Goa Human Rights Commission

Security Plan

1. Purpose

The Security Plan of Goa Human Rights Commission establishes the principles, controls, and procedures for safeguarding the website, its data, and its users against unauthorized access, disclosure, alteration, destruction, or disruption. The plan aims to protect the confidentiality, integrity, and availability (CIA) of all website assets and uphold user trust.

2. Scope

This plan covers:

  • The website application, source code, and content.
  • Web servers, application servers, database servers, and supporting infrastructure.
  • User data and any personal or sensitive information processed through the website.
  • All personnel, third-party vendors, and systems interacting with the website.

3. Security Principles

  • Confidentiality: Information is accessible only to those authorized to have access.
  • Integrity: Information is accurate, complete, and protected from unauthorized modification.
  • Availability: Information and services are accessible to authorized users when required.
  • Defence in Depth: Multiple layers of security controls protect the website.
  • Least Privilege: Users and systems have only the minimum access necessary to perform their functions.
  • Accountability: All security-relevant actions are traceable to identified individuals.

4. Security Controls

4.1 Network Security

  • Firewalls configured to allow only required traffic.
  • Web Application Firewall (WAF) deployed to filter malicious requests.
  • Intrusion Detection and Prevention Systems (IDS/IPS) monitoring traffic.
  • DDoS protection at the network and application layers.
  • Network segmentation separating public-facing, application, and database tiers.
  • Secure remote access (VPN) with multi-factor authentication for administrative functions.

4.2 Application Security

  • Secure software development lifecycle (SDLC) practices followed.
  • Parameterized queries, input validation, and context-aware output encoding to prevent injection attacks (SQL injection, cross-site scripting, etc.).
  • CSRF protection on all state-changing operations.
  • Secure session management: unguessable session identifiers regenerated on login and on any privilege change, idle and absolute session expiration, and session cookies flagged Secure, HttpOnly, and SameSite.
  • Protection against OWASP Top 10 vulnerabilities.
  • Regular static and dynamic application security testing (SAST / DAST).
  • Third-party libraries and components updated regularly to patch known vulnerabilities.
  • Administrative interfaces protected and not publicly exposed where avoidable.
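
The following is an added illustration and not code from the Commission's website: a minimal Python implementation of the session and CSRF controls listed above. The in-memory session store, the timeout values, the cookie name and the request dispatcher are assumptions chosen for the example; the CSRF token is bound to the session identifier with an HMAC so that a token captured from one session cannot be replayed against another.

```python
import hashlib
import hmac
import secrets
import time

# In-memory session store standing in for the website's real store
# (constructed for this example; not the Commission's implementation).
SESSIONS = {}

IDLE_TIMEOUT = 15 * 60        # seconds of inactivity after which a session is invalid
ABSOLUTE_TIMEOUT = 8 * 3600   # hard lifetime regardless of activity
# Server-side secret for CSRF tokens; in production it would come from the key vault.
CSRF_KEY = secrets.token_bytes(32)


def create_session(user, now=None):
    """Create a session with a random, unguessable identifier."""
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "created": now, "last_seen": now}
    return sid


def regenerate_session(old_sid, now=None):
    """Rotate the session ID; call on login and on any privilege change.

    This defeats session fixation: an ID that existed before authentication
    never becomes the ID of an authenticated session.
    """
    now = time.time() if now is None else now
    data = SESSIONS.pop(old_sid)          # KeyError if the old ID is unknown
    data["last_seen"] = now
    new_sid = secrets.token_urlsafe(32)
    SESSIONS[new_sid] = data
    return new_sid


def get_session(sid, now=None):
    """Return session data if the ID is known and neither timeout has elapsed."""
    now = time.time() if now is None else now
    data = SESSIONS.get(sid)
    if data is None:
        return None
    if now - data["last_seen"] > IDLE_TIMEOUT or now - data["created"] > ABSOLUTE_TIMEOUT:
        SESSIONS.pop(sid, None)   # expire server-side, not only in the browser cookie
        return None
    data["last_seen"] = now
    return data


def csrf_token(sid):
    """CSRF token bound to the session via HMAC: an attacker cannot compute it
    without the HttpOnly session cookie, and it dies with the session."""
    return hmac.new(CSRF_KEY, sid.encode("ascii"), hashlib.sha256).hexdigest()


def check_csrf(sid, submitted):
    # compare_digest avoids leaking the token through comparison timing
    expected = csrf_token(sid).encode("ascii")
    return hmac.compare_digest(expected, (submitted or "").encode("utf-8"))


def handle_request(sid, method, form, now=None):
    """Minimal dispatcher returning an HTTP status: every request needs a
    live session; state-changing methods also need a matching CSRF token."""
    if get_session(sid, now) is None:
        return 401
    if method in ("POST", "PUT", "PATCH", "DELETE"):
        if not check_csrf(sid, form.get("csrf_token")):
            return 403
    return 200


def session_cookie(sid):
    """Set-Cookie value carrying the flags a session cookie should have."""
    return f"session={sid}; Path=/; Secure; HttpOnly; SameSite=Strict"
```

Note that expiry is enforced on the server side in get_session; a cookie Max-Age alone is not a control, because the browser is under the user's (or an attacker's) control. After regenerate_session the previous identifier and any CSRF token derived from it are rejected.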

4.3 Authentication and Access Control

  • Strong password policy: minimum length, complexity, expiration, and history.
  • Multi-factor authentication (MFA) for administrative and privileged accounts.
  • Role-based access control (RBAC) with clearly defined roles and privileges.
  • Account lockout after repeated failed login attempts, combined with rate limiting and monitoring so that lockout cannot be abused to deny service to legitimate users.
  • Periodic review of user accounts and permissions; removal of dormant accounts.
  • Separate accounts for administrative and non-administrative activities.
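
As an added example (not the Commission's own code), the password-policy check and the failed-login lockout from the list above, written in Python. The thresholds, the sliding window, the in-memory state and the verify callback are assumptions for the example; the credential check itself belongs with the password hashing under data security.

```python
import time
from collections import deque

MAX_FAILURES = 5      # failed attempts (within WINDOW) that trigger a lockout
WINDOW = 15 * 60      # seconds over which failures are counted
LOCKOUT = 15 * 60     # seconds the account stays locked
MIN_LENGTH = 12

# In-memory state standing in for a database or cache (constructed for this example).
_failures = {}       # username -> deque of failure timestamps
_locked_until = {}   # username -> unix time at which the lockout ends


def password_meets_policy(password, username):
    """Minimum length, at least three of four character classes, and no
    password that contains the username."""
    if len(password) < MIN_LENGTH:
        return False
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    if sum(classes) < 3:
        return False
    return username.lower() not in password.lower()


def is_locked(username, now=None):
    now = time.time() if now is None else now
    return _locked_until.get(username, 0) > now


def record_failure(username, now):
    """Count a failure inside the sliding window; lock the account on the
    MAX_FAILURES-th one. Returns True if this failure caused a lockout."""
    q = _failures.setdefault(username, deque())
    q.append(now)
    while q and now - q[0] > WINDOW:   # drop failures older than the window
        q.popleft()
    if len(q) >= MAX_FAILURES:
        _locked_until[username] = now + LOCKOUT
        q.clear()
        return True
    return False


def record_success(username):
    _failures.pop(username, None)
    _locked_until.pop(username, None)


def attempt_login(username, password, verify, now=None):
    """verify(username, password) -> bool is the credential check.
    Returns 'locked', 'ok' or 'failed'. A locked account gives the same
    answer for a right and a wrong password, so the lockout state does
    not act as a password oracle."""
    now = time.time() if now is None else now
    if is_locked(username, now):
        return "locked"
    if verify(username, password):
        record_success(username)
        return "ok"
    record_failure(username, now)
    return "failed"
```

Because the lock is keyed by account, anyone who knows the policy can lock a victim out by submitting five wrong passwords; this is why the lockout bullet above pairs it with per-source rate limiting and monitoring, and why a short, automatically expiring lock is preferable to one that needs an administrator to clear.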

4.4 Data Security

  • Encryption in transit — TLS 1.2 or higher (preferably TLS 1.3) for all communications.
  • Encryption at rest for sensitive data using industry-standard algorithms.
  • Secure key management practices — keys rotated periodically, stored in a secure vault.
  • Passwords hashed using strong, adaptive algorithms (e.g., bcrypt, Argon2).
  • Personal and sensitive data handled in compliance with applicable data protection laws.
  • Data minimization — only data necessary for the stated purpose is collected and retained.
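
The following added example (not the Commission's implementation) shows the password-storage pattern the list above calls for: a random per-user salt, a tunable work factor, a constant-time comparison on verification, and a self-describing record so the work factor can be raised later. It uses scrypt from Python's standard library as a stand-in for the bcrypt or Argon2 named in the plan, because those need third-party packages; the record format and the cost parameters are assumptions chosen for the example.

```python
import hashlib
import hmac
import os

# Current cost parameters (assumed for the example; tune to the server so that
# one hash takes on the order of 100 ms). n=2**14, r=8 needs about 16 MiB of memory.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_LEN = 16
DKLEN = 32


def hash_password(password, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P):
    """Return a storable record: algorithm, parameters, salt and derived key.
    A fresh random salt means two users with the same password get
    different records and precomputed tables are useless."""
    salt = os.urandom(SALT_LEN)
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=DKLEN)
    return f"scrypt${n}${r}${p}${salt.hex()}${dk.hex()}"


def verify_password(password, record):
    """Recompute the derived key with the parameters stored in the record
    and compare in constant time. Malformed records verify as False."""
    try:
        alg, n, r, p, salt_hex, dk_hex = record.split("$")
        if alg != "scrypt":
            return False
        n, r, p = int(n), int(r), int(p)
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
    except (ValueError, AttributeError):
        return False
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=len(expected))
    return hmac.compare_digest(dk, expected)


def needs_rehash(record):
    """True if the record was made with weaker parameters than the current
    policy; call after a successful login and re-hash with the plaintext
    that is in hand at that moment."""
    try:
        alg, n, r, p, _, _ = record.split("$")
    except ValueError:
        return True
    if alg != "scrypt":
        return True
    return int(n) < SCRYPT_N or int(r) < SCRYPT_R or int(p) < SCRYPT_P
```

Storing the parameters alongside the hash is what makes a later cost increase a routine operation rather than a forced reset of every password: old records keep verifying, and each account is upgraded on its next successful login.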

4.5 Server and Infrastructure Security

  • Servers hardened as per industry best practices; unnecessary services disabled.
  • Operating systems and software patched on a defined schedule; critical patches applied promptly.
  • Anti-malware solutions deployed and kept current.
  • File integrity monitoring on critical system and application files.
  • Regular vulnerability scans of servers and network devices.
  • Time synchronization across servers for consistent logging.

4.6 Physical Security

  • Servers hosted in data centres with appropriate physical security — access control, surveillance, fire suppression, and environmental controls.
  • Office premises handling administrative access protected by access control.
  • Visitor access logged and escorted.

4.7 Logging and Monitoring

  • All security-relevant events logged — authentication, privilege changes, data access, configuration changes.
  • Logs stored securely, protected from tampering, and retained as per the retention policy.
  • Centralized log management with real-time alerting on suspicious activity.
  • 24 × 7 monitoring of critical security events.
  • Log review performed daily for anomalies and weekly for trend analysis.
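
As an added example of the real-time alerting described above (not the Commission's monitoring code), the following Python parses a few constructed authentication and privilege-change log lines and runs three detections over them: one source failing against many different accounts (password spraying, which per-account lockout alone does not catch), a success from a source that had just failed repeatedly, and a privilege change an account granted to itself. The log format, field names, thresholds and sample addresses are all assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log in a hypothetical "<timestamp> <event> key=value ..." format
# (not the Commission's real log format). Addresses are from documentation ranges.
SAMPLE_LOG = """\
2024-05-01T09:12:01Z auth_failure user=alice src=203.0.113.7
2024-05-01T09:12:03Z auth_failure user=bob src=203.0.113.7
2024-05-01T09:12:05Z auth_failure user=carol src=203.0.113.7
2024-05-01T09:12:07Z auth_failure user=dave src=203.0.113.7
2024-05-01T09:12:09Z auth_success user=dave src=203.0.113.7
2024-05-01T09:15:00Z auth_failure user=erin src=198.51.100.4
2024-05-01T09:15:30Z auth_success user=erin src=198.51.100.4
2024-05-01T10:00:00Z privilege_change user=dave role=admin actor=dave src=203.0.113.7
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>\w+) (?P<kv>.*)$")


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    ev = {"ts": ts, "event": m["event"]}
    for pair in m["kv"].split():
        key, _, value = pair.partition("=")
        ev[key] = value
    return ev


def parse_log(text):
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def detect_spraying(events, window=timedelta(minutes=10), min_accounts=3):
    """One source, failures against >= min_accounts distinct users inside window."""
    alerts = []
    by_src = defaultdict(list)
    for e in events:
        if e["event"] == "auth_failure":
            by_src[e["src"]].append(e)
    for src, fails in by_src.items():
        for i, first in enumerate(fails):
            users = {f["user"] for f in fails[i:] if f["ts"] - first["ts"] <= window}
            if len(users) >= min_accounts:
                alerts.append({"rule": "password_spraying", "src": src,
                               "accounts": sorted(users), "first_seen": first["ts"]})
                break   # one alert per source is enough
    return alerts


def detect_success_after_failures(events, window=timedelta(minutes=10), min_failures=3):
    """A success from a source with >= min_failures recent failures: likely a
    guessed password rather than a user's typo."""
    alerts = []
    recent = defaultdict(list)   # src -> failure timestamps
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["event"] == "auth_failure":
            recent[e["src"]].append(e["ts"])
        elif e["event"] == "auth_success":
            fails = [t for t in recent[e["src"]] if e["ts"] - t <= window]
            if len(fails) >= min_failures:
                alerts.append({"rule": "success_after_failures", "src": e["src"],
                               "user": e["user"], "failures": len(fails), "ts": e["ts"]})
    return alerts


def detect_self_privilege_change(events):
    """Privilege changes where the actor and the affected user are the same account."""
    return [{"rule": "self_privilege_change", "user": e["user"],
             "role": e.get("role"), "ts": e["ts"]}
            for e in events
            if e["event"] == "privilege_change" and e.get("actor") == e.get("user")]


def run_detections(text):
    events = parse_log(text)
    return (detect_spraying(events)
            + detect_success_after_failures(events)
            + detect_self_privilege_change(events))
```

On the sample above the first source trips all three rules while the second, a single failure followed by a success, trips none; that difference is the point of correlating events rather than alerting on every failed login. The detections depend on the timestamps being comparable across servers, which is why the time-synchronization control under 4.5 matters for monitoring.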

4.8 Backup and Recovery

  • Backups performed, encrypted, and stored as per the Contingency Management Plan.
  • Restoration procedures tested regularly.
  • Backup media access restricted to authorized personnel.

5. Security Testing and Audits

  • Vulnerability scans: Weekly automated scans of the website and infrastructure.
  • Penetration testing: Conducted by qualified testers at least annually and after major changes.
  • Source code review: For significant releases and periodically for core modules.
  • Configuration audit: Quarterly review of server, firewall, and application configurations.
  • Security audit / certification: As required by organizational or regulatory requirements, from an accredited third-party auditor.

6. Incident Response

Security incidents shall be handled as per the incident response workflow defined in the Contingency Management Plan, supplemented by the following security-specific actions:

  • Immediate containment — isolate affected systems, revoke compromised credentials.
  • Preserve evidence for forensic analysis.
  • Determine scope and impact, including whether personal data has been affected.
  • Notify affected parties, regulators, and law enforcement where required by law.
  • Eradicate the threat and remediate vulnerabilities exploited.
  • Restore services from clean backups after verification.
  • Conduct a detailed post-incident review and update controls.

7. Third-Party and Vendor Security

  • Security requirements included in contracts with vendors, hosting providers, and service partners.
  • Vendors assessed for compliance with agreed security standards.
  • Third-party integrations reviewed for security impact before deployment.
  • Access granted to vendors is time-bound, logged, and reviewed periodically.

8. Personnel Security and Awareness

  • Background verification for personnel with privileged access, where appropriate.
  • Security responsibilities clearly defined in job descriptions.
  • Periodic security awareness training — at induction and at least annually thereafter.
  • Simulated phishing exercises to gauge and improve awareness.
  • Non-disclosure and acceptable use agreements signed by personnel with access to sensitive information.

9. Change Management

  • All changes to the website, application, or infrastructure follow a documented change management process.
  • Changes tested in a staging environment before production deployment.
  • Security implications reviewed as part of the change approval process.
  • Rollback procedures defined for every change.
  • Emergency changes documented and retroactively reviewed.

10. Compliance and Privacy

  • Compliance with applicable data protection and privacy laws, including collection, processing, and retention requirements.
  • A privacy notice clearly communicated to users, describing what data is collected and how it is used.
  • User rights — access, correction, deletion, and consent withdrawal — honored in accordance with law.
  • Compliance with applicable sectoral and regulatory security standards.

11. Roles and Responsibilities

  • Chief Information Security Officer (CISO) / Security Officer: Overall accountability for website security; approves this plan and oversees implementation.
  • Web Information Manager: Coordinates security activities related to the website; liaises with security teams.
  • IT / Infrastructure Team: Implements and maintains technical security controls.
  • Development Team: Follows secure coding practices; addresses vulnerabilities promptly.
  • All Users: Adhere to security policies, use strong credentials, and report incidents.

12. Reporting Security Issues

Users, researchers, and members of the public who identify a potential security issue on the website are encouraged to report it responsibly to:

Security Contact
Email: sect-ghrc.goa@nic.in
Phone: 0832-2424031/2424032

Reports will be acknowledged within 2 working days and handled in confidence. Goa Human Rights Commission appreciates responsible disclosure and will not pursue action against researchers who act in good faith within the scope of this plan.

13. Plan Review and Improvement

This Security Plan shall be reviewed at least once every 12 months, and also:

  • After any significant security incident.
  • When new threats or vulnerabilities emerge.
  • When there are major changes in technology, infrastructure, or organization.
  • When required by regulatory or contractual obligations.

14. Contact

Chief Information Security Officer / Security Officer
Goa Human Rights Commission
Email: sect-ghrc.goa@nic.in
Phone: 0832-2424031/2424032