SECTION 119 OF THE INCOME-TAX ACT, 1961 – INCOME-TAX AUTHORITIES – INSTRUCTIONS TO SUBORDINATE AUTHORITIES – INFORMATION SECURITY GUIDELINES
CISO INSTRUCTION NO.1 [F.NO.500/62/2015-FTTR-III], DATED 10-7-2015
Confidentiality of Taxpayer information has always been a fundamental cornerstone of tax systems. The tax administration is obliged to keep the information submitted by the taxpayers, including their sensitive financial and personal information, confidential and is required to take steps to ensure that they are not disclosed inappropriately, either intentionally or by accident. Maintaining the confidentiality of taxpayers’ information has assumed a greater significance in view of increased availability of information regarding offshore tax evasion and tax avoidance and stashing of unaccounted money abroad. The information and/or evidence of such tax avoidance/evasion and the underlying criminal activity is often located outside the territorial jurisdiction and is obtained only through bilateral and multilateral co-operation amongst countries/jurisdictions.
2. The Government of India has played an important role on international forums in developing international consensus for such cooperation as per globally accepted norms. The Government of a country/jurisdiction will, however, agree to exchange information with another country only if the information exchanged is kept confidential, used only for the specified purposes and disclosed only to authorized person(s) in accordance with the agreement on the basis of which it is exchanged. It is, therefore, essential that for continued assistance by the treaty partners of India, the information received is kept confidential and is used and disclosed strictly as per the terms of the Agreement.
3. An Information Security Committee (ISC) has been constituted in the Central Board of Direct Taxes (CBDT) under the chairmanship of Member (IT) through orders F. No. 500/137/2011-FTTR-III dated 7th April, 2015 and 19th June 2015 with a view to pulling in place a robust Information Security Mechanism in the Department. The ISC shall consist of a Chief Information Security Officer (CISO) and six other members. The responsibilities of the ISC and CI SO arc enclosed atAnnexure A.
4. It has now been decided that all Cadre Controlling Pr. CCsIT should set up a Local Information Security Committee (LISC) headed by a Pr. CIT level officer and comprising CIT (Administration), two CIT level officers and two Addl./Jt. CIT Level officers. Additional Commissioner (HQ) (Administration) will be the Member Secretary of the LISC. The LISC will be responsible for:
| (a) | Ensuring implementation of the Information Security Policies and Procedures (ISPP) issued by the CISO. | |
| (b) | Ensuring that ongoing information security awareness education and training is provided to all employees. | |
| (c) | Conducting security reviews ensuring that action is taken to plug any identified/potential gaps. | |
| (d) | Providing monthly reports to the CISO on the status of information security policy, violations and information security incidents. |
5. If an unauthorized disclosure takes place, the LISC should undertake an investigation and prepare a complete report, fixing responsibility and recommending actions to be taken against the person(s) concerned for the breach. The report should also suggest measures to be taken to avoid similar incidents in the future. Action for breach of confidentiality including under the conduct rules and initiation of proceedings under section 280 of the Income-tax Act, 1961, may be taken in appropriate cases by the Pr. CCIT/Pr. DGIT/CCIT/DGIT concerned.
6. The Information classification guidelines (based on existing classification as per Manual of Departmental Security Instructions issued by the Ministry of Home Affairs in 1994) are enclosed at Annexure B. All information should be classified into one of the specified categories.
7. Files/documents classified as top secret/secret/confidential/restricted need to be safeguarded since their authorized access or disclosure may cause embarrassment to the Government and result in breach of treaty commitments. Broad guidelines for handling such documents have been provided in Manual on Exchange of Information issued by the CBDT in May, 2015. Detailed instructions in this regard as incorporated in the Manual of Departmental Security Instructions issued by the Ministry of Home Affairs in 1994 must be followed while dealing with such files/documents.
8. Information security guidelines in respect of following domains are enclosed at Annexure C:
| (a) | Physical and environmental security | |
| (b) | Personnel security | |
| (c) | Identity, access and privilege management | |
| (d) | Security monitoring and incident management |
9. The Information security guidelines consist of following sections:
| (a) | Background— Provides an overview and the coverage of each domain and states the important evolutions and developments in each area. | |
| (b) | Relevance of domain to information security—Establishes role and scope of a domain in context of Information Security. | |
| (c) | Management guidelines— Provides domain specific recommendations in the form of guidelines and objectives. These are denoted by the nomenclature “XX.G” followed by the guideline number, where XX is the code for domain. For example, PH.G1, PH.G2, G3 … | |
| (d) | Security controls- Provides control statements which arc administrative, technical, operational or procedural and need to be diligently followed. Security controls provide insight into multiple areas which need to be implemented/addressed in order to achieve the objectives laid out in the management guidelines section. These arc denoted by the nomenclature “XX.C” followed by the control number, where XX is the code for domain. For example, PH.C1, PH.C2, PHC3… | |
| (e) | Implementation guidelines – Provides specific recommendations to aid implementation of management guidelines and security controls. These are denoted by the nomenclature “XX.1G” followed by the implementation guideline number, where XX is the code for domain. For example, PH.IG1, PH.IG2. PH.IG3 … | |
| (f) | Adoption matrix based on information classification – Provides general guidance on the depth of implementation of various controls, while considering the value of information based on its classification. |
10. All Cadre controlling Pr.CCIT/Pr. DGIT (System )/DGsIT should lake necessary steps for implementation of the above information security related guidelines. The buildings should be categorised as follows to enable implementation of the guidelines in a phased manner:
| Building Category | Building Description |
| A | Buildings having offices of Investigation Directorate, Central Charges, I & CI, FT&TR, Systems Directorate |
| B | Buildings having offices of Range Heads (other than covered under category A) |
| C | Remaining buildings |
11. The due dates for taking action are as under:
| S. No. | Action to be taken | Action by | Due Date |
| 1 | Setting up of Local Information Security Committee (LISC) headed by a Pr. CIT level officer | All Pr.CCIT | 31st July 2015 |
| 2 | Submission of list of buildings under Category A and B to CISO | LISC/Pr.CCIT | 31st August 2015 |
| 3 | Implementation of Information Security Policy and Procedures (ISPP) | LISC/Pr.CCIT | On Going |
Annexure A
Annexure B
Annexure C