ANTRIX IT POLICY
(Version 1.0)
Antrix Corporation Limited
Bengaluru - 560 094
February 2019
IT POLICY – Version 1.0
Table of Contents
1. Introduction
2. Purpose
3. Scope
4. Data/Information Classification
5. Software and Licensing Policy
6. Network and Infrastructure Policy
7. E-Mail Policy
8. End-point system policy
9. Portable storage Media Policy
10. Network Access Policy
11. Server Policy
12. Backup and Restore Policy
13. Website Policy
14. Cyber Crisis Management
15. E-Waste Policy
Introduction
ANTRIX, the commercial arm of ISRO, has established a full-fledged IT
infrastructure for catering to different IT systems. The IT systems that are established are
as follows:
- Customised ERP using InfoR
- On premise e-mail services using Zimbra
- On premise file sharing services
- Antrix website
ANTRIX is also in the process of strengthening the IT ecosystem by implementing
new application systems and enhancing the IT infrastructure. Due to
technology advancements and the changing landscape in IT, there is a need to bring
out a comprehensive IT policy which clearly brings out the roles and responsibilities,
acceptable use policies, management of confidentiality of data, backup and recovery
mechanisms, IT security infrastructure and incident response plan. This document
brings out a comprehensive IT policy covering all aspects mentioned above.
Purpose
The purpose of bringing out this policy for ANTRIX is:
- Ensuring effective control and maintenance of IT infrastructure, including
  defining a system of access to applications and services, security procedures,
  etc.
- To actively search and identify information technologies that will give strategic
  advantage to the enterprise and to seek opportunities to acquire such
  technologies that create competitive barriers in marketing, procurement and
  manpower management.
- To design and develop a comprehensive plan for IT infrastructure that may
  serve as a guide for the future direction of application development effort. This may
  include a proper system of regular evaluation of existing and proposed
  applications in terms of their contribution to the success of the enterprise.
- To provide IT infrastructure that would enable the users to effectively and
  efficiently use IT systems aligned with ANTRIX business goals
- To develop and preserve information as a corporate resource and to offer
  infrastructure to ensure coherent access for users to complete, concise and
  timely information.
- To establish a general approach to information security
- To detect and forestall the compromise of information security such as misuse
  of data, networks, computer systems and applications.
- To bring out acceptable use policies for IT systems
- To establish and implement an incident response plan
- To establish backup and recovery procedure
- To bring a systematic approach for e-waste management
Scope
This policy applies to all information, information systems, networks, applications,
locations and users of ANTRIX, including data entry assistants and contract engineers.
Data/Information Classification
ANTRIX deals with sensitive information from ISRO/DOS and also enters into
business contracts with customers across the globe. Data owners should determine
both the data classification and the exact measures a data custodian needs to take
to preserve the integrity in accordance with that level.
A consistent system for the classification of information within ANTRIX enables
common assurances in information partnerships, consistency in handling and
retention practice where information is shared with outside organisations.
All information available with ANTRIX can be classified appropriately into one of the
following by data owners:
Secret: Information, unauthorised disclosure of which could be expected to cause
serious damage to national interest or cause serious embarrassment in its
functioning. This classification should be used for highly important information (e.g.
sensitive legal documents, defence contracts etc.)
Confidential: Information, unauthorised disclosure of which could be expected to
cause damage to the security of the organisation or could be prejudicial to the
interest of the organisation or could affect the organisation or its functioning. Most
information on proper analysis will be classified no higher than confidential.
Restricted: Information which is essentially meant for official use only and which
would not be published or communicated to anyone except for official purpose (e.g.
ISO documents).
Unclassified: Information that requires no protection against disclosure (e.g. website
information).
Generic guidelines
- All IT systems are to be used by Antrix users for official purpose only. IT
  systems shall not be used for playing/viewing videos and games and other
  personal activities.
- Users are responsible for proper upkeep of their end point system
Software and Licensing Policy
ANTRIX policy is to manage its software assets to derive maximum benefit to
ANTRIX and its employees and, especially, to ensure that ANTRIX and its
employees:
- Acquire, reproduce, distribute, transmit, and use computer software in
  compliance with regulatory laws
- Maintain only legal software on ANTRIX computers and computer networks.
