Security Guidelines issued by DOP
Several systematic shortcomings are being noticed in the operational methods of Sanchay Post, giving scope for possible manipulation with malafide intentions. It has been observed that the instructions issued to manage the data entry module of Sanchay Post securely were not followed by many of the units leading to frauds in Sanchay Post software.
2. It is once again reiterated that the following aspects should be taken care of by all concerned without any deviation.
a) Operationalization of the data entry module should be limited to the assigned supervisor only.
b) Only one data entry operator should be there in an office/ network.
c) It is the sole responsibility of the supervisor to keep the password secretly with him, as he is held responsible for the data entries made in an office running Sanchay post online, as pass word securities were not followed properly.
d) As instructed earlier a register should be kept to note the entries in the chronological order carrying the details of corrections made using data entry modules each duly attested by the concerned supervisor.
e) The System Managers of the field units can also hold periodical training for Post office and Divisional office staff to make them fully conversant with the checks and controls existing in the Sanchay Post software, so that supervisory control is made more effective.
3. Please circulate the above said instructions under acknowledgement to all the supervisors and operators of Sanchay post offices in your region immediately.
Directorate Letter No. 48-05/2004-Tech/KW dated 02.01.2008
A kind reference is invited to the above letter on Security of Sanchay Post Software. Now a copy of C.O. Lr. No. Tech/2-18/08-09 dated 01.12.2008 regarding Security guidelines for Computerized SB Offices is enclosed herewith for information and necessary action.
Further it is brought to the notice of this office that Data Entry Packages of Sanchay Post are not uninstalled after the accounts were brought into online in several offices and usage of several unauthorized softwares. Hence the following instructions are issued for immediate action.
1. All the Data Entry Modules of Sanchay Post should be immediately uninstalled after completion of the data entry.
2. The Data Entry Package should be installed only in Server or other systems under the direct control of the PM/ SPM only.
3. 'Data Entry Supervisor' user class should be allotted to the PM/ SPM only.
4. It is seen that all users are allotted to Data Entry which is highly irregular.
5. User names and password should be official specific not office specific. No general names and designations should be used. This should be monitored by the Divisional Heads / Sub Divisional Heads during their visits / inspections and recorded.
6. If one PA / Supervisor is on leave, the concerned PM/ SPM should change/authorize the name of the other official actually working on the branch while giving day begin.
7. For every Software / Hardware Problem, an error book should be maintained and recorded then and there by the officials concerned and the DSMs concerned should note the action taken for the rectification. The same should be perused by the
8. Divisional Heads / Sub Divisional Heads during their visits / inspections and recorded.
9. A separate register for entry / access of LAN server should be maintained with the details such as Date and Time of Entry, Work done and out time etc. The register should be under the personal custody of the Head of the Office.
10. It is seen that the opening balances, closing balances are being modified through some unauthorized software which is highly irregular and warrants Disciplinary Action.
11. Similarly doing day begin for the dates prior to the date of operation is also not correct.
12. Directorate has already issued instruction regarding security / preservation of SQL Server Password with the Divisional Heads and hence Divisional Heads should monitor the same to prevent unauthorized persons to have knowledge about the 'SA' password.
13. All the floppy / CD/DVD/Flash Drives should be disabled except the one used for taking backups by the Supervisor incharge.
14. The following certificate from the concerned System Administrators / DSMs should be obtained in respect of Computerised Offices under their jurisdiction and filed at the Divisional Office.
"Certified that there is no unauthorized software installed and data entry modules are uninstalled in the …………………………………….. SO/HO.
Signature of the SA/DSM
Date: "
15.The following certificate should be sent by the Divisional Heads to this office immediately.
"Certified that the SAs / DSMs are instructed about the Security Guidelines for Computerised Offices and the relevant certificates were obtained and filed.
Signature of the Divisional Head
Date:
15. An action taken report on the C.O. Lr. No. Tech/2-15/08-09 dated 01.12.2008 should be sent within a week.
Security guidelines for computerized SB Offices – Reg.
