Definitions
- “IT Sector” means manufacturing of hardware and software for Information
Technology other than ESDM, and shall include development of IT software, IT
services, IT enabled services, IT infrastructure, IT training institutions and robotics
centre.
- “IT Industries” include IT hardware & software industries. IT software industries include
IT software, IT services, IT enabled services, IT infrastructure and IT training
institutions. The “IT Industry” shall cover development, production and services related
to IT products. Here IT includes IT & Telecommunications.
- “IT Software” is defined as any representation of instructions, data, sound or
image, including source code and object code recorded in a machine readable
form, and capable of being manipulated for providing interconnectivity to a user,
by means of an automatic data processing machine falling under heading “IT
Products”, but does not include “non-IT products”.
-
“IT Products” are defined as computer, digital-data communication and digital data broadcasting products
as notified by the Ministry of Finance, Government of
India or Central Board of Excise & Customs.
- “IT Service” is defined as any IT-based service which results from the use of any IT
system for realizing value addition.
- “IT Training Institution” means an institution imparting training in the field of IT, IT
Enabled Service and IT Services and having an accreditation / affiliation from
NIELIT (GOI) or any University established by Law in India or any Institution which
has a Deemed University status as per the UGC Act.
-
“IT Infrastructure” means the physical infrastructure built by a firm or a builder
and sold / leased or transferred on lease-cum-sale to an IT industry for its use or
the infrastructure built by an IT industry for its own use.
-
“Telecommunications” means telecommunications companies including Basic
Telecom Service Providers, VSAT, Cellular (Mobile) companies, Telecom Infrastructure Companies, LAN,
ISPs and any other value added services licensed
by Ministry of Communications & IT, Government of India.
-
“Electronic System Design Manufacturing (ESDM)” means electronic hardware design
and manufacturing (which shall include embedded software) for information
technology, telecommunications, defense, medical, industrial automotive, robotics,
consumer product, applications and components, part and accessories required for the
aforesaid product and applications;
-
“Robotics Enterprise” means an industrial undertaking or a business concern or
any other establishment, by whatever name called, engaged in manufacturing, in
any manner, or engaged in providing or rendering of service or services pertaining
to robots, i.e. an automatically controlled, reprogrammable, multipurpose
manipulator programmable in three or more axes;
- “Backward Area” means an area as the Government may so notify by an order;
- “CST” means tax payable under the Central Sales Tax Act, 1956 to the Government of
Rajasthan;
- “Commencement of Commercial Production/Operation” means:
- For a new enterprise, the date on which the enterprise issues:
- he first sale bill of the goods manufactured related to the investment made
under this Policy; or
- the first bill of commercial transaction related to the investment made under
this Policy; or
- the first receipt of deposit of fee/charges etc. for providing any service with
respect to facilities set up related to investment under this Policy; or Provided that
investment made in development of an industrial park, it shall mean
the date of handing over of possession to the first unit in the park.
-
For an existing enterprise making investment for expansion, the date on which the
enterprise issues:
- the first sale bill of the goods manufactured after completion of expansion; or
- the first bill of commercial transaction after completion of expansion; or
- the first receipt of deposit of fee/charges etc. for providing any service with
respect to facilities set up after completion of expansion:
Provided that investment made in development of an industrial park, it shall mean the date of
handing over of possession to the first unit in the park.
- For revival of sick industrial enterprise, the date on which the enterprise issues the
first sale bill of the goods manufactured after its revival;
- “Conversion Charges” means the conversion charges payable to Government for
change in land use and shall include any part of such charges payable to local bodies;
- “Conversion Charges” means the conversion charges payable to Government for
change in land use and shall include any part of such charges payable to local bodies;
- “Eligible Units”: New units will be eligible for availing of incentives under this Policy.
Existing units carrying out expansion/ diversification during the operative period of this
Policy will be eligible for one-time incentives.
- “Employment by an enterprise” means to employ any person, other than the directors,
promoters, owners and partners, for wages or salary to do any manual, unskilled,
skilled, technical or operational work, in or in connection with the work of an enterprise
and who works either in the premises of the enterprise or engaged in Rajasthan outside
the premises of enterprise and gets his/her wages or salary either directly from the
enterprise or whose wages or salary is reimbursed by the enterprise;
- “Enterprise” means an industrial undertaking or a business concern or any other
establishment, by whatever name called, engaged in manufacture of goods, in any
manner, or engaged in providing or rendering of service or services, as may be
specified by an order by the State Government;
- “Existing Enterprise” means a manufacturing or service enterprise that is engaged in
commercial production or operation during the operative period of the Scheme;
- “Existing Unit” means a manufacturing/service unit which is active with minimum 20
direct employees at the time of implementing expansion.
- “Expansion” means creation of additional capacity for production of goods or
operational capacity for service in same line of production/operation or through a new
product line or new line of services by an existing enterprise provided that in case of
expansion at existing site, additional investment is more than 25% of its existing
investment on the date of initiating expansion at that site;
- “Investment” or “Eligible Fixed Capital Investment (EFCI)” means investment made by
an enterprise in fixed assets, in the following, up to the date of commencement of
commercial production:
- price paid for the land;
- cost of new factory sheds and other new industrial buildings;
- price paid for new plant and machinery or equipment;
- other investment made in new fixed assets essential for production of the unit as
approved by the Screening Committee; and
- technical know-how fees or drawing fee paid in lump-sum to foreign collaborators
or foreign suppliers or paid to laboratories recognized by the State Government or
the Government of India;
- However investment made in land in excess of 30% of the total investment/EFCI
made and expenditure in purchase of existing factory sheds, industrial buildings
and old plant and machinery by the Enterprise shall not be included in
investment/EFCI;
- “Land Tax” means the tax payable under chapter VII of the Rajasthan Finance Act,
2006;
- “Large Enterprise” means a manufacturing enterprise other than Micro, Small and
Medium Enterprises;
- “Manufacturing Enterprise” means an enterprise employing plant and machinery in
processing of goods which brings into existence a commercially different and distinct
commodity and shall include an enterprise in the production of Commercial off-theshelf software, but shall not
include such processing as may be specified by the State
Government by an order;
- “Micro, Small or Medium Enterprise (MSME)” means a manufacturing enterprise
notified as such under the Micro, Small and Medium Enterprises Development Act,
2006;
- “Most Backward Area” means a block, which is more backward than backward area
and is notified as such by the Government in the Finance Department, by an order;
- “New Unit” means a new manufacturing or service enterprise set up by making
investment within the meaning of clause 14 and includes a new unit set up by an
existing enterprise at a site other than the existing site for manufacturing products or
providing services which are different from those being manufactured or provided by it
in the State, by making investment within the meaning of clause 14 and having
separately identifiable books of accounts and depositing the taxes and duties leviable under any State Act
including Provident Fund separately;
- “Person with disability (PwD)” means a person suffering from not less than forty per
cent of any of the following disabilities:
- blindness;
- low vision;
- eprosy-cured;
- hearing impairment;
- locomotor disability;
- mental retardation;
- mental illness
as certified by a Medical Authority i.e. any hospital or institution specified for this
purpose by the Government of Rajasthan under the Persons with Disabilities (Equal
Opportunities, Protection of Rights and Full Participation) Act, 1995;
- “Revival of a Sick Industrial Enterprise” means, in case the sick industrial enterprise was
lying closed due to sickness, re-commencement of commercial production, and in case
of a running sick industrial enterprise, enhancement of production level due to infusion
of fresh funds for change in production process/technology/product line, subject to
condition that the enterprise provides employment to the extent of 50% in the first two
years and 100% within five years from the date of commencement of commercial
production of the maximum employment attained in any month of the 3 preceding
years from the date of its declaration as a sick industrial enterprise;
- “Service Enterprise” means an enterprise engaged in providing or rendering of services
including custom made software development and related services, as the Government
in the Finance Department may notify by an order;
- “Sick Industrial Enterprise”means:
- A manufacturing enterprise which has been declared sick before the
commencement or during the operative period of this Policy by the competent
authority under the provisions the Sick Industrial Companies (Special Provision)
Act, 1985; or
- A manufacturing enterprise, which has been taken over before the
commencement or during the operative period of this Policy and sold during the
operative period of the Scheme to a new management by RIICO/RFC/Central Financial Institutions/Banks;
- “Sick Industrial Enterprise” means:
- A manufacturing enterprise which has been declared sick before the
commencement or during the operative period of this Policy by the competent
authority under the provisions the Sick Industrial Companies (Special Provision)
Act, 1985; or
- A manufacturing enterprise, which has been taken over before the
commencement or during the operative period of this Policy and sold during the
operative period of the Policy to a new management by RIICO/RFC/Central
Financial Institutions/Banks;
- “Stamp Duty” means the duty defined as stamp duty payable under the Rajasthan
Stamp Act, 1998;
- “State Empowered Committee (SEC)” means the State Empowered Committee
constituted under Section 3 of the Rajasthan Enterprises Single Window Enabling and
Clearance Act, 2011;
-
“Women/Schedule Caste (SC)/Schedule Tribe (ST)/Person with disability (PwD)
enterprise” means an enterprise other than a Company constituted under the
Companies Act, 1956 and other association of persons by whatsoever name it may be
called, having:
-
Women/Schedule Caste (SC)/Schedule Tribe (ST)/Person with disability (PwD) as
proprietor, in case of proprietorship enterprise; or
-
majority of partners who are Women/Schedule Caste (SC)/Schedule Tribe
(ST)/Person with disability (PwD) and such partners are working partner(s) having
more than 50% investment in the capital of the enterprise, in case of partnership
including limited liability partnerships;
- “VAT” means the tax payable under the Rajasthan Value Added Tax Act, 2003;
- “Year” means financial year (From 1st April to 31st March) and quarter means the
period of three months ending on 30th June, 30th September, 31st December and
31st March;
SECTION 1
Stratum of Digital Rajasthan
1.1 Preamble
e-Governance in Rajasthan has steadily evolved from computerization of Government
departments to fragmented initiatives aimed at speeding up e-Governance implementation
across the various arms of the Government at the State and local levels. These fragmented
initiatives are being unified into a common vision and strategy under the Rajasthan
e-Governance Framework leveraging the Rajasthan e-Governance Architecture.
Rajasthan takes a holistic view of e-Governance initiatives across the State and
departments, integrating them into a collective vision and a shared cause. Around this idea,
a magnanimous State-wide infrastructure reaching down to the remotest of villages is
evolving, and large-scale e-Governance initiatives are taking place to enable easy, reliable
access of people to the Government the e-Way.
Over the last few decades, evolutions in the Information Technology & Electronics (ITE)
arena have emerged as the most significant enablers for improving efficiency &
effectiveness of the Government & non-government organisations. Rajasthan recognizes
the enormous potential of Electronics and Information technology and has made significant
efforts to ensure that the benefits of these sectors percolate to its citizens.
