Section 5: Information Management

Q: What does Section 5 of The Information Technology (Certifying Authorities) Rules, 2000 (TITCAR) deal with?

Section 5 TITCAR pertains to "Information Management". It is part of the The Information Technology (Certifying Authorities) Rules, 2000, a legislation enacted by the Parliament of India. Section 5 of The Information Technology (Certifying Authorities) Rules, 2000 (TITCAR) governs information Management. As verified on 19 May 2026.

Q: Is Section 5 TITCAR still in force?

Yes, Section 5 of the The Information Technology (Certifying Authorities) Rules, 2000 is currently in force across the Republic of India.

Q: What is धारा 5 TITCAR?

धारा 5 TITCAR is the Devanagari Hindi reference for Section 5 of the The Information Technology (Certifying Authorities) Rules, 2000. Section 5 of The Information Technology (Certifying Authorities) Rules, 2000 (TITCAR) governs information Management. As verified on 19 May 2026.

Q: What is Dhara 5 TITCAR?

Dhara 5 TITCAR is the Roman Hindi reference for Section 5 of the The Information Technology (Certifying Authorities) Rules, 2000. "Dhara" means "Section" in Hindi. Section 5 of The Information Technology (Certifying Authorities) Rules, 2000 (TITCAR) governs information Management. As verified on 19 May 2026.

Q: How to cite Section 5 of The Information Technology (Certifying Authorities) Rules, 2000?

Cite as: "Section 5, The Information Technology (Certifying Authorities) Rules, 2000 (TITCAR)" in legal briefs. For academic writing, use the BlueBook format: The Information Technology (Certifying Authorities) Rules, 2000, § 5 (India).

Law on Tips Editorial Board

5.1

System Administration.-(1) Each organization shall designate a properly trained "System Administrator " who will ensure that the protective security measures of the system are functional and who will maintain its security posture. Depending upon the complexity and security needs of a system or application, the System Administrator may have a designated System Security Administrator who will assume security responsibilities and provide physical, logical and procedural safeguards for information.

(2)

Organisations shall ensure that only a properly trained System Security Administrator is assigned the system security responsibilities.

(3)

The responsibility to create, classify, retrieve, modify, delete or archive information must rest only with the System Administrator.

(4)

Any password used for the system administration and operation of trusted services must not be written down (in paper or electronic form) or shared with any one. A system for password management should be put in place to cover the eventualities such as forgotten password or changeover to another person in case of System Administrator (or System Security Administrator) leaving the organization. Every instance of usage of administrator's passwords must be documented.

(5)

Periodic review of the access rights of all users must be performed.

(6)

The System Administrator must promptly disable access to a user's account if the user is identified as having left the Data Centre, changed assignments, or is no longer requiring system access. Reactivation of the user's account must be authorized in writing by the System Administrator (Digitally signed e-mail may be acceptable).

(7)

The System Administrator must take steps to safeguards classified information as prescribed by its owner.

(8)

The System Administrator must authorize privileged access to users only on a need-to-know and need-to-do basis and also only after the authorization is documented.

(9)

Criteria for the review of audit trails/access logs, reporting of access violations and procedures to ensure timely management action/response shall be established and documented.

(10)

All security violations must be recorded, investigated, and periodic status reports compiled for review by the management.

(11)

The System Administrator together with the system support staff, shall conduct a regular analysis of problems reported to and identify any weaknesses in protection of the information.

(12)

The System Administrator shall ensure that the data, file and Public Key Infrastructure (PKI) servers are not left unmonitored while these systems are powered on.

(13)

The System Administrator should ensure that no generic user is enabled or active on the system.

5.2

Sensitive Information Control.-(1) Information assets shall be classified and protected according to their sensitivity and criticality to the organization.

(2)

Procedures in accordance with Para 8.3 of these Guidelines must be in place to handle the storage media, which has sensitive and classified information.

(3)

All sensitive information stored in any media shall bear or be assigned an appropriate security classification.

(4)

All sensitive material shall be stamped or labelled accordingly.

(5)

Storage media (i.e. floppy diskettes, magnetic tapes, portable hard disks, optical disks, etc.) containing sensitive information shall be secured according to their classification.

(6)

Electronic communication systems, such as router, switches, network device and computers, used for transmission of sensitive information should be equipped or installed with suitable security software and if necessary with an encryptor or encryption software. The appropriate procedure in this regard should be documented.

(7)

Procedures shall be in place to ensure the secure disposal of sensitive information assets on all corrupted/damaged or affected media both internal (e.g. hard disk/optical disk) and external (e.g. diskette, disk drive, tapes, etc.) to the system. Preferably such affected/corrupted/damaged media both internal and external to the system shall be destroyed.

5.3

Sensitive Information Security.-(1) Highly sensitive information assets shall be stored on secure removable media and should be in an encrypted format to avoid compromise by unauthorized persons.

(2)

Highly sensitive information shall be classified in accordance with Para 3.

(3)

Sensitive information and data, which are stored on the fixed disk of a computer shared by more than one person, must be protected by access control software (e.g., password). Security packages must be installed with partition or provide authorization to segregated directories/files.

(4)

Removable electronic storage media must be removed from the computer and properly secured at the end of the work session or workday.

(5)

Removable electronic storage media containing sensitive information and data must be clearly labelled and secured.

(6)

Hard disks containing sensitive information and data must be securely erased prior to giving the computer system to another internal or external department or for maintenance.

5.4

Third Party Access.-(1) Access to the computer systems by other organisations shall be subjected to a similar level of security protection and controls as in these Information Technology security guidelines.

(2)

In case the Data Centre uses the facilities of external service/facility provider

(outsourcer) for any of their operations, the use of external service/facility providers (e.g. outsourcer) shall be evaluated in light of the possible security exposures and risks involved and all such agreements shall be approved by the information asset owner. The external service or facility provider shall also sign non-disclosure agreements with the management of the Data Centre/operational site.

(3)

The external service/facility provider (e.g. outsourcer) shall provide an equivalent level of security controls as required by these Information Technology Security Guidelines.

5.5

Prevention of Computer Misuse.-(1) Prevention, detection, and deterrence measures shall be implemented to safeguard the security of computers and computer information from misuse. The measures taken shall be properly documented and reviewed regularly.

(2)

Each organization shall provide adequate information to all persons, including management, systems developers and programmers, end-users, and third party users warning them against misuse of computers.

(3)

Effective measures to deal expeditiously with breaches of security shall be established within each organisation. Such measures shall include:

(i) Prompt reporting of suspected breach;

(ii) Proper investigation and assessment of the nature of suspected breach;

(iii) Secure evidence and preserve integrity of such material as relates to the discovery of any breach;

(iv) Remedial measures.

(4)

All incidents related to breaches shall be reported to the System Administrator or System Security Administrator for appropriate action to prevent future occurrence.

(5)

Procedure shall beset-up to establish the nature of any alleged abuse and determine the subsequent action required to be taken to prevent its future occurrence. Such procedures shall include:

(i) The role of the System Administrator, System Security Administrator and management;

(ii) Procedure for investigation;

(iii) Areas for security review; and

(iv) Subsequent follow-up action.