6.1 Use of Security Systems or Facilities.-(1) Security controls shall be installed and maintained on each computer system or computer node to prevent unauthorised users from gaining entry to the information system and to prevent unauthorised access to data.
(2) Any system software or resource of the computer system should be accessible only after authentication by the access control system.
6.2 System Access Control.-(1) Access control software and system software security features shall be implemented to protect resources. Management approval is required to authorise issuance of user identification (ID) and resource privileges.
(2) Access to information system resources like memory, storage devices, etc., sensitive utilities and data resources and programme files shall be controlled and restricted on a "need-to-use" basis with proper segregation of duties.
(3) The access control software or operating system of the computer system shall provide features to restrict access to the system and data resources. The use of common passwords such as "administrator", "president" or "game", etc., to protect access to the system and data resources represents a security exposure and shall be avoided. All passwords used must be resistant to dictionary attacks.
(4) Appropriate approval for a request to access system resources shall be obtained from the System Administrator. Guidelines and procedures governing access authorisations shall be developed, documented and implemented.
(5) An Access Control System manual documenting the access granted to different levels of users shall be prepared to provide guidance to the System Administrator for the grant of access.
(6) Each user shall be assigned a unique user ID. Adequate user education shall be provided to help users in password choice and password protection. Sharing of user IDs shall not be allowed.
(7) Stored passwords shall be encrypted using internationally proven encryption techniques to prevent unauthorised disclosure and modification.
(8) Stored passwords shall be protected by access controls from unauthorised disclosure and modification.
(9) Automatic time-out for terminal inactivity should be implemented.
(10) An audit trail of security-sensitive access and actions taken shall be logged.
(11) All forms of audit trail shall be appropriately protected against unauthorised modification or deletion.
(12) Where a second level of access control is implemented through the application system, password controls similar to those implemented for the computer system shall be in place.
(13) Activities of all remote users shall be logged and monitored closely.
(14) The facility to log in as another user from one user's login shall be denied. However, the system should prohibit direct login as a trusted user (e.g., root in Unix, administrator in Windows NT or Windows 2000). This means that there must be a user account configured for the trusted administrator. The system requires trusted users to change their effective username to gain root access and to re-authenticate themselves before requesting access to privileged functions.
(15) The startup and shutdown procedure of the security software must be automated.
(16) Sensitive operating system files, which are more exposed to attackers, must be protected against all known attacks using proven tools and techniques. That is to say, no user shall be able to modify them except with the permission of the System Administrator.
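Clauses (10) and (11) require that security-sensitive actions be logged and that the trail be protected against modification or deletion. The following is an added example, not part of the guidelines text, of one way to make such a trail tamper-evident: each entry carries a keyed digest (HMAC-SHA256) over its own record and the digest of the entry before it, so changing, removing or re-ordering any entry breaks the chain at that point. The key, the record fields and the sample entries are constructed for the example.

```python
# Added example (not part of the guidelines): a keyed hash-chained audit trail
# in which any modification or deletion of a logged entry breaks the chain and
# is reported by the verifier.
import hashlib
import hmac
import json
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # chain anchor used as the "previous digest" of the first entry


def _mac(key: bytes, prev: str, record: dict) -> str:
    """Keyed digest over the previous entry's digest and this record's canonical JSON."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev.encode() + b"\n" + body, hashlib.sha256).hexdigest()


def append_entry(trail: List[dict], key: bytes, ts: str, user: str, action: str, target: str) -> dict:
    """Append one audit record, chained to the entry before it."""
    prev = trail[-1]["mac"] if trail else GENESIS
    record = {"seq": len(trail), "ts": ts, "user": user, "action": action, "target": target}
    entry = {"record": record, "prev": prev, "mac": _mac(key, prev, record)}
    trail.append(entry)
    return entry


def verify_trail(trail: List[dict], key: bytes, expected_head: Optional[str] = None) -> Tuple[bool, int]:
    """Walk the chain. Returns (True, -1) if intact, else (False, index of the first bad entry).

    If expected_head (the most recent digest, recorded off-system) is supplied,
    truncation of the tail is detected as well and reported as index len(trail).
    """
    prev = GENESIS
    for i, entry in enumerate(trail):
        if entry["record"].get("seq") != i or entry["prev"] != prev:
            return False, i
        if not hmac.compare_digest(entry["mac"], _mac(key, prev, entry["record"])):
            return False, i
        prev = entry["mac"]
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return False, len(trail)
    return True, -1


def build_sample_trail(key: bytes) -> List[dict]:
    """Constructed sample entries standing in for one day's security-sensitive actions."""
    trail: List[dict] = []
    append_entry(trail, key, "2024-03-01T09:02:11Z", "sysadm", "grant-privilege", "uid=ops7")
    append_entry(trail, key, "2024-03-01T09:15:40Z", "ops7", "read", "/etc/shadow")
    append_entry(trail, key, "2024-03-01T10:01:03Z", "sysadm", "revoke-privilege", "uid=ops7")
    return trail


if __name__ == "__main__":
    key = b"verifier-held-key-constructed-for-demo"
    trail = build_sample_trail(key)
    print("fresh trail:", verify_trail(trail, key))          # (True, -1)
    trail[1]["record"]["target"] = "/tmp/harmless"            # alter a logged action
    print("after tampering:", verify_trail(trail, key))       # (False, 1)
```

The key must be held by the party that verifies the trail (or by a separate log host), not by the system that writes it: a plain unkeyed hash chain can be silently recomputed by anyone who can write the log file. Deleting the newest entry does not break the chain on its own, which is why the head digest should be exported periodically and passed back as `expected_head`.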
6.3 Password Management.-(1) Certain minimum quality standards for passwords shall be enforced. The quality level shall be increased progressively. The following control features shall be implemented for passwords:
(i) Minimum of eight characters without leading or trailing blanks;
(ii) Shall be different from the existing password and the two previous ones;
(iii) Shall be changed at least once every ninety days; for sensitive systems, the password shall be changed at least once every thirty days; and
(iv) Shall not be shared, displayed or printed.
(2) Password retries shall be limited to a maximum of three attempted logons, after which the user ID shall be revoked; for sensitive systems, the number of password retries should be limited to a maximum of two.
(3) Passwords which are easy to guess (e.g., user name, birth date, month, standard words, etc.) should be avoided.
(4) Initial or reset passwords must be changed by the user upon first use.
(5) Passwords shall always be encrypted in storage to prevent unauthorised disclosure.
(6) All passwords used must be resistant to dictionary attacks and all known password cracking algorithms.
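The password rules in 6.3 are concrete enough to be checked mechanically. The example below is added here and is not part of the guidelines: it enforces the eight-character minimum without leading or trailing blanks, rejects a candidate that matches the current or two previous passwords, refuses the easy-to-guess values named in clause (3) (user name, birth date, dictionary words), limits retries to three (two for sensitive systems) before revoking the ID, forces a change of initial or reset passwords on first use, and reports when a password is older than ninety (or thirty) days. Passwords are stored as salted PBKDF2-HMAC-SHA256 digests; that one-way form is assumed here as the practical reading of "encrypted in storage". The `Account` fields, the `birth_date` attribute and the short word list are constructed for the example.

```python
# Added example (not part of the guidelines): a password-policy checker for 6.3.
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple

MIN_LENGTH = 8
HISTORY_DEPTH = 2                                 # must differ from current and two previous
MAX_RETRIES = {"normal": 3, "sensitive": 2}
MAX_AGE_DAYS = {"normal": 90, "sensitive": 30}
PBKDF2_ROUNDS = 200_000
# Constructed word list; a deployment would load a full dictionary here.
DICTIONARY = {"password", "welcome", "administrator", "president", "game", "letmein", "qwerty"}


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted one-way digest used for storage and for history comparison."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def matches(password: str, salt: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


@dataclass
class Account:
    user_id: str
    birth_date: str                               # "YYYY-MM-DD"; constructed attribute for clause (3)
    sensitivity: str = "normal"                   # "normal" or "sensitive"
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # (salt, digest), newest last
    last_changed: Optional[date] = None
    failed_logins: int = 0
    revoked: bool = False
    must_change: bool = True                      # initial/reset password must be changed on first use


def check_quality(account: Account, candidate: str) -> List[str]:
    """Return the list of rule violations; an empty list means the candidate is acceptable."""
    problems = []
    if candidate != candidate.strip():
        problems.append("leading or trailing blanks")
    if len(candidate.strip()) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    low = candidate.lower()
    if account.user_id.lower() in low:
        problems.append("contains user name")
    year, month, day = account.birth_date.split("-")
    if year in candidate or month + day in candidate or day + month in candidate:
        problems.append("contains birth date")
    if re.sub(r"[^a-z]", "", low) in DICTIONARY:  # letters only, so "Welcome1" still counts
        problems.append("dictionary word")
    for salt, digest in account.history[-(HISTORY_DEPTH + 1):]:
        if matches(candidate, salt, digest):
            problems.append("reused recent password")
            break
    return problems


def set_password(account: Account, candidate: str, today: date) -> List[str]:
    """User-chosen change: stored only if every check passes."""
    problems = check_quality(account, candidate)
    if not problems:
        account.history.append(hash_password(candidate))
        account.last_changed = today
        account.must_change = False
        account.failed_logins = 0
    return problems


def admin_reset(account: Account, temporary: str, today: date) -> List[str]:
    """Reset by the System Administrator; the user must change it at first use (clause (4))."""
    problems = set_password(account, temporary, today)
    if not problems:
        account.must_change = True
    return problems


def password_expired(account: Account, today: date) -> bool:
    if account.last_changed is None:
        return True
    return today - account.last_changed > timedelta(days=MAX_AGE_DAYS[account.sensitivity])


def attempt_login(account: Account, candidate: str) -> str:
    """Returns "ok", "change-required", "denied", or "revoked" once the retry limit is hit."""
    if account.revoked:
        return "revoked"
    if not account.history:
        return "denied"
    salt, digest = account.history[-1]
    if matches(candidate, salt, digest):
        account.failed_logins = 0
        return "change-required" if account.must_change else "ok"
    account.failed_logins += 1
    if account.failed_logins >= MAX_RETRIES[account.sensitivity]:
        account.revoked = True
        return "revoked"
    return "denied"
```

Two design points worth noting: the history check compares the candidate against stored digests rather than keeping old passwords in clear, so clause (5) still holds for the previous passwords; and revocation is decided inside `attempt_login` on the same path as a failed match, so there is no window in which the counter can be bypassed.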
6.4 Privileged User's Management.-(1) System privileges shall be granted to users only on a need-to-use basis.
(2) Login privileges for highly privileged accounts should be available only from the Console and from terminals situated within the Console room.
(3) An audit trail of activities conducted by highly privileged users shall be maintained for two years and reviewed periodically, at least every week, by an operator who is independent of the System Administrator.
(4) Privileged users shall not be allowed to log in to the computer system from a remote terminal. The usage of the computer system by privileged users shall be allowed only during a specified time period.
(5) Separate user IDs shall be provided to the user for performing privileged and normal (non-privileged) activities.
(6) The use of user IDs for emergency use shall be recorded and approved. The passwords shall be reset after use.
6.5 User's Account Management.-(1) Procedures for user account management shall be established to control access to application systems and data. The procedures shall include the following:
(i) Users shall be authorised by the computer system owner to access the computer services.
(ii) A written statement of access rights shall be given to all users.
(iii) All users shall be required to sign an undertaking to acknowledge that they understand the conditions of access.
(iv) Where access to computer services is administered by service providers, ensure that the service providers do not provide access until the authorisation procedures have been completed. This includes the acknowledgement of receipt of the accounts by the users.
(v) A formal record of all registered users of the computer services shall be maintained.
(vi) Access rights of users who have been transferred or have left the organisation shall be removed immediately.
(vii) A periodic check shall be carried out for redundant user accounts and access rights that are no longer required.
(viii) Ensure that redundant user accounts are not re-issued to another user.
(2) User accounts shall be suspended under the following conditions:
(i) when an individual is on extended leave or the account has been inactive for over thirty days. In the case of a protected computer system, the limit of thirty days may be reduced to fifteen days by the System Administrator.
(ii) immediately upon the termination of the services of an individual.
(iii) suspended or inactive accounts shall be deleted after a period of two months. In the case of protected computer systems, the limit of two months may be reduced to one month.
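Clause (2) describes a lifecycle that a periodic review job can apply. The following is an added example, not part of the guidelines: it suspends active accounts on termination, extended leave or inactivity beyond the limit, and deletes accounts that have stayed suspended past the retention period, with the shorter limits for protected systems. The sample directory and the choice to read "two months" and "one month" as 60 and 30 days are constructed for the example; the fifteen-day inactivity limit is the reduction clause (2)(i) permits the System Administrator to apply on a protected system.

```python
# Added example (not part of the guidelines): periodic account review for 6.5(2).
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Assumptions: "two months"/"one month" taken as 60/30 days; the System
# Administrator has chosen the reduced fifteen-day limit for protected systems.
INACTIVITY_DAYS = {"ordinary": 30, "protected": 15}
RETENTION_DAYS = {"ordinary": 60, "protected": 30}


@dataclass
class UserRecord:
    user_id: str
    last_activity: date
    status: str = "active"                 # active | suspended | deleted
    suspended_on: Optional[date] = None
    terminated: bool = False
    on_extended_leave: bool = False


def review_accounts(records: List[UserRecord], today: date, system: str = "ordinary") -> List[Tuple[str, str]]:
    """Apply the suspension and deletion rules in place; return (user_id, action) for each change."""
    actions: List[Tuple[str, str]] = []
    inactivity = timedelta(days=INACTIVITY_DAYS[system])
    retention = timedelta(days=RETENTION_DAYS[system])
    for rec in records:
        if rec.status == "active":
            reason = None
            if rec.terminated:                     # (2)(ii): immediate on termination
                reason = "terminated"
            elif rec.on_extended_leave:            # (2)(i)
                reason = "extended-leave"
            elif today - rec.last_activity > inactivity:
                reason = "inactive"
            if reason:
                rec.status, rec.suspended_on = "suspended", today
                actions.append((rec.user_id, "suspend:" + reason))
        elif rec.status == "suspended" and today - rec.suspended_on >= retention:
            rec.status = "deleted"                 # (2)(iii); the ID is never re-issued (1)(viii)
            actions.append((rec.user_id, "delete"))
    return actions


def sample_records() -> List[UserRecord]:
    """Constructed sample directory, as seen by a review run on 2024-06-30."""
    return [
        UserRecord("alice", date(2024, 6, 25)),
        UserRecord("bob", date(2024, 5, 20)),
        UserRecord("carol", date(2024, 6, 28), terminated=True),
        UserRecord("dave", date(2024, 4, 1), status="suspended", suspended_on=date(2024, 4, 15)),
        UserRecord("erin", date(2024, 5, 1), status="suspended", suspended_on=date(2024, 5, 15)),
        UserRecord("frank", date(2024, 6, 10)),
    ]


if __name__ == "__main__":
    for system in ("ordinary", "protected"):
        print(system, review_accounts(sample_records(), date(2024, 6, 30), system))
```

Because clause (2)(ii) says "immediately", a termination should trigger a run of the review (or a direct suspension) at the moment HR records it, rather than waiting for the next scheduled pass.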
6.6 Data and Resource Protection.-(1) All information assets shall be assigned an "owner" responsible for the integrity of that data/resource. Custodians shall be assigned and shall be jointly responsible for information assets by providing computer controls to assist owners.
(2) The operating system or security system of the computer system shall:
(i) Define user authority and enforce access control to data within the computer system;
(ii) Be capable of specifying, for each named individual, a list of named data objects (e.g., file, programme) or groups of named objects, and the type of access allowed.
(3) For networked or shared computer systems, system users shall be limited to a profile of data objects required to perform their needed tasks.
(4) Access controls for any data and/or resources shall be determined as part of the systems analysis and design process.
(5) Application programmers shall not be allowed to access the production system.