
IS 15024-1: Technical Product Documentation - Handling of Computer-Based - Technical Information, Part 1: Security Requirements PDF

10 Pages·2001·1.1 MB·English

Internet Standard

Disclosure to Promote the Right To Information

Whereas the Parliament of India has set out to provide a practical regime of right to information for citizens to secure access to information under the control of public authorities, in order to promote transparency and accountability in the working of every public authority, and whereas the attached publication of the Bureau of Indian Standards is of particular interest to the public, particularly disadvantaged communities and those engaged in the pursuit of education and knowledge, the attached public safety standard is made available to promote the timely dissemination of this information in an accurate manner to the public.

“The Right to Information, The Right to Live” (Mazdoor Kisan Shakti Sangathan)
“Step Out From the Old to the New” (Jawaharlal Nehru)
“Invent a New India Using Knowledge” (Satyanarayan Gangaram Pitroda)
“Knowledge is such a treasure which cannot be stolen” (Bhartṛhari, Nītiśatakam)

IS 15024-1 (2001): Technical Product Documentation - Handling of Computer-Based - Technical Information, Part 1: Security Requirements [PGD 24: Drawings]

IS 15024 (Part 1) : 2001
ISO 11442-1 : 1993

Indian Standard

TECHNICAL PRODUCT DOCUMENTATION — HANDLING OF COMPUTER-BASED TECHNICAL INFORMATION

PART 1 SECURITY REQUIREMENTS

ICS 01.110; 35.240.10

© BIS 2001

BUREAU OF INDIAN STANDARDS
MANAK BHAVAN, 9 BAHADUR SHAH ZAFAR MARG
NEW DELHI 110002

August 2001
Price Group 2

Drawings Sectional Committee, BP 24
NATIONAL FOREWORD

This Indian Standard (Part 1) which is identical with ISO 11442-1 : 1993 ‘Technical product documentation — Handling of computer-based technical information: Part 1 Security requirements’ issued by the International Organization for Standardization (ISO) was adopted by the Bureau of Indian Standards on the recommendation of Drawings Sectional Committee and approval of the Basic and Production Engineering Division Council.

This standard (Part 1) covers security aspects involved in the handling of computer-aided design (CAD) information. This computer security is with regard to installation and operation; system security; document contents and communication.

Other parts of this series are given as follows:

IS 15024 (Part 2) : 2001 Technical product documentation — Handling of computer-based technical information: Part 2 Original documentation
IS 15024 (Part 3) : 2001 Technical product documentation — Handling of computer-based technical information: Part 3 Phases in the product design process
IS 15024 (Part 4) : 2001 Technical product documentation — Handling of computer-based technical information: Part 4 Document management and retrieval system

The text of ISO Standard has been approved as suitable for publication as Indian Standard without deviations. In this adopted standard, certain terminology and conventions are not identical to those used in Indian Standards. Attention is particularly drawn to the following:

a) Wherever the words ‘International Standard’ appear, referring to this standard, they should be read as ‘Indian Standard’.
b) Comma (,) has been used as a decimal marker while in Indian Standards the current practice is to use a full point (.) as the decimal marker.

In this adopted standard, reference appears to certain International Standards for which Indian Standards also exist.
The corresponding Indian Standards which are to be substituted in their place are listed below along with their degree of equivalence for the editions indicated:

International Standard | Corresponding Indian Standard | Degree of Equivalence
ISO 10209-1:1992 | IS 8930 (Part 1) : 1995 Technical product documentation — Vocabulary Part 1 Terms relating to technical drawings: General and types of drawings (first revision) | Identical
ISO/TR 10623:1991 | IS 15025 : 2001 Technical product documentation — Requirements for computer-aided design and draughting — Vocabulary | do

1 Scope

This part of ISO 11442 covers security aspects involved in the handling of computer-aided design (CAD) information. Such computer security is divided into four areas:

a) security with regard to installation and operation;
b) system security;
c) security with regard to document contents;
d) security with regard to communication.