Rajasthan's multicultural population of 6.86 crore lives and works on a land area of
342239 square kilometres, and has learned to combine skills and diligence with education
and technology to sustain the momentum of economic growth. There is a recognition that
information technology is needed to leverage Rajasthan's intellectual capital for the State to
be the leader and benchmark for e-Governance. A concerted effort to harness computer
power began in the early 1980s, and in a manner that has become a state formula, the
Government has taken the leadership reins of the race.
e-Governance is seen as a key element of the Rajasthan's governance and administrative
reform agenda. The Rajasthan e-Governance Framework and Architecture has the
potential to enable huge savings in costs through the sharing of core and support infrastructure, enabling
interoperability through standards, and of presenting a seamless
view of Government to citizens. The ultimate objective is to bring public services closer to
citizens.
Rajasthan emphasises that creating digital opportunities in the 21st century is not
something that happens after addressing “core” development challenges, but it is rather a
key component of addressing those challenges. There are three key challenges in stepping
up e-Governance: investments in and access to ICTs, capacity building to utilize
e-Governance services, and promoting people's participation in e-democracy. It is hoped
that improved access to information and services will provide economic and social
development opportunities, facilitate participation and communication in policy and
decision-making processes, and promote the empowerment of the marginalised groups.
In its continuing endeavour of development, the Rajasthan e-Governance, IT & ITES Policy
2015 envisages promoting citizen access to ICTs for encouraging their participation in
e-Governance. The Policy is for the people, by the people. Though the 33 districts of
Rajasthan are at various stages of development, the Policy attempts to highlight the
possibilities for other districts that are similar to capital in levels of development. To promote
the IT / ITES Industry in the city, this Policy attempts to develop a more modern and vibrant
ecosystem for Electronics and IT industry to support electronic governance initiatives of the
Government of India and attract investment and talent to such industries in Rajasthan. Key
focus areas of the policy include pioneering e-Governance initiatives, research &
development in Electronic System Design and manufacturing, support of the Micro Small &
Medium Enterprises and promotion of entrepreneurship that harnesses the huge talent pool
of the people of Rajasthan, and ensuring inclusive growth - for one and for all.
1.2 Rajasthan e-Governance & IT Mandate
- Vision
o achieve good governance and facilitate inclusive growth, harnessing ICT and
evolving e-Governance with improvement in delivery of services, bridging the digital
divide and evolving Digital Rajasthan.
- Mission
- Establishing complete participatory & transparent open Governance and Citizen Centric IT and
e-Governance for the residents of Rajasthan
- Branding Rajasthan on the IT Landscape
- Establishing 7 Smart Cities in Rajasthan by 2020
- Positioning Rajasthan as Best IT Investment Destination
- Positioning and Branding Jaipur as IT, ITeS and R&D Hub in North and West India
- Improvement in the environment for IT Industry in Rajasthan.
- Objectives
- Till 2025:
- Achievement of up to 500,000 direct employable professionals in the ICT
sector vide implementation of ICT/ESDM initiatives in Rajasthan with
establishment of Rajasthan Skills Registry.
- Development of at least 2,000 technology startups in the State and
prioritization of IT/ITeS/ESDM sector under Rajasthan Venture Capital Fund
with specific capital for development of IT/ITeS/ESDM startups in Rajasthan.
- Increase in the current investment in
IT/ITeS sector by 10 times.
- Increase in the IT turnover to INR
50,000 crore.
- Increase in IT exports from the State
to INR 5000 crore.
- Making two individuals (at least one
female) in every household e-literate
so as to bridge the digital divide.
- Improvement in delivery of public services
by leveraging e-Governance and
m-Governance to achieve Efficiency,
Effectiveness, Economy, Transparency,
Accountability and Reliability in service
delivery across all departments and
functions and Re-engineer the Government business practices and rules
to ensure hassle-free service delivery.
- Ensuring requisite connectivity to all
Government offices up to Panchayat level
by 2016.
- Creating centralized, integrated and
unified state datasets to ensure uniformity,
de-duplication and updating.
- Providing secure e-Space for
personal/official storage with facility for
authentication and workflow to residents
and organizations, private or public, in
Rajasthan.
- Rise in awareness among the school and college children and society as a whole
regarding environmentally sound e-Waste management and take steps for its
proper disposal.
- Implementation of a uniform website policy for Rajasthan Government with
emphasis on user-friendliness of the interface for all inclusive percolation of the
benefits of IT
- Promotion of Robotics and Open Source Technology for IT initiatives in Rajasthan.
- Promotion of Robotics and Open Source Technology for IT initiatives in Rajasthan.
- Achieve up to 5,00,000 direct
employable professionals in the
ICT sector
- Develop at least 2,000
technology startups
- Prioritize IT/ITeS/ESDM sector
- Increase in the current
investment in IT/ITeS sector,
Increase IT turnover to INR
50,000 crore. and Increase in IT
exports from the State to INR
5000 crore.
- Establishing Smart Cities
- Automated Service Delivery
with automated one-time
verification of Government
documents
- Connectivity up to Panchayat
level by 2016
- Centralized, integrated and
unified State Datasets
- Promotion of Robotics
- Promotion of Open Source
Technology
SECTION 2
e-Governance for All
2.1Service Delivery - e-Governance and m-Governance
- Enabling actions shall be taken for implementation of existing and future
e-Governance and m-Governance projects in the State with emphasis on Service
Delivery, Right to Information and Grievance Redressal.
- Enabling actions shall be taken for implementation of existing and future
e-Governance and m-Governance projects in the State with emphasis on Service
Delivery, Right to Information and Grievance Redressal.
- Uniform and Unified Datasets, collated centrally as a Hub shall be developed to take
care of issues like duplication, isolation and
obsolescence. In complete adherence to the
State e-Governance Framework, such
Datasets shall follow a common structure,
shall be centrally located, controlled and
managed, and shall provide complete
flexibility of expansion and integration using
state-of-the-art technologies.
- Affidavits and Notary Attestation shall be
completely removed and Datasets shall be
used instead of documents for service
delivery
- Individual, Family, Governmental and
Organisational secure e-Space shall be
provided to residents and organisationsto
enable them to secure their digital dialog and to allow safe document storage, sharing, e-Sign and approval
protocol to avoid
providing attestation of duplicate documents, enabling service delivery through all
Government departments centrally in a paperless fashion.
- One Person One e-Identity shall be achieved with unique online profile for each citizen
under a common framework
- One Person One e-Identity shall be achieved with unique online profile for each citizen
under a common framework
- Efforts would be undertaken to provide all government services through mobile devices
for 'on-the-move' service delivery. Endeavour will be to provide services 'Anywhere,
Anytime, Any network, Any device'.
- Self-service kiosks shall be installed across the State.
- An integrated platform for reality check leveraging iFacts shall be used by the
government to ensure end-to-end grievance redressal.
- An endeavour would be made to analyse the behaviour of the citizens in usage of
Government portals so as to constantly improve these portals and make them more
user friendly.
- Knowledge resources / Digital Library will be set-up that will maintain a repository of
documents for use by general public and Govt. authorities. This would include official
gazette notifications, acts, rules, regulations, circulars, policies and scheme documents
for electronic access in a time-bound manner
- Easy access and delivery of all
Government services:
- Automated Unified Service
Delivery and benefits
transfer using e-Mitra and
Bhamashah
- Unrestricted and seamless
means of service delivery -
Web Portals, Mobile, e-Mitra
Kiosks
- Automated electronic
verifications and secure
storage - Raj eVault
- Next Generation IT
Infrastructure:
- Connectivity till village level
(RajNET)
- Complete readiness for
mobile governance
2.2 Office Automation
- Government shall notify the acceptance of correspondence through emails
received from the public. Further, use of official email ID would be mandated by
Government for all official communications, which, inter alia, includes (i)
responding to such correspondence of citizens, and (ii) for intra- and interdepartmental communication within
Government and communication with Govt.
of India to make citizen-government interface more efficient and effective.
- Complete office automation in an integrated fashion shall be carried out, with
end-to-end automated office processes and workflow automation, and shall
ensure all government departments integrated on a common platform.
- Common Gateway for all citizen services
with corresponding required information
available to public leveraging eMitra
Integrated Service Delivery Platform and
Bhamashah.
- Integrated GIS-based Decision Support
System shall be implemented and
commissioned with GIS Mapping and
Layers for all respective departments, and
Government shall mandate the use of
only this GIS-based decision making
system by all departments.
-
Automation of all Government offices
- GIS-based Decision Support
System with GIS Mapping
(Rajdharaa)
- Centralized Grievance
Redressal (Rajasthan
Sampark)
- Centralized Monitoring and
Accountability System (RAAS
& iFacts)
- Unification of Government
information — creation of
Centralized Data Repository
- 'Anywhere, Anytime, Any
network, Any device' service
delivery through mobile phones,
tablets, call centres, TV, etc.
- One Person One e-Identity with
unique online profile for each
resident
- Creation of next generation IT
Infrastructure
2.3 IT Infrastructure
- Creation of next generation IT
Infrastructure and up-gradation of
existing IT infrastructure shall be
undertaken to bring it at par with the
world class state-of-the-art infrastructure.
- Further, development of IT infrastructure
shall be undertaken to support the
increasing requirements of Rajasthan including the rural areas to ensure that high
speed internet connectivity reaches every citizen.
- Extended State Data Centre to provide 'on-the-go' services through an integrated
cloud-based mechanism to all the departments to minimize the overheads
associated with managing the physical infrastructure and to ensure that all the
components of IT infrastructure (Hardware, Software, Network, etc.) would be
available as simple and configurable services
- Government shall endeavour to provide every state resident with high speed
internet access (wired and wireless) for creation of smart city infrastructure This
will be achieved, inter alia, through (i) making 7 Wi Fi cities in Rajasthan (ii)
creation of fibre-ready urban homes.
- Government shall encourage Green IT initiatives. Departments shall be disposing
off their unusable, redundant and irreparable IT infrastructure as per the
guidelines of e-Waste management. For this, guidelines on the obsolescence of IT
hardware will be formulated.
- Rajasthan Information Security Policy shall promote public trust in Government,
with continual improvements to protect the State from cyber attacks and cyber disruptions, thus enhancing
preparedness, security and resilience.
SECTION 3
Bridging Human Capital Divide
- Rajasthan e-Governance Centre of Excellence
with a mandate of IT for Jobs and
Employability Assurance, Rural ICT workforce
development and IT Education Incubation
Units shall be established, and shall become
the central authority for Capacity and Skill
Building in IT/ITeS/ESDM/R&D fields in
Rajasthan. This CoE shall be:
- Strengthening of IT & Personality
Development Program/soft skills
curriculum with significant weightage in
overall performance/grades and
spreading of awareness about job opportunities in IT.
- Standardized IT/ ITeS/ BPO/ KPO/ ESDM/ ITES-BPO certification for job aspirants
for the industry. The certification shall be granted by relevant authorities in
Government in association with the private sector thus adding credibility to the IT
professional skills, reducing time and cost of hiring for recruiters.
- Facilitating training and development of IT skills as well as personality
development program for teachers and encouraging them to use IT to enhance
the effectiveness of teaching.
- Encouraging introduction of IT Clubs for students & faculty.
- Facilitating partnership between educational institutes and industry to provide
courses/ training on emerging IT technologies.
