Security Policy

  1. CPPRI has been placed in protected zones with the implementation of firewalls, IDS (Intrusion Detection System), and high availability solutions.
  2. Before the launch of the CPPRI, simulated penetration tests were conducted. Penetration testing has also been conducted thrice after the launch of the CPPRI.
  3. CPPRI has been audited for known application-level vulnerabilities before the launch, and all the known vulnerabilities have been addressed.
  4. CPPRI has been re-audited for application-level vulnerabilities after major modifications in application development.
  5. Hardening of servers has been done as per the guidelines of the cyber security division before the launch of the CPPRI.
  6. Access to CPPRI web servers is restricted both physically and through the network as far as possible.
  7. Logs at three different locations are maintained for authorized physical access to CPPRI servers.
  8. CPPRI web servers are configured behind IDS, IPS (Intrusion Prevention System), and system firewalls.
  9. All development work is done in a separate development environment and is well tested on the staging and pre-prod server before it is updated on the production server.
  10. After proper testing on the staging server, the applications are uploaded to the production server using SSH and VPN through a single point.
  11. The content contributed by/from remote locations is duly authenticated and is not published on the production server directly. Any contributed content must go through the moderation process before final publishing on the production server.
  12. All contents of the web pages are checked for intentional or unintentional malicious content before final upload to web server pages.
  13. An audit and log of all activities involving the operating system, access to the system, and access to applications are maintained and archived. All rejected accesses and services are logged and listed in exception reports for further scrutiny.
  14. Help Desk staff at the NIC Data Centre monitor the portal round the clock to check the web pages, ensuring they are up and running, that no unauthorized changes have been made, and that no unauthorized links have been established.
  15. All newly released system software patches, bug fixes, and upgrades are expeditiously and regularly reviewed and installed on the web server.
  16. On production web servers, internet browsing, email, and any other desktop applications are disabled. Only server administration-related tasks are performed.

Page Last Updated Date: 10 April, 2025