Policies and Guidelines for e-Governance
Smt Ujwala Udgaonkar,
Centre for Information Technology
YASHADA
Adoption of Open Source Software Policy
Universal Electronic Accessibility Policy
Email policy
Password Policy
Use of IT Resources Policy
National Cyber Security Policy
E-Governance policy (Maharashtra)
Guidelines for Indian Government Websites
(GIGW)
Software Development & Re-Engineering
Guidelines for Cloud Ready Applications
E-mail Account Management & Effective Email Usage Guidelines
GoI aims to
◦ make Government services digitally accessible to
citizens in their localities
◦ ensure efficiency, transparency and reliability of such
services at affordable costs
Objectives
◦ To provide a policy framework for rapid and effective
adoption of OSS
◦ To ensure strategic control in e-Governance applications
and systems from a long-term perspective
◦ To reduce the Total Cost of Ownership (TCO) of projects
To meet these objectives, there is a need to
set up appropriate hardware and software
infrastructure, which may require significant
resources
There is a need for the Government
Organizations to adopt Open Source Software
This policy will encourage the formal
adoption and use of Open Source Software
(OSS) in Government Organizations
It is imperative to ensure that Electronics & ICTs
are accessible to differently abled so that they act
as an enabler for providing equal opportunity
Design of products, environments, programmes
and services to be usable by all people, to the
greatest extent possible, without the need for
adaptation or specialized design
Universal Design shall include assistive devices
for particular groups of differently abled persons
where this is needed
Scope of the policy covers technological
aspects including access to Electronics & ICTs
products (both hardware & software) and
services by differently abled persons in the
areas of universal design, assistive
technology and independent living aids
Applicability
◦ All new e-Governance applications and systems
being considered for implementation
◦ New versions of the legacy and existing systems
Accessibility Standards
◦ ATAG (Authoring Tools Accessibility Guidelines)
◦ WCAG 2.0 (Web Content Accessibility Guidelines)
◦ UAAG (User Agent Accessibility Guidelines)
ATAG - Authoring tools are software and services
that "authors" (web developers) use to produce web
content
◦ web page authoring tools, e.g. WYSIWYG HTML
editors
◦ software for generating websites, e.g. CMS,
courseware tools
◦ multimedia authoring tools
◦ websites that let users add content, such as
blogs, wikis, photo sharing sites, online forums,
and social networking sites
ATAG has two main parts:
◦ making the authoring tool itself accessible
◦ authoring tool helping authors produce accessible
content
WCAG - The WCAG documents explain how
to make web content more accessible to
people with disabilities. Web "content"
generally refers to the information in a web
page or web application, including:
◦ natural information such as text, images, and
sounds
◦ code or markup that defines structure,
presentation, etc.
UAAG - User agents include Web browsers,
media players, and assistive technologies,
which are software that some people with
disabilities use in interacting with computers
UAAG is primarily for developers of Web
browsers, media players, assistive
technologies, and other user agents
UAAG and supporting resources are also
intended to meet the needs of many different
audiences, including policy makers,
managers, and others
Only the e-mail services provided by NIC, the
Implementing Agency of the Government of
India shall be used for official
communications by all organizations
Objective
◦ to ensure secure access and usage of Government
of India e-mail services by its users
◦ All services under e-mail are offered free of cost to
all officials under Ministries / Departments /
Statutory Bodies / Autonomous bodies
It is recommended that GoI officials on long
deputation / stationed abroad and handling
sensitive information should use (VPN) /
(OTP) for accessing GoI email services as
deemed appropriate by the competent
authority.
It is recommended that Embassies and
missions abroad should use Static IP
addresses
Use of Digital Signature Certificate (DSC) and
encryption shall be mandatory for sending emails deemed as classified and sensitive
Updation of current mobile numbers under the
personal profile of users is mandatory for
security reasons. The number would be used only
for alerts and information regarding security sent
by the IA
Updation of personal e-mail id (preferably from a
service provider within India), in addition to the
mobile number, shall also be mandatory in order
to reach the user through an alternate means for
sending alerts
Users shall not download e-mails from their
official e-mail account, configured on the GoI
mail server, by configuring POP or IMAP on
any other e-mail service provider.
This implies that users should not provide
their GoI e-mail account details (id and
password) to their accounts on private e-mail
service providers
Any e-mail addressed to a user, whose
account has been deactivated / deleted, shall
not be redirected to another email address
Forwarding of e-mail from the e-mail id
provided by GoI to the Government official’s
personal id outside the GoI email service is
not allowed due to security reasons
Auto-save of password in the Government email service shall not be permitted
Based on the request of the respective
organizations, Implementing Agency will
create two ids, one based on the designation
and the other based on the name.
Designation based id’s are recommended for
officers dealing with the public
Designation based ids should be used for
official communication and name based ids
can be used for both official and personal
communication
The User is responsible for any data / e-mail
that is transmitted using the GoI e-mail
system. All e-mails / data sent through the
mail server are the sole responsibility of the
user owning the account
Exemptions
◦ Organizations, including those dealing with national
security, that currently have their own independent
mail servers can continue to operate the same,
provided the e-mail servers are hosted in India
Users shall be responsible for all activity
performed with their personal user IDs
All user-level passwords shall be changed
periodically (at least once every three months)
Users shall not be able to reuse previous
passwords
Passwords shall be enforced to be of a
minimum length and comprising a mix of
alphabets, numbers and characters
Passwords shall not be stored in readable
form
All access codes including user ID passwords,
network passwords, PINs etc. shall not be
shared with anyone, including personal
assistants or secretaries
Passwords shall not be revealed on
questionnaires or security forms
The "Remember Password" feature of
applications shall not be used
The same password shall not be used for
each of the systems / applications to which a
user has been granted access e.g. a separate
password to be used for a Windows account
and a UNIX account should be selected
First time login to systems / services with
administrator created passwords, should
force changing of password by the user.