- Facilitating setting up of e-Learning centres, in rural/ slum areas for promotion of
IT education along with soft skills development and spreading awareness about
job opportunities in IT.
- Transforming non-IT human resource to IT specialities taking advantage of Digital
India and Digital Rajasthan campaign.
- Strive towards digital economy and knowledge based society drawing upon the
strength of Digital Rajasthan.
- Possibility of introducing distance learning program/ vocational courses shall be
explored in this respect. This would enable “anytime anywhere” learning.
- Spreading awareness about job opportunities in IT and facilitating short-term job
oriented certificate courses in various IT skills and Personality Development Program for
unemployed educated youth shall be done.
- Rajasthan Skills Repository with Data bank of students who are IT literate and suitable
for deployment in the IT industry would be established, maintained and shared with
the industry. This would enable the industry to have easy access to skilled manpower.
SECTION 4
SECTION 3
Bridging Human Capital Divide
4.1 IT/ITeS Industry Development
- Benefits to Manufacturing Enterprises
- Investment up to Rs.5 crore
- Investment subsidy of 30% of VAT and CST which have become due and have
been deposited by the enterprise for seven years.
- Employment Generation Subsidy up to 20% of VAT and CST which have
become due and have been deposited by the enterprise, for seven years.
- Investment more than Rs.5 crore and up to Rs.25 crore
- Investment subsidy of 60% of VAT and CST which have become due and have
been deposited by the enterprise, for seven years.
- Employment Generation Subsidy up to 10% of VAT and CST which have become
due and have been deposited by the
enterprise, for seven years.
- Investment more than Rs.25 crore
- Investment subsidy of 70% of VAT
and CST which have become due
and have been deposited by the
enterprise, for seven years.
- Employment Generation Subsidy up
to 10% of VAT and CST which have
become due and have been
deposited by the enterprise, for
seven years. Employment Generation Subsidy up
to 10% of VAT and CST which have
become due and have been
deposited by the enterprise, for
seven years.
- Exemption from payment of 50% of Electricity Duty for seven years.
- Exemption from payment of 50% of Land Tax for seven years
- VAT/CST Incentive – Investment
& Employment Generation
Subsidy
- Up to 80% for Manufacturing
- Up to 90% for Women, SC,
ST, Persons with Disability
- Up to 100% for Backward
and Most Backward Areas
- Up to 80% of VAT
Reimbursement for Services
Industry
- Up to 50% exemption on
Land Tax, Electricity Duty,
Entry Tax
- Up to 100% exemption on
Stamp Duty
- Benefits to Service Enterprises
- Reimbursement of 50% of amount of VAT paid on purchase of plant and
machinery or equipment for a period up to seven years from date of issuance of
the entitlement certificate, provided that for enterprises engaged in providing
entertainment, the reimbursement shall be restricted to 25% of such amount of
VAT paid;
- Exemption from payment of 50% of Electricity Duty for seven years
- Exemption from payment of 50% of Land Tax for seven years.
- Special Provisions for Women, Scheduled Castes, Scheduled Tribes and
Persons with Disability Enterprise
Eligible Women/Schedule Caste (SC)/Schedule Tribe (ST)/Person with disability (PwD)
enterprises shall in addition to the benefits specified in other clauses, be eligible to avail
the following additional benefits:
- A manufacturing enterprise shall get additional Investment Subsidy to the extent of
10% of VAT and CST which have become due and have been deposited by the
enterprise.
- A service enterprise shall get additional 10% reimbursement of VAT paid on the
plant and machinery or equipment for a period up to seven years from date of
issuance of the entitlement certificate for this purpose.
- Benefits to Enterprises in Backward and Most Backward Areas
- An eligible enterprise, making investment in a backward area or a most backward
area shall be granted the same benefits as would have been applicable if the
enterprise was located elsewhere in the State but the period of benefit, except for
interest subsidy, shall be extended to ten years.
Provided that the State Government may, on the recommendation of the State
Empowered Committee (SEC), grant to a manufacturing enterprise and a service enterprise making an
investment in a backward area, such benefits as mentioned
in below mentioned clauses b and c respectively, which are applicable for
investments in most backward areas, with a view to attract investment in the
backward area.
- A manufacturing enterprise, making investment in a most backward area shall, in
addition to benefits under clause a above, get additional investment subsidy of
20% of the VAT and CST which have become due and have been deposited by the
enterprise, for a period of seven years
- A service enterprise making investment in a backward area shall, in addition to
benefits mentioned in other clauses of the Scheme, get
additional 10% reimbursement of VAT paid and a service
enterprise making investment in a most backward area
shall, in addition to benefits mentioned in other clauses,
get additional 20% reimbursement of VAT paid on the
plant and machinery or equipment for a period up to
seven years from the date of issuance of the entitlement
certificate for this purpose.
- Power to Grant Customized Package
- Notwithstanding anything contained in the Scheme, the
State Government, on the recommendation of State Empowered Committee
(SEC), may grant a customized package under section 11 of the Rajasthan
Enterprises Single Window Enabling and Clearance Act, 2011, to the
manufacturing enterprises investing more than Rs.200 crore or providing
employment to more than 400 persons.
- Notwithstanding anything contained in the Scheme, the State Government may
grant a customized package to the service enterprises investing more than Rs.200
crore or providing employment to more than 500 persons.
- MSME Sector
Manufacturing enterprises in the MSME sector shall, in addition to benefits mentioned
above, if applicable, be granted the following benefits:
- For micro and small enterprises in rural areas, 75% exemption from payment of
electricity duty in place of 50% exemption from payment of electricity duty, as
provided in notification number F.12(99)FD/Tax/07-56 of 15.10.2009, as
amended from time to time.
- Reduced CST of 1%, against C Form, on sale of goods for a period of ten years,
for micro and small enterprises as provided in notification number
F.12(99)FD/Tax/07-66 of 14.02.2008 as amended from time to time;
- 50% exemption from payment of Entry Tax on raw and processing materials and
packaging materials excluding fuel as provided in notification number
F.12(99)FD/Tax/07-65 of 14.02.2008 as amended from time to time; and
- Reduced Stamp Duty of Rs.100 per document in case of loan agreements and
deposit of title deed and lease contract and Rs.500 per document in case of
simple mortgage with or without transfer of possession of property executed for
taking loan for setting up of micro, small or medium enterprises or enhancing
credit facilities or transfer of loan account from one bank to another by MSME as
provided in notification number F.2 (97)FD/Tax/2010- 11 of 25.04.2011.
- ESDM Sector
Enterprises making a minimum investment of Rs.25 lakh rupees in the ESDM sector
shall, be granted the following benefits:
- Investment Subsidy of 75% for first four years, 60% for next three years and 50%
for the last three years, of VAT and CST which have become due and have been
deposited by the enterprise, for ten years;
- Employment Generation Subsidy up to 10% of VAT and CST which have become
due and have been deposited by the enterprise, for ten years; and
- 50% exemption from payment of Entry Tax on capital goods, for setting up of
plant for new unit or for expansion of existing enterprise or for revival of sick
industrial enterprise, brought into the local areas before the date of
commencement of commercial production/operation.
- Robotics Centre
The State shall promote establishment of Robotics Centres acting for the future of robotics by casting the
vision, and supporting the
technology of robotics through Robotics enterprise
promotion in Rajasthan. On investments of Rs.50 crore or
more for establishment of such centres, Interest Subsidy of
5% on term loan taken from State Financial
Institution/Finance Institution/banks recognized by RBI
subject to a maximum of Rs.10 lakh per year for a period
up to 5 years or up to the period of repayment of loan,
whichever is earlier, from the date of commencement of the centre shall be provided.
- Benefits for Internet Connectivity
- Subsidy on Bandwidth for Connectivity (for BPOs/KPOs)
25% subsidy on Bandwidth for connectivity paid to Internet Service Provider (ISP),
subject to maximum of Rs.5 lakh per annum, shall be available for a period of two
years from the date of starting commercial production/operation. The subsidy
amount will be determined on the basic benchmark prices to be declared by
Government separately.
- Gateway and High Bandwidth Backbone
The State Government shall encourage private sector to become ISPs in the districts
and set up international gateways in the State. The State Government shall
facilitate and promote the establishment of
broadband digital network (both wired and
wireless) in the State.
- Rajasthan Venture Capital Fund/SME
Tech Fund RVCF II
25% of Rajasthan Venture Capital Fund shall
be en-marked for IT/ITeS Sector. SME Tech
Fund RVCF II with a committed corpus of over
Rs.155 crore, raised by RVCF shall support
enterprises in the high tech/emerging sectors
that are of value to the Indian Economy, commercially viable in terms of profitability and exhibit
substantial future growth
potential.
IT/ITeS enterprises shall be eligible for support from this fund.
- 25% subsidy on Internet
Bandwidth
- Venture Capital
- 25% of Rajasthan Venture
Capital Fund en-marked for
IT/ITeS Sector
- RVCF SME Tech Fund II for
IT/ITeS Sector
- Exemption from Zoning
Regulations and Land
Conversion to IT Parks/IT
Campuses, IT Industry
- Exemption from Zoning Regulations and Land Conversion
IT Parks/IT Campuses notified by the Department of Industries/Department of IT&C
and IT industry, i.e., IT/ITES Units/Companies shall be exempted from the Zoning
Regulations and payment of conversion charges, subject to the provisions of State Acts
and the following:
- a maximum area limit (to be notified separately)
- a maximum area limit (to be notified separately)
- Stamp Duty and Registration Fee Exemption
- Enterprises with investment up to Rs.5 crore shall be provided 50% exemption
from payment of stamp duty on purchase or lease of land and construction or
improvement on such land
- Enterprises with investment of Rs.5 crore and more shall be provided 100%
exemption from payment of Stamp Duty on purchase or lease of land and
construction or improvement on such land.
- Interest Subsidy
Service Enterprises making investment more than Rs.25 lakh shall be provided 5%
Interest subsidy on Term Loan taken from State Financial Institutions/ Financial
Institutions/ Bank recognized by Reserve Bank of India for purchase of equipment
required for rendering services related to
IT/ITeS Sector, subject to a maximum of Rs.5
lakh per year for a period of 5 years or up to
the period of repayment of loan, whichever is
earlier, from the date of commencement of
commercial operation.
The enterprises which are engaged in
manufacturing and rendering of services Service Enterprises making investment more than Rs.25 lakh shall be
provided 5%
Interest subsidy on Term Loan taken from State Financial Institutions/ Financial
Institutions/ Bank recognized by Reserve Bank of India for purchase of equipment
required for rendering services related to
IT/ITeS Sector, subject to a maximum of Rs.5
lakh per year for a period of 5 years or up to
the period of repayment of loan, whichever is
earlier, from the date of commencement of
commercial operation.
The enterprises which are engaged in
manufacturing and rendering of services
- Investment Subsidy and Employment Generation Subsidy, or
- Interest Subsidy
- Upto 5% Interest Subsidy on term
loans
- Upto 5% Interest Subsidy on term
loans
- 30% Reimbursement of Quality
Certification Costs upto Rs.5 lakh
- Patent Filing Costs
The Government of Rajasthan is keen to encourage the filing of patents by companies
located within the State. The Government will, therefore, reimburse the cost of filing
patents to companies having their headquarters in Rajasthan for successfully receiving
patents. Reimbursement of such cost will be limited to a maximum of Rs.3 lakh per
patent awarded per year.