All software is protected under copyright laws from the time of its creation. ANTRIX
has licensed copies of computer software from a variety of OEMs to help fulfil its
mission. Unless otherwise provided in the software license, duplication of
copyrighted software, except for backup and archival purposes, is a violation of this
Policy.
Only licensed software has to be installed on the IT systems. If use or distribution of
unauthorized software is found, the IT department may be notified immediately.
ANTRIX employees shall not loan or give anyone any software licensed to ANTRIX.
The licenses for some software permit employees of ANTRIX to make a copy of the
software for home use to conduct official business from their homes. Under no
circumstances shall an employee use the software for purposes other than
official business.
ANTRIX employees shall not use or distribute personally-owned software on the
organization’s computers or networks. Further, no employee shall download software
from the Internet without the prior approval of the IT department. Such software
threatens the integrity and security of the organization’s computers and networks.
Network and Infrastructure Policy
The network plays an important role as it binds all the information assets together and
provides a means for operational transactions where different entities can participate,
exchange information and carry out operations over the information by making use of
specific ports, protocols and services provided by the network.
Antrix shall establish a highly secured network infrastructure, providing access,
facilitating exchange of information and executing a variety of transactions. A
combination of network solutions and devices shall be deployed in order for these
transactions to be successful.
Antrix should ensure that a network diagram illustrating all network devices and other
significant devices is available. Since this contains classified information, such
documentation should be appropriately protected and its distribution will be limited.
Antrix shall maintain and update a map/inventory of authorised devices such as
a. Infrastructure components spread across the organisation and
connected to the network endpoints, server systems and other IT
security appliances
b. Connectivity and access to endpoints, devices should be recorded and
maintained
c. The spread of the organisational assets across the operational
functions should be recorded
ANTRIX shall procure all network and infrastructure hardware elements from
manufacturers or resellers who are authorised partners, with reasonable
demonstration of compliance with global security practices.
Antrix shall secure the network perimeter by deploying UTM in redundant Active-
Passive mode.
Antrix should divide the network into multiple functional zones according to the
sensitivity or criticality. Wherever possible, physical isolation should be performed.
Sensitive IT assets like ERP, Active Directory systems must not be directly
accessible from the external environment.
Antrix shall ensure that appropriate network segmentation technologies like VLAN,
SDN are implemented to physically and logically isolate the network and protect
classified information and critical services
Antrix shall ensure that appropriate security policies, tools and methodologies are
implemented to protect transmission of information over LAN.
Critical information transmission will use secured protocols like SSH, HTTPS.
E-Mail Policy
ANTRIX uses e-mail as a major mode of communication. Communications include
ANTRIX data that travel as part of mail transactions between users located both
within the country and outside.
ANTRIX shall implement a secured on-premise mail server.
E-Mail services are provided on the domain antrix.co.in. Only the e-mail services
provided by ANTRIX shall be used for official communications by users.
Official e-mail id provided by ANTRIX can be used to communicate with any other
user, whether private or public. However, the user must exercise due discretion on
the contents that are being sent as part of the e-mail.
Appropriate Use of E-mail Service
E-mail is provided as a professional resource to assist users in fulfilling their official
duties. Designation based ids should be used for official communication and name
based ids can be used for both official and personal communication.
Examples of inappropriate use of the e-mail service:
- Creation and exchange of e-mails that could be categorized as harassing,
  obscene or threatening.
- Unauthorized exchange of proprietary information or any other privileged,
  confidential or sensitive information.
- Unauthorized access of the services. This includes the distribution of e-mails
  anonymously, use of other officers' user ids or using a false identity.
- Creation and exchange of advertisements, solicitations, chain letters and
  other unofficial, unsolicited e-mail.
- Creation and exchange of information in violation of any laws, including
  copyright laws.
- Wilful transmission of an e-mail containing a computer virus.
- Misrepresentation of the identity of the sender of an e-mail.
- Use or attempt to use the accounts of others without their permission.
