Reasonable Security Practices For UID Project
A Draft for Debate Prepared by Naavi
naavi9@gmail.com
www.naavi.org
The Unique ID (UID) project has been announced by the Government of India under the leadership of Mr Nandan Nilekani, and a body known as the UID Authority of India (UIDAI) has been formed. The UIDAI has already announced that a pilot project would be undertaken in Karnataka under the direct supervision of Mr M N Vidyashankar, the Principal Secretary, e-Governance, Government of India. Naavi had already published some suggestions about the UID project in which the security requirements had been briefly highlighted. This note contains more detailed suggested security requirements that can be tested in the pilot project. These security requirements have been developed based on the Information Security Framework (IISF-309) formulated by Naavi under the ITA 2008 and published as a Draft for Debate.

Naavi
The UID project envisages the creation of a Unique Identification Number for every citizen of India. The UIDAI will now create a database of the UIDs (numbers) of individuals, each associated with 12 parameters of identity. These records will be held by UIDAI. The UID number would be used by other service providers for rendering their services, and such service providers may issue ID cards to the individuals carrying the service related data plus the UID number.
The exact manner in which the UID would be used by the service providers is to be determined by them. For example, an applicant to the NREGS would be asked to quote his UID number in his application. The NREGS will provide the service and tag it against the UID so that a second application against the same UID is not possible. Obviously, NREGS may have to check the UID with the person who claims it. For this purpose, it needs to have access to the parameters associated with the UID. This means that it has to have access to the UID data base. It has to then proceed to check the parameters independently and certify that the applicant is indeed the owner of the UID.
In practice, the service provider may not be expected to independently check all the 12 parameters associated with the UID. He will only check the biometric parameter and import all other data. Alternatively, he will import the data on the basis of the name and then check the biometric data.
(P.S: Naavi has suggested treating the biometric feature attached to the UID as the “Root ID”, and in such a case the index of the UID has to be maintained on the basis of the biometric feature. Once the biometric data is fed into the computer, it should fetch the details of who the person is, what his sex is, what his date of birth is, what his father’s name is, where he lives, etc. Once the UID is established, the service provider can associate other service related data with the given UID and proceed.

If however the “Name” is used as the “Root ID”, the index will be built on the name. The applicant has to provide his name and then the system will return the UID data. Since “Name” is not unique in most cases, and also since there would be problems of indexing in different languages, feeding the name will have to return a couple of alternate UIDs, and after checking the other parameters such as sex or father’s name or age, the exact UID associated with the name can be dug out.

If “Name” is treated as the “Root ID”, and a person provides his name and a UID, the tendency with the verification agency would be to feed both to the system and match the name with the UID. If this test is positive, the person would be registered for the service with the declared UID and the declared name. In most such cases, a further check based on other parameters may not be conducted since it would seem redundant. Alternatively, the service provider may input the UID in a query to the UID system and extract the parameters associated with the UID. If these tally with what the service applicant has provided to the service provider in his application, then the applicant is considered validated. Some service providers may check the biometric parameter and others may be satisfied with checking the name parameter.

It is to avoid such possibilities that Naavi has suggested that the “Finger Print” should be used as the “Root ID” and indexing has to be built on the “Finger Print”. Queries to the UIDAI data base should preferably be permitted only through the biometric feature. This will be critical as long as UIDAI only maintains a virtual data base and does not issue any ID card of its own.)
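The two indexing strategies discussed in the parenthetical note above, as an added illustration (example code written for this edit, not part of Naavi's draft or of any UIDAI system): the registry keeps one index keyed on the biometric feature and one keyed on the name, and only the name path returns several candidates that must be narrowed with the other parameters before a UID is accepted. The SHA-256 hash standing in for biometric template matching, the record fields and the three sample entries are all assumptions made for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Record is a constructed UID record carrying a few of the identity
// parameters the note mentions. The biometric template is stood in for by a
// byte string; no real template format is implied.
type Record struct {
	UID        string
	Name       string
	Sex        string
	FatherName string
	BirthYear  int
	Biometric  []byte
}

// rootKey derives the index key from the biometric feature. Hashing is an
// assumption made for this example; a real system would use a
// template-matching engine rather than an exact-match hash.
func rootKey(biometric []byte) string {
	sum := sha256.Sum256(biometric)
	return hex.EncodeToString(sum[:])
}

// Registry holds two indexes over the same records: one keyed on the
// biometric "Root ID" and one keyed on the (non-unique) name.
type Registry struct {
	byRoot map[string]Record
	byName map[string][]Record
}

func NewRegistry(records []Record) *Registry {
	r := &Registry{byRoot: map[string]Record{}, byName: map[string][]Record{}}
	for _, rec := range records {
		r.byRoot[rootKey(rec.Biometric)] = rec
		n := strings.ToLower(strings.TrimSpace(rec.Name))
		r.byName[n] = append(r.byName[n], rec)
	}
	return r
}

// LookupByBiometric is the "Finger Print as Root ID" path: one feature
// yields at most one record and no further disambiguation is needed.
func (r *Registry) LookupByBiometric(biometric []byte) (Record, bool) {
	rec, ok := r.byRoot[rootKey(biometric)]
	return rec, ok
}

// LookupByName is the "Name as Root ID" path: it returns every candidate
// sharing the name, and the caller must narrow the list with the other
// parameters before accepting a UID.
func (r *Registry) LookupByName(name string) []Record {
	return r.byName[strings.ToLower(strings.TrimSpace(name))]
}

// Disambiguate narrows name candidates by sex, father's name and birth year.
func Disambiguate(cands []Record, sex, father string, year int) []Record {
	var out []Record
	for _, c := range cands {
		if c.Sex == sex && c.FatherName == father && c.BirthYear == year {
			out = append(out, c)
		}
	}
	return out
}

// sampleRecords is constructed data, not real UID entries.
func sampleRecords() []Record {
	return []Record{
		{"100000000001", "Ravi Kumar", "M", "Suresh Kumar", 1980, []byte("template-A")},
		{"100000000002", "Ravi Kumar", "M", "Mahesh Kumar", 1980, []byte("template-B")},
		{"100000000003", "Ravi Kumar", "M", "Suresh Kumar", 1975, []byte("template-C")},
	}
}

func main() {
	reg := NewRegistry(sampleRecords())
	if rec, ok := reg.LookupByBiometric([]byte("template-B")); ok {
		fmt.Println("biometric lookup ->", rec.UID)
	}
	cands := reg.LookupByName("Ravi Kumar")
	fmt.Println("name lookup candidates:", len(cands))
	fmt.Println("after disambiguation:", Disambiguate(cands, "M", "Suresh Kumar", 1980))
}
```

The point the code makes is structural: the biometric path has no "match the declared name against the declared UID" shortcut available to the verifying agency, whereas the name path hands back three records for one name and relies on the agency bothering to check the remaining parameters.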
The service oriented information held by the service providers is not the responsibility of the UIDAI and therefore not of concern to the current discussion, though these security principles are extended even to them through the service level agreements to the extent necessary.
The UIDAI would however be responsible for the data maintained by it, which covers the 12 parameters as envisaged now. If access to these is provided to the service provider, it also means that there is a risk associated with such access which has to be managed.
Naavi has already discussed in the previous note the need for changes to be made to the system. One of the important changes suggested which has reference to this discussion is to bifurcate the data associated with the individual holder of the UID into two parts, one to be called the Primary Identification Data (PID) and the other to be called the Secondary Identification Data (SID).
Since the data collected and retained by the UIDAI includes what is termed “Sensitive Personal Data” under the ITA 2008 (Information Technology Act 2000 as amended by the Information Technology Amendment Act 2008), UIDAI is liable under Section 43A to maintain “Reasonable Security Practice”. Though the authority responsible for defining reasonable security practice under ITA 2008 (say the CERT-IN) is likely to come up with what they would term “Reasonable” for holders of “Sensitive Personal Data”, their perspective is likely to be limited to the BPOs, and UIDAI needs to implement far greater levels of security than any BPO is expected to do. Hence UIDAI should opt to develop its own stringent standards of security which should clearly extend beyond the boundaries of what ITA 2008 is likely to prescribe.
What would be considered “Reasonable” in the context of baazee.com et al., which is the focus of ITA 2008, may be considered grossly inadequate in the context of UID, where the data is considered very sensitive and is also exposed to the threat of an organized attack from Cyber Terrorists and Cyber Warriors.
In this background, the following is a set of security requirements indicated for further debate. These have been built around the Indian Information Security Framework version 309 (IISF-309) formulated by Naavi as a general guideline for compliance under ITA 2008.
Security Suggestions for UID under IISF-309
(Each entry: No., Framework Reference, Suggestions)
1. Client Consent

The UID client is the Indian Citizen whose sensitive personal information is held by UID. UIDAI should therefore obtain the consent of the Citizen to collect, hold, use and destroy the information collected.

UID will therefore be considered as “Issued on Request” and those who opt for UID should submit an application in which their consent is incorporated. In the offline mode the application will be downloaded from the UIDAI website as a blank application form, completed, signed and lodged with the UIDAI.

If UIDAI appoints “Registration Agents” (UIDRA) to receive the applications, verify contents and certify their correctness for further processing, they need to be treated as “Agents” of UIDAI, and very strict selection criteria, including background checks, privacy declarations, indemnity etc., should be applied to every individual who is involved in this activity.

Ultimately the entire integrity of the system hinges on the reliability of these enumerators or registration agents.

When the applications are digitized for the UID data base, each element of the data base is to be authenticated by the digital signature of the UIDRA.

The form should also be scanned and kept in a digital archive in addition to the filing of the paper form.

The RA should sign a suitable undertaking with UIDAI which makes him liable for any differences between the printed application form and the data base. The RA should be accountable both as a department person as well as for civil and criminal liabilities. This should be made clear in the appointment of the RAs and their consent must be taken for the purpose.

In order to ensure that they understand the seriousness of their assignment, they need to provide a suitable “Security Deposit” before being appointed.

Appointment of an RA must be considered a privileged security appointment (like a VIP Security team etc.) and should not be restricted by normal Government regulations of reservations and other criteria which may hamper security. No person having allegiance to any organization, faith or group which subordinates national interests to its own ideology should be appointed as RA.

Once the data appears on the electronic database of the UID, the data holder should be able to securely log in and verify the data from a synchronized mirror server.

Any objections on the inaccuracy of the data should be handled under a suitable system of grievance redressal. Any mistake observed and corrected will also be recorded as a “Security Breach” and the responsibility for the same would be fixed on the concerned person.
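One way to carry out the suggestion above that each element of the digitized data base be authenticated by the registration agent's digital signature, written as an added example for this edit (not the draft's or UIDAI's code): every field is signed together with its UID, field name and agent id, so a signed value can neither be altered silently nor transplanted into another record, and the mirror server the citizen logs into can report exactly which fields no longer verify. The Ed25519 keys, the agent id, the UID and the field values are constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"sort"
	"strings"
)

// Element is one field of a digitised application (e.g. "name", "dob"),
// the unit the note says should carry the registration agent's signature.
type Element struct {
	UID       string
	Field     string
	Value     string
	AgentID   string
	Signature []byte
}

// AgentDirectory maps a registration agent's id to the public key UIDAI
// holds for that agent. Key distribution is outside this example.
type AgentDirectory map[string]ed25519.PublicKey

// NewAgentKey creates a fresh signing key pair for an agent (constructed
// for the example; real keys would be issued under a PKI).
func NewAgentKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// canonical builds the exact byte string that is signed. Including the UID,
// field name and agent id binds the signature to this one element, so a
// signed value cannot be moved to another record or another field.
func canonical(uid, field, value, agent string) []byte {
	return []byte(strings.Join([]string{uid, field, value, agent}, "\x1f"))
}

// SignElement is what the registration agent does when digitising a form.
func SignElement(priv ed25519.PrivateKey, uid, field, value, agent string) Element {
	sig := ed25519.Sign(priv, canonical(uid, field, value, agent))
	return Element{UID: uid, Field: field, Value: value, AgentID: agent, Signature: sig}
}

// VerifyElement is what the mirror server (or an auditor) runs before
// presenting the data back to the citizen.
func VerifyElement(pub ed25519.PublicKey, e Element) bool {
	return ed25519.Verify(pub, canonical(e.UID, e.Field, e.Value, e.AgentID), e.Signature)
}

// VerifyRecord checks every element of one UID record and returns the
// names of the fields whose signatures fail; an empty list means clean.
// An element signed by an agent not in the directory also fails.
func VerifyRecord(dir AgentDirectory, elems []Element) []string {
	var bad []string
	for _, e := range elems {
		pub, ok := dir[e.AgentID]
		if !ok || !VerifyElement(pub, e) {
			bad = append(bad, e.Field)
		}
	}
	sort.Strings(bad)
	return bad
}

func main() {
	pub, priv := NewAgentKey()
	dir := AgentDirectory{"RA-KA-017": pub} // constructed agent id
	uid := "100000000001"                   // constructed UID
	rec := []Element{
		SignElement(priv, uid, "name", "Ravi Kumar", "RA-KA-017"),
		SignElement(priv, uid, "dob", "1980-04-12", "RA-KA-017"),
	}
	fmt.Println("failing fields before alteration:", VerifyRecord(dir, rec))
	rec[1].Value = "1970-04-12" // an unsigned alteration of one element
	fmt.Println("failing fields after alteration:", VerifyRecord(dir, rec))
}
```

Because the agent id is inside the signed bytes, a difference between the paper form and the data base can be traced to the agent whose key signed the element, which is the accountability the undertaking in this item is meant to create.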
2. Employee Awareness

All employees would undergo appropriate induction training which includes awareness about their security responsibilities.

Every employee of UIDAI and those of the RA should undergo suitable awareness training on the legal liabilities arising out of negligent or malicious activities and be duly certified for having undergone the relevant training. They would also undergo a “Test” for having completed the training.

Such training will consist of awareness of the provisions of ITA 2008, the Privacy and Security policies of UIDAI and other associated information, besides the technical training involved in handling the creation and maintenance of the data base.
3. Employee Declaration

All employees would sign a voluntary “Declaration of Ethics” agreeing to abide by the privacy and security requirements of UIDAI.
4. Assigned Responsibility

The responsibility for compliance with the Privacy and security requirements shall be allocated to an exclusive official who shall provide periodical compliance reports and certificates to the management every month. The name of the compliance official would be made available to the public through the UIDAI website.
5. Employee Background Check

All employees should be subject to a rigorous background check, and the official responsible for the check would confirm the successful completion of the background check to the compliance official. No person owing allegiance to any organization or faith or group which subordinates national interests to its own ideology shall be allowed to be part of the UIDAI or any of its registration agents.

The UIDAI shall be exempted from all requirements of “Reservation” and other controls on employment applicable to Government organizations as a part of the security requirements.

If required, a constitutional amendment shall be made to ensure that no authority can interfere in the operations of the UIDAI under any pretext.
6. Information Classification

Information associated with the UID shall be classified, at the minimum, into two categories, namely “Primary” and “Secondary”. Within the “Primary” category, one part would be considered “Public” information and the other would be treated as “Private-Primary Information”.

Public information would be made available on the web and would be available for anybody to see. The public are encouraged to inform the UIDAI if any errors are spotted.

Public information may consist of name, sex, age and registered address.

A copy of the Public and Primary Information would also be made available to the individual under the signature of the UIDAI (or as per Sec 65B of the Indian Evidence Act) for his/her reference.

Private-Primary information would be available to the data holder for query on a synchronized data server to ensure that the information is accurate at all times.

Secondary Information would be kept in paper format in multiple locations. One copy would also be kept in digital format with strong encryption on offline media with DRP support. This would be available to authorized UID employees only for grievance redressal and under appropriate audit trail recordings.

Within UIDAI no employee would be provided access to all aspects of the data base.

The elements of the data base would be broken into multiple parts and scattered with an algorithm across the data base. They would be assembled only by authorized employees on a “need to know” basis.
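The last two paragraphs of this item, that no employee sees the whole data base and that elements are broken into parts scattered across it, as an added example for this edit (not code from the draft or from UIDAI): each element is split into n fragments whose XOR restores it, every fragment is stored in a different partition under a random handle that carries no link to the UID, and only the manifest, released after the need-to-know decision, can bring the fragments back together. The n-of-n XOR splitting, the partition layout and the sample element are assumptions; the draft leaves the scattering algorithm unspecified.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Split breaks value into n fragments whose XOR restores it; any n-1 of them
// are uniformly random and reveal nothing. This n-of-n XOR scheme is an
// assumption chosen for the example; the note leaves the algorithm open.
func Split(value []byte, n int) ([][]byte, error) {
	if n < 2 {
		return nil, errors.New("need at least two parts")
	}
	parts := make([][]byte, n)
	last := append([]byte(nil), value...)
	for i := 0; i < n-1; i++ {
		parts[i] = make([]byte, len(value))
		if _, err := rand.Read(parts[i]); err != nil {
			return nil, err
		}
		for j := range last {
			last[j] ^= parts[i][j]
		}
	}
	parts[n-1] = last
	return parts, nil
}

// Combine reassembles the value; every part produced by Split is required.
func Combine(parts [][]byte) ([]byte, error) {
	if len(parts) == 0 {
		return nil, errors.New("no parts")
	}
	out := make([]byte, len(parts[0]))
	for _, p := range parts {
		if len(p) != len(out) {
			return nil, errors.New("part length mismatch")
		}
		for j := range out {
			out[j] ^= p[j]
		}
	}
	return out, nil
}

// Store models the scattered data base: partition i holds part i of every
// element under a random handle, so no partition links a fragment to a UID.
// The manifest (uid/field -> handles) is the only link between partitions.
type Store struct {
	partitions []map[string][]byte
	manifest   map[string][]string
}

func NewStore(n int) *Store {
	s := &Store{partitions: make([]map[string][]byte, n), manifest: map[string][]string{}}
	for i := range s.partitions {
		s.partitions[i] = map[string][]byte{}
	}
	return s
}

func (s *Store) Put(uid, field string, value []byte) error {
	parts, err := Split(value, len(s.partitions))
	if err != nil {
		return err
	}
	handles := make([]string, len(parts))
	for i, p := range parts {
		h := make([]byte, 8)
		if _, err := rand.Read(h); err != nil {
			return err
		}
		handles[i] = hex.EncodeToString(h)
		s.partitions[i][handles[i]] = p
	}
	s.manifest[uid+"/"+field] = handles
	return nil
}

// Get assembles one element; authorised is the outcome of the need-to-know
// check made by whoever controls the manifest. A missing element yields an
// empty part list, which Combine rejects.
func (s *Store) Get(uid, field string, authorised bool) ([]byte, error) {
	if !authorised {
		return nil, errors.New("access denied: need to know not established")
	}
	handles := s.manifest[uid+"/"+field]
	parts := make([][]byte, len(handles))
	for i, h := range handles {
		parts[i] = s.partitions[i][h]
	}
	return Combine(parts)
}

func main() {
	st := NewStore(3)
	_ = st.Put("100000000001", "father_name", []byte("Suresh Kumar")) // constructed sample
	v, err := st.Get("100000000001", "father_name", true)
	fmt.Println(string(v), err)
}
```

An administrator with read access to one or two partitions sees only random bytes under random handles; it is the manifest holder, not the partition administrators, who has to be satisfied that the need to know exists, which is where the audit trail of item 6 belongs.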
7. Employee Cyber Usage Policy

Employees would be subject to appropriate restrictions in the use of computers so that UID information is not subject to risk elements from Cyber space.

All access would be based on multi factor authentication of the employee and with archival of the audit trail with a trusted third party with adequate security.

In particular, no computer which has access to secondary data will have access to the Internet.
8. Media Usage Policy

Employees would be subject to appropriate restrictions in the use of media and other storage devices so that UID information is not subject to risk elements from Cyber space.

In particular, no storage media would be allowed to be used by the employees in the ordinary course. All computers would work on the network with dumb terminals.

Storage devices such as mobiles would be kept out of the secured premises.
9. Sanction Policy

In order to preserve the integrity of the employees, every employee would be subject to appropriate punishment in case of breach of any security norm, whether it results in a data breach or not.

No breach will go unpunished, and the policy would be well documented, distributed and agreed to by the employees.

Any breach will be properly documented and disposed of according to the declared policy.
10. Privacy and Security Practice Statement

UIDAI will develop a detailed Privacy and Security Policy Statement which would be adequately communicated to all the employees as well as the clients and business associates of the organization. A copy should be made available through the website of the organization. The organization may develop different versions of the statement for public and internal use as the management may find necessary.
11. Physical Security

UIDAI shall have appropriate policies and procedures to ensure that only authorized persons will have access to the working area containing IT assets, including the wireless perimeter. Appropriate documentation would be maintained for any guest access provided.

All access points shall be monitored by appropriate electronic access monitoring devices.

The entry and exit of authorized persons to the work area would be linked to the attendance record, and any anomalies recorded as a security breach incident.

Biometric systems will be used to permit access to any area. All information assets would be tagged with RFID tags for movement within the premises and their movement monitored.
12. Logical Access Security

Policies and Procedures shall be implemented for ensuring that access to any IT device is made available only with appropriate access authentication such as passwords.

Appropriate measures shall be initiated for ensuring that a strong password policy is maintained across the organization.

Hardware tokens with biometric and RFID tags shall be used where considered necessary.
13. Information Storage Security

Policies and Procedures shall be established to ensure that information under storage is accessible only by authorized persons on a “Need to Know” basis.

Information under storage shall be kept encrypted.

Access shall be backed up by data integrity control, audit trail monitoring and archival.
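The three requirements of this item (encrypted storage, data integrity control, and an audit trail that can be archived and later checked, which item 7 also calls for), as an added example written for this edit and not taken from the draft or from UIDAI: elements are stored under AES-GCM with the element's storage key bound in as associated data, so a ciphertext copied onto another record fails decryption, and every read attempt is appended to a hash-chained trail in which editing or deleting an earlier entry breaks every later hash. The key, the employee id, the storage keys and the sample value are constructed assumptions; a production key would live in an HSM or key management service, not in memory as here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

// AuditEntry is one line of the access trail. PrevHash chains the entries,
// so deleting or editing an earlier line breaks every later hash.
type AuditEntry struct {
	When, Employee, Action, Key, Outcome, PrevHash, Hash string
}

// Vault keeps every element encrypted at rest. The element's storage key
// (uid/field) is bound in as AES-GCM associated data, so a ciphertext moved
// to another record fails the integrity check on decryption.
type Vault struct {
	aead  cipher.AEAD
	data  map[string][]byte // storage key -> nonce || ciphertext
	Trail []AuditEntry
}

func NewVault(key []byte) (*Vault, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead, data: map[string][]byte{}}, nil
}

// Put encrypts plaintext under a fresh random nonce and stores nonce||ct.
func (v *Vault) Put(key string, plaintext []byte) error {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	v.data[key] = append(nonce, v.aead.Seal(nil, nonce, plaintext, []byte(key))...)
	return nil
}

// Get decrypts with the integrity check and records the attempt in the
// trail whether it succeeds or not.
func (v *Vault) Get(employee, key string) ([]byte, error) {
	blob, ok := v.data[key]
	ns := v.aead.NonceSize()
	if !ok || len(blob) < ns {
		v.log(employee, "read", key, "missing")
		return nil, fmt.Errorf("no element %q", key)
	}
	pt, err := v.aead.Open(nil, blob[:ns], blob[ns:], []byte(key))
	if err != nil {
		v.log(employee, "read", key, "integrity-failure")
		return nil, err
	}
	v.log(employee, "read", key, "ok")
	return pt, nil
}

func (v *Vault) log(employee, action, key, outcome string) {
	prev := ""
	if n := len(v.Trail); n > 0 {
		prev = v.Trail[n-1].Hash
	}
	e := AuditEntry{When: time.Now().UTC().Format(time.RFC3339Nano), Employee: employee,
		Action: action, Key: key, Outcome: outcome, PrevHash: prev}
	e.Hash = entryHash(e)
	v.Trail = append(v.Trail, e)
}

func entryHash(e AuditEntry) string {
	sum := sha256.Sum256([]byte(e.When + "|" + e.Employee + "|" + e.Action + "|" +
		e.Key + "|" + e.Outcome + "|" + e.PrevHash))
	return hex.EncodeToString(sum[:])
}

// VerifyTrail recomputes the chain; false means the archived trail was altered.
func VerifyTrail(trail []AuditEntry) bool {
	prev := ""
	for _, e := range trail {
		if e.PrevHash != prev || entryHash(e) != e.Hash {
			return false
		}
		prev = e.Hash
	}
	return true
}

func main() {
	key := make([]byte, 32) // constructed key; a real one lives in an HSM or KMS
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	v, _ := NewVault(key)
	_ = v.Put("100000000001/address", []byte("constructed address"))
	pt, err := v.Get("emp-42", "100000000001/address")
	fmt.Println(string(pt), err)
	v.data["100000000002/address"] = v.data["100000000001/address"] // moved ciphertext
	_, err = v.Get("emp-42", "100000000002/address")
	fmt.Println(err, VerifyTrail(v.Trail))
}
```

Archiving the trail with a trusted third party, as item 7 proposes, is what makes the chain useful: the last hash handed to the archive fixes every earlier entry, so an insider who later alters the local copy is detectable by recomputing the chain against the archived value.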
14. Information Transmission Security

Transmission of information into and out of the systems would be monitored by a suitable Firewall, and appropriate policies and procedures shall be implemented to ensure that viruses and other malicious code are filtered.

An appropriate audit trail would be maintained and archived to ensure future reference if required. All confidential mails shall be appropriately encrypted.

All outward transmissions of information, including e-mails in the name of the UIDAI, likely to cause any liability to the organization shall be digitally signed by the sender.
15. Hardware/Software Policy

Policies and Procedures shall be put in place to ensure that any hardware or software used by the organization is certified by the supplier to be free from known security vulnerabilities.

Policies and procedures shall be put in place to ensure that hardware and software used by the organization are tested by a third party security auditor and certified to be free of known security vulnerabilities.

All software used will be subject to source code audits and source code escrow.

No purchases shall be made from vendors associated with countries known to be active in Cyber terrorist and cyber war activities.
16. Web Presence Policy

Policies and Procedures shall be put in place to ensure that the domain name, hosting facilities and content used by the organization are adequately protected against malicious attacks, unauthorized alteration and IPR infringement. A suitable Privacy Policy and Disclosure Documents indicating the identity of the owner of the web content shall be provided on the website of the organization.

The web content shall be monitored by the organization regularly, and by an external auditor at periodical intervals, and certified for data integrity.
17. Grievance Redressal Policy

UIDAI shall designate an official as “Security Grievance Resolution Officer” (SGRO) to be the single point contact person accountable for handling all disputes related to information security, and the contact details of such a person, including e-mail and physical address, shall be provided on the website.

UIDAI shall also designate an external person of repute as an “Ombudsman” to resolve the disputes which cannot be resolved by the SGRO.

UIDAI shall also set in place an arbitration mechanism to handle disputes which are not resolved by the Ombudsman.

UIDAI shall also appoint a body of advisors with private sector representatives and NGOs to act as an agency to protect the interests of the Public.

Any grievance recorded, including a complaint of inaccuracy of data, shall be processed and disposed of under an established system, and the process documented.
18. BA Agreement Policy

Policies and Procedures shall be put in place to ensure that the information security responsibilities of UIDAI shall also be followed by any external agency which is provided access to the protected information, by a suitable contractual arrangement with appropriate indemnity provisions.
19. DLP-OLR Policy

Policies and Procedures shall be put in place by UIDAI to maintain an incident monitoring system and an appropriate Disaster Recovery and Business Continuity Plan to meet any contingencies arising out of security breach incidents.

Appropriate evidence archival systems shall be maintained to ensure the capability for “Defensive Legal Protection” against any liability claims that may arise on the organization.

Appropriate evidence archival systems shall be maintained to empower the organization to launch “Offensive Legal Remedy” procedures.
20. Policy Documentation

UIDAI shall retain all Policy documents related to information security for a period of a minimum of 3 years, either in print or electronic form. Data which is part of a security breach incident is kept permanently.
21. Management Certificate/Audit Policy

The operational management shall submit a certificate of compliance with information security to the Board of Directors, or such other top management as is responsible for the UIDAI, once a year, recording therein the observed shortcomings and how they are proposed to be remedied, with appropriate implementation schedules.

The UIDAI shall incorporate a certificate of compliance with information security in the annual report to the Parliament, recording therein the observed shortcomings and how they are proposed to be remedied, with appropriate implementation schedules.

UIDAI shall also incorporate in the annual report to the Parliament a certificate of compliance with information security recording therein the shortcomings observed by an external auditor, the management’s perceptions and how the management proposes to meet the audit suggestions.

All documents handled by UIDAI, whether in print or e-form, shall be audited for data integrity and certified by the auditors at least at annual intervals.
The above suggestions are placed in the public domain for a debate so as to provide appropriate inputs to the UIDAI.

Comments are welcome at naavi@vsnl.com

Naavi
5th September, 2009