Directorate of Income Tax (Systems)
RSA Token Policy (2016)
(1) What is an RSA Token?
The RSA Token is a secure user authentication system. It is a unique, time-synchronous solution that automatically changes the user’s password every 60 seconds. This makes the solution more secure than event-synchronous systems (such as the presently followed User ID and User Password, which can remain valid for an indefinite period of time). The RSA Token looks as under:
(2) Why is the RSA Token required?
A secure authentication system like the RSA Token is required in an important department like the Income Tax Department (ITD), which will, in due course, maintain a most comprehensive database of the financial details of the top taxpayers and wealth owners. With the advancement of computerization in the Department, especially against the background of the shift from a de-centralized (2-tier) to a centralized (3-tier) system, a need was felt to enhance network security by introducing an additional security layer through the RSA solution.
(3) Objectives of RSA token usage in ITD/ITBA application
The RSA Token provides a higher level of authentication to ensure access only by authentic/valid users. The RSA Token will offer a second level of security apart from the Application User ID & Password. To ensure that the RSA Token provides the necessary additional safeguard, it has been provided with the following features:
The RSA Token number displayed is dynamic & changes frequently, so it cannot be memorized & misused by an unauthorized person.
It is tamper proof.
No one other than authorized ITD users will be able to use it.
(4) Who is eligible for the RSA Token?
The RSA Token is allotted to:
i. All officers (ITO & above), Inspectors, Administrative Officers, DDO, Sr. PS, PS and PA of the Department.
ii. Two staff (Sr.TA/TA/EA/Steno) attached with all officers (ITO and above) of the Department.
iii. Any other official, who is not covered above, on the recommendation of the respective Pr.CCIT/Pr.DGIT.
iv. Any other official, who is eligible for a network node as per the Network Node Policy of the Department.
i. It will be the policy of the Department to allot an RSA Token only once to officer grade users. The same would continue to be retained by the officer as long as the officer grade user is in service.
ii. For a non-gazetted official grade user attached with an officer (ITO and above), the RSA Token would be allotted if he/she is enabled by the officer.
(5) Essentials to implement the RSA Token (binding of the RSA Token with the Employee Code)
Details of Users who are expected to have access to the ITD/ITBA Application will be required to be maintained and constantly updated at the Primary Data Centre (PDC) at New Delhi. The User Details required are as follows:
User Details such as User Name, Designation of Employee, Employee Code, Building name and address would be linked to the allotted physical RSA Token No. The same would be managed in a centralized manner at the Primary Data Centre by the Service Provider of ITBA as RSA Token Database Manager. Through the RSA solution, a proper and constant audit trail would be created for network access, helping to identify the specific employees who are accessing the system. After successful RSA binding, the PIN will be intimated to the respective user via email or mobile.
As the first step, the designated employee would be required to obtain an Employee Number and a name-based email ID from the RCC by filling up the form for this purpose.
(6) How the RSA Token would be used
To access the ITD/ITBA Application, the following steps are to be followed:
While accessing the ITD/ITBA Application, the system will prompt for three pieces of information specific to the user.
i. It will ask you to enter your User ID (Employee number) (e.g. U678456)
ii. In the second field, enter your Password
iii. In the third field, enter your four-digit PIN (the PIN will be informed to the user during RSA binding) followed by the RSA Token Number (i.e. the six digits displayed on the RSA Token, which change every 60 seconds).
For clarity, please refer to the above diagram of the RSA Token, where the six-digit numbers are displayed as 832849 & 983334 respectively.
iv. After RSA authentication, the user will be able to access the ITD/ITBA Application by using the application user ID and password.
v. It is important to note that no user can log into the centralized environment without an RSA Token. Neither the physical RSA Token alone nor the PIN alone is sufficient to access the ITD/ITBA Application. In the event of loss, the RSA Token cannot be used/misused by a third person because the PIN will not be with that person. It would therefore be necessary that officers/officials do not share the PIN with ANYONE.
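The mechanism behind sections 1 and 6, a time-synchronous six-digit code that changes every 60 seconds and is typed as PIN followed by tokencode with neither part sufficient on its own, can be illustrated with a small server-side check. The following is an added example and is not code from the Directorate, ITBA or RSA; it assumes TOTP (RFC 6238, HMAC-SHA1) as a stand-in for the token's proprietary algorithm, and the seed, PIN, password and user record are constructed for the demonstration (the seed is the RFC 4226/6238 test-vector secret, so the codes it produces can be checked against the RFC tables).

```python
import hashlib
import hmac
import struct

# Constructed demo values; none of these are real ITD/ITBA data.
# The seed is the RFC 4226/6238 test-vector secret (ASCII "12345678901234567890").
TOKEN_SEED = b"12345678901234567890"
TIME_STEP = 60      # section 1: the displayed number changes every 60 seconds
CODE_DIGITS = 6     # section 6: six digits are displayed on the token


def tokencode(seed: bytes, unix_time: int, step: int = TIME_STEP,
              digits: int = CODE_DIGITS) -> str:
    """Time-synchronous one-time code.

    TOTP (RFC 6238, HMAC-SHA1) is used here as an assumed stand-in for the
    proprietary algorithm inside the real token: the token and the server
    share a secret seed and derive the same code from the current time step.
    """
    counter = unix_time // step                       # identical on token and server within one step
    digest = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                        # dynamic truncation (RFC 4226 section 5.3)
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


# Hypothetical server-side record created at "RSA binding" (section 5):
# the token's seed and the user's PIN are tied to the Employee Number.
USER_DB = {
    "U678456": {"password": "correct-horse", "pin": "4721", "seed": TOKEN_SEED},
}


def verify_login(user_id: str, password: str, passcode: str, now: int,
                 drift_steps: int = 1) -> bool:
    """Checks the three prompts of section 6: User ID, password, PIN + tokencode.

    `passcode` is the PIN immediately followed by the six-digit tokencode, typed
    into one field. `drift_steps` tolerates token/server clock drift of that many
    60-second steps on either side; a code outside that window is rejected, so a
    passcode observed earlier cannot be reused later.
    """
    rec = USER_DB.get(user_id)
    if rec is None:
        return False
    if not hmac.compare_digest(rec["password"].encode(), password.encode()):
        return False
    pin_len = len(rec["pin"])
    # PIN alone or tokencode alone has the wrong length and fails here.
    if len(passcode) != pin_len + CODE_DIGITS or not passcode.isdigit():
        return False
    pin, code = passcode[:pin_len], passcode[pin_len:]
    if not hmac.compare_digest(rec["pin"].encode(), pin.encode()):
        return False
    for k in range(-drift_steps, drift_steps + 1):
        ts = now + k * TIME_STEP
        if ts < 0:
            continue
        expected = tokencode(rec["seed"], ts)
        if hmac.compare_digest(expected.encode(), code.encode()):
            return True
    return False


def demo() -> dict:
    """Walks through the cases section 6(v) describes and returns the outcomes."""
    t = 75                                     # constructed clock: inside the second 60-second window
    code = tokencode(TOKEN_SEED, t)
    return {
        "code_now": code,
        "code_next_window": tokencode(TOKEN_SEED, t + TIME_STEP),
        "pin_and_code": verify_login("U678456", "correct-horse", "4721" + code, t),
        "pin_only": verify_login("U678456", "correct-horse", "4721", t),
        "code_only": verify_login("U678456", "correct-horse", code, t),
        "wrong_pin": verify_login("U678456", "correct-horse", "0000" + code, t),
        "replayed_4_min_later": verify_login("U678456", "correct-horse", "4721" + code, t + 4 * TIME_STEP),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The drift window of one step is a design choice: the token's clock and the server's clock are never perfectly aligned, so the server accepts the previous and next 60-second window as well, which keeps logins working without letting an old passcode survive for more than a few minutes. The length check is what makes "PIN alone" and "tokencode alone" fail before any secret is compared, matching the rule in section 6(v) that neither is sufficient by itself.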
(7) How the User Details would be collected
The CIT (Admin & CO) would ensure correct, updated and complete User Details as prescribed in para 5 above, through the Building in Charge officers as well as through the proper channel of the HQ of CCIT/DGIT/CIT/DIT. The FMS engineer may also contact the field formation to update the details while carrying out the configuration of details on the RSA Database Manager.
(8) How the User Details would be initially updated, Users trained, and the distribution of R.S.A. Tokens executed
It would be the responsibility of the concerned Pr. CCsIT (CCA) and CsIT (Admin & CO) to update User Details, to organize the briefing meeting on the RSA Token, and to ensure RSA Token distribution.
The CsIT (Admin & CO), with support from the offices of CCIT/CIT (Admn) and the help of the FMS team, would coordinate the above three activities at the HQ of RCC / HQ of CIT (Admn) / HQ of CCIT.
The CCIT office would call the Building in Charge officers up to the rank of Addl/JCIT, and other junior Building in Charge officers, with the User Details of their respective locations in the format given in para 5, for the briefing/training meeting on the RSA Token to be conducted by FMS at the HQ of the CCIT office. The HQ of the office of CCsIT and the CIT (Admin & CO) should extend all facilitation to the team of FMS and this Directorate in the process of updating User Details and conducting the RSA Token distribution meeting.
As far as possible, the acknowledgement for having received the RSA Token may be given by the users themselves. However, for locations other than the CCIT HQ, the RSA Token of the concerned user can be handed over to the Building in Charge officer after verification of the user at the said location by the CIT (Admin & CO). The CIT (Admin & CO) can take the personal help of the Building in Charge officers for verifying users at such locations. The Building in Charge officer, on receiving the RSA Tokens, shall give an acknowledgement not only for his personal RSA Token but also for the others on whose behalf he is collecting RSA Tokens.
The Building in Charge officers up to the rank of Addl./JCIT, or other junior Building in Charge officers, on delivering the RSA Token to the actual users shall obtain the signatures of the actual users and forward a copy of the same to the office of CIT (Admin & CO) and the FMS engineers. The FMS team would share the user details with the ITBA RSA team at the RSA_Support@incometax.goc.in email ID. The CIT (Admin & CO) would keep a consolidated record for all the locations of each RCC. The ITBA RSA team will generate a PIN for every user from the particular location during RSA binding. The PIN will be intimated to the respective user via email or mobile.
(9) How the rest of Users would get training on RSA Token
Further training and briefing sessions on the RSA Token can be organized by the Building in Charge officers.
(10) Safe keeping and local record keeping of RSA Token
After receiving the RSA Token, the User should keep a note of the RSA Token number in some private/secret record. The RSA Token number will be required to be quoted if the RSA Token is lost or stolen. The User should keep the token safe at all times. The RSA Token is similar to an identity document or an ATM/credit card and should be kept safely. Under no circumstances should RSA Tokens be shared/lent to others, including colleagues.
The range head, i.e. Addl/JCIT, would act as the custodian of R.S.A. Tokens for the RSA Tokens allotted to official grade Users of his range. The CIT (Admn & CO) would act as the custodian of R.S.A. Tokens for the RSA Tokens allotted to officer grade Users of his charge, including those of the CCIT/DGIT/CIT (Appeals) offices and officers in the investigation wing and others. In a multi-CsIT charge/CCsIT region, the Pr. CCIT (CCA) may nominate any one CIT to handle the above work.
On the transfer of an official holding an RSA Token, intimation should be immediately sent to the ITBA-RSA team for deactivation of the RSA Token in the following format:
Events such as retirement, suspension and death in harness would presuppose surrender of the RSA Token to the custodian of R.S.A. Tokens. Newly appointed officers would have to be allotted RSA Tokens. It is imperative that all the custodians, namely the range head (i.e. Addl/JCIT CIT) as well as the CIT (Admn & CO) or the CIT nominated by Pr. CCIT (CCA), maintain a complete R.S.A. Token Register in running format for all RSA Tokens allotted to Users, in the following format, along with their return/withdrawal.
R.S.A. Token Register in running format
Since the RSA Token allotted to official grade users may keep changing holder depending on which user is posted in a given circle/ward/TRO, it is necessary that the range head, i.e. Addl/JCIT CIT, shall also maintain a token-wise ledger for all RSA Tokens allotted by him, as under:
Token-wise ledger, as under (Ledger Folio No.)
Thus, two registers are required to be maintained in the office of the range head, i.e. Addl/JCIT.
All spare R.S.A. Tokens will be kept by the CIT (Admin & CO) of the region.
(11) How the R.S.A. Tokens would be stored
In case there is an allocation of excess RSA Tokens (due to vacancies in posts), the spare R.S.A. Tokens will be stocked only with the CIT (Admin & CO) of the region, having regard to the total number of nodes operational under the respective Pr. CCsIT/Pr. DGIT. The details of spare R.S.A. Tokens would be handed over to the CIT (Admin & CO) in the same RSA Token distribution meeting at the HQ of RCC. The CIT (Admin & CO) shall maintain a Spare R.S.A. Token Register in the following format:
Spare R.S.A. Token Register
(12) How the R.S.A. Tokens would be given to any new incoming employee on recruitment after the initial distribution above has been executed
A freshly recruited officer will apply to the CIT (Admn & CO)/CIT nominated by Pr. CCIT (CCA), under intimation/endorsement to the respective JCIT/Addl. CIT and Building in Charge officer, for allotment of an R.S.A. Token after he has been allotted an Employee No.
A freshly recruited official who would be required to access the ITD/ITBA Application will apply before the respective range head, i.e. Addl/JCIT, under intimation/endorsement to the respective Building in Charge officer, to get the R.S.A. Token after he has been allotted an Employee Number and a name-based email ID.
The new incoming employee (whether officer or official), on recruitment, will have to furnish all the details relating to User Name, User’s Designation, Employee Code No., Building name and address where the Employee is posted, Building in Charge (Nodal) Officer, etc.
The CIT (Admin & CO) would physically hand over the R.S.A. Token to the range head, i.e. Addl/JCIT, or the CIT nominated by Pr. CCIT (CCA), who would then hand it over to the new incoming User.
The range head, i.e. Addl/JCIT, or the CIT nominated by Pr. CCIT (CCA) should ensure that intimation of User Details (scanned copy of the duly signed prescribed format) is sent to CIT (Admin & CO)/FMS Helpdesk through an Email (Refer Annexure) to link up the R.S.A. Token given by any of them and activate the R.S.A. Token. However, in no case would such a request for activating the R.S.A. Token be entertained by the RSA Token Data Manager if the request is made by the User himself or by a Building in Charge officer below the rank of JCIT/Addl. CIT.
(13) How maintenance/management of R.S.A. Tokens would be done on a day-to-day basis
An employee may not be available to work on the system in five different situations: (i) the employee proceeding on leave such as E.L./H.P.L./E.O.L. etc., (ii) the employee’s transfer, (iii) the employee’s retirement, (iv) the employee’s death and (v) the employee’s suspension.
i. When an Employee proceeds on leave (E.L./H.P.L./E.O.L. etc.)
Where an Officer proceeds on leave (5 or more days) such as E.L./H.P.L./E.O.L. etc., the RSA Token need not be handed over. The communication regarding the leave and the officer taking over as successor incumbent is to be sent to CIT (Admin & CO)/FMS Helpdesk through an Email (Refer Annexure) to de-link his RSA Token. In case the successor incumbent is not decided due to emergency or procedural problems, the communication regarding the leave is still to be sent to CIT (Admin & CO)/FMS Helpdesk as mentioned above.
The successor incumbent has to communicate with the FMS Helpdesk at the time of taking over, to link his RSA Token.
Officials proceeding on leave (5 or more days) such as E.L./H.P.L./E.O.L. etc. should hand over the R.S.A. Token to the successor incumbent (posted at the same station). If that is not possible, the R.S.A. Token has to be handed over to the immediate superior officer (posted at the same station). If neither the successor incumbent nor the immediate superior officer is posted at the same station, the R.S.A. Token has to be handed over to another officer/official as per the direction of the range head. The fact should be recorded in the Handing over/Taking over charge Report itself. A communication regarding the leave is to be sent to CIT (Admin & CO)/FMS Helpdesk through an Email (Refer Annexure). The ITBA-RSA team will de-link the RSA Token if the official is going on leave and it is not handed over to the successor. The successor incumbent, decided by the immediate supervisory officer/range head, would ensure receiving the RSA Token and PIN. The successor incumbent has to communicate taking over as successor incumbent to CIT (Admin & CO)/FMS Helpdesk through an Email (Refer Annexure) to link his RSA Token.
ii. Where an Employee has been transferred and has joined duties at a new location
In case of an officer’s transfer, the R.S.A. Token will remain with him/her. However, the transferred officer has to intimate his/her transfer details (old/new designation & location) to CIT (Admin & CO)/FMS Helpdesk through an Email (Refer Annexure) to de-link his old designation from his RSA Token.
In case of an official’s transfer, the R.S.A. Token will have to be returned to the respective range head under intimation to the respective CIT (Admn)/CIT nominated by CCIT (CCA) and the respective Building in Charge officer. The range head would also intimate the official’s transfer to CIT (Admin & CO)/FMS Helpdesk through an Email (Refer Annexure) to de-link the RSA Token from the transferred official. An RSA Token will be issued to the new official by the respective range head.
iii. Employee Retirement
In case of an officer’s retirement, the R.S.A. Token will be returned to the respective CIT (Admn.)/CIT nominated by Pr. CCIT (CCA) under intimation to the respective JCIT/Addl. CIT and the respective Building in Charge officer. The CIT (Admn.)/CIT nominated by CCIT (CCA) would take charge of the R.S.A. Token from the retiring employee (whether officer or official) and would also intimate the User Details to CIT (Admin & CO)/FMS Helpdesk through an Email (Refer Annexure) to de-link the R.S.A. Token received back by the CIT (Admn.)/CIT nominated by Pr. CCIT (CCA). This should be adopted as part of the retirement procedures. Just like the CGHS Card and Identity Card, the RSA Token should also be surrendered before retirement dues are finally released and the ‘No Due’ certificate is given.
In case of an official’s retirement, the R.S.A. Token will have to be returned to the respective range head under intimation to the respective CIT (Admn.)/CIT nominated by Pr. CCIT (CCA) and the respective Building in Charge officer. The range head would take charge of the R.S.A. Token from the retiring official and would also intimate the User Details to CIT (Admin & CO)/FMS Helpdesk through an Email (Refer Annexure) to deactivate the RSA Token. This should be adopted as part of the retirement procedures. Just like the CGHS Card and Identity Card, the RSA Token should also be surrendered before retirement dues are finally released and the ‘No Due’ certificate is given.
iv. Employee’s Death
In case of Officer’s Death
The procedure would remain the same as stated in sub-para (iii) above. The deceased officer’s family will have to return the RSA Token to the CIT (Admn.)/CIT nominated by Pr. CCIT (CCA), as stated in Para 10 above, before the pension papers are processed.
The CIT (Admn.)/CIT nominated by Pr. CCIT (CCA) will inform CIT (Admin & CO)/FMS Helpdesk through an Email (Refer Annexure) to deactivate the RSA Token.
In case of an official’s Death
The procedure would remain the same as stated in sub-para (iii) above. The deceased official’s family will have to return the RSA Token to the range head before the pension papers are processed.
The Range Head will inform CIT (Admin & CO)/FMS Helpdesk through an Email (Refer Annexure) to deactivate the RSA Token.
v. Employee’s Suspension
The procedure would remain the same as stated in sub-para (iii) above. In any case, even if the employee’s RSA Token is not received back physically for any reason whatsoever, it would be the duty of the CIT (Admn.)/CIT nominated by Pr. CCIT (CCA) or the range head, as the case of officer or official may be, as stated in Para 10 above, to intimate CIT (Admin & CO)/FMS Helpdesk through an Email (Refer Annexure) of the event within 24 hours and to get the token deactivated.
(14) What happens in case of loss/misplacement of tokens, or if a Token is stolen?
The employee (whether officer or official) should report the loss of an RSA Token immediately to his immediate superior officer. A complaint may also be lodged with the police. A copy of the complaint is to be given to the range head/CIT (Admn.)/CIT nominated by Pr. CCIT (CCA) and the respective Building in Charge officer. The range head/CIT (Admn.)/CIT nominated by Pr. CCIT (CCA) would make an entry in the R.S.A. Token Register and would also intimate the User Details of the lost RSA Token number to CIT (Admin & CO)/FMS Helpdesk through an Email (Refer Annexure) in order to deactivate the lost R.S.A. Token. This intimation should be given within 24 hours of the employee reporting the loss, to prevent unauthorized entry to the ITD network.
The User who has lost/misplaced his token will not be able to log on to the Network and the ITD/ITBA Application till he gets a new token as stated in Para 12 above. Since each RSA Token costs approx. Rs. 3300/-, the range head/CIT (Admn.)/CIT nominated by Pr. CCIT (CCA), after receiving an intimation of a lost RSA Token, has to obtain a written explanation about the reason for the loss/misplacement/damage of the RSA Token from the concerned User. There will be a charge of Rs. 100/- towards handling charges for issuing another RSA Token. In case an RSA Token is lost twice or more by the same employee, the full replacement value of the RSA Token, i.e. Rs. 3300/-, may be asked to be paid. The range head/CIT (Admn)/CIT nominated by Pr. CCIT (CCA) can issue a fresh RSA Token from the spare stock of R.S.A. Tokens and, if the same is not available, place an order with the CIT (Admin & CO) for additional tokens in advance. The CIT (Admin & CO) should ensure that spare RSA Tokens are available at all times to meet such exigencies. Orders should be placed with DIT (Systems) for additional spare RSA Tokens as and when the CIT (Admin & CO) finds that the available stock has depleted. A damaged RSA Token will be replaced by the custodian of RSA Tokens free of cost, and the necessary entry should be made in the stock register for having received the damaged/defective RSA Token.
Annexure-A: Contact details of CIT (CO & Admin) offices w.r.t. RSA Token