- Transmission of e-mails involving language derogatory to religion, caste,
  ethnicity, sending personal e-mails to a broadcast list, exchange of e-mails
  containing anti-national messages, sending e-mails with obscene material,
  etc.
- Use of distribution lists for the purpose of sending e-mails that are personal in
  nature, such as personal functions, etc.
Any case of inappropriate use of e-mail accounts shall be considered a violation of
the policy and may result in deactivation of the account. Further, such instances may
also invite scrutiny by the investigating agencies depending on the nature of
violation.
E-Mail security
The mail server shall be deployed on a hardened OS. A mail security gateway with
anti-spam, dual anti-virus protection and malware protection shall be deployed in
appliance mode at the perimeter level.
The Antrix mail server shall implement an SSL certificate for server authentication for
web mail services through HTTP secured mode (HTTPS).
As ANTRIX is a business entity, mail services can be accessed by users through webmail
and mail clients like Outlook Express and Thunderbird. All security mechanisms shall be put
in place for access to mail services through mail clients. Strong passwords and
keeping the browser and mail clients up to date are the best security practices that
are to be adopted.
The ANTRIX IT team shall ensure that the latest operating system, anti-virus and
application patches are available on all the devices, in coordination with the User.
It is recommended that ANTRIX officials should use VPN/OTP for accessing
e-mail services from outside the ANTRIX office, as deemed appropriate by the competent
authority.
While handling sensitive and confidential data, best practices related to handling and
security of information may be followed. All confidential information shall be sent
through password protected attachments. Passwords shall be shared with concerned
recipients through modes other than mail.
E-mail Usage
Only the E-mail account provided by ANTRIX shall be used for official
communication.
Official E-mail shall not be forwarded to personal E-mail account.
User shall not attempt any unauthorized use of E-mail services, such as:
- Distribution of messages anonymously
- Misusing other user’s E-mail address
- Using a false identity
- Sending messages to harass or intimidate others
- Sending messages with content in any form of antinational, offensive,
  defamatory, discriminatory, malicious or pornographic material
End Point system policy
User shall be responsible for the activities carried out on the client system, using
the accounts assigned to him / her.
User’s network access shall be subjected to monitoring / filtering for malicious /
unauthorized activities.
User shall use account with limited privileges on client system and shall not
use administrator privileges.
Backup of important files shall be taken by the user at regular intervals on the
storage space provided for the user in backup storage
User shall not leave system unattended. The user shall lock out his / her system
before leaving the system.
Additionally, system idle timeout shall be configured on the client system
configuration.
Maintenance or rectification of faults in the client system shall be carried out under
close supervision of the user.
User shall check that the system time is as per IST. Any variation shall be reported
to the IT department.
User shall not engage in any of the following activities:
- Circumventing security measures
- Harassing other users by accessing or modifying their data / resources on
  the system
- Creating, accessing, executing, downloading, distributing, storing or
  displaying any form of antinational, offensive, defamatory, discriminatory,
  malicious or pornographic material
- Making copies of software / data for unauthorized use
- Impersonation
- Phishing
- Social engineering
- Unauthorized use of software license
- Providing official e-mail address on Internet mail groups / bulletin boards
  for personal use
- Any activity that is in violation of Central Civil Services (Conduct) rules
User shall report any security incident to the IT department. The security
incident will be handled as per the Security Incident Management Process
User shall ensure that the system is configured as follows:
- User shall not share client system with anyone, by default. However, if
  necessary for any specific reason (for use by data entry assistants),
  following shall be ensured:
  - Every user on the shared client system has a separate account.
  - File / Folder access permission is limited to meet functional requirement
    of the user.
- User shall not share hard disk or folders with anyone, by default.
  However, if necessary, only the required folders shall be shared with
  specific user.
- By default all interfaces on the client system are disabled and only those
  interfaces which are required are enabled.
The client system shall be configured using standard profile by IT Department
Virus and Malicious Code (adware, spyware, malware)
User shall ensure that client system is configured with the authorized anti-virus
software.
User shall ensure that anti-virus software and the virus pattern files are up-to-
date.
User shall ensure that anti-virus scan is configured to run at regular intervals.
