from the application
system vendors, providing a reasonable level of assurance that the application is free
of malware at the time of sale, free of any obvious bugs, and free of any covert channels in the
code (for the version of the application being delivered as well as any subsequent
versions/modifications).

12.7 System functionality and security testing


Testing of security functionality to be carried out

a. All application systems to be tested during the implementation in a robust manner regarding
functionality controls to ensure that they satisfy business policies/rules of the organization
and regulatory and legal prescriptions/requirements
b. Robust system-based controls need to be built into the system, thereby reducing the
reliance on manual controls
c. All applications to be tested for security controls to check for known vulnerabilities initially
and during major changes.
d. Before the system is live, there should be clarity on the audit trails and the specific fields that
are required to be captured as part of audit trails and an audit trail or log monitoring process
including personnel responsible for the same.


12.8 Others
a. Direct back-end updates to database should not be allowed except during exigencies,
with a clear business need and after due authorization as per the relevant policy.
b. Applications should be configured to logout the users after a specific period of inactivity
c. There should be suitable interface controls in place to prevent any unauthorized
modification
d. Establish a suitable backup policy for the application


13. Cyber Security


Objective: To raise awareness and provide guidelines to organizations for addressing cyber
security and related risks to the insurance sector and the mitigation of such risks.

13.1 Classification of Critical Systems and Cyber Security Incidents:


Systems should be classified into categories based on criticality, and cyber security incidents
based on severity.

13.2 Organization’s Cyber Resilience program


The varied challenges presented by cyber risk should be met with a broad response by insurers
and Insurance Intermediaries. Appropriately high-level management’s attention is a necessity,
as is an effective governance structure able to understand, prevent, detect, respond to, and
address Cyber security incidents. In addition, a well-functioning cyber security management
program consistent with cyber resilience best practices should be in place and verified through
supervisory review. As described below, this level of response is consistent with the Insurance
Core Principles.

To be effective, cyber security needs to be addressed at all levels of an institution. Generally, a
cyber-security management program includes on-going process and control improvements,
incident management procedures such as response and disaster recovery, state-of-the-art
network policies and procedures, rigorous management and control of user privileges, secure
configuration guidance, appropriate malware protection procedures, consistent control of
removable media usage, monitoring of mobile and home working procedures, and ongoing
awareness and educational initiatives for all personnel

It is generally recognized that best practices for cyber resilience should include but not limited
to below key areas:

13.3 Identification
a. Identification means identifying critical assets, business functions and processes that
should be protected against compromise.
b. Information assets (including sensitive personal information) and related system access
should be part of the identification process.
c. Business process or vendor risk should be identified and assessed as a part of the
on-boarding and operations process.
d. Regular reviews and updates are key factors, as cyber risk is constantly evolving and
“hidden risks” can emerge.
13.4 Protection
a. Controls should be in line with leading technical standards. Resilience can be provided
by design. Comprehensive protection entails protecting interconnections and other
means of access against insider and outsider threats. When designing protection, the "human
factor" should be taken into consideration; therefore, training is also an essential part of
the safety net against cyber risk. An appropriate degree of IT controls shall be ensured for
outsourced activities.
b. Availability factor of portals should be part of contracting and sourcing. Protection from
DDoS Vectors needs to be part of sourcing and monitoring.
c. Appropriate access controls along with restriction based on least privileges roles should
be part of application and access control design.
13.5 Detection
For critical systems, cyber security monitoring is essential: security event monitoring and/or
analytics assist in detecting and mitigating cyber incidents. Such monitoring may be
provided by third-party providers.

13.6 Response and Recovery


It is not always possible to detect or prevent cyber incidents before they happen, even with the
best processes in place. For this reason, incident response planning is of great importance.
Resumption of services (if interrupted) should be achieved within a reasonable timeframe,
depending on the impact of the incidents and the criticality of the service. Contingency planning,
design, and business integration as well as data integrity (also in the case of data sharing
agreements) are key enablers for fast resumption. To make contingency planning effective, it is
recommended to have a regular testing. Forensic readiness is essential to facilitate the
investigations.

13.7 Testing
Testing programmes, vulnerability assessments and penetration tests are cornerstones in the
testing phase. Testing should be included when systems are specified, developed, and
integrated.

13.8 Situational Awareness
Awareness contributes to the identification of cyber threats. Accordingly, the establishment of a
threat intelligence process helps to mitigate cyber risk. In this regard, organizations should
participate in established information sharing initiatives.

13.9 Learning and Reporting


Organizations should continually re-evaluate the effectiveness of Cyber security management.
Lessons learned from cyber events and cyber incidents contribute to improved planning. New
developments in technology should be monitored.

Cyber security incidents which are critically affecting the business operations and large number
of customers should be reported to IRDAI within a Maximum period of 48 hours, upon
knowledge.

Organizations must report information security incidents, where the confidentiality, integrity, or
availability of critical information is potentially compromised, to the IRDAI and Cert-Fin with the
required data elements, as well as any other available information, within 48 hours of being
identified by the Organization’s Information Security Team, Security Operations Center (SOC),
or information technology department. In some cases, it may not be feasible to have complete
and validated information prior to reporting. Organizations should provide their best estimate at
the time of notification and report updated information as it becomes available


14. Platform/Infrastructure Security


Objective: Organization’s IT infrastructure including servers, applications, and network and
security devices shall be configured to ensure security, reliability and stability.

14.1 Secure Configuration Documents & Periodic Assessments


The configuration shall be based on Secure Configuration Documents (SCD). Organization
shall develop baseline SCD based on OEM’s recommendations and industry best practices.
SCDs should be prepared for the following list (but not limited to) of components
- Operating Systems (Servers & End points – Laptop, Desktops)
- Web Server software (Tomcat, IIS, Apache HTTP, IBM HTTP and Oracle HTTP, etc.)
- Application Server software (Weblogic, etc.)
- Database Servers (Oracle, MS-SQL, MySQL, PostgreSQL, etc.)
- Network Components (Routers, Wireless Access Points, etc.)
- Security Devices (Firewalls, VPNs, IDS, IPS, etc.)
- Wireless

SCDs should be reviewed for currency on a periodic basis by the Information Security Team.
Exceptions to the configurations recommended in the SCDs, owing to certain business
requirements/limitations, should be approved through a formal exception process after adequate
risk assessment.

The IT infrastructure should be subject to configuration review (vulnerability
assessment/penetration tests) against defined SCDs on a periodic basis.

Regular scheduled assessments, such as internal and external vulnerability scans should be
conducted for the IT Infrastructure including but not limited to software, applications, server,
network, database, operating system, wireless devices, and other network equipment.
Frequency of conducting vulnerability assessment shall depend upon the criticality of the
Information Asset (application, software, database, operating system, network devices and
wireless networks). All Internet facing applications shall undergo vulnerability assessments
before deployment in the production environment.

14.2 Patch Management
Organization’s IT infrastructure should be updated with the supported, tested and reasonably
latest OS and database patches including security patches and upgradation patches. Impact
analysis and testing shall be performed for the recommended new patches, before deploying
those in production environment. For the patches causing adverse impact or non-availability
of business applications, exception approval documents should be maintained for future
reference and audit purpose.
Patches for end-points may be tested in test environment before implementation on the user
machines.


15. Network Security


Objective: The information transmitted across the Organization through its network shall be
protected by deploying adequate network security controls.

Policy, Procedures & Guidelines:

a. Network shall be segmented into zones/subnets based on function and possibly location.
Each of the zone/subnet may be further segregated into separate VLANs based on
business and security requirements.
b. All network devices should be HARDENED based on their respective secure configuration
documents before being deployed in production.
c. Logical position of firewall in network architecture should ensure that firewall is not
bypassed. Defence-in-depth through placement of IDS/IPS solution shall be implemented
to further control the internet traffic passing through these networks. These solutions shall
be regularly updated with current signatures / characteristics of threats.
d. Remote access to organization’s network resources over an un-trusted network
(Internet/Extranet) shall be integrated into the overall network security management.
e. Clocks of all relevant information processing systems within an organization or security
domain shall be synchronized with an agreed accurate time source.
f. Routing controls should be implemented for networks to ensure that computer connections
and information flows do not breach the access control system of the business applications.
g. There should be segregation of duties for approval and implementation of configurations
for network devices.
h. Adequate redundancy should be provided for network links and network devices.
REDUNDANT NETWORK LINKS AND DEVICES SHOULD HAVE THE SAME LEVEL OF
SECURITY AS THE PRIMARY LINKS. All single points of failure within the
organization network shall be identified and the risks in such a design shall be
assessed. Where possible, failover technologies shall be in place to address network
failure. Network diagram (including wireless network) shall be documented and kept up to
date.
i. Logs generated by critical network devices shall be collected and analyzed to identify
threats and exceptions. Network security shall be monitored through a Security Operations
Centre (SOC) to provide immediate response to threats.


16. Cryptography & Key Management


Objective: Organization shall protect the confidentiality, authenticity and integrity of information
by cryptographic means wherever necessary. The level of protection applied using
cryptographic keys shall be commensurate with the sensitivity and frequency of use of the
information along with the environment where it resides/used.
Policy, Procedures & Guidelines:
16.1 General directives on keys
a. Digital signatures/certificates shall be acquired from the Certificate Authority (CA) licensed
by the Controller of Certifying Authorities (CCA) India.
b. Accountability / responsibility for management of master keys shall be formally assigned
within the organization in case of internal CA.
c. Key custodians must be made aware of their role and they shall formally acknowledge their
obligations in administering the security of the keys.
d. Master keys for symmetric key/asymmetric key pair generation must be secured in a
manner such that no one individual party is privy to the entire master key, wherever
applicable.
e. Keys/asymmetric key pairs shall be changed whenever a compromise occurs (or is thought
to have occurred), and whenever a party who is privy to a key/the private key component of the key
pair leaves the organization or changes role. A formal process must exist to revoke
symmetric keys/asymmetric key pairs in a timely and effective manner. Revoked keys shall
be destroyed.
f. The key backup process shall enable key recovery, but should not compromise key
confidentiality and integrity. Requests for recovery of keys/key pairs shall be made via a
formal process that includes approval from the competent authority.
16.2 Retention of electronic keys
a) Data encryption keys – symmetric/asymmetric keys used for encryption shall be
available as long as any information protected (encrypted) by the keys needs to be
decrypted.
b) Digital certificate verification – a public key shall be available as long as any information
signed with the associated private key is maintained.
c) Master key used to derive other keys – master keys shall be available as long as there
is a requirement to recreate derived keys in the future.
d) Keys used to generate keyed hashes (MACs) – such keys shall be available as long as
there is a requirement to prove or disprove the validity of a previously generated hash
value.
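As an added illustration of 16.1(d), (e), (f) and 16.2(c), (d), and not part of these guidelines or any vendor's product, the following Python (standard library only) shows the pieces a key custodian has to get right: the master key is XOR-split among custodians so that no one holds it whole; per-purpose keys are derived from it by version number, so retired keys can be recreated from the master; a routine rotation keeps the old key for verifying existing keyed hashes, whereas revocation after a compromise destroys it and refuses recovery; and recovering a lost retired key requires a recorded approval reference. The purpose label, approval references and the signed record are hypothetical.

```python
# Added example, not part of the IRDAI guideline: split custody of a master key
# (16.1 d), keys derived from it per purpose and version (16.2 c), rotation versus
# revocation (16.1 e), recovery through a recorded approval (16.1 f), and retention
# of retired keys so old keyed hashes remain verifiable (16.2 d). Standard library
# only; the purpose string, approval references and record are hypothetical.
import hashlib
import hmac
import secrets


def _xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("share length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


def split_master(master: bytes, custodians: int) -> list[bytes]:
    """n-of-n XOR sharing: every custodian is needed, and no subset learns anything."""
    if custodians < 2:
        raise ValueError("split custody needs at least two custodians")
    shares = [secrets.token_bytes(len(master)) for _ in range(custodians - 1)]
    last = master
    for s in shares:
        last = _xor(last, s)
    return shares + [last]


def reconstruct_master(shares: list[bytes]) -> bytes:
    acc = bytes(len(shares[0]))
    for s in shares:
        acc = _xor(acc, s)
    return acc


class KeyStore:
    """Versioned MAC keys for one purpose, all derived from the master key."""

    def __init__(self, master: bytes, purpose: str) -> None:
        self._master = master
        self._purpose = purpose
        self._keys: dict[int, bytes] = {}
        self._revoked: set[int] = set()
        self._current = 0
        self.rotate()

    def _derive(self, version: int) -> bytes:
        label = f"{self._purpose}:v{version}".encode()
        return hmac.new(self._master, label, hashlib.sha256).digest()

    def rotate(self) -> int:
        """Routine change: the old key stops signing but is kept for verification."""
        self._current += 1
        self._keys[self._current] = self._derive(self._current)
        return self._current

    def revoke(self, version: int) -> None:
        """Compromise: destroy the key; tags made under it are no longer trusted."""
        self._keys.pop(version, None)
        self._revoked.add(version)
        if version == self._current:
            self.rotate()

    def recover(self, version: int, approval_ref: str) -> None:
        """Re-derive a lost retired key under a recorded approval; never a revoked one."""
        if not approval_ref:
            raise PermissionError("key recovery requires a recorded approval")
        if version in self._revoked or not 1 <= version <= self._current:
            raise PermissionError(f"key v{version} cannot be recovered")
        self._keys[version] = self._derive(version)

    def sign(self, data: bytes) -> tuple[int, str]:
        key = self._keys[self._current]
        return self._current, hmac.new(key, data, hashlib.sha256).hexdigest()

    def verify(self, data: bytes, version: int, tag: str) -> bool:
        key = self._keys.get(version)
        if key is None:  # lost or revoked: the store cannot vouch for the tag
            return False
        return hmac.compare_digest(hmac.new(key, data, hashlib.sha256).hexdigest(), tag)


def demo() -> dict:
    master = secrets.token_bytes(32)
    shares = split_master(master, 3)
    ks = KeyStore(reconstruct_master(shares), "claims-ledger-mac")
    record = b"claim=CLM-000777|amount=12500.00|status=approved"
    v1, tag1 = ks.sign(record)
    ks.rotate()
    v2, tag2 = ks.sign(record)
    old_tag_after_rotate = ks.verify(record, v1, tag1)
    ks.revoke(v1)
    try:
        ks.recover(v1, "ISC-APPROVAL-17")
        recover_revoked = True
    except PermissionError:
        recover_revoked = False
    ks.rotate()                  # v3 is now current; v2 is retired
    ks._keys.pop(v2)             # simulate losing the retired key
    verify_while_lost = ks.verify(record, v2, tag2)
    ks.recover(v2, "ISC-APPROVAL-18")
    return {"two_of_three_reveal_master": reconstruct_master(shares[:2]) == master,
            "all_shares_reconstruct": reconstruct_master(shares) == master,
            "old_tag_after_rotate": old_tag_after_rotate,
            "tag_after_revoke": ks.verify(record, v1, tag1),
            "recover_revoked": recover_revoked,
            "verify_while_lost": verify_while_lost,
            "verify_after_recovery": ks.verify(record, v2, tag2)}
```

The version number travels with every tag, which is what lets verification pick the right retained key after a rotation; a store that kept only the current key would silently fail to verify every earlier record. In a real deployment the master key and the derivations would live in an HSM or key management service rather than in process memory, and the approval reference would be checked against the ISC's records rather than merely required to be non-empty.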

17. Security Logging & Monitoring

Objective: Organizations shall establish logging and monitoring capabilities to detect security
events in timely manner.

Policy, Procedures & Guidelines


17.1 Logging & Monitoring
a. Security logs shall be enabled on all critical information assets. A centralized approach
to logging & monitoring (SOC set up) should be implemented.
b. Security Logs generated by different systems and devices shall be collected such that
linking (correlating) events generated across these systems and devices is possible and
should be maintained for a minimum period of six months and meet other specific
regulatory stipulations as applicable.
c. Security logs shall be made available to the Law enforcement agencies, IRDAI and Cert-Fin
as and when required.
d. Logging shall be enabled to track critical system activities which shall include:
- User account management
- Privileged user activities
- Changes in OS configuration
- Multiple authentication failures/simultaneous logins
- Access to audit trail
e. All information systems including application, operating system, database, network and
security devices shall maintain time synchronization with a standard time device/ server
(NTP) to provide an accurate and traceable record of logged events.
f. Log Retention schedule should be compliant with Organization’s record retention policy.
All the logs and logging facilities should be protected against tampering and unauthorized
access.
g. Monitoring reports should be published based on the management requirements.
Periodic review of logs and monitoring reports for adequacy and contents should be
performed.
h. Incidents reported should be closed within defined timelines.
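Two of the checks in (d) above, repeated authentication failures and simultaneous logins, are shown below as an added Python example that is not part of these guidelines: log lines from two differently formatted sources (a hypothetical VPN gateway and a web portal) are parsed into one event shape so that they can be correlated on the user name as (b) requires, and both checks run over the combined stream. The log lines, host names, users and addresses are constructed for the example; the portal login that follows a VPN login from a different address is the case the simultaneous-login check is meant to catch.

```python
# Added example, not part of the IRDAI guideline: two of the checks in 17.1(d),
# repeated authentication failures and simultaneous logins, run over log lines from
# two differently formatted sources and correlated on the user name (17.1 b).
# The log lines, hosts, users and addresses are constructed for the example.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Both sources stamp events in UTC from NTP-synchronized clocks (17.1 e); without
# that, ordering events across systems, as done below, is meaningless.
VPN_LOG = """\
2024-03-04T09:00:01Z vpn01 auth user=asharma src=203.0.113.10 result=FAIL
2024-03-04T09:00:09Z vpn01 auth user=asharma src=203.0.113.10 result=FAIL
2024-03-04T09:00:17Z vpn01 auth user=asharma src=203.0.113.10 result=FAIL
2024-03-04T09:00:25Z vpn01 auth user=asharma src=203.0.113.10 result=FAIL
2024-03-04T09:00:33Z vpn01 auth user=asharma src=203.0.113.10 result=FAIL
2024-03-04T09:00:41Z vpn01 auth user=asharma src=203.0.113.10 result=OK
2024-03-04T09:01:02Z vpn01 auth user=rmehta src=203.0.113.44 result=FAIL
2024-03-04T09:01:15Z vpn01 auth user=rmehta src=203.0.113.44 result=OK
"""
APP_LOG = """\
2024-03-04 09:02:10 portal01 LOGIN user="asharma" ip=198.51.100.7 status=success
2024-03-04 09:05:30 portal01 LOGIN user="rmehta" ip=203.0.113.44 status=success
2024-03-04 09:06:00 portal01 LOGIN user="svc_batch" ip=10.20.30.40 status=failure
"""

VPN_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) auth user=(?P<user>\S+) "
                    r"src=(?P<ip>\S+) result=(?P<res>\w+)$")
APP_RE = re.compile(r'^(?P<ts>\S+ \S+) (?P<host>\S+) LOGIN user="(?P<user>[^"]+)" '
                    r"ip=(?P<ip>\S+) status=(?P<res>\w+)$")


@dataclass(frozen=True)
class AuthEvent:
    when: datetime
    source: str
    user: str
    ip: str
    success: bool


def _parse(text: str, pattern: re.Pattern, ts_format: str, ok: str) -> list[AuthEvent]:
    events = []
    for line in text.splitlines():
        m = pattern.match(line)
        if not m:
            continue  # in production, count unparsed lines and alert on them
        when = datetime.strptime(m["ts"], ts_format)
        events.append(AuthEvent(when, m["host"], m["user"], m["ip"], m["res"].lower() == ok))
    return events


def parse_vpn(text: str) -> list[AuthEvent]:
    return _parse(text, VPN_RE, "%Y-%m-%dT%H:%M:%SZ", "ok")


def parse_app(text: str) -> list[AuthEvent]:
    return _parse(text, APP_RE, "%Y-%m-%d %H:%M:%S", "success")


def detect_repeated_failures(events, threshold=5, window=timedelta(minutes=5)):
    """Per user, across all sources: at least `threshold` failures within `window`."""
    alerts = []
    fails_by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e.when):
        if not e.success:
            fails_by_user[e.user].append(e)
    for user, fails in fails_by_user.items():
        start = 0
        for end in range(len(fails)):
            while fails[end].when - fails[start].when > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append((user, end - start + 1, fails[start].when, fails[end].when))
                break  # one alert per user is enough here
    return alerts


def detect_simultaneous_logins(events, window=timedelta(minutes=10)):
    """Successful logins for one user from two different addresses within `window`."""
    alerts = []
    logins_by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e.when):
        if e.success:
            logins_by_user[e.user].append(e)
    for user, logins in logins_by_user.items():
        for i, a in enumerate(logins):
            for b in logins[i + 1:]:
                if b.when - a.when > window:
                    break
                if a.ip != b.ip:
                    alerts.append((user, a.source, a.ip, b.source, b.ip))
    return alerts


def run() -> dict:
    events = parse_vpn(VPN_LOG) + parse_app(APP_LOG)
    return {"events": len(events),
            "repeated_failures": [(u, n) for u, n, _, _ in detect_repeated_failures(events)],
            "simultaneous": detect_simultaneous_logins(events)}
```

Neither check is possible on the two raw formats separately: the failure count for asharma needs every source's failures in one per-user stream, and the simultaneous-login check needs the VPN and portal events side by side. Thresholds and windows are tuning choices; a user behind a NAT or a changing mobile address will trip the second rule, so it is a candidate for investigation, not a verdict.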


18. Incident Management


Objective: To ensure information security and cyber security events and weaknesses
associated with the information systems are communicated and corrective actions are taken in
a timely manner.
i. Policy, Procedures and Guidelines for information security and cyber security incident
management shall be prepared and implemented to discover, record, respond to, escalate
and prevent information security events and weaknesses effectively.
ii. There should be a system in place to ensure information security events and weaknesses
associated with the information assets are communicated and corrective actions are taken
in a timely manner.
iii. An incident management process shall be established, documented, implemented and
maintained by the organization. It shall include security Incident and weakness
identification, reporting, recording, analysis, response, recovery and mitigation procedures.
Roles and responsibilities of all the stakeholders of the incident management process shall
be defined.
iv. Incident management team shall be established to take all incident related decisions. A
communication channel shall be set up with internal parties and external organizations
(e.g., regulator, media, law enforcement, customers).
v. Monitoring system should be in place so that proactive action is taken to avoid security
incidents and malfunctions.
vi. The Information security and Cyber security incident classification criteria shall be
documented. Security incidents shall be classified based on the criticality and severity.
vii. A process to assess the root cause of the incident and identifying the corrective and
preventive measures shall be defined.
viii. For Incident and Cyber Crisis; a comprehensive cyber security response plan needs to be
developed and referred.
ix. For Incident and Cyber Crisis; a comprehensive cyber crisis management plan (CCMP)
needs to be developed and referred. The Organization will need to take effective measures
to prevent cyber-attacks and to promptly detect any cyber-intrusions so as to respond /
recover/ contain the fall out.
x. CERT-In/NCIIPC guidance may be referred to by the organizations while formulating the
CCMP.

18.1 Incident Reporting & Escalation handling Processes & Procedures
a. Suitable technology shall be deployed for incident reporting, together with guidelines and
procedures for timely escalation of, and action on, reported incidents.
b. The logging, classification, diagnosis and rectification procedures for incident
management shall be laid out in detail.
c. Incidents, classified as High or Critical, should be reported to CISO, CIO, CRO and
other relevant stakeholders including CERT-in & CERT-Fin.
I. Need for a knowledge base, which allows new incidents to be compared with
logged and resolved incidents.
II. Security incidents having noticeable impact on customer service, or requiring
reporting of incidents to external entities, in terms of any legal, regulatory and / or
statutory requirement should be reported only by the respective designated
official.
18.2 Review of the functioning of the preventive and detective controls
a. The organizations are expected to be well prepared to face emerging cyber- threats
such as ‘zero-day’ attacks, remote access threats, and targeted attacks.
b. The incident monitoring system should have a procedure to monitor, measure and
review the effectiveness of the controls deployed.


19. Endpoint Security


Policy, Procedures & Guidelines: Policy, Standards, Procedures and Guidelines shall be
developed to address the threats to endpoints in information system infrastructure and to
prevent unauthorized access to endpoints.

19.1 Objective Endpoint Security


a. To ensure that endpoint has an updated (patched) operating system and anti-virus
software has the latest virus definitions, etc.
b. To ensure system configurations are accurate and do not compromise the security
requirements.
c. To prevent unauthorized external users and network traffic from gaining access to
network.
d. To prevent unauthorized devices and other portable storage devices connecting to
endpoint.
e. To prevent/detect any unauthorized software on the endpoints.
f. To address technical system and software vulnerabilities quickly and effectively.
g. Build capability to quarantine systems / devices if found to be non-compliant or
infected.

19.2 Identity and access to end points

a. Endpoint devices shall be required to comply with the Organization's "Acceptable Usage
Policy" before being allowed access to the Organization's network.

b. User rights should be allocated based on the principle of least privilege in accordance
with their business/functional requirements. User rights should be based on a “NEED
TO HAVE” AND “NEED TO KNOW BASIS”.

19.3 Network access control

Authentication mechanism for end points connecting from Organization WAN or external
network shall be implemented to ensure entry of only authorized users.
19.4 Remote access
a. Organization should regularly review remote access approvals and revoke those that
no longer have a compelling business justification
b. Organization should ensure appropriate and timely patching, updating and maintenance of
all software on remote access devices
c. Encryption should be used to protect communications of critical data between the
access device and the organization

d. VLANs, network segments, directories, and other techniques should be used to restrict
remote access to authorized network areas and applications within the organization

e. While using TCP/IP Internet-based remote access, Organization needs to establish a
VPN/Appropriate Communication channel over the Internet to securely communicate
data packets over this public infrastructure.

19.5 Application Control

a. Organization can evaluate the likelihood associated with the threat agent, attack vector,
and security weakness and combine it with an estimate of the technical and business
impact to the Organization.

b. All endpoints/workstations owned by the organization shall be loaded with pre-approved
licensed software. Any unauthorized installation of non-standard software on the
workstation for personal or official use should be prohibited.

19.6 Device control


a. Appropriate controls shall be in place to control the risks arising out of usage of mobile
storage devices such as USB drives, CD-ROMs, RW-CDs, external hard drives, cameras,
portable media players, card readers, mobile phones, etc.
b. IT Support team should configure all endpoint devices as per the baseline secure
configuration documents provided by Information Security Team. Unlicensed or doubtful
software/ applications should not be installed.

c. Whenever connecting to the LAN, it must be ensured that anti-virus agent is installed
with latest signatures on the device.

d. Organization may consider to deploy security software like Data Loss Prevention (DLP)
to identify, monitor and protect data in use, data in motion and data at rest.


20.Virtualization
Objective: To ensure protection of information during use of virtual environment within the IT
infrastructure of the company.

Policy, Procedures & Guidelines: Approved Policy, Procedures & Guidelines for Virtualization
of the systems shall be in place, which will detail, at least, the following:
- Centralized Administration of virtualized systems
- Provisioning and allocation of resources between different systems in virtualized
machine
- Securing information residing in the host and virtualized machines

20.1 Access Control


a. Access Control shall be implemented and an adequate process shall be in place to ensure
no unauthorized virtual hosts or guests are created. Access from and to the host should
be allowed only through firewall controls that restrict access to the necessary services.
b. Network Access for the host OS should be restricted to management services and
if required, to storage.
c. Administrative access for management of virtual networks, virtual servers and back
up should be segregated.
d. Host OS to guest OS communications should be secured.
e. VMs should not be able to access or view the resources used by the kernel or host.
These resources include storage and networks.
f. Access to virtual environment management console should be through centralized
administrative console with audit logging capability.
g. If production and non – production VMs are hosted on the same host OS, adequate
security controls should be in place to ensure logical segregation.

20.2 Hardening of Operating Systems


a. Appropriate hardening shall be implemented to prevent unauthorized file sharing and to
maintain time synchronization.
b. All unnecessary programs shall be uninstalled, and all unnecessary services should be
disabled.
c. Host OS must be patched regularly and in a timely fashion to ensure that the host OS
is protecting the system itself and guest OSs properly. In addition, the same patching
requirements apply to the virtualization software.
d. VMs shall be configured by default to disable connections to peripheral devices.
Connections to peripheral devices shall be approved.

20.3 Partitioning and resource allocation


Volumes or disk partitioning should be used and role-based access controls should be
placed individually on each virtual machine.

20.4 File Sharing


File Sharing shall not be allowed between the host and the guest in order to keep the host
OS files integrity.

20.5 Back up
Virtual systems shall need to be regularly backed-up for error recovery and continuity of
operations.

20.6 Monitoring
An appropriate mechanism for monitoring the operations between the host and the guest
should be put in place to ensure that no unauthorized or malicious operations, and no
monopolization of resources, occur between the VMs.


21. Cloud Security


Objective: To ensure that information processed, transmitted and stored on the cloud
architecture is secure.

Policy, Procedures & Guidelines: Policy, Procedures & Guidelines shall be framed to provide
direction for hosting the type of information, its criticality and the level of security controls to be
adopted, on cloud or on any external hosting infrastructure
 With reference to the Electronic maintenance of core business records, records shall be
hosted within India.
 The selection of cloud hosting model shall depend on the criticality of the information
being hosted
 Wherever hosting of an application, data or system in a cloud is considered inevitable
(for commercial, business, regulatory, legal or other reasons), approval shall be obtained
by the organization from its senior management.
 The business justification for treating cloud hosting of the data and system as inevitable
shall be documented, together with the classification of the data to be hosted on the cloud,
viz. Secret/Highly Confidential, Confidential, Internal, Public, etc.
 It should cover:
o Security Control measures to be implemented by Cloud service provider/ Application
Service Provider/Any Third-Party/Company for guarding against Data leakage /
Data corruption /Security breach etc. as well as control measures in place to prevent,
detect and react to breaches including data leakage
o Due diligence process for selecting a suitable service provider

21.1 Service Level Agreements


a. An appropriate service level agreement shall be in place to address
I. Sustainability, support for fail safe operations
II. Data Retrieval time, protection of IPR, etc.
III. Security control measures to prevent, detect and react to breaches including
data leakage and demonstration of the same
IV. Unilateral contract termination/exit clause
V. Right to audit for IRDAI, law enforcement agencies and CERT-Fin, including access to
information and logs
b. Service Provider’s contract shall include clauses to ensure confidentiality, integrity,

availability and privacy of the data collected, processed, stored and disposed through
cloud services.
c. Contracts with service provider shall include but not limited to following in addition to
the other contractual requirement:
i. SLA
ii. Compliance to applicable laws & regulations
iii. Data ownership
iv. Authentication controls
v. Log retrievals
vi. Patch Management
vii. Configuration Management
viii. Application/System Security Testing
ix. Data Recovery plan
x. Data Deletion at separation or expiry of contract
21.2 Cloud Access Control
Appropriate Access control mechanism shall be implemented with reliable
authentication mechanism to ensure
a. Data is not shared accidentally with other customers on the cloud
b. Cloud service provider/Application service provider/any third-party personnel
controls are in place to provide a logical segregation of duties.
c. Logging and monitoring of privilege access shall be carried out
21.3 Cloud Data Security
a. Controls related to Operations Security shall be implemented for ensuring Secure
Configuration, Application, OS, DB, Web Server, Back-up & Recovery, Change
Management, Capacity & Demand Management, Protection against Malicious Code and
Monitoring, Auditing & Logging security requirements on cloud.
b. Data in transit to and from the cloud shall be encrypted, as appropriate to the information
classification.
c. Encryption shall be implemented for cloud-hosted data both in transit and at rest, in
particular for PII.
d. It is recommended to use appropriate Data Loss Prevention (DLP) solution to identify,
monitor and protect sensitive data and manage the data risk for the organization.
e. Data retention and destruction schedules should be defined by the organization and
service provider should be made responsible to destroy the data upon request, with
special emphasis on destroying all data in all locations including slack in data structures
and on the media. The company should audit this practice, wherever applicable.
f. Data retention controls should also ensure that the multiple copies of the data stored in
different locations are also destroyed post the retention timeframe.


22. Mobile Security


Objective: To ensure the security of information assets while tele-working and using the mobile
devices by implementation of appropriate security measures to manage the risks associated
with the usage of mobile computing devices and communication facilities.

Policy, Procedures & Guidelines:


Policy, Procedures and Guidelines shall be prepared and implemented to provide direction to
the users of mobile computing so that corporate network remains secure.
The Policy, Procedures and Guidelines shall also cover:
a. Security measures for the organization’s information processed using BYOD (Bring
Your Own Device) and tele-working sites.
b. All employees, interns and externals using devices falling into the category “mobile
devices” such as mobile phones, smart phones, portable devices, etc. shall
acknowledge the security policy and the associated procedures & guidelines before
they are allowed to use organization’s network using mobile devices.
22.1 Approved Devices/Services
a. An inventory shall be maintained of mobile devices in use, whether owned by the
organization or BYOD, associating each device with its owner's name and identity; this
association shall be mandatory for network access control. The inventory shall record at
least, but not be limited to, identifiers such as device name, owner's ID, device serial
number, device IMEI, device MAC address and device capabilities.
b. IT department of the organization shall prepare a list of authorized applications and
shall have a documented process on management of such a list. This process shall
cover the review mechanism for approved applications as well as approved
devices/services on a periodic basis taking into account new devices/services
available, new capabilities of devices and new threats.

22.2 Incident Management:


Appropriate authority shall be notified immediately on suspicion of a security incident,
especially when a mobile device may have been lost or stolen

22.3 Remote Blocking and Remote Wiping


a. A remote device wiping or blocking mechanism for all devices accessing the Organization's
internal networks should be appropriately implemented to protect data in case of
loss/theft of devices or change in employment status of a staff member.
b. Controls should be in place to prevent devices from accessing the enterprise network
if the devices have been rooted or jail-broken.

22.4 Network Access Control


a. Mobile Devices/Tele-working shall be allowed to connect to internal network to access
corporate services with prior approval.
b. Appropriate secure authentication and authorization mechanism shall be put in place for
providing access to the mobile devices/Tele-working into the organization’s network.
Wireless connectivity shall be permitted only with organization’s approved encryption
standards.

22.5 Mobile Data Security

a. Mobile devices containing confidential, personal, sensitive and generally all information
belonging to company, except public information, shall employ encryption or equally
strong measures to protect the corporate data stored on the device.
b. All mobile computing devices and all information assets used in tele-working, using
corporate applications shall have anti-virus and/or anti-malware software installed and
running.
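As an added example covering the controls in 22.1 to 22.5 (it is not code from the guidelines or from any insurer), the Python module below keeps a device inventory keyed on the identifiers listed in 22.1, validates each IMEI's check digit on registration, and decides admission from what the MDM agent reports at connection time: prior approval and policy acknowledgement, rooted/jail-broken state, storage encryption and anti-malware, with lost or stolen devices and the devices of separated staff blocked and queued for remote wipe. The record layout, the posture fields, the class and function names and the fictitious inventory are assumptions made for the illustration.

```python
"""Admission check for mobile devices connecting to the corporate network.
Added example for sections 22.1-22.5 of the guidelines; it is not code from
the guidelines or from any insurer. Field names, the sample inventory and
the posture format are assumptions made for the illustration."""

from dataclasses import dataclass
from typing import Dict, List, Tuple


def imei_is_valid(imei: str) -> bool:
    """Validate a 15-digit IMEI with the Luhn check digit it carries, so that
    mistyped identifiers are rejected when the inventory is populated."""
    if len(imei) != 15 or not imei.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(imei)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class DeviceRecord:
    """One inventory entry (22.1): identifiers tied to an owner."""
    device_name: str
    owner_id: str
    serial: str
    imei: str
    mac: str
    ownership: str              # "corporate" or "byod"
    approved: bool              # prior approval for network access (22.4 a)
    policy_acknowledged: bool   # acknowledged the mobile security policy
    owner_active: bool = True   # False once the owner's employment status changes
    reported_lost: bool = False


@dataclass
class Posture:
    """What the MDM agent reports about the device at connection time."""
    mac: str
    imei: str
    rooted_or_jailbroken: bool
    storage_encrypted: bool
    antimalware_running: bool


class MobileAdmissionControl:
    def __init__(self) -> None:
        self.inventory: Dict[str, DeviceRecord] = {}  # keyed on lower-case MAC
        self.wipe_queue: List[str] = []                # serials to wipe remotely (22.3)

    def register(self, rec: DeviceRecord) -> None:
        if not imei_is_valid(rec.imei):
            raise ValueError("IMEI %s fails its check digit" % rec.imei)
        mac = rec.mac.lower()
        if mac in self.inventory:
            raise ValueError("MAC %s already registered" % mac)
        self.inventory[mac] = rec

    def _queue_wipe(self, rec: DeviceRecord) -> None:
        if rec.serial not in self.wipe_queue:
            self.wipe_queue.append(rec.serial)

    def report_lost(self, mac: str) -> None:
        """22.2/22.3: a lost or stolen device is blocked and queued for wipe."""
        rec = self.inventory[mac.lower()]
        rec.reported_lost = True
        self._queue_wipe(rec)

    def owner_separated(self, owner_id: str) -> None:
        """22.3: a change in employment status blocks and wipes all the owner's devices."""
        for rec in self.inventory.values():
            if rec.owner_id == owner_id:
                rec.owner_active = False
                self._queue_wipe(rec)

    def evaluate(self, p: Posture) -> Tuple[bool, List[str]]:
        """Return (admit, reasons). Every failing control is listed, not just the first."""
        rec = self.inventory.get(p.mac.lower())
        if rec is None:
            return False, ["device not in inventory"]
        reasons: List[str] = []
        if rec.imei != p.imei:
            reasons.append("IMEI does not match inventory record for this MAC")
        if not rec.approved:
            reasons.append("no prior approval for network access")
        if not rec.policy_acknowledged:
            reasons.append("mobile security policy not acknowledged")
        if rec.reported_lost:
            reasons.append("device reported lost or stolen")
        if not rec.owner_active:
            reasons.append("owner no longer active")
        if p.rooted_or_jailbroken:
            reasons.append("device is rooted or jail-broken")
        if not p.storage_encrypted:
            reasons.append("device storage not encrypted")
        if not p.antimalware_running:
            reasons.append("anti-malware not running")
        return (not reasons), reasons


def build_sample_nac() -> MobileAdmissionControl:
    """Constructed inventory of two devices; all identifiers are fictitious."""
    nac = MobileAdmissionControl()
    nac.register(DeviceRecord("claims-tab-01", "E1001", "SN-A1", "490154203237518",
                              "AA:BB:CC:00:00:01", "corporate", True, True))
    nac.register(DeviceRecord("agent-phone", "E2002", "SN-B2", "356938035643809",
                              "AA:BB:CC:00:00:02", "byod", True, True))
    return nac
```

The MAC address is only the lookup key; the IMEI cross-check makes it harder to get in by cloning the MAC of a registered device, and the posture fields come from the MDM agent rather than from the user, which is what lets the rooted/jail-broken, encryption and anti-malware requirements of 22.3 and 22.5 be enforced at connection time rather than trusted on paper.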


23. Information System Audit

23.1 Eligibility & Selection of Auditor:

An Independent Assurance Audit shall be carried out by a qualified external systems auditor
holding certifications such as CISA or DISA, or by a CERT-In empanelled auditor.

23.2 Scope/Type of Audit:

a. Scope of Audit shall include controls defined as per the annexure enclosed with this
document.
b. Annual IS Audits should also cover branches on sample basis, with focus on large and
medium branches, in critical areas like password controls, control of user ids, operating
system security, anti-malware controls, maker-checker controls, Identity & Access
management, physical security, review of exception reports/audit trails, BCP policy and
testing etc.
c. This Assurance Audit shall be driven by the Information Security Team.

23.3 Frequency:

Audit shall be carried out for every financial year.

23.4 Executing IS Audit

During audit, auditors should obtain evidences, perform test procedures, appropriately
document the findings, and conclude a report.

23.5 Reporting and Follow-up actions

a. There should be proper reporting of the findings of the auditors. For this purpose, each
Organization should prepare a structured format.
b. The major deficiencies/aberrations noticed during audit should be highlighted in a special
note and given immediately to the ISC and IT Department.
c. Minor irregularities pointed out by the auditors are to be rectified immediately.
d. Follow-up action on the audit reports should be given high priority and rectification should
be done without any loss of time.
e. Audit reports need to be presented to the Risk Management Committee of the Board.
f. A copy of executive summary of the Audit report along with action taken note should be
submitted to IRDAI within 30 days of completion of Audit

23.6 Review

Organization is advised to:

a. Review the selection and performance of auditor.


b. Ensure that the work of auditors is properly documented.
c. Be responsible for the follow-up on audit reports and the presentation of the
quarterly review to the ISC.
d. Rotation of Auditors: Once in three years.

A Control Check List covering the domains specified in this report is provided in Annexure A


24. Legal References on Information and Cyber Security

This section may provide the organizations a broad idea about various statutory provisions
available for Information and Cyber Security. An attempt has been made here to consolidate
various legal provisions available on Information Technology, Cyber Security and Information
Security for reference. While these consolidated provisions in Annexure B may be used for
reference, the same may not be treated as exhaustive. The Organizations are requested to refer
the relevant Act/regulation/rules/Amendments for updates/latest provisions.

***********


Annexure B: Legal references for Information and Cyber Security


Information and Cyber Security
Cyberspace and cyber laws are emerging trends so far as the issue of legal jurisprudence is
concerned. Unlike the traditional offline issues, which have developed and matured over a
period of time; cyber laws, action and protection are at an evolving stage. Largely the basic
principle of offline world would also apply in online world. However, given the intricacies of online
world, there is definitely a need for special provisions of law and legal enforcement to deal with
the issues of cyber space and virtual world.

The critical legal issues surrounding transactions in cyber space mainly revolve around the
following:
 e- contracts and authentication
 e-signature and digital signature
 privacy and data protection
 Data retention and retrieval
 Electronic Evidence and admissibility
 Intermediary liability
 IP protection
 Dispute Resolution
 Jurisdiction and
 Cyber Crimes and enforcement

India’s legislative framework for internet law and the online world is enshrined in the
Information Technology Act, 2000 and the Rules made thereunder. The Act was amended by the
Information Technology (Amendment) Act, 2008, which also led to amendments in the Indian
Penal Code 1860, the Indian Evidence Act 1872, the Bankers’ Books Evidence Act, 1891 and the
RBI Act, 1934, and related matters.

The IT Act and the various Rules thereunder provide the legal framework for the storage,
dissemination, processing and retrieval of electronic data. The Act also lays down guidelines
and the responsibility for conducting due diligence by bodies corporate and Insurance Intermediaries
and for adopting reasonable security practices while handling information and data, including
sensitive personal data and information. There are also obligations for reporting cyber
security incidents to government authorities. Violation of these provisions can lead to
offences and penalties.

The definition of Information is quite wide under the IT Act and reads as under:

“Information” includes data, message, text, images, sound, voice, codes, computer
programmes, software and databases or micro film or computer generated microfiche.

The term Data as defined under the IT Act reads as under:

"Data" means a representation of information, knowledge, facts, concepts or instructions which
are being prepared or have been prepared in a formalized manner, and is intended to be
processed, is being processed or has been processed in a computer system or computer
network and may be in any form (including computer printouts, magnetic or optical storage
media, punched cards, punched tapes) or stored internally in the memory of the computer.

The term "Cyber Security" as defined under Section 2(nb) of the IT Act means
“protecting information, equipment, devices, computer, computer resource, communication
device and information stored therein from unauthorized access, use, disclosure, disruption,
modification or destruction”.
Cyber Crimes can be classified into two broad categories:

Computer Assisted Cyber Crimes:


Spam, Phishing, identity theft, credit card fraud, Intellectual property violation on online space,
pornography, unauthorized access are typical examples of Computer Assisted Cyber Crimes.
Here computer is instrumental in committing the crime.

Computer Oriented Cyber Crimes:


Use of malicious software, Trojan, spyware, cyber terrorism, worm are typical examples of
computer oriented cybercrimes. Here, the computer is the target of the crime.

Protection of Personal Information and Reasonable Security Practice


Bodies Corporate handling and dealing with personal information as well as dealing in online
world are required to ensure that reasonable security practices and procedures are maintained.
Where a body corporate, possessing, dealing or handling any sensitive personal data or
information in a computer resource which it owns, controls or operates, is negligent in
implementing and maintaining reasonable security practices and procedures and thereby
causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay
damages by way of compensation, to the person so affected.
"Reasonable security practices and procedures" means security practices and procedures
designed to protect such information from unauthorized access, damage, use, modification,
disclosure or impairment, as may be specified in an agreement between the parties or as may
be specified in any law for the time being in force and in the absence of such agreement or any
law, such reasonable security practices and procedures, as may be prescribed by the Central
Government in consultation with such professional bodies or associations as it may deem fit.

In this regard, the Government has notified The Information Technology (Reasonable Security
Practice and Procedure and Sensitive Personal Data or Information) Rules 2011.
Pursuant to the above rules, Bodies corporate possessing, dealing or handling any sensitive
personal data or information are required to observe following compliance requirements:

Key Obligations and Adherence

The following table lists the key requirements and actionables for compliance with the SPDI Rules.

OBLIGATION: Policy for privacy and disclosure of information
ACTIONABLE:
 Provide a privacy policy for handling of or dealing in personal information including
sensitive personal data or information. The policy shall provide for:
o clear and easily accessible statements of its practices and policies;
o the type of personal or sensitive personal data or information collected;
o the purpose of collection and usage of such information;
o disclosure of information including sensitive personal data or information;
o reasonable security practices and procedures.
 The policy shall be published on the website.

OBLIGATION: Collection of information
ACTIONABLE:
 Consent for collection should be obtained in writing. The information so collected should
only be
o for a lawful purpose,
o considered necessary, and
o connected with a function or activity of the body corporate or any person on its behalf.
 The provider of information should at the same time have knowledge of
o the fact that the information is being collected,
o the purpose for which the information is being collected,
o the intended recipients of the information,
o the name and address of the agency that is collecting the information, and
o the agency that will retain the information.
 The provider of information should be permitted to review the information so provided and
to correct/amend it if found inaccurate or deficient.
 The provider of information has the option
o not to provide the data or information sought to be collected;
o to withdraw consent given earlier; such withdrawal of consent shall be sent in writing to
the body corporate.
 The information is not to be retained for longer than is required for the purposes for
which it may lawfully be used or is otherwise required under any other law for the time
being in force.

OBLIGATION: Disclosure of information
ACTIONABLE:
 Prior permission of the provider of information must be obtained in case of disclosure to
any third party, either in the form of the contract or otherwise obtained specifically for
disclosing the same.
 Such consent would not be necessary in case of sharing with Government agencies or where
such disclosure is necessary for compliance with a legal obligation.

OBLIGATION: Transfer of information
ACTIONABLE:
 The following conditions must be satisfied while undertaking the transfer:
o the same level of data protection that is adhered to by the body corporate (transferor)
is adhered to by the receiving party (transferee);
o it is necessary for the performance of the lawful contract between the body corporate or
any person on its behalf and the provider of information;
o such person has consented to the data transfer.

OBLIGATION: Grievance handling
ACTIONABLE:
 The body corporate is to designate a Grievance Officer.
 Publish his name and contact details on its website.
 Grievances are to be resolved within one month.

OBLIGATION: Reasonable security practices and procedures
ACTIONABLE:
 Implement security practices and standards: IS/ISO/IEC 27001.
 Document the practices and standards in the form of an information security programme
that contains
o managerial,
o technical,
o operational and physical security control measures.
 Alternatively, the codes of best practices for data protection (by any industry
association or an entity formed by such an association, whose members are self-regulating
by following codes of best practices other than IS/ISO/IEC).
 Such standard or codes of best practices are to be certified or audited at least once a
year, through an independent auditor duly approved by the Central Government, or as and
when there is a significant upgradation of its process and computer resource.
IT Service Provider’s (IT intermediary) Liability

In order to remain protected against liability, an intermediary handling and processing
information shall exercise adequate due diligence while handling third-party information.
Section 79 of the IT Act, 2000 provides for the liability of intermediaries, including
internet service providers. Section 79 was amended by the IT (Amendment) Act 2008. Pursuant
to that amendment, an Intermediary shall not be liable for any third-party information, data
or communication link made available or hosted by it if:
 the function of the Intermediary is limited to providing access to a communication system
over which information made available by third parties is transmitted or temporarily
stored;
 the Intermediary does not initiate the transmission, select the receiver of the
transmission, or select or modify the information contained in the transmission;
 the Intermediary observes due diligence while discharging its duties and also observes
such other guidelines as the Central Government may prescribe in this behalf.

It may be noted that the Intermediary loses the above immunity if it is found to have
conspired, abetted, aided or induced, whether by threats or promise or otherwise, the
commission of the unlawful act. The immunity is also lost if the Intermediary, upon receiving
actual knowledge, or on being notified, that any information, data or communication link
residing in or connected to a computer resource controlled by it is being used to commit an
unlawful act, fails to expeditiously remove or disable access to that material on that
resource without vitiating the evidence in any manner.

The Information Technology (Intermediaries guidelines) Rules, 2011

The Central Government has additionally notified the Information Technology (Intermediaries
Guidelines) Rules, 2011 vide notification dated 11th April, 2011. These Rules set out the
guidelines and procedures to be followed by intermediaries as part of their due diligence,
and the administration of take-down and other procedural obligations by intermediaries.

Due diligence to be observed by the intermediary: Publish the rules and regulations, privacy
policy and user agreement for access to or usage of the intermediary's computer resource by
any person.
Actionable: Such rules and regulations, terms and conditions or user agreement shall inform
the users of the computer resource not to host, display, upload, modify, publish, transmit,
update or share any information that:
 belongs to another person and to which the user does not have any right;
 is grossly harmful, harassing, blasphemous, defamatory, obscene, pornographic,
paedophilic, libellous, invasive of another's privacy, hateful, or racially, ethnically
objectionable, disparaging, relating to or encouraging money laundering or gambling, or
otherwise unlawful in any manner whatever;
 harms minors in any way;
 infringes any patent, trademark, copyright or other proprietary rights;
 violates any law for the time being in force;
 deceives or misleads the addressee about the origin of such messages or communicates any
information which is grossly offensive or menacing in nature;
 impersonates another person;
 contains software viruses or any other computer code, files or programs designed to
interrupt, destroy or limit the functionality of any computer resource;
 threatens the unity, integrity, defence, security or sovereignty of India, friendly
relations with foreign states, or public order, or causes incitement to the commission of
any cognizable offence or prevents investigation of any offence or is insulting to any
other nation.

Due diligence to be observed by the intermediary: Obligation on hosting/transmission
Actionable: The Intermediary shall not ‘knowingly’ host or publish any information, and shall
not initiate the transmission, select the receiver of the transmission, or select or modify
the information contained in the transmission.

Due diligence to be observed by the intermediary: Take-down obligation
Actionable: The Intermediary is required to disable such information as is in contravention
of the above within 36 hours of knowing. The Intermediary shall also preserve such
information and associated records for at least ninety days for investigation purposes.

Due diligence to be observed by the intermediary: Right to terminate
Actionable: The Intermediary shall have the right to immediately terminate the access or
usage of users to its computer resource in case of non-compliance with the rules and
regulations, user agreement and privacy policy.

Due diligence to be observed by the intermediary: Obligation to report
Actionable: The Intermediary shall be required to report cyber security incidents and also
share cyber security incident related information with the Indian Computer Emergency
Response Team.

Due diligence to be observed by the intermediary: Obligation to provide information
Actionable: The Intermediary shall provide information or offer assistance to Government
agencies for investigative, protective or cyber security activity.

Due diligence to be observed by the intermediary: Reasonable measures
Actionable: The Intermediary shall at all times be required to have all reasonable measures
in place to secure its computer resource and the information contained therein, following
the reasonable security practices and procedures prescribed in the Information Technology
(Reasonable Security Practices and Procedures and Sensitive Personal Data or Information)
Rules, 2011.

Due diligence to be observed by the intermediary: Grievance Officer
Actionable: The Intermediary is required to appoint a Grievance Officer and publish his
contact details as well as the mechanism by which any victim can notify their complaints.
The Grievance Officer shall redress complaints within one month from the date of receipt of
the complaint.

The Indian Computer Emergency Response Team

The Government of India has notified the Information Technology (The Indian Computer
Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013.

As per Rule 12(1)(a) of these Rules, any individual, organization or corporate entity
affected by a cyber security incident may report the incident to CERT-In. Service providers,
intermediaries, data centres and bodies corporate shall report cyber security incidents to
CERT-In within a reasonable time of occurrence or of noticing the incident, so as to leave
scope for timely action.

The following types of cyber security incidents shall be mandatorily reported to CERT-In as
early as possible, so as to leave scope for action:
 Targeted scanning/probing of critical networks/systems
 Compromise of critical systems/information
 Unauthorized access of IT systems/data
 Defacement of website or intrusion into a website and unauthorized changes such as
inserting malicious codes, link to external websites etc.
 Malicious code attacks such as spreading of virus/worm/Trojan/Botnets/spyware
 Attacks on servers such as Database, Mail and DNS and network devices such as
Routers
 Identity Theft, Spoofing and Phishing attacks
 Denial of Service (DOS) and Distributed Denial of Service (DDOS) attacks
 Attacks on Critical Infrastructure, SCADA Systems and Wireless networks
 Attacks on Applications such as E-Governance, E-Commerce etc.

Data Theft

Data theft involves issues of copyright violation and violation of privacy under the IT Act
2000, as well as criminal breach of trust and dishonest misappropriation under the Indian
Penal Code, 1860.

Section 43(b), read with Section 66 of the Information Technology Act 2000, and Sections
379, 405 and 420 of the Indian Penal Code deal with the framework of data theft and the penal
provisions thereto.

Penalty and Compensation for damage to computer, computer system

Section 43 clearly provides for the provisions of damages by way of compensation against the
person who without the permission of the owner or any other person who is in charge of a
computer, computer system or computer network

(a) accesses or secures access to such computer, computer system or computer network or
computer resource
(b) downloads, copies or extracts any data, computer data base or information from such
computer, computer system or computer network including information or data held or stored in
any removable storage medium;
(c) introduces or causes to be introduced any computer contaminant or computer virus into any
computer, computer system or computer network;
(d) damages or causes to be damaged any computer, computer system or computer network,
data, computer data base or any other programmes residing in such computer,
computer system or computer network;
(e) disrupts or causes disruption of any computer, computer system or computer network;
(f) denies or causes the denial of access to any person authorized to access any computer,
computer system or computer network by any means;
(g) provides any assistance to any person to facilitate access to a computer, computer system
or computer network in contravention of the provisions of this Act, rules or regulations made
there under,
(h) charges the services availed of by a person to the account of another person by tampering
with or manipulating any computer, computer system, or computer network,
(i) destroys, deletes or alters any information residing in a computer resource or diminishes its
value or utility or affects it injuriously by any means
(j) Steals, conceals, destroys or alters or causes any person to steal, conceal, destroy or alter
any computer source code used for a computer resource with an intention to cause damage.


Confidentiality and Privacy

Section 72 provides the obligation to ensure confidentiality and privacy of electronic
records or information to which any person has secured access in pursuance of powers
conferred under the Act. No such information or record may be disclosed to any other person
without the consent of the person concerned. Failure to maintain confidentiality and privacy
makes the person liable.

Similarly, Section 72A places an obligation on any person, including an intermediary, who
while providing services under the terms of a lawful contract has secured access to any
material containing personal information about another person: if such a person discloses
that material without the consent of the person concerned, or in breach of a lawful contract,
that person shall be liable.

Adjudicating Officer

As per Section 46, the Central Government can appoint an officer not below the rank of a
Director to the Government of India, or an equivalent officer of a State Government, as an
adjudicating officer to hold an enquiry into the matter, with the power to decide whether any
person has committed a contravention of the Act or of any rules, direction or order under
the Act. The pecuniary jurisdiction is Rs 5 crore.

Cyber Appellate Tribunal

The Government has constituted the Cyber Appellate Tribunal (CAT), to which appeals from the
decisions of an adjudicating officer (AO) may be preferred. An appeal against a decision of
the CAT lies to the High Court.

Penal Provisions

The following chart captures the gist of the penal provisions applicable under the Information
Technology Act 2000, dealing with the consequences of violations.

Section 43A (failure to protect data): damages by way of compensation to the person so affected; up to Rs. 5 crore (adjudicating officer), above Rs. 5 crore (civil court).
Section 65 (hacking / tampering): imprisonment up to three years, or fine which may extend up to two lakh rupees, or both.
Section 66 (computer related offences): imprisonment for a term which may extend to three years, or fine which may extend to five lakhs, or both.
Section 66B (dishonestly receiving stolen computer resource): imprisonment for a term which may extend to three years, or fine which may extend to rupees one lakh, or both.
Section 66C (identity theft): imprisonment for a term that may extend to three years, and shall also be liable to fine which may extend to rupees one lakh.
Section 66E (punishment for violation of privacy): imprisonment which may extend to three years, or fine not exceeding two lakh rupees, or both.
Section 66F (cyber terrorism): imprisonment for life.
Section 67C (preservation and retention of information by intermediaries): imprisonment for a term which may extend to three years, and shall also be liable to fine.
Section 71 (misrepresentation of material fact with Controller or the Certifying Authority): imprisonment for a term which may extend to two years, or fine which may extend to Rs. 1 lakh, or both.
Section 72 (breach of confidentiality and privacy): imprisonment for a term which may extend to 2 years, or fine which may extend to one lakh rupees, or both.
Section 72A (disclosure of information in breach of lawful contract): imprisonment for a term which may extend to 3 years, or fine which may extend to five lakh rupees, or both.
Section 73 (publishing false electronic Signature Certificate): imprisonment for a term which may extend to two years, or fine which may extend to one lakh rupees, or both.
Section 74 (publication for fraudulent purpose): imprisonment for a term which may extend to two years, or fine which may extend to one lakh rupees, or both.
Section 85 (offences by companies): every person who, at the time the contravention was committed, was in charge of the company shall be guilty of the contravention. Where a contravention has been committed by a company and it is proved that it took place with the consent or connivance of any director, manager, secretary or other officer of the company, such director, manager, secretary or other officer shall also be deemed to be guilty of the contravention.

Act/Statute: Information Technology Act, 2000 (E-Governance Framework for Electronic Records and Electronic Signature)

Requirement: Authentication of Electronic Records & Electronic Signature (Sec. 3 & 3A)
• The authentication of electronic records should be done through digital signature, in which case it should use an asymmetric crypto system and hash function, using PKI infrastructure with a private key and a public key. This essentially includes use of DSC for electronic signature.
• Authentication of an electronic record can also be done by using a technique which is reliable and as specified in the second schedule of the Act.

Requirement: Legal Recognition of electronic record and electronic signature (Sec. 4 & 5)
• Whenever law requires information to be in writing, such requirement shall be deemed to be satisfied if the information is rendered or made available in electronic form and is accessible so as to be usable for a subsequent reference.
• Whenever any law requires any information to be signed by a person, such requirement shall be deemed to be satisfied if it is electronically signed.

Requirement: Retention of Electronic Record and Audit of Documents (Sec. 7 & 7A)
• Electronic records can be retained electronically when any law requires a document or information to be retained for a specified period. Audit of documents preserved in electronic form is provided for; however, no period for retention is specified.

Requirement: Validity of Contracts through electronic means (Sec. 10A)
• A contract established by way of proposals and acceptance in electronic form is enforceable.

Requirement: Attribution of electronic records, acknowledgement and time and place of dispatch of electronic records (Sec. 11, 12 & 13)
• An electronic record is attributed to the originator in case it was sent by the originator, by an authorized person, or by an information system.
• Acknowledgment of receipt takes place by the originator in the form or method specified.
• An electronic record is dispatched at the time when it enters a computer resource outside the control of the originator.
• The time of receipt shall be based on the principle that receipt occurs when the electronic record enters the designated computer, in case one is specified. In other cases, receipt occurs at the time the electronic record is retrieved by the addressee.

Requirement: Secure electronic record, electronic signature and security procedure (Sec 14, 15 & 16)
• Where a security procedure is used in connection with an electronic record, such electronic record shall be considered as secure.

Act/Statute: Information Technology Act, 2000 (Penalties and Compensation and Offences)

Requirements:
• Damage to computer and computer system due to unauthorized access (Sec. 43)
• Failure to protect data: compensation (Sec. 43A)
• Cyber Crime related offences (Sec. 65, 66, 67)
• Breach of Confidentiality and Privacy (Sec. 72)
• Punishment for disclosure of information and breach of lawful contract (Sec 72A)
• Offences by Companies (Sec 85)
Covered above.

Act/Statute: The Information Technology (Reasonable Security Practice and Procedure and Sensitive Personal Data or Information)

Requirements:
• Procedure for collection, transfer, storing, disclosure & processing of sensitive personal data and information
• Implementation of reasonable security practices & code of best practices
• Certification/Audit on a regular basis through an independent Auditor once in a year
Covered above.

Act/Statute: The Information Technology (Intermediary Guidelines) Rules, 2011

Requirements:
• Due diligence by Intermediary and their liability
• Implementation of reasonable security practices by Intermediary
• Reporting of Cyber Security Incident to ICERT
Covered above.

Act/Statute: The Information Technology (Security Procedure) Rules, 2004

Requirement: Requirements to be fulfilled to constitute a secure Digital Signature
• Rules for authentication of secure electronic records by means of secure digital signature.
• Public Key / Private Key / Smart card

Act/Statute: The Information Technology (Procedure and Safeguards for Interception, monitoring of Information) Rules 2009

Requirement: Interception and decryption of information
• Authorization to Govt. Agency to intercept, monitor or decrypt information generated, transmitted, received or stored in computer resources

Act/Statute: Procedure for blocking of website

Requirement: Government notification dated February 27, 2003, G.S.R. 18(E)
• India (CERT-IND) shall be the single authority for issue of instructions in the context of blocking of websites.

Act/Statute: The Telecom Unsolicited Commercial Communications Regulations, 2007 and The Telecom Commercial Communications Customer Preference Regulations, 2010

Requirement: Procedure for dealing with Unsolicited Commercial Communications and obligations of access providers and tele marketers
• Privacy for numbers registered under DND.
• No call or SMS possible to numbers which are opted out.
• 140 series numbers only to be used for telemarketing.

Act/Statute: .IN Domain Name Dispute Resolution Policy and Procedure (INDRP)

Requirement: Procedure related to .in Internet Domain Names disputes between registrar and complainant
• Types of disputes that can be brought, and the criteria that will be considered by the arbitrators.
• INDRP Rules of Procedure. These Rules describe how to file a complaint, how to respond to a complaint, the fees, communications, and the other procedures that will be used.

Act/Statute: Insurance Act

Requirements:
• Regulation on Issuance of e-Insurance Policies
• Regulation on maintenance of Insurance Record
• Guidelines for issuance of policies in electronic form and also policy for maintaining insurance records, including claims records, in e-form.
• eIA to be maintained for issuance of e-policies

Act/Statute: Central KYC Record Registry

Requirement: File electronic copy of the client's KYC
• Enabling the central KYC through Central KYC
• Electronic copy to be uploaded in the central KYC

Act/Statute: Indian Evidence Act, 1872

Requirement: Admission of electronic records
• Electronic record accepted as evidence (Sec 3)
• Sec 65A & 65B provide the procedures and standards for providing electronic evidence (authenticity of records to be established as per the IT Act, 2000)
• Sec 85A, 85B, 85C & 88A provide for presumptions regarding electronic agreements, electronic records & digital signatures/digital signature certificates
• Sec 34 and 35 provide for maintenance of records in electronic form

Act/Statute: Companies Act, 2013 and rules made thereunder; Section 2(42), Companies Accounts Rules

Requirements:
• Books of accounts and other relevant books maintained in electronic form shall remain accessible in India.
• Back-up of the books of accounts maintained in electronic form, including at any place outside India: the back-up should be kept on servers physically located in India on a periodic basis.
• Books of account are allowed to be maintained in electronic form; however, adequate process and system must be available for their accessibility in India, including for back-up in case records are kept outside India.
• In case books of accounts are maintained at locations other than the Required office location, the details of the server are to be provided to the ROC.

Act/Statute: Trademark

Requirements:
• Protection against cyber squatting
• Infringement of trademark / Passing off, Sec 135 TM Act
• ICANN domain name dispute resolution policy
• Meta tagging and hyper linking
• Legal remedies available for infringement and passing off
• Caution while linking of website etc.
• Relief can be obtained under ICANN in case (i) respondent domain name is identical, (ii) respondent has no legitimate interest, (iii) respondent domain name was registered in bad faith
• IP risk to be assessed and appropriate strategy to be adopted to deal with IP infringement

Act/Statute: Copyright Law

Requirement: Protection of data base
• Data bases are protected as literary work, Sec 13 CA Act
• Software programmes can be protected under CA Act. Literary work includes computer programme, Sec 2(1)(o)
• Reverse engineering permitted, sec 51(1)(A)(c) of CA Act (for identification of user)
• Unauthorized access to data base punishable u/s 43(b) of IT Act

Act/Statute: Privacy and surveillance

Requirements:
• Inherently protected under article 21 of the Constitution, i.e. right to privacy
• Reasonable surveillance permitted as per IT policy as defined
• Data protection and privacy also protected under IPC, 1860, Indian Contract Act, 1871, Specific Relief Act 1963 & Credit Information Companies (Regulation) Act, 2005
National Cyber Policy 2013 has been framed with the following objectives:
• Creating a national level nodal agency that will co-ordinate all matters related to cyber security in the country
• Encourage organizations to develop their own security policies as per international best practices. The policy will ensure that all organizations earmark a specific budget to implement their security policies and initiatives and create an assurance framework.
• Certification of compliance to cyber security best practices, standards and guidelines
• A legal framework will be created to address cyber security challenges arising out of technological developments in cyber space.
• 24X7 operational national level computer emergency response team (CERT-In)

Act/Statute: Indian Penal Code 1860 – offences

Requirements:
• Forgery of Electronic Records, Sec 463 & 468
• Making False Electronic Record, Sec 464
• Fabricating false evidence in electronic records, Sec 192
• Possession of Forged Electronic Record, Sec 474
• Enabling provision on falsification of electronic records as provided under IPC
• The relevant provisions of the IT Act are given effect in the enforcement law for trying of offences

**************************

A: CONTROL CHECKLIST ON IMPLEMENTATION OF INFORMATION AND CYBER SECURITY GUIDELINES

Sno. | Domain | Sub Domain
1 | Information security policy | Policy for information security
2 | Information security policy | Policy for information security
3 | Information security policy | Policy for information security
4 | Information security policy | Policy for information security
5 | Information security policy | Policy for information security
6 | Information security policy | Policy for information security
7 | Information security policy | Policy for information security
8 | Information security policy | Policy for information security
9 | Information security policy | Policy for information security
10 | Information security policy | Policy for information security
11 | Information security policy | Policy for information security
12 | Information security policy | Policy for information security
13 | Information security policy | Policy for information security
14 | Information security policy | Policy for information security
15 | Information security policy | Review of policy for information security
16 | Information security policy | Policy for information security
17 | Information security policy | Policy for information security
18 | Information security policy | Policy for information security
19 | Information security policy | Policy for information security
20 | Information security policy | Policy for information security
21 | Information security policy | Policy for information security
22 | Information security policy | Policy for information security
23 | Information security policy | Policy for information security
24 | Organization of information security | Information security roles & responsibilities
25 | Organization of information security | Contact with authorities
26 | Organization of information security | Contact with special interest group
27 | Organization of information security | Contact with special interest group
28 | Organization of information security | Segregation of duties
29 | Organization of information security | Segregation of duties
30 | Organization of information security | Segregation of duties
31 | Organization of information security | Information security in project management
32 | Organization of information security | Information security in project management
33 | Organization of information security | Information security in project management
34 | Organization of information security | Information security in project management
35 | Organization of information security | Information security in project management
36 | Organization of information security | Information security in project management
37 | Organization of information security | Information security in project management
38 | Organization of information security | Information security in project management
39 | Organization of information security | Information security in project management
40 | Organization of information security | Information security in project management
41 | Organization of information security | Mobile device policy
42 | Organization of information security | Mobile device policy
43 | Organization of information security | Mobile device policy
44 | Organization of information security | Mobile device policy
45 | Organization of information security | Mobile device policy
46 | Organization of information security | Teleworking
47 | Human resource security | Prior to employment - Roles and responsibilities
48 | Human resource security | Prior to employment - Roles and responsibilities
49 | Human resource security | Prior to employment - Terms and conditions of employment
50 | Human resource security | Prior to employment - Terms and conditions of employment
51 | Human resource security | During Employment - Management Responsibilities
52 | Human resource security | During Employment - Information security awareness, education and training
53 | Human resource security | During Employment - Disciplinary process
54 | Human resource security | Termination and change of employment - Termination responsibilities
55 | Human resource security | Termination and change of employment - Termination responsibilities
56 | Human resource security | Termination and change of employment - Termination responsibilities
57 | Human resource security | Termination and change of employment - Return of assets
58 | Human resource security | Termination and change of employment - Termination responsibilities
59 | Human resource security | Termination and change of employment - Removal of Access Rights
60 | Human resource security | Termination and change of employment - Removal of Access Rights
61 | Asset Management | Inventory of assets
62 | Asset Management | Inventory of assets
63 | Asset Management | Inventory of assets
64 | Asset Management | Inventory of assets
65 | Asset Management | Inventory of assets
66 | Asset Management | Ownership of asset
67 | Asset Management | Ownership of asset
68 | Asset Management | Acceptable use of assets
69 | Asset Management | Acceptable use of assets
70 | Asset Management | Return of asset
71 | Asset Management | Labelling of information
72 | Asset Management | Management of removable media
73 | Asset Management | Management of removable media
74 | Asset Management | Handling of asset
75 | Asset Management | Management of removable media
76 | Asset Management | Management of removable media
77 | Asset Management | Disposal of media
78 | Asset Management | Disposal of media
79 | Asset Management | Physical media transfer
80 | Access Control | Access Control Policy
81 | Access Control | Access Control Policy
82 | Access Control | Access Control Policy
83 | Access Control | Access Control Policy
84 | Access Control | User Access Management - User Registration
85 | Access Control | User Access Management - User Registration
86 | Access Control | User Access Management - Privilege Management
87 | Access Control | User Access Management - Privilege Management
88 | Access Control | User Access Management - User Password Management
89 | Access Control | Operating system access control - Secure log-on procedures
90 | Access Control | User Responsibilities - Password use
91 | Access Control | Password Management system
92 | Access Control | User Access Management - Review of user access rights
93 | Access Control | User Access Management - Review of user access rights
94 | Access Control | User Access Management - Review of user access rights
95 | Access Control | Operating system access control - User Identification and authentication
96 | Access Control | Operating system access control - User Identification and authentication
97 | Access Control | Application access Control - Error Message handling
98 | Access Control | Application access Control - Login Time stamp
99 | Access Control | Application access Control
100 | Access Control | Access control to Program source code
101 | Access Control | Application access Control
102 | Access Control | Operating system access control - Use of system utilities
103 | Access Control | User Responsibilities - Unattended user equipment
104 | Access Control | Application access Control - Unattended user equipment
105 | Access Control | Application access Control - Session time-out
106 | Access Control | User Responsibilities - Clear desk and clear screen policy
107 | Access Control | User Responsibilities - Clear desk and clear screen policy
108 | Access Control | Application and Information access control - Information access restriction
109 | Access Control | Application access Control
110 | Access Control | Password Management System
111 | Access Control | Password Management System
112 | Access Control | Password Management System
113 | Access Control | Communication security
114 | Access Control | Communication security
115 | Access Control | Mobile computing and communications
116 | Access Control | Mobile computing and communications
117 | Access Control | Teleworking
118 | Access Control | Teleworking
119 | Cryptography | Policy on use of cryptographic controls
120 | Physical Access and Environmental controls | Secure areas
121 | Physical Access and Environmental controls | Secure areas
122 | Physical Access and Environmental controls | Securing the offices, room and facility
123 | Physical Access and Environmental controls | Securing the offices, room and facility
124 | Physical Access and Environmental controls | Secure areas
125 | Physical Access and Environmental controls | Secure areas
126 | Physical Access and Environmental controls | Secure areas
127 | Physical Access and Environmental controls | Working in secure area
128 | Physical Access and Environmental controls | Secure areas
129 | Physical Access and Environmental controls | Secure areas
130 | Physical Access and Environmental controls | Secure areas
131 | Physical Access and Environmental controls | Cabling security
132 | Physical Access and Environmental controls | Secure areas
133 | Physical Access and Environmental controls | Secure areas
134 | Physical Access and Environmental controls | Securing the offices, room and facility
135 | Physical Access and Environmental controls | Secure areas
136 | Physical Access and Environmental controls | Physical Security
137 | Physical Access and Environmental controls | Physical Security
138 | Physical Access and Environmental controls | Physical Security
139 | Physical Access and Environmental controls | Physical Security
140 | Physical Access and Environmental controls | Physical Security
141 | Physical Access and Environmental controls | Physical Security
142 | Physical Access and Environmental controls | Physical Security
143 | Physical Access and Environmental controls | Secure areas
144 | Physical Access and Environmental controls | Secure areas
145 | Physical Access and Environmental controls | Physical Security
146 | Physical Access and Environmental controls | Physical Security
147 | Physical Access and Environmental controls | Unattended user equipment
148 | Physical Access and Environmental controls | Secure disposal or re-use of equipment
149 | Physical Access and Environmental controls | Equipment Maintenance
150 | Physical Access and Environmental controls | Security of equipment off-premises
151 | Physical Access and Environmental controls | Security of equipment off-premises
152 | Physical Access and Environmental controls | Secure disposal or re-use of equipment
153 | Physical Access and Environmental controls | Removal of assets
154 | Physical Access and Environmental controls | Disposal of media
155 | Operations security | Operating Procedures
156 | Operations security | Change management
157 | Operations security | Capacity Management
158 | Operations security | Capacity Management
159 | Operations security | Control against malware
160 | Operations security | Control against malware
161 | Operations security | Control against malware
162 | Operations security | Control against malware
163 | Operations security | Control against malware
164 | Operations security | Control against malware
165 | Operations security | Control against malware
166 | Operations security | Control against malware
167 | Operations security | Control against malware
168 | Operations security | Control against malware
169 | Operations security | Control against malware
170 | Operations security | Information backup
171 | Operations security | Information backup
172 | Operations security | Information backup
173 | Operations security | Information backup
174 | Operations security | Information backup
175 | Operations security | Information backup
176 | Operations security | Information backup
177 | Operations security | Information backup
178 | Operations security | Information backup
179 | Operations security | Information backup
180 | Operations security | Information backup
181 | Operations security | Information backup
182 | Operations security | Information backup
183 | Operations security | Information backup
184 | Operations security | Information backup
185 | Operations security | Information backup
186 | Operations security | Event logging
187 | Operations security | Event logging
188 | Operations security | Event logging
189 | Operations security | Protection of log information
190 | Operations security | Protection of log information - Operating System Servers
191 | Operations security | Protection of log information
192 | Operations security | Administrator and operator logs
193 | Operations security | Administrator and operator logs
194 | Operations security | Administrator and operator logs
195 | Operations security | Clock synchronization
196 | Operations security | Clock synchronization
197 | Operations security | Clock synchronization
198 | Operations security | Separation of development, testing & operational environments
199 | Operations security | Separation of development, testing & operational environments
200 | Operations security | Change management
201 | Operations security | Change management
202 | Operations security | Change management
203 | Operations security | Change management
204 | Operations security | Change management
205 | Operations security | Change management
206 | Operations security | Change management
207 | Operations security | Change management
208 | Operations security | Change management
209 | Operations security | Change management
210 | Operations security | Installation of software on operating system
211 | Operations security | Separation of development, testing & operational environments
212 | Operations security | Management of technical vulnerabilities
213 | Operations security | Management of technical vulnerabilities
214 | Operations security | Restrictions on software installation
215 | Communication Security | Network Security Management - Network Controls
216 | Communication Security | Network Security Management - Security of network services
217 | Communication Security | Network Security Management - Security of network services
218 | Communication Security | Network Security Management - Security of network services
219 | Communication Security | Network Security Management - Segregation in networks
220 | Communication Security | Network Security Management - Segregation in networks
221 | Communication Security | Network Security Management - Segregation in networks
222 | Communication Security | Exchange of information - Information Transfer Policies and Procedures
223 | Communication Security | Exchange of information - Information Transfer Policies and Procedures
224 | Communication Security | Exchange of information - Information Transfer Policies and Procedures
225 | Communication Security | Exchange of information - Information Transfer Policies and Procedures
226 | Communication Security | Exchange of information - Information Transfer Policies and Procedures
227 | Communication Security | Exchange of information - Exchange Agreements
228 | Communication Security | Exchange of information - Electronic Messaging
229 | Communication Security | Exchange of information - Business Information systems
230 | Communication Security | Confidentiality or Non Disclosure agreements
231 | Communication Security | Confidentiality or Non Disclosure agreements
232 | System acquisition, development and maintenance | Securing application services on public networks
233 | System acquisition, development and maintenance | Security Requirements Analysis And Specification
234 | System acquisition, development and maintenance | Security Requirements Analysis And Specification
235 | System acquisition, development and maintenance | Correct processing in applications - Input data validation
236 | System acquisition, development and maintenance | Correct processing in applications - Input data validation
237 | System acquisition, development and maintenance | Correct processing in applications - Control of internal processing
238 | System acquisition, development and maintenance | Correct processing in applications - Control of internal processing
239 | System acquisition, development and maintenance | Correct processing in applications - Output data validation
240 | System acquisition, development and maintenance | Security In Development And Support Processes
241 | System acquisition, development and maintenance | Security In Development And Support Processes
242 | System acquisition, development and maintenance | Security In Development And Support Processes
243 | System acquisition, development and maintenance | Security In Development And Support Processes
244 | System acquisition, development and maintenance | Security In Development And Support Processes
245 | System acquisition, development and maintenance | System change control procedures
246 | System acquisition, development and maintenance | Technical review of applications after operating platform changes
247 | System acquisition, development and maintenance | Outsourced development
248 | System acquisition, development and maintenance | System security testing
249 | System acquisition, development and maintenance | System acceptance testing
250 | Information security in supplier relationships | Addressing security within supplier agreements - Service delivery
251 | Information security in supplier relationships | Addressing security within supplier agreements
252 | Information security in supplier relationships | Information and communication technology supply chain
253 | Information security in supplier relationships | Monitoring and review of supplier services
254 | Information security in supplier relationships | Monitoring and review of supplier services
255 | Information security in supplier relationships | Managing changes to supplier services
256 | Information security incident management | Information security incident management - Responsibilities and procedures
257 | Information security incident management | Information security incident management
258 | Information security incident management | Reporting Information Security Events
259 | Information security incident management | Reporting Information Security Events
260 | Information security incident management | Reporting security weaknesses
261 | Information security incident management | Reporting Information Security Events
262 | Information security incident management | Reporting Information Security Events
263 | Information security incident management | Management of information security incidents and improvements - Responsibilities and procedures
264 | Information security incident management | Management of information security incidents and improvements - Responsibilities and procedures
265 | Information security incident management | Response to information security incidents
266 | Information security incident management | Collection of evidence
267 | Compliance with legal requirements | Compliance with legal and contractual requirements
268 | Compliance with legal requirements | Intellectual property rights (IPR)
269 | Compliance with legal requirements | Protection Of Organizational Records
270 | Compliance with legal requirements | Protection Of Organizational Records
271 | Compliance with legal requirements | Protection Of Organizational Records
272 | Compliance with legal requirements | Protection Of Organizational Records
273 | Compliance with legal requirements | Protection Of Organizational Records
274 | Compliance with legal requirements | Prevention of misuse of information processing facilities
275 | Compliance with legal requirements | Prevention of misuse of information processing facilities
276 | Business Continuity Management | Planning of information security
277 | Business Continuity Management | Planning of information security
278 | Business Continuity Management | Implementing the information continuity
279 | Business Continuity Management | Business Continuity Risks
280 | Business Continuity Management | Business Continuity Risks
281 | Business Continuity Management | Business Continuity Risks
282 | Business Continuity Management |
283 | Business Continuity Management |
284 | Business Continuity Management |
285 | Business Continuity Management |
286 | Business Continuity Management |
287 | Business Continuity Management |
288 | Compliance |
289 | Compliance |
290 | Compliance |
291 | Compliance |
292 | Compliance |
293 | Compliance |
294 | Compliance |
295 | Compliance |
296 | Compliance |
297 | Compliance |
298 | Compliance |
299 | Compliance |
300 | Compliance |
301 | Compliance |
302 | Compliance |
303 | Compliance with legal requirements |
304 | Compliance with legal requirements |
305 | Cloud Security |
306 | Cloud Security |
307 | Cloud Security |


Verify & review & evaluate information
security continuity
Verify & review & evaluate information
security continuity
Planning of information security

Availability of information processing facility

Implementing the information continuity

Planning of information security

Information security co-ordination

Compliance with legal and contractual


requirements

Intellectual Property Rights (Pier)

Protection Of Organizational Records

Compliance With Security Policies And


Standards

Compliance With Security Policies And


Standards

Technical Compliance Checking


Information systems audit considerations -
Information systems audit control
Information systems audit considerations -
Information systems audit control
Information systems audit considerations -
Information systems audit control
Information systems audit considerations -
Protection Of Information Systems Audit
Tools
Information systems audit considerations -
Protection Of Information Systems Audit
Tools
Privacy and protection of personally
identifiable information

Compliance with security policies and


standards

Technical compliance review

Identification of applicable legislation

Identification of applicable legislation


SECURITY GUIDELINES (ANNEXURE-A)
Control Checkpoints
Is the information security policy defined, published, approved by management
and communicated to employees and relevant external parties?
Does it state the management commitment and set out the organizational
approach to managing information security?
Has the role of CISO, with responsibility for implementation of the Security
Policy, been assigned?
Does the information security policy include a system acceptance policy?
Does the information security policy include an operations security policy?
Does the information security policy include physical and environmental
security?
Does the information security policy include end user oriented topics such as:
1) acceptable use of assets
2) clear desk and clear screen
3) information transfer
4) mobile devices and teleworking
5) restrictions on software installations and use
Does the information security policy include backup requirements?
Does the information security policy include protection from malware?
Does the information security policy include management of technical
vulnerabilities?
Does the information security policy include cryptographic control requirements?
Does the information security policy include communication of security
guidelines?
Does the information security policy include protection of personally identifiable
information?
Does the information security policy include vendor relationship requirements?
Is the information security policy reviewed by management at planned intervals?
Does the information security policy assign responsibilities for information
security management?
Does the information security policy contain application security controls that
restrict access to programs which can bypass the security of the system?
Are the information (data) classification criteria identified?
Has the information (data) been classified accordingly?
Are network security controls documented in the Information Security Policy?
Is there a policy documented for Information security incident management?
Is there a process to approve exceptions to the defined information security
policy?
Is the information security policy communicated to Part time users, Contractors,
Temporary workers?
Are the key roles and responsibilities in the information security process
identified for everyone in the organization/ BU/ Territory/ Concept?
Is there a documented information security incident procedure, and are
information security incidents reported in a timely manner?
Does the organization/ BU/ Territory/ Concept receive early warnings, alerts,
advisories and patches pertaining to attacks and vulnerabilities?
Is a risk assessment performed on third parties / vendors involved in providing
services to the organization/ BU/ Territory/ Concept? Are third party audits
conducted regularly within the organization?
Is a process in place for notification and reporting of unauthorized disclosure of
confidential information or breaches?
Is authorization required for an individual to access, modify or use
<<Org Name>> information assets?
Is the person's activity monitored, and are audit trails or logs maintained, while
the <<Org Name>> information asset is being accessed?
Is change management defined and followed for any change to a third party
contract?
Are confidentiality requirements included in third party agreements?
Do third party agreements include dispute resolution?
Are data ownership criteria mentioned in third party agreements?
Has ownership of intellectual property been addressed in third party agreements?
Has a sub-contracting clause been included for projects that are subcontracted?
Do third party agreements include a termination/exit clause and a right-to-audit
clause?
Is there a contingency plan in case either party wishes to terminate the
relationship before the end of the agreement?
Are information security requirements assessed before and during project
execution?
Is there provision for renegotiation of agreements if the requirements of the
organization change during a running contract?
Are any mobile computing devices (notebooks, PDAs, smart cards, etc.) used for
accessing / processing / storing any business data?
Are mobile devices registered and approved by <<Org Name>> management
before use?
Are mobile devices restricted from software installation?
Are mobile devices restricted from access to critical systems?
Are remote disabling, erasure or lockout features configured for mobile devices?
Is there an access restriction on visitor/employee personal devices connecting to
<<Org Name>> assets or network?
Are security roles and responsibilities of users defined and documented in
accordance with the organization's information security policy?
Were the roles and responsibilities defined and clearly communicated to job
candidates during joining/induction?
Whether employees, contractors and third party users are asked to sign a
confidentiality or non-disclosure agreement as part of their initial terms and
conditions of the employment contract? If yes, does it include: Acceptable Use,
Code of Conduct / Ethics, Non-Disclosure Agreement, Confidentiality Agreement?
Whether the above mentioned agreement covers the information security
responsibilities of the organization and of the employee, third party users and
contractors.
Whether the management requires employees, contractors and third party users to
apply security in accordance with the established policies and procedures of the
organization.
Whether all employees in the organization and, where relevant, contractors and
third party users receive appropriate security awareness training or regular
updates on organizational policies and procedures as they pertain to their job
function.
Whether there is a formal disciplinary process for employees who have
committed a security breach.
Is there an employee termination or change of status process?
Whether responsibilities for performing employment termination, or change of
employment, are clearly defined and assigned?
Does HR notify security / access administration of employee termination / change
of status, for access rights removal?
Whether there is a process in place that ensures all employees, contractors and
third party users surrender all of the organization's assets in their possession upon
termination of their employment, contract or agreement?
Are employees also required to return organizational assets (laptop, desktop, PDA,
cell phone, access cards, tokens, smart cards, keys, proprietary documentation)
upon termination / change of status?
Whether access rights of all employees, contractors and third party users to
information and information processing facilities are removed upon termination
of their employment, contract or agreement, or adjusted upon change.
Are information security responsibilities and duties that remain valid after
termination or change of employment defined, communicated to the employee
or contractor and enforced?
Is an inventory of all information assets maintained?
Is the asset register completed with all the required information as per the
template provided by the Information Security team?
Are all system configurations properly documented?
Is the configuration document regularly updated as per a fixed schedule?
Are user devices configured to lock out after a defined number of failed logon
attempts? Is there a time period set for unlocking locked-out accounts?
Are the assets appropriately classified in the asset register?
Are IT assets disposed of / destroyed as per the organization's destruction policy?
Is there an acceptable usage policy?
Is sign-off obtained from employees, contractors and third party users for the
acceptable usage policy?
Is there any procedure in place to ensure the return of <<Org Name>> information
assets such as laptops, portable devices etc. upon employee termination or
retirement?
Are IT assets appropriately labeled (bar code) / tagged?
Is there any process to make the contents of re-usable media unrecoverable if no
longer required by the organization?
Is authorization required for media removed from the organization?
Is critical user data encrypted wherever required, based on the criticality of the
data?
If stored data is required to be retained for a longer time, is the data transferred to
new or fresh media?
Is the transfer of information to and from removable media monitored?
Is there any procedure in place to identify the assets that require secure disposal?
Are records/details maintained for disposal of sensitive items?
Does any offsite movement of media take place?
Whether an access control policy is developed and reviewed based on the
business and security requirements.
Whether both logical and physical access control are taken into consideration in
the policy.
Whether users and service providers are given access as per the access
control matrix, if any, approved by the Business.
Is there an access control (including remote access) policy that has been
approved by management and communicated to the users?
Whether there is any formal user registration and de-registration procedure for
granting access to all information systems and services.
Is authorization from the information owner taken before assigning user access to
the information system?
Whether the allocation and use of any privileges in the information system
environment are restricted and controlled, i.e., privileges are allocated on a
need-to-use basis and only after a formal authorization process.
Are unique user IDs used for access to information systems such as servers,
desktops, network devices etc.?
Is there a process to communicate the user ID and (temporary) password in a
secure manner? Is the initial user password unique?
Are logon banners configured for all system access? Also, whether access to the
operating system is controlled by a secure log-on procedure.
Whether there are any security practices in place to guide users in selecting and
maintaining secure passwords.
Whether there exists a password management system that enforces various
password controls such as: individual passwords for accountability, enforced
password changes, password storage in encrypted form, masking of passwords
on screen etc.
Is there a password vault to store critical user credentials (e.g. system master
credentials) for use in an emergency? Is there an approval process for use of
these credentials? Is there a process to update the credentials periodically? Are
the passwords updated after every checkout and use?
Whether there exists a process to review user access rights at regular intervals.
Is the allocation and use of privileged access rights restricted and controlled
(logged and reviewed)?
Whether a unique identifier (user ID) is provided to every user, such as operators,
system administrators and all other staff including technical staff.
Whether generic user accounts are supplied only under exceptional circumstances
where there is a clear business benefit.
Upon logon failure, does the error message describe the cause of the failure to the
user (invalid password, invalid user ID, etc.)?
Upon successful logon, does a message indicate the time of the last successful
logon, for Portals?
Is two factor authentication deployed for "high-risk" environments?
Is access to program source code restricted?
Is there a process to temporarily disable or suspend user access for users who
are on temporary leave?
Is the use of system utilities (administrative and troubleshooting tools) restricted to
authorized users only?
Whether users and internal contractors are made aware of the security
requirements and procedures for protecting unattended equipment, for example:
log off when the session is finished or set up auto log-off, terminate sessions when
finished, etc.
Do inactive workstations lock within 15 minutes?
Whether inactive sessions are disconnected after a defined period of inactivity.
Whether the organization has adopted a clear desk policy with regard to papers
and removable storage media.
Whether the organization has adopted a clear screen policy with regard to
information processing facilities.
Whether access to information and application system functions by users and
support personnel is restricted in accordance with the defined access control
policy.
Are developers provided only read access for debugging?
Is the Release Manager role segregated from the Developer role?
Are strong passwords required on information systems?
Are new users issued random, single-use initial passwords, with the user ID and
password communicated/distributed via separate media (e.g. e-mail and phone)?
Are vendor default passwords removed, disabled or changed prior to placing the
device or system into production?
Is remote access to the Organization's infrastructure highly restricted and
controlled to prevent unauthorized access to the Organization's infrastructure from
untrusted networks?
Is two factor authentication required for remote access such as VPN?
Whether a formal policy is in place, and appropriate security measures are
adopted, to protect against the risks of using mobile computing and
communication facilities.
Whether risks such as working in an unprotected environment are taken into
account by the mobile computing policy.
Whether policy, operational plans and procedures are developed and implemented
for teleworking activities.
Whether teleworking activity is authorized and controlled by management, and
whether it ensures that suitable arrangements are in place for this way of working.
Are all passwords rendered unreadable during transmission and storage on all
system components using strong cryptography, for Portals?
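The logon controls the checkpoints above ask about (salted hashing so stored passwords are unreadable, lockout after a defined number of failed attempts with a timed unlock, random single-use initial passwords, and a failure message that does not reveal the cause) brought together in one small credential store. This is an added example written for this page, not code from the IRDAI guidelines or from any insurer's system; the lockout threshold, unlock period, minimum length and the in-memory account store are assumptions:

```python
"""Password storage, account lockout and single-use initial passwords.

Added example, not part of the IRDAI guidelines: a small credential store
that implements the controls the checkpoints ask about. The thresholds,
names and in-memory store are assumptions for illustration only.
"""
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

MAX_FAILED_ATTEMPTS = 5                    # assumed lockout threshold
LOCKOUT_SECONDS = 15 * 60                  # assumed automatic unlock period
MIN_PASSWORD_LENGTH = 12                   # assumed strength rule
GENERIC_FAILURE = "Authentication failed"  # same text for every failure cause


def hash_password(password: str, salt: Optional[bytes] = None):
    """Return (salt, digest) using salted scrypt; the plaintext is never kept."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2**14, r=8, p=1)
    return salt, digest


class Account:
    def __init__(self, salt: bytes, digest: bytes, must_change: bool):
        self.salt = salt
        self.digest = digest
        self.must_change = must_change  # True while the initial password is in force
        self.failed = 0                 # consecutive failed logons
        self.locked_until = 0.0         # epoch seconds; 0 means not locked
        self.last_success: Optional[float] = None


class CredentialStore:
    def __init__(self, clock=time.time):
        self._accounts = {}
        self._clock = clock  # injectable so lockout expiry can be tested

    def create_user(self, user_id: str) -> str:
        """Register a user with a random single-use initial password.
        The returned value must reach the user over a different channel
        from the user ID (e.g. phone rather than e-mail)."""
        initial = secrets.token_urlsafe(12)
        salt, digest = hash_password(initial)
        self._accounts[user_id] = Account(salt, digest, must_change=True)
        return initial

    def set_password(self, user_id: str, new_password: str) -> None:
        if len(new_password) < MIN_PASSWORD_LENGTH:
            raise ValueError("password shorter than the minimum length")
        acct = self._accounts[user_id]
        acct.salt, acct.digest = hash_password(new_password)
        acct.must_change = False

    def is_locked(self, user_id: str) -> bool:
        acct = self._accounts.get(user_id)
        return acct is not None and acct.locked_until > self._clock()

    def login(self, user_id: str, password: str):
        """Return (ok, message). Unknown user, wrong password and locked
        account all produce the same message so nothing is leaked."""
        now = self._clock()
        acct = self._accounts.get(user_id)
        if acct is None:
            hash_password(password)  # spend the same time as a real check
            return False, GENERIC_FAILURE
        if acct.locked_until > now:
            return False, GENERIC_FAILURE
        _, digest = hash_password(password, acct.salt)
        if not hmac.compare_digest(digest, acct.digest):
            acct.failed += 1
            if acct.failed >= MAX_FAILED_ATTEMPTS:
                acct.locked_until = now + LOCKOUT_SECONDS
            return False, GENERIC_FAILURE
        acct.failed = 0
        previous, acct.last_success = acct.last_success, now
        if acct.must_change:
            acct.digest = b""  # initial password is now spent: single use
            return True, "Initial password accepted; set a new password now"
        return True, f"Logged in; last successful logon at {previous}"
```

The injectable clock lets the unlock timer be exercised without waiting; in a real deployment the account state lives in a database behind the authentication service. The checklist asks whether the failure message describes the cause; this store deliberately returns one generic message for unknown user, wrong password and locked account, so that the logon form cannot be used to enumerate valid user IDs.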
Are there sufficient controls in place for physical protection against damage from
fire, earthquake, explosion, civil unrest and other forms of natural or man-made
disaster?
Are security perimeters defined and used to protect areas that contain either
sensitive or critical information processing facilities?
Are smoke detectors and fire alarms installed? Do they undergo periodic
preventive maintenance at the DC?
Are fire extinguishers installed at easily visible and accessible locations? Are
they adequate in number for the area to be covered?
Are the physical security personnel trained in the use of fire extinguishers and
basic first aid?
Are mock fire evacuation drills / emergency evacuation drills conducted?
Are emergency telephone numbers (ambulance, hospital, police station, fire
brigade) put up at critical locations?
Is the overall diagram of the floor layout and safe assembly point put up at
appropriate places at the DC?
Are the emergency exits made visible and properly labeled?
Are air conditioning systems implemented to ensure that the operational
environment conforms to the equipment manufacturer's specifications?
Are there procedures in place to monitor that humidity and temperature levels in
the data center/server room remain within the limits prescribed by the
manufacturer/OEMs etc.? Is a water alarm system configured to detect water in
high-risk areas of the data center?
Are cables clearly labeled and documented to minimize handling errors such as
accidental patching of wrong network cables or electrical power surges at the DC?
Is physical access to the datacenter controlled using two-factor authentication?
Are visitors required to make an entry in the visitor register?
Are continuous monitoring systems (viz. CCTVs) installed to monitor critical
facilities on a 24 x 7 basis?
Do critical system, service or infrastructure areas, or any physical location such
as the Datacenter, post a sign to indicate that only authorized personnel are
allowed?
Is access to the restricted zone granted on a need-to-access basis?
Is a periodic access rights review conducted for access granted to employees,
contractors and third parties for <<Org Name>>?
Are visitors accompanied by organization staff when entering/working in critical
system, service or infrastructure facilities, or any physical location such as the
Data Centre?
Is an access control register maintained at the entry point of the Data Centre? Are
the date and time of entry and departure recorded for all visitors?
Are the racks in the server room locked, and is access to these racks restricted to
authorized personnel only?
Is the identification card for contractors, visitors or temporary employees physically
different from that of regular employees?
Are visitors always escorted at the DC?
Are access rights to secure areas (such as the DC and critical office areas)
regularly reviewed and updated?
Are access points such as delivery and loading areas, and other points where
unauthorised persons could enter the premises, controlled and, if possible,
isolated from information processing facilities to avoid unauthorised access?
Is there a designated site owner and backup site owner?
Do access requests require approval of the site owner?
Are incoming and outgoing mail points and unattended fax, telex and photocopy
machines protected?
Are printers cleared of sensitive information immediately?
Is maintenance of equipment done by authorized personnel only?
Is the use of any information equipment outside the organization's premises
authorized by management?
Is there adequate insurance cover for critical equipment?
Is sensitive data and licensed software securely erased from equipment prior to
disposal? Is the erasure mechanism secure?
Whether procedures exist for the management of removable media, such as tapes,
memory cards, and reports? Whether equipment, information or software are
taken off-site only with prior authorisation?
Whether media that are no longer required are disposed of securely and
safely, as per formal procedures?
Whether operating procedures are documented and made available to all users
who need them.
Whether changes to the organisation's business processes, information
processing facilities and systems that affect information security are controlled.
Is there a procedure for decommissioning of applications, systems, databases or
environments etc.?
Are capacity requirements monitored to ensure that adequate resources are
available?
Are the anti-virus agents configured to scan all removable disks, agents and
devices before use?
Are the anti-virus agents configured to scan all BO servers, store servers and
store manager machines?
Is the anti-virus software configured to scan all internet and email traffic for
viruses or mobile code? Is the software configured to scan the system
periodically?
Do all desktops, laptops, mobile devices and servers in the organization have
anti-virus software / an agent installed which is periodically updated with the latest
signatures?
Are the anti-virus servers configured as per the latest secure configuration
document (hardening policy)?
Do critical changes to the anti-virus application and configuration
settings follow the organization's Change Management policy?
Are incidents related to anti-virus software not functioning, or virus outbreaks,
reported to the appropriate team for remedial action?
Do appropriate management procedures and responsibilities exist for the
reporting of, and recovery from, virus attacks?
Are Service Level Agreements maintained with the vendor for software
upgrades and technical support for the anti-virus software?
Is there a formal policy requiring compliance with software licenses and prohibiting
the use of unauthorized software?
Do the end users of laptops/desktops have rights/privileges to change anti-virus
agent settings or turn off the anti-virus?
Is there a documented backup policy and procedure?
Is the back-up schedule of business applications documented?
Is there a defined retention period for backups, to ensure backup data is retained
for the period necessary to satisfy business, regulatory and legal requirements?
Is the backup data encrypted?
Is the backup media stored in a fire resistant cabinet in line with the OEM
specifications, and accessible only to authorized personnel?
Are all backup media properly labeled for identification and information
classification?
Is a copy of the backup stored offsite for critical business applications?
Is media transported securely to the offsite location, and is the media protected
from unauthorized tampering or information disclosure during transportation to the
offsite location?
Is backup sent on any external removable media? If yes, is there an NDA signed
with the courier service? Also, is the data on the external removable media
encrypted?
Is the backup media securely disposed of?
Is a tape movement register maintained to track the movement of backup
media, i.e. incoming and outgoing tapes?
Are there any procedures to review the backup tape inventory periodically?
If backup software is used to take data backups, are there security measures in
place to protect the backup software?
Is access to the backup software and systems restricted to authorized
personnel only?
Is recovery testing done periodically for critical systems where a synchronized data
backup at the DR site is not available, to ensure that data can be recovered from
the backup media?
How regularly are data restorations performed for the backed-up data?
Are event logs enabled, recording user activities, exceptions, faults and
information security events, and are they kept and regularly reviewed (viz. for
access control devices)?
Are event logs enabled, recording user activities, exceptions, faults and
information security events, and are they kept and regularly reviewed for all
database servers?
Are event logs enabled, recording user activities, exceptions, faults and
information security events, and are they kept and regularly reviewed for network
devices?
Are logging facilities and log information protected against tampering and
unauthorized access for access control devices? Are there mechanisms to detect
and prevent:
- alterations to the message types that are recorded
- log files being edited or deleted
- the storage capacity of the log file media being exceeded
Are logs enabled for all operating system servers? Also, are logging facilities and
log information protected against tampering and unauthorized access at the
operating system level? Are there mechanisms to detect and prevent:
- alterations to the message types that are recorded
- log files being edited or deleted
- the storage capacity of the log file media being exceeded
Are logs enabled for all networking devices? Also, are logging facilities and log
information protected against tampering and unauthorized access at the network
level? Are there mechanisms to detect and prevent:
- alterations to the message types that are recorded
- log files being edited or deleted
- the storage capacity of the log file media being exceeded
Are all critical system activities carried out by system administrators and system
operators logged and protected?
Are all critical system activities carried out by system administrators and system
operators reviewed on a regular basis?
Do logs include the following information:
- the time at which an event (success or failure) occurred
- information about the event
- which account and which administrator or operator was involved
Is there an NTP server in use?
Are all information systems in sync with the NTP server?
Is the NTP server maintained in High Availability mode?
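One way to give the log-protection and log-content checkpoints above something concrete to run against: an append-only audit log in which each record is chained to the hash of the record before it, so an entry that was edited, deleted or reordered is detected at review time, every record is refused unless it carries the time, event, outcome and account, and a timestamp that runs backwards is reported as a sign that a source host has drifted from the NTP server. This is an added example written for this page, not a mechanism from the IRDAI guidelines; the record fields, the chain layout and the sample entries are constructed assumptions:

```python
"""Tamper-evident audit log with completeness and clock-order checks.

Added example, not part of the IRDAI guidelines: every record is chained to
the SHA-256 hash of the record before it, so an edited, removed or
reordered line is detected on review. The record layout, field names and
sample entries are constructed assumptions for this illustration.
"""
import hashlib
import json
from datetime import datetime, timedelta

REQUIRED_FIELDS = ("ts", "event", "outcome", "account", "actor")
GENESIS = "0" * 64  # hash value the first record links to


def _digest(prev_hash: str, record: dict) -> str:
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def append(log: list, record: dict) -> dict:
    """Add a record to the log, refusing records that lack a required field
    (who, what, when, result) and linking it to the previous entry."""
    missing = [f for f in REQUIRED_FIELDS if f not in record]
    if missing:
        raise ValueError(f"record is missing fields: {missing}")
    prev = log[-1]["hash"] if log else GENESIS
    entry = {"record": record, "prev": prev, "hash": _digest(prev, record)}
    log.append(entry)
    return entry


def verify(log: list, max_skew_seconds: int = 5) -> list:
    """Return findings; an empty list means the log is intact.
    Flags edited records, broken links (a record removed or reordered),
    missing fields, and timestamps that run backwards by more than the
    tolerated skew, which usually means a source host is not synchronised
    to the NTP server."""
    findings = []
    prev_hash, prev_ts = GENESIS, None
    for i, entry in enumerate(log):
        record = entry["record"]
        if entry["prev"] != prev_hash:
            findings.append(f"entry {i}: chain broken (record removed or reordered)")
        if _digest(entry["prev"], record) != entry["hash"]:
            findings.append(f"entry {i}: content does not match stored hash (edited)")
        missing = [f for f in REQUIRED_FIELDS if f not in record]
        if missing:
            findings.append(f"entry {i}: missing fields {missing}")
        if "ts" in record:
            ts = datetime.fromisoformat(record["ts"])
            if prev_ts is not None and ts < prev_ts - timedelta(seconds=max_skew_seconds):
                findings.append(f"entry {i}: timestamp earlier than previous entry (clock drift?)")
            prev_ts = ts
        prev_hash = entry["hash"]
    return findings


def sample_log() -> list:
    """Constructed sample: an administrator session on a database server."""
    rows = [
        ("2024-03-01T10:00:00+00:00", "logon", "success", "dbadmin", "dbadmin"),
        ("2024-03-01T10:00:42+00:00", "grant_privilege", "success", "svc_report", "dbadmin"),
        ("2024-03-01T10:01:10+00:00", "logon", "failure", "root", "unknown"),
        ("2024-03-01T10:02:00+00:00", "logoff", "success", "dbadmin", "dbadmin"),
    ]
    log = []
    for ts, event, outcome, account, actor in rows:
        append(log, {"ts": ts, "event": event, "outcome": outcome,
                     "account": account, "actor": actor, "host": "db01"})
    return log


if __name__ == "__main__":
    intact = sample_log()
    print("intact log findings:", verify(intact))
    intact[1]["record"]["outcome"] = "failure"  # simulate an edit in place
    print("after edit:", verify(intact))
```

The chain only proves integrity relative to the last hash the reviewer trusts, so in practice the latest hash is shipped periodically to a separate system (a write-once store or the SIEM) that the administrators of the logging host cannot reach; otherwise someone with write access to the file can rebuild the whole chain. The "storage capacity exceeded" item in the checklist is a separate control, handled by monitoring free space and forwarding logs off the host rather than by this check.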
Are all critical changes to operational systems and applications tested in a testing
or staging environment prior to being applied to operational systems?
Is there a defined process for source code movement from development, test to
production environment ?
Does the change management process require identification and recording of
significant changes?
Does the change management process include planning and testing of changes?
Does the change management process assess the potential impacts, including information security impacts, of such changes?
Does the change management process follow a formal approval procedure for proposed changes?
Does the change management process verify that information security requirements have been met?
Are change details communicated to all relevant persons?
Are fallback procedures defined, including procedures and responsibilities for aborting and recovering from unsuccessful changes and unforeseen events?
Is there a provision of an emergency change process to enable quick and
controlled implementation of changes?
Whether all changes to any system, service, infrastructure and physical location facilities are controlled?
Whether procedures were included within the organisation's change management programme to ensure that business continuity matters are appropriately addressed.
Are version control methods implemented for any changes / modifications to software?
Whether the testing of security functionality is carried out during development?
Have timelines been defined for reacting to notifications of potentially relevant technical vulnerabilities?
Are the risks relating to known vulnerabilities evaluated, and are appropriate detective and corrective actions defined?
Is a list maintained of the permitted software, or types of software, allowed to be installed on desktops, laptops or servers?
Are appropriate network controls implemented for the security of information, including information in transit?
Whether controls were implemented to ensure the security of the information in
networks, and the protection of the connected services from threats, such as
unauthorized access.
Are security mechanisms, service levels and management requirements of all network services identified and included in network services agreements?
Is there an Intrusion Detection System (IDS) / Intrusion Prevention System (IPS) implemented? Does it cover all external connections?
Are the responsibilities and procedures defined for the management of networking equipment?
Are firewalls in use for both internal and external connections?
Is every connection to an external network terminated at a firewall?
Do the firewalls have any rules that permit 'any' network, sub network, host,
protocol or port on any of the firewalls (internal or external)?
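A check an auditor can automate for the question above, written as an added example (it is not part of the IRDAI guidelines): it scans a constructed, vendor-neutral rule base for permit rules whose source, destination, protocol or port is 'any', the condition the question asks about, while leaving a final default-deny rule alone.

```python
# Added example: flag permit rules that use 'any' in a firewall rule base.
# The rule format below is constructed for this example (vendor-neutral, one
# rule per line): <action> <src> <dst> <proto> <dport>. Real exports differ.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str
    src: str
    dst: str
    proto: str
    dport: str


WILDCARD_FIELDS = ("src", "dst", "proto", "dport")


def parse_rules(text: str) -> list[Rule]:
    """Parse the constructed rule format; blank lines and '#' comments are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 5:
            raise ValueError(f"malformed rule: {line!r}")
        action, src, dst, proto, dport = parts
        rules.append(Rule(action.lower(), src, dst, proto.lower(), dport))
    return rules


def find_any_rules(rules: list[Rule]) -> list[tuple[int, list[str]]]:
    """Return (rule_index, [wildcard fields]) for each permit rule that uses 'any'.
    Deny rules with 'any' (such as a final default deny) are expected, not flagged."""
    findings = []
    for i, rule in enumerate(rules):
        if rule.action != "permit":
            continue
        wild = [f for f in WILDCARD_FIELDS if getattr(rule, f).lower() == "any"]
        if wild:
            findings.append((i, wild))
    return findings


# Constructed sample rule base with private addresses; not a real configuration.
SAMPLE_RULEBASE = """\
permit 10.1.0.0/16   10.2.5.10/32   tcp 443    # specific on every field: not flagged
permit any           10.2.5.20/32   tcp 25     # reachable from anywhere: flagged
permit 10.1.0.0/16   any            any any    # flat outbound: flagged on three fields
deny   any           any            any any    # default deny: expected, not flagged
"""

if __name__ == "__main__":
    for idx, fields in find_any_rules(parse_rules(SAMPLE_RULEBASE)):
        print(f"rule {idx}: permit with 'any' in {', '.join(fields)}")
```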
Is the firewall rule base treated as sensitive information, and is knowledge of the same restricted to only authorized officials in the IT / Computer Operations department?
Whether there is a formal transfer (exchange) policy, procedure and control in
place to ensure the protection of information.
Is there a policy or guidelines available outlining acceptable use of communication
facilities?
Are there any procedures designed to protect transferred information from interception, copying, modification, misrouting and destruction?
Whether agreements are established concerning exchange of information and
software between the organization and external parties.
Whether media containing information is protected against unauthorized access,
misuse or corruption during transportation beyond the organization’s physical
boundary.
Whether the information involved in electronic messaging is well protected.
Whether policies and procedures are developed and enforced to protect
information associated with the interconnection of business information systems.
Is there a process to ensure that Confidentiality and non-disclosure agreements
comply with all applicable laws and regulations?
Is there a process to review requirements for confidentiality and non-disclosure
agreements periodically and when changes occur?
Is information involved in application services passing over public networks protected from fraudulent activity, contract dispute and unauthorized disclosure and modification (e.g. by authentication, cryptographic controls, etc.)?
Whether security requirements for new information systems and enhancements to existing information systems specify the requirements for security controls at the time of design / implementation.
Whether system requirements for information security and processes for implementing security are integrated in the early stages of information system projects.
Whether data input to application system is validated to ensure that it is correct
and appropriate.
Whether controls such as checking different types of inputs for error messages, procedures for responding to validation errors, and defining the responsibilities of all personnel involved in the data input process are considered.
Whether validation checks are incorporated into applications to detect any
corruption of information through processing errors or deliberate acts.
Whether a security risk assessment was carried out to determine if message integrity is required, and to identify the most appropriate method of implementation.
Is there a formal Software Development Life Cycle (SDLC) process?
Is the change management process followed for application changes, and are the change records maintained?
Are secure system engineering principles followed for the development and implementation of software applications?
Are there access controls to protect source code and test data? Does the version
management system provide segregation of code, data and environments?
Do changes to applications or application code go through a risk assessment
including application testing?
Whether changes to systems within the development lifecycle are controlled by the
use of formal change control procedures.
When operating platforms are changed, whether business critical applications are
reviewed and tested to ensure there is no adverse impact to organizational
operations or security.
Whether the organization supervises and monitors the activity of outsourced system development.
Whether testing of security functionality is carried out during development.
Whether acceptance testing programs and related criteria are established for new information systems, upgrades and new versions.
Is there a policy available to address information security requirements for
mitigating risks associated with suppliers?
Are there processes and procedures established for information security
requirements for each type of vendor and type of access based on the
organization’s business needs and the risk profile?
Do the supplier agreements include legal and regulatory requirements, data protection, intellectual property rights and copyright, and a description of how it will be ensured that they are met?
Do the supplier agreements include the organization's security requirements throughout the supply chain, if suppliers subcontract parts of the information and communication technology services?
Whether the services, reports and records provided by the third party are regularly monitored and reviewed.
Whether audits are conducted on the above third-party services, reports and records at regular intervals.
Does it take into account the criticality of the business systems, the processes involved and the re-assessment of risks?
Is there an Incident Management program?
Is there a documented policy for incident management that has been approved by
management, communicated to appropriate constituents and an owner to maintain
and review the policy?
Whether information security events are reported through appropriate
management channels as quickly as possible.
Whether formal information security event reporting, incident response and escalation procedures are developed and implemented.
Whether there exists a procedure that ensures all employees using information systems and services are required to note and report any observed or suspected security weakness in the systems or services.
Is there a formal Incident Response Plan? If yes, does it include:
- An Incident Management team with defined roles and response available 24x7x365.
- Procedures to collect and maintain a chain of custody for evidence during incident investigation.
- A feedback process to ensure that the persons reporting information security events are notified of the results after the issue has been dealt with and closed.
Does it consider incidents when running from DR facilities?
Is there an incident identification process? If yes, does it include:
- Unauthorized physical access.
- Information system failure or loss of service.
- Malware activity (viruses, worms, Trojans).
- Denial of service.
- System exploit.
- Feedback and lessons learned.
Whether management responsibilities and procedures are established to ensure
quick, effective and orderly response to information security incidents.
Are information security events assessed, and is it decided whether they are to be classified as information security incidents?
Whether the information gained from the evaluation of past information security incidents is used to identify recurring or high-impact incidents.
Are processes and procedures for the identification, collection, acquisition and preservation of evidence defined, including:
Are audits performed to ensure compliance with any legal, regulatory or industry
requirements?
Whether controls such as: publishing intellectual property rights compliance policy,
procedures for acquiring software, policy awareness, maintaining proof of
ownership, complying with software terms and conditions are considered.
Is there a records retention policy covering paper and electronic records, including email, in support of applicable regulations, standards and contractual requirements?
Whether data storage systems were chosen so that required data can be retrieved
in an acceptable timeframe and format, depending on requirements to be fulfilled
(viz. data retention time frame basis as per local legal requirement).
Whether important records of the organization are protected from loss, destruction and falsification, in accordance with statutory, regulatory, contractual and business requirements.
Whether consideration is given to possibility of deterioration of media used for
storage of records.
Whether data protection and privacy is ensured as per relevant legislation,
regulations and if applicable as per the contractual clauses.
Whether a warning message is presented on the computer screen prior to log-on, and whether the user has to acknowledge the warning and react appropriately to the message on the screen to continue with the log-on process.
Whether internal procedures are developed and followed when collecting and presenting evidence for the purpose of disciplinary action within the organization.
Is there an IT Disaster Recovery Management (IT DR) framework to improve the resiliency of the organization and ensure availability of the IT systems supporting the business operations?
Are there any processes, procedures and controls in place to ensure the required level of continuity for critical services and processes during a disaster / disruptive event?
Is Business Impact Analysis and Business Continuity Risk Assessment done for
the BU / Department / Concept / Corporate in consideration with RTO & RPO?
Whether Business continuity plans are tested regularly to ensure that they are
up to date and effective.
Whether business continuity plans are maintained by regular reviews and updates to ensure their continuing effectiveness.
Has any third party evaluated the DR program in the past 12 months?
Is there a DR test plan?
Has an annual management review of the DR program for adequacy of resources (people, technology, facilities, and funding) been conducted?
Is the disaster recovery site located in a different geographical location?
Are incident response personnel identified with the necessary responsibility, authority and competence to manage an incident, and is the same communicated to the concerned personnel?
Are there detailed recovery procedures (applications, infrastructure components) documented for an effective recovery of the business applications?
Is there an internal audit, risk management or compliance department with
responsibility for identifying and tracking resolution of outstanding regulatory
issues?
Are audits performed to ensure compliance with any legal, regulatory or industry
requirements?
Are there procedures to ensure compliance with legislative, regulatory, and
contractual requirements on the use of material where intellectual property rights
may be applied and on the use of proprietary software products?
Is there a records retention policy covering paper and electronic records, including
email, in support of applicable regulations, standards and contractual
requirements?
Whether managers ensure that all security procedures within their area of
responsibility are carried out correctly to achieve compliance with security policies
and standards.
Do managers regularly review the information processing facilities within their area of responsibility for compliance with the appropriate security policies and procedures?
Whether information systems are regularly checked for compliance with security
implementation standards.
Is there an independent audit function within the organization?
Whether audit requirements and activities involving checks on operational systems are carefully planned and agreed to minimize the risk of disruptions to business processes.
Whether the audit requirements and scope are agreed with appropriate management.
Are any information systems audit tools (e.g., software or data files) accessible to
any users in any unprotected area?
Whether access to information system audit tools such as software or data files
are protected to prevent any possible misuse or compromise.
Is there a policy for the privacy and protection of personally identifiable information developed and implemented? Is this policy communicated to all persons involved in the processing of personally identifiable information?
Are regular compliance reviews carried out of any system, service, infrastructure, physical location and procedures within their area of responsibility against the appropriate security policies, standards and any other security requirements? Has a review of security policies, standards, procedures, and/or guidelines been performed within the last 12 months?
Are Information systems regularly reviewed for compliance with the organization’s
information security policies and standards? Has a network penetration test been
conducted within the last 12 months?
Whether all relevant statutory, regulatory, contractual requirements and
organizational approach to meet the requirements were explicitly defined and
documented for each information system and organization.
Whether specific controls and individual responsibilities to meet these
requirements were defined and documented.
Does the cloud hosting policy ensure that critical business records are maintained within India?
Does the policy cover security requirements for data and systems hosted on cloud
services?
Do changes to cloud-based systems follow the change management policy?