
    GIGW 3.0

    Policy Templates for STQC Certification

    To keep delivering government information and services of consistently good quality through a department's website, while continually conforming to the GIGW guidelines, it is important to establish a framework of "ground rules" that can be clearly understood and honoured by all website stakeholders, both in the design and in the daily operation of the website. These ground rules cover all factors that may affect the accuracy and validity of the website's content, its accessibility, its security, its uptime and so on. To enable all government website stakeholders to adopt a consistent and tested framework, so that uniformity can be maintained, a set of template policies has been devised. These templates can be customised to reflect the specific details of each website. Conformance, in letter and spirit, to the policies included in this handbook would ensure that the website meets citizen expectations at all times: authentic, accurate, easily accessible information from a credible source such as an official government website.

    Content Archival Policy (CAP)

    Purpose:

    Government websites are generally storehouses of a large number of documents and reports which are of relevance and importance to specific audiences as well as to citizens at large. Many of these documents also have historical importance and are referred to extensively for academic and research purposes. Such documents can be kept for online access only for a specific period of time and need to be moved to offline archives on expiry of the pre-decided duration. Keeping the offline archive matters because these old documents sometimes need to be referred to for regulatory or legal purposes.

    The Departments MUST have a clear-cut Archival Policy for such old documents, stating for how long they will be kept online, when they will be moved to offline archives, and if and when they will be permanently deleted or purged.

    Template

    • The <section names e.g., visitor statistics, newsletter and spotlight items> will be archived online automatically on entering the <y>th year from the date of their publishing.
    • <Name of Ministry / Department / Organization> maintains online archives for a period of <x years> to allow for the retrieval of content which has expired.
    • <Schemes, Tenders, Forms, Recruitment Notices> which have been withdrawn or discontinued, or which have remained in the archive for more than <x years>, may be expunged.

    Content Contribution, Moderation, & Approval Policy (CMAP)

    Purpose:

    Each and every bit of content published on a government website should be verified and checked thoroughly as the public expects nothing less than authentic and accurate information from a credible source such as an official government website.

    The Departments MUST have a Content Contribution, Moderation and Approval Policy (CMAP) stating the responsibility, authorisation and workflow details with regard to content publishing on the site.

    Scope:

    • Departments/Agencies must have a (documented) process and audit trail to ensure that content has an appropriate authorization from within the Department/Agency before being published to the website
    • The documentation at minimum must show who has the authority to approve content and track the approval for each content item (showing who approved and when)
    • Depending on the scale of a website, a suitable Content Contribution, Moderation and Approval Policy (CMAP) structure may be adopted.
    • This can be implemented easily by assigning workflow roles in the Content Management System.

    Template

    Policy Statement for 2-tiered CMAP structure (for small websites)

    The <Website / Portal / Web Application> of <Name of Ministry / Department / Organization> represents a single department where most content is contributed by a single set of sources. We hereby adopt a 2-tiered structure to implement CMAP, requiring a minimum of 2 officials to execute the CMAP roles, viz.,

    • Contributor
    • Moderator/Approver

    Template to implement 2-tiered CMAP structure for small websites

    SECTIONS                                                  | CONTRIBUTOR                          | MODERATOR & APPROVER
    Home page                                                 | <role>                               | <role>
    News, Press Releases, Recruitments, Tenders etc           | <role>                               | <role>
    Who's Who, Organization Chart, Circulars/Notifications    | <Preferably Admin/Personnel Deptt>   | <Preferably HOD Admin/Personnel>
    Acts, Documents, Forms, Reports etc                       | <role>                               | <role>

    Policy Statement for 3-tiered CMAP structure (for large websites)

    The <Website / Portal / Web Application> of <Name of Ministry / Department / Organization> represents multiple divisions/departments. We hereby adopt a 3-tiered structure to implement CMAP, requiring a minimum of 3 officials to execute the CMAP roles, viz.,

    • Contributor
    • Moderator
    • Approver

    Template to implement 3-tiered CMAP structure for large websites

    SECTIONS                                                      | CONTRIBUTOR                          | MODERATOR                                 | APPROVER
    Section 1: Home & common sections (e.g., FAQs, Help);         | <Preferably Admin/Personnel Deptt>   | <Preferably Admin/Personnel Deptt HoD>    | <Preferably Web Information Manager>
    Who's Who, Organization Chart, Circulars/Notifications        |                                      |                                           |
    <Section 2: Department 1>                                     | <Preferably Deptt-1>                 | <Preferably HOD>                          | <Preferably Web Information Manager>
    <Section 3: Department 2>                                     | <Preferably Deptt-2>                 | <role>                                    | <role>

    Copyright Policy

    Purpose:

    Copyright is a form of protection provided under law to the owners of “original works of authorship” in any form or media. It is implied that the original information put up on the website by a Government Department is by default a copyright of the owner Department and may be copied, reproduced, republished, uploaded, posted, transmitted, or distributed only if the copyright policy of the concerned Department allows so. The copyright policy of a Department could be liberal, moderate or conservative depending upon their preferences based on the kind of information available on their website.

    However, since it is a duty of a Government Department to provide all the information in the public domain freely to the citizens, the Departments should aim to have a liberal copyright policy.

    Template Moderate

    Material featured on this <Website / Portal / Web Application> may be reproduced free of charge after obtaining proper permission by sending a mail to us. However, the material has to be reproduced accurately and must not be used in a derogatory manner or in a misleading context. Wherever the material is being published or issued to others, the source must be prominently acknowledged. The permission to reproduce this material does not extend to any material which is identified as being the copyright of a third party. Authorisation to reproduce such material must be obtained from the departments/copyright holders concerned.

    These terms and conditions shall be governed by and construed in accordance with the Indian Laws. Any dispute arising under these terms and conditions shall be subject to the exclusive jurisdiction of the courts of India.

    Template Conservative

    Material featured on this <Website / Portal / Web Application> may NOT be reproduced under any circumstances.

    These terms and conditions shall be governed by and construed in accordance with the Indian Laws. Any dispute arising under these terms and conditions shall be subject to the exclusive jurisdiction of the courts of India.

    Template Liberal

    Material featured on this <Website / Portal / Web Application> may be reproduced free of charge. However, the material has to be reproduced accurately and must not be used in a derogatory manner or in a misleading context. Wherever the material is being published or issued to others, the source must be prominently acknowledged. The permission to reproduce this material does not extend to any material which is identified as being the copyright of a third party. Authorisation to reproduce such material must be obtained from the departments/copyright holders concerned.


    Content Review Policy (CRP)

    Purpose: 

    Every piece of content appearing on the government website should be reviewed after a pre-decided duration for its accuracy, relevance and currency. All Government Departments MUST formulate a proper web Content Review Policy (CRP) depending upon the nature of their content and if possible also publish the policy on their website.

    Template

    The <Name of Ministry / Department / Organization Website / Portal / Web Application> is the face of the government disseminating government information and services. This content Review Policy has been formulated to keep the content on the <Website / Portal / Web Application> current and up-to-date. Since the type of the content on the <Name of Ministry / Department / Organization Website / Portal / Web Application> varies, different Review timelines are defined for the diverse content elements.

    This Review Policy is based on different types of content elements, their validity and relevance as well as the archival policy.

    As a general rule: 

    • The entire website content shall be reviewed in a phased manner over a period of <x months> to ensure the currency of the content. Exceptions to the above are listed below:

    Content Review Timeline

    SECTION                                     | REVIEW PERIODICITY
    Home Page                                   | <periodicity e.g., Daily>
    News Page                                   | Daily
    Who's who list                              | As and when required
    Newsletter, Circulars, Notifications etc    | No review required
    Acts, Rules                                 | <periodicity e.g., 1 year>

    Contingency Management Plan & Disaster Recovery Process

    Purpose: 

    The website of a Government Department is its presence on the Internet, and it is very important that the site is fully functional at all times. Government websites are expected to deliver information and services on a 24×7 basis. Hence, all efforts should be made to minimise the downtime of the website as far as possible.

    It is therefore necessary that a proper Contingency Plan MUST be prepared in advance to handle any eventualities and restore the site in the shortest possible time.

    Template

    <Name of Ministry / Department / Organization Website / Portal / Web Application> has been placed in protected zones with implementation of firewalls and IDS (Intrusion Detection System) and high availability solutions.

    1. Defacement Protection 
      • <Name of Ministry / Department / Organization Website / Portal / Web Application> is audited for security vulnerabilities and for performance degradation.
      • Any application-level modification on the <Name of Ministry / Department / Organization Website / Portal / Web Application> requires a re-audit.
      • All server configurations and logs are monitored regularly.
      • Only system administrator users are allowed to access the servers for administration and configuration tasks.
      • All backend servers are physically locked and network-secured.
      • Contents are updated through a <secure FTP using VPN / CMS>.
    2. Monitoring 
      • There are <two> ways of monitoring for defacement of <Name of Ministry / Department / Organization Website / Portal / Web Application>.
      • The Cyber Security division monitors the site by analyzing the log files.
      • <Website Monitoring Team specifics> also checks the <Name of Ministry / Department / Organization Website / Portal / Web Application> at intervals of <frequency> for possible defacement or undesirable change in the <Name of Ministry / Department / Organization Website / Portal / Web Application>. (in case the site has a dedicated monitoring team)
    3. Defacement Response Plan 

      In case of any eventuality, whoever notices the defacement (either Website Monitoring Team or Cyber Security) informs the Web Information Manager on phone as well as through mail. NIC Cyber Security Division or Help Desk also informs the Administrator <Name of Ministry / Department / Organization Website / Portal / Web Application> on telephone and also by mail.

      S. NO. PERSON IN CHARGE DESIGNATION MAIL ADDRESS TELEPHONE NUMBER
      1 <Name>
      2 <Name>
      3 <Name>

      As soon as the <Name of Ministry / Department / Organization Website / Portal / Web Application> Server Administrator gets the information regarding the defacement, s/he takes the following steps.

      • According to the degree of defacement, the site is stopped or continued partially.
      • Log files are analyzed to trace the source of the defacement, and the offending access or service is blocked.
      • Type of the defacement is analyzed and fixed.
      • The Portal Service is started from the DR site in case of complete loss of data or during long downtime.
      • Log files are given to the security division for analysis.
      • Based on security recommendations, all vulnerabilities are fixed and the application is re-audited.
      • The affected/corrupted content and the site are restored from the backup.

      Time for Restoration after defacement 

      The time taken for restoration depends on the degree of defacement and services affected by the defacement. Ideally it will take <x hours> for the restoration.

    4. Natural Calamity Response Plan 

      There could be circumstances whereby due to some natural calamity (it may be due to any reason that is beyond control of any person), the entire data centre where the <Name of Ministry / Department / Organization Website / Portal / Web Application> has been hosted gets destroyed or ceases to exist. In such a case first of all the In-charge of the National Data Centre will declare the natural calamity and would instruct the sites to be started from the DR site, which is located at <Name of Data Center Location>.
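    The monitoring step above (item 2) and the first steps of the defacement response plan depend on being able to tell, quickly and mechanically, that a page no longer matches what was approved for publication. The following script is an added example, not part of the GIGW template or of any NIC tooling: it fingerprints a known-good copy of each monitored page with SHA-256 after stripping HTML comments and whitespace (so that a regenerated build timestamp does not raise a false alarm), re-checks the live pages on each run, and flags any page that differs or is unreachable. The page bodies, paths and the defacement-marker patterns are constructed for the example; the `fetch` callable is assumed to be whatever the monitoring team uses to retrieve a page body.

```python
"""Page-integrity monitor for defacement detection (added example)."""
import hashlib
import re
from dataclasses import dataclass

# Constructed known-good page bodies, keyed by path; in practice these are
# taken from the last approved publish of each monitored page.
KNOWN_GOOD = {
    "/": "<html><body><h1>Ministry of X</h1><p>Welcome</p>"
         "<!-- generated 2024-01-01 10:00 --></body></html>",
    "/tenders": "<html><body><h1>Tenders</h1><ul><li>Tender 1</li></ul></body></html>",
}

# Constructed strings that commonly appear in defaced pages or injected content.
SUSPICIOUS = re.compile(
    r"hacked by|owned by|<iframe|<script[^>]+src=[\"']https?://", re.I)


@dataclass
class Finding:
    path: str
    status: str          # "ok", "changed" or "missing"
    detail: str = ""


def normalise(html: str) -> str:
    """Drop HTML comments (build timestamps live there) and collapse whitespace,
    so that a cosmetic regeneration of the same content hashes identically."""
    html = re.sub(r"<!--.*?-->", "", html, flags=re.S)
    return re.sub(r"\s+", " ", html).strip()


def fingerprint(html: str) -> str:
    return hashlib.sha256(normalise(html).encode("utf-8")).hexdigest()


def build_baseline(pages: dict) -> dict:
    """path -> fingerprint, computed once from the approved content."""
    return {path: fingerprint(body) for path, body in pages.items()}


def check_pages(baseline: dict, fetch) -> list:
    """Re-fetch every baselined page via `fetch(path) -> body | None` and
    compare. A mismatch is reported with the first defacement marker found,
    if any, so the responder can triage before reading the whole page."""
    findings = []
    for path, expected in baseline.items():
        body = fetch(path)
        if body is None:
            findings.append(Finding(path, "missing", "page unreachable"))
            continue
        if fingerprint(body) != expected:
            m = SUSPICIOUS.search(body)
            detail = (f"defacement marker: {m.group(0)!r}" if m
                      else "content differs from baseline")
            findings.append(Finding(path, "changed", detail))
        else:
            findings.append(Finding(path, "ok"))
    return findings


def needs_escalation(findings: list) -> bool:
    """True if anything should be reported to the Web Information Manager."""
    return any(f.status != "ok" for f in findings)


if __name__ == "__main__":
    baseline = build_baseline(KNOWN_GOOD)
    # Simulated live site: home page defaced, tenders page gone.
    live = {"/": "<html><body><h1>Hacked by nobody</h1></body></html>"}
    for f in check_pages(baseline, live.get):
        print(f.path, f.status, f.detail)
    # prints: / changed defacement marker: 'Hacked by'
    #         /tenders missing page unreachable
```

    Run it from cron at the <frequency> the template specifies; the baseline must be rebuilt whenever the CMAP workflow publishes approved changes, otherwise every legitimate update will be reported as a change.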

    Hyperlinking Policy

    Purpose:

    Since government websites receive queries and requests from owners of other websites who might want to provide a hyperlink to their web pages, every Indian government website must have a comprehensive and clear-cut hyperlinking policy defined and spelt out for those who wish to hyperlink content from any of its sections. The hyperlinking policy enumerates the detailed criteria and guidelines with respect to hyperlinks with other sites. The basic hyperlinking practices and rules should ideally be common across the websites of any government entity e.g., State/Ministry.

    Template

    Links to external websites/portals

    At many places in this <Website / Portal / Web Application>, you will find links to other <Websites / Portals / Web applications / Mobile apps>. These links have been placed for your convenience. <Department Name> is not responsible for the contents of the linked destinations and does not necessarily endorse the views expressed in them. The mere presence of a link, or its listing on this <Website / Portal / Web Application>, should not be taken as an endorsement of any kind. We cannot guarantee that these links will work all the time, and we have no control over the availability of the linked destinations.

    Links to <Website / Portal / Web Application> by other websites

    We do not object to you linking directly to the information that is hosted on this <Website / Portal / Web Application>, and no prior permission is required for the same. However, we would like you to inform us about any links provided to this <Website / Portal / Web Application>, so that you can be informed of any changes or updates therein. Also, we do not permit our pages to be loaded into frames on your site. The pages belonging to this <Website / Portal / Web Application> must load into a newly opened browser window of the User.
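    The no-framing rule in the paragraph above is only enforced if the server actually sends the corresponding response headers: `Content-Security-Policy: frame-ancestors 'none'` for current browsers and `X-Frame-Options: DENY` for older ones (when both are present, browsers that support `frame-ancestors` ignore `X-Frame-Options`). The following is an added example, not part of the GIGW template: it evaluates a set of response headers and reports whether they deny framing. The header values, the `conformance_issues` checks and the sample header sets are the editor's, and the function assumes a single CSP header per response.

```python
"""Check that response headers enforce the no-framing rule (added example)."""

# Header values that deny framing by any site; the CSP directive is what
# current browsers honour, X-Frame-Options covers older ones.
RECOMMENDED_HEADERS = {
    "Content-Security-Policy": "frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
}


def _csp_directive(csp: str, name: str):
    """Return the source list of one CSP directive, or None if absent."""
    for part in csp.split(";"):
        tokens = part.strip().split()
        if tokens and tokens[0].lower() == name:
            return tokens[1:]
    return None


def frame_policy(headers: dict) -> str:
    """Who may frame the page: 'none', 'self', 'listed' (explicit allow-list)
    or 'any' (no protection). Assumes a single CSP header per response.
    If frame-ancestors is present, X-Frame-Options is ignored, as browsers
    that implement the directive do."""
    h = {k.lower(): v for k, v in headers.items()}
    csp = h.get("content-security-policy")
    if csp is not None:
        ancestors = _csp_directive(csp, "frame-ancestors")
        if ancestors is not None:
            low = [a.lower() for a in ancestors]
            if not low or low == ["'none'"]:   # empty source list also denies
                return "none"
            if low == ["'self'"]:
                return "self"
            return "listed"
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "none"
    if xfo == "SAMEORIGIN":
        return "self"
    return "any"


def conformance_issues(headers: dict) -> list:
    """Findings for the hyperlinking-policy rule that pages must not be framed."""
    h = {k.lower(): v for k, v in headers.items()}
    issues = []
    policy = frame_policy(headers)
    if policy != "none":
        issues.append(f"framing not denied (effective policy: {policy})")
    if _csp_directive(h.get("content-security-policy", ""), "frame-ancestors") is None:
        issues.append("no CSP frame-ancestors directive (current browsers)")
    if "x-frame-options" not in h:
        issues.append("no X-Frame-Options header (legacy browsers)")
    return issues


if __name__ == "__main__":
    # Constructed header sets standing in for real responses.
    samples = {
        "recommended": RECOMMENDED_HEADERS,
        "xfo-only": {"X-Frame-Options": "SAMEORIGIN"},
        "csp-wins": {"Content-Security-Policy": "frame-ancestors 'self'",
                     "X-Frame-Options": "DENY"},
        "unprotected": {},
    }
    for name, hdrs in samples.items():
        print(name, frame_policy(hdrs), conformance_issues(hdrs))
```

    The headers should be set at the web server or reverse proxy for every page, including error pages, and the check is worth adding to the periodic monitoring run since a configuration change can silently drop them.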

    Performance Evaluation & Monitoring Process

    Purpose: 

    Hosting Service Providers should provide web server statistics required for performance evaluation on a regular basis. If possible, online access to the traffic analysis should be provided so that the Department can access the traffic analysis at any point of time for the purpose of evaluation.

    Template

    1. Application Performance 

      Application performance is regularly monitored using <CMS-specific tools, or other tools> available to application administrators.

      This may include CMS specific Status Report (which is a comprehensive report based on various parameters of application availability, security, performance and access restrictions) OR list any other reports available with the tools being used to monitor application performance.

    2. Server Performance

      All servers, including the web server and database servers, are monitored periodically to ensure high availability and smooth functioning of the <Name of Ministry / Department / Organization Website / Portal / Web Application>.

    3. Download Speeds 
      • Frequency: <frequency e.g., daily / weekly etc>
      • Process: Using open source tools and the add-ons available with browsers <like the Network panel of the browser's developer tools>, the download speed of pages across the portal is checked over different Internet connections.
      • Pages are tested over various connections; slow-loading pages are identified and corrected.
    4. Availability of Portal 

      Availability of <Name of Ministry / Department / Organization Website / Portal / Web Application> is monitored at intervals of <frequency> by the <Website Monitoring team (if there is a dedicated monitoring team)>. Homepage and important landing pages have been marked and provided to the monitoring team for regular check.

    Privacy Policy

    Purpose: 

    In case a Department solicits or collects personal information from visitors through their websites, it MUST incorporate a prominently displayed Privacy Statement clearly stating the purpose for which information is being collected, whether the information shall be disclosed to anyone for any purpose and to whom.

    Template

    <Name of Website / Portal / Web Application (e.g., India Portal, DoT website, TRAI website, IRCTC etc.)> does not automatically capture any specific personal information from you (like name, phone number or e-mail address) that allows us to identify you individually. If you choose to provide us with your personal information, like names or addresses, when you visit our website, we use it only to fulfil your request for information. To use the <xyz section(s)>, this website <requires user registration / does not require registration>. <[If user registration is required] Information so collected is used to facilitate interaction.>

    We do not sell or share any personally identifiable information volunteered on this site to any third party (public/private). Any information provided to this website will be protected from loss, misuse, unauthorized access or disclosure, alteration, or destruction.

    We gather certain information about the User, such as Internet protocol (IP) address, domain name, browser type, operating system, the date and time of the visit and the pages visited. We make no attempt to link these addresses with the identity of individuals visiting our site unless an attempt to damage the site has been detected.

    Use of Cookies:

    A cookie is a small piece of data that a website sends to your browser when you access information at that site. The browser stores it as a simple text entry on your computer or mobile device and sends it back only to the website that set it, so only that website's server can read its contents. Cookies let you navigate between pages efficiently, as they store your preferences, and generally improve your experience of a website.

    <We are using following types of cookies in our site:

    • Analytics cookies for anonymously remembering your computer or mobile device when you visit our website to keep track of browsing patterns.
    • Service cookies for helping us to make our website work efficiently, remembering your registration and login details, settings preferences, and keeping track of the pages you view.
    • Non-persistent cookies a.k.a per-session cookies. Per-session cookies serve technical purposes, like providing seamless navigation through this website. These cookies do not collect personal information on users and they are deleted as soon as you leave our website. The cookies do not permanently record data and they are not stored on your computer’s hard drive. The cookies are stored in memory and are only available during an active browser session. Again, once you close your browser, the cookie disappears.>

    <You may note additionally that when you visit sections of <Website / Portal / Application> where you are prompted to log in, or which are customizable, you may be required to accept cookies. If you choose to have your browser refuse cookies, it is possible that some sections of our web site may not function properly.>
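    A department publishing the cookie statement above should be able to show that the cookies its site actually sets match the declared classes; in particular, a cookie described as per-session must carry neither `Expires` nor `Max-Age`, since either attribute makes the browser persist it. The following added example, not part of the GIGW template, parses `Set-Cookie` headers with the standard library and reports mismatches together with the transport attributes a reviewer expects on a session cookie. The sample headers, cookie names and the declared-session list are constructed for the example.

```python
"""Audit Set-Cookie headers against the cookie classes declared in a privacy
statement (added example)."""
from http.cookies import SimpleCookie

# Constructed Set-Cookie headers standing in for a real response.
SAMPLE_SET_COOKIES = [
    "SESSIONID=3f9a1c; Path=/; Secure; HttpOnly; SameSite=Lax",
    "_ga=GA1.2.123; Path=/; Max-Age=63072000; SameSite=Lax",
    "prefs=hi; Path=/; Expires=Wed, 01 Jan 2025 00:00:00 GMT",
]
# Cookie names the (constructed) privacy statement calls per-session.
DECLARED_SESSION = {"SESSIONID", "prefs"}


def classify_cookie(set_cookie: str) -> dict:
    """Parse one Set-Cookie header. A cookie is per-session exactly when it
    carries neither Max-Age nor Expires; the browser then keeps it in memory
    and discards it when the browsing session ends."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    (name, m), = jar.items()
    return {
        "name": name,
        "persistent": bool(m["max-age"] or m["expires"]),
        "secure": bool(m["secure"]),
        "httponly": bool(m["httponly"]),
        "samesite": m["samesite"] or None,
    }


def audit_cookies(set_cookies, declared_session) -> list:
    """One line per mismatch between what is set and what is declared, plus
    the Secure/HttpOnly/SameSite attributes a session cookie should carry."""
    issues = []
    for header in set_cookies:
        c = classify_cookie(header)
        if c["name"] in declared_session and c["persistent"]:
            issues.append(f"{c['name']}: declared per-session but has an expiry")
        if not c["secure"]:
            issues.append(f"{c['name']}: missing Secure (would be sent over plain HTTP)")
        if c["name"] in declared_session and not c["httponly"]:
            issues.append(f"{c['name']}: session cookie readable by page scripts")
        if c["samesite"] is None:
            issues.append(f"{c['name']}: no SameSite attribute")
    return issues


if __name__ == "__main__":
    for line in audit_cookies(SAMPLE_SET_COOKIES, DECLARED_SESSION):
        print(line)
```

    Feed it the `Set-Cookie` headers captured from a login and a first visit; anything the script reports either needs a server-side fix or a correction to the published statement.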

    Security Policy

    Purpose: 

    Security is of paramount concern to owners as well as consumers of the website. A lot of security threats are handled at data centres and server administrator level where the website/application is hosted. Website/Application developers should however be sensitive about security aspects, as a lot of security threats arise due to vulnerability of application software code.

    These application-driven attacks can be very damaging. Best practices to follow while developing web applications using various technologies are available on the CERT-In website (http://www.cert-in.org.in) as well as elsewhere on the Internet. Developers should read, understand and follow these best practices during development. NIC as well as CERT-In have empanelled a number of agencies to conduct security audits of applications.

    Template

    • <Name of Ministry / Department / Organization Website / Portal / Web Application> has been placed in protected zones with implementation of firewalls and IDS (Intrusion Detection System) and high availability solutions.
    • Before launch of the <Name of Ministry / Department / Organization Website / Portal / Web Application>, simulated penetration tests have been conducted. Penetration testing has also been conducted <x times> after the launch of the <Name of Ministry / Department / Organization Website / Portal / Web Application>.
    • <Name of Ministry / Department / Organization Website / Portal / Web Application> has been audited for known application level vulnerabilities before the launch and all the known vulnerabilities have been addressed.
    • Hardening of servers has been done as per the guideline of Cyber Security division before the launch of the <Name of Ministry / Department / Organization Website / Portal / Web Application>.
    • Access to web servers hosting the <Name of Ministry / Department / Organization Website / Portal / Web Application> is restricted both physically and through the network as far as possible.
    • Logs at <x number> different locations are maintained for authorized physical access of <Name of Ministry / Department / Organization Website / Portal / Web Application> servers.
    • Web-servers hosting the <Name of Ministry / Department / Organization Website / Portal / Web Application> are configured behind IDS, IPS (Intrusion Prevention System) and with system firewalls on them.
    • All the development work is done on a separate development environment and is well tested on the staging server before updating it on the production server.
    • After testing properly on the staging server the applications are uploaded to the production server using SSH and VPN through a single point.
    • The content contributed by/from remote locations is duly authenticated & is not published on the production server directly. Any content contributed has to go through the moderation process before final publishing to the production server.
    • All contents of the web pages are checked for intentional or unintentional malicious content before final upload to web server pages.
    • Audit logs of all activities involving the operating system, access to the system, and access to applications are maintained and archived. All rejected accesses and services are logged and listed in exception reports for further scrutiny.
    • Help Desk staff at the <Identify Monitoring Team> monitor the <Name of Ministry / Department / Organization Website / Portal / Web Application> at intervals of <frequency> to check the web pages to confirm that the web pages are up and running, that no unauthorized changes have been made, and that no unauthorized links have been established.
    • All newly released system software patches, bug fixes and upgrades are reviewed expeditiously and regularly, and installed on the web server.
    • On Production web servers, Internet browsing, mail and any other desktop applications are disabled. Only server administration related tasks are performed.
    • Server passwords are changed at the interval of <x number> months and are shared by <y number> persons <a name> and <b name>.
    • <a name> and <b name> have been designated as Administrator for the <Name of Ministry / Department / Organization Website / Portal / Web Application> and shall be responsible for implementing this policy for each of the web servers. The administrator shall also coordinate with the Audit Team for required auditing of the server(s).
    • <Name of Ministry / Department / Organization Website / Portal / Web Application> has been re-audited for the application level vulnerability after major modification in application development [Not applicable at first launch].

    Compliance Audit 

    The <Name of Ministry / Department / Organization Website / Portal / Web Application> has been audited before launch and has complied with all the points mentioned in the policies document of the Cyber Security Group mentioned above.

    <Name of Ministry / Department / Organization Website / Portal / Web Application> has also been subjected to an automated risk assessment performed through vulnerability identification software before and after the launch and all the known vulnerabilities have been addressed.

    Terms & Conditions

    Purpose: 

    With the increased proliferation of the Internet, more and more citizens are accessing information from government websites. Clearly defined Terms & Conditions including well-worded disclaimers regarding the usage of websites must be present on every Indian government website. Terms & Conditions address the following aspects:

    • Ownership Details
    • Legal Aspects
    • Usage Policy of Content
    • Responsibility towards hyperlinked Sites

    Template

    This website is designed, developed and maintained by <Name of Department>, Government of India.

    Though all efforts have been made to ensure the accuracy and currency of the content on this website, the same should not be construed as a statement of law or used for any legal purposes. In case of any ambiguity or doubts, users are advised to verify/check with the Department(s) and/or other source(s), and to obtain appropriate professional advice.

    Under no circumstances will this Department be liable for any expense, loss or damage including, without limitation, indirect or consequential loss or damage, or any expense, loss or damage whatsoever arising from use, or loss of use, of data, arising out of or in connection with the use of this website.

    These terms and conditions shall be governed by and construed in accordance with the Indian Laws. Any dispute arising under these terms and conditions shall be subject to the jurisdiction of the courts of India.

    • The information posted on this website could include hypertext links or pointers to information created and maintained by non-government / private organisations. <Name of Department> is providing these links and pointers solely for your information and convenience. When you select a link to an external website, you are leaving the <Name of Department> website and are subject to the privacy and security policies of the owners/ sponsors of the external website.
    • <Name of Department> does not guarantee availability of linked pages at all times. <Name of Department> cannot authorise use of copyrighted materials contained in the linked website. Users are advised to request such authorisation from owners of linked websites.
    • <Name of Department> does not guarantee that linked websites comply with Indian Government Web Guidelines.

    Validation & Testing Process

    Purpose of the process: 

    The code of the web pages, scripts and applications may be tested manually or with automated tools to ensure that the quality of the web content is maintained and that all compliance-related guidelines are adhered to.

    Validation & Testing Process (clause 10.2.4) 

    <Name of Ministry / Department / Organization Website / Portal / Web Application> is tested regularly <manually and through automated testing> tools by the Technical Manager for the following parameters.

    1. Quality Testing  
      1. Broken Links 
        • Frequency: <Daily/Weekly etc>
        • Process: <Name of Ministry / Department / Organization Website / Portal / Web Application> is monitored for broken links <manually / automated tool>.
        • Action taken : The reviewer sends a list of broken links to the quality manager who rectifies them personally.
      2. Spelling Errors
        • Frequency : <Daily / Weekly etc>
        • Process: By the QM <manually / through automated tool>. It is the responsibility of the Quality Manager to get the spelling mistakes rectified from the concerned person depending on whether the mistake is in the static or dynamic portion of content.
        • Action taken: The Quality Manager sends a mail to the concerned person who rectifies the mistake and responds back to the Quality Manager
      3. Metadata 
        • Frequency: <Weekly / Monthly etc>
        • Process: Based on the web analyzer tool reports the pages are checked for proper meta tags by the Quality Manager
        • Action taken: The Quality Manager modifies the metadata if required
    2. Accessibility Testing 

      Conformance with W3C accessibility norms is checked; tools such as <list available tools> are used for testing.

    3. Functionality Testing 
      • Frequency: <Weekly / Monthly etc>
      • Process: Interactive components like forms etc are tested for functionality issues
      • Action taken: The Quality Manager informs the concerned person through mail in case of any problem and receives a confirmation mail on rectification of the same.
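    Item 1.1 above leaves the broken-link check as <manually / automated tool>. The following added example, not part of the GIGW template, is the automated form: it extracts links from a page, resolves relative URLs against the page address, skips fragments and `mailto:`/`tel:`/`javascript:` links, and reports any target that is unreachable or returns an HTTP 4xx/5xx. The sample page, its URL (`dept.example`, on a reserved test domain) and the stubbed status table are constructed so the run works offline; `live_fetch_status` is the HEAD-request fetcher to pass in for production use.

```python
"""Broken-link checker with an injectable fetcher (added example)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urldefrag, urlparse

# Constructed page standing in for a real one; dept.example is a reserved
# test domain, not a real department site.
SAMPLE_PAGE_URL = "https://dept.example/index.html"
SAMPLE_PAGE_HTML = """
<html><body>
  <a href="/about">About us</a>
  <a href="contact.html">Contact</a>
  <a href="https://example.org/old">Archived report</a>
  <a href="#top">Top</a>
  <a href="mailto:webmaster@dept.example">Mail</a>
  <a href="javascript:void(0)">Menu</a>
  <img src="/img/logo.png" alt="logo">
</body></html>
"""
# Constructed status table for the offline run (absent => unreachable).
STUB_STATUS = {
    "https://dept.example/about": 200,
    "https://dept.example/contact.html": 404,
    "https://dept.example/img/logo.png": 200,
}
SKIP_SCHEMES = ("mailto:", "tel:", "javascript:", "data:")


class _LinkExtractor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.raw = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("a", "link") and a.get("href"):
            self.raw.append(a["href"])
        elif tag in ("img", "script") and a.get("src"):
            self.raw.append(a["src"])


def extract_links(page_url: str, html_text: str) -> list:
    """Absolute http(s) URLs referenced by the page, deduplicated, in order."""
    p = _LinkExtractor()
    p.feed(html_text)
    out = []
    for raw in p.raw:
        raw = raw.strip()
        if not raw or raw.startswith("#") or raw.lower().startswith(SKIP_SCHEMES):
            continue
        url, _fragment = urldefrag(urljoin(page_url, raw))
        if urlparse(url).scheme in ("http", "https") and url not in out:
            out.append(url)
    return out


def find_broken_links(page_url, html_text, fetch_status) -> list:
    """(url, reason) for every link whose fetch_status(url) is None or >= 400."""
    report = []
    for url in extract_links(page_url, html_text):
        status = fetch_status(url)
        if status is None:
            report.append((url, "unreachable"))
        elif status >= 400:
            report.append((url, f"HTTP {status}"))
    return report


def live_fetch_status(url: str, timeout: float = 10.0):
    """Production fetcher: HEAD request; returns the HTTP status, or None on a
    network error so the caller reports the link as unreachable."""
    import urllib.error
    import urllib.request
    req = urllib.request.Request(url, method="HEAD",
                                 headers={"User-Agent": "gigw-link-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code
    except (urllib.error.URLError, OSError):
        return None


if __name__ == "__main__":
    for url, reason in find_broken_links(SAMPLE_PAGE_URL, SAMPLE_PAGE_HTML,
                                         STUB_STATUS.get):
        print(reason, url)
```

    Some servers reject HEAD; if a site returns 405 for links that open fine in a browser, fall back to a GET in `live_fetch_status`. The report's (url, reason) pairs are what the reviewer forwards to the Quality Manager under "Action taken".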