It shall be ensured that regular scan is not stopped
In case a virus does not get cleaned or some abnormality in virus scanning is
noticed, it may be brought to the notice of the IT department for handling as per the security
incident management process.
Hardware, Operating System and Application Software
User shall use only the software / hardware which are authorized by the IT
Department.
The following activities shall be carried out by the IT Administrator. However, the
user shall ensure the following:
- Operating System and other software is installed using authorized
  source / Original Equipment Manufacturer (OEM) media with valid
  license.
- While installing the Operating System and other software
  packages, only the required
- System shall be updated with latest service packs, security patches
  and updated drivers without affecting the functionality usage of the
  system.
- Booting from removable media is disabled.
- Strong passwords shall be used for protection of system at various
  levels
The user of the system shall ensure the following:
- Passwords are enabled on BIOS and System login level
- Auto-logon feature on the client system is disabled
- As a best practice passwords shall be changed at regular intervals
  to avoid compromise on the system
- If a password is suspected to have been compromised, it shall
  be changed immediately and a security incident shall be reported
  to the IT department for handling through security incident
  management process
Portable Storage Media Policy
User shall use officially issued portable storage media only for the systems
connected to the network.
User shall return the portable storage media, if it is no longer a functional
requirement or in case of damage / malfunctioning.
User shall ensure that portable storage media used is free from virus, malware. It
shall be ensured that virus scan is carried out before using the USB on the client
system
User shall ensure that the execution of software directly from portable storage media
is not done.
Network Access Policy applicable for the user
User shall take prior approval from the competent authority to connect the client
system to the network.
A client system authorized to connect to one network shall not connect to any other
network.
For wireless connectivity, user shall ensure the following:
- By default, the wireless interfaces are disabled.
- Client system does not connect to wireless networks / devices without
  approval from the competent authority.
- If permitted, the wireless interface of the client system is enabled to connect
  to authorized wireless network only.
Guest systems shall be connected to wireless infrastructure only after due
approvals. Guest systems shall be connected in a separate layer completely
separated from ANTRIX network.
Client System Log
User having administrative privilege shall not disable /delete the audit trails / logs on
the client system. The logs are required for any forensic analysis
Server Policy
General Requirements
All internal servers deployed at ANTRIX shall be administered by IT department. At a minimum level, the following information is required to positively identify the server:
- Server Location (Room, Rack etc.)
- Hardware and Operating System/Version
- Main functions and applications, if applicable
Configuration changes for production servers shall follow the best practices of change management procedure.
Configuration Requirements
- Server operating system shall be configured using standard profile and hardened as per the standard hardening practices.
- Services and applications that will not be used must be disabled where practical.
- Access to services should be logged and/or protected through access-control methods such as a web application firewall, if possible.
- The most recent security patches must be installed on the system as soon as practical, the only exception being when immediate application would interfere with business requirements.
- Standard security principles of least required access shall always be used to perform a function.
- Administrator, root, or other super-user account rights will only be granted to servers when the use of non-elevated system accounts will not serve the same purpose.
- If a methodology for secure channel connection is available (i.e., technically feasible), privileged access must be performed over secure channels (e.g., encrypted network connections using SSH or IPSec).
- Servers should be physically located in an access-controlled environment. Servers are specifically prohibited from operating from uncontrolled cubicle areas.
- Backups of each system shall be performed on a regular basis in accordance with Data Backup and Archiving Policy. These backups shall be performed of each server's operating system, application code, system and application configurations, and business data.
- A test server system, which is a mirror of the production server system, shall exist for each of this organization's servers. This test version of the system must be kept in a trusted state off of this organization's production network.
- All server administrative tasks shall be conducted on a secured system exclusively for that purpose.
- Access to server services from outside ANTRIX LAN will be managed through appropriate policies in the UTM.
- Under special circumstances, for troubleshooting purposes, remote administration shall be enabled for a specific duration through appropriate policies at perimeter level.
