Section 3(9) in The Information Technology (Recognition of Foreign Certifying Authorities not Operating under any Regulatory Authority) Regulations, 2013
(9)Security Guidelines - (a) Any Foreign Certifying Authority recognized under this regulation shall have the sole responsibility of integrity, confidentiality and protection of information and information assets employed in its operation, considering classification, declassification, labeling, storage, access and destruction of information assets according to their value, sensitivity and importance of operation.(b)Information Technology Security Guidelines and Security Guidelines for a Foreign Certifying Authority recognized under this regulation aimed at protecting its integrity, confidentiality and availability of service shall be of a level equivalent to that of a Certifying Authority licensed under the Act as specified under Schedule-II and Schedule-III of the Information Technology (Certifying Authority) Rules 2000 respectively.(c)A Foreign Certifying Authority recognized under this regulation shall formulate its Information Technology and Security Policy for operation complying with these guidelines and submit it to the Controller:Provided that any change made by any Foreign Certifying Authority recognized under this regulation in the Information Technology and Security Policy shall be submitted by it within a period of two weeks to the Controller.
