The Unique ID Project (UID) project has been announced by the Government of India under the leadership of Mr Nandan Nilekani and a body known as UID Authority of India (UIDAI) has been formed. The UIDAI has already announced that a pilot project would be undertaken in Karnataka under the direct supervision of Mr M N Vidyashankar, the Principal Secretary, e-Governance, Government of India. Naavi had already published some suggestions about the UID project in which the security requirements had been briefly highlighted. This note contains more detailed suggested security requirements that can be tested in the pilot project. These security requirements have been developed based on the Information Security Framework (IISF-309) formulated by Naavi under the ITA 2008 and published as a Draft for Debate.. . Naavi

The UID project envisages creation of a Unique Identification Number for every citizen of India.  The UIDAI will now create a database with the UID (a number) of individuals and associated with 12 parameters of identity. These records will be held by UIDAI. The UID number would be used by other service providers for rendering their services an such service providers may issue ID cards to the individuals with the service related data plus the UID number.

The exact manner in which UID would be used by the service providers is to be determined by them. For example, an applicant to the NREGS would be asked to quote his UID number in his application. The NREGS will provide the service and tag it against the UID so that a second application against the same UID is not possible. Obviously, NREGS may have to check the UID with the person who claims it. For this purpose, it needs to have access to the parameters associated with the UID. This means that it has to have access to the UID data base. It has to then proceed to check the parameters independently and certify that the applicant is in deed the owner of the UID.

In practice, the service provider may not be expected to independently check all the 12 parameters associated with the UID. He will only check the biometric parameter and import  all other data. Alternatively, he will import the data on the basis of the name and then check the biometric data.

(P.S: Naavi has suggested treating the biometric feature attached to the UID as the “Root ID” and in such a case, the index of UID has to be maintained on the basis of the biometric feature. Once the biometric data is fed into the computer, it should fetch the details of who is the person, what is his sex, what is his date of birth, what is his father’s name, where does he live etc. Once the UID is established, the service provider can associate other service related data with the given UID and proceed..

If however the “Name” is used as the “Root ID”, the index will be built on the name. The applicant has to provide his name and then the system will return the UID data. Since “Name” is not unique in most cases and also since there would be problems of indexing in different languages, the feeding of the name will have to return a couple of alternate UIDs and after checking the other parameters such as sex or father’s name or age, the exact UID associated with the name can be digged out.

If “Name” is treated as the “Root ID”, and a person provides his name and a UID, the tendency with the verification agency would be to feed both to the system and match the name with the UID. If this test is positive, the person would be registered for the service with the declared UID and the declared name. In most such cases, a further check based on other parameters may not be conducted since it would seem redundant.

Alternatively, the service provider may input the UID in a query to the UID system and extract the parameters associated with the UID. If these tally with what the service applicant has provided to the  service provider in his application, then the applicant is considered validated. Some service providers may check the biometric parameter and others may be satisfied with the checking of the name parameter.

It is to avoid such possibilities that Naavi has suggested that the “Finger Print” should be used as the “Root ID” and indexing has to be built on the “Finger Print”. Query to the UIDAI data base should preferably be permitted only through the biometric feature. This will be critical as long as UIDAI will only maintain a virtual data base and does not issue any ID card of its own.)

The service oriented information held by the service providers is not the responsibility of the UIDAI and therefore not of concern to the current discussion though these security principles are extended even to them through the service level agreements to the extent necessary.

The UIDAI would however be responsible for the data maintained by it which covers the 12 parameters as envisaged now. If access to these is provided to the service provider, it also means that there is a risk associated with such access which has to be managed.

Naavi has already discussed in the previous note the need for changes to be made to the system. One of the important changes suggested which has reference to this discussion is to bifurcate the data associated with the individual holder of UID into two parts one to be called the Primary Identification Data (PID)  and the other to be called Secondary Identification Data. (SID).

