Section 23 in The Credit Information Companies Rules, 2006
23. Data security and system integrity safeguards
- Every credit institution shall adopt such procedure and measures in relation to their daily operations as may be necessary to safeguard and protect the data, information and the credit information maintained by them, against any unauthorised access to or misuse of the same including the following safeguards, namely:-(a)adopting the minimum standards for physical and operational security including site design, fire protection, environmental protection;(b)keeping the round the clock physical security;(c)issuance of instructions for removing, labelling and securing the removable electronic storage media at the end of the session or working day;(d)providing physical access to the critical systems to be on dual control basis;(e)making comprehensive succession plan for the key personnel so as to ensure that non-availability of a person does not disrupt the system;(f)keeping of paper based records, documentation and backup data containing all confidential information in secured and locked containers or filing system, separately from all other records;(g)adopting adequate procedure to ensure that the records could be accessed only by authorised persons on need to know basis;(h)providing details of creation of firewalls and stress testing of systems through ethical hacking to evaluate and ensure its robustness;(i)protecting systems against obsolescence;(j)adopting procedure for change of software and hardware;(k)providing for disaster recovery and management plan; and(l)taking necessary steps while handing over systems for maintenance to prevent unauthorised access or loss of data, information and credit information maintained by them.
