Security Policy
The Goa Housing Board takes the security of its official website and the data it handles seriously. This policy describes the principles applied to the website at ghb.goa.gov.in, the controls that protect it, and the route through which security researchers may report vulnerabilities.
Principles
- Minimum data — only the information that is necessary for a specific public function is collected from citizens.
- Least privilege — administrative access to the website and its systems is granted only where it is needed for official duties and is reviewed at defined intervals.
- Defence in depth — security is enforced at the network, application and data layers, with logging and monitoring at each layer.
- Secure by default — every new feature is assessed for security and accessibility before it is published.
Technical controls
- The website is served only over HTTPS. HTTP requests are redirected to HTTPS and the connection is protected with HTTP Strict Transport Security.
- Modern security response headers are applied, including Content-Security-Policy, X-Content-Type-Options, Referrer-Policy and Permissions-Policy.
- All form submissions are protected against cross-site request forgery and all user input is validated and sanitised on the server.
- The application's access to the database, file system and operating system is limited to what is required for its operation.
- The website does not embed third-party tracking scripts, social media pixels or commercial analytics. Only government-approved services such as the Bhashini translation plugin are loaded from external sources.
- Sensitive data is never placed in URL parameters, browser storage, server logs or analytics events.
- Software dependencies are reviewed monthly. Security advisories for any dependency are triaged within seven working days.
Data handling
Personal data submitted through forms on this website is used only for the purpose for which it was provided. It is not sold, shared with marketing organisations or used for profiling. Detail on what is collected, how it is stored and how long it is retained is set out in the Privacy Policy.
Authentication and authorisation
Administrative access to the website is restricted to nominated officers of the Goa Housing Board. Strong passwords and multi-factor authentication are enforced. Access is reviewed when an officer changes role or leaves the Board.
Audit and assurance
- The website is audited annually against the Guidelines for Indian Government Websites by an STQC-empanelled auditor.
- A cybersecurity audit is carried out annually by a CERT-In empanelled auditor before any major release.
- Accessibility is audited annually against WCAG 2.1 Level AA.
- Findings from each audit are tracked to closure under the Web Information Manager.
Incident response
Security incidents are handled under the Contingency Management Plan. Suspected or confirmed cybersecurity incidents are reported to the Indian Computer Emergency Response Team (CERT-In) in accordance with the prevailing CERT-In directions.
Responsible vulnerability disclosure
Security researchers and members of the public who identify a vulnerability in this website are requested to report it to the Web Information Manager before disclosing it publicly. Reports should include enough detail to reproduce the issue.
The Goa Housing Board will:
- acknowledge receipt of the report within three working days;
- confirm the finding and provide an indicative timeline for remediation within ten working days;
- credit the reporter publicly where they wish to be credited and where the report led to a fix.
Reports may be sent to the Web Information Manager at the address listed on the Web Information Manager page.
Legal framework
This policy is applied in line with the Information Technology Act, 2000, the rules made under it, the directions issued by CERT-In, the Guidelines for Indian Government Websites and any instructions issued by the Government of Goa.
Ownership and review
This policy is owned by the Web Information Manager of the Goa Housing Board and is reviewed every twelve months, or sooner if there is a material change in the threat environment or in the regulatory framework.