- Networking and Business Growth Support
- Quality Certifications
The Government of Rajasthan will reimburse 30% of expenditure incurred for obtaining
quality certifications for CMM Level 2 upwards. Reimbursement will be limited to a
maximum of Rs.5 lakh. Similar reimbursement will be made to BS7799 for security and
also for ITES Companies for achieving COPC and eSCM certifications. The IT/ITES
units/companies/firms can claim this incentive only once. A company/firm can claim
incentive for BS7799 or any one of CMM Level 2 upwards/COPC/ eSCM.
- Protection of IPR
There will be a legal mechanism to control piracy of
information technology products. Intellectual Property
Right (IPR) protection support will be given to all
entrepreneurs developing software and animation. All
online transactions would be secured by a fool-proof
mechanism of digital signature and biometric-like fingerprint and its recognition.
- Outstanding Performance Awards
Registered IT/ITES units in the State will be considered for 'Outstanding Contribution
Award' in form of grant each year in each category on the basis of objective criteria
published by the Government.
Awards shall be given to the following categories:
- New Ventures - Most Promising Venture
- IT Enterprises - Best performing IT Company
- Innovation Leader - Enterprise that has displayed the maximum innovation in its
products and services
- Startup Ventures
A total of 3 awards shall be given in each category, with a Grant of Rs.1.5 lakh for
each award.
- Incubation Units
The state shall be promoting sectorial incubation units for development of concerned
sector, in partnership with industry and academia. IT/ITeS/ESDM/R&D Incubation Units
in Sitapura EPIP Zone shall be promoted by the State.
- Manpower Development Subsidy
Subsidy on Manpower development shall be provided in respect of Training/Technical
up-gradation/Skill up gradation of local persons in a registered training
organization/institution subject to a ceiling
Investment in fixed capital Total Ceiling
Up to Rs.25 lakh Rs.1.5 lakh
Rs.25 lakh to 50 lakh Rs.3 lakh
Rs.50 lakh and above Rs.5 lakh
- Auxiliary Support for Investors
All IT companies would be notified as 'Public Utility
Service' providers under the Industrial Disputes Act, 1947. All IT units, given the nature of their
operations, will be granted permission to work on
a 24x7 model.
4.2 General Incentives
General incentives available to the ICT industry, automatically are:
- IT/ITES units are exempt from the purview of the Pollution Control Act, except in
respect of power generation sets.
- IT/ITES units/companies are exempt from the purview of statutory power cuts.
- The regulatory regime of labour laws shall be simplified to suit the needs of IT &
ITES companies. General permission shall be granted to all IT & ITES companies
to have 24x7 operations/to run in three shifts.
- Barriers pertaining to employment of women at night shall be removed, the
companies will be instructed to offer employment to women with adequate
security to them for working at night.
- The IT & ITeS companies will be permitted to self-certify that they are maintaining
the registers and forms as contemplated and prescribed under the following Acts:
- The Payment of Wages Act, 1936
- The Minimum Wages Act, 1948
- The Workmen’s Compensation Act, 1923
- The Contract Labour (Regulations and Abolition) Act, 1970
- Employees State Insurance (Amendment) Act, 2010
- Bombay Shops and Establishment Act
- The Payment of Gratuity Act, 1972
- The Maternity Benefit Act, 1961
- Equal Remuneration Act, 1976
- Water (Prevention and Control of Pollution) Act, 1974
- Employment Exchange Act, 1959
- The Factories Act, 1948
- The Factories Act, 1948
- IT/ITES units/companies and non-hazardous hardware manufacturing industry are
declared as essential service.
SECTION 5
Green IT
5.1Condemnation and Disposal of IT Equipment
- Applicability
- All Departments/Companies/Corporations/Institutions/Organizations/Bodies on
whom this Policy is applicable must ensure that there are proper procedures in
place for the condemnation and disposal of IT equipment that is unserviceable or
is no longer required. This Policy shall be applicable to the following departments
and bodies:
- All Government Departments under the aegis of Government of Rajasthan
- All Companies/Corporations/Autonomous Bodies/Local Bodies under the
aegis of Government of Rajasthan
- All PSUs under the aegis of Government of Rajasthan
- Definition of IT Equipment
- Hardware
By its own nature IT equipment is constantly evolving and this can therefore
become a very broad category making it impossible to list every single item or
group of items within this policy document; however a non-exhaustive list of IT
and related equipment to be considered for this purpose is associated.
- Software can be summarized as follows:
- Desktop Software: all applications and related data loaded onto a desktop or
laptop computer.
- Desktop Software: all applications and related data loaded onto a desktop or
laptop computer.
- Desktop Software: all applications and related data loaded onto a desktop or
laptop computer.
- Useful life of various items and replacement
Depending upon the nature, usage, maintenance cost, obsolescence in terms of
technology, up-gradation of technology, etc., the related items are classified in
following categories for the purpose of disposal of these items. The detailed non exhaustive list of
category-wise items is available in section 5.2:
Category |
Nature |
Suggestive Items |
Useful/Productive Life |
1 |
mmediate
obsolescence
/ use-and throw
products |
Printing Consumables
(Non-refillable Ink Toners),
CDs, DVDs, Digital Audio
Tapes (DAT), UPS Batteries |
As per usage. No residual
value determined. However,
proper inventories of
purchase, issue and final
use/disposal, etc. would be
maintained in order to keep
an accounting system.
|
2 |
Low life/ Fast
obsolescence
products |
Mobile Phones
Laptops, Pen Drive,External Hard Disk Drive (HDD), etc.
|
Two years
Three years in case of
Laptops, Pen Drive, HDD,
etc. for replacement.
Residual values determined
separately. |
3 |
Medium
obsolescence
/ Medium
life products |
esktops, Printers, Multi functional Devices (MFDs),
Scanners, Multi-media
Projectors, UPS Systems, |
Five years for replacement. |
4 |
Slow
obsolescence/
long life
products |
Fax, EPABX, Electronic items
such as cameras, TVs, DVD
Players, Public Address
Systems, Electronic Calorie
Meter, etc.
|
Seven years |
5 |
Software |
Software like MS Office,
Oracle, MS-SQL,
MS-Windows, Antivirus, etc |
Please refer to the
explanation given below. |
Note: The above mentioned items can be used beyond the mentioned/specified life till such time
these items continue to serve the purpose.
- Use-and-throw products: These products have no fixed life and can be used till
these are consumed or are under replacement warranty (like SMF batteries are
covered under 1 year replacement warranty from the manufacturer). However, the
user departments must maintain proper inventory of purchase, issue and disposal
thereof so as to ensure prudent official use of these items.
- Low life products: The general useful/productive life in the case of products/items
in this category would be two years in the case of a Mobile Phone Instrument and
three years in the case of laptops and other items mentioned therein for
replacement purposes. However, one may use the same for longer period so long
as the item/equipment serves the purpose.
- Medium life products: The useful/productive life of products in this category is
fixed at 5 years even though the products can be continued to be used for longer
period in an organisation/department, being a multiple level of usage in terms of
level of works to be done like Software development/testing, Data Processing,
Information searching, Word processing, etc. Accordingly, the life of these
products is fixed as five years for replacement purposes. However, one can use the
equipment for longer period so long as it fulfills the user requirements.
- Medium life products: The useful/productive life of products in this category is
fixed at 5 years even though the products can be continued to be used for longer
period in an organisation/department, being a multiple level of usage in terms of
level of works to be done like Software development/testing, Data Processing,
Information searching, Word processing, etc. Accordingly, the life of these
products is fixed as five years for replacement purposes. However, one can use the
equipment for longer period so long as it fulfills the user requirements.
- Software: Purchase of software can be booked as a one-time office expenditure.
The old software can be upgraded into latest version by taking the benefit of old
purchase in case scheme is available from the developer/principal company. In the
alternative, latest software can be purchased and in that case the residual value of
the old software can be treated as NIL. The old software can be donated to the
State/Central recognised Service/Education Organisations.
- Grounds for condemnation
For all condemnation cases, the concerned department shall form a committee
comprising minimum 3 members, one of which shall be from the finance/accounts
department and one member shall be a representative of DoIT&C in the department. If in case there is no
member of DoIT&C in the concerned office, the matter shall first be
escalated to the HO of the concerned department and if not resolved, then to the
DoIT&C.
The lCT Products/Equipment can be condemned on following grounds:
- Technically obsolete
- Completed the life span as mentioned in Clause 4 and 5 and currently not in
working condition.
- Technology outdated affecting performance and output that is expected out
of it
- Package Software can only be condemned by declaring it as technically
obsolete when no more updates or support are available from OEM.
- Package Software can only be condemned by declaring it as technically
obsolete when no more updates or support are available from OEM.
- Non-repairable
ICT Products/Equipment can be condemned due to non-availability of spare-parts.
- Physically damaged
ICT Products/Equipment that have been damaged beyond repair due to fire or any
other reason beyond human control can be condemned as Physically Damaged.
- Disposal/alternate Use
- The primary mechanism of alternate use, which must be considered in cases
where the said item(s) are still in usable condition, should be to transfer the
item(s) to Government School(s) of the districts in which the said office is located.
- For this purpose, if the said item(s) are found usable by the DoIT&C representative
in the department, a committee with DEO/BEO should be constituted to decide
where the items can be sent for optimum usage.
- For this purpose, if the said item(s) are found usable by the DoIT&C representative
in the department, a committee with DEO/BEO should be constituted to decide
where the items can be sent for optimum usage.
- The mode of Condemnation may be done either by Buyback or Disposal, as
decided by the committee formed for condemnation by the concerned
department.
- Buyback
If the committee decides to choose Buyback mode of Condemnation, the proposal
for purchasing new ICT Products/Equipment under buyback mode will be sent by
the concerned Department to DoIT&C for obtaining NOC. The Buyback rates for
specific hardware as finalized in the ongoing Rate Contract shall be applicable. If
the Buyback rates are not specified in the Rate Contract then the committee will
decide the Buyback rates based on their assessment, after comparing similar Rate
Contract in the past and in consultation with the Vendor.
- Disposal
If the committee decides to choose disposal mode of Condemnation, the
concerned Department can dispose it through Tender, Auction or Scrap depending
on assessed residual value of the ICT Products/Equipment and as per the
procedure laid down in this Policy document.
- For the Products/Equipment with residual value above Rs.2 Lakh, the
Department can dispose it through Advertised Tender or Public Auction.
- For Products/Equipment with residual value less than Rs.2 Lakh, the mode of
disposal will be determined by Department’s Competent Authority, keeping in
view the necessity to avoid accumulation of such Products/Equipment and
consequential blockage of space and also the deterioration in value of
Products/Equipment to be disposed of.