Security guidelines to be followed in the offices using Sanchay Post software, along with a list of 'Do's and Dont's for the officials working on SB LAN is enclosed. Please ensure that the guidelines are strictly adhered to. Additional security measures required if any may be combined with these guidelines and implemented.
Guidelines to be followed by the Systems Administrators / Operators of Computerized Offices:
• The server should be kept securely away from unauthorized users and outsiders to ensure security of data. The 'SA' of MSSQL server has full rights on the operation of RDBMS. It is therefore, necessary that the PASSWORD is granted to the appropriate official and a record is maintained for the same. He should also change the password at regular intervals to ensure better security and should not give the password to other operators.
• The System Administrators should not use SQL Server Management tools such as Query Analyzer, Enterprise manager etc. but should use the front end application only.
• The System Administrators / Managers should ensure that no one has access to SQL Server Tools, which can be used to tamper with databases.
• No personal Pen/Flash Drive/ Laptop should be permitted inside the office by the visitors/employees.
• Keep a written record of the officials granted 'LAN Administrator'. 'SQL Administrator' and 'Data Entry Super' rights along with the period.
• Keeping the security issues in mind, the role of the System Administrators should be closely monitored by the competent authority.
System Administrators/Managers to ensure:
• That the clients connecting to the server should have only the client connectivity component of SQL server installed on them. Any other administrative tools such as the Query Analyser, Enterprise Manager etc., if found installed in the clients, should be uninstalled.
• Maintaining Operating system and Database in a NTFS partition provides the ability to limit network access based on user accounts and network-defined groups. Do not unnecessarily share folders on the server.
• Removal of Data entry modules for schemes which have been made online on all the nodes. If found absolutely necessary it should be installed in only one node.
• A new class of user called 'Data Entry Supervisor' has been introduced from Sanchay Post ver 5.0. Correction of accounts in which transactions have been performed in the online module (i.e. already online accounts) can only be done by the 'Data Entry Supervisor'. Hence the rights for the role of Data Entry Supervisor are to be allotted only to the head of the office. (PM/SPM).
• User rights allotted in Sanchay Post should be post specific and a person should not be allotted both counter and supervisor rights. Group and Form access in online mode should be as per work distributions to counter users and supervisors. They should not be assigned groups or forms which are not handled by them to prevent and misuse. The users should be given access to only the functions they perform and they should set their own password.
• Passwords should be official specific and not post specific. If there are five people who are likely to handle an operation over a period of time, individual user id should be created for each of them and under no circumstances should one individual log in with another's id.
• Only the names of the officials should be given as "Person Name" while creating new persons. Designation of the officials (such as 'Super', 'Counter', 'Postmaster', PA, SPM, APM) should not be used as 'Person name'.
• All the persons operating Sanchay Post application package should be given logon permissions ('person name' & 'person password' corresponding to 'Your Name' & 'Your Password' in the SB application login screen) using the officials name only.
• In the event of one's pass word becoming known to others one should reset his pass word immediately. Free trading of password is risky. If an individual makes his password public, the risk lies with him. Full responsibility for misuse of his password would fall on him.
• Enforce password change at regular intervals and minimum password length to ensure better security.
• Supervisor's id should be at an appropriate level. If more than one supervisor was to work owing to leave or training etc more ids can be created for each of the supervisors in the office.
• Delete old or inactive user accounts
• People who have moved out of the computerized operation set up in a specific office should be removed from the user group without any loss of time.
• Periodic backup should be taken without fail.
• The daily, weekly, monthly backup copies should be kept in different places. (System administrator, Head of the office, Divisional office etc.). The backup taken should be tested to see that restoration is possible without difficulty.
• Atleast one copy of the backup should be kept in a building away from the office (Offsite) to provide protection against location-specific catastrophes. Rotate tapes used for back up and replace tapes when its suspect.
• Antivirus software should be installed in all the nodes and regularly updated. Suitable mechanism for regular upgrading / updates to protect vulnerability against new Viruses should be formulated and implemented.