Since data collected and retained by the UIDAI includes what is termed as “Sensitive Personal Data” under the ITA 2008 (Information Technology Act 2000 as amended by Information Technology Amendment Act 2008), UIDAI is liable under Section 43A to maintain “Reasonable Security Practice”. Though the authority responsible for defining reasonable security practice under ITA 2008 (say the CERT-IN) is likely to come up with what they would term as “Reasonable” for holders of “Sensitive Personal Data”, their perspective is likely to be limited to the BPOs and UIDAI needs to implement far greater levels of security than any BPO is expected to do. Hence UIDAI should opt to develop its own stringent standards of security which should clearly extend beyond the boundaries of what ITA 2008 is likely to prescribe.

What would be considered “Reasonable” in the context of baazee.com  et al., which is the focus of ITA 2008 may be considered grossly inadequate in the context of UID where the data is considered very sensitive and is also exposed to the threat of an organized attack from Cyber Terrorists and Cyber Warriors.

In this background, a set of security requirements indicated for further debate. These have been built around the Indian Information Security Framework version 309, (IISF-309) formulated by Naavi as a general guideline for compliance under ITA 2008

 

Security Suggestions for UID under IISF-309 

1. Client Consent:

The UID client is the Indian Citizen whose sensitive personal information is held by UID.  UIDAI should therefore obtain consent of the Citizen to collect, hold, use and destroy the information collected.

UID will therefore be considered as “Issued on Request” and those who opt for UID should submit an application where their consent is incorporated. In the offline mode the application will be downloaded from the UIDAI website as a blank application form, completed signed and lodged with the UIDAI.

If UIDAI appoints “Registration Agents”, (UIDRA) to receive the applications, verify contents and certify their correctness for further processing,  they need to be treated as “Agents” of UIDAI and a very strict selection criteria including background checks, privacy declarations, indemnity etc should be obtained from every individual who is involved in this  activity.

Ultimately the entire integrity of the system hinges on the reliability of these enumerators or registration agents.

When the applications are digitized for the UID data base, each element of the data base is to be authenticated by digital signatures of the UIDRA.

The form should also be scanned and kept in a digital archive in addition to the filing of the paper form.

The RA should sign a suitable undertaking with UIDAI which makes him liable for any differences between the printed application form and the data base. RA should be accountable both as a department person as well as for civil and criminal liabilities. This should be made clear in the appointment of the RAs and their consent must be taken for the purpose.

In order to ensure that they understand the seriousness of their assignment, they need to provide a suitable “Security Deposit” before being appointed.

Appointment of RA must be considered a privileged security appointment (like a VIP Security team etc) and should not be restricted by normal Government regulations of reservations and other criteria which may hamper security. No person having allegiance to any organization, faith or group which subordinates national interests to their own ideology should be appointed as RA.

Once the data appears on the electronic database of the UID, the data holder should be able to securely log in and verify the data from a synchronized mirror server.

Any objections on the inaccuracy of the data should be handled under a suitable system of grievance redressal. Any mistake observed and corrected will also be recorded as a “Security Breach” and the responsibility for the same would be fixed on the concerned person.

2. Employee Awareness:

All employees would undergo appropriate induction training which includes awareness about the security responsibilities.

Every employee of UIDAI and those of the RA should undergo suitable awareness training on the legal liabilities arising out of the negligence or malicious activities and duly certified for having undergone the relevant training. They would also undergo a “Test” for having completed the training.

Such training will consist of awareness of the provisions of ITA 2008, the Privacy and Security policies of UIDAI and other associated information besides the technical training involved in handling the creation and maintenance of the data base.

3.Employee Declaration:

All employees would  sign a voluntary “Declaration of Ethics” agreeing to abide by the privacy and security requirements of UIDAI.

4. Assigned Responsibility

The responsibility for compliance of Privacy and security requirements shall be allocated to an exclusive official who shall provide periodical compliance reports and certificates to the management every month. The name of the compliance official would be made available to the public through the UIDAI website.