- Process of Disposal through Advertised Tender
The broad steps to be adopted for this purpose are as follows:
- Preparation of bidding documents
- Invitation of tender for the condemned ICT Products/Equipment to be sold
- Opening of bids
- Analysis and evaluation of bids received
- Selection of highest responsive bidder
- Collection of sale value from the selected bidder
- Issue of sale release order to the selected bidder
- Release of the condemned ICT Products/Equipment that were sold to the selected
bidder
- Return of bid security to the unsuccessful bidders
The important aspects to be kept in view while disposing the condemned ICT
Products/Equipment through advertised tender are as under:
- The basic principle for sale of condemned ICT Products/Equipment through
advertised tender is ensuring transparency, competition, fairness and
elimination of discretion. Wide publicity should be ensured of the sale plan
and the Condemned ICT Products/Equipment to be sold. All the required
terms and conditions of sale are to be incorporated in the bidding document
comprehensively in plain and simple language. Applicability of taxes, as
relevant, should be clearly stated in the document.
- The bidding document should also indicate the location and present condition
of the condemned ICT Products/Equipment to be sold so that the bidders can
inspect the condemned ICT Products/Equipment before bidding.
- The bidders should be asked to furnish bid security along with their bids. The
amount of bid security should ordinarily be ten per cent of the assessed or
reserved price of the condemned ICT Products/Equipment. The exact bid
security amount should be indicated in the bidding document.
- The bid of the highest acceptable responsive bidder should normally be
accepted. There should normally be no post tender negotiations. If at all
negotiations are warranted under exceptional circumstances, then it can be
with HT (Highest Tenderer) if required.
with HT (Highest Tenderer) if required.
- In case the total quantity to be disposed of cannot be taken up by the highest
acceptable bidder, the remaining quantity may be offered to the next higher
bidder(s) at the price offered by the highest acceptable bidder
- Full payment, i.e. the residual amount after adjusting the bid security should
be obtained from the successful bidder before releasing the condemned ICT
Products/Equipment.
- In case the selected bidder does not show interest in lifting the sold
condemned ICT Products/Equipment, the bid security should be forfeited and other actions initiated
including re-sale of the condemned ICT
Products/Equipment in question at the risk and cost of the defaulter, after
obtaining legal advice.
Process of Disposal through Auction
- The Department may undertake auction of condemned ICT Products/Equipment
to be disposed of either directly or through approved auctioneers.
- The basic principles to be followed here are similar to those applicable for disposal
through advertised tender so as to ensure transparency, competition, fairness and
elimination of discretion. The auction plan including details of the condemned lCT
Products/Equipment to be auctioned and their location, applicable terms and
conditions of the sale, etc. should be given wide publicity.
- While starting the auction process, the condition and location of the condemned
lCT Products/Equipment to be auctioned, applicable terms and conditions of sale
etc., should be announced again for the benefit of the assembled bidders.
- During the auction process, acceptance or rejection of a bid should be announced
immediately. If a bid is accepted, earnest money (not less than twenty-five percent
of the bid value) should immediately be taken on the spot from the successful
bidder either in cash or in the form of Deposit-at-Call-Receipt (DACR), drawn in
favour of the Department selling the condemned lCT Products/Equipment.
- The condemned lCT Products/Equipment should be handed over to the successful
bidder only after receiving the balance payment.
- The condemned lCT Products/Equipment should be handed over to the successful
bidder only after receiving the balance payment.
- A sale account should be prepared for goods disposed of, duly signed by the
officials who supervised the sale or auction.
Process of Disposal at Scrap Value or by Other Modes
- If the Department is unable to sell condemned lCT Products/Equipment in spite of
its attempts through auction and advertised tender, it may dispose-off the same at
its scrap value with the approval of the competent authority in consultation with Finance division.
- In case the Department is unable to sell condemned ICT Products/Equipment even
at its scrap value, it may adopt any other mode of disposal including destruction of
the Products/Equipment in an eco-friendly manner so as to avoid any health
hazard and/or environmental pollution and also the possibility of misuse of such
Products/Equipment
- All rules, regulations and norms of e-Waste Management, Energy Efficiency and
bio-friendly disposal of all electronic waste containing substances like Lead,
Cadmium, Mercury, PVC that have the potential to cause harm to human health
and environment must be followed by the departments.
Responsibility of Department
Each unit of department will prepare equipment condemnation note which should
be individually numbered having equipment description, including the make,
model, serial number, asset register number, purchase date, purchase price,
reason for condemnation and additional information, if any.
Department will constitute a condemnation committee which will review all
condemnation notes and decide about the condemnation of equipment as per
guidelines given above. The committee should have at least one member from
accounts/finance background and also the representative of DoIT&C in the
department as a member.
All procedure and rules made under relevant Rules of the Government on
maintenance of records for condemnation of non-consumables items will be made
in these cases.
The condemnation report so prepared by the department based on these
guidelines will be sent to the headquarters of concerned department for approval
by the nodal officer. The condemnation will be done only after approval is
obtained from the headquarters of the said department. To avoid piece-meal
approach, all cases of a department may be processed once a year in May-June.
5.2 LIST OF ICT EQUIPMENT
Category I
- CD ROM/DVD/Compact Disk
- Floppy Disk
- Tapes DAT/DLT
- Ribbons
- Toners - non refillable
- Toners - non refillable
- Inks for output devices
- Any type of Cell/Batteries beyond repair
Category II
- Laptop Computers
- Note book Computers
- Palm top Computers/PDA
- iOS/Android/ Windows based mobile & smartphones, iPad/ Tablets
- Hard Disk Drives / Hard Drives
- RAID Devices & their Controllers
- Floppy Disk Drives
- Floppy Disk Drives
- Tape Drives - DLT Drives / DAT
- Optical Disk Drives
- Other Digital Storage Devices, Pen Drive, Memory Card
- Key Board
- Monitor
- Mouse
- Multi-Media Kits
- Access Card
- Electronics Purse
- Electronics Wallet
- Universal Pre-payment card
- Smart card etc.
Category III
- Desktop
- Personal Computer
- Servers
- Work-station
- Nods
- Terminals
- Terminals
- Network interface card (NIC)
- Adaptor-ethernet/PCI/EISA/combo/PCMCIA
- SIMMs-Memory
- DIMMs-Memory
- Central Processing Unit (CPU)
- Controller-SCSI/Array
- Processors-Processor/Processor Power Module/Upgrade
- Dot-matrix printers
- Laser jet printers
- Ink jet printers
- Ink jet printers
- LED printers
- LED printers
- Plotters
- Pass book Printers
- Hubs
- Hubs
- Hubs
- Hubs
- Trans-receivers
- Switch Mode Power Supplies
- Uninterrupted Power Supplies
Category IV
- Telephones
- Videophones
- Facsimile Machines/Fax cards
- Tele-Printers/Telex machinesTele-Printers/Telex machines
- PABX/EPABX/RAX/MAX -Telephone exchange
- Multi plexers/Muxes
- Modems
- Telephone Answering Machines
- Tele-Communication Switching Apparatus
- Antenna & Mast
- Wireless Datacom Equipment
- VSATs
- Video Conferencing Equipment
- Including Set Top Boxes for both Video and Digital Signalling
- Fibre Cable
- Fibre Cable
- Cable
- Connectors, Terminal Blocks
- Jack Panels, Patch Cord
- Mounting Cord, Patch Panels
- Back Boards, Wiring Blocks
- Surface Mount Boxes
- Printed circuit Board Assembly/populated PCB
- Printed Circuit Board/PCB
- Transistors
- Integrated Circuits/ICS
- Diodes/Thyristor/LED
- Registers
- Capacitors
- Switches (On/Off, Push- button, Rocker, etc.)
- Plugs/Sockets/Relays
- Magnetic Heads, Print Heads
- Connectors
- Microphones/Speakers
Category V
- Application Software
- Operating System
SECTION 6
Digitally Secure Rajasthan
6.1Information Security Policy
-
Foundation of Information Security
The State of Rajasthan recognises its dependence on information systems for effective
operations of its e-Governance Initiatives. It is, therefore, essential that this information
infrastructure is secure from destruction, corruption, unauthorized access, and breach
of confidentiality, however accidental or deliberate
Information Security requirements are of utmost importance for the State. Successful
internal co-operation requires that a common security concept prevails in the GoR.
The objective is to define standards to ensure that information is secure at all times, in
turn creating a foundation upon which sound internal controls within the computerized
environment can be exercised. This is applicable to all officers and officials associated
with Rajasthan Government/Boards/Corporation/PSUs/Third Parties.
It is vital that we continue our efforts with security and risk management so as to equip
ourselves to meet the challenges of service running catering to the citizens of the State
and give each User Department the means to fulfil its mandate for delivering Citizen
Services.
-
State requires an information security policy for the following reasons.
- Maintaining Confidentiality: Confidentiality of information is mandated by IT laws
(IT Amendment Act 2008) followed by GoR. Different classes of information
warrant different degrees of confidentiality. The hardware and software
components that constitute the IT assets represent a sizable monetary investment
that must be protected. The same is true for the information stored in its IT
systems, some of which may have taken huge resources to generate, and some of which can never be
reproduced.
- Integrity & Availability: The integrity and availability of information, whether
acquired, provided or created must be ensured at all times.
- Safeguarding Critical Information: Critical information like audit reports, budgets,
sensitive and confidential information is protected from unauthorized access, use,
disclosure, modification and disposal, whether intentional or unintentional.
- Awareness among officers and officials: officers and officials, third party users are
made aware of the information security policy.
- Review & Evaluation
The State shall be responsible for review and approval of Information Security Policy at
the time of any major change(s) in the existing environment or once every year,
whichever is earlier. Review shall take place in response to significant changes
including but not limited to changes in risk assessment, security incidents, new
vulnerability, change in technology or network infrastructure. The changes suggested in
the Policy shall be approved from the appropriate authority and institutionalized within
State with intimation to all concerned.
- Information Security Organization Structure
- Chief Information Security Officer (CISO)
The Chief Information Security Officer shall provide the direction and support for
all information security initiatives. The CISO is responsible for providing direction
and leadership through:
- Reviewing and Approval of the Information Security Policy.
- Approval of the resource requirements (human, IT Assets and financial) for
information security.
- Driving information security initiatives across GoR.
- Conducting status review(s) of security implementation at Government
Departments.
- Additional Chief Information Security Officer (Addl. CISO)
- Additional Chief Information Security Officer (Addl. CISO)
- Propose the resource requirements (human, IT Assets and financial) for
information security.
- Prepare roadmap to drive information security initiatives across the State.
- Monitor security implementation at Government Departments.
- Organize a refresher course for Information Security Officer with regards to
Information Security.
- Prepare the classification of Information assets
- Understanding and Circulation of all the IT laws and amendments to
Concerned ISOs.
- Incident Response Team (IRT)
Incident Response Team will be an independent body headed by officer
nominated by HOD, IT&C. Members of IRT shall include Subject Matter Experts
from all domains viz. legal, administrative, technical, etc.
The IRT will check the authenticity of security incident and shall forward the
request to CERT-In for resolution and coordinate with them till the closer of
incident.
An Incident Reporting Team shall be made responsible for root cause analysis of
security incidents and to preserve the logs and details for legal actions collected
during analysis and recommend the preventive and corrective action to ISO. This
team will be established by DoIT&C.