Do's and Don't's for officials working on SB LAN
Do's:
1. Use easily remembered passwords with sufficient complexity, which should be changed at frequent intervals.
To Change password
Log on to the online module. Go to 'Set Up' Menu. Select 'Set personal password', then type "Current personal password". Type new personal password and retype new password. Click on OK.
2. Back up your data every day. Keep at least one copy offsite. A register has to be maintained for recording the following information. Data name of the person taking back up. Type of Media (CD, Tape or Node) Counter signature of the Postmaster.
3. Enforce logging out when the workstation is unattended for a significant period of time. All changes done to the database is recorded against your name. Use "Lock Screen" in setup menu when leaving workstation for a short while.
4. In case of problem in connecting to the server, follow the sequence of 'switching on'
(a) Hub
(b) Server (Wait for 'Begin log on' screen with a message press Ctrl-Alt-Del to log on)
(c) Switch on nodes.
5. If when you double click on Sanchay Post icon, you get a message "Unable to connect to server. Do you want to correct". Click on "Yes". You will then be prompted for the server name. Type the server name and click "Save". You will obtain a message 'Rerun Application". Now double click on the Online or data entry icon to enter Sanchay Post application package.
6. If there is some kind of 'system message', read it first, it solves most of the problems. If you have to report a problem, record the messages you get. Telling someone that the message was something about a hardware error does not help the problem solver. Report the message to the System Administrator.
Don't's
7. Don't run any other application other than Directorate approved software on your systems. Use of any other unauthorized software for modification / entering transactions is strictly prohibited.
8. Don't allow another person to log with your name and password (including system Administrators). All the entries and changes made in the application package are entered in a log against your user name.
9. Do not simply turn off your computer: instead use the correct shut down process given below.
10. Shutdown process in nodes:
(a) Exit the application software (Sanchay Post) in the nodes by clicking on quit.
(b) Go to Start button, Click on Shut Down. You will get a screen "Shut down Windows". Select shut down from options available and click on "OK".
(c) Wait till you get the message, "It is now safe to shut down the computer" before switching the computer off.
Shut down Process in server:
Log on to the Server and then follow step (ii) & (iii) as stated above.
Sub: Security of Sanchay Post software – reg
1. It has been come to the notice that because of the easy access to the data base Sanjay Post Software is being mishandled. The offices computerized by the technology division of the Directorate are not following the security guidelines and the Head of the Office is not reviewing the security measures.
2. Please refer to the FS Divisions lr no. 76-03/2005-FS dated 30.07.2007 regarding the security of SQL server password. It is again reminded that, it is the responsibility of the Divisional Superintendent to safe guard the password and to change the password once in six months when he visits the post office for inspection/verification. Allowing the System Administrator to access the Data base will be dangerous.
3. Number entry package is also available in Sanjay Post Software. Because of this anybody can access Data base. Generally, Number Entry is used for loading old numbers and after the entry it is uninstalled. All Circle Heads should ensure that the Number Entry Package has been uninstalled and it should be complied with.
4. Server should be kept under lock and key. Instructions were given to maintain a register at Server Room and to make entries in the register. Usually it is not maintained in the Head Post Offices. Circle Heads must strictly ensure that this register is being maintained and it should be jointly signed by Postmaster/SBCO officials in Head Post Offices and in other Post Offices it should be signed by Cashier.
5. Issuing of Access card will be a better option which will keep the record of the time of entry and time spent in the Server Room. It will be effective to stop the trespassing into the server room.
6. It is also instructed that the Security Measures in the Computerised Offices may be reviewed periodically by the Inspecting Officer. It should be included in the Inspection Questionnare.
7. Secretary (P) has shown great concern in the above matter and asked to take immediate steps in this matter. Hence you are requested to give the feed back in this regard so that the information may be given to the Secretary (P) Circle wise.
This is issued with the approval of Dy. Director General (Technology).
Sd/-
(Dr. Kushal)
Asst. Director General (Technology)
0 comments:
Post a Comment