
Authentication Compliance Policy

Document Version Control

| DATE | W.E.F. | VERSION | PREPARED BY | REVIEWED BY | APPROVED BY | RELEASE DATE |
|---|---|---|---|---|---|---|
| 06/09/2024 | 06/09/2024 | 1.0 | Manish P Sukhadiya, Senior Officer - IT | CEO & CISO | Board of Directors | 06/09/2024 |

Document Definition: This document is derived from “Authentication Compliance Policy” published by Unique Identification Authority of India.

 

The Board of Directors meeting dated 06/09/2024 resolved that it is expedient for "The Amreli Jilla Madhyastha Sahakari Bank Ltd." to have a comprehensive Aadhaar Authentication Compliance Policy in order to provide direction to the various stakeholders and responsible personnel within “The Amreli Jilla Madhyastha Sahakari Bank Ltd.” (Sub-AUA/Sub-KUA) for deploying relevant security controls to secure the data of the Aadhaar number holder in compliance with the relevant provisions of the Aadhaar Act, 2016; the Aadhaar and Other Laws (Amendment) Act, 2019; the Aadhaar (Authentication) Regulations, 2016; the Aadhaar (Data Security) Regulations; and the Aadhaar (Sharing of Information) Regulations, 2016.

 

Abbreviations

| Abbreviation | Description |
|---|---|
| ADV | Aadhaar Data Vault |
| API | Application Program Interface |
| ASA | Authentication Service Agency |
| AUA | Authentication User Agency |
| BC | Business Correspondent |
| BGV | Background Verification |
| CCTV | Closed-circuit television |
| CERT-In | Indian Computer Emergency Response Team |
| CIDR | Central Identities Data Repository |
| e-KYC | Electronic Know Your Customer |
| e-Mail | Electronic Mail |
| HSM | Hardware Security Module |
| IDS | Intrusion Detection System |
| IPS | Intrusion Prevention System |
| KUA | e-KYC User Agency |
| NDA | Non-Disclosure Agreement |
| NTP | Network Time Protocol |
| OTP | One-Time Password |
| PID | Personal Identity Data |
| POS | Point of Sale |
| PoT | Point of Transaction |
| RCA | Root Cause Analysis |
| SMS | Short Message Service |
| SOP | Standard Operating Procedure |
| SPOC | Single Point of Contact |
| SSL | Secure Sockets Layer |
| STQC | Standardisation, Testing and Quality Certification |
| UIDAI | Unique Identification Authority of India |
| UID Token | Unique ID Token |
| UUID | Universally Unique Identifier |
| VA | Vulnerability Assessment |
| VID | Virtual ID |
| VPN | Virtual Private Network |
| WAF | Web Application Firewall |
| XML | Extensible Markup Language |
| DPDP | Digital Personal Data Protection |

 

1. Terms and Definitions

  1. “Aadhaar number” means an identification number issued to an individual under sub-section (3) of section 3, and includes any alternative virtual identity generated under sub-section (4) of that section.

Reference: Section 2(a) of the Aadhaar (Targeted Delivery of Financial and other Subsidies, Benefits and Services) Act, 2016 and Section 3(i)(a) of the Aadhaar and Other Laws (Amendment) Act, 2019

  2. “Aadhaar Data Vault (ADV)” means a separate secure database/vault/system where the entities mandatorily store Aadhaar numbers and any connected data such that it will be the only place where the said data will be stored.

Reference: Point number (a) of Circular No. 11020/205/2017 – UIDAI (Auth-I), dated 25.07.2017

  3. “Authentication” means the process by which the Aadhaar number along with demographic information or biometric information of an individual is submitted to the Central Identities Data Repository for its verification and such Repository verifies the correctness, or the lack thereof, on the basis of information available with it.

Reference: Section 2(c) of the Aadhaar (Targeted Delivery of Financial and other Subsidies, Benefits and Services) Act, 2016

  4. “Authentication Service Agency” or “ASA” shall mean an entity providing necessary infrastructure for ensuring secure network connectivity and related services for enabling a requesting entity to perform authentication using the authentication facility provided by the Authority.

Reference: Regulation number 2(f) of the Aadhaar (Authentication) Regulations, 2016

  5. “Authentication User Agency” or “AUA” means a requesting entity that uses the Yes/No authentication facility provided by the Authority.

Reference: Regulation number 2(g) of the Aadhaar (Authentication) Regulations, 2016

  6. “Authority” means the Unique Identification Authority of India established under sub-section (1) of section 11 of the Aadhaar (Targeted Delivery of Financial and other Subsidies, Benefits and Services) Act, 2016.

Reference: Section 2(e) of the Aadhaar (Targeted Delivery of Financial and other Subsidies, Benefits and Services) Act, 2016

  7. “Consent” means the consent referred to in section 11 of the PDP Bill, 2019.

Reference: section 11 of the PDP Bill, 2019 (given below)

  11. (1) The personal data shall not be processed, except on the consent given by the data principal at the commencement of its processing.

  (2) The consent of the data principal shall not be valid, unless such consent is—
    (a) free, having regard to whether it complies with the standard specified under section 14 of the Indian Contract Act, 1872;
    (b) informed, having regard to whether the data principal has been provided with the information required under section 7;
    (c) specific, having regard to whether the data principal can determine the scope of consent in respect of the purpose of processing;
    (d) clear, having regard to whether it is indicated through an affirmative action that is meaningful in a given context; and
    (e) capable of being withdrawn, having regard to whether the ease of such withdrawal is comparable to the ease with which consent may be given.

  (3) In addition to the provisions contained in sub-section (2), the consent of the data principal in respect of processing of any sensitive personal data shall be explicitly obtained—
    (a) after informing him the purpose of, or operation in, processing which is likely to cause significant harm to the data principal;
    (b) in clear terms without recourse to inference from conduct in a context; and
    (c) after giving him the choice of separately consenting to the purposes of, operations in, the use of different categories of, sensitive personal data relevant to processing.

  (4) The provision of any goods or services or the quality thereof, or the performance of any contract, or the enjoyment of any legal right or claim, shall not be made conditional on the consent to the processing of any personal data not necessary for that purpose.

  (5) The burden of proof that the consent has been given by the data principal for processing of the personal data under this section shall be on the data fiduciary.

  (6) Where the data principal withdraws his consent from the processing of any personal data without any valid reason, all legal consequences for the effects of such withdrawal shall be borne by such data principal.

  8. “Demographic information” includes information relating to the name, date of birth, address and other relevant information of an individual, as may be specified by regulations for the purpose of issuing an Aadhaar number, but shall not include race, religion, caste, tribe, ethnicity, language, records of entitlement, income or medical history.

Reference: Section 2(k) of the Aadhaar (Targeted Delivery of Financial and other Subsidies, Benefits and Services) Act, 2016

  9. “e-KYC User Agency” or “KUA” shall mean a requesting entity which, in addition to being an AUA, uses the e-KYC authentication facility provided by the Authority.

Reference: Regulation number 2(l) of the Aadhaar (Authentication) Regulations, 2016

  10. “Global AUAs” means the agencies which will have access to full e-KYC (with Aadhaar number) and the ability to store the Aadhaar number within their system.

Reference: Point number 9(a) of Circular No. 1 of 2018, F. No. K-11020/217/2018-UIDAI (Auth-I), dated 10th January 2018

  11. “Local AUAs” means the agencies which will only have access to Limited KYC and will not be allowed to store the Aadhaar number within their systems.

Reference: Point number 9(b) of Circular No. 1 of 2018, F. No. K-11020/217/2018-UIDAI (Auth-I), dated 10th January 2018

  12. “Hardware Security Module (HSM)” means a device that will store the keys used for digital signing of Auth XML and decryption of e-KYC response data received from UIDAI.

Reference: Point number 4 of Circular No. 11020/204/2017 – UIDAI (Auth-I), dated 22.06.2017

  13. “Identity information” in respect of an individual, includes his Aadhaar number, his biometric information and his demographic information.

Reference: Section 2(n) of the Aadhaar (Targeted Delivery of Financial and other Subsidies, Benefits and Services) Act, 2016

  14. “Limited KYC” means the service that does not return the Aadhaar number and only provides an agency-specific unique UID Token along with other demographic fields that are shared with the Local AUAs depending upon their need.

Reference: Point number 3(II) and 9(b) of Circular No. 1 of 2018, F. No. K-11020/217/2018-UIDAI (Auth-I), dated 10th January 2018

  15. “PID Block” means the Personal Identity Data element which includes necessary demographic and/or biometric and/or OTP collected from the Aadhaar number holder during authentication.

Reference: Regulation number 2(n) of the Aadhaar (Authentication) Regulations, 2016

  16. “Personnel” means all the employees, staff and other individuals employed/contracted by the requesting entities.

Reference: Regulation number 2(1)(f) of the Aadhaar (Data Security) Regulations, 2016

  17. “Reference Key” means an additional key which is mapped with each Aadhaar number stored in the Aadhaar Data Vault.

Reference: Point number (c) of Circular No. 11020/205/2017 – UIDAI (Auth-I), dated 25.07.2017

  18. “Requesting Entity” means an agency or person that submits the Aadhaar number, and demographic information or biometric information, of an individual to the Central Identities Data Repository for authentication.

Reference: Section 2(u) of the Aadhaar (Targeted Delivery of Financial and other Subsidies, Benefits and Services) Act, 2016

  19. “Resident” means an individual who has resided in India for a period or periods amounting in all to one hundred and eighty-two days or more in the twelve months immediately preceding the date of application for enrolment.

Reference: Section 2(v) of the Aadhaar (Targeted Delivery of Financial and other Subsidies, Benefits and Services) Act, 2016

  20. “Sensitive personal data or information” means such personal information which consists of information relating to—
    (i) password;
    (ii) financial information such as bank account or credit card or debit card or other payment instrument details;
    (iii) physical, physiological and mental health condition;
    (iv) sexual orientation;
    (v) medical records and history;
    (vi) biometric information;
    (vii) any detail relating to the above clauses as provided to body corporate for providing service; and
    (viii) any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise;

  provided that any information that is freely available or accessible in the public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force shall not be regarded as sensitive personal data or information for the purposes of these rules.

Reference: Rule 3 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011

  21. “UID Token” means a 72-character alphanumeric string returned by UIDAI in response to an authentication or Limited KYC request. It will be unique for each Aadhaar number for a particular entity (AUA/Sub-AUA) and will remain the same for an Aadhaar number for all authentication requests by that particular entity.

Reference: Point number 10 of Circular No. 1 of 2018, F. No. K-11020/217/2018-UIDAI (Auth-I), dated 10th January 2018

  22. “Virtual ID (VID)” means any alternative virtual identity issued as an alternative to the actual Aadhaar number of an individual that shall be generated by the Authority in such manner as may be specified by regulations.

Reference: Section 3(4) of the Aadhaar (Targeted Delivery of Financial and other Subsidies, Benefits and Services) Act, 2016 and Section 4 of the Aadhaar and Other Laws (Amendment) Act, 2019

 

2. Purpose

The purpose of this policy is to provide direction to the various stakeholders and responsible personnel within The Amreli Jilla Madhyastha Sahakari Bank Ltd. for deploying relevant security controls to secure the data of the Aadhaar number holder in compliance with the relevant provisions of the Aadhaar Act, 2016; the Aadhaar and Other Laws (Amendment) Act, 2019; the Aadhaar (Authentication) Regulations, 2016; the Aadhaar (Data Security) Regulations; and the Aadhaar (Sharing of Information) Regulations, 2016.

 

3. Human Resources
  1. A Technical and a Management SPOC shall be appointed for Aadhaar related activities and communication with UIDAI. UIDAI shall also be informed about the appointment of any new SPOC.
  2. The Amreli Jilla Madhyastha Sahakari Bank Ltd. shall conduct a background check and sign a confidentiality agreement/NDA with all personnel/agencies handling Aadhaar related information. UIDAI or an agency appointed by UIDAI may validate this information.
  3. The Amreli Jilla Madhyastha Sahakari Bank Ltd. shall take an undertaking from BCs / similar entities (if applicable), Sub-AUAs and other third-party contractors that NDAs and BGVs have been completed successfully for their personnel handling Aadhaar related data.
  4. Information security training shall be conducted for all personnel involved in Aadhaar related authentication services during induction and subsequently on a periodic basis. The training shall include all relevant security guidelines as per the UIDAI information security policy for Authentication, the Aadhaar Act, 2016, the Aadhaar Regulations, 2016 and all circulars/notices published from time to time.
  5. Specific and specialised training shall be conducted for the various functional roles involved in the authentication ecosystem.
  6. Training shall be conducted half-yearly and as and when changes are made in the authentication ecosystem. Records of such training shall be maintained.
  7. Access to authentication infrastructure shall not be granted before the personnel have signed the NDA and completed the BGV.
  8. The user ID credentials and access rights of personnel handling Aadhaar related authentication data shall be revoked/deactivated within 24 hours of the exit of the personnel.

 

4. Asset Management
  1. All assets used by The Amreli Jilla Madhyastha Sahakari Bank Ltd. (business applications, operating systems, databases, network etc.) for the purpose of delivering services to residents using Aadhaar authentication services shall be identified, labelled and classified.
  2. Details of each information asset shall be recorded, and an asset inventory shall be maintained and updated as and when required.
  3. The Amreli Jilla Madhyastha Sahakari Bank Ltd. shall define a procedure for disposal of the information assets used for authentication operations. Information systems / documents containing Aadhaar related information shall be disposed of securely.
  4. Before sending any equipment out for repair, the equipment shall be sanitised to ensure that it does not contain any Aadhaar related data. A movement log register of all the equipment sent outside shall be maintained.
  5. The Amreli Jilla Madhyastha Sahakari Bank Ltd. shall not transfer or make an unauthorized copy of any Aadhaar related information, including identity information, to any personal device or other unauthorized electronic media / storage devices.
  6. Controls shall be implemented to prevent and detect any loss, damage, theft or compromise of the assets containing any Aadhaar related information.
  7. The authentication devices used to capture residents’ biometrics shall be STQC certified Registered Devices. All Sub-AUAs, Business Correspondents and other sub-contractors shall also use STQC certified Registered Devices only.
  8. Ownership of authentication assets shall be clearly defined and documented.
  9. All assets (e.g., POS devices, tablets, desktops, laptops, servers, databases etc.) used by The Amreli Jilla Madhyastha Sahakari Bank Ltd. and its sub-contractors for Aadhaar Authentication shall be used only after they have been hardened as per the hardening baseline document. The Amreli Jilla Madhyastha Sahakari Bank Ltd. shall define its own hardening standards, unless specified by UIDAI.

 

5. Access Control
  1. Only authorized individuals shall be provided access to information facilities (such as the Authentication application, audit logs, authentication servers, application source code, information security infrastructure etc.) processing Aadhaar related information. An Access Control List shall be maintained.
  2. The Amreli Jilla Madhyastha Sahakari Bank Ltd., its sub-AUAs, BCs and other third-party personnel with access to UIDAI information assets shall have least-privilege access for information access and processing.
  3. Access rights and privileges to information processing facilities for Aadhaar related information shall be revoked within 24 hours of the exit of the respective personnel. Post deactivation, user IDs shall be deleted if not in use.
  4. Access rights and privileges to information facilities processing Aadhaar related information shall be reviewed on a quarterly basis and the report shall be maintained for audit purposes.
  5. Common user IDs / group user IDs shall not be used. Exceptions shall be approved by The Amreli Jilla Madhyastha Sahakari Bank Ltd.’s senior management and documented where there is no alternative.
  6. Procedures shall be put in place for secure storage and management of administrative passwords for critical information systems; if done manually, then a fire-proof safe or a password vault shall be used and an access log register shall be maintained.
  7. Users shall not be provided with local admin access rights on their systems. Where administrative access is provided, the users shall be prohibited from modifying the local security settings.
  8. In the case of assisted devices and applications where operators must perform application functions (i.e. not a self-service application), operators shall be authenticated using an authentication scheme such as password, Aadhaar authentication, smart card-based authentication, etc.

 

6. Password Policy
  1. The allocation of initial passwords shall be done in a secure manner and these passwords shall be changed at first login.
  2. All user passwords (including administrator passwords) shall remain confidential and shall not be shared, posted or otherwise divulged in any manner.
  3. If passwords are stored in a database or in any other form, they should be stored in an encrypted / hashed form.
  4. Passwords shall be changed whenever there is any indication of possible system or password compromise.
  5. Complex passwords shall be selected with a minimum length of 8 characters, which:
    1. are not based on anything somebody else could easily guess or obtain using person-related information, e.g. names, telephone numbers, dates of birth, etc.;
    2. are free of consecutive identical characters and of all-numeric or all-alphabetical groups;
    3. contain at least one numeric, one uppercase letter, one lowercase letter and one special character;
    4. shall be changed at regular intervals (passwords for privileged accounts shall be changed more frequently than normal passwords);
    5. shall not be any of the last 5 passwords used;
    6. shall not be the same as the username for a particular user;
    7. shall not be reused by a user across the various UIDAI access needs.
  6. Passwords shall not be hardcoded in code, login scripts, any executable program or files.
  7. Passwords shall not be stored or transmitted in applications in clear text or in any reversible form.
  8. Passwords shall not be included in any automated log-on process, e.g. stored in a macro or function key.
  9. Three successive login failures shall result in the user account being locked; the user shall not be able to log in until the account is unlocked and the password reset. The user shall contact the System Engineers/Administrators to get the account unlocked.
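The rules of this section, worked as an added example (not code from the bank or from UIDAI): a complexity check that reports which rules a candidate password breaks, hashed storage with a history of the last five passwords, a change routine that refuses reuse, and a login routine that locks the account on the third successive failure until an administrator resets it. All function, class and field names are assumptions, and PBKDF2-HMAC-SHA256 from the Python standard library is an assumed choice for the "hashed form" the policy requires.

```python
"""Password policy checks modelled on the Password Policy section above.

Added example; not the bank's or UIDAI's code. All names are hypothetical and
PBKDF2-HMAC-SHA256 is an assumed choice for the required hashed storage.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field

MIN_LENGTH = 8               # minimum length of 8 characters
HISTORY_SIZE = 5             # the last 5 passwords may not be reused
MAX_FAILURES = 3             # three successive login failures lock the account
PBKDF2_ITERATIONS = 200_000  # assumption; tune to the deployment's hardware
SPECIAL_CHARS = set(string.punctuation)


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Salted, iterated hash: stored passwords are never clear text or reversible."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def check_complexity(password: str, username: str, personal_info: list[str]) -> list[str]:
    """Return the rules a candidate password breaks; an empty list means it is compliant."""
    problems: list[str] = []
    alnum = "".join(c for c in password.lower() if c.isalnum())
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    # not based on person-related information (names, telephone numbers, dates of birth)
    for item in personal_info:
        token = "".join(c for c in item.lower() if c.isalnum())
        if len(token) >= 3 and token in alnum:
            problems.append(f"based on personal information ({item!r})")
    # free of consecutive identical characters, not all-numeric, not all-alphabetic
    if any(a == b for a, b in zip(password, password[1:])):
        problems.append("consecutive identical characters")
    if password.isdigit():
        problems.append("all-numeric")
    if password.isalpha():
        problems.append("all-alphabetic")
    # at least one digit, one uppercase, one lowercase and one special character
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c in SPECIAL_CHARS for c in password):
        problems.append("no special character")
    # username and password must differ
    if password.lower() == username.lower():
        problems.append("same as username")
    return problems


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    history: list[tuple[bytes, bytes]] = field(default_factory=list)  # recent (salt, digest), newest last
    failures: int = 0
    locked: bool = False
    must_change: bool = True   # the initially allocated password must be changed at first login


def create_account(username: str, initial_password: str) -> Account:
    salt, digest = hash_password(initial_password)
    return Account(username, salt, digest, history=[(salt, digest)])


def change_password(account: Account, new_password: str, personal_info: list[str]) -> list[str]:
    """Apply the new password if it passes all checks; otherwise return the violations."""
    problems = check_complexity(new_password, account.username, personal_info)
    if any(verify_password(new_password, s, d) for s, d in account.history[-HISTORY_SIZE:]):
        problems.append("reuses one of the last 5 passwords")
    if problems:
        return problems
    account.salt, account.digest = hash_password(new_password)
    account.history = (account.history + [(account.salt, account.digest)])[-HISTORY_SIZE:]
    account.must_change = False
    return []


def login(account: Account, password: str) -> str:
    """Returns 'ok', 'wrong password' or 'locked'; a locked account stays locked until admin_unlock."""
    if account.locked:
        return "locked"
    if verify_password(password, account.salt, account.digest):
        account.failures = 0
        return "ok"
    account.failures += 1
    if account.failures >= MAX_FAILURES:
        account.locked = True
        return "locked"
    return "wrong password"


def admin_unlock(account: Account) -> None:
    """Unlocking is an administrator action and forces a password reset at the next login."""
    account.locked = False
    account.failures = 0
    account.must_change = True
```

The personal-information check is deliberately a substring test over letters and digits only, so a name or date of birth cannot be hidden by inserting punctuation; the history check compares against stored hashes rather than keeping old passwords in a recoverable form.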

 

7. Cryptography and Security of Aadhaar number
  1. The Personal Identity Data (PID) block comprising the resident’s demographic / biometric data shall be encrypted as per the latest API specifications rolled out by UIDAI.
  2. The PID shall be encrypted at the end-point device used for authentication and shall remain encrypted during transit and flow within the ecosystem and while sharing this information with ASAs.
  3. The encrypted PID block shall not be stored, except in the case of buffered authentication, for not more than 24 hours, after which it shall be deleted from the local systems.
  4. While providing authentication services to Sub-AUAs, The Amreli Jilla Madhyastha Sahakari Bank Ltd. shall ensure that the client application used for Aadhaar authentication is developed and digitally signed by The Amreli Jilla Madhyastha Sahakari Bank Ltd.
  5. The key(s) used for digital signing of authentication requests and decryption of the e-KYC XML Response shall be stored in an HSM only. The HSM used shall be FIPS 140-2 compliant.
  6. All HSM provisions shall be followed as defined in Circular 11020/204/2017 dated 22nd June 2017 and any subsequent guideline / circular / notice published by UIDAI in this regard.
  7. The authentication request shall be digitally signed by The Amreli Jilla Madhyastha Sahakari Bank Ltd. and/or by the Authentication Service Agency, as per the mutual agreement between them.
  8. Key management activities shall be performed by The Amreli Jilla Madhyastha Sahakari Bank Ltd. to protect the keys throughout their lifecycle. The activities shall address the following aspects of key management, including:
    1. key generation;
    2. key distribution;
    3. secure key storage;
    4. key custodians and requirements for dual control;
    5. prevention of unauthorized substitution of keys;
    6. replacement of known or suspected compromised keys;
    7. key revocation, and logging and auditing of key management related activities.
  9. The Reference Key used for the Aadhaar Data Vault (ADV) should be generated using the Universally Unique Identifier (UUID) scheme so that the Aadhaar number can neither be guessed nor reverse engineered from the reference.
  10. Display of the full Aadhaar number must be restricted to the Aadhaar number holder or to the special roles/users within the agency/department having a need for it. Otherwise, by default, all displays should be masked so that only the last four digits of the Aadhaar number are displayed.
  11. The Amreli Jilla Madhyastha Sahakari Bank Ltd. shall make the necessary changes in its authentication systems for use of Virtual token, UID token and Limited e-KYC.
  12. The Amreli Jilla Madhyastha Sahakari Bank Ltd. shall integrate Virtual Token and UID Token into its services.
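Items 9 and 10 above, worked as an added example that is not the bank's, UIDAI's or any vendor's code: a minimal Aadhaar Data Vault that mints a random UUID (version 4) reference key for each Aadhaar number, returns the full number only to roles with a need and the masked last-four-digits form to everyone else, logs every lookup, and a detective check that flags a raw 12-digit number appearing in a record where only the reference key should travel. All class, role and function names are assumptions, and encryption of the stored mapping at rest is assumed to be provided by the storage layer and is not shown.

```python
"""Aadhaar Data Vault reference keys and display masking.

Added example for this policy, not code from the bank, UIDAI or any vendor.
Class, role and function names are assumptions; encryption of the stored
mapping at rest is assumed to be handled by the storage layer and not shown.
"""
from __future__ import annotations

import re
import uuid

AADHAAR_FORMAT = re.compile(r"^\d{12}$")          # format check only (assumption: no check digit)
# Detective pattern for raw numbers leaking into records, logs or exports:
# 12 digits, optionally grouped 4-4-4 with spaces.
RAW_AADHAAR = re.compile(r"\b\d{4}\s?\d{4}\s?\d{4}\b")

# Constructed roles allowed to see the full number: the holder and users with a need.
FULL_VIEW_ROLES = {"aadhaar_holder", "kyc_verifier"}


def mask_aadhaar(number: str) -> str:
    """Default display form: only the last four digits are visible."""
    return "XXXX XXXX " + number[-4:]


def is_reference_key(value: str) -> bool:
    """True only for a random (version 4) UUID, the scheme prescribed for reference keys."""
    try:
        return uuid.UUID(value).version == 4
    except ValueError:
        return False


def find_raw_aadhaar(text: str) -> list[str]:
    """Every substring that looks like an unmasked Aadhaar number; none should exist outside the vault."""
    return RAW_AADHAAR.findall(text)


class AadhaarDataVault:
    """The one place an Aadhaar number is stored; every other system holds only the reference key."""

    def __init__(self) -> None:
        self._number_by_ref: dict[str, str] = {}
        self._ref_by_number: dict[str, str] = {}
        self.access_log: list[tuple[str, str, str]] = []   # (user, reference key, view granted)

    def tokenize(self, number: str) -> str:
        """Return the reference key for a number, minting a fresh random UUID on first sight.

        A random key carries no information about the number; a deterministic
        hash of a 12-digit value would not give that property."""
        if not AADHAAR_FORMAT.match(number):
            raise ValueError("Aadhaar number must be exactly 12 digits")
        ref = self._ref_by_number.get(number)
        if ref is None:
            ref = str(uuid.uuid4())
            self._ref_by_number[number] = ref
            self._number_by_ref[ref] = number
        return ref

    def resolve(self, ref: str, user: str, role: str) -> str:
        """Full number only for roles with a need; everyone else gets the masked form. Every lookup is logged."""
        number = self._number_by_ref[ref]          # KeyError for an unknown reference key
        view = "full" if role in FULL_VIEW_ROLES else "masked"
        self.access_log.append((user, ref, view))
        return number if view == "full" else mask_aadhaar(number)


def outbound_record_is_clean(record: dict[str, str]) -> bool:
    """A record leaving the vault's zone may carry reference keys, never raw Aadhaar numbers."""
    return not any(find_raw_aadhaar(str(value)) for value in record.values())
```

The same reference key is returned for repeated calls with the same number, so downstream systems can join on it, while two different numbers never share a key; the access log gives the audit trail that the review of access rights in the Access Control section relies on.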

 

8. Physical and Environmental Security
  1. The servers shall be placed in a secure cabinet in The Amreli Jilla Madhyastha Sahakari Bank Ltd.’s Data Centre.
  2. The Data Centre hosting Aadhaar related information shall be fully secured and access controlled.
  3. The Data Centre shall be manned by security guards during and after office hours.
  4. CCTV surveillance shall cover the AUA/KUA servers.
  5. Access to the Data Centre shall be limited to authorized personnel only and appropriate logs of the entry of personnel shall be maintained.
  6. The movement of all incoming and outgoing Aadhaar related assets in the Data Centre shall be documented.
  7. Lockable cabinets or safes shall be provided in the Data Centre and in information processing facilities holding critical Aadhaar related information.
  8. Fire doors and fire extinguishing systems shall be deployed, labelled, monitored and tested regularly.
  9. Preventive maintenance activities, such as audit of fire extinguishers and CCTV, shall be conducted quarterly.
  10. Physical access to the Data Centre and other restricted areas hosting critical Aadhaar related equipment/information shall be pre-approved and recorded along with the date, time and purpose of entry.
  11. Signs or notices legibly setting forth the designation of restricted areas and the provisions of entry shall be posted at all entrances and at other points along the restricted areas as necessary, especially where the servers are physically hosted.
  12. Controls shall be designed and implemented to protect power and network cables from unauthorized interception or damage.
  13. A clear desk and clear screen policy shall be adopted to reduce the risks of unauthorized access, loss and damage to information related to Aadhaar. A screen saver or related technological control shall be implemented to lock the screen of information systems left unattended beyond a specified duration.
  14. Controls such as intrusion detection and evacuation plans shall be implemented for use in an emergency.

 

9. Operations Security
  1. The Amreli Jilla Madhyastha Sahakari Bank Ltd. shall complete the Aadhaar on-boarding process as defined by UIDAI before the commencement of formal operations.
  2. A Standard Operating Procedure (SOP) shall be developed for all information systems and services related to Aadhaar operations. The SOP shall include the activities necessary for the operation and maintenance of the system or service and the actions to be taken in the event of a failure.
  3. Personnel involved in operational/development/testing functions shall not be given additional responsibilities in system administration processes, audit log maintenance or security review of systems or processes, which may compromise data security requirements.
  4. Where segregation of duties is not possible or practical, the process shall include compensating controls, such as monitoring of activities, maintenance and review of audit trails, and management supervision.
  5. The Amreli Jilla Madhyastha Sahakari Bank Ltd.’s personnel shall not intentionally write, generate, compile, copy or attempt to introduce any computer code designed to damage or otherwise hinder the performance of, or access to, any Aadhaar information.
  6. The Test and Production facilities / environments shall be physically and/or logically separated.
  7. A formal Patch Management Procedure shall be established for applying patches to the information systems. Patches shall be applied at both application and server level.
  8. Periodic Vulnerability Assessment (VA) exercises shall be conducted to ensure the security of the Aadhaar infrastructure.
  9. All hosts that connect to the Aadhaar Authentication Service or handle residents’ identity information shall be secured using endpoint security solutions. Anti-virus / malware detection software shall be installed on such hosts.
  10. Network intrusion detection and prevention systems should be in place, e.g. IPS, IDS, WAF, etc.
  11. Event logs recording critical user activities, exceptions and security events shall be enabled and stored to assist in future investigations and access control monitoring.
  12. Regular monitoring of the audit logs shall take place for any possible unauthorized use of information systems, and the results shall be recorded. Access to audit trails and event logs shall be provided to authorized personnel only.
  13. The Amreli Jilla Madhyastha Sahakari Bank Ltd. shall follow all the consent related provisions as defined in the Aadhaar Act, 2016, the Aadhaar Regulations, 2016 and all circulars/notifications published from time to time.
  14. The Amreli Jilla Madhyastha Sahakari Bank Ltd. shall maintain the logs of Aadhaar authentication transactions as defined in the Aadhaar (Authentication) Regulations, 2016.
  15. The Aadhaar authentication logs shall not, in any event, retain the PID information.
  16. The e-KYC data of an Aadhaar number holder, received upon e-KYC authentication, shall be stored in encrypted form after obtaining appropriate consent from the resident. Further, the usage of e-KYC data shall be governed as defined by the Aadhaar Act, 2016, the Aadhaar Regulations, 2016 and all circulars/notifications published from time to time.
  17. The e-KYC data of an Aadhaar number holder, received upon e-KYC authentication, shall be shared with a sub-AUA or any other entity only after obtaining specific permission from UIDAI by submitting an application in this regard. After obtaining the appropriate permissions, the said data may be shared as per the provisions of the Aadhaar Act, 2016, the Aadhaar Regulations, 2016 and all circulars/notifications published from time to time.
  18. The client application used for Aadhaar authentication shall not store biometric data collected during authentication under any circumstances.
  19. The logs of authentication transactions shall be maintained as defined by the Aadhaar Act, 2016, the Aadhaar Regulations, 2016 and all circulars/notifications published from time to time.
  20. The server shall reside in a segregated network segment that is isolated from the rest of the organisation’s network. The server shall be dedicated to online Aadhaar Authentication and shall not be used for any other activities not related to Aadhaar.
  21. All computer clocks shall be set to an agreed standard using an NTP server or shall be managed centrally, and a procedure shall be in place to check for and correct any significant variation.
  22. The Amreli Jilla Madhyastha Sahakari Bank Ltd. and its sub-AUAs, BCs and other sub-contractors performing Aadhaar authentication shall ensure that identity information is not displayed or disclosed to external agencies or unauthorized persons. Also, Aadhaar data mapped with any other departmental data, such as a ration card/birth certificate/caste certificate or any other document/service, shall not be published or displayed on any platform.
  23. No data pertaining to the resident or the transaction shall be stored within the terminal device.
  24. The Amreli Jilla Madhyastha Sahakari Bank Ltd. shall store Aadhaar numbers and Aadhaar related information in a separate secure database / vault / system, which shall be made secure and accessed through internal systems only. This Aadhaar Data Vault must be kept in a highly restricted network zone that is isolated from any untrusted zone and from other internal network zones.
  25. The Aadhaar number and any other data kept in the Aadhaar Data Vault shall be kept in an encrypted format only.
  26. The Amreli Jilla Madhyastha Sahakari Bank Ltd. shall follow all the Aadhaar Data Vault provisions as defined in Circular 11020/205/2017 dated 25th July 2017 and any subsequent guideline / circular / notice published by UIDAI in this regard.
  27. The Amreli Jilla Madhyastha Sahakari Bank Ltd. may be collecting biometrics of residents for purposes other than those defined under the Aadhaar Act, 2016, the Aadhaar Regulations, 2016 and all circulars/notifications published from time to time. In such cases, the Aadhaar number shall not be linked with the biometric data collected for such other purposes.
  28. The user account shall be logged out after the session is finished.
  29. An auto lock-out mechanism for workstations, servers and/or network devices shall be implemented.
  30. The Amreli Jilla Madhyastha Sahakari Bank Ltd. shall not share its e-KYC license key with any other organisation. Sub-AUAs or any other entity shall not perform e-KYC using The Amreli Jilla Madhyastha Sahakari Bank Ltd.’s license key. For better decoupling and independent evolution of the various systems, it is necessary that the Aadhaar number never be used as a domain-specific identifier. In addition, domain-specific identifiers need to be revoked and/or re-issued.
  31. Separate license keys must be generated by The Amreli Jilla Madhyastha Sahakari Bank Ltd. for its Sub-AUAs in the manner prescribed by UIDAI.
  32. The Amreli Jilla Madhyastha Sahakari Bank Ltd. must have its Aadhaar related servers hosted in data centres within India.

Communications security
  1. Each authentication device shall have a Unique Device Code. This number shall be transmitted with each transaction along with UIDAI assigned institution code for The Amreli Jilla Madhyastha Sahakari Bank Ltd. as specified by the latest UIDAI API documents.
  2. A unique transaction number shall be generated automatically by the authentication device which should be incremented for each transaction processed.
  3. The network between The Amreli Jilla Madhyastha Sahakari Bank Ltd., its sub-contractors and the ASA shall be secure. The Amreli Jilla Madhyastha Sahakari Bank Ltd. shall connect with ASAs through leased lines or similar secure private lines. If a public network is used, a secure channel such as SSL or VPN shall be used.
  4. The server shall be hosted behind a firewall. The firewall rules shall block incoming access requests to the server from all sources other than The Amreli Jilla Madhyastha Sahakari Bank Ltd.'s PoT terminals.
  5. Use of web-based e-mail shall be restricted to official use and in accordance with the acceptable usage guidelines or as per organization policy.

Information Security Incident Management
  1. The Amreli Jilla Madhyastha Sahakari Bank Ltd. shall be responsible for immediately reporting to UIDAI any security weaknesses, incidents, possible misuse or violation of any of the stipulated guidelines.
  2. The Amreli Jilla Madhyastha Sahakari Bank Ltd. shall ensure that the sub-AUAs, BCs and other sub-contractors are aware of Aadhaar Authentication related incident reporting.
  3. Root Cause Analysis (RCA) shall be performed for major Aadhaar related incidents identified in its own as well as its sub-contractors' ecosystem.
  4. Any confidentiality breach/security breach of Aadhaar related information shall be reported to UIDAI within 24 hours. 
  5. Report cyber incidents as mentioned in Annexure I of the directions dated 28.04.2022 of CERT-In, bearing no. 20(3)/2022-CERT-In, within 6 hours of noticing such incidents or the same being brought to their notice.
  6. From the effective date of sub-section (6) of section 8 of the DPDP Act, report any personal data breach to the Data Protection Board and notify each affected individual within the time specified by the Act's rules.
  7. Contact Details for Reporting and Escalation:

Internal Bank Contacts

MPOC: Mr. B S Kothiya, General Manager (CEO)
Email: ho@ajmsbank.com
Phone: +91-9825235475

TPOC: Mr. Manish Sukhadiya, Senior Officer, IT
Email: ho@ajmsbank.com
Phone: +91-9427218802

Chief Information Security Officer: Mr. D C Dhanani
Email: ho@ajmsbank.com
Phone: +91-9427218801


  8. Escalation Matrix:

Level 1
Responsible Entity: Business Correspondent
Action Required:
  1. Identify and detect misuse or breach of Aadhaar information.
  2. Inform the Branch Manager.
Time Frame: Within 1 hour of detection or notice of the incident.

Level 2
Responsible Entity: Branch
Action Required:
  1. Understand the reported incident.
  2. Inform the Management/Technical Point of Contact persons of the Bank.
Time Frame: Within 2 hours of receiving the report from the Business Correspondent.

Level 3
Responsible Entity: Head Office
Action Required:
  1. Evaluate the incident and confirm the breach.
  2. Notify UIDAI and Gujarat State Co-operative Bank Limited.
Time Frame: Notify UIDAI and Gujarat State Co-operative Bank Limited within 2 hours of receiving the report from the Branch.


Compliance
  1. The Amreli Jilla Madhyastha Sahakari Bank Ltd. shall comply with the Aadhaar Act 2016, Aadhaar Regulations 2016, UIDAI agreement, as well as other notices and circulars published by UIDAI from time to time.
  2. Applications used for Aadhaar authentication shall be audited by information system auditor(s) certified by STQC / CERT-In, and the compliance audit report shall be submitted to UIDAI. All Sub-AUAs shall also access authentication services only through duly audited client applications.
  3. Permission shall be taken from UIDAI before appointment of an entity as their Sub-AUA. Also, The Amreli Jilla Madhyastha Sahakari Bank Ltd. shall take permission for already appointed Sub-AUAs, if not done already.
  4. The Amreli Jilla Madhyastha Sahakari Bank Ltd. shall ensure that its operations and systems are audited by an information systems auditor certified by a recognised body on an annual basis to ensure compliance with UIDAI standards and specifications and the same shall be shared with UIDAI upon request.
  5. In addition to the audits to be performed by The Amreli Jilla Madhyastha Sahakari Bank Ltd. by itself on an annual basis, UIDAI may conduct audits of the operations and systems of The Amreli Jilla Madhyastha Sahakari Bank Ltd., either by itself or through an auditor appointed by UIDAI.
  6. If any non-compliance is found as a result of the audit, management shall:
    1. Determine the causes of the non-compliance;
    2. Evaluate the need for actions to avoid recurrence of the same;
    3. Determine and enforce the implementation of corrective and preventive action;
    4. Review the corrective action taken.
  7. The Amreli Jilla Madhyastha Sahakari Bank Ltd. shall use only licensed software for Aadhaar related infrastructure environment. Record of all software licenses shall be kept and updated regularly.
  8. The Amreli Jilla Madhyastha Sahakari Bank Ltd. and its ecosystem partners shall ensure compliance to all the relevant laws, regulations as well as other notices, circulars and guidelines as defined by UIDAI from time to time.
  9. A Fraud Analytics module capable of analysing authentication related transactions to identify fraud shall be deployed as part of the Bank's systems.
  10. The Amreli Jilla Madhyastha Sahakari Bank Ltd. shall audit its Sub-AUAs, BCs or other sub-contractors providing Aadhaar Authentication services as per all the relevant laws, regulations as well as other notices, circulars and guidelines as defined by UIDAI from time to time.
  11. For all authentication applications deployed by The Amreli Jilla Madhyastha Sahakari Bank Ltd. and its Sub-AUAs, The Amreli Jilla Madhyastha Sahakari Bank Ltd.'s logo shall be clearly visible.

Change Management
  1. The Amreli Jilla Madhyastha Sahakari Bank Ltd. shall document all changes to Aadhaar authentication applications, Infrastructure, processes and Information Processing facilities.
  2. A change log/register shall be maintained for all such changes performed.

Copyright © 2024 The Amreli Jilla Madhyastha Sahakari Bank Ltd. Design by © Soft-Tech Solutions