- Information Security Officer (ISO)
The ISO assumes overall responsibility for ensuring the implementation,
monitoring, training and enforcement of the information security policy and
standards within the department/ district collectorate office
- ISO will be responsible for the implementation of the Information Security
Policy and monitor the compliance by departmental officials.
- Recommending, coordinating and implementation of information security
policies, standards, processes, training and awareness programs; to ensure
appropriate safeguards are implemented.
- ISOs are responsible for ensuring that appropriate controls are in place on the
IT Assets to preserve the security properties of confidentiality, integrity,
availability and privacy of departmental information
- Information Security Manager (ISM)
Information Security Manager of respective departments is responsible for:
- Administering security tools, reviewing security practices, identifying and
analyzing security threats and solutions and responding appropriately to
security violations.
- Administration of all user-ids and passwords and the associated processes for
reviewing, logging, implementing access rights, emergency privileges and
reporting requirements.
- End User
End User
- It is the responsibility of each end user to report any incident which is
observed /suspected to ISM.
- Users shall not test any existence of vulnerability in the information systems.
- Understand the IT laws and amendments
- Avoid breaches of any law, statutory, regulatory and/ or contractual
obligations as well as security requirements.
6.2 Asset Management
- Introduction
For information systems to be used effectively, efficiently and legally the assets that
make up those systems must be properly controlled. This is referred to as asset
management.
Asset management is not limited to stock of information (electronic data) but also
covers physical computer equipment's/Softwares used to access them. This Policy shall
emphasize on the importance of identification /classification of IT assets to ensure
adequate accountability and responsibility of the ISO/ISM. The Policy also ensures that
information systems needs to be suitably protected based on the confidentiality,
integrity and availability of the information systems.
- Responsibility
ISM shall be made responsible for following:
- A computer-based Asset Register shall be prepared and maintained for recording
all Information Assets with their appropriate classification
- Providing Asset Management reports to user department as and when required on
approval from ISO.
- Ownership
ISO shall ensure that Information assets belonging to department has been identified
and documented. The ISO shall be responsible for following:
- Ensuring that all the Information assets are recorded in asset register
- Establishing the classification scheme of the Information assets.
- Implement appropriate security controls to safeguard the Information assets as per
Information Security Policy
- Review and update the asset register to reflect any changes to the access rights and or the
classification scheme of the IT asset.
- Information Classification
All information assets will have different degrees of sensitivity and accessibility to the
organization. Information shall be classified appropriately as applicable for each
department into the following categories:
- Secret: This is applied to information unauthorized disclosure of which could be
expected to cause serious damage to the National/State security or National/State
interest. This classification should be used for highly important information and is
the highest classification normally used. E.g. Visits of VIPs, security arrangements
during VIP visits and international events, information related to critical
infrastructure such as configuration details of servers in data centres, etc
- Restricted: This shall be applied to information, unauthorized disclosure of which
could be expected to cause damage to the security of the department or could be
prejudicial to the interest of the department or could affect the department in its
functioning. The information that is used as official information for departmental
level only (Restricted Circulation), etc
- Public: Information available in public domain like Government websites etc.
It is the responsibility of the ISO to appropriately classify their assets. The
classification process shall be completed for existing assets and shall be
undertaken for any new project at the time of deploying a new asset or generation
of information.
6.3 Data and Information Security
- Introduction
The Data and Information Security ensures that the officers and officials, contractors,
consultants and vendors who have access to GoR information and associated
Information assets understand their security responsibilities that are required to
maintain the protection of critical information and the controls that are required to
protect the information assets from human error, theft, fraud and/ or their misuse are
implemented.
- Objective
All officers and officials, contractors, consultants and vendors who have access to GoR
information and associated IT assets are required to understand and practice their
responsibilities for the comprehensive protection of the information assets. Failure to
adhere to information security responsibilities may entail appropriate disciplinary action
as per Rajasthan Service Rules, Government of Rajasthan.
The objectives of this Policy are to:
- Ensure that the officers and officials, contractors, consultants and vendors
understand their roles and responsibilities regarding information security
- Reduce the risks of human error, theft, fraud or misuse of the information assets
- Ensure that employees are aware of information security threats and concerns
- Minimize the damage from the security incidents and malfunctions and learn from
such incidents.
- During Employment
SO has the following responsibilities during employment of officer/official:
- The employees are made aware of their security responsibilities to maintain the
information security.
- An adequate level of awareness, education and training on the information
security is provided to all employees.
- Information Security Awareness and Training
The ISO in consultation with CISO shall ensure that:
- Officers and Officials receive appropriate training on information security
requirements.
- Officers and Officials are made aware of disciplinary process, which can be
initiated against them in case of any violations of this Policy.
- Posters and hand-outs are used for creating security awareness among Officers
and Officials
- Quiz, tests, questionnaire are circulated to measure the awareness of Officers and
Officials relating to information security on periodic basis.
- Reporting Information Security Incidents
- Officers/Officials who become aware of any loss, compromise of information or
any other incident, which has information security implications, shall immediately
report to the ISM
- Suitable feedback processes shall be implemented by Incident Response Team to
ensure that the person reporting the incident is informed about the results after
the incident has been investigated and closed in consultation with concerned ISO
and ISM.
- Security incidents shall be documented and used in user awareness training as
learning from incidents.
- End Users shall be informed that they should not, in any circumstances, attempt to
prove a suspected weakness. Any action in testing the weakness would be
interpreted as a potential misuse of the system.
- Disciplinary Action
The certain categories of activities, which have potential to harm, or actually harm the
information assets are defined as security violations and are strictly prohibited. The
security violations may entail a disciplinary action. Appropriate disciplinary action can
be taken against security violations as per Rajasthan Service Rules, Government of
Rajasthan.
- Termination or Change of Employment
- ISM shall ensure that officers and officials are communicated about their
information security responsibilities even after termination of employment/
contract regarding the return of all issued software, documents, equipment,
mobile computing devices, and access cards, manual and/ or any other asset that
is a property of GoR.
- The ISM is required to ensure that the access rights of the officers and officials for
information assets are removed upon the termination of his employment, contract
or agreement
- The ISM is required to ensure that in case of change of responsibility, the access
rights are revoked or modified as required and appropriate with proper approval
from ISO.
6.4 Physical & Environmental Security
- Introduction
The Physical and Environmental Security provides direction for the development and
implementation of appropriate security controls that are required to maintain the
protection of information systems and processing facilities from physical and
environmental threats. Information systems should be physically protected against
malicious or accidental damage or loss, overheating, loss of mains power, etc.
- Objectives
Adequate protection shall be provided to information systems and facilities against the
unauthorised physical access and environmental threats. Appropriate security controls
shall be implemented to maintain the security and adequacy of the information
systems and equipment.
- Physical Security Parameter
ISM is required to define the physical security perimeter for concerned department and
facilities where information systems of Government of Rajasthan are available. It is
strongly recommended that the physical access restrictions proportionate with the
criticality value of information system is implemented at perimeter of all such facilities
where information assets are hosted.
- Physical Entry Controls
- Access control system shall be installed at key/critical locations of Govt.
departments
- Access to Govt. department, facilities and secure areas (such as Data Centre,
Development Centre) shall be provided to authorised personnel only. Access to
secure areas shall be controlled and monitored.
- All premises and facilities, where information assets are hosted, shall be classified
into zones with defined security controls.
- All premises and facilities, where information assets are hosted, shall be classified
into zones with defined security controls response.
- Some areas are open to general public, whereas some areas may be restricted to
few officer and officials strictly on need basis like public, internal and restricted.
- Public Access, Delivery and Loading Areas
- It shall be ensured that all areas, where loading and unloading of items is done,
are monitored and equipped with the appropriate physical security controls during
these activities.
- Access to these areas shall be confined only to the identified and authorised
personnel
- The movement of all incoming and outgoing items shall be documented and
incoming items shall be inspected for the potential threats.
- It shall be ensured that all the outgoing items have a valid authorisation and gate
pass.
- Equipment Security
Information Security Manager (ISM) in consultation with ISO shall implement the
equipment security controls to prevent loss, damage, theft or compromise of
information systems.
Critical IT equipment, cabling, ect. should be protected against physical damage, fire,
flood, theft, etc., both on- and off-site. Power supplies and cabling should be secured.
IT equipment should be maintained properly and disposed of securely
- Equipment Location and Protection
All equipment shall be protected against environmental threats and unauthorised
access. It shall be ensured that:
- The equipment are appropriately located and security controls are implemented to
reduce the risk of potential threats (e.g. theft, fire, smoke, electrical supply
interference) for their continued operations.
- The unattended equipment such as servers, network are placed in secure
enclosures.
- The appropriate environmental protection controls are identified and implemented or the safety of the
equipment
- Power Supplies
All equipment shall be protected from the power failures and other disruptions caused
by failures in supporting utilities. ISM & ISO shall jointly ensure that:
- All supporting utilities, such as electricity, water supply, sewage, heating/ventilation
and air conditioning, are in appropriate condition for the information systems and/
or processing facilities that they are supporting.
- The uninterruptible power supply (UPS) systems and generators are installed to
support the continued functioning of equipment supporting critical business
operations.
- UPS equipment shall be maintained in accordance with the manufacturer’s
recommendations
- All department premises shall have proper earthing to prevent electric surges.
- An alarm system to highlight the malfunctions in the supporting utilities is
installed
- Voltage regulators shall be installed, wherever necessary, to guard against
fluctuations in power. Circuit breakers of appropriate capacity shall be installed to
protect the hardware against power fluctuations or short circuits.
- A preventive maintenance exercise is carried out at regular intervals for the utility
equipment
- Cabling Security
It shall be the responsibility of ISM to ensure that cabling is done properly. Following
controls shall be considered for cabling security:
- All cables, including power and telecommunication network cables, shall be
protected from the damage or unauthorized interception.
- All network cables and their corresponding terminals shall be identified and
marked.
- It is strongly recommended that the documents, including detailed physical
network diagrams showing cable routings and terminations are maintained with
ISM.
- It shall be ensured that the power cables are segregated from the communication
cables.
- Equipment Maintenance
ISO shall ensure the following controls for equipment maintenance:
- A preventive maintenance exercise for the utility equipments shall be conducted in
scheduled intervals ensuring their continued availability and integrity.
- Preventive maintenance of hardware, UPS, AC and other equipment shall be
covered under AMC
- The ISM shall monitor SLA to ensure that preventive maintenance is carried out in
efficient manner.
- ISM is required to apply the appropriate security controls to the off-site equipment
considering various risks that may exist outside the premises.
- Every user is required to ensure that the equipment and information systems are
disposed of after an approval from the ISO and following proper rules as per
Government of Rajasthan Rules for disposing IT Assets
- Any equipment, information system, storage device or software under the
possession of or having information of State Government department shall not be
taken outside the office premises without prior authorization of ISM and valid gate
pass.
6.5 Communication & Operations Management
- Introduction
The Communication and Operations Management establishes appropriate controls to
prevent unauthorized access, misuse or failure of information systems and equipment
and to ensure the confidentiality, integrity and availability of information that is
processed by or stored in the information systems/equipment
- Responsibility
The ISM is responsible for the implementation of the controls defined in this Policy.