Monitoring
All security-related events on critical or sensitive systems must be logged and audit trails saved. Security-related events will be reported to the IT department, who will review logs for any abnormal activity. The Incident Management process will be initiated and corrective measures will be implemented. Security related events include, but are not limited to:
- Port-scan attacks
- Evidence of unauthorized access to privileged accounts
- Anomalous occurrences that are not related to specific applications on the host.
Backup and Restore Policy
This part of the policy is designed to ensure that ANTRIX organisational production data is backed up in a periodic manner and can be recovered within an acceptable span of time. This covers the infrastructure and procedure that are provided for organisational data and recovery.
The ANTRIX IT team will be responsible for all aspects of backing up of production servers which are part of the ANTRIX data centre. The production servers are ERP servers, database servers, mail servers and website servers.
Backups or snapshots shall be carried out on the backup infrastructure (NAS storage, backup appliances etc).
It is the responsibility of the IT team at ANTRIX to make sure backups are running as scheduled.
The IT system administrator shall verify that backup jobs have completed successfully. In case of backup failures, the reason for such failures shall be analysed and resolved.
A backup register shall be maintained for each backup carried out with server details, date and time of backup, backup file name and completion details.
The IT team shall be responsible for:
- Checking backup reports to ensure that they were completed without errors
- Managing and administering storage areas for backup
- Troubleshooting and investigating what caused data loss or data corruption on production servers
- Developing scheduling policies and testing of backups to ensure viability
There will be no backups performed of the data stored on user devices, such as desktops, workstations, and/or laptops. Users will be allocated a pool of storage on NAS storage which can be utilised for storing important data files.
Backups of critical systems must cover system files, software files and data files, for both the running systems and the snapshot image.
A combination of backup technology must be used to ensure the most efficient backup and recovery of operation services. Automated backups must be performed using any one of the following solutions:
- Network-Attached Storage (NAS)
- Storage Area Network (SAN)
- Replication and mirroring technologies
- Backup management system, backup tapes and tape libraries
Recovery
Standard Restoration Process
All restore requests must be submitted to the ANTRIX IT team, which will review the request and address the request to the IT administrator. Requests must detail the following:
- Specific file(s) and / or folder(s) that are required to be restored.
- From which server the data has to be restored.
- From which specific date the data has to be restored.
- To what restore location.
- Whether the restored data should over-write the current data in the original location or not.
The restoration details are to be managed in a register.
Emergency Restoration
- Emergency restoration must be formally approved by the IT Director after reviewing the impact of the restoration.
- Due care must be followed to prevent any loss of data or damage to backup media in an emergency.
- Details of the backup restoration must be formally documented by the IT administrator, after the emergency restoration.
WEBSITE POLICY
In order to disseminate information to business customers and other stakeholders, Antrix shall host the website as per the following guidelines:
- Antrix website shall be designed and developed in accordance with the GIGW (Guidelines for Indian Government Websites) compliance and certification handbook.
- Antrix website shall be hosted in the on-premise datacentre on a dedicated server with all relevant security controls.
- Security driven development and hosting shall be followed in usage of tools, coding and hosting.
- Formal patch management mechanism shall be strictly in place.
- All possible security measures shall be ensured to prevent defacement/hacking of the website and Antrix shall have a contingency plan to deal with such incidents.
- Whenever a link takes the user out of the Antrix website, the site departure should be indicated in an attention drawing manner, along with an explanation of the consequences.
- ANTRIX website shall be audited through Cert-In empanelled auditors. The identified vulnerabilities, if any, shall be corrected before deployment of the website live.
- ANTRIX shall have a well-defined mechanism to update the contents of the website. Website content shall be updated by the IT team only on due approvals from respective Heads/Business Directors. Concurrence of CMD, ANTRIX shall be obtained for hosting.
- Website shall be hosted on a multi-tier security infrastructure having UTM in the perimeter.
- If Discussion Forums are hosted on the website, they shall be moderated.
- All files uploaded to the website and downloaded from the website shall pass through anti-virus and anti-malware systems.
- Website shall be monitored for regular traffic including the impact of traffic during hacking.
- Electronic commerce transactions, if any, shall be handled through secured mechanisms. Industry standard regulation and guidelines shall be followed for electronic transactions.
