• The Directorate of Fire & Emergency Website has been placed in protected zones with implementation of firewalls and IDS (Intrusion Detection System) and high availability solutions.
• Before the launch of the Directorate of Fire & Emergency Website, simulated penetration tests have been conducted. Penetration testing has also been conducted one time after the launch of the Directorate of Fire & Emergency Website.
• The Directorate of Fire & Emergency Website has been audited for known application-level vulnerabilities before the launch and all the known vulnerabilities have been addressed.
• Hardening of servers has been done as per the guideline of Cyber Security division before the launch of the Directorate of Fire & Emergency Website.
• Access to web servers hosting the Directorate of Fire & Emergency Website is restricted both physically and through the network as far as possible.
• Logs are maintained at one location for authorized physical access of Directorate of Fire & Emergency Website servers.
• Web-servers hosting the Directorate of Fire & Emergency Website are configured behind IDS, IPS (Intrusion Prevention System) and with system firewalls on them.
• All the development work is done in a separate development environment and is well tested on the staging server before updating it on the production server.
• After testing properly on the staging server, the applications are uploaded to the production server using SSH and VPN through a single point.
• The content contributed by/from remote locations is duly authenticated & is not published on the production server directly. Any content contributed must go through the moderation process before final publishing to the production server.
• All contents of the web pages are checked for intentional or unintentional malicious content before final upload to web server pages.
• Audit and Log of all activities involving the operating system, access to the system, and access to applications are maintained and archived. All rejected accesses and services are logged and listed in exception reports for further scrutiny.
• All newly released system software patches; bug fixes and upgrades are expediently and regularly reviewed and installed on the web server.
• On Production web servers, Internet browsing, mail and any other desktop applications are disabled. Only server administration related tasks are performed.
• Server passwords are maintained by the Developer M/s. Technotrix, Goa and are not shared.
• Mr. Alan Lobo, Software Developer, M/s. Technotrix, Goa has been designated as Administrator for the Directorate of Fire & Emergency Website and shall be responsible for implementing this policy for each of the web servers. The administrator shall also coordinate with the Audit Team for required auditing of the server(s).
• The Directorate of Fire & Emergency Website has been re-audited for the application-level vulnerability after major modification in application development The Directorate of Fire & Emergency Website has been audited before launch and has complied with all the points mentioned in the policies document of the Cyber Security Group mentioned above.
• The Directorate of Fire & Emergency Website has also been subjected to an automated risk assessment performed through vulnerability identification software before and after the launch and all the known vulnerabilities have been addressed.

 

• Notice & Disclosures:

The Directorate of Fire & Emergency Website will not sell, trade, or disclose the personally identifiable information of its website users to any unauthorized third parties.

• Data Quality and Access:

The Directorate of Fire & Emergency Website takes all steps possible to ensure that the data on the website is accurate. While reviewing the website if something is found to be inaccurate the Directorate of Fire & Emergency Website will make every effort to correct said information as quickly as possible. If it is found to be an inaccuracy with the entire system the Directorate of Fire & Emergency Website will work swiftly to correct the problem so that your web experience is as trouble- free as possible. Any change to your user account will not be reflected on the website until the following business day.  The information contained on the Directorate of Fire & Emergency website is subject to change without prior advance notice.

While using the Directorate of Fire & Emergency website certain information such as your IP Address and time spent on pages may be collected. This non-personal information is collected to monitor any unauthorized use or access to the Directorate of Fire & Emergency site. Anyone caught attempting to harm, steal information from, or otherwise damage the Ministry /Department Name website will be prosecuted to the full extent of the law.

• Application Security Audit:

A Drupal CMS is used in the Directorate of Fire & Emergency Services Website for displaying the information dynamically as per the users’ requests. The application has been security audited for the known application-level vulnerabilities as per Top 10 OWASP and the application security vulnerabilities have been addressed before the launch of the Portal.

The website has been audited by Cert-in empanelled agency periodically. The periodicity shall be one year from the date of issue of certificate or additional changes in the dynamic content carried out whichever is earlier. A periodic check on the requirement of a security certificate is recommended to the web information manager in case there are changes in the functionality or any other environmental changes.

• Server Audit:

The Applications and database servers hosting the Directorate of Fire & Emergency Services website and Databases have been security audited. The hardening of the server has been done. The access to the server is restricted both physically and through the network as far as possible. The Logs are being maintained for authorized physical access to the Directorate of Fire & Emergency Services. The servers have been placed behind the Application firewall in order to make them hidden to the outside public. All the development work is done on a separate development environment and well tested on the staging server before updating it on the production server. The Directorate of Fire & Emergency Services website contents on the NIC Data Centre servers are uploaded using secured SSH and VPN through a single point. The contents are first checked by approval authority before publishing on the website. All contents of the web pages are checked for intentional or unintentional malicious content before final upload of the same on the website. Audit and Log of all activities referring to the operating system, access to the system and access to applications are maintained and archived. All rejected accesses and services are logged and listed in exception reports for further scrutiny. All newly released system software patches, bug fixes and upgrades are deployed regularly and reviewed. The Antivirus has been deployed on the servers and is updated online.

• Data Security:

The Directorate of Fire & Emergency Services takes security very seriously and has therefore taken every precaution to secure our borrowers' information. To secure the user’s information, the Directorate of Fire & Emergency Services has implemented several security measures to prevent loss, theft, or misuse of any borrower data.

• Website Access Rights:

 The website is accessible to the entire world.

Website Architecture: