Information Security Best Practices - 1
BEST PRACTICES
Department of Telecommunications
(Security Assurance Wing)
Table of Contents:
1. Introduction
2. General Computer Usage
3. General Internet Browsing
4. Password Management
5. Removable Information Storage Media
6. Email Communication
7. Home Wi-Fi Network
8. Use of Social Media by Govt. Officials
9. Avoiding Social Engineering Attacks
10. Digital Signature
11. Glossary
1. Introduction:
The Security Assurance Wing of the Department of
Telecommunications has prepared this document to disseminate
Information Security Best Practices for the benefit of
Officials/Officers working in DoT and its associated PSUs.
This should not be considered an exhaustive list of
prescriptions for Information Security, but the basic minimum
precautions to be taken. Each organization may identify
additional measures for information security in accordance
with its use scenarios, sensitivity of data, business continuity
requirements and other relevant factors.
2.12 Do not grant remote access, or file and print sharing, to
other computers. Remote access and screen-sharing options
shall be disabled.
3.1 Always be careful when clicking on links or
downloading. If it is unexpected or suspicious for any
reason, don’t click on it.
3.6 Look for HTTPS in the browser address bar. The “s”
in “https” stands for secure, meaning that the connection to
the website is encrypted using TLS (the successor of SSL).
Check for “https:” and the padlock icon in the browser
address bar before entering any credentials or official
information. Note that the padlock only confirms that the
connection is encrypted and that the certificate matches the
site name; a fraudulent site can also use HTTPS, so the
domain name itself must still be checked (see 9.6).
Chrome
Firefox
Click on the menu icon in the upper-right corner and
select Options. Then, in the window that opens, click
on the Privacy tab.
Under History, click the drop-down menu next to
"Firefox will:" and select "Use custom settings for
history".
Check the option "Clear history when Firefox closes".
Click OK.
Internet Explorer
Click settings icon in the upper-right corner of the
browser and select Internet Options.
Open the General Tab in the window that appears.
Under the Browsing History section, check the box
next to "Delete browser history on exit." Click OK.
Microsoft Edge
Select Settings from the menu at the upper-right corner.
Open "Privacy, search, and services" from the left menu.
Click on "Choose what to clear every time you close
the browser".
Enable all options on the next page.
3.9 No classified government information may be stored
on private cloud services (Google Drive, Dropbox,
iCloud etc.), and the official concerned can be liable for
penal action in case of data leakage.
The settings to turn on the pop-up blocker in various
browsers are as follows:
Firefox
Click Close
Chrome
Click on Settings
Scroll to Pop-Ups
Click OK
Internet Explorer
Click Tools menu
Click OK
3.13 Remember that things on the internet are rarely free.
“Free” screensavers etc. often contain malware, so be
wary of such free online offers.
4. Password Management:
Unauthorized access is a major problem for anyone who
uses a computer or a device such as a smartphone or tablet.
The consequences for victims of these unauthorized
break-ins can include the loss of valuable data such as classified
information, personal data etc. One of the most common ways
that attackers break into computers is by guessing passwords.
Simple and commonly used passwords enable intruders to
easily gain access to and control of a device. The following
practices may be considered while setting up and managing a
password:
4.1 Create a strong password with a minimum length of
10 characters, comprising a combination of letters
(both lower case and upper case), numbers and
special characters. Avoid dictionary words and commonly
used passwords, which attackers try first.
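The following is an added example, not part of the DoT document, showing how rule 4.1 can be enforced in software: a password-policy check requiring at least 10 characters with lower case, upper case, digits and special characters all present, plus a comparison against a small constructed list of commonly used passwords (the list contents and the `MIN_LENGTH` name are assumptions for illustration; a real deployment would load a large breach-derived list).

```python
"""Added example (not from the DoT document): password-policy check for
rule 4.1.  The common-password list below is constructed for illustration."""

import string

MIN_LENGTH = 10  # minimum length required by rule 4.1

# Constructed sample of commonly used passwords.  Note that some of
# these satisfy every composition rule and are still weak.
COMMON_PASSWORDS = {
    "password", "password1", "123456", "qwerty", "admin123",
    "welcome1", "letmein", "india@123", "password@123",
}


def check_password(password):
    """Return a list of policy violations; an empty list means the
    password satisfies the policy."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    # Compare case-insensitively so that "Password@123" is caught even
    # though it passes every composition check above.
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    return problems


def is_strong(password):
    """True if the password has no policy violations."""
    return not check_password(password)


if __name__ == "__main__":
    for candidate in ("Ab1!", "abcdefghij", "Password@123", "Tr0ub4dor&3x!"):
        verdict = check_password(candidate)
        print(repr(candidate), "->", "OK" if not verdict else "; ".join(verdict))
```

The point of the last check is that composition rules alone are not enough: "Password@123" meets the length and character-class requirements yet is among the first guesses an attacker makes, so a policy check should also reject known-common passwords.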
4.5 Always use a different password for every login account.
Using the same password for more than one account risks
multiple exposures if one of the passwords is compromised.
The steps to enable viewing of hidden files and system files, in
order to find any unusual or hidden files on the computer, are as
follows:
Windows 10
Windows 8.1
Go to Search.
5.6 Removable media such as USB drives, CDs etc. must not be
left unattended if they contain official information.
5.8 Removable media should not be taken out of office
unless permitted by the competent authority.
6. Email Communication:
The following practices may be considered regarding email
communication:
6.1 Use only Government provided email address for official
communications (e.g. NIC email).
6.2 A designation-based email address on the “nic.in” or
“gov.in” domain shall be used for official purposes
instead of a personal name-based email, in order to avoid
official communications being stored in a personal mailbox.
This also enhances the security of official information.
6.3 On being relieved from a post, the official email account
shall be handed over to the successor or surrendered.
6.10 Users should type the complete URL into the browser
instead of clicking links received in an email, since the
visible link text may differ from the address it actually opens.
7.5 Turn off wireless router when not needed for any
extended period of time.
7.7 Disable remote management feature in routers to protect
against unauthorized access.
9.1 Be wary of unsolicited phone calls, visits, or email
messages from individuals asking about personal or
other Government information. If an unknown individual
claims to be from a legitimate organization, verify his or
her identity directly with that organization, using a contact
number obtained independently rather than one supplied
by the caller.
9.4 Vishing is the voice version of phishing. The “v” stands for
voice, but otherwise the scam is the same: the attacker
uses the phone to trick a victim into handing over
valuable information. Do not reveal any sensitive
information over phone calls.
For example, an attacker might call an officer, posing
as a Government officer, and prevail upon the victim to
provide login credentials or other information that could
be used to target the Organization.
9.5 A quid pro quo scam is another type of social engineering
attack that involves an exchange, as in ‘I give you this, and
you give me that’. The attacker makes the victim believe it
is a fair exchange, but it is far from one, as the cheat
always comes out on top.
For example, an attacker may call a target, pretending
to be an IT support technician. The victim might hand
over the login credentials to their computer, thinking
they are receiving technical support in return. Instead, the
attacker can now take control of the victim’s computer,
loading it with malware or stealing personal
information from it to commit identity theft.
9.6 Be cautious of the URL of a website. Malicious websites
may look identical to a legitimate site, but the URL may
use a variation in spelling or a different domain (e.g.,
.com vs. .net). In general, all government websites have
gov.in or nic.in at the end of their names. For example, a
malicious website may have the name www.npagov.in or
www.npa-gov.in instead of the actual name
www.npa.gov.in. Note that “ends with gov.in” must be
read label by label: www.npagov.in is not under gov.in
even though its name ends with the characters “gov.in”.
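The following is an added example, not part of the DoT document, covering the checks in 3.6 and 9.6 together: it parses a link, requires the https scheme, and decides whether the host is genuinely under gov.in or nic.in by comparing domain labels rather than string suffixes, so that look-alikes such as www.npagov.in and www.npa-gov.in are rejected. The function names and the sample URLs are assumptions for illustration; the example uses only the Python standard library.

```python
"""Added example (not from the DoT document): link check for rules 3.6
and 9.6.  Sample URLs below are constructed for illustration."""

from urllib.parse import urlsplit

# Suffixes the document names as belonging to government sites.
GOVERNMENT_SUFFIXES = ("gov.in", "nic.in")


def naive_check(host):
    """The mistake to avoid: a plain string-suffix test accepts
    'www.npagov.in' because the characters 'gov.in' end the name."""
    return any(host.lower().endswith(s) for s in GOVERNMENT_SUFFIXES)


def host_under(host, suffix):
    """True if host equals suffix or is a subdomain of it, comparing
    whole DNS labels so 'npagov.in' does not match 'gov.in'."""
    host_labels = host.lower().rstrip(".").split(".")
    suffix_labels = suffix.lower().split(".")
    if len(host_labels) < len(suffix_labels):
        return False
    return host_labels[-len(suffix_labels):] == suffix_labels


def check_url(url):
    """Return a list of warnings for the URL; an empty list means it
    uses https and its host is under gov.in or nic.in."""
    warnings = []
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        warnings.append("not https (scheme is %r)" % (parts.scheme or "missing"))
    # urlsplit().hostname drops any user@ prefix and port, so
    # 'https://npa.gov.in@evil.example/' is judged by 'evil.example'.
    host = parts.hostname or ""
    if not host:
        warnings.append("no host name in URL")
    elif not any(host_under(host, s) for s in GOVERNMENT_SUFFIXES):
        warnings.append("%s is not under gov.in or nic.in" % host)
    return warnings


def is_government_https(url):
    """True if the URL passes both the https and the domain check."""
    return not check_url(url)


if __name__ == "__main__":
    samples = (
        "https://www.npa.gov.in/",                 # genuine
        "http://www.npa.gov.in/",                  # right domain, no TLS
        "https://www.npagov.in/",                  # look-alike from 9.6
        "https://www.npa-gov.in/",                 # look-alike from 9.6
        "https://www.npa.gov.in.example.com/",     # real name buried in a subdomain
        "https://npa.gov.in@evil.example/login",   # real name in the user part
    )
    for url in samples:
        verdict = check_url(url)
        print(url, "->", "OK" if not verdict else "; ".join(verdict))
```

The last two samples show why the host must be taken from a proper URL parser: a phishing link can place the genuine name inside a longer host name or before an “@”, and a glance at the address bar, or a substring search, will not catch it.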
9.8 Attackers want victims to act first and think later. If a
message conveys a sense of urgency or uses high-pressure
tactics, be sceptical; never let the urgency
prevent careful review.
Authentic means that the creator of the document is known and
that it has not been altered in any way since that person created it.
While handling official communications online, the following
practices may be considered:
10.1 Files should be signed digitally. The recipient should
validate the digital signature themselves before relying on
the document, rather than trusting a “signed” label alone.
11. Glossary Terms:
Term Definition
DDoS A Distributed Denial of Service (DDoS)
attack is an attempt to make an online service
unavailable by overwhelming it with traffic
from multiple sources.
SSH Secure Shell is a network protocol that
allows data to be exchanged using a secure
channel between two computers.
Virus A virus is a program written to enter a
computer, damage or alter files and data, and
replicate itself.
NOTE:
In case of any doubt, National Information Security Policy
& Guidelines (NISPG) issued by Ministry of Home
Affairs may be referred.