Areas a) and b) apply to computerization in any form, irrespective of the subject area, and are therefore not dealt with in detail in this part of ISO 11442, with the exception of backup copying, to which special attention should be paid in computer-aided design techniques.

The use of this part of ISO 11442 is intended to facilitate:

— communication with quality assurance functions within the company and outside;
— consideration of the different security aspects in the design work;
— purchase of appropriate systems and services.

NOTE 1 For access authorization, see 7.1.

2 Normative references

The following standards contain provisions which, through reference in this text, constitute provisions of this part of ISO 11442. At the time of publication, the editions indicated were valid. All standards are subject to revision, and parties to agreements based on this part of ISO 11442 are encouraged to investigate the possibility of applying the most recent editions of the standards indicated below. Members of IEC and ISO maintain registers of currently valid International Standards.

ISO 10209-1:1992, Technical product documentation — Vocabulary — Part 1: Terms relating to technical drawings: general and types of drawings.

ISO/TR 10623:1991, Technical product documentation — Requirements for computer-aided design and draughting — Vocabulary.

3 Definitions

For the purposes of this part of ISO 11442, the definitions given in ISO 10209-1 apply. Further terminology is given in ISO/TR 10623.

4 Structural relationship of computer security

The structural relationship of the various security systems is presented schematically in figure 1.

5 Security with regard to installation and operation

5.1 Installation

Installation of computer equipment shall follow the specifications of the supplier.

5.1.1 Electricity supply

In addition to correct voltage and power, the quality of the electricity supply (protection against brief power cuts and transients) shall be considered. This applies to ordinary power as well as backup power supplies.

5.1.2 Ventilation

Adequate ventilation is required to remove heat generated by the computer.

5.1.3 Cooling

Extensive computer equipment may require separate cooling facilities.

5.1.4 Magnetism

Magnetic tapes, disks and other magnetic media shall be protected against magnetic fields.

5.1.5 Electrostatic environment

The equipment shall be protected against static electricity caused by, for example, synthetic floor coverings.

5.1.6 Trespassing

The location of computers in work areas may require reconsideration of access regulation, to reduce the risk of unauthorized access.

5.2 Operation

5.2.1 Service and maintenance

Service contracts are recommended to limit computer downtime.

5.2.2 Stand-by equipment

To eliminate, as far as possible, long computer downtimes in connection with serious equipment faults, access to suitable stand-by equipment should be guaranteed.

5.2.3 Backup copy

Original backup copying shall be carried out in accordance with established and documented routines. This ensures that entered data are not lost by, e.g., faults in the electrical system, computer malfunction or operator error. The routine shall specify personal responsibility, time schedule, storage medium and storage place, etc. Temperature and humidity control is necessary for some storage media.

Original backup copying is recommended at the end of each day for transactions carried out during the day.

Once a week as a minimum the entire database concerned should be backup-copied. The original backup copy is physically stored in a location different from that of the original document.

6 System security

6.1 Security of operation systems

6.2 Security of application systems

The computer program actually used should be regularly checked against the version that was intended to be used.

7 Security of document contents

7.1 Authorization

Rules shall be laid down concerning authorization to create/design, read/copy, check/approve, revise and phase out document contents.

These rules shall be documented with regard to, among other things, quality assurance.

The use of user identification (user ID) and passwords (or card of authorization, etc.) permits access to:

— various computer-aided activities;
— data for a product range or part of a product range;
— different document types (e.g. item list, assembly drawing).

Passwords and user IDs should not be shared. Passwords should be kept secret and changed regularly; old passwords should not be re-used.

Table 1 gives an example of a distribution of authorization levels.

Each authorized person has a unique user ID and password. The degree of authorization for the user ID shall be approved by the manager of the function area involved and shall be administered by the person in charge of the system. The user ID and password should not have any connection to name, employment number, social security number, birth date or any other related information. Passwords may include non-alphabetic as well as alphabetic characters.

For further information concerning routines for the different computer-aided activities, see ISO 11442-3.

7.2 Copyright

Because not all countries have established legislation forbidding unauthorized copying or use, each document should be provided with a clause prohibiting this.