- Web Application Firewall (WAF) shall be deployed to protect the website from OWASP top 10 vulnerabilities.
- Server hardening shall be carried out before hosting the website. Appropriate patch management shall be in place to take care of vulnerabilities.
- The website shall undergo security audit, preferably once in a year, by Cert-In empanelled auditors.
- ANTRIX website hacking/defacement shall be handled through a formal incident management plan for detection, mitigation and restoration.
CRISIS MANAGEMENT
Enterprises in every industry and of all sizes are finding themselves under an increasing barrage of cyberattacks. At the same time, the threat landscape is evolving, becoming more sophisticated and doing so at a faster pace than many organisations are able to keep up with. To protect against this type of attack, every entity within the ANTRIX supply chain needs to be equally aware of and protected against them. Ensuring there is no weak link within a chain by implementing an overarching cybersecurity strategy could be the best possible approach.
As cybersecurity threats continue to grow in volume and sophistication, ANTRIX shall adopt the best practices that allow it to rapidly identify, respond to, and mitigate these types of incidents while becoming more resilient and protecting against future incidents.
Chief Information Security Officer (CISO)
Mr K.Parthasarathy, CISO
Tel Nos: Off.: +91 80 22178341
Mobile: +91 9845717468
E-mail: [email protected]
The IT team, with Director, IT as the head, will be responsible for overall IT security and incident management.
IT Services support
IT Services and Video Conference
[email protected] +91 80 22178313
IT Security Audit
Antrix shall carry out IT security audit through Cert-IN empanelled auditors once in 2 years.
List of critical assets and business continuity analysis

| Sl.No | Critical IT resources | Outage Impact | Allowable Outage Time | Recovery Priority |
|---|---|---|---|---|
| 1 | Leased Line internet | All communication to/from ANTRIX will not be available and IT services like mail, website, ftp will be affected | 3 to 12 hours depending on the nature of fault | Very High |
| 2 | UTM | Internet services will not be available | 1 hour (As UTM is setup in Active – Passive mode) | Low |
| 3 | ERP Server | ERP services will be affected | 1 business day | Medium |
| 4 | Website server | Website will not be available | 1 business day | Low |
| 5 | WAF | Web portals will be without protection | 1 business day | Low |
| 6 | Mail server | Mail services will be affected | 1 business day | High |
| 7 | Mail security gateway | Mail services will be without protection | 1 business day | Medium |
| 8 | FTP | Secured FTP services will not be available | 1 business day | Low |
DR Plan and DR setup
Backups and snapshots are stored in Network Attached Storage device with RAID configuration. All essential services can be rolled over to standby devices in a short time frame.
E-waste policy
E-waste has been defined as “waste electrical and electronic equipment, whole or in part or rejects from their manufacturing and repair process, which are intended to be discarded”, whereas electrical and electronic equipment has been defined as “equipment which is dependent on electrical currents or electro-magnetic fields to be fully functional”.
ANTRIX has been using several electronic products for its realization of space based products. The high rates of obsolescence of the above mentioned items, coupled with a steady rise in demand, have resulted in substantial growth in e-waste generation. The policy prepared is in line with Salient Features of E-waste (Management) Rules 2016 and Amendments.