However, ISO shall ensure compliance of Information Security Policy.
- Objective
Government of Rajasthan shall ensure the effective and secure operation of its
information systems and computing devices. The objectives are to:
- Develop documented operation procedures for information systems and
computing devices
- Ensure protection of information during its transmission through communication
networks.
- Protect integrity of software and information against the malicious codes.
- Develop an appropriate backup strategy and monitoring plan for protecting
integrity and availability of information processing facilities and communication
services
- Have appropriate controls over storage media to prevent its damage and/or theft
- Maintain security during the information exchange with other State Governments.
- Operations Procedures and Responsibilities
IT operating responsibilities and procedures should be documented. Changes to IT
facilities and systems should be controlled. Duties should be segregated between
different people where relevant (e.g. access to development and operational systems
should be segregated).
- Documented Operating Procedure
- Adequate documentations shall exist for maintenance of information systems. The
documentations, procedures and checklists shall be created when a new systems
or service is introduced and the activities to be carried out when a service failure
occurs or when maintenance needs to be performed
- Procedures shall be in place to ensure that activities performed in day-to-day
operations are carried out in a secure manner
- Standard Operating Procedure (SOP) shall be created to maintain the
confidentiality, integrity and availability of that specific platform or application.
- Change Management and Change Request Approval
For application software the documentation shall provide for a brief description of the
changes requested, date on which the request was made, prioritizing of the request,
tracking and controlling modifications and assigning a unique number to each request.
All changes requested shall be approved/rejected by ISO of concerned department.
- Hardware and Operating System Changes for Information Systems
- Any changes to hardware shall be done by raising a change request, approval by
the ISO and documentation of the same
- ISM shall update the asset register once the changes are done to the hardware
- Any change to the operating system or application shall be strictly controlled. Any
changes shall be done by raising a change request, approval by the ISO and
documentation of the same.
- Testing of Changes and Backup
- All critical and complex changes shall be tested before being carried out in the
live/production environment.
- A quality assurance test of the changes to be implemented shall be performed in
a test environment prior to implementation in the production environment
- A backup of the system impacted by the change shall be made prior to its being
updated.
- Unscheduled/Emergency Charges
- Unscheduled/emergency changes shall be carried out only in case there are
critical issues in current IT system/ environment, which require the change to be
carried out with approval from ISO
- An audit trail of the emergency activity shall also be generated which logs all
activity, including but not limited to:
- The user-ID making the change
- Time and date
- The commands executed
- The program and data files affected
- Segregation of Duties
Segregation of duties is important in order to reduce opportunities for unauthorized
modification or misuse of information, or services.
- ISM shall segregate the duties in such a manner so that no single user has the
ability to subvert any security controls of the infrastructure thereby negatively
impacting the business operations.
-
An individual shall not be responsible for more than one of the following duties:
data entry, computer operation, network management, system administration,
systems development, change management, security administration, security
audit, security monitoring.
Whenever segregation of duties is difficult to accomplish, other compensatory
controls such as Monitoring of activities, Audit Trails and Management Supervision
can be implemented.
- System Planning and Acceptance
For maintaining adequate future storage and memory demands of IT Systems proper
monitoring and requirement projection is performed for information assets. This will
help in avoiding potential bottlenecks that might present a threat to system security or
user services.ISM will identify the requirement and will send the requirement to ISO.
ISO will review the same and will further send it to approving authority.
- Protection against Malicious and Mobile Code
ISM shall ensure to implement software and associated controls to prevent and detect
the introduction of malicious and mobile codes like Computer Virus, Trojan Horse, etc.
which can cause serious damage to networks, workstations and critical Government
data.
Mobile code is any program, application, or content capable of movement while
embedded in an email, document or website. Mobile code uses network or storage
media, such as a Universal Serial Bus (USB) flash drive, to execute local code
execution from another computer system. The term is often used in a malicious context; mobile code creates
varying degrees of computer and system damage. Mobile
code is usually downloaded via the body of an HTML email or email attachment.
Therefore in the information systems where the use of mobile code is authorised, ISM
shall ensure configuration in such a manner that only authorized mobile code operates
according to a clearly defined set of rules.
- Backup
For continuity of business operations in the event of failures and/ or disaster, it is
essential to have the secondary copies of the data available. It is to be ensured that
backups of all the identified highly critical information assets are taken and are tested
for restoration and readable or regular intervals.
nformation Security Manager is required to ensure following:
- Identification of critical information assets
- Selection of appropriate backup media on the criticality of data and retention
period
- Backup logs shall be regularly maintained and kept up-to-date and can be in the
form of hard or soft copies
- Network Security Management
-
Network Controls
The appropriate security controls shall be implemented by the ISM to protect the
departmental network. The controls shall include, but not limited to, the following:
- Logical segregation of networks e.g. internal network zone, Demilitarized
Zone (DMZ) and External zone
- Protection through firewall
- The Documentation related to the network diagram, IP Addressing and
configuration of network devices, etc.
-
Wireless Local Area Network (WLAN)
The wireless infrastructure system shall be managed appropriately in order to
provide protection to its information and information systems. The following
controls shall be implemented by ISM to ensure WLAN security:
- Secure configuration of wireless communication devices including the Access Points and wireless
client devices such as Laptops/Workstations.
- Implementation of a strong key management system for the authentication of
clients connecting to the WLAN.
- Implementation of appropriate physical and environmental security controls to
protect wireless access points against theft and damage.
- Register access points and cards. All wireless access points must be registered
and approved by ISM. These access points are subject to periodic penetration
tests and audits
- Firewall
ISM shall establish following controls:
- Firewalls shall restrict access to all applications and network resources and
protect these from unauthorized users
- Access control policy shall be implemented on the Firewall and all activities
shall be logged (successful, unsuccessful)
- Publicly accessible servers shall be kept behind the Firewall and access control
policies shall be defined
- An updated, reviewed and approved network diagram with all connection to
and from the firewall shall be maintained
- A documented list of services and ports shall be maintained.
- Approval process for new rules for firewall shall be established
- Security of Network Services
- The ISM is required to identify the security features, service levels and
management requirements of all network services included in any network
services agreement, irrespective of the fact whether these services are being
provided in-house or outsourced.
- The ISM shall prepare a checklist of the non-essential, default and vulnerable
services for all the information systems owned by them. The non-essential
services shall be disabled on all information systems and the default and
vulnerable services required for business operations shall be fixed by
implementing alternative mitigation controls on the information systems
- Exchange of Information
- Information Exchange
Appropriate security controls shall be implemented to exchange the Govt.
department information or software assets with third parties. The security controls
shall include technical controls and contract/agreements signed with the third
parties.
The relevant information asset owners/ISM/ISO shall be responsible for ensuring
that such information assets are exchanged only after signing appropriate
agreements
- Monitoring
- ISM needs to ensure that proper logs are maintained and stored for a specific time
period for future investigation purposes
- Audit logs shall be secured in such a manner that even the ISO/CISO is not
allowed to erase or modify the logs of the activities performed by them on system
- Access to Log shall only be provided on need basis and with approval from ISO
- Time and date synchronization shall be maintained at all network devices and
servers.
6.6 Access Control
- Objective
User Access of the Information assets shall be based on their roles and responsibilities
provided. All the User ids are provided with access permissions as per requirements,
role and designation of officers and officials. The system shall deny all request other
than permitted to protect the information from unauthorised access.
The objectives of the Access Control are to:
- Provide need-based access to information assets
- Prevention of unauthorised access to information systems, network services,
operating systems, databases, information and applications
- User Access Management
The allocation of access rights to users should be formally controlled through user
registration and administration procedures (from initial user registration through to
removal of access rights when no longer required), including special restrictions over
the allocation of privileges and management of passwords, and regular access rights
reviews where if roles and responsibilities change for officers and officials than his
access rights shall be changed accordingly.
- Users shall be provided access as per their roles and responsibilities, e.g. DDO is
provided access to disburse salaries of his concerned office but is not allowed to
view or disburse salary for other offices
- Unique User id shall be provided to each employee so that each person will be
responsible for one's action which will help in tracking of security threats incidents,
if any.
- User rights shall be provided by system administrator on written approval from
ISM/ISO of Concerned department.
- User Registration
- ocumentation and implementation of procedures for registration and deregistration of User id.
- Naming Convention shall be followed for User id creation
- Identification of inactive accounts and disabling them
- Re-activation of the accounts on written request from ISM
- Guest accounts to be disabled on servers
- Password Management
- It is made mandatory for users to change their passwords during the first time
logon and after 20 days of each password change. Warnings to the users shall be
flashed before 5 days of the password expiry and to be sent repeatedly everyday
till the user changes password or password expires.
- The Password shall have a combination of alpha-numeric characters and
minimum length of eight characters for strong security.
- System shall keep record of last five passwords and shall not allow user to reuse it
at the time of changing one's passwords
- After maximum 5 unsuccessful login attempts, account shall be locked for security
purposes.
- The passwords shall not be hard coded into the logon scripts, batch programs or
any other executable files when user authentication or authorisation is required to
complete a function
- The password shall be encrypted while transmitting over network
- For forgot passwords and account lockouts, proper support procedures shall be
documented and implemented.
- User password reset is performed only when requested from user and after
identifying and verifying the user through defined procedures.
- User Responsibilities
All Users who will have access to information assets of Government of Rajasthan are
required to understand their responsibilities for maintaining the effective Security
Controls and safety of information assets.
- “Clear Desk and Clear Screen” and “Security of Unattended Equipment”
IT team needs to ensure that information system needs is auto locked if unattended for
a specified duration
- Sensitive and critical information need to be locked (electronic media)
- Desktops shall be logged off or protected with a screen when unattended for a
specified duration.
- Incoming and outgoing mail points should be protected.
- Use of scanner and digital cameras shall be monitored so that unauthorised use
for reproduction of critical information can be prevented.
- Logout from the workstation, servers and/or network device when the session is
finished.
- Application and Information Access Control
The logical access to the application software shall be restricted to the authorised users
only. The access rights shall be provided for relevant section of application, e.g. DDO is
provided access to prepare salary bills for one's concerned office employees
- User access matrix shall be updated quarterly and documented
- Information systems (Application system processing) containing critical
information shall not be hosted on the shared server, and
- High level logging mechanism shall be established for critical systems.
- Mobile Computing and Communication
- Employees shall be allowed to remotely access GoR network to access official
information after proper identification and authentication.
- The employees shall take special care of the mobile computing resources such as,
but not limited to, Laptops, mobile phones, PDA's, etc. to prevent the compromise
and/or destruction of confidential information
-
Official laptops shall be configured as per policy with proper firewall and updated
virus definitions to secure the information systems
6.7 Information Security Incident Management
- Objective
All the security breaches, discovered weakness in the system and attempts to breach in
the Information systems shall be reported and responded to promptly. Appropriate
actions shall be taken to prevent the reoccurrence.
The objectives are to:
- Develop proactive measures so that the impact of any security incident on
information systems can be minimized
- Create awareness among users so that they can report the identified incidents to
ISM.