5. Employee Background Check:

All employees should be subject to a rigorous background check and the official responsible for the check would confirm the successful completion of background check to the compliance official. No person owing allegiance to any organization or faith or group which subordinates national interests to its won ideology shall be allowed to be part of the UIDAI or any of its registration agents.

The UIDAI shall be exempted from all requirements of “Reservation” and other controls on employment applicable to Government organizations as a part of the security requirements.

If required a constitutional amendment shall be made to ensure that no authority can interfere in the operations of the UIDAI under any pretext.

6.Information Classification :

Information associated with the UID shall be classified in the minimum into two categories namely “Primary” and “Secondary”. Out of the “Primary” category a part would be considered “Public” information and other would be treated as “Private-Primary Information”.

Public information would be made available on the web and would be available for any body to see. Public are encouraged to inform the UIDAI if any errors are spotted.

Public information may consist of name, sex, age, registered address.

Copy of Public and Primary Information would also be made available to the individual under the signature of (or as per Sec 65B of Indian Evidence Act) the UIDAI for his/her reference.

Private-Primary information would be available to the data holder for query on a synchronized data server to ensure that the information is accurate at all times.

Secondary Information would be kept in paper format in multiple locations. One copy would also be kept in digital format with strong encryption in an offline media with DRP support. This would be available to authorized UID employees only for grievance redressal and under appropriate audit trail recordings.

Within UIDAI no employee would be provided access to all aspects of the data base.

The elements of the data base would be broken into multiple parts and scattered with an algorithm across the data base. They would be assembled only by authorized employees as per “need to know“ basis.

7. Employee Cyber Usage Policy

Employees would be subject to appropriate restrictions in use of Computers so that UID information is not subject to risk elements from Cyber space.

All access would be based on multi factor authentication of the employee and with archival of audit trail with a trusted third party with adequate security.

In particular, no computer which has access to secondary data will have access to Internet.

8. Media Usage Policy

Employees would be subject to appropriate restrictions in use of Media and other storage devices so that UID information is not subject to risk elements from Cyber space.

In particular, no storage media would be allowed to be used by the employees  in the ordinary course. All computers would work on the network with dumb terminals.

Storage devices such as mobiles would be kept out of the secured premises.

9. Sanction Policy

In order to preserve the integrity of the employees, every employee would be subject to appropriate punishments in case of breach of any security norm whether it results in data breach or not.

No breach will go unpunished and the policy would be well documented, distributed and agreed to by the employees.

Any breach will be properly documented and disposed according to the declared policy.

10. Privacy and Security Practice Statement

UIDAI will develop a detailed Privacy and Security Policy Statement which would be adequately communicated to all the employees as well as the clients and business associates of the organization. A copy should be made available through the website of the Company. The organization may develop different versions of the statement for the public and internal use as the management may find it necessary.

11.Physical Security

UIDAI shall have appropriate policies and procedures to ensure that only authorized persons will have access to the working area containing IT assets including the Wireless perimeters. An appropriate documentation would be maintained for guest access provided.

All access points shall be monitored by appropriate electronic access monitoring devices.

The entry and exit of authorized persons to the work area would be linked to the attendance and any anomalies recorded as a security breach incident.

Biometric systems will be used to permit access to any area. All information assets would be tagged by RFID tags for movement within the premises and their movement monitored.

12. Logical Access Security

Policies and Procedures shall be implemented for ensuring that access to any IT device is made available only with appropriate access authentication such as Passwords.

Appropriate measures shall be initiated for ensuring that a strong password policy is maintained across the organization.

Use of hardware tokens with biometric and RFID tags shall be used where considered necessary.

13. Information Storage Security

Policies and Procedures shall be appointed to ensure that information under storage is accessible only by authorized persons on a “Need to Know” basis.

Information under storage is kept in encrypted.