E-Waste disposal process
ANTRIX adopts a 2 stage process for disposal of e-waste:
- Condemnation
- Segregation and disposal
Disposal approval (Condemnation)
Once the electronic equipment becomes unserviceable or has reached end of life, it is put up for approval for condemnation. ANTRIX has constituted a condemnation committee for disposal of electronic equipment. Once the equipment is approved for condemnation, it is categorized as e-waste according to the nomenclature. This will be as per the categories of electrical and electronic equipment mentioned in Annexure IV of ‘Implementation of E-Waste rules guidelines 2011’. Some of the specific equipment categorized as e-waste are:
- Computers
- Printed Circuit Boards
- Electronic tools
- Monitors
- Printers
- Consumables like cartridges
- CFL Lamps
Regulatory Mechanism As per the directives of the Ministry of Environment and Forest, all hazardous waste including e-waste should be sold to parties having Environmentally Sound Management Facility(ESM). Central Pollution Control Board has specific prescribed guidelines for environmentally sound management of electronic waste. The CPCB has also certified list of e-waste recyclers/dismantlers and e-waste is to be sold only to these certified parties. 1. Disposal Mechanism The final disposal process is carried out as per the directives of Ministry of Environment and Forest. The final disposal is done through authorised agency through online auction. Guidelines, Notifications issued by MoEF, CPCB, SPCB etc. from time to time are strictly implemented & portal customized accordingly. The list of items proposed for disposal is forwarded to agency after segregating the items into different lots according to its nomenclature as prescribed in the guidelines for environmentally sound management of electronic waste. E-Waste and Hazardous waste are categorized separately and put as separate distinctive lots. AUTHORISE AGENCY has a qualified list of vendors who are eligible to bid for e-Waste and Hazardous waste. Only those vendors can participate in the online auction. Once the bids are finalized and payment remitted the items are handed over to the vendors against proper authorization. Endorsement When the items are handed over, necessary endorsements are being made in the gate pass book issued by Central Pollution Control Board Hard Disk disposal As the hard disks of computers contain sensitive data, ANTRIX adopts hard disk retention policy. Unserviceable hard disks are not returned to the service provider. Data sanitization techniques which specify mechanisms by which data destruction program or file shredders overwrites data with specific patterns and number of passes are used to erase data. Some centres use degaussing technique for data destruction. 
Degaussing is the process of totally erasing data by reducing or eliminating an unwanted magnetic field (information) stored on tape and disk media. A de-gausser is a machine that changes the magnetic domain (where the data is stored) of magnetic data storage devices. When the de-gausser is applied to magnetic domains, the information is scrambled into random patterns, making the data stored in the magnetic domain unreadable. The correct use of the appropriate de-gausser will ensure that information is no longer retrievable. Hard disks are destroyed by hitting them with a hammer and are disposed of as scrap.
Compact Fluorescent Lamp
ANTRIX has already phased out fluorescent lamps. However, in a few places we have provided compact fluorescent lamps and luminar efficient T5 lamps, where mercury content is comparatively less. To totally alleviate the mercury menace, ANTRIX has adopted the following mechanism.
All fluorescent CFLs are being replaced with LED lamps
Arrangements are being made to dispose of the existing fluorescent lamps and CFLs through recyclers approved by the respective State Pollution Control Board
Steps involved in E-Waste Disposal (Procedure adopted by AUTHORISE AGENCY, the nodal agency for e-waste disposal handling for ANTRIX/DOS)
The buyers and sellers have to register on the website www.authorise agencyecommerce.com/auctionhome for participation.
Buyers complete the online registration form and submit documents viz PAN card, VAT registration etc.
For buying e-waste material, the buyer has to submit the valid clearance certificate from the Central or State Pollution Control Board.
AUTHORISE AGENCY receives the consolidated list of obsolete/redundant material including e-waste from the Sellers.
AUTHORISE AGENCY schedules the e-auction and publicizes it in various leading newspapers, on its website and through direct mails to all the registered buyers.
AUTHORISE AGENCY uploads the catalogue on its website.
E-waste items/lots are given a particular category wherein the lots are visible on the “Live E-Auction Floor” to only those buyers who have submitted the CPCB/SPCB certificate and can submit their bids.
After the online bidding process is over, the system compares the highest bid with the reserve price entered into the system by the seller. The Reserve Price cannot be viewed by anyone but the seller with their user ID & Password.
After completion of the bidding process, the system compares the highest bid with the reserve price fed into the system. Wherever the highest bid equals or exceeds the reserve price, the lots are sold automatically by the system and an e-mail is sent to the highest bidder asking them to deposit EMD.
On receipt of EMD, AUTHORISE AGENCY issues Sale Order advising the buyer to submit Balance Sale Value + Duties + Taxes within “X” Days. The EMD is forwarded to Seller.
After receipt of Balance Sale Value + Duties + Taxes, AUTHORISE AGENCY issues Delivery Order and forwards payments to seller for lifting of Materials by the Buyer (Against Photo ID-Card).