CERT-In Directions, 28 April 2022 · ISO 27001 readiness
Cyber security policy
Vikram Dev University maintains a cyber-security posture aligned to the CERT-In Directions of 28 April 2022 issued under Section 70B of the Information Technology Act, 2000, and to ISO 27001 readiness practice.
Chief Information Security Officer (CISO)
- CISO: Designated under the CERT-In Directions, 2022. ciso@vikramdevuniversity.ac.in
- Routing: The CISO reports to the Registrar, with escalation to the Vice-Chancellor for incidents of significant severity.
Incident reporting
If you suspect that any system of the University has been compromised, that your University account has been compromised, that you have received a phishing email purporting to be from the University, or that personal data of yourself or another person has been disclosed without authorisation, please report immediately to the CISO.
- Internal incident desk: ciso@vikramdevuniversity.ac.in
- CERT-In: incident@cert-in.org.in · 1800-11-4949
Responsible vulnerability disclosure
Vikram Dev University welcomes responsible disclosure of security vulnerabilities by security researchers acting in good faith.
- Report findings to ciso@vikramdevuniversity.ac.in. A PGP fingerprint will be published on this page in due course.
- The University commits to acknowledge receipt within five working days, validate the report within thirty days, and credit the reporter on request.
- Researchers should not access data beyond what is necessary to demonstrate the issue, must not degrade service, and must not disclose publicly until the University confirms a fix or until ninety days have elapsed.
- Where the issue concerns a critical national-infrastructure service or implicates personal data at scale, the University will coordinate with CERT-In as required.
Practices and controls
- Hosting on MeitY-empanelled CSPs. All personal data and primary backups remain within India.
- Log retention of 180 days, stored in India, in accordance with the CERT-In Directions.
- Time synchronisation with the National Physical Laboratory or NIC NTP servers.
- Incident response SOP with a six-hour notification SLA to CERT-In for reportable incidents.
- Annual VAPT (Vulnerability Assessment and Penetration Testing) by an external CERT-In empanelled auditor.
- Quarterly internal audit covering access control, change management, and backup verification.
- Closed object store for uploaded files; no writable web-root pattern. Signed URLs for time-limited access.
- Security headers at the origin: HSTS, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Content-Security-Policy.
- Multi-factor authentication for staff and faculty accounts; passwordless options where supported.
- DPDP-aligned incident response: notification to the Data Protection Board and to affected data principals as required.
Phishing awareness
The University communicates with students and staff only from email addresses ending in @vikramdevuniversity.ac.in. We will never ask you to share a password, OTP, or full Aadhaar number by email or telephone. If you receive a message that asks for any of these, do not reply; report to the CISO.
References
- CERT-In Directions, 28 April 2022
- CERT-In Responsible Vulnerability Disclosure Coordination Programme
Last updated: 26 April 2026 · Reviewed by: Chief Information Security Officer