UIDAI – Information Security Policy for ASA – V 6.0
1. Policy Statement
Security of UIDAI related information assets handled by the external ecosystem partners for providing services, is of paramount importance. The confidentiality, integrity and availability of these shall always be maintained by these partners by deploying controls commensurate with the asset value.
1.1 Control Objective
UIDAI shall ensure the security of UIDAI related information assets handled by ASAs by:
- Providing Authentication Service Agencies (ASA) with an approach and directives for implementing information security of all information assets used by them for providing services to UIDAI and Authentication User Agencies (AUA).
- Establishing a review mechanism to ensure that the ASAs adhere to all provisions of the UIDAI Information Security policy – External Ecosystem ASA as well as maintain compliance with the Aadhaar Act, 2016 and its regulations.
1.2 Scope
The UIDAI Information Security policy – External Ecosystem Partner ASA is applicable to all Authentication Service Agencies that provide Central Identities Data Repository (CIDR) connectivity to AUAs/KUAs.
Authentication Service Agencies (ASA): an Authentication Service Agency is an entity providing the necessary infrastructure for ensuring secure network connectivity and related services for enabling a requesting entity to perform authentication using the authentication facility provided by UIDAI.
ASAs have established a secure leased line connectivity with the CIDR compliant with UIDAI’s standards and specifications. ASAs offer their UIDAI-compliant network connectivity as a service to Authentication User Agencies (AUAs)/ KYC User Agencies (KUAs) and transmit AUAs’/KUAs’ authentication requests to CIDR. Only agencies contracted with UIDAI as ASAs shall send authentication requests to CIDR and no other entity can directly communicate with CIDR.
An ASA could serve several AUAs/KUAs and may also offer value added services such as multi-party authentication, authorization and MIS reports to AUAs.
This policy is applicable wherever Aadhaar related information is processed and/or stored by Authentication Service Agencies. In case there is a conflict of any of the provisions of this policy with the Aadhaar Act, 2016 or its regulations, then the Aadhaar Act, 2016 and regulations shall prevail.
2. Information Security policy for Authentication Service Agencies
2.1 Purpose
This section outlines the Information Security policy and controls applicable for Authentication Service Agencies (ASAs).
2.2 Terms and Definitions
S.No | Terms | Definitions |
---|---|---|
1 | AUA/ASA | Authentication User Agency/ Authentication Service Agency |
2 | Asset | An asset is anything that has value to the organization. Assets can be classified into the following 5 categories: |
3 | CCTV | Closed Circuit Television |
4 | CIDR | Central Identities Data Repository |
5 | eKYC | Electronic Know Your User |
6 | GRC | Governance, Risk and Compliance |
7 | HSM | Hardware Security Module |
8 | Information/ information asset | Information that has value to the organization (UIDAI) including but not limited to resident biometric and demographic information, personally identifiable information, employee information, organization information such as CIDR architecture, infrastructure, network details etc. |
9 | IDS | Intrusion Detection System |
10 | IPS | Intrusion Prevention System |
11 | ISO (ISO 27001) | International Organization for Standardization |
12 | IT | Information Technology |
13 | KUA | Know Your Customer (KYC) User Agency |
14 | NDA | Non-Disclosure Agreement |
15 | NTP | Network Time Protocol |
16 | Personal data | Data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, whether online or offline, or any combination of such features with any other information, and shall include any inference drawn from such data for the purpose of profiling. |
17 | PID | Personal Identity Data |
18 | Sensitive personal data | Personal data which may be related to, or constitute – |
19 | SPOC | Single Point of Contact |
20 | SSL | Secure Sockets Layer |
21 | STQC | Standard Testing and Quality Control |
22 | VA | Vulnerability Assessment |
23 | VID | Virtual ID |
24 | VPN | Virtual Private Network |
25 | WAF | Web Application Firewall |
Information Security Domains and related Controls
2.3 Human Resources
1. ASA shall appoint a Technical and Management SPOC for Aadhaar related activities and communication with UIDAI. ASA shall also inform UIDAI about the appointment of any new SPOC.
2. ASA shall conduct a background verification (BGV) and sign an agreement/NDA with all personnel/agencies handling Aadhaar related information. UIDAI or an agency appointed by UIDAI may validate this information.
3. ASA shall collect an undertaking from third party contractors that NDAs have been signed and BGVs conducted successfully for their personnel handling Aadhaar related data.
4. Information security and data privacy training shall be conducted for all ASA personnel involved in Aadhaar related authentication services during induction and subsequently on a periodic basis. The training shall include all relevant security and privacy guidelines as per the UIDAI Information Security policy for Authentication, the Aadhaar Act, 2016, the Aadhaar (Authentication & Offline Verification) Regulations, 2021 and all circulars/notices published from time to time.
5. Specific and specialised training shall be conducted for various functional roles involved in authentication ecosystem.
6. Training shall be conducted half yearly and whenever changes are made in the authentication ecosystem. ASA shall maintain records of such trainings conducted.
7. Access to authentication infrastructure shall not be granted before signing NDA and completion of BGV for personnel.
8. The user ID credentials and access rights of personnel handling Aadhaar related authentication data shall be revoked/ deactivated within 24 hours of exit of the personnel.
2.4 Asset Management
1. All assets used by the ASA (servers, network devices, etc.) for the purpose of delivering services to UIDAI shall be identified, labelled and classified. Details of the information asset shall be recorded and updated from time to time.
2. ASA shall define a procedure for disposal of the assets being used for authentication operations. Information systems containing Aadhaar related information shall be disposed of securely.
3. Before sending any equipment out for repair, the equipment shall be sanitised to ensure that it does not contain any Aadhaar related data. A movement log register of all the equipment sent outside shall be maintained.
4. ASA shall implement controls to prevent and detect any loss, damage, theft or compromise of the assets containing any Aadhaar related data. Unused paper documents and printed papers shall be shredded.
5. Ownership of authentication assets should be clearly defined and documented.
6. All the assets (e.g., desktops, laptops, servers, databases etc.) used by ASA and their sub-contractors for Aadhaar Authentication shall be used only after they have been hardened as per the ASA hardening baseline document. ASA shall define their own hardening standards unless specified by UIDAI. ASA shall implement controls to prevent and detect any loss, damage, theft or compromise of the assets.
2.5 Access Control
1. Only authorized individuals shall be provided access to information facilities (such as logs, authentication servers, application, source code, information security infrastructure etc.) processing Aadhaar related information. Access control list shall be maintained by ASA.
2. ASA employees with access to Aadhaar related information assets shall have least privilege access for information access and processing.
3. Access rights and privileges to information assets for Aadhaar related information shall be revoked within 24 hours of exit of respective personnel. Post deactivation, user IDs shall be deleted if not in use as per exit formalities.
4. Access rights and privileges to information facilities processing Aadhaar related information shall be reviewed on a quarterly basis and the report shall be stored for audit purposes.
5. Common user IDs / group user IDs shall not be used. Exceptions shall be approved by ASA’s senior management and documented where there is no alternative.
6. Procedures shall be put in place for secure storage and management of administrative passwords for critical information systems.
7. The users should not be provided with local admin access rights on their system. In the case of administrative access being provided, the users shall be prohibited from modifying the local security settings. Modifying the same shall result in disciplinary action.
8. Three successive login failures shall result in the user account being locked; the user shall not be able to log in until the account is unlocked and the password reset. The user shall have to contact the System Engineers/Administrators to get the account unlocked.
2.6 Password Policy
1. The allocation of initial passwords shall be done in a secure manner and these passwords shall be changed at first login.
2. All user passwords (including administrator passwords) shall remain confidential and shall not be shared, posted or otherwise divulged in any manner.
3. If the passwords are being stored in the database or any other form, they should be stored in an encrypted / hashed form.
4. Two-factor/multi-factor authentication shall be enabled for critical infrastructure components and for areas where confidential information is processed or stored.
5. Password shall be changed whenever there is any indication of possible system or password compromise.
6. Complex passwords shall be selected with a minimum length of 14 characters, which are:
- Not based on anything somebody else could easily guess or obtain using person related information, e.g. names, telephone numbers, and dates of birth etc.;
- Free of consecutive identical characters or all-numeric or all-alphabetical groups;
- Password should contain at least one numeric, one uppercase letter, one lowercase letter and one special character;
- Passwords shall be changed at regular intervals (passwords for privileged accounts shall be changed more frequently than normal passwords);
- System should not allow the use of last 3 (Three) passwords;
- System should not allow the username and password to be the same for a user; and
- Users must not use the same password for various UIDAI access needs.
7. Passwords shall not be hardcoded in codes, login scripts, any executable program or files.
8. Password should not be stored or transmitted in applications in clear text or in any reversible form.
9. Passwords shall not be included in any automated log-on process, e.g. stored in a macro or function key.
10. The application should have auto lockout feature i.e., after a certain time of inactivity (15 mins or as specified in the policy document), the session should logout.
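The rules in 2.6 item 6 (length, composition, history, username) together with the lockout rule in 2.5 item 8 are concrete enough to implement. The following is an added example, not UIDAI's or any ASA's code: a checker that returns every rule a candidate password breaks, a hashed password history (the hash scheme is an assumption; the policy only requires hashed storage) and a three-strikes lockout that clears only with an administrator unlock plus a password reset.

```python
"""Password and lockout checks from policy 2.5 item 8 and 2.6 (constructed example,
not UIDAI or ASA code)."""
import hashlib
import hmac
import os

MIN_LENGTH = 14          # 2.6 item 6: at least 14 characters
HISTORY_DEPTH = 3        # 2.6 item 6: the last 3 passwords may not be reused
MAX_FAILED_LOGINS = 3    # 2.5 item 8: lock after three successive failures
SPECIALS = set("!@#$%^&*()-_=+[]{};:,.<>?/\\|`~'\"")
PBKDF2_ROUNDS = 200_000  # assumption: any slow salted hash satisfies 2.6 items 3 and 8

def hash_password(password: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """Salted PBKDF2 so a stored password is never clear text or reversible."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def password_matches(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)

def password_violations(candidate: str, username: str, personal_info: list[str],
                        history: list[tuple[bytes, bytes]]) -> list[str]:
    """Every 2.6 item 6 rule the candidate breaks; an empty list means acceptable."""
    v = []
    if len(candidate) < MIN_LENGTH:
        v.append(f"shorter than {MIN_LENGTH} characters")
    lowered = candidate.lower()
    # names, telephone numbers, dates of birth etc. must not appear in the password
    if any(len(info) >= 3 and info.lower() in lowered for info in personal_info):
        v.append("contains person-related information")
    if any(a == b for a, b in zip(candidate, candidate[1:])):
        v.append("consecutive identical characters")
    if candidate.isdigit() or candidate.isalpha():
        v.append("all-numeric or all-alphabetic")
    for label, test in (("numeric", str.isdigit), ("uppercase", str.isupper),
                        ("lowercase", str.islower)):
        if not any(test(ch) for ch in candidate):
            v.append(f"missing {label} character")
    if not any(ch in SPECIALS for ch in candidate):
        v.append("missing special character")
    if lowered == username.lower():
        v.append("same as username")
    # reuse is checked against the hashed history, never against stored clear text
    if any(password_matches(candidate, s, d) for s, d in history[-HISTORY_DEPTH:]):
        v.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    return v

class AccountLockout:
    """2.5 item 8: three successive failures lock the account until an administrator
    unlocks it together with a password reset."""

    def __init__(self) -> None:
        self.failures: dict[str, int] = {}
        self.locked: set[str] = set()

    def is_locked(self, user: str) -> bool:
        return user in self.locked

    def record_failure(self, user: str) -> bool:
        """Count a failed login; returns True once the account is locked."""
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= MAX_FAILED_LOGINS:
            self.locked.add(user)
        return self.is_locked(user)

    def record_success(self, user: str) -> None:
        self.failures[user] = 0  # only successive failures count

    def admin_unlock(self, user: str, password_reset_done: bool) -> None:
        if not password_reset_done:
            raise ValueError("unlock requires a password reset")
        self.locked.discard(user)
        self.failures[user] = 0
```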
2.7 Cryptography and Security of Aadhaar number
1. Key management activities shall be performed by all ASAs to protect the keys throughout their lifecycle. The activities shall address the following aspects of key management:
- key generation;
- key distribution;
- secure key storage;
- key custodians and requirements for dual control;
- prevention of unauthorized substitution of keys;
- replacement of known compromised or suspected compromised keys; and
- key revocation; and
- logging and auditing of key management related activities.
2. The encrypted PID block and license keys that arrive as part of the authentication packet shall never be stored anywhere in the ASA system.
3. The key(s) used for digitally signing authentication requests shall be stored in an HSM only. The HSM used shall be FIPS 140-2 compliant.
4. The ASA shall follow all the HSM provisions as defined in the circular – 11020/204/2017 dated 22nd June 2017 and any subsequent guideline / circular / notice published by UIDAI in this regard.
5. ASA shall not store Aadhaar number, UID Token or VID in their transaction logs.
2.8 Physical and Environmental Security
1. The ASA servers should be placed in a secure cabinet in the ASA Data Centre.
2. ASA Data Center hosting Aadhaar related information shall be fully secured and access controlled.
3. ASA Data Center shall be manned by security guards during and after office hours.
4. ASA shall retain the recordings of CCTV for at least 90 (ninety) days. Further, access to CCTV logs and recordings shall be provided to authorized individuals only. CCTV recordings shall be securely stored and in case of any breach or incident, these recordings shall be shared upon request with UIDAI. Backup of CCTV shall be retained in media for 1 (one) year.
5. Access to the ASA Data Center should be limited to authorized personnel only and appropriate logs for entry of personnel should be maintained.
6. The movement of all incoming and outgoing assets related to Aadhaar in the ASA Data Center shall be documented.
7. Lockable cabinets or safes shall be provided in the ASA Data Center and information processing facilities having critical Aadhaar related information.
8. Fire doors and fire extinguishing systems shall be deployed, labelled, monitored, and tested regularly.
9. Preventive maintenance activities, such as audits of fire extinguishers and CCTV, shall be conducted quarterly.
10. Physical access to ASA Data Center and other restricted areas hosting critical Aadhaar related equipment/information shall be pre-approved and recorded along with the date, time and purpose of entry.
11. Signs or notices legibly setting forth the designation of restricted areas and provisions of entry shall be posted at all entrances and at other points along the restricted areas as necessary especially where the ASA servers are physically hosted.
12. Controls shall be designed and implemented to protect power and network cables from unauthorized interception or damage.
13. A clear desk and clear screen policy shall be adopted to reduce risks of unauthorized access, loss and damage to information related to Aadhaar. Screen saver or related technological controls shall be implemented to lock the screen of the information systems when unattended beyond a specified duration.
14. Controls such as intrusion detection and evacuation plans shall be implemented for use in case of an emergency.
2.9 Operations Security
1. ASA shall complete the Aadhaar ASA on-boarding process before the commencement of formal operations.
2. Information security policy, processes, roles and responsibilities shall be maintained by ASA for governance of Information security.
3. ASA shall only engage with the AUAs / KUAs approved by UIDAI and keep UIDAI informed of the list of AUAs it serves. In case of disengagement with an AUA / KUA, the ASA shall inform UIDAI within a period of 7 days from the date of disengagement.
4. Standard Operating Procedure (SOP) shall be developed for all information systems and services related to Aadhaar operations. The SOP shall include the necessary activities to be carried out for the operation and maintenance of the system or service and the actions to be taken in the event of a failure.
5. Where segregation of duties is not possible or practical, the process shall include compensating controls – such as monitoring of activities, maintenance and review of audit trails and management supervision.
6. The Test and Production facilities / environments must be physically and logically separated.
7. ASA personnel shall conduct integrity checks to verify the completeness of the data packet and authenticity of the authentication user agency before processing the authentication request.
8. A formal Patch Management Procedure shall be established for applying patches to the information systems. Patches should be updated at both application and server level.
9. Vulnerability assessment exercise should be conducted at least on an Annual basis for maintaining the security of the authentication applications. Reports shall be generated and shared upon request with UIDAI.
10. ASA personnel shall not intentionally write, generate, compile, copy or attempt to introduce any computer code designed to damage or otherwise hinder the performance of, or access to, any Aadhaar information.
11. All hosts that connect to the Aadhaar Authentication Service or handle resident’s identity information shall be secured using endpoint security solutions. Anti-virus / malware detection software shall be installed on such hosts.
12. Network intrusion detection and prevention systems should be in place – e.g. IPS, IDS, WAF, etc.
13. ASAs shall ensure that the event logs recording the critical user-activities, exceptions and security events shall be enabled and stored to assist in future investigations and access control monitoring.
14. Regular monitoring of the audit logs shall take place for any possible unauthorized use of information systems and results shall be recorded. Access to audit trails and event logs shall be provided to authorized personnel only.
15. Aadhaar number, PID information, device identity related data and eKYC response data shall not be retained in the ASA logs.
16. The logs of authentication transactions shall be maintained by the ASA as defined by Aadhaar Act, 2016 and its Regulations.
17. All server/network device clocks shall be set to an agreed standard using an NTP server or must be managed centrally, and a procedure shall be established to check for and correct any significant variation.
18. The ASA server host shall reside in a segregated network segment that is isolated from the rest of the network of the ASA organisation. The ASA server host shall be dedicated for the Aadhaar authentication purposes and shall not be used for any other activities.
19. Service continuity and service availability shall be ensured.
20. The user account shall be logged out after the session is finished.
21. An auto lock out mechanism for workstation, servers and/ or network device shall be implemented.
2.10 Communications Security
1. The network between AUA / KUA and ASA shall be secure. ASA shall connect with AUAs/KUAs through leased lines or similar secure private lines. If a public network is used, a secure channel such as SSL or VPN shall be used.
2. The network between ASA and CIDR shall be secure. ASA shall connect with CIDR through leased lines or similar secure private lines.
3. The ASA server shall be hosted behind a firewall. The firewall rules shall block incoming access requests to the server from all sources other than the respective AUAs / KUAs.
4. The ASA server shall reside in a segregated network segment that is isolated from the rest of the network of the ASA organisation.
5. Non-essential services shall be disabled on all information systems.
6. Use of e-mail shall be restricted to official use and in accordance with the acceptable usage guidelines or the organization's policy.
2.11 Information Security Incident Management
1. ASA shall be responsible for reporting any security weaknesses, any incidents, possible misuse or violation of any of the stipulated guidelines to UIDAI immediately.
2. ASA shall ensure that its personnel are aware about Aadhaar authentication related incident reporting.
3. ASA shall perform Root Cause Analysis (RCA) for major incidents identified in its own as well as its sub-contractors’ (if any) ecosystem.
2.12 Compliance
1. ASAs shall comply with all terms and conditions outlined in the UIDAI ASA agreement, Aadhaar Act 2016, Aadhaar (Authentication & Offline Verification) Regulations, 2021, as well as other notifications and circulars published by UIDAI from time to time.
2. ASAs shall ensure that their operations are audited by an information system auditor certified by a recognised body on an annual basis and on a need basis to ensure compliance with standards and specifications. The audit report shall be shared with UIDAI upon request.
3. In addition to the audits to be performed by ASA by itself on an annual basis, UIDAI may conduct audits of the operations and systems of ASA, either by itself or through an auditor appointed by UIDAI.
4. The audit plan shall include information security controls, audit and technical testing including vulnerability assessment as well as penetration test of information systems and any new technology or delivery channel introduced.
5. If any non-compliance is found as a result of the audit, management shall:
- Determine the causes of the non-compliance;
- Evaluate the need for actions to avoid recurrence of the same;
- Determine and enforce implementation of corrective action; and
- Review the corrective action taken.
6. ASA shall use only licensed software for Aadhaar related infrastructure environment. Record of all software licenses shall be kept and updated regularly.
7. ASAs and their partners shall ensure compliance with all the relevant laws, rules and regulations, including, but not limited to, the Aadhaar Act, 2016 and its Regulations, the ISO 27001:2013 Standard, and the IT Act 2000 and its 2008 amendments.
8. It is recommended that ASA deploy, as part of its systems, a Fraud Analytics module that can analyse authentication related transactions to identify fraud.
9. ASA must have its authentication servers that route to CIDR hosted in data centres within India.
10. ASA shall ensure that all infrastructure and operations, including systems, processes, devices, software and biometric infrastructure, security and other related aspects, are in compliance with the standards and specifications as may be specified by UIDAI for this purpose.
11. ASA shall always comply with directions, specifications, etc. issued by UIDAI in terms of network and other Information Technology infrastructure, processes, procedures, etc.
12. ASA shall comply with all relevant laws and regulations relating to data security and data management.
13. ASA shall be responsible to UIDAI for all its authentication related operations. Even where the ASA sub-contracts parts of its operations to other entities, the responsibility shall remain with the ASA.
2.13 Data Protection
1. ASA shall maintain logs of authentication transactions processed by them, containing the following transaction details, namely:
- identity of the requesting entity;
- parameters of authentication request submitted; and
- parameters received as authentication response, provided that no Aadhaar number, PID information, device identity related data or e-KYC response data, where applicable, shall be retained.
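The log-content rules in 2.7 item 5, 2.9 item 15 and 2.13 item 1 together define what an ASA transaction log may and may not retain. As an added example (not UIDAI's or any ASA's code), a pre-write filter that drops the forbidden fields and redacts identifier-like values: the field names are a constructed record schema, not the Aadhaar API's element names, and the Verhoeff check used to recognise Aadhaar number / VID candidates is a property of those identifiers, not something this policy states.

```python
"""Pre-write filter for an ASA transaction-log record (constructed example): keeps
what 2.13 item 1 requires and drops or redacts what 2.7 item 5 and 2.9 item 15 forbid."""
import re

REQUIRED_FIELDS = {"requesting_entity", "request_params", "response_params"}  # 2.13 item 1
# Constructed field names (not the Aadhaar API's) for data that must never be logged.
FORBIDDEN_FIELDS = {"aadhaar_number", "vid", "uid_token", "pid_block",
                    "device_id", "ekyc_response"}

# Verhoeff multiplication (_D) and permutation (_P) tables. Aadhaar numbers and VIDs
# end in a Verhoeff check digit, so requiring it cuts false positives on other
# 12- or 16-digit runs such as transaction ids or timestamps.
_D = [
    [0, 1, 2, 3, 4, 5, 6, 7, 8, 9], [1, 2, 3, 4, 0, 6, 7, 8, 9, 5],
    [2, 3, 4, 0, 1, 7, 8, 9, 5, 6], [3, 4, 0, 1, 2, 8, 9, 5, 6, 7],
    [4, 0, 1, 2, 3, 9, 5, 6, 7, 8], [5, 9, 8, 7, 6, 0, 4, 3, 2, 1],
    [6, 5, 9, 8, 7, 1, 0, 4, 3, 2], [7, 6, 5, 9, 8, 2, 1, 0, 4, 3],
    [8, 7, 6, 5, 9, 3, 2, 1, 0, 4], [9, 8, 7, 6, 5, 4, 3, 2, 1, 0],
]
_P = [
    [0, 1, 2, 3, 4, 5, 6, 7, 8, 9], [1, 5, 7, 6, 2, 8, 3, 0, 9, 4],
    [5, 8, 0, 3, 7, 9, 6, 1, 4, 2], [8, 9, 1, 6, 0, 4, 3, 5, 2, 7],
    [9, 4, 5, 3, 1, 2, 6, 8, 7, 0], [4, 2, 8, 6, 5, 7, 3, 9, 0, 1],
    [2, 7, 9, 3, 8, 0, 6, 4, 1, 5], [7, 0, 4, 6, 9, 1, 3, 2, 5, 8],
]
_NUM_RUN = re.compile(r"(?<!\d)(\d{12}|\d{16})(?!\d)")

def verhoeff_valid(digits: str) -> bool:
    """True if the digit string (check digit last) passes the Verhoeff check."""
    c = 0
    for i, ch in enumerate(reversed(digits)):
        c = _D[c][_P[i % 8][int(ch)]]
    return c == 0

def redact_identifiers(text: str) -> str:
    """Mask Verhoeff-valid 12/16-digit runs (Aadhaar number or VID candidates)."""
    return _NUM_RUN.sub(
        lambda m: "[REDACTED]" if verhoeff_valid(m.group(1)) else m.group(1), text)

def sanitise(record: dict, path: str = "") -> tuple[dict, list[str]]:
    """Copy of record minus forbidden fields, identifier-like strings redacted,
    plus findings for the ASA's own security event log."""
    clean, findings = {}, []
    for key, value in record.items():
        here = f"{path}{key}"
        if key in FORBIDDEN_FIELDS:
            findings.append(f"dropped forbidden field {here}")
            continue
        if isinstance(value, dict):
            value, sub = sanitise(value, here + ".")
            findings.extend(sub)
        elif isinstance(value, str):
            redacted = redact_identifiers(value)
            if redacted != value:
                findings.append(f"redacted Aadhaar/VID-like value in {here}")
            value = redacted
        clean[key] = value
    return clean, findings

def prepare_log_record(record: dict) -> tuple[dict, list[str]]:
    """Sanitise a top-level record and flag required fields that are absent."""
    clean, findings = sanitise(record)
    findings += [f"missing required field {f}" for f in sorted(REQUIRED_FIELDS - clean.keys())]
    return clean, findings

# Constructed sample; "123456789010" is merely Verhoeff-valid, not a real Aadhaar number.
SAMPLE_RECORD = {
    "txn_id": "ASA-TXN-0001",
    "requesting_entity": "AUA-EXAMPLE-01",
    "aadhaar_number": "123456789010",
    "request_params": {"txn_ts": "2024-01-01T00:00:00", "free_text": "uid=123456789010 forwarded"},
    "response_params": {"ret": "y", "err": "", "response_code": "RSP-20240101-0001"},
    "ekyc_response": {"name": "Example Resident"},
}
```

Run `prepare_log_record(SAMPLE_RECORD)` to see the forbidden fields dropped, the identifier inside `free_text` masked, and the three findings the filter would raise to the ASA's security event log.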
2. ASA shall establish a data privacy policy addressing the privacy aspects of Aadhaar as defined under the Aadhaar Act, Regulations and specifications. Such policy shall also be compliant to the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011.
3. ASA shall maintain the logs of authentication transactions for a period of 2 (two) years. Upon expiry of the 2 (two) year period, the logs shall be archived for a period of 5 (five) years or the number of years as required by the laws or regulations governing the entity, whichever is later, and upon expiry of the said period, the logs shall be deleted except those records required to be retained by a court or required to be retained for any pending disputes.
4. ASA shall:
- Report promptly to UIDAI (within 24 hours) any information security and privacy incidents affecting the personal data of the residents; and
- Extend full cooperation to UIDAI, or any agency appointed or authorised by UIDAI, while inquiries, incidents, claims and complaints are being handled in case of any security or privacy breach.
5. ASA shall ensure that UIDAI’s data is securely disposed of or returned immediately upon termination of the contract or when requested by UIDAI.
2.14 Change Management
1. ASAs shall document all changes to Aadhaar authentication applications, infrastructure, processes and information processing facilities.
2. Change log/ register shall be maintained for all changes performed.
2.15 Application Security
1. ASA having an agreement to decrypt the data for AUA/KUA shall ensure that all resources of the modules and application used for authentication require authentication by default. ASA shall further ensure that there are no default passwords in use for the application framework or any components used by the application (such as “admin/password”).