UIDAI system declared as a “Protected System”: what does it mean to you?

In a gazette notification dated December 21, 2015, the Government of India has declared the UIDAI system a “Protected System” under ITA 2000/8.

This was long overdue. Given the criticality of the system and the risks associated with a security breach, it is necessary to ensure that the system is protected both technically and legally. Some newspaper reports have highlighted the impact of this notification with headlines such as “UIDAI: Illegal access to Aadhaar data can land you in jail for 10 years”.

While this is certainly a message that should go out, we should add: “Even an attempt to access UIDAI systems without authorization may land a person in jail for 10 years, and this is a non-bailable, cognizable offence”.

Information security professionals who work in penetration testing should be particularly cautious to avoid any unintentional action that may appear as an “attempt” to access the UIDAI system.

Under ITA 2000, Section 70 read as follows:

Protected system (Sec 70 of ITA 2000)
(1) The appropriate Government may, by notification in the Official Gazette, declare that any computer, computer system or computer network to be a protected system.

(2) The appropriate Government may, by order in writing, authorise the persons who are authorised to access protected systems notified under sub-section (1)

(3) Any person who secures access or attempts to secure access to a protected system in contravention of the provisions of this section shall be punished with imprisonment of either description for a term which may extend to ten years and shall also be liable to fine.

Under ITA 2008, the section was modified to read as under:

Protected system (Amended Vide ITAA-2008)

(1) The appropriate Government may, by notification in the Official Gazette, declare any computer resource which directly or indirectly affects the facility of Critical Information Infrastructure, to be a protected system.

Explanation: For the purposes of this section, “Critical Information Infrastructure” means the computer resource, the incapacitation or destruction of which, shall have debilitating impact on national security, economy, public health or safety. (Substituted vide ITAA-2008)

(2) The appropriate Government may, by order in writing, authorize the persons who are authorized to access protected systems notified under sub-section (1).

(3) Any person who secures access or attempts to secure access to a protected system in contravention of the provisions of this section shall be punished with imprisonment of either description for a term which may extend to ten years and shall also be liable to fine.

(4) The Central Government shall prescribe the information security practices and procedures for such protected system. (Inserted vide ITAA 2008)

As one can observe, the ITA 2000 version did not specify that a declaration as a “Protected System” was to be reserved for “Critical Information Infrastructure” alone, though that was clearly the intention that could be read into the section.

Unfortunately, certain Governments did not understand this intent and went ahead to declare “all e-Governance systems” as “Protected”. Tamil Nadu was one such State which made such an overreaching ruling. (See the copy of the order here.) In this order dated 29th June 2005, the TN Government declared:

“any computer, computer system (Hardware, Software and Accessories), Website, online service or computer network including the Uniform Resource Locator (URL) in any of the offices of the Government of Tamil Nadu or of the Government undertakings or Boards to be a “protected system””

This made all computers of the Government, whether used for critical operations or not, “Protected Systems” and placed restrictions on access to them. Fortunately, not many cases were filed under the section, though the risk of its misuse was always there.

In an article on this site on January 10, 2003, Naavi had also raised a doubt as to whether a State Government has the power to notify a “Protected System” under ITA 2000. (Read the article here.)

When the 2008 amendments were made, it was good that the Central Government removed the ambiguity in one respect: the section was not meant to declare “any” system as “Protected”. The criterion was that the system should qualify as “Critical Information Infrastructure”, which ITA 2008 defined.

The definition of Critical Information Infrastructure in this context is any “computer resource, the incapacitation or destruction of which, shall have debilitating impact on national security, economy, public health or safety”. This does not require that the system belong to the Government, since some of the systems that are critical for the national economy, health or safety may well be in the private sector.

There is no doubt that the UIDAI system, given the uses to which it is being put, should be considered “Critical Information Infrastructure” and accorded the protection of Section 70.

We may however bring to the attention of the Government that the notification of December 21, 2015 does not provide details of the “information security practices and procedures” that sub-section (4) requires the Central Government to prescribe.

One might consider the CERT-In guidelines on information security as applicable to UIDAI. However, the Gazette Notification ought to have specified what information security practices and procedures apply to access to these systems.

One may argue that this is not a matter on which the public needs to be notified. However, since an “attempt” to access the system is itself an offence, it is prudent for the Government to at least state in general terms what would constitute such an offence by defining the limits of authorized access.

In particular, information security professionals as well as those involved in Aadhaar-related IT projects need to watch out, while undertaking security scanning or software testing exercises, to avoid any unintentional violation of Section 70.
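The caution above, for a tester, comes down to one mechanical rule: every target must be explicitly within the written scope of the engagement, and anything on a never-touch list (such as systems notified as Protected Systems under Section 70) is refused before a single packet is sent. The following Python is an added example written for this page, not code from the original post or from UIDAI; the CIDRs and domain names in it are hypothetical placeholders (RFC 5737/3849 documentation ranges and example.com-style names), and a real never-touch list would be copied from the client's authorization letter, never guessed by the tester.

```python
"""Pre-scan scope gate (added example; the addresses and domains are hypothetical
placeholders taken from documentation ranges, not UIDAI's real infrastructure).

A target is allowed only if it is explicitly in the written scope AND not on
the never-touch list. Everything else is refused before any packet is sent."""
import ipaddress
from urllib.parse import urlsplit

# Hypothetical engagement scope, as it would appear in the client's authorisation.
IN_SCOPE = {
    "cidrs": ["203.0.113.0/24", "2001:db8:1::/48"],   # RFC 5737 / RFC 3849 ranges
    "domains": ["app.example.com", "api.example.com"],
}
# Hypothetical never-touch list: systems notified as Protected Systems would go
# here, copied from the client's letter, never guessed by the tester.
NEVER_TOUCH = {
    "cidrs": ["198.51.100.0/24"],
    "domains": ["protected.example.gov.in"],
}


def _host_of(target: str) -> str:
    """Return the host part of a bare host/IP, a host:port pair, or a URL."""
    if "://" in target:
        return urlsplit(target).hostname or ""
    # A single colon means IPv4-or-name with a port; IPv6 literals have more.
    if target.count(":") == 1:
        return target.split(":", 1)[0]
    return target.strip("[]")


def _matches(host: str, rules: dict) -> bool:
    """True if host is inside any CIDR in rules, or equals / is under any domain."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # 'in' is False across address families, so v4 never matches a v6 block.
        return any(ip in ipaddress.ip_network(c) for c in rules["cidrs"])
    name = host.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in rules["domains"])


def gate_targets(targets):
    """Split targets into (allowed, blocked). blocked holds (target, reason) pairs.

    Order matters: the never-touch list is checked first so that a target which
    is both in scope and protected is still refused."""
    allowed, blocked = [], []
    for target in targets:
        host = _host_of(target)
        if not host:
            blocked.append((target, "unparseable target"))
        elif _matches(host, NEVER_TOUCH):
            blocked.append((target, "on never-touch list (protected system)"))
        elif not _matches(host, IN_SCOPE):
            blocked.append((target, "not in written scope"))
        else:
            allowed.append(target)
    return allowed, blocked


if __name__ == "__main__":
    # Constructed sample target list mixing in-scope, protected and unknown hosts.
    sample = ["203.0.113.7", "https://api.example.com/v1", "203.0.113.8:8443",
              "2001:db8:1::5", "198.51.100.9", "login.protected.example.gov.in",
              "192.0.2.1"]
    ok, refused = gate_targets(sample)
    print("scan:", ok)
    for t, why in refused:
        print("refuse:", t, "-", why)
```

The gate is deliberately fail-closed: a target that is both in scope and on the never-touch list is blocked, and a target in neither list is blocked too. It checks names and addresses only as written; in practice the resolved addresses of every in-scope hostname should be run through the same CIDR check, because a hostname in scope may resolve to infrastructure that is not.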

The development also adds an additional angle to ITA 2008 compliance programs, which should be followed by all IT companies, payment gateways, e-KYC companies, etc.

Naavi

Posted in Cyber Law | Leave a comment

RBI does a Modi on Bitcoin

This Christmas has been a really merry Christmas for India... and also for Pakistan. In a move which stunned everybody from his supporters to his detractors, Indian PM Mr Narendra Modi dropped in at Lahore, wished his Pakistani counterpart Nawaz Shariff a happy birthday, gave gifts to his granddaughter for her wedding, touched the feet of Nawaz's mother in respect, travelled in a Pakistani military helicopter along with Nawaz Shariff, and virtually created an earthquake in the region. Whether immediate results are seen or not, the developments of 25th December 2015 in Indo-Pak relations will be a key development in the history of the region and will permanently change the perception of Mr Modi in the minds of the Anti-Modi-Congress supporters in India.

This morning when we opened the newspapers, there was another development which was equally “disruptive”, but in the domain of financial regulation in India. In what is a huge turnaround, RBI came out with a statement that “Technology behind bitcoin can help fight counterfeiting”.

In 2014, we discussed at length the “legal validity” of “Bitcoins” on this site, and some of those discussions have continued from time to time.

(The articles can be accessed here)

Following a Bitcoin conference in Bangalore, and subsequently in a well-read interview in the Times of India, Naavi argued that “Bitcoin” was an electronic document recognized under ITA 2000/8 and hence cannot be banned. In the follow-up detailed article at Naavi.org titled “Why RBI cannot/neednot/should not ban Bitcoins?”, Naavi explained why Bitcoin as a category of “Crypto Currency/Virtual Coin” has huge advantages that can be harnessed by RBI. Naavi also explained that while part of the Bitcoin holdings and transactions may involve violations of PMLA or FEMA, which can be tackled under the relevant laws, part of the holdings, particularly those mined in India, could be considered legal holdings. Naavi also provided some suggestions to RBI on what it should do, stated as follows.

QUOTE

What RBI Should Do

.. RBI of course has a duty to advise the public through an open advisory not to consider Bitcoin as a currency. This is more for public education so that they are not cheated by smart operators.

Apart from the caution notice that RBI should release, they may consider some steps of their own to meet the situation arising out of the Crypto Currency phenomenon.

…if RBI so desires, it can provide some concessions to Bitcoin Exports (Sale of Bitcoins by an Indian against receipt in foreign currencies) and Bitcoin Mining (Production activity similar to software development); it can also consider production of Bitcoins by Indians through foreign pools as a “Software Service Export”. In my opinion, RBI should consider these measures.

On the other hand, RBI may clarify limits on the import of Bitcoins (Buying of Bitcoins from foreign sources where the payment is designated in a foreign currency). While RBI has the right to ban such imports, it may consider permitting imports through designated exchanges upto a limit of say Rs 75000/-.

RBI may have to however caution the public that buying and selling of Bitcoins must be restricted to persons whose identity is known and records kept. Public must understand that in the current legal environment, Bitcoin is a “Virtual Commodity” and it does not have the immunity that “Negotiable Instruments” possess, where a holder in certain circumstances can claim the status of a “Holder in due course” which is free from the defects of the transferor.

STPI may consider declaring its own policies if somebody wants to set up a Bitcoin (or another cryptocoin) mining facility as an STPI unit.

UNQUOTE

Naavi also gave a wishlist on Bitcoins which included a Crypto Coin Exchange of India, an India Crypto Currency Pool and a Hybrid Variety of Crypto Coin, and invited RBI to constitute an expert committee to take the discussion further.

However, as was feared, RBI came out with an “Advisory”, the ED conducted a couple of raids on Bitcoin operators in India, and this put the fear of God in the techies who had enthusiastically embarked on a “Bitcoin journey”. Naavi held out during that time that the “technology behind Bitcoins” is very useful and must be harnessed by RBI. Subsequently, one of the Bitcoin enthusiasts demanded that the RBI advisory be clarified further, as it introduced uncertainty in business. RBI however came out with a harsh, rebuking reply, in which it also stated that the person “..is not entitled to call upon RBI to clarify the legal position in this regard..”.

RBI was visibly angry with the person for sending a notice demanding clarification, and it went on to warn that if, in spite of the clarifications, the person went ahead with any legal proceedings, RBI would defend them at the person's cost and consequences.

This was no different from the stand the Indian Government had taken in respect of its dialogue with Pakistan, which Modi has now changed.

Subsequent to RBI's angry reply, Naavi has been reminding readers from time to time that “Bitcoin” may be tainted because of its past, but the Block Chain technology has the potential of revolutionizing the Digital Currency concept.

However, there appeared to be no hope of a rethinking... until this morning's newspaper reported a positive viewpoint on the Block Chain technology attributed to RBI. The article quotes RBI as saying:

“With its potential to fight counterfeiting, the ‘blockchain’ is likely to bring about a major transformation in the functioning of financial markets, collateral identification (land records for instance) and payments system,” said the RBI. The central bank pointed out that the traditional system of record maintenance works on the basis of ‘trust’ and the ‘regulatory’ and ‘controlling’ power of central entities/counter parties. “As against this, the ‘blockchain’ technology is based on a shared, secured and public ledger system, which is not controlled by any single (‘central’) user and is maintained collectively by all the participants in the system based on a set of generally agreed and strictly applied rules,”

This turn around to my mind is as bold as Modi dropping into Lahore to wish Nawaz Shariff a “Happy Birthday”.

Now it is time for RBI to walk its talk and set up a proper Expert Committee which can study “How RBI can harness the Block Chain Technology”.

As always, we need to point out that RBI needs to find appropriate members for this committee who can provide appropriate inputs... and we request the committee to watch the space of Naavi.org, where some voluntary inputs can be found not only from Naavi but also from its erudite readers.

I call upon the readers to contribute their views to the “Virtual Special Interest Group of Naavi.org on Harnessing of Block Chain Technology” which is deemed to be constituted right away. Naavi has already proposed a VSIG on Amendments to ITA 2008 and the Harnessing of Block Chain Technology can also be taken up in the same VSIG as an additional sub group. Volunteers are welcome.

Naavi


Cyber Insurability Index

We have been discussing the concept of “ITA 2008 Compliance” in these columns. Naavi has suggested some directions for measuring the level of compliance in the form of a maturity model. (Refer to this article.)

In recent times, we have also introduced the extended thought of Cyber Insurance, for which ITA 2008 compliance is an essential ingredient.

While the measurement of ITA 2008 maturity is itself a measure of the “Cyber Insurability” of an organization, it is time to think about a separate, quantitative measurement of “Cyber Insurability”. A preliminary attempt to introduce the concept is made here. It is envisaged that with contributions from other readers this concept may be extended further.

Naavi

Cyber Insurability for this context is defined as “a measure of the maturity of an organization for a Cyber Insurance Company to provide a Cyber Insurance cover”.

The perspective is that of the Cyber Insurance Company, which has to assess the proposed insured (the Insuree), accept an underwriting proposal and quote a premium.

A Cyber Insurance proposal normally consists of two key elements. The first is a cover for “own damage” and the second is a cover against “third party liability”.

The own damage liability is more controllable than the third party liability, which depends on whether the affected third party can successfully make a claim for damages.

If a company does not use or store the personal data of third parties, its exposure to third party liability risk is low. The risk that an Insurance company takes may therefore depend on the “type of information asset insured”.

We can roughly say, for the purpose of understanding, that the “Cyber Insurability” of an organization which does not use, transmit or store third party data is high. The exact amount for which an organization is insurable may however depend on the value of the assets possessed by the company.

In an organization where Cyber Insurance is sought only for its own information assets, namely the hardware, software and corporate data residing therein, the insurer's concern is limited to the efficiency of the DRP/BCP and the reputation loss that the organization may suffer on account of an attack. For example, if an e-commerce website is under a DoS attack and closed for, say, 3 hours, then there is a loss of business for 3 hours besides a marginal reputation loss. If the DRP/BCP system of the organization is efficient, the loss can be reduced further. In any case, there is some ability to control the loss and contain it within the set of its existing customers.

On the other hand, if the attack involves “loss of data”, then the question of valuing the loss becomes important. Here the presence or absence of third party data becomes very important in determining the value of the loss. If there is no third party data, the possibility of any claim from third parties is zero.

The corporate data lost could be business data or data which constitutes “Intellectual Property”. Loss of Intellectual Property can be valued and also defended subsequently by litigation; hence it is also controllable. Loss of corporate business data may lead to reputation loss or weakening of the company's business competitiveness. There is an element of uncertainty in such damage, but an Insurance company may consider such damage “discretionary” and “vague” and refuse to recognize an insurable component for “likely reduction in market share on account of compromise of the corporate business data”.

By comparison, if the Insuree possesses third party personal information, any loss thereof could trigger litigation from a large section of the customers. The exact loss is difficult to estimate, since each person may claim a different amount and the claims may arise at different points of time in the post-data-breach scenario.

In situations where there is a regulatory authority which can step in on behalf of the data subjects and impose a fine or collect damages on behalf of the community, it may be possible for the regulatory agency to fix some norms to determine the total liability, which then becomes the subject matter of insurance. The individual liabilities may also be limited by the Insuree obtaining legally binding contracts from the data subjects limiting the potential damage either to a fixed amount or to a maximum amount. In such cases the losses may be determinable. If no such contractual bindings exist, the potential loss may be open-ended in terms of value as well as time.

The business practices that an Insuree organization follows therefore have an impact on the liabilities that the Insurer has to undertake in the event of a data breach.

This difference is what we may call the “Cyber Insurability” of an organization.

An organization may be considered Cyber Insurable if its liabilities can be determined with some degree of certainty when a mishap occurs, and not so if they are indeterminate.

Obviously, every organization will have a certain degree of certainty and a degree of uncertainty, and hence we cannot measure Cyber Insurability as a binary property.

We therefore need to develop a “Cyber Insurability Index” that measures the ease with which different organizations may be assessed for the determinability of their insurance risk.

The Cyber Insurability Index may have two dimensions. One is the index across other insurance subjects, which measures how Company A is more easily insurable than Company B or vice versa. The other dimension is how a given company moves up (or down) over the years on its own measure of Cyber Insurability.

Maybe we can call these Inter-Company indexing and Intra-Company indexing.

Inter-Company indexing will depend on the nature of the industry, its potential to be a target for cyber attacks, its location, size, information security culture, etc. This can be based on a study of the environment of threats and vulnerabilities affecting a given type of activity. This may be done as an industry-level analysis even without a specific study of a company.

For example, from the cyber crime studies released by most companies, it emerges that the BFSI industry has higher risk in terms of insurance claims and also a high possibility of indeterminable losses that may be claimed by the clients of the company in the event of a data breach.

Intra-Company indexing may indicate how the company is improving or declining in its standard of bringing some kind of control over the potential loss that may occur on account of a breach. This will include the information security measures undertaken by the company from year to year, changes in the industry environment, the emergence of new technology in the industry, etc. This will be a subject matter to be determined by a “Cyber Insurability Audit” of a company.

When a company is first audited for the Intra-Company Cyber Insurability Index, the audit can try to measure the changes that have occurred in the last one year that contribute to making the insurance liability more determinable, and show the current status as an indication of progress or deterioration over a period of one year. This would be a good indicator to be incorporated in the annual report of a company.

For example, if I say the CII-Intra of Company X is 120, it means that there was a 20% improvement in its status (an indication of how much more palatable the company is to an insurance company) in the last one year. If I say the CII-Intra for Company Y is 70, it means that the uncertainties in the company, from the point of view of a Cyber Insurance Company, have increased (a 30% deterioration against the base year).

Each subsequent year the index can be reworked with reference to the base year.

These are some of my preliminary thoughts that I place before the audience for a feedback and further refinement.

Naavi


India Cyber Insurance Survey 2015-Report to be released shortly

The first-ever study of the Indian Cyber Insurance Industry (2015), presenting the industry's perception of what it wants from Cyber Insurers, is ready for release some time in January 2016.

The study, undertaken by the undersigned along with a group of IS professionals, collected responses from professionals in industry and academia and has given a good insight into what the industry perceives about Cyber Insurance policies.

Since the industry is in a nascent stage and experience of how it functions is yet to mature, the results are more representative of a “perception” or “expectation” study, and would be available for expansion in the coming days into a “status of the industry” study.

The survey provides interesting insights into the prospects of the industry and what the Insurance companies need to consider to strengthen their products.

Though only 6% of the respondents indicated that they have actual experience of the products, 72% said that they are willing to consider such products if a suitable product at a proper price is available. There is also an indication that if a suitable product at a proper price is not available, more than 54% of the respondents were not ready to jump in in the near future.

The study also provides valuable qualitative insights into what would be acceptable to the market in terms of conditionalities, exclusions, liability limitations etc.

The report is being issued in two versions. One will be a free version for public information containing the summary of the findings. The other would be a professional version with business insights meant for the industry users which may be nominally priced.

Await more information in due course.

Naavi

(First posted  on Cyberinsurance.org.in)


Parliamentary Panel remembers Cyber Appellate Tribunal

The fact that the Cyber Appellate Tribunal (CAT), the appellate authority for all adjudications in the country under Section 46 of ITA 2000/8, has not been functional since June 2011 has been discussed ad nauseam on this site. (Refer here.) It was therefore heartening to note that a Parliamentary Panel made reference to CAT in one of its recent briefings. (Refer DNA article.)

The committee is reported to have made the following observations.

Quote:

The committee also expressed concern on only one Cyber Appellate Tribunal (CAT) being set up in the country till date though the Act provides for setting up Benches in other parts of the country.

“The Committee are surprised to learn that since inception of CAT, only 17 appeals have been disposed of by the former Chairperson and 21 appeals are still pending for hearing in the Tribunal which are scheduled for disposal on appointment of the new Chairperson,” it said.

While expressing their displeasure over the undue delay taking place in disposal of appeal by the CAT, the committee strongly recommended the department to deploy adequate manpower at the earliest.
“Efforts may also be made to set up CAT branches in other parts of the country, if need arises,” it said.

Unquote:

We may recall that it is not only the CAT that has been rendered dysfunctional over the last 4 years; even the State-level adjudication systems have been rendered dysfunctional.

The first adjudicator who recognized his powers and duties under ITA 2000 was Mr PWC Davidar of Tamil Nadu. He went on to deliver the first adjudication decision against a Bank, namely ICICI Bank, in the complaint filed by Mr S. Umashankar, who had lost money to phishing. ICICI Bank promptly appealed to CAT. CAT admitted the appeal on the condition that the Bank deposit Rs 5,50,000/- with the adjudicator against the loss they were decreed to pay. The appeal was heard, and when the judgement was about to be delivered, the then Chairperson attained superannuation. Since then, the case has been awaiting the appointment of a new Chairperson.

Additionally, the TN adjudicator had delivered other judgements and was also hearing certain cases against PNB, which were also appealed and got stuck in the CAT. In the meantime J Jayalalitha took over as CM and promptly transferred Mr Davidar out of his position as IT Secretary (Adjudicator by designation), and the TN adjudication system went dead.

Subsequently, Maharashtra IT Secretary Mr Rajesh Aggarwal became active and handed down several judgements in which Banks were indicted. He also innovated with e-Adjudication and was threatening to disrupt the system. He was promptly transferred to Delhi, and since then Maharashtra adjudication has gone dead.

In Bangalore some applications were made to the Adjudicator, one of which was against Axis Bank, which was also the Bank that does e-Governance work for the Karnataka Government. With this conflict, the Adjudicator gave a bizarre ruling that Section 43 of ITA 2000/8 cannot be invoked by a company (in the subject case the complainant was a company), and also that no complaint could be entertained against a company (the respondent Bank was a company), and dismissed the complaints. The argument was that the word “person” used in Section 43 does not apply to a body corporate. The appeal against this blatantly erroneous decision has also got stuck in the non-functioning CAT.

These developments indicate that the Banks who were hurt by some of these judgements brought undue influence on the MCIT and stalled the activation of CAT. The CJI is also a party to the delay in the appointment of the Chairperson of CAT, since the appointment suggested by the Ministry has not been approved by the CJI. The Karnataka High Court, which was moved to correct the impasse, got stalled because the decision to appoint a CAT Chairperson was pending at the CJI's office.

As a result of these developments, the Cyber Judiciary system in India presents a void. At a time when we are talking of “Digital India” and cyber crimes are increasing, the situation is appalling.

The entire system therefore seems to have conspired against the Cyber Crime victims in India seeking a judicial remedy.

During 2010, CAT did sit in Chennai in the case of Umashankar vs ICICI Bank and created a precedent. There were also advanced discussions on setting up a Southern Bench in Bangalore. But unfortunately, with the transfer of the then IT Secretary/Adjudicator Mr Ashok Manoli, all these projects were shelved, and subsequently the Government of Karnataka and the subsequent Adjudicators have not shown any interest.

The Parliamentary committee deserves commendation for flagging the issue of the non-functional CAT, but it needs to push more strongly for measures to reactivate the CAT. This gives a glimmer of hope to all cyber crime victims that the Cyber Judiciary is likely to be active once again in India.

Let’s keep our fingers crossed.

Naavi


Inconsistencies in the CCA guidelines need to be clarified

I recall my earlier article titled “Is it a WhatsApp Moment or Napster Moment for Indian Financial System?”, in which I had pointed out certain doubts about the legality of the new Electronic Signature system notified by the Government of India and the Controller of Certifying Authorities vide the notification dated 28th January 2015, read with the guidelines issued by CCA in June 2015 on the e-Sign process.

(Detailed presentation by CCA on e-sign process)

I have not so far received any response from CCA, and hence I am briefly reiterating some of the points mentioned in that article and request CCA to clarify.

I refer to the “E-authentication guidelines for e-Sign - online Electronic Signature Service”, Version 1.0, issued by CCA on 24th June 2015.

This guideline has been issued in support of the Gazette Notification GSR 61(E) dated 27th January 2015, which the Government made in support of its DigiLocker program and which introduced a new “Electronic Signature” system by an addition to the Second Schedule of ITA 2000/8.

The Second Schedule introduced the system, which it called “e-authentication technique using Aadhaar e-KYC services”.

Details of the Aadhaar e-KYC service are on the UIDAI website. Under this scheme, UIDAI acts as an “enabler” by issuing a “digitally signed Govt issued photo ID” in electronic form to KSAs/KUAs supporting paperless KYC schemes for Aadhaar holders. (A KSA or KYC Service Agency is a valid Authentication Service Agency with secure leased-line connectivity to UIDAI's data centre, which has been approved and has signed the agreement to access the KYC API through its network. A KUA or KYC User Agency is a valid Authentication User Agency, i.e. an organization or entity using Aadhaar authentication as part of its applications to provide services to residents, such as a Bank, which has been approved and has signed the agreement to access the KYC API.)

The e-authentication service introduced in the Second Schedule as a valid electronic signature is dependent on the e-KYC service of UIDAI, which itself uses digital signatures.

According to the proposed system as described in GSR 61(E) of 28th January 2015, the application form of a subscriber would be sent by a trusted third party to the Certifying Authority for issue of a digital certificate. In the case of a DigiLocker kind of online system, the application submission would be an “online” process using an API. The details submitted by the subscriber would be verified by the Aadhaar e-KYC service.

In this process, an application of the subscriber that is not itself digitally signed would be forwarded by the trusted third party to the Certifying Authority along with the Aadhaar number. The Certifying Authority would obtain digitally signed confirmation of the Aadhaar information from the Aadhaar e-KYC service, on the basis of which it would proceed to issue the digital certificate. (This would subsequently be consented to online by the subscriber.)

The unanswered question is:

If the subscriber's application and consent are done online without a digital signature, what is the validity of a digital signature certificate issued on the basis of such unauthenticated digital submissions?

The detailed procedure for issue of the digital certificate is indicated in the CCA guideline of 24th June 2015.

The CCA guideline suggests that the public-private key pair would be generated on an HSM owned by the intermediary (the trusted third party mentioned in the Gazette notification), and that the private key is stored in the HSM for a validity period of 30 minutes and later destroyed. All these activities are done under systems which are not under the control of the subscriber. Hence the private key should be considered compromised ab initio, since the subscriber never has sole control of it.

Secondly, the authentication process for approval of the application would be based either on “biometric” or “OTP”. (OTP is presumed to be mobile-based or e-mail-based.) If the approval is based on OTP, it means that the approval of the application form depends on the KYC already done by the mobile operator or the e-mail provider. If e-mail approval is obtained, then there is effectively no authentication of the application form. If a mobile OTP is used, it is only as good or as bad as the mobile operator's KYC system.

The CCA circular says that the DSC application form should be electronically generated and programmatically filled with the data obtained from the e-KYC process. This means that just by submitting the Aadhaar number and confirming the OTP, the DSC application gets submitted without a “digital signature”. Hence it is an unsigned DSC application that gets the approval of the Certifying Authority.

The entire process is a circular, mutually authenticating procedure whose strength ultimately rests on the KYC of the mobile operator alone.

CCA should review this process and confirm if it is in accordance with the provisions of ITA 2000/8.

Naavi

P.S.: This note has to be corrected for the notification dated 30th June 2015 [GSR 539(E)], wherein the reference to the use of a hardware module has been deleted from the earlier notification.
