An Application Service Provider (ASP) is a vendor that supplies software, together with the data it holds, hosted and operated in the vendor's own data center. In this arrangement, the management and security of the software are not overseen by the Information Technology department. This encompasses third-party software and services vendors.
Audit Requirements:
- The communication between ASP and E-sign Service Provider (ESP) must be digitally signed and encrypted.
- The communication line between ASP and ESP should be secure, preferably through leased lines or similar private, secure channels. If a public network is used, it is recommended to deploy a secure protocol like SSL.
- ASP should have a well-documented Information Security policy aligned with standards such as ISO 27001.
- Conduct a compliance review of controls as per the Information Security policy.
- ASPs should follow standards such as ISO 27001 to maintain Information Security.
- Ensure compliance with prevailing laws such as the IT Act 2000 and relevant Rules and Regulations.
- Implement software to prevent malware/virus attacks, install anti-virus software, and establish additional network security controls and endpoint authentication schemes.
- Implement a resident consent process to obtain approval for each transaction. Users should willingly agree to sign, and the consent form should be stored securely.
- Conduct an Application Security Assessment of the ASP by a CERT-In empaneled auditor.
- Implement data logging for audit purposes.
- ASP should refrain from delegating any obligation to external organizations or applications.
- Identify stakeholders involved in eSign services, including end-users, ASP, ESP, CA, e-KYC Provider, and CCA.
- Utilize the provided audit checklist under these guidelines.
- Demonstrate and analyze the production-ready application concerning eSign.
- Verify the production environment for security requirements, compliance, and location.
Why Work with us?

CERT-IN Empaneled Security Auditor
CEREIV is empaneled by CERT-In for Digital security verification services, validating organizational readiness and system security.

Flexible Delivery
The CEREIV team recognizes the need for flexibility in test scheduling to help customers achieve optimal results.