The clause should be affixed on any document recorded on a physical support. A label containing this clause should be physically taped on the storage medium. The same clause should appear at the beginning and end of the data file when transmitted on a communication medium.

This procedure is adequate in most countries. To obtain protection in many other countries, a copyright marking is required. This marking consists of “© Company name 19XX” (where 19XX is the year in which the contents of the document were made available).

In cases where the symbol © cannot be used, it shall be replaced by the word “COPYRIGHT”.

When important changes are made in the contents of the document, the original year shall be retained and shall be indicated as shown above. At the same time, the year of the revision can be given. This is not mandatory, but the copyright protection time is thereby extended.

8 Communication security

8.1 Transfer protocol checking

Check the rules according to which the data is being transferred from one application package to another. Data shall be in defined form (input/output).

8.2 Data transfer protection

The data which are being transferred shall be protected. Output data shall be in defined form.

Table 1 — Authorization in the design process

Column headings: Person authorized; Create/design; Read/copy; Check/approve; Revise; Phase out; Document type; Product range

NNA x x x x 1 XA
NNB x x 1;3 XA
NNC x 1;2;3 XA
NNC x 1;2;3 XB
NND x x x 1 XB
NNE x x 1;3 XB

[Figure 1 (diagram not reproduced). Legible box labels: Security; Installation and operational security; System security; Security of document contents; Communication security; Operation; Authorization; Data transfer protection.]

Bureau of Indian Standards

BIS is a statutory institution established under the Bureau of Indian Standards Act, 1986 to promote harmonious development of the activities of standardization, marking and quality certification of goods and attending to connected matters in the country.

Copyright

BIS has the copyright of all its publications. No part of these publications may be reproduced in any form without the prior permission in writing of BIS. This does not preclude the free use, in the course of implementing the standard, of necessary details, such as symbols and sizes, type or grade designations. Enquiries relating to copyright be addressed to the Director (Publications), BIS.

Review of Indian Standards

Amendments are issued to standards as the need arises on the basis of comments. Standards are also reviewed periodically; a standard along with amendments is reaffirmed when such review indicates that no changes are needed; if the review indicates that changes are needed, it is taken up for revision. Users of Indian Standards should ascertain that they are in possession of the latest amendments or edition by referring to the latest issue of ‘BIS Catalogue’ and ‘Standards: Monthly Additions’.

This Indian Standard has been developed from Doc : No. BP 24 (0148).

Amendments Issued Since Publication

Amend No. | Date of Issue | Text Affected

BUREAU OF INDIAN STANDARDS

Headquarters: Manak Bhavan, 9 Bahadur Shah Zafar Marg, New Delhi 110002
Telegrams: Manaksanstha
Telephones: 3230131, 3233375, 3239402 (Common to all offices)

Regional Offices (with telephone numbers):

Central: Manak Bhavan, 9 Bahadur Shah Zafar Marg, NEW DELHI 110002. Telephone: 3237617, 3233841
Eastern: 1/14 C.I.T. Scheme VII M, V.I.P. Road, Kankurgachi, KOLKATA 700054. Telephone: 3378499, 3378561, 3378626, 3379120
Northern: SCO 335-336, Sector 34-A, CHANDIGARH 160022. Telephone: 603843, 602025
Southern: C.I.T. Campus, IV Cross Road, CHENNAI 600113. Telephone: 2541216, 2541442, 2542519, 2541315
Western: Manakalaya, E9 MIDC, Marol, Andheri (East), MUMBAI 400093. Telephone: 8329295, 8327858, 8327891, 8327892

Branches: AHMEDABAD. BANGALORE. BHOPAL. BHUBANESHWAR. COIMBATORE. FARIDABAD. GHAZIABAD. GUWAHATI. HYDERABAD. JAIPUR. KANPUR. LUCKNOW. NAGPUR. NALAGARH. PATNA. PUNE. RAJKOT. THIRUVANANTHAPURAM.

Printed at Prabhat Offset Press, New Delhi-2
