Contingency Management Plan
This plan sets out how the Goa Housing Board prepares for and responds to incidents that affect the availability, integrity or confidentiality of its official website. It defines incident categories, response timelines, backup arrangements and recovery procedures.
Scope
The plan covers the website at ghb.goa.gov.in, the application and database that power it, the search and translation services it depends on, and the hosting infrastructure on which all of these run.
Incident classification
- Severity 1 — critical: the website is fully unavailable, displays incorrect official information that may mislead citizens, or has been defaced. Suspected data breaches and confirmed cybersecurity incidents are always Severity 1.
- Severity 2 — major: a key section of the website (such as the feedback form, search or housing scheme pages) is unusable, or performance is severely degraded.
- Severity 3 — minor: a non-critical feature is impaired, a small number of links is broken, or content is out of date in a way that does not mislead citizens.
Response timelines
- Severity 1 — acknowledged within thirty minutes of detection; the Web Information Manager and the Member Secretary are informed immediately. Restoration is attempted within four hours. If restoration is not possible within that window, the website displays a holding page that carries the official contact details and the expected time to recovery.
- Severity 2 — acknowledged within one working hour and resolved within one working day.
- Severity 3 — resolved within seven working days.
Response procedure
- Detect — monitoring tools, the hosting provider or a citizen report raise the issue to the Web Administrator.
- Triage — the Web Administrator classifies the incident, informs the Web Information Manager and, for Severity 1, the Member Secretary.
- Contain — for cybersecurity incidents, affected services are isolated and credentials rotated before any other action.
- Communicate — for Severity 1, a holding page and a public notice are issued. The status is updated until the incident is resolved.
- Recover — the Web Administrator and the hosting provider restore services, falling back to the most recent good backup if needed.
- Review — a post-incident report is prepared within seven working days, recording the cause, the response, the impact and the corrective actions taken.
Backups
- Daily incremental backup of application data, database and uploaded content, retained for thirty days.
- Weekly full backup retained for ninety days.
- Monthly full backup retained for twelve months and stored at a secondary location.
- A quarterly restore drill verifies that backups can be used to rebuild the site.
Recovery objectives
- Recovery Time Objective (RTO) — the website is restored to a functional state within twenty-four hours of a declared disaster.
- Recovery Point Objective (RPO) — data loss in the event of a disaster is limited to the previous twenty-four hours.
Cybersecurity incidents
Suspected or confirmed cybersecurity incidents are reported to the Indian Computer Emergency Response Team (CERT-In) in accordance with the prevailing CERT-In directions. The Web Information Manager is the single point of contact for such reports.
Roles and responsibilities
- Web Information Manager — owns this plan, declares incident severity and approves communications.
- Web Administrator — first responder, executes the response procedure and coordinates with the hosting provider.
- Hosting provider — restores infrastructure, provides incident logs and supports recovery.
- Member Secretary — informed of every Severity 1 incident and approves any communication to the public or to regulators on behalf of the Board.
Reporting an incident
Citizens and external researchers who notice an incident or a suspected vulnerability are requested to report it to the Web Information Manager. Contact details are listed on the Web Information Manager page.
Ownership and review
This plan is owned by the Web Information Manager of the Goa Housing Board and is reviewed every twelve months, after any Severity 1 incident, and whenever the threat environment or regulatory framework changes materially.