Access shall be backed up by data integrity control, audit trail monitoring and archival.

14. Information Transmission Security

Transmission of Information into and out of the systems would be monitored by a suitable Firewall and appropriate polices and procedures shall be implemented to ensure that viruses and other malicious codes are filtered.

An appropriate audit trail would be maintained and archived to ensure future reference if required. All confidential mails shall be appropriately encrypted.

All outward transmissions of information including e-mails in the name of the UIDAI, likely to cause any liability to the organization shall be digitally signed by the sender.

15. Hardware/Software Policy

Policies and Procedures shall be put in place to ensure that any hardware or software  used by the organization is certified by the supplier to be free from known security vulnerabilities.

Policies and procedures shall be put in place to ensure that Hardware and Software used by an organization shall be tested by a third party security auditor and certified to be free of known security vulnerabilities.

All software used will be subject to source code audits and source code escrow.

No purchases are made from vendors associated with countries known to be active in Cyber terrorist and cyber war activities.

16. Web Presence Policy

Policies and Procedures shall be put in place to ensure that the domain name, hosting facilities and content used by the organization is adequately protected against malicious attacks, unauthorized alteration and IPR infringement. Suitable Privacy Policy and Disclosure Documents indicating the identity of the owner of the web content shall be provided on the website of the organization.

The web content is monitored by the organization regularly and by an external auditor at periodical intervals and  certified for data integrity.

17. Grievance Redressal Policy

UIDAI shall designate an official as “Security Grievance Resolution Officer” (SGRO) to be the single point contact person accountable for handling all disputes related to the information security and contact details of such a person including e-mail and physical address is provided on the website.

UIDAI shall also designate an external person of repute as an “Ombudsman” to resolve the disputes which cannot be resolved by the SGRO.

UIDAI shall also set in place an arbitration mechanism to handle disputes which are not resolved by the Ombudsman.

UIDAI shall also appoint a body of advisors with private sector representatives and NGOs to act as an agency to protect the interests of the Public.

Any grievance recorded including a complaint of inaccuracy of data shall be processed and disposed under an established system and the process documented.

18. BA Agreement Policy

Policies and Procedures shall be put in place to ensure that the Information security responsibilities of UIDAI shall also be followed by any external agency which is provided access to the protected information by a suitable contractual arrangement with appropriate indemnity provisions.

19. DLP-OLR Policy

Policies and Procedures shall be put in place by UIDAI to maintain incident monitoring system and an appropriate Disaster Recover and Business Continuity Plan to meet any contingencies arising out of security breach incidents.

Appropriate evidence archival systems shall be maintained to ensure capability for “Defensive Legal Protection” against any liability claims that may arise on the organization.

Appropriate evidence archival systems shall be maintained to empower the organization to launch  “Offensive Legal Remedy” procedures

20. Policy Documentation

UIDAI shall retain all Policy documents related to information security for a period of a minimum of 3 years either in print or electronic form.    Data which is part of a security breach incident, is kept permanently.

21.   Management Certificate/Audit Policy

The operational management shall submit a certificate of compliance of information security to the Board of Directors or such other top management which is responsible for the UIDAI, once a year, recording there in the observed short comings and how they are proposed to be remedied with appropriate implementation schedules.

The UIDAI shall incorporate a certificate of compliance of information security in the annual report to the Parliament recording there in the observed short comings and how they are proposed to be remedied with appropriate implementation schedules.

UIDAI shall also incorporate a certificate of compliance of information security in the annual report to the Parliament recording there in the observed short comings by an external auditor, the management’s perceptions and how the management proposes to meet the audit suggestions.

All documents handled by UIDAI whether in print or e-form shall be audited for data integrity and certified by the auditors at least at annual intervals.

The above suggestions are placed in the public domain for a debate so as to provide appropriate inputs to the UIDAI.

Comments are Welcome at naavi@vsnl.com

Naavi

5th September, 2009

Be Sociable, Share!