- Get learnings from the incidents and implementing appropriate controls to prevent
the reoccurrence
- Incident Identification
An incident is the act of violating the security policy defined for State. The following
actions can be classified as incidents, but not limited to:
-
Reporting Security Events and Weakness
- An incident management procedure shall be formalized and documented which
includes incident identification, reporting, response, escalation and incident
resolution.
- There should be a central point of contact (ISM), and all employees/users should
be informed of their incident reporting responsibilities
- Users shall not test existence of any vulnerability in the information systems
- Users shall not test existence of any vulnerability in the information systems
A knowledge base shall be established by IRT for the information gained from the
evaluation and analysis of all information security incidents, that will be helpful to
prevent reoccurrence of security incidents, to handle security incidents and for
learning.
- Collection of Evidence
- As per the legal requirements, ISO shall collect the evidences during the incident
analysis, retained and presented for relevant jurisdiction. IRT will provide complete help to ISO for
collection of evidence. IRT has to preserve the proof for any legal
proceedings to support ISO.
- Delayed reporting of information security events or incidents, and consequent
delays in initiating investigations can result in loss of evidence. Therefore, timely
investigation shall be performed by IRT.
- Evidence shall be collected in such a manner that it should not destroy its
evidentiary proof and can be used for legal use in court, if required.
6.8 Compliance
- Introduction
The Compliance provides the direction to design and implement appropriate controls
to meet the legal, regulatory and contractual requirements as per Cyber law, IT Act
2000 and any other relevant act prevailing in India.
- Responsibility
It is the responsibility of ISO to ensure implementation of the appropriate controls to
meet the legal, regulatory and contractual requirements as circulated by ACISO. The
details about the Cyber laws, but not limited to, is available at
http://deity.gov.in/content/cyber-laws
- Objective
All Government Departments shall understand the importance of Compliance to the
legal requirements and thus enforce the appropriate controls to the officers and
officials working under their department to embed a compliance culture.
- Promote a positive ethical and compliance culture among Government offices
- Creating awareness among users regarding the law compliance
- Avoiding breaches of any law, statutory, regulatory and/ or contractual obligations
as well as security requirements
- Ensuring that officers and officials, third party users understand and adhere to the
legal, statutory, regulatory and contractual requirements which may have an impact on their daily
activities
- Compliance with Legal Requirement
- Identification of Applicable Laws
It is the responsibility of ISO to maintain a list of all relevant statuary, regulatory
and contractual requirements with the help of ISM in guidance of ACISO
(Circulated by ACISO)
- Intellectual Property Rights
- All Software and application used in Government offices shall be purchased
and issued in accordance with the license agreements.
- All employees shall abide by the Copyright laws detailed by the software
vendor
- Awareness campaigns shall be organized for employees regarding IPR
- Software shall be used for official purpose only
- Officers and Officials shall not be allowed to carry Personal Information
Processing equipment or CD writers, USB drives, etc. without obtaining prior
approval from ISM.
- Protection of Government Records
- Important records like accounting and financial records, payroll and other
employee related records shall be protected from loss or destruction.
- Retention period shall be defined for various types of records as per rules and
regulations and shall be destroyed in a safe and secure manner on
completion of their retention period.
- Extra Protection shall be taken to store the records required to meet legal
requirements.
-
Data Protection and Privacy of Personal Information
- Personal information of employees/users shall be kept safe and confidential
- Relevant Legal laws, Acts and regulations shall be followed for handling
personal information.
- Personal records shall be retained and stored as required by legislation
- The review period and review rights of personal records shall be defined by
ISO.
- Backup of personal records shall be ensured.
- Prevention of misuse of Information Processing Facilities
- Users shall be prevented from accessing information, information systems
and/ or facilities for unauthorized purposes through implementing appropriate
access controls.
- Any usage of information system other than for official purposes shall be
considered as improper use of the facilities and may lead to disciplinary
action against user.
-
Compliance with Information Security
- The ISOs shall ensure that the Policy is implemented in their respective
departments, in turn ensuring the compliance
- It shall be communicated to all employees officially through a Government order
that compliance to Information Security Policy is mandatory and if any non compliance is found,
necessary disciplinary action can be taken against the
employee.
- There shall be a regular review of compliance to the policies using Internal Audits.
Any deviations shall be noted and communicated to the HODs as a part of the
Internal Audit report
- Technical Compliance
- Technical compliance check shall be carried out to identify vulnerabilities in the
system and to check effectiveness of controls to prevent unauthorized access to
information systems
- Information systems shall be checked by ISM every six months for security and
compliance with the security Policies.
- A schedule shall be maintained to ensure that vulnerability assessment and
penetration testing is carried out at regular frequency.
- Technical compliance shall be carried out by experts.
6.9 Internet Security
- Introduction
Internet security provides directions to the officers and officials to ensure that internet usage in
Government departments is legitimate and does not breach any security of
information system, thus preventing the unauthorised use of internet.
- Responsibility
ISM shall ensure compliance of the Policy. Controls shall be established by IT Team
under guidance of ISM. Each employee/user shall take responsibility to follow Internet
Security Policy
- Objective
Appropriate technological and user level controls need to be established for ensuring
legitimate use of internet in Government departments to maintain the confidentiality,
integrity and availability of the internet system.
- Rules to be defined so that each employee in Government departments shall use
internet for legitimate purpose
- To ensure that internet system shall not be misused.
- Internet Usage
- Access to internet
- Internet should be provided to users for official purpose.
- Internet access shall be provided after approval from ISM.
- Access to Internet shall be controlled by Proxy server and firewall
- Authorised and unauthorised access to internet
- Internet usage shall be restricted to serve employees for official/office related
work and transactions.
- Unauthorised use of Internet shall include, but not limited to:
- Using for personal entertainment, personal business or profit, and
publishing personal opinions.
- Attempting to gain or gaining unauthorized access to any computer
system
- Sending/receiving/viewing racial or sexually threatening email messages
- Sending, transmitting or distributing proprietary information, data or
other confidential information.
- Using Internet for non-official purposes and wasting computer resources
like uploading and downloading large files
- Introducing computer viruses, worms, or Trojan horses
- Downloading obscene written material or pornography
- Downloading and uploading of software
- Downloading and uploading of software is allowed only when permissions are
granted from ISM.
- Trial versions shall be deleted after expiry of trial period.
- Periodic review of all desktop/laptops shall be done to ensure that no
unauthorized software is installed.
- Browsers are configured at workstations in such a manner that they should
accept applets only from trusted sources
- Internet Security awareness
Users shall be kept aware through trainings regarding the acceptable and
legitimate use of internet, e.g. downloading the content from internet,
downloading of applets for browsers, etc
- Website blocking
Internal users shall be blocked at the proxy level from accessing websites which
are deemed inappropriate as per the directions from the State Government
- Auditing, logging and monitoring
- Logging shall be maintained for all the attempts to access internet services
- ISM shall review log files of proxy server on periodic basis
6.10 E-mail Security
- Introduction
E-mail Security provides directions and controls to be established for legitimate use of
e-mail account provided to the users and to protect e-mail system from vulnerability
and modifications. E-mails originating from registered domain of Government
department/PSU/Boards/Corporation and other autonomous bodies only shall be
considered for official purpose.
- Responsibility
An e-mail server administrator for registered domains of Government departments/
PSU/Boards/Corporations and other autonomous bodies is responsible to ensure that
appropriate controls are kept in place for one's email server. Each user is responsible
for complying with the E-mail Security Policy. ISM shall ensure that access rights of e-mail id shall be
managed, e.g. on transfer of officers and officials their e-mail id which
is as per designation is given to other officer/official after changing the password.
- Objective
- E-mail security is of prime importance and appropriate technological and user
level controls shall be implemented to maintain confidentiality, integrity and
availability of the e-mail system by respective e-mail server administrators.
- The objective of the e-mail policy is to Establish the rules for the official use of the
e-mail system and to adequately protect the information transmitted through the
e-mails
- If any PSU/Boards/Corporations/Autonomous bodies are not able to follow e-mail
Policy due to lack of appropriate infrastructure, it is suggested to open their
employee's email-id on the domain (www.rajasthan.gov.in) by taking necessary
approvals.
- Authorized Use of e-mail
- All e-mail messages generated from registered e-mail System of Government
department/PSU/Boards/Corporation and other Autonomous bodies shall be
considered to be the property of Government of Rajasthan.
- Users shall not forward/redistribute any offensive or unsolicited material received
from the external sources.
- Prohibited use of e-mail
- Users shall not use e-mail for raising charitable funds campaign, political advocacy
efforts, personal amusement and entertainment.
- Users shall not use e-mail for creation or distribution of any disruptive or offensive messages,
including offensive comments about race, language, gender, hair
colour, disabilities, age, sexual orientation, pornography, culture, religious beliefs
and practice, political beliefs or national origin.
- Users shall not use e-mail for forwarding or sending messages that have racial or
sexual slur, political or religious solicitations or any other message that could
damage the reputation
- Users shall not use email for transmitting any data that potentially contains
Viruses, Trojan horses, Worms, spywares or any other harmful or malicious
program.
- Users shall not use email for transmitting any data that potentially contains
Viruses, Trojan horses, Worms, spywares or any other harmful or malicious
program.
- User Accountability
- Users shall not use any unauthorised Web-mail services for official purpose
- Users shall not share their e-mail account passwords.
- Users shall choose strong passwords as per password policy
-
- Misrepresenting, Concealing, suppressing or replacing another user’s identity on
an electronic communications system is prohibited.
- The user name, email address and related information included with electronic
messages shall reflect the actual originator of the messages.
- At a minimum, the users shall provide their name and mobile numbers in all e-mail communications
- E-mail Administrator Accountability
E-mail Administrator is responsible for following:
- All e-mails and content shall be scanned through authorized email scanning
software
- Open relay is blocked at all e-mail servers to prevent spamming
- Content monitoring systems shall be installed at e-mail Servers
- Antivirus definitions shall be kept updated at the gateway/server levels
- Electronic Mail Encryption
The objective of e-mail encryption is to prevent the email content from being read by
unintended recipients.
All electronic communications through the e-mail systems are not encrypted by default.
Therefore, if sensitive information needs to be sent by e-mail System, encryption or
similar techniques provided by the e-mail system shall be employed for the protection
of information being transmitted.
- Attachment and Virus Protection
- E-mail Server administrator shall implement appropriate controls at e-mail
gateway/server level to scan email attachments and delete malicious file
extensions or viruses. E-mail administrator shall block documented malicious file
extensions at gateway level.
- E-mail virus protection and content filtering software shall be implemented at e-mail gateway/server
level.
- Public Representations
- No e-mail messages related to State Government shall be used for advertisement
purposes.
- No e-mail messages related to State Government shall be used for advertisement
purposes
- Archival, Storage and User Back up
All official e-mail messages containing approval, work delegation, authorisation or
handing over of responsibilities or similar transactions shall be archived for future
official use by end user.
Any e-mail message which can be helpful as an evidence for critical decisions shall be
appropriately retained for future use by end user
- Disclaimer
A disclaimer approved by CISO shall be appended to all e-mail messages generating
from State Government domains.