NSR Background Check Standards

National Skills Registry

(NSR)
Background Check Standards

NSR - Background Check Standards Version 1.0 Page 1 of 23


For Internal Restricted Circulation Only
Table of Contents

Methodology followed in developing the standards ... 3
Scope of the Standards ... 3
A. Operations ... 3
B. Systems ... 3
C. Compliance with the standard ... 3
i) Infrastructure and Facilities ... 4
ii) Staff Management ... 5
iii) Verification Process ... 6
iv) Verification Process Timelines ... 9
v) Quality control ... 10
vi) Management Information System ... 11
vii) Grievance handling and redressal ... 11
viii) Confidentiality ... 12
B. Systems ... 13
Physical Access and Associated Security ... 13
Environmental Conditions ... 14
Personnel Management and Security ... 15
Computing Infrastructure (Servers / Desktops) Management and Security ... 15
Network Operations Management and Security ... 16
Disaster Recovery Management and Business Continuity Planning ... 18
General Security ... 20
C. Compliance with the standard ... 22

Methodology followed in developing the standards
The following guidelines were kept in view in designing these basic standards:
1. End user expectations
2. Present processes followed and existing best practices
3. Differences in size and infrastructure among Background Checkers (BGCs), and cost
concerns
4. Acceptability and adaptability of the standards among BGCs and clients
5. The need for non-repudiation and assurance
6. Limitations of available information sources

In view of the above guidelines, an inclusive process of standard design has been
followed. At various stages of development the draft is distributed to BGCs and to
industry users, and their comments are invited for consideration.

Scope of the Standards

The standards have been designed to take a comprehensive approach and deal with all the
areas that relate to the functioning of BGCs and the performance of their roles in the
NSR system. With this in view, the standards attempt to cover the following areas:

A. Operations:
Infrastructure and Facilities
Staff management
Verification processes
Verification Timelines
Quality Control
Management Information System
Grievance Handling and Redressal
Confidentiality

B. Systems

C. Compliance with the standard

i) Infrastructure and Facilities
- Background Checkers (BGCs) are expected to service verification requests throughout
the country.
- These services should preferably be provided through a network of the BGC's own
employees located in various branch offices.
- If franchisees or vendors are used to extend network coverage, a comprehensive vendor
management plan needs to be in place to retain control over every entity that handles
client data. This would involve:
o A complete list of agents and vendors. Agents and vendors need to be corporate
entities, not individuals.
o Structured service agreements, Non-Disclosure Agreements, penalty clauses etc. with
these vendors.
o Licensing and registration records (Service Tax Registration, PAN, TAN, Employees'
Provident Fund registration, Employees' State Insurance registration, VAT/CST
registration, Shops & Establishment licence, Professional Tax records etc.) on file
for all vendors.
o Due diligence conducted on all vendors, with records of the same.
o Inspection of every vendor at least once a year to check manpower, data security
practices, staff training practices and process quality control, with records
maintained of the same.
o Providing only partial information to the vendor, to test whether the vendor is
able to obtain the remaining details, which should require genuine source
verification.
o Collection of supporting documents for the checks done in all cases.
o Audit practices such as call-backs, dummy verification requests, and re-verification
of a proportion of checks through other vendors or own employees, to confirm that
the checks are genuine.
o A clear statement by the BGC of the extent of liability it bears for any discrepancies
observed in verifications conducted by its vendors.
- All offices of BGCs need to comply with Information Security Management System (ISMS)
requirements.

ii) Staff Management
Adequate number of personnel: The BGC will appoint and make available an adequate
number of personnel for verification activity, so that all processes and requirements
can be completed in time, as per process expectations, with all necessary
documentation and reporting.
Training: The BGC will have a formal induction training programme for all new
recruits. Apart from teaching background check procedures, induction training needs
to sensitize employees to the importance of the background check process,
maintaining the confidentiality of information, and following the organization's
code of conduct. The training process will also include tests to assess the impact
of training on employees, and feedback to improve training content and methods. The
BGC will maintain complete training records for all employees, which may include
manuals, attendance records, test results and follow-ups, feedback forms etc.
Refresher training will also be provided to existing employees as organizational
needs require.
Outsourced staff: If the BGC uses outsourced staff working on its own premises, the
above training requirement applies to such staff as well. If outsourced agencies are
used for field checks etc., the BGC will ensure that the vendor holds the basic
licences to do business and complies with applicable laws such as the Minimum Wages
Act and child labour prohibitions. The BGC will conduct inspections to ensure that
the outsourced agency has adequate manpower and well-trained staff who know
efficient data collection procedures and are sensitized to data confidentiality
requirements. BGCs will formulate a list of Dos and Don'ts for outsourced staff, and
monitor compliance with it.
Legal compliance: The BGC will ensure that all legal requirements for its employees,
such as TDS deduction and deposit, ESIC and employees' provident fund contributions
etc., are complied with. BGCs will make efforts to ensure that outsourced agencies
also comply with all legal requirements for the manpower they maintain, for example
through agreements and declarations taken from the outsourced agencies.
Non-Disclosure: Non-Disclosure Agreements will be executed with all employees and
vendor agencies. Employees and vendors need to be sensitized to
the implication of executing the Non-Disclosure Agreement so that
confidentiality of client data is maintained.
Entry & Exit Procedures: All employees of the BGC shall themselves be subjected to a
background check and will begin work only after clearing it. On the resignation of an
employee, the BGC will have a process in place to ensure that all information access
is revoked and that company equipment and data are recovered from the employee. The
BGC needs to ensure that an adequate handover process is in place so that all
activities being handled by the exiting employee are carried forward. The escalation
matrix needs to be shared with clients, and they need to be informed of the change in
point of contact. A facility needs to be available for redirecting communication
intended for the exiting employee, to ensure continuity of business operations.

iii) Verification Process


The BGC needs to adopt verification processes that verify each and every item of the
verification request, so as to give assurance of the correctness and completeness of
the verification result it reports, and so that the results reported can themselves be
verified.

Choice of verification method: The BGC needs to ensure that the verification
methodology it chooses gives the maximum assurance of the verification results.
Address verification:
All address checks will be done physically by BGC staff visiting the address provided
by the client and checking the candidate's residential status with family members,
neighbours, security guards etc. Aspects such as length of stay, ownership status, and
the name and contact details of the person from whom confirmation was taken are
recorded.
Under no circumstances will an address be verified orally, by telephone or similar
methods.
The BGC will maintain adequate supporting documents to establish that the field checks
reported by field staff were genuinely done.
Where outsourced staff are used for field checks, the BGC shall ensure the authenticity
of the checks by collecting supporting documents and by audit practices such as
call-backs and sample re-verification.

Education verification:
For education verification the BGC will check that the university or institute that
issued the qualification to the candidate is genuine and is authorized by law to issue
such a qualification.
If, for example, a degree can be verified with the university as well as with the
college, the first attempt should be made with the university; if the university does
not respond after multiple follow-ups, the college concerned may be contacted.
However, where experience of dealing with a particular university has established that
its verifications are prone to delays or errors, preference may be given to verifying
directly with the college, provided adequate documentary evidence of the confirmation
can be placed on record.
The BGC needs to maintain a checklist detailing the standard process to be followed
when approaching any college or university for education confirmations. Aspects such
as non-repudiation of the confirmations given, contact details, applicable charges,
documents required and verification timelines need to be taken into consideration.
The BGC will follow the standard process for obtaining confirmation from educational
institutions. The standard process will not be circumvented to reduce cost or
timelines etc., since this may compromise the authenticity of the confirmations
obtained.
Written confirmations will be maintained for all education checks done. If, because of
client requirements, confirmations are taken verbally first, they shall be followed up
with written confirmations and the client shall be informed of the outcome.
The BGC will try to obtain all educational confirmations through its own staff. If
outsourced staff are used, it will be ensured that they also follow the standard
process for obtaining confirmations. The BGC shall collect supporting documents from
such outsourced staff and conduct audit practices such as sample re-verification to
ensure the authenticity of the checks done.
The BGC shall maintain an audit trail of each education check, such as documents
submitted, fees paid, and replies received from colleges or universities.

Employment verification:
The BGC must make an effort to ascertain the authenticity of the employer company
claimed by the candidate. Procedures such as site visits and internet searches may be
used for this.
The BGC needs to maintain a checklist of the standard process to be followed when
approaching a particular company for employment confirmations. This would cover
document requirements, contact details, past experience of obtaining verifications
from that company etc.
The candidate's employment details need to be checked with the HR department of the
organization concerned, and confirmation needs to be obtained in writing from an
official email id of the company.
If the BGC is unable to obtain written confirmation, for instance because the
organization does not cooperate, and is compelled to rely on verbal verification, it
needs to take steps to establish the authenticity of the confirmation: a site visit to
the company for physical verification, obtaining confirmation on the company's
officially published landline numbers, or cross-checking by taking verbal
confirmations from multiple officials in the company.
Where the company has no HR department, the BGC needs to ensure that the confirmation
is taken from officials authorized to give such confirmations. Details of the official
providing the confirmation should be recorded.

Criminal verification:
BGC will have documented standard process to be followed in case of criminal
verifications. Criminal checks would be conducted through court records.

Database Checks:
All database checks shall be done by BGCs using software licensed to the BGC. BGC
staff will be given adequate training to operate the database check systems. Training
will be based on the operational procedures specified by the database
check vendor and on past experience, to ensure that optimum quality of service is
provided to clients. Proper guidelines for conducting database searches will form part
of the BGC's operational manual and of the training programme for the BGC officials
conducting database checks, to ensure uniform and optimum use of the database check
software.
Disclosure shall be made to clients of the extent of the checks covered by the database
and their validity.

Reasonable efforts and follow-up: Obtaining verification confirmations and documentary
proof of the results from various sources of information may require repeated
follow-ups, visits etc. The BGC should ensure that such efforts are made and documented
before deciding on an alternate method of verification.

iv) Verification Process Timelines


Turnaround time for the completion of verification processes is of extreme importance
to clients, since many HR processes at the client's end depend on quick completion of
verification by the BGC. The following verification timeline standards therefore need
to be maintained by BGCs:

Activity                                              Defined Time Line
Address verification                                  Within 7 working days from receipt of complete documents from client
Education verification                                Within 15 working days from receipt of complete documents from client
Employment verification                               Within 10 working days from receipt of complete documents from client
Criminal verification (through court record checks)   Within 3 working days from receipt of complete documents from client
Database checks                                       Within 3 working days
Drug checks                                           Within 5 working days

The BGC needs to ensure that it has adequate teams in place to check for insufficiencies
in the documents received from clients. Insufficiencies need to be promptly escalated
to the client, preferably within 1 working day of receiving the case.
The BGC also needs to have processes in place that aim at quicker turnaround times than
the limits prescribed by the above standard.

v) Quality control
The BGC will maintain a team to perform quality checks on reports before they are
shared with the client. The objectives of the quality check are to ensure:
Zero tolerance towards integrity issues
100% accuracy
That no information essential to completing the verification is incomplete or missing
That verifications are in line with client requirements as specified in the agreements
executed with clients and in circulars or other communications received from clients
That supporting documents are available for all checks done
That where verifications are done with the support of vendors, the vendor has followed
the standard process for obtaining confirmations
That verification results can be reported with reasonable assurance and comply with
all applicable laws and procedures.

All verification requests should be routed through quality control processes before being finally
reported. BGC may also deploy process review mechanism which would periodically evaluate
the adequacy of various processes deployed and improvements required in the same.

BGC may also appoint an Internal Auditor to sample check its processes, control mechanisms
and quality controls. The auditor will report to the management to review and improve the
existing processes.

vi) Management Information System
The BGC should develop and maintain an adequate MIS to generate information on
parameters such as:
Client-wise list of cases received
Cases rejected on account of insufficiencies
Cases initiated
Status of initiated verifications
Time taken to complete verifications
Billing

These details will enable the BGC to have better control on its verification processes and also
enable it to have a clear insight into all aspects of the background screening process to reflect on
the health of each client account.

vii) Grievance handling and redressal

BGC activities involve providing verification reports on claims made by candidates, at
the request of the companies hiring those candidates. This involves source verification
and mapping the results to the information provided by the candidate. The process may
give rise to grievances or problems for candidates, their family members and client
companies. It is important to have a proper system to receive such grievances and to
handle and resolve them in a timely and professional manner.

BGC needs to maintain a well-trained client engagement team which will service client
requirements in an efficient manner. Escalation matrix needs to be made available to
clients to ensure that they know whom to reach out to if they have any difficulties. BGC
also needs to have a system to ensure that candidates or their families etc. are not
hassled by field staff in the course of conducting source verifications.

BGC must maintain a register (physical / electronic) for all grievances received by it.
The register should indicate details of the:

Date of receiving the complaint
Person making the complaint
Type of complaint
Description of issue
Details of official to whom the complaint was assigned
Action taken
Date of communicating the action taken to the complainant
Any further communication by the complainant
Any other details

viii) Confidentiality

Personal information of candidates and companies is provided to BGCs for processing,
reporting of verification results, and storage. This information is highly sensitive
and confidential. The BGC must take all necessary steps to ensure that information it
receives, processes, reports and stores is safeguarded and not accessible to any
unauthorized person. The BGC should also ensure that any person authorized to access
or handle such confidential information is adequately trained, is aware of its
sensitivity and confidentiality, and has signed the necessary confidentiality
agreements with the BGC.

The BGC should put in place controls that prevent any person from exporting, extracting
or transmitting such confidential information out of the BGC's premises or systems. If
the BGC uses outsourced vendors for verifications and shares candidates' personal
information with them, the BGC will have mechanisms to ensure that the confidentiality
of those details is maintained: executing Non-Disclosure Agreements with such vendors,
sensitizing vendors to the importance of data confidentiality, requiring destruction
of confidential information at the vendor's premises once it has been used, etc., to
prevent misuse of the information.

B. Systems

Objective:

The objective of this section is to provide Information System operations guidelines for a single
/ multi location BGC Information Technology set-up. These guidelines are oriented towards
providing pointers to the Information System Controls, to facilitate effective implementation of
IT Set-up and operations. These controls are required to ensure availability of the IT systems
and also to safeguard critical information from unauthorized access, disclosure or modification.

It should be clarified at the outset that the guidelines listed below are a
comprehensive model of best practice. The extent of their adoption will depend on the
needs and constraints of the specific installation or business operation. A BGC may
decide not to adopt a specific guideline after a proper analysis of the risk involved
in not adopting it.

Guidelines:

Physical Access and Associated Security

Physical security is of the utmost importance, since recovery from physical damage to
infrastructure is the most time-consuming kind of recovery. Such damage can be caused
by anyone: it requires only a strong motive and negligible or no knowledge of
technology. General guidelines for physical access and security are as follows:
a. Demarcation of the office area into (i) restricted, (ii) controlled and (iii) public
zones.
b. Photo ID access control cards / badges to be issued to and displayed by all staff
members.
c. Recording and retention of the in / out time log.
d. Server room access controlled by appropriate electronic authentication (biometric or
access card). Access to be allowed only on a need-to-access basis.
e. Stringent visitor access policy. In the normal course, visitors should not be allowed
into restricted or controlled zones.
f. Professionally trained security guards for the premises.
g. Periodic structural audit of the premises to confirm earthquake resistance. This is
especially important for buildings more than 15 years old.

h. Presence of an authorized and knowledgeable staff member while vendor engineers work
in restricted or controlled zones.
i. Where possible, the server room location to be chosen away from fire-prone sites such
as chemical factories, petrol pumps, refineries etc.
j. Adequate fire extinguishers to be available in proper places so that they can be used
if required.
k. Regular testing and maintenance of firefighting equipment.
l. Fireproof cabinets / room to store backup media and very sensitive critical
documents.

Environmental Conditions
Environmental conditions are equally important for the efficient functioning of the IT
set-up. Temperature, humidity and dust can cause short circuits leading to small fires
or disruptions in the power supply; these may not damage the equipment beyond repair,
but they can seriously affect availability and uptime. Guidelines for maintaining the
required environmental conditions are as follows:
a. Installation and monitoring of air conditioning / cooling in the server room (it is
desirable that both temperature and humidity are monitored, and that they do not cross
the thresholds / norms laid down by the equipment provider).
b. Temperature and humidity control and monitoring, as prescribed by the vendor, for
equipment located in other areas.
c. The environment to be kept dust free.
d. Clean power supply through UPS equipment with adequate battery backup to shut the
systems down gracefully in the event of a power supply disruption, or to switch over to
a DG set if one is installed. The DG set, if installed, should have adequate fuel to
keep the systems operational for the desired timeframe.
e. Server room to be shielded from electromagnetic interference, as per the norms given
by the provider of the equipment (servers, firewall appliances, LAN switches etc.).

Personnel Management and Security
With advances in technology, a truckload of paper information can be carried out of a
building on an electronic storage device small enough to fit in a pocket, without
anyone noticing. Critical and confidential information being taken out of an
establishment in this way is as much a disaster as a tsunami or an earthquake, and it
is largely only possible through compromised or disgruntled personnel within the
establishment. Personnel management is therefore an integral part of Information
System operations. Guidelines for ensuring minimum discipline and security in personnel
management are as follows:
a. Background check for the staff members, vendor employees, outsourced resources,
franchisee staff having access to critical information and operational knowledge.
b. Staff members to provide Confidentiality and non disclosure undertaking. This may
necessarily include the post-resignation period also.
c. Access to Information System to be allowed only on need to know basis and after
proper authorization.
d. Roles and Responsibilities to ensure segregation of duty.
e. Relieving process to ensure revocation of all access (physical and logical).
f. Information Security awareness training to be provided to all staff members and
periodically repeated. Effectiveness of such training to be measured.
g. Responsibility of staff members towards Information System operations to be clearly
stated in Code of conduct / appointment orders.
h. Similar clauses to be included and appropriate undertaking to be obtained for
appointment of third party / outsourced agencies and its staff members

Computing Infrastructure (Servers / Desktops) Management and Security

It is now difficult for an organization to survive unless appropriate measures to
safeguard its Information System set-up have been implemented. With more and more
open systems, some understanding of technology and logical access methods is enough to
take advantage of loopholes in the set-up. The computing infrastructure therefore needs
to be equipped with protection mechanisms. Guidelines for computing infrastructure
management and security are as follows:
a. Maintain an up-to-date inventory of all assets used for computing (hardware /
software / network equipment).

b. Hardening of the operating system of servers, so as to disable services / ports /
protocols that are not required for normal operation.
c. Establish a patch management practice.
d. Enable and review event and security logs on servers.
e. Log and monitor failed login attempts (preferably disable the account when failed
attempts exceed the permitted number of retries and raise an online alert; such
accounts can be reactivated after suitable enquiries have been made to determine the
cause of the repeated failures).
f. It is desirable to have a HIDS (Host-based Intrusion Detection System) on critical
servers, especially if they are hosted at a service provider's site.
g. Restrict direct access to database servers to the required application servers and
to system support and DBA users. Such access to be monitored and accounted for.
h. Servers and desktops to run the latest antivirus software version and virus signature
files, for immediate detection.
i. Periodically review user IDs and their associated rights.
j. Only licensed software to be used on servers and desktops.
k. Periodic monitoring / automatic alerts for symptoms that may lead to failure.
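The failed-login control in item e. above can be implemented as a small monitoring routine over the server's authentication log. What follows is an added example, not part of the NSR standard and not any BGC's own tooling. It replays constructed sshd-style syslog lines (the log format, the hostname bgc-app1, the five-retry limit, the ten-minute window and the year 2024 are all assumptions, since the standard fixes none of them), counts failures per account inside a sliding window, marks the account as disabled once the permitted retries are exhausted and raises an alert. Because a lockout that does not take effect is itself a finding, it also flags a successful login on an account that should already be disabled.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Policy values: the standard says "beyond permitted retries" without fixing a number,
# so these are assumed for the example.
MAX_RETRIES = 5
WINDOW = timedelta(minutes=10)
ASSUMED_YEAR = 2024  # syslog timestamps carry no year

# Constructed sample log (OpenSSH sshd lines as syslog would record them); not real data.
SAMPLE_LOG = """\
Mar 03 09:00:01 bgc-app1 sshd[2101]: Failed password for dba from 10.20.30.40 port 50122 ssh2
Mar 03 09:00:03 bgc-app1 sshd[2101]: Failed password for dba from 10.20.30.40 port 50122 ssh2
Mar 03 09:00:05 bgc-app1 sshd[2104]: Failed password for dba from 10.20.30.40 port 50130 ssh2
Mar 03 09:00:08 bgc-app1 sshd[2107]: Failed password for invalid user admin from 198.51.100.7 port 41000 ssh2
Mar 03 09:00:09 bgc-app1 sshd[2108]: Failed password for dba from 10.20.30.40 port 50140 ssh2
Mar 03 09:00:11 bgc-app1 sshd[2110]: Failed password for dba from 10.20.30.40 port 50142 ssh2
Mar 03 09:00:12 bgc-app1 sshd[2111]: Accepted password for dba from 10.20.30.40 port 50144 ssh2
Mar 03 09:30:00 bgc-app1 sshd[2200]: Failed password for ops from 10.20.30.41 port 50200 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port"
)


def parse_line(line):
    """Return (timestamp, result, user, source) for an sshd auth result line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    stamp = f"{ASSUMED_YEAR} {m['mon']} {m['day']} {m['time']}"
    ts = datetime.strptime(stamp, "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["src"]


def analyze(log_text, max_retries=MAX_RETRIES, window=WINDOW):
    """Replay the log in order; lock accounts that exhaust their retries and collect alerts."""
    recent = defaultdict(deque)   # user -> timestamps of failures still inside the window
    locked = {}                   # user -> time the account was disabled
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue              # not an auth result line; ignore
        ts, result, user, src = rec
        if result == "Accepted":
            if user in locked:
                # The lockout should have blocked this; treat it as a control failure.
                alerts.append(f"{ts} CRITICAL login succeeded on disabled account {user} from {src}")
            else:
                recent[user].clear()   # a good login resets the retry counter
            continue
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # drop failures older than the window
        if len(q) >= max_retries and user not in locked:
            locked[user] = ts
            alerts.append(
                f"{ts} ALERT account {user} disabled after {len(q)} failed logins "
                f"within {window} (last source {src}); reactivate only after enquiry"
            )
    return {
        "locked": locked,
        "alerts": alerts,
        "open_failures": {u: len(q) for u, q in recent.items() if q},
    }


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG)["alerts"]:
        print(alert)
```

On the sample, the dba account hits five failures at 09:00:11 and is disabled; the successful login one second later is reported as a critical event because the lockout evidently did not take hold. The reactivation step the standard calls for is deliberately left to a human: the routine only records who was disabled and when, which is the record the enquiry needs.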

Network Operations Management and Security

With the spread of the Internet and the wide deployment of networked systems, physical
access is no longer required to gain control of an Information System set-up. With some
understanding of technology and the appropriate access methods, anyone can gain
unauthorized access to critical set-ups remotely. Appropriate network operations
management and security are therefore needed. The network has also become the backbone
of any business, and non-availability or poor availability of network access can
impede day-to-day operations.
Guidelines for Network Operations Management and Security are as follows:
a. Utilization monitoring of the routers used for terminating external connections to
the internal network.
b. Routers to have the latest IOS (or one version older) installed.

c. Hardening of the router may be done at the time of installation and periodic review of
the same carried out to ensure the controls are adequately protecting the network
infrastructure and network access.
d. Authorized Access Control List (ACL) to be configured and periodically reviewed.
e. Internal network to be protected with Firewall security with strictly defining policy
rules that are required for the network to operate.
f. Installation of Network IDS (Intrusion Detection System) and monitoring the logs of
the same is desirable (not mandatory for all BGC set-ups).
g. Shunning to be enabled on Router / Firewall for the suspicious traffic detected by
IDS, is desirable (not mandatory for all BGC set-ups).
h. Publicly accessible servers and critical processing servers to be installed in different firewall
zones (Demilitarized Zones). Usually only web servers are exposed to the external world, while
application and database servers are accessible only to trusted systems. Web servers should not
have direct access to database servers. If the BGC uses one physical box to host all the services
(web, application and database), some form of logical partitioning between these processes is
desirable.
i. Database servers to be located in High Security Zone (if separate database server is
configured).
j. Access to the Local Area Network (LAN) to be restricted to authorized computer systems only,
whether servers, desktops or laptops.
k. LAN access points which are not in use are to be either disabled or physically
disconnected.
l. Use of an internal firewall is desired if Wi-Fi or a wireless LAN is installed.
m. Use of a switched LAN, together with measures to prevent traffic sniffing on the LAN (such as
switch port security and ARP inspection, since a switch alone does not prevent ARP spoofing), is
desirable. On a hub-based LAN this is not possible, as every station sees all traffic; such
limitations are to be addressed by more stringent physical security policies and processes,
including encryption of LAN traffic.
n. If the LAN is very large, VLANs and, if required, physically isolated LAN set-ups to be used for
production set-ups and the management network. Use of an internal firewall to control access to the
critical production set-up from the general LAN is desirable (not mandatory for small set-ups).

o. Any connectivity from the general office LAN to the Internet to be allowed only through a
firewall. This need not be a branded appliance; a standard Linux host configured as a firewall with
proper policies is acceptable. If a dial-up / broadband connection is to be established, it is to be
done from an isolated desktop or by placing that desktop in a separate VLAN.
p. Stringent third party remote access policy and procedures to be implemented.
q. Periodic penetration testing, with review of the outcome, is a good practice.
r. External access from the LAN may be allowed through a proxy, and blocking of sites / categories
of sites not required for BGC functioning (such as gaming sites, war sites etc.) is desirable. Logs
of the access done by individual users may be maintained and reviewed on the proxy server.

Disaster Recovery Management and Business Continuity Planning


Fire, natural calamities and man-made attacks can seriously damage IT infrastructure and thus
threaten continuity of business services. Appropriate Disaster Recovery Management (DRM) strategies
and Business Continuity Planning (BCP) are therefore very important. DRM and BCP guidelines are as
follows:
a. Critical servers / network equipment / security devices to have inbuilt redundancy if the
technology of the device permits.
b. On-site hot standby redundancy for security devices / production servers hosting critical
applications is desirable. The cost-benefit factor to be considered before investing in a hot
standby system is the impact on business and information security of non-availability of the
security devices / production application / file servers. Senior Management of the BGC organization
may undertake a proper impact analysis and risk assessment, and the decision may be documented for
the record. If the decision is not to have hot standby redundancy because non-availability does not
severely impact the business, such decision to be revisited every year and the outcome documented
for the record.
c. All BGCs need to establish a Disaster Recovery Site (DRS). Such a site need not be equipped with
infrastructure equal to production, but it should be ready to host infrastructure at short notice.
Appropriate arrangement with a vendor to provide servers that can cater to the bare minimum critical
services may be made and documented officially with the vendor. If the nature of the service /
business demands it, equal-capacity infrastructure may also be considered for the DRS. The DRS
should preferably be in another city; however, if the BGC has no office in another city where such
a set-up can be hosted, the DRS could be in the same city.
d. If the DRS is located in another office in the same or another city and a stand-by server is
hosted there, the database / files etc. to be kept up to date at a periodicity in line with
business requirements. If a server set-up is not available at the DRS, appropriate remote-copy
backup provisions to be made to ensure restorability on another server should operations need to
start from another site. A complete backup of the application system is also necessary, as the
data / files alone cannot provide for continuity of business.
e. Two sets of backups to be taken daily. One may be stored locally in a fireproof cabinet / room;
the other to be sent to the DRS / a remote safe location such as a Director's residence. The remote
copy is preferably encrypted, with the decryption key kept separately from the media.
f. BGC organization's Sr. Management is required to identify and document staff members' roles in
the event DRS operations are invoked. This to be clearly communicated to the staff members who are
to report to and carry out business operations from the remote site. Communication to vendors,
clients and other interested entities such as the media to be standardized and documented, with
the spokesperson identified and informed.
g. BGC organization to also ensure availability of important information stored on media, paper
etc.; copies of all such critical information to be stored at a remote location. This does not
necessarily mean all BGC reports, work papers etc., but rather important agreement copies, legal
papers etc.
h. The location of the remote site / DRS is not public information. Unnecessary public
declarations that would make the location common knowledge are to be avoided.
i. Periodic drills to shift operations to the DRS are desirable where the DRS is fully equipped and
owned. Where the site is identified and equipped only to the extent that computing infrastructure
can be hosted within a short time, a table-top walk-through of the plan to be carried out regularly
and documented. Such plan and the findings of the walk-through may be reviewed and approved by Sr.
Management.

General Security
Apart from the specific security guidelines for each aspect of information systems, some general
security guidelines have to be implemented in any set-up. These guidelines are the nuts and bolts
that hold together the girders of information system security. Some of these guidelines are as
below:

Password Management (Preferably system enforced password policy)


a. Minimum length of the password has to be eight characters.
b. Password has to adhere to alphanumeric complexity standards, i.e. a combination of upper-case
and lower-case letters and numbers. Inclusion of a special character in the password is desirable
though not mandatory.
c. Passwords are not to be shared under any circumstances. Generic user IDs, which would lead to
sharing of passwords, are not to be defined. If in an emergency a password has to be shared, this is
to be done only after obtaining permission of the Officer In Charge, and a record of such
disclosure, duly authorized by the Officer In Charge, has to be maintained. The user who shared the
password has to change it at the first login after sharing.
d. Passwords are to be changed periodically, with a periodicity not exceeding 60 days.
e. If technically feasible, a history of the last 5 passwords to be maintained and reuse of these
passwords by the user prevented.
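Items a, b, d and e are the parts of the policy a system can enforce. The class below is an added
example, not part of the NSR standard: it implements the eight-character minimum, the upper /
lower / digit complexity rule, the 60-day maximum age and a five-entry history, storing each
password as a salted PBKDF2-SHA256 hash so the history can be checked without keeping passwords in
clear. The user name, sample passwords and dates are constructed; the iteration count is kept low
for the example and should be raised in production.

```python
"""Added example: system-enforced password policy per NSR items a, b, d and e.
Not part of the NSR standard; user names, passwords and dates are constructed."""
import hashlib
import hmac
import os
import re
from datetime import date, timedelta

MIN_LENGTH = 8                 # item a
MAX_AGE = timedelta(days=60)   # item d
HISTORY_DEPTH = 5              # item e: current password plus the previous four
PBKDF2_ROUNDS = 50_000         # deliberately low for the example; use far more in production
SALT_LEN = 16


def complexity_errors(password: str) -> list:
    """Item b: upper-case, lower-case and digit required; special characters optional."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        errors.append("no upper-case letter")
    if not re.search(r"[a-z]", password):
        errors.append("no lower-case letter")
    if not re.search(r"[0-9]", password):
        errors.append("no digit")
    return errors


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def _matches(password: str, stored: bytes) -> bool:
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    return hmac.compare_digest(_hash(password, salt), digest)


class Account:
    def __init__(self, username: str, initial_password: str, today: date):
        errors = complexity_errors(initial_password)
        if errors:
            raise ValueError("; ".join(errors))
        self.username = username
        self.history = []          # salted hashes, newest first; entry 0 is the current password
        self.last_changed = today
        self._store(initial_password, today)

    def _store(self, password: str, today: date) -> None:
        salt = os.urandom(SALT_LEN)
        self.history.insert(0, salt + _hash(password, salt))
        del self.history[HISTORY_DEPTH:]   # forget anything older than the last five
        self.last_changed = today

    def verify_login(self, password: str) -> bool:
        return _matches(password, self.history[0])

    def is_reused(self, candidate: str) -> bool:
        return any(_matches(candidate, h) for h in self.history)

    def is_expired(self, today: date) -> bool:
        return today - self.last_changed > MAX_AGE

    def change_password(self, new_password: str, today: date) -> list:
        """Return the list of policy violations; empty means the change was applied."""
        errors = complexity_errors(new_password)
        if self.is_reused(new_password):
            errors.append(f"matches one of the last {HISTORY_DEPTH} passwords")
        if not errors:
            self._store(new_password, today)
        return errors


if __name__ == "__main__":
    acct = Account("asmith", "Winter2024x", date(2024, 1, 1))
    print(acct.change_password("winter", date(2024, 1, 2)))
    print(acct.is_expired(date(2024, 3, 2)))
```

The history check hashes the candidate against every stored entry, so it costs five PBKDF2
computations per change; that is acceptable for an interactive password change but is the reason
the history is capped rather than kept indefinitely. Note that NIST SP 800-63B no longer recommends
forced periodic rotation in the absence of evidence of compromise; the example enforces the 60-day
window because this standard requires it.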

Maintenance of Information System Infrastructure


a. All computer / network / general equipment used for operations to be covered under a valid
Annual Maintenance Contract (AMC).
b. The AMC agreement has to include clauses for Service Level Agreements (SLA), confidentiality and
the vendor organization's obligations towards information system security.
c. A clause to provide standby equipment if the problem cannot be fixed within the SLA time frame
has to be included in the AMC agreement.

Information Security
Each information store (media, paper etc.) has to be labeled with its information classification.
Labeling lets the person handling the information identify its criticality.

Information transfer through Electronic / Written media


a. Adequate security measures to be deployed for information transferred electronically, i.e. by
email or FTP (plain FTP and SMTP carry data in clear text, so SFTP / FTPS or encrypted mail is
needed).
b. Information to be encrypted with strong keys while in transit over the network.
c. A mechanism to check the integrity of the data using hash algorithms to be in place.
d. Information transmitted on paper or other written media must be sealed properly, and any
tampering observed on reaching the destination is to be reported to the Officer In Charge
immediately.
e. Redundant papers carrying critical / sensitive / non-public information are to be physically
destroyed at the end of their life by burning, shredding or a similar mechanism. Disposal should
not be by selling these papers to waste-paper collectors etc.
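Item c is easy to get wrong: a plain SHA-256 digest sent alongside the data protects against
accidental corruption only, because anyone who can alter the file can recompute the digest. The
example below is added here and is not part of the NSR standard. It builds a manifest of per-file
SHA-256 hashes and authenticates the manifest with an HMAC under a key shared between sender and
receiver, so that both an altered file and a re-hashed, forged manifest are detected. The file
names, contents and key are constructed; encryption of the payload (item b) is assumed to be done
by the transport (SFTP, TLS or PGP) and is not shown.

```python
"""Added example: keyed integrity manifest for a batch of transferred files.
Not part of the NSR standard; files, contents and key are constructed."""
import hashlib
import hmac
import json

# Constructed pre-shared key; in practice exchanged out of band and rotated.
KEY = b"constructed-pre-shared-key-do-not-reuse"

# Constructed sample batch, as the sender would read it from disk.
SAMPLE_FILES = {
    "report.pdf": b"%PDF-1.4 constructed sample report body",
    "summary.csv": b"candidate_id,result\n1,clear\n2,discrepancy\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(entries: dict) -> bytes:
    # Stable serialization so sender and receiver HMAC the same bytes.
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode("utf-8")


def build_manifest(files: dict, key: bytes) -> dict:
    """Sender side: hash every file, then MAC the whole table of hashes."""
    entries = {name: sha256_hex(data) for name, data in sorted(files.items())}
    tag = hmac.new(key, _canonical(entries), hashlib.sha256).hexdigest()
    return {"entries": entries, "hmac": tag}


def verify_manifest(manifest: dict, files: dict, key: bytes) -> list:
    """Receiver side: return a list of problems; empty means the batch is intact."""
    expected = hmac.new(key, _canonical(manifest["entries"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac"]):
        # Stop here: nothing in the entries table can be trusted.
        return ["manifest HMAC mismatch: manifest forged or wrong key"]
    problems = []
    for name, digest in manifest["entries"].items():
        if name not in files:
            problems.append(f"{name}: missing")
        elif sha256_hex(files[name]) != digest:
            problems.append(f"{name}: content altered")
    for name in files:
        if name not in manifest["entries"]:
            problems.append(f"{name}: not in manifest (unexpected extra file)")
    return problems


if __name__ == "__main__":
    m = build_manifest(SAMPLE_FILES, KEY)
    print(json.dumps(m, indent=2))
    print(verify_manifest(m, SAMPLE_FILES, KEY))
```

Transmit the manifest together with the files (or ahead of them by a separate channel). The
receiver checks the HMAC first and only then the individual hashes, and treats a missing or extra
file as a finding to report to the Officer In Charge just as a broken seal on paper would be.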

Recording of problems causing disruptions and Log Reviews


a. Each office to maintain a complete record of the problems that led to disruption of
information system services.
b. The reason and the resolution method to be recorded and maintained as history.
c. Periodic review of these issues has to be undertaken by the authorities.
d. Measures to prevent such situations from recurring are to be implemented.
e. Findings and action items to be monitored and progress reported to the authorities.

Periodic assessment of Information System Security


a. Frequent periodic assessment (say every 6 months) to understand and identify the effectiveness
of the various security measures implemented has to be undertaken by an internal independent
assessment cell.

b. Lapses and inadequacies in implementation to be identified and a formal report filed with the
reviewing authorities.
c. An independent, competent third party to be appointed for neutral assessment, and such
assessment / audit to be undertaken every year.
d. Action items and closure dates for the identified inadequacies to be finalized, and a follow-up
assessment may be carried out to verify closure.
e. Authorities to seriously review the findings, especially repeated observations in such
assessments / audits.

Capacity planning
a. Regular monitoring of resource utilization in terms of CPU, memory and disk.
b. Set utilization thresholds keeping in view the lead time for an upgrade and the likely growth in
volume during that period.
c. Avail, where possible, the capacity-on-demand feature from the vendor.

Staff Training
a. Staff members to be trained during induction and made aware of the above guidelines.
b. Periodic refresher training to be provided at least once every 12 months.
c. Training in emergency evacuation and fire fighting to be provided to ensure adequate skills to
address such eventualities. Evacuation drills may be conducted periodically (at least once every 6
months) and records of the same maintained.

C. Compliance with the standard

It is expected that all BGCs will be able to implement the standard within three months of the
release date.

To ensure that all BGCs are complying with the standard NDML / NASSCOM and NSR
member companies may conduct audits. Circulars will be issued in due course in this regard to
indicate the audit methodology.

Disclaimer

The standard document has been framed by NASSCOM and NDML in consultation and
consensus with leading IT/ITeS companies and background check agencies. These standards are
meant to ensure a basic level of diligence to the operations of the background checkers
empanelled on NSR. Referring organizations need to be aware that these standards should be
considered only as a guide and they are free to specify a higher / more stringent level of
operational standard for their activities.

These standards are meant for restricted circulation and not intended for publication or
circulation to or sharing with any other entity excluding the empanelled background checkers
and member companies of NSR, nor are they to be reproduced or used for any other purpose in
whole or in part, without written consent in each specific instance.

In the event that any state of affairs arises in the industry which impacts the facts mentioned in
the standards document, we reserve the right to amend these standards accordingly.

The object of these standards is to serve as a benchmark to review the operations of the
background check agencies empanelled on NSR. NASSCOM and NDML expressly disclaim all
responsibility or liability for any costs, damages, losses, liabilities incurred by anyone as a result
of the circulation, publication, reproduction or usage of these standards.
