- Only authorized individuals shall be provided access to information facilities (such as the authentication application, audit logs, authentication servers, application source code, information security infrastructure, etc.) processing Aadhaar-related information. An Access Control List shall be maintained.
- Access rights of employees accessing or processing information received from UIDAI shall be revoked within 24 hours of termination of service, or within the shorter period specified in the organization's HR policy.
- Access rights and privileges to information facilities processing UIDAI information shall be reviewed periodically.
- The servers shall be dedicated to online Aadhaar authentication, and necessary controls shall be in place for physical security and surveillance of the servers. Any confidentiality or security breach of Aadhaar-related information shall be reported to UIDAI within 24 hours.
- Users shall not be provided with local administrator rights on their systems. Where administrative access is provided, users shall be prohibited from modifying the local security settings; doing so shall result in disciplinary action.
- The access rules of firewalls shall be maintained only by the users responsible for firewall administration.
- License keys shall be kept secure and access-controlled.
- All user passwords (including administrator passwords) shall remain confidential and shall not be shared, posted, or otherwise divulged in any manner.
- If passwords are stored in a database or in any other form, they shall be stored only in a protected, non-reversible form (a salted one-way hash); reversible encryption does not meet this requirement, since anyone holding the key can recover the plaintext.
- Complex passwords shall be selected.
- Passwords shall not be hard-coded in source code, login scripts, or any executable program or file.
- Passwords shall not be stored or transmitted by applications in clear text or in any reversible form.
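The password requirements above (complexity, no hard-coded secrets, non-reversible storage) are stated as policy only. The following is an added example, not code from UIDAI or from this document, showing one way an authentication application could meet them: a minimal complexity check, a salted PBKDF2-HMAC-SHA256 store whose records hold only salt and digest (so nothing reversible is written), constant-time verification, and a service credential read from the environment rather than from a literal. The iteration count, salt length, record format, the `AUTH_DB_PASSWORD` variable name and the sample passwords are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import re
import secrets

# Parameters assumed for this example; they are not specified by the policy text.
PBKDF2_ITERATIONS = 600_000   # slow by design to resist offline guessing
SALT_BYTES = 16               # per-password random salt


def is_complex(password: str) -> bool:
    """Minimal complexity rule (assumed): at least 12 characters and
    at least three of four character classes (lower, upper, digit, symbol)."""
    if len(password) < 12:
        return False
    classes = (
        re.search(r"[a-z]", password),
        re.search(r"[A-Z]", password),
        re.search(r"[0-9]", password),
        re.search(r"[^A-Za-z0-9]", password),
    )
    return sum(1 for c in classes if c) >= 3


def hash_password(password: str) -> str:
    """Return a storable record: scheme$iterations$salt_hex$digest_hex.
    Only the salt and the one-way digest are stored; the plaintext cannot
    be recovered from this record, which is what 'non-reversible' means."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time,
    so that a mismatch does not leak how many leading bytes matched."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record: refuse rather than guess
    if scheme != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def load_service_password(env_var: str = "AUTH_DB_PASSWORD") -> str:
    """Credentials for backend services come from the runtime environment
    (or a secrets manager), never from a literal in code or a login script.
    The variable name is an assumption for this example."""
    value = os.environ.get(env_var)
    if not value:
        raise RuntimeError(f"{env_var} is not set; refusing to start with no credential")
    return value


if __name__ == "__main__":
    # Constructed sample input, not real user data.
    record = hash_password("Correct-Horse-Battery-9")
    print("stored record:", record)
    print("verify correct:", verify_password("Correct-Horse-Battery-9", record))
    print("verify wrong:  ", verify_password("Correct-Horse-Battery-8", record))
```

Two points worth noticing when adapting this: the same password hashed twice yields different records because each call draws a fresh salt, which defeats precomputed tables across users; and verification cost is dominated by the iteration count, so it should be tuned to the authentication server's capacity rather than lowered to make logins feel faster.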