For Password Change Control, both the old
and new passwords are required to be given
whenever a password change is required
Policy for constructing a password
◦ more than eight characters
◦ No dictionary word
◦ The password shall not be a common usage word
such as names of family, pets, friends, co-workers,
fantasy characters, etc.
◦ The password shall not be based on birthdays and
other personal information such as addresses and
phone numbers
◦ The password shall be a combination of upper and
lower case characters, digits, and punctuation
characters as well as other characters
For the purpose of this policy, the term ‘IT
Resources’ includes
◦ desktop devices
◦ portable and mobile devices
◦ networks including wireless networks
◦ Internet connectivity
◦ external storage devices and peripherals like
printers and scanners and the software associated
therewith
Policy Covers-
◦ Roles and responsibilities
◦ Access to network – internet and intranet,
government wireless network, filtering and
blocking of sites
◦ Monitoring and privacy
◦ E-mail Access from the Government Network
◦ Access to Social Media Sites from Government
Network
◦ Use of IT Devices Issued by Government of India
◦ Responsibility of User Organizations
◦ Intellectual Property
◦ Scrutiny/Release of logs
About
◦ Creating a secure cyber ecosystem
◦ Creating an assurance framework
◦ Encouraging Open Standards
◦ Strengthening the Regulatory framework
◦ Creating mechanisms for security threat early warning,
vulnerability management and response to security
threats
◦ Securing E-Governance services
◦ Protection of Critical Information Infrastructure
◦ Promotion of Research & Development in cyber security
◦ Human Resource Development
◦ Creating Cyber Security Awareness
Use of UID
Use of Regional Language in e-Governance
implementation
e-enablement of Services
◦ include information availability, submission of
online forms, online processing and payments,
online verification, online status tracking and online
availability of services with special stress being on
service delivery in Regional Language
Service Delivery Channels
◦ State Portal
◦ National Portal of Government of India
◦ Through other channels like Common Service
Centers (Maha e-Seva Kendra), Setu, CFC, Mobile
platforms etc.
Service Delivery Gateway
Government of India Identifiers
Website needs to be Bilingual i.e. Marathi and
English. By default, the webpage should open
in Marathi language.
Website should be developed with gov.in or
maharashtra.gov.in extension
Website should run independent of IP
Address i.e. IP Addresses should not be
hard coded in the source code
Website should be IPv6 compliant
Website should be able to open in all six
ways. For example
◦ https://www.maharashtra.gov.in
◦ http://www.maharashtra.gov.in
◦ www.maharashtra.gov.in
◦ https://maharashtra.gov.in
◦ http://maharashtra.gov.in
◦ maharashtra.gov.in
Website should be running on SSL i.e. http
request should automatically get redirected
to https
Website should be compatible to run on multi
server environment for load sharing
Website should be compatible for
accessibility from any device, any Operating
System and any browser
CAPTCHA should be present for web pages
with form field such as feedback form,
registration form etc.
Password should not be hardcoded in any
website configuration files or stored in plain
text
Website/Application needs to be Security
Audited by the Cert-In empanelled Security
Auditors
Title tag
Accessibility Options
(Web Pages allow
resizing of text
without the use of
assistive technology)
Terms and Conditions
Contact us
Help section
Site map
Last updated on date
Consistent navigation scheme
Search box
No broken
Links
Electronic commerce
transactions handled
through secure means
Alternate text is provided for images / audio
or video clips
Use of Cascading Style Sheets
Functionality of content is operable through
keyboard
Clear indication when a link leads out to a
non government website
Pages in multiple languages are updated
simultaneously
Tested on multiple browsers
Use of Metadata for pages like title,
keywords, description and language is
appropriately included
Website should have following policies
prominently displayed on the Home Page
◦ Copyright Policy
◦ Hyperlinking Policy
◦ Privacy Policy
◦ Content Archival Policy
◦ Content Review Policy
◦ Content Contribution, Moderation & Approval
Policy
Hosting provider should provide 24x7 service
with:
◦ disaster recovery
◦ helpdesk support
◦ intrusion prevention
◦ regular backups
Need
◦ to ensure development of Common
Application Software (CAS) which can be
configured as per different states /
departments requirements without the
need of modifying the core code of the
application for a faster deployment
Evolution of eGov App Store
◦ The cloud enabled application for states /
departments will be made available on the eGov
AppStore.
◦ The eGov AppStore is a national level common
repository of customizable and configurable
applications, components and web services that can
be re-used by various government agencies /
departments at Centre and States, with the vision to
accelerate delivery of e-services
Email Account Management
◦ Creation of E-mail addresses
◦ Process of Account Creation
◦ Process of Handover of Designation Based E-mail
◦ Data retention
◦ Data Backup
◦ Deactivation of Accounts
◦ Desktop Protection
◦ Status of Account in case of Resignation or
Superannuation
Secure E-mail Access for Officials stationed
Outside India
Recommended Best Practices
For additional policies and guidelines, please
visit
http://meity.gov.in/content/policiesguidelines
Any Questions?