ANTRIX IT POLICY (Version 1.0)

एन्ट्रिक्स कॉर्पोरेशन लिमिटेड / Antrix Corporation Limited

बेंगलूरु / Bengaluru - 560 094

February 2019

IT POLICY – Version 1.0

2 | P a g e

Table of Contents

1. Introduction

2. Purpose

3. Scope

4. Data/Information Classification

5. Software and Licensing Policy

6. Network and Infrastructure Policy

7. E-Mail Policy

8. End-point system policy

9. Portable storage Media Policy

10. Network Access Policy

11. Server Policy

12. Backup and Restore Policy

13. Website Policy

14. Cyber Crisis Management

15. E-Waste Policy


Introduction

ANTRIX, the commercial arm of ISRO, has established a full-fledged IT infrastructure catering to different IT systems. The IT systems established are as follows:

- Customised ERP using Infor
- On-premise e-mail services using Zimbra
- On-premise file sharing services
- Antrix website

ANTRIX is also in the process of strengthening the IT ecosystem by implementing new application systems and enhancing the IT infrastructure. Due to technology advancements and the changing IT landscape, there is a need to bring out a comprehensive IT policy that clearly sets out roles and responsibilities, acceptable use policies, management of confidentiality of data, backup and recovery mechanisms, IT security infrastructure and an incident response plan. This document brings out a comprehensive IT policy covering all the aspects mentioned above.

Purpose

The purpose of bringing out this policy for ANTRIX is:

- To ensure effective control and maintenance of the IT infrastructure, including defining a system of access to applications and services, security procedures, etc.
- To actively search for and identify information technologies that will give strategic advantage to the enterprise, and to seek opportunities to acquire such technologies that create competitive barriers in marketing, procurement and manpower management.
- To design and develop a comprehensive plan for the IT infrastructure that may serve as a guide for the future direction of application development effort. This may include a proper system of regular evaluation of existing and proposed applications in terms of their contribution to the success of the enterprise.
- To provide IT infrastructure that enables users to use IT systems effectively and efficiently, aligned with ANTRIX business goals.
- To develop and preserve information as a corporate resource and to offer infrastructure that ensures coherent access for users to complete, concise and timely information.
- To establish a general approach to information security.
- To detect and forestall the compromise of information security, such as misuse of data, networks, computer systems and applications.
- To bring out acceptable use policies for IT systems.
- To establish and implement an incident response plan.
- To establish backup and recovery procedures.
- To bring a systematic approach to e-waste management.

Scope

This policy applies to all information, information systems, networks, applications, locations and users of ANTRIX, including data entry assistants and contract engineers.

Data/Information Classification

ANTRIX deals with sensitive information from ISRO/DOS and also enters into business contracts with customers across the globe. Data owners should determine both the data classification and the exact measures a data custodian needs to take to preserve the confidentiality and integrity of the information in accordance with that level.

A consistent system for the classification of information within ANTRIX enables common assurances in information partnerships, and consistency in handling and retention practice where information is shared with outside organisations.

All information available with ANTRIX shall be classified by its data owner into one of the following:

Secret: Information whose unauthorised disclosure could be expected to cause serious damage to the national interest or cause serious embarrassment to the organisation in its functioning. This classification should be used for highly important information (e.g. sensitive legal documents, defence contracts).

Confidential: Information whose unauthorised disclosure could be expected to cause damage to the security of the organisation, or could be prejudicial to the interests of the organisation, or could affect the organisation or its functioning. Most information, on proper analysis, will be classified no higher than Confidential.

Restricted: Information that is meant for official use only and would not be published or communicated to anyone except for official purposes (e.g. ISO documents).

Unclassified: Information that requires no protection against disclosure (e.g. website information).

Generic guidelines

- All IT systems are to be used by Antrix users for official purposes only. IT systems shall not be used for playing/viewing videos and games or other personal activities.
- Users are responsible for the proper upkeep of their end-point system.


Software and Licensing Policy

ANTRIX policy is to manage its software assets to derive maximum benefit for ANTRIX and its employees and, especially, to ensure that ANTRIX and its employees:

- Acquire, reproduce, distribute, transmit and use computer software in compliance with applicable laws and regulations.
- Maintain only legal software on ANTRIX computers and computer networks.

All software is protected under copyright law from the time of its creation. ANTRIX has licensed copies of computer software from a variety of OEMs to help fulfil its mission. Unless otherwise provided in the software licence, duplication of copyrighted software, except for backup and archival purposes, is a violation of this policy.

Only licensed software shall be installed on IT systems. If use or distribution of unauthorised software is found, the IT department shall be notified immediately. ANTRIX employees shall not loan or give anyone any software licensed to ANTRIX.

The licences for some software permit employees of ANTRIX to make a copy of the software for home use to conduct official business from their homes. Under no circumstances shall an employee use such software for purposes other than official business.

ANTRIX employees shall not use or distribute personally owned software on the organisation's computers or networks. Further, no employee shall download software from the Internet without the prior approval of the IT department. Such software threatens the integrity and security of the organisation's computers and networks.

Network and Infrastructure Policy

The network plays an important role as it binds all the information assets together and provides a means for operational transactions, where different entities can participate, exchange information and carry out operations on that information by making use of specific ports, protocols and services provided by the network.

Antrix shall establish a highly secured network infrastructure providing access, facilitating exchange of information and executing a variety of transactions. A combination of network solutions and devices shall be deployed for these transactions to be successful.

Antrix shall ensure that a network diagram illustrating all network devices and other significant devices is available. Since this contains classified information, such documentation shall be appropriately protected and its distribution limited.

Antrix shall maintain and update a map/inventory of authorised devices:

a. Infrastructure components spread across the organisation and connected to the network: endpoints, server systems and other IT security appliances.
b. Connectivity and access to endpoints and devices shall be recorded and maintained.
c. The spread of organisational assets across the operational functions shall be recorded.

ANTRIX shall procure all network and infrastructure hardware elements from manufacturers or resellers who are authorised partners, with reasonable demonstration of compliance with global security practices.

Antrix shall secure the network perimeter by deploying a UTM in redundant Active-Passive mode.

Antrix shall divide the network into multiple functional zones according to sensitivity or criticality. Wherever possible, physical isolation shall be used. Sensitive IT assets such as the ERP and Active Directory systems must not be directly accessible from the external environment.

Antrix shall ensure that appropriate network segmentation technologies such as VLANs and SDN are implemented to logically isolate network zones (complementing physical isolation where it is feasible) and to protect classified information and critical services. VLAN tagging alone does not isolate zones: inter-VLAN traffic must be filtered by the UTM or an internal firewall with explicit allow rules for the segmentation to protect anything.

Antrix shall ensure that appropriate security policies, tools and methodologies are implemented to protect the transmission of information over the LAN. Transmission of critical information shall use secured protocols such as SSH and HTTPS.

E-Mail Policy

ANTRIX uses e-mail as a major mode of communication. Communications include ANTRIX data that travels as part of mail transactions between users located both within the country and outside.

ANTRIX shall implement a secured on-premise mail server.

E-mail services are provided on the domain antrix.co.in. Only the e-mail services provided by ANTRIX shall be used for official communications by users.

An official e-mail id provided by ANTRIX can be used to communicate with any other user, whether private or public. However, the user must exercise due discretion regarding the contents sent as part of the e-mail.


Appropriate Use of E-mail Service

E-mail is provided as a professional resource to assist users in fulfilling their official duties. Designation-based ids should be used for official communication; name-based ids can be used for both official and personal communication.

Examples of inappropriate use of the e-mail service:

- Creation and exchange of e-mails that could be categorised as harassing, obscene or threatening.
- Unauthorised exchange of proprietary information or any other privileged, confidential or sensitive information.
- Unauthorised access to the services. This includes the distribution of e-mails anonymously, use of other officers' user ids or use of a false identity.
- Creation and exchange of advertisements, solicitations, chain letters and other unofficial, unsolicited e-mail.
- Creation and exchange of information in violation of any laws, including copyright laws.
- Wilful transmission of an e-mail containing a computer virus.
- Misrepresentation of the identity of the sender of an e-mail.
- Use or attempted use of the accounts of others without their permission.
- Transmission of e-mails containing language derogatory to religion, caste or ethnicity; sending personal e-mails to a broadcast list; exchange of e-mails containing anti-national messages; sending e-mails with obscene material, etc.
- Use of distribution lists for the purpose of sending e-mails that are personal in nature, such as personal functions, etc.

Any case of inappropriate use of e-mail accounts shall be considered a violation of the policy and may result in deactivation of the account. Further, such instances may also invite scrutiny by the investigating agencies depending on the nature of the violation.

E-Mail security

The mail server shall be deployed on a hardened OS. A mail security gateway with anti-spam, dual anti-virus and malware protection shall be deployed as an appliance at the perimeter.

The Antrix mail server shall use a TLS (SSL) certificate for server authentication, so that webmail is served over HTTPS. The same certificate should also protect the IMAP/POP3 and SMTP submission ports that mail clients connect to, so that credentials are never sent in clear text.

As ANTRIX is a business entity, users may access mail services through webmail or mail clients such as Outlook Express and Thunderbird. All security mechanisms shall be put in place for access to mail services through mail clients. Strong passwords and keeping the browser and mail clients up to date are the best security practices to adopt.

The ANTRIX IT team shall ensure that the latest operating system, anti-virus and application patches are applied on all devices, in coordination with the user.

It is recommended that ANTRIX officials use a VPN and/or a one-time password (OTP) for accessing e-mail services from outside the ANTRIX office, as deemed appropriate by the competent authority.

While handling sensitive and confidential data, best practices related to the handling and security of information shall be followed. All confidential information shall be sent as password-protected attachments; the protection must use strong encryption (for example an AES-256 encrypted archive, not the legacy ZipCrypto scheme, which is easily broken). Passwords shall be shared with the concerned recipients through modes other than e-mail.

E-mail Usage

- Only the e-mail account provided by ANTRIX shall be used for official communication.
- Official e-mail shall not be forwarded to personal e-mail accounts.
- Users shall not attempt any unauthorised use of e-mail services, such as:
  - Distribution of messages anonymously
  - Misusing another user's e-mail address
  - Using a false identity
  - Sending messages to harass or intimidate others
  - Sending messages containing any form of anti-national, offensive, defamatory, discriminatory, malicious or pornographic material

End Point system policy

- Users shall be responsible for the activities carried out on the client system using the accounts assigned to them.
- Users' network access shall be subject to monitoring/filtering for malicious/unauthorised activities.
- Users shall use an account with limited privileges on the client system and shall not use administrator privileges.
- Backups of important files shall be taken by the user at regular intervals on the storage space provided for the user in the backup storage.
- Users shall not leave their system unattended. The user shall lock the system before leaving it. Additionally, a system idle timeout shall be configured in the client system configuration.
- Maintenance or rectification of faults in the client system shall be carried out under the close supervision of the user.
- Users shall check that the system time is as per IST. Any variation shall be reported to the IT department; consistent time across systems is also what makes their logs comparable during an incident investigation.
- Users shall not engage in any of the following activities:
  - Circumventing security measures
  - Harassing other users by accessing or modifying their data/resources on the system
  - Creating, accessing, executing, downloading, distributing, storing or displaying any form of anti-national, offensive, defamatory, discriminatory, malicious or pornographic material
  - Making copies of software/data for unauthorised use
  - Impersonation
  - Phishing
  - Social engineering
  - Unauthorised use of software licences
  - Providing the official e-mail address on Internet mail groups/bulletin boards for personal use
  - Any activity that is in violation of the Central Civil Services (Conduct) Rules
- Users shall report any security incident to the IT department. The security incident will be handled as per the Security Incident Management Process.
- Users shall ensure that the system is configured as follows:
  - Users shall not share the client system with anyone by default. However, if necessary for any specific reason (for use by data entry assistants), the following shall be ensured:
    - Every user on the shared client system has a separate account.
    - File/folder access permission is limited to meet the functional requirement of the user.
  - Users shall not share the hard disk or folders with anyone by default. However, if necessary, only the required folders shall be shared with specific users.
  - By default all interfaces on the client system are disabled and only those interfaces which are required are enabled. The client system shall be configured using the standard profile by the IT Department.


Virus and Malicious Code (adware, spyware, malware)

- Users shall ensure that the client system is configured with the authorised anti-virus software.
- Users shall ensure that the anti-virus software and the virus pattern files are up to date.
- Users shall ensure that the anti-virus scan is configured to run at regular intervals. It shall be ensured that the regular scan is not stopped.
- In case a virus does not get cleaned or some abnormality in virus scanning is noticed, it shall be brought to the notice of the IT department for handling as per the security incident management process.

Hardware, Operating System and Application Software

Users shall use only the software/hardware which are authorised by the IT Department.

The following activities shall be carried out by the IT Administrator. However, the user shall ensure the following:

- The operating system and other software are installed using an authorised source/Original Equipment Manufacturer (OEM) media with a valid licence.
- While installing the operating system and other software packages, only the required
- The system is updated with the latest service packs, security patches and updated drivers without affecting the functionality of the system.
- Booting from removable media is disabled.
- Strong passwords are used for protection of the system at various levels.

The user of the system shall ensure the following:

- Passwords are enabled at BIOS and system login level.
- The auto-logon feature on the client system is disabled.
- As a best practice, passwords shall be changed at regular intervals to avoid compromise of the system.
- If a password is suspected to have been compromised, it shall be changed immediately and a security incident shall be reported to the IT department for handling through the security incident management process.


Portable Storage Media Policy

- Users shall use only officially issued portable storage media on systems connected to the network.
- Users shall return the portable storage media if it is no longer a functional requirement or in case of damage/malfunction.
- Users shall ensure that the portable storage media used is free from viruses and malware. It shall be ensured that a virus scan is carried out before using the USB device on the client system.
- Users shall ensure that software is not executed directly from portable storage media.

Network Access Policy applicable to the user

- Users shall take prior approval from the competent authority to connect the client system to the network.
- A client system authorised to connect to one network shall not connect to any other network.
- For wireless connectivity, users shall ensure the following:
  - By default, the wireless interfaces are disabled.
  - The client system does not connect to wireless networks/devices without approval from the competent authority.
  - If permitted, the wireless interface of the client system is enabled to connect to the authorised wireless network only.
- Guest systems shall be connected to the wireless infrastructure only after due approvals. Guest systems shall be connected in a separate layer completely separated from the ANTRIX network.

Client System Log

Users having administrative privileges shall not disable/delete the audit trails/logs on the client system. The logs are required for any forensic analysis.


Server Policy

General Requirements

All internal servers deployed at ANTRIX shall be administered by the IT department. At a minimum, the following information is required to positively identify a server:

- Server location (room, rack, etc.)
- Hardware and operating system/version
- Main functions and applications, if applicable

Configuration changes for production servers shall follow the best practices of the change management procedure.

Configuration Requirements

- The server operating system shall be configured using the standard profile and hardened as per standard hardening practices.
- Services and applications that will not be used must be disabled where practical.
- Access to services should be logged and/or protected through access-control methods such as a web application firewall, where possible.
- The most recent security patches must be installed on the system as soon as practical, the only exception being when immediate application would interfere with business requirements.
- The standard security principle of least required access shall always be used to perform a function. Administrator, root or other super-user account rights will only be granted on servers when the use of non-elevated accounts will not serve the same purpose.
- If a methodology for secure channel connection is available (i.e. technically feasible), privileged access must be performed over secure channels (e.g. encrypted network connections using SSH or IPsec).
- Servers should be physically located in an access-controlled environment. Servers are specifically prohibited from operating from uncontrolled cubicle areas.
- Backups of each system shall be performed on a regular basis in accordance with the Backup and Restore Policy. These backups shall cover each server's operating system, application code, system and application configurations, and business data.
- A test server system, which is a mirror of the production server system, shall exist for each of the organisation's servers. This test version of the system must be kept in a trusted state off the organisation's production network.
- All server administrative tasks shall be conducted from a secured system used exclusively for that purpose.
- Access to server services from outside the ANTRIX LAN will be managed through appropriate policies on the UTM. Under special circumstances, for troubleshooting purposes, remote administration shall be enabled for a specific duration through appropriate policies at the perimeter level.

Monitoring

All security-related events on critical or sensitive systems must be logged and the audit trails saved. Security-related events will be reported to the IT department, which will review the logs for any abnormal activity. The Incident Management process will be initiated and corrective measures implemented. Security-related events include, but are not limited to:

- Port-scan attacks
- Evidence of unauthorised access to privileged accounts
- Anomalous occurrences that are not related to specific applications on the host
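The log review described above, as an added example that is not part of the ANTRIX policy or its tooling: it runs over constructed firewall, sshd and sudo log lines and raises the first two kinds of event in the list, port scans and access to privileged accounts. The line formats, the scan thresholds (10 distinct ports from one source inside 60 seconds) and the AUTHORISED_ADMINS set are assumptions for illustration.

```python
"""Added example (not part of the ANTRIX policy): review constructed log
lines for the security events the Server Policy lists, namely port-scan
attacks and evidence of access to privileged accounts.  The log formats,
thresholds and the AUTHORISED_ADMINS list are assumptions for illustration."""
import re
from collections import defaultdict
from datetime import datetime

# Assumed line formats (one event per line, ISO-8601 timestamp first):
#   firewall: "<ts> FW <action> src=<ip> dst=<ip> dport=<port>"
#   sshd:     "<ts> sshd: Accepted <method> for <user> from <ip>"
#   sudo:     "<ts> sudo: <user> : COMMAND=<command>"
FW_RE = re.compile(r"^(?P<ts>\S+) FW (?P<action>\w+) src=(?P<src>[\d.]+) "
                   r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$")
SSH_RE = re.compile(r"^(?P<ts>\S+) sshd: Accepted \w+ for (?P<user>\S+) from (?P<src>[\d.]+)$")
SUDO_RE = re.compile(r"^(?P<ts>\S+) sudo: (?P<user>\S+) : COMMAND=(?P<cmd>.+)$")

SCAN_WINDOW_SECONDS = 60   # assumed: distinct ports are counted inside a rolling minute
SCAN_DISTINCT_PORTS = 10   # assumed: this many distinct ports from one source = a scan
PRIVILEGED_USERS = {"root", "administrator"}
AUTHORISED_ADMINS = {"itadmin"}   # assumed: the IT department's approved admin accounts

# Constructed sample log lines (not real ANTRIX logs).
SAMPLE_LOGS = (
    # one external host probing 12 consecutive ports within 12 seconds
    [f"2019-02-04T09:00:{i:02d} FW DROP src=203.0.113.7 dst=192.0.2.10 dport={21 + i}"
     for i in range(12)]
    # a second host that only touches three ports: normal traffic
    + [f"2019-02-04T09:05:{i:02d} FW ALLOW src=198.51.100.5 dst=192.0.2.10 dport={p}"
       for i, p in enumerate((22, 443, 443))]
    + [
        "2019-02-04T09:10:00 sshd: Accepted password for root from 10.0.0.5",
        "2019-02-04T09:11:00 sshd: Accepted publickey for itadmin from 10.0.0.6",
        "2019-02-04T09:12:00 sudo: itadmin : COMMAND=/usr/bin/systemctl restart zimbra",
        "2019-02-04T09:13:00 sudo: dataentry : COMMAND=/bin/cat /etc/shadow",
    ]
)


def detect_port_scans(lines):
    """One alert per source that hits >= SCAN_DISTINCT_PORTS distinct destination
    ports inside any SCAN_WINDOW_SECONDS window (rolling window over sorted events)."""
    events = defaultdict(list)          # src -> [(timestamp, dport), ...]
    for line in lines:
        m = FW_RE.match(line)
        if m:
            events[m["src"]].append((datetime.fromisoformat(m["ts"]), int(m["dport"])))
    alerts = []
    for src, hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while (hits[end][0] - hits[start][0]).total_seconds() > SCAN_WINDOW_SECONDS:
                start += 1
            distinct = {port for _, port in hits[start:end + 1]}
            if len(distinct) >= SCAN_DISTINCT_PORTS:
                alerts.append({"type": "port_scan", "src": src,
                               "first_seen": hits[start][0].isoformat(), "ports": len(distinct)})
                break                   # report each source once
    return alerts


def detect_privileged_access(lines):
    """Flag interactive logins directly as a privileged account (least privilege means
    these should not happen) and sudo use by anyone who is not an authorised admin."""
    alerts = []
    for line in lines:
        m = SSH_RE.match(line)
        if m and m["user"] in PRIVILEGED_USERS:
            alerts.append({"type": "direct_privileged_login", "user": m["user"], "src": m["src"]})
            continue
        m = SUDO_RE.match(line)
        if m and m["user"] not in AUTHORISED_ADMINS:
            alerts.append({"type": "unauthorised_sudo", "user": m["user"], "cmd": m["cmd"]})
    return alerts


def review_logs(lines):
    """The review the IT department performs: all alerts, scans first, then privileged access."""
    return detect_port_scans(lines) + detect_privileged_access(lines)


if __name__ == "__main__":
    for alert in review_logs(SAMPLE_LOGS):
        print(alert)
```

Run as a script it prints three alerts: the scan from 203.0.113.7, the direct root login, and the sudo by the data-entry account; the three-port host produces nothing. The thresholds are the part to tune against real traffic: a vulnerability scanner the IT team runs itself will trip the same rule and should be whitelisted by source rather than by raising the threshold.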

Backup and Restore Policy

This part of the policy is designed to ensure that ANTRIX organisational production data is backed up periodically and can be recovered within an acceptable span of time. It covers the infrastructure and procedures provided for organisational data backup and recovery.

The ANTRIX IT team will be responsible for all aspects of backing up the production servers which are part of the ANTRIX data centre. The production servers are the ERP servers, database servers, mail servers and website servers. Backups or snapshots shall be carried out on the backup infrastructure (NAS storage, backup appliances, etc.).

It is the responsibility of the IT team at ANTRIX to make sure backups run as scheduled. The IT system administrator shall verify that backup jobs have completed successfully. In case of backup failures, the reason for such failures shall be analysed and resolved. Successful completion of a job does not by itself prove that the backup is restorable; the testing of backups listed below is what establishes that.

A backup register shall be maintained for each backup carried out, with server details, date and time of backup, backup file name and completion details.

The IT team shall be responsible for:

- Checking backup reports to ensure that they were completed without errors
- Managing and administering storage areas for backup
- Troubleshooting and investigating what caused data loss or data corruption on production servers
- Developing scheduling policies and testing backups to ensure viability

There will be no backups performed of the data stored on user devices such as desktops, workstations and/or laptops. Users will be allocated a pool of storage on NAS storage which can be utilised for storing important data files.

Backups of critical systems must cover system files, software files and data files, for both the running systems and the snapshot image. A combination of backup technologies must be used to ensure the most efficient backup and recovery of operational services. Automated backups must be performed using any one of the following solutions:

- Network-Attached Storage (NAS)
- Storage Area Network (SAN)
- Replication and mirroring technologies
- Backup management system, backup tapes and tape libraries

Recovery

Standard Restoration Process

All restore requests must be submitted to the ANTRIX IT team, which will review the request and pass it to the IT administrator. Requests must detail the following:

- Specific file(s) and/or folder(s) that are required to be restored.
- From which server the data has to be restored.
- From which specific date the data has to be restored.
- To what restore location.
- Whether the restored data should overwrite the current data in the original location or not.

The restoration details are to be managed in a register.

Emergency Restoration

Emergency restoration must be formally approved by the IT Director after reviewing the impact of the restoration. Due care must be followed to prevent any loss of data or damage to backup media in an emergency. Details of the backup restoration must be formally documented by the IT administrator after the emergency restoration.
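The backup job, its verification and the register entry described in this section, as an added example that is not ANTRIX's own backup tooling: it archives a directory, proves the archive restores cleanly by extracting it into a scratch location and comparing every file byte for byte, and only then appends a register line carrying the server, UTC timestamp, backup file name, size, SHA-256 and completion status. The directory layout, the JSON-lines register format and the sample data are assumptions.

```python
"""Added example (not ANTRIX's own backup tooling): back up a directory, prove the
archive restores cleanly, and append the backup-register entry the policy asks for
(server, date/time, backup file name, completion details).  Paths, the register
format (one JSON object per line) and the sample data are assumptions."""
import hashlib
import json
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def create_backup(source: Path, backup_root: Path, server: str) -> Path:
    """Write <server>-<UTC timestamp>.tar.gz containing the whole source tree."""
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    archive = backup_root / f"{server}-{stamp}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=source.name)
    return archive


def trees_identical(a: Path, b: Path) -> bool:
    """Same set of files and byte-identical contents (every file is read, no shortcuts)."""
    files_a = {p.relative_to(a) for p in a.rglob("*") if p.is_file()}
    files_b = {p.relative_to(b) for p in b.rglob("*") if p.is_file()}
    return files_a == files_b and all(
        (a / rel).read_bytes() == (b / rel).read_bytes() for rel in files_a)


def verify_backup(archive: Path, source: Path) -> bool:
    """Test-restore into a scratch directory and compare with the live source.
    Members are checked for path traversal and links before extraction, because a
    restore is itself a write onto the production host."""
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            for member in tar.getmembers():
                parts = Path(member.name).parts
                if member.name.startswith("/") or ".." in parts or member.issym() or member.islnk():
                    raise ValueError(f"unsafe archive member: {member.name}")
            tar.extractall(scratch)
        return trees_identical(source, Path(scratch) / source.name)


def run_backup_job(source: Path, backup_root: Path, register: Path, server: str) -> dict:
    """Back up, verify, append the register entry.  'completed' is recorded only
    after a successful test restore; anything else is 'verification_failed'."""
    archive = create_backup(source, backup_root, server)
    entry = {
        "server": server,
        "timestamp_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "backup_file": str(archive),
        "size_bytes": archive.stat().st_size,
        "sha256": sha256_of(archive),
        "status": "completed" if verify_backup(archive, source) else "verification_failed",
    }
    with register.open("a", encoding="utf-8") as fh:
        fh.write(json.dumps(entry) + "\n")
    return entry


def demo() -> dict:
    """Constructed input: a scratch folder standing in for a production data directory."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        source = work / "erp-data"
        source.mkdir()
        (source / "orders.csv").write_text("id,amount\n1,100\n2,250\n")
        (source / "notes.txt").write_text("constructed sample file\n")
        backup_root = work / "backups"
        backup_root.mkdir()
        register = work / "backup-register.jsonl"

        entry = run_backup_job(source, backup_root, register, server="erp-db-01")
        # The source changes after the backup: verification must now fail, which is
        # what tells the administrator the archive is stale before it is relied upon.
        (source / "orders.csv").write_text("id,amount\n1,100\n")
        entry["stale_archive_detected"] = not verify_backup(Path(entry["backup_file"]), source)
        entry["register_lines"] = register.read_text(encoding="utf-8").count("\n")
        return entry


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The SHA-256 in the register is what lets a later restore request confirm that the file being restored from is the file that was verified; without it the register only proves that a job ran. For a database server the same pattern applies, but the test restore should load the dump into a scratch instance rather than compare files, since a consistent dump is what the restore procedure needs.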


WEBSITE POLICY

In order to disseminate information to business customers and other stakeholders, Antrix shall host its website as per the following guidelines:

- The Antrix website shall be designed and developed in accordance with the GIGW (Guidelines for Indian Government Websites) compliance and certification handbook.
- The Antrix website shall be hosted in the on-premise data centre on a dedicated server with all relevant security controls.
- Security-driven development and hosting shall be followed in the usage of tools, coding and hosting.
- A formal patch management mechanism shall be strictly in place.
- All possible security measures shall be ensured to prevent defacement/hacking of the website, and Antrix shall have a contingency plan to deal with such incidents.
- Whenever a link takes the user out of the Antrix website, the site departure shall be indicated in an attention-drawing manner, along with an explanation of the consequences.
- The ANTRIX website shall be audited through CERT-In empanelled auditors. Identified vulnerabilities, if any, shall be corrected before the website is deployed live.
- ANTRIX shall have a well-defined mechanism to update the contents of the website. Website content shall be updated by the IT team only on due approvals from the respective Heads/Business Directors. Concurrence of the CMD, ANTRIX shall be obtained for hosting.
- The website shall be hosted on a multi-tier security infrastructure with a UTM at the perimeter.
- If discussion forums are hosted on the website, they shall be moderated.
- All files uploaded to the website and downloaded from the website shall pass through anti-virus and anti-malware systems.
- The website shall be monitored for regular traffic, including the impact of traffic during a hacking attempt.
- Electronic commerce transactions, if any, shall be handled through secured mechanisms. Industry-standard regulations and guidelines shall be followed for electronic transactions.
- A Web Application Firewall (WAF) shall be deployed to protect the website from the OWASP Top 10 vulnerabilities. A WAF reduces exposure but does not remove the underlying flaws; audit findings still have to be fixed in the application itself.
- Server hardening shall be carried out before hosting the website. Appropriate patch management shall be in place to take care of vulnerabilities.
- The website shall undergo a security audit, preferably once a year, by CERT-In empanelled auditors.
- ANTRIX website hacking/defacement shall be handled through a formal incident management plan for detection, mitigation and restoration.

CRISIS MANAGEMENT

Enterprises in every industry and of all sizes are finding themselves under an increasing barrage of cyber attacks. At the same time, the threat landscape is evolving, becoming more sophisticated, and doing so at a faster pace than many organisations are able to keep up with. To protect against this type of attack, every entity within the ANTRIX supply chain needs to be equally aware of and protected against them. Ensuring there is no weak link within the chain by implementing an overarching cyber security strategy could be the best possible approach. As cyber security threats continue to grow in volume and sophistication, ANTRIX shall adopt best practices that allow it to rapidly identify, respond to and mitigate these types of incidents while becoming more resilient and protecting against future incidents.

Chief Information Security Officer (CISO)

Mr K. Parthasarathy, CISO
Tel Nos: Off.: +91 80 22178341, Mobile: +91 9845717468
E-mail: [email protected]

The IT team, with the Director, IT as its head, will be responsible for overall IT security and incident management.

IT Services support

IT Services and Video Conference
[email protected]
+91 80 22178313

IT Security Audit

Antrix shall carry out an IT security audit through CERT-In empanelled auditors once in 2 years.


List of critical assets and business continuity analysis

Sl. No | Critical IT resource | Outage impact | Allowable outage time | Recovery priority
1 | Leased line Internet | All communication to/from ANTRIX will not be available and IT services like mail, website and FTP will be affected | 3 to 12 hours depending on the nature of the fault | Very High
2 | UTM | Internet services will not be available | 1 hour (as the UTM is set up in Active-Passive mode) | Low
3 | ERP server | ERP services will be affected | 1 business day | Medium
4 | Website server | Website will not be available | 1 business day | Low
5 | WAF | Web portals will be without protection | 1 business day | Low
6 | Mail server | Mail services will be affected | 1 business day | High
7 | Mail security gateway | Mail services will be without protection | 1 business day | Medium
8 | FTP | Secured FTP services will not be available | 1 business day | Low

DR Plan and DR setup

Backups and snapshots are stored in a Network Attached Storage device with RAID configuration. All essential services can be rolled over to standby devices in a short time frame. RAID protects against disk failure only, not against deletion, corruption or ransomware reaching the NAS over the network; it is not a substitute for an off-site or offline copy of the backups.


E-waste policy E-waste has been defined as “waste electrical and electronic equipment, whole or in part or rejects from their manufacturing and repair process, which are intended to be discarded”. Whereas Electrical and electronic equipment has been defined as “equipment which is dependent on electrical currents or electro-magnetic fields to be fully functional”. ANTRIX has been using several electronic products for its realization of space based products. The high rates of obsolescence of the above mentioned items coupled with steady rise in the demand have resulted in substantial growth in e-waste generation’. The policy prepared is in line with Salient Features of E-waste (management) Rules 2016 and Amendments E-Waste disposal process ANTRIX adopts the 2 stage process for disposal of e-waste

Condemnation

Segregation and disposal Disposal approval (Condemnation) Once the electronic equipment becomes unserviceable or has reached end of life, it is put up approval for condemnation. ANTRIX has constituted a condemnation committee for disposal of electronic equipment. Once the equipment is approved for condemnation they are categorized as e-waste according to the nomenclature. This will be as per the categories of electrical and electronic equipment mentioned in Annexure IV of Ímplementation of E-Waste rules guidelines 2011’. Some of the specific equipments which are categorized as e-waste are

Computers

Printed Circuit Boards

Electronic tools

Monitors

Printers

Consumables like cartridges

CFL Lamps


Regulatory Mechanism

As per the directives of the Ministry of Environment and Forest, all hazardous waste including e-waste should be sold to parties having an Environmentally Sound Management (ESM) facility. The Central Pollution Control Board has prescribed specific guidelines for the environmentally sound management of electronic waste. The CPCB also maintains a certified list of e-waste recyclers/dismantlers, and e-waste is to be sold only to these certified parties.

Disposal Mechanism

The final disposal process is carried out as per the directives of the Ministry of Environment and Forest. The final disposal is done through an authorised agency by online auction. Guidelines and notifications issued by MoEF, CPCB, SPCB, etc. from time to time are strictly implemented and the portal is customized accordingly. The list of items proposed for disposal is forwarded to the agency after segregating the items into different lots according to their nomenclature as prescribed in the guidelines for environmentally sound management of electronic waste. E-waste and hazardous waste are categorized separately and put up as separate, distinct lots. AUTHORISE AGENCY has a qualified list of vendors who are eligible to bid for e-waste and hazardous waste; only those vendors can participate in the online auction. Once the bids are finalized and payment remitted, the items are handed over to the vendors against proper authorization.

Endorsement

When the items are handed over, the necessary endorsements are made in the gate pass book issued by the Central Pollution Control Board.

Hard Disk disposal

As the hard disks of computers contain sensitive data, ANTRIX adopts a hard disk retention policy: unserviceable hard disks are not returned to the service provider. Data sanitization techniques, in which a data destruction program or file shredder overwrites the data with specific patterns for a specified number of passes, are used to erase data. Some centres use the degaussing technique for data destruction. Degaussing is the process of totally erasing data by reducing or eliminating the unwanted magnetic field (information) stored on tape and disk media. A de-gausser is a machine that changes the magnetic domain (where the data is stored) of magnetic data storage devices. When the de-gausser is applied to the magnetic domains, the information is scrambled into random patterns, making the data stored in the magnetic domain unreadable. The correct use of the appropriate de-gausser will ensure that the information is no longer retrievable. Hard disks are then destroyed by striking them with a hammer and disposing of them as scrap.
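As an added illustration of the file-shredding approach described above (example code written for this edit, not ANTRIX's own tool), the function below overwrites a file in place with fixed byte patterns for a chosen number of passes, syncs each pass to the device, verifies the final pass before unlinking, and returns a small report for logging. The pattern set, chunk size and the demo() sample file are constructed assumptions, not values prescribed by the policy.

```python
import os
import tempfile

# Fixed overwrite patterns applied in order, one per pass (constructed example choices).
PATTERNS = (b"\x00", b"\xff", b"\x55", b"\xaa")
CHUNK = 1 << 16


def verify_pattern(path, pattern):
    """True when every byte of the file equals the one-byte `pattern`."""
    with open(path, "rb") as fh:
        while chunk := fh.read(CHUNK):
            if chunk != pattern * len(chunk):
                return False
    return True


def sanitize_file(path, passes=3):
    """Overwrite a file in place `passes` times, verify the final pass, then
    unlink it. Returns a small report so the outcome can be logged."""
    if passes < 1:
        raise ValueError("at least one overwrite pass is required")
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:  # r+b reuses the same inode and blocks
        for i in range(passes):
            pattern = PATTERNS[i % len(PATTERNS)]
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                fh.write(pattern * n)
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())  # push this pass to the device before the next
    last = PATTERNS[(passes - 1) % len(PATTERNS)]
    verified = verify_pattern(path, last)
    if verified:
        os.remove(path)
    # Caveat: journaling, snapshots and SSD wear-levelling can keep copies of
    # the old blocks beyond reach of this overwrite, which is why the policy
    # also physically destroys retained disks instead of trusting software alone.
    return {"bytes": size, "passes": passes, "verified": verified}


def demo():
    """Constructed sample: create a small secret file, shred it, report."""
    fd, path = tempfile.mkstemp(suffix=".bin")
    with os.fdopen(fd, "wb") as fh:
        fh.write(b"CONSTRUCTED SECRET CONTENT\n" * 3000)  # 81000 bytes, spans chunks
    report = sanitize_file(path, passes=3)
    report["removed"] = not os.path.exists(path)
    return report
```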

Compact Fluorescent Lamp


ANTRIX has already phased out fluorescent lamps. In a few places, however, compact fluorescent lamps and lumen-efficient T5 lamps, whose mercury content is comparatively low, have been provided. To eliminate the mercury hazard entirely, ANTRIX has adopted the following mechanism:

All CFLs are being replaced with LED lamps.

Arrangements are being made to dispose of the existing fluorescent lamps and CFLs through recyclers approved by the respective State Pollution Control Board.


Steps involved in E-Waste Disposal (Procedure adopted by AUTHORISE AGENCY, the nodal agency for e-waste disposal handling for ANTRIX/DOS)

The buyers and sellers have to register on the website www.authorise agencyecommerce.com/auctionhome for participation.

Buyers complete the online registration form and submit documents, viz. PAN card, VAT registration, etc.

For buying e-waste material, the buyer has to submit the valid clearance certificate from the Central or State Pollution Control Board.

AUTHORISE AGENCY receives the consolidated list of obsolete/redundant material including e-waste from the Sellers.

AUTHORISE AGENCY schedules the e-auction and publicizes it in various leading newspapers, on its website and through direct mails to all the registered buyers.

AUTHORISE AGENCY uploads the catalogue on its website.

E-waste items/lots are assigned a particular category so that the lots are visible on the “Live E-Auction Floor” only to those buyers who have submitted the CPCB/SPCB certificate; only these buyers can submit bids.

After the online bidding process is over, the system compares the highest bid with the reserve price entered into the system by the seller. The Reserve Price cannot be viewed by anyone but the seller with their user ID & Password.

After completion of the bidding process, the system compares the highest bid with the reserve price fed into the system. Wherever the highest bid equals or exceeds the reserve price, the lot is sold automatically by the system and an e-mail is sent to the highest bidder asking them to deposit the EMD.

On receipt of EMD, AUTHORISE AGENCY issues Sale Order advising the buyer to submit Balance Sale Value + Duties + Taxes within “X” Days. The EMD is forwarded to Seller.

After receipt of Balance Sale Value + Duties + Taxes, AUTHORISE AGENCY issues Delivery Order and forwards payments to seller for lifting of Materials by the Buyer (Against Photo ID-Card).

