National Portal | Home | Site Map | Contact Us

Root Certifying Authority of India (CPS)

 

Operational Requirements

Records of the following application transactions shall be maintained:

  • Registration;
  • Certification;
  • Publication;
  • Suspension; and
  • Revocation.

Records and log files shall be reviewed regularly for these activities.

To facilitate decision-making, all agreements and correspondence relating to services provided by RCAI are collected and consolidated at a single location.

  • Certificate application records, including records relating to rejected applications;
  • Certificate generation requests, whether or not Certificate generation was successful;
  • Certificate issuance, suspension and revocation records, including CRLs;
  • Audit records, including security-related events;

4.5.2 Frequency of processing log
The CCA's audit logs are regularly reviewed by its personnel and all significant events are detailed in an audit log summary. Such reviews verify that the log has not been tampered with, and then briefly inspect all log entries, with a more thorough investigation of any alerts or irregularities in the logs. Action taken following these reviews are documented.

4.5.3 Retention period for audit log
The CCA retains its audit logs onsite for at least twelve months and subsequently retains them in the manner described in para 10 of the Information Technology Security Guidelines as given in Schedule-II of IT (CA) Rules, 2000.

4.5.4 Protection of audit log
The electronic audit log system includes mechanisms to protect the log files from unauthorized viewing, modification, and deletion.

Manual audit information will be protected from unauthorized viewing, modification and destruction.

4.5.5 Audit log backup procedures
CCA uses highly secure systems to maintain the integrity of its electronic audit logs over time and has established a series of security procedures regarding their storage, access and backup.

4.5.6 Audit collection system
The CCA audit collection system is a combination of automated and manual processes. The system is maintained through access control mechanisms and role separations with regard to the software and hardware and through confidential documented operational procedures known and followed by CCA personnel. The control measures of both the automated and the manual processes are audited in accordance with §2.7 of this CPS.

4.5.7 Notification to event-causing subject
Operations personnel notify the security administrator when a process or action causes a critical security event or discrepancy.

4.5.8 Vulnerability assessments
Events in the audit process are logged, in part, to monitor system vulnerabilities. The RCAI ensures that a vulnerability assessment is performed, reviewed and revised, if necessary, following an examination of these monitored events.

A full risk assessment has been completed for the CCA Root CA operations and will be performed at a minimum annually.

4.6 Records Archival

4.6.1 Types of event recorded All significant events are recorded including new officer creation, incident reports, daily events, changes to the environment or system, CCTV recording of CA operations.

All events concerning the operation of CCA Root CA certification services are recorded.

Transactions that meet exception criteria are completely and accurately highlighted and reviewed by personnel independent of those that initiate the transaction.

Adequate audit trails are captured and certain information needed to determine sensitive events and pattern analysis that would indicate possible fraudulent use of the system (e.g. repeated unsuccessful logons, access attempts over a series of days) are analyzed. This information includes such information as who, what, when, where, and any special information such as:

  • Success or failure of the event
  • Use of authentication keys, where applicable

Automated or manual procedures are used to monitor and promptly report all significant security events, such as accesses, which are out-of-pattern relative to time, volume, frequency, type of information asset, and redundancy. Other areas of analysis include:

  • Significant computer system events (e.g. configuration updates, system crashes)
  • Security profile changes
  • Actions taken by computer operations, system administrators, systems programmers, and/or security administrators

Digital Signature Certificates stored and generated by the RCAI are recorded.

Audit information as detailed in §4.5 are recorded.

4.6.2 Retention period for archive
All CCA Root CA records concerning the operation of its certification services are archived and are retained for a period of ten(10) years.

Computer system access records shall be kept for a minimum of two years, in either hard copy or electronic form. Records, which are of legal nature and necessary for any legal or regulation requirement or investigation by a law enforcement agency, shall be retained as per provisions of the IT Act.

4.6.3 Protection of archive
All information pertaining to the CCA's operation, CA's application, verification, identification, authentication and CA's agreement to Terms and Conditions of the license shall be stored within the country.

4.6.4 Archive backup procedures
A second copy of all information retained or backed up by CCA shall be stored at a location within the country duly protected either by physical security alone, or a combination of physical and cryptographic protection. The secondary site shall have adequate protection from environmental threats such as temperature, humidity and magnetism. Such a disaster recovery site is under planning.

4.6.5 Requirements for time-stamping of records
The time source GPS clock for the CCA Root CA is independently verified periodically and all electronic automated Root CA records are associated with the time and date of their occurrence.

The real time clock of the computer system shall be set accurately to ensure the accuracy of audit logs, which may be required for investigations or as evidence in legal or disciplinary cases.

The real time clock of the computer or communications device is set to Indian Standard Time (IST). Further, there is a procedure in place that checks and corrects drift in the real time clock.

4.6.6 Archive collection system
Only authorized and authenticated staff are allowed to handle archive material.

4.6.7 Procedures to obtain and verify archive information The CCA verifies the integrity of the backups once every six months. Information stored off-site is also periodically verified for data integrity. This is done atleast once every six months.

4.7 Key changeover

4.7.1 The lifetime of RCAI signing keys is set to five years. On key rollover, a new public key will be made available via the web and through the NRDC.

4.7.2 A Licensed CA may only apply to renew its key within three months prior to the expiration of its License, provided the previous certificate has not been revoked. Automated key changeover for Licensed CAs is not permitted.

4.8 Compromise and Disaster Recovery

4.8.1 Computing resources, software, and/or data are corrupted
The CCA has established business continuity procedures that outline the steps to be taken in the event of the corruption or loss of computing and networking resources, nominated website, repository, software and/or data.

4.8.2 Entity public key is revoked
In the event of the RCAI private signature key being revoked, the CCA shall revoke and re-issue all certificates in use at that instant.

4.8.3 Entity key is compromised
In the event of the RCAI private signature key being revoked, the CCA shall revoke and re-issue all certificates in use at that instant.

4.8.4 Secure facility after a natural or other type of disaster
In the event of a natural or other type of disaster the operation of RCAI and NRDC will be re-established on an independent disaster recovery site, using the backup data taken on a daily basis from the primary CA site.

The recovery time for bringing up the secondary site is targeted to be better than 48 hours. The disaster recovery site is under planning.

4.9 CA Termination
In the event of change in government policies, and/or Acts, as a result of which if the CCA is terminated, the CCA shall:

  • Provide no less than 6 months notice to all current Licensed CA of its intent to cease operations
  • Ensure the secure preservation and maintenance of all relevant databases, archives, records and documents with an independent custodian and/or designated government body. The CCA archives will be retained in the manner and for the time indicated in 4.6.
  • Provide access to National Repository maintained by the CCA, for a maximum period of 12 months following cessation of services
  • Revoke all valid certificates at the end of the notice period.
  • Ensure availability and access to relevant CRLs for a period of 12 months following cessation of operations.
Root Certificate 2011 Root Certificate 2011 Certificate Revocation Details 2011
Root Certificate 2007 Root Certificate 2007 Certificate Revocation Details 2007
FAQ

How do I get a Digital Signature Certificate? 

Who are the CAs licensed by the CCA? 

more...
What's New?
Contact Details

Controller of Certifying Authorities
Electronics Niketan,
6 CGO Complex, Lodhi Road,
New Delhi - 110003
FAX : 91-011-24369578
info@cca.gov.in
©2008 CCA. All rights reserved.
Best Viewed In: 1024 X 768 		AUDITORS | ADJUDICATING OFFICER | RTI | RFD disclaimer | Terms And Conditions | WebSite Polices | Public Grievances