This Agreement is made on the ____day of _______, 20__

BY AND BETWEEN

Company name, an existing company within the meaning of the Companies Act, 2013
and having its registered office at ADDRESS (hereinafter referred to as “COMPANY
NAME” which expression shall, unless it be repugnant to the context or meaning
thereof, be deemed to mean and include its successors- in- interest and permitted
assigns) of the One Part

AND

XYZ, a company incorporated/an existing company under the Companies Act, 2013
and having it registered office at _________________________________, hereinafter
referred to as “XYZ” (which expressions shall, unless it be repugnant to the context or
meaning thereof, be deemed to mean and include its successors-in-interest and
assigns) of the Other Part.

(COMPANY NAME and XYZ are hereinafter collectively referred to as the “Parties”
and individually as a “Party”)

WHEREAS
A. COMPANY NAME is engaged in the business of inter-alia, running hospitals and
providing healthcare services in various cities in India and has established multi-
specialty hospitals at various locations in India and has significant expertise and
goodwill in the field of cardiac and other medical care.

B. XYZ is engaged in the business of providing full service Interactive media

solutions to its clients across the Internet (hereinafter referred to as the “Services);

C. XYZ has represented to COMPANY NAME that it is engaged in providing the

services of creating, designing and implementing effective digital advertising
campaigns, creating and designing artwork and all other incidental material required
in such digital advertising campaigns, developing business strategy for the effective
promotion of varied products and services and all other related activities towards
development and promotion of the brands of various organizations. Further, it has the
infrastructure, manpower and experience in the above area and possesses the financial
capabilities to perform the above functions and such other functions as may be
assigned to them by COMPANY NAME from time to time.

D. COMPANY NAME has acquired immense goodwill in the healthcare industry

and and is desirous of availing of the services of XYZ and XYZ has agreed to provide
such services to COMPANY NAME on the terms and conditions set forth herein
below :
NOW THIS AGREEMENT WITNESSETH AND IT IS AGREED BY AND
BETWEEN THE PARTIES AS FOLLOWS:

1. DEFINITIONS

1.1 Delivery means delivery to COMPANY NAME

1.2 Deliverable means any item to be delivered to COMPANY NAME by the Service
Provider

1.3 Intellectual Property Rights means patents, trade marks, Internet domain names,
service marks, registered designs, applications for registration of any of the foregoing,
copyright, design rights, trade and business names, semiconductor topography rights
and any other similar protected rights in any country.

1.4 Materials means all materials including but not limited to documents, software
code, plans, programs, data, diagrams, charts, reports, specifications, studies and
inventions and all drafts thereof and working papers relating thereto on whatever
media
1.5 Specifications means descriptions, designs, functional and technical requirements
for the Services and/or Deliverables

1.6 Trademarks shall mean the trademarks/brand names/logos among others whether
or not registered under the Trademarks Act, used or owned by COMPANY NAME,
and shall include the trademark/brand names/logos that may be created by XYZ for
COMPANY NAME from time to time during the course of this Agreement.

1.7 CMB Agency shall mean an entity which purchases time and space from Media
owners as per the Media Plan approved by COMPANY NAME or on behalf of
COMPANY NAME, in writing.

1.8 Fee shall mean the total remuneration payable to XYZ as stated in Annexure 1
hereof.

2. PURPOSE

This Agreement is executed with the purpose of having a strategic arrangement

between the parties, whereby XYZ shall handle COMPANY NAME’s interactive
requirements on the Internet, specifically on www.facebook.com, www.twitter.com,
www.youtube.com, and such other websites as notified by COMPANY NAME,
creation of application software for mobile phones and creation, maintenance &
updating of micro-sites.

XYZ shall provide the services to COMPANY NAME as per the requirements and
specifications intimated to them from time to time.

The quality of the service will be the essence of this agreement and shall from a
central factor of this agreement. XYZ will take all possible steps to ensure consistent
good quality of service as per benchmarks stipulated by COMPANY NAME.
3. TERM

3.1 This Agreement shall be effective from …….. and shall continue to remain in
force for a period of one (1) year and shall apply to all the campaign (s)
during the period of one year from the effective date, unless terminated
earlier in accordance with provisions thereof.

3.2 This Agreement may be renewed from time to time on the mutual consent of
both the parties subject to such terms and conditions as agreed upon.

4. SERVICES TO BE PROVIDED BY XYZ

XYZ shall provide COMPANY NAME all services necessary for the effective brand
building so as to generate desired positioning of COMPANY NAME in the market
and as may be specified by COMPANY NAME from time to time. Such services
shall, inter alia, include the following:

4.1 XYZ shall obtain information from COMPANY NAME on all aspects
including without limitation the functionalities, intended consumer segment
among others.

4.2 On the basis of the Profile, XYZ shall conduct quarterly and annual reviews
of COMPANY NAME’s digital strategy.

4.3 XYZ will ideate and design digital marketing concepts which will help
establish a unique and positive image of COMPANY NAME.

4.4 COMPANY NAME may at is sole discretion, select any of the concepts
developed by XYZ for further refinement or progress by XYZ

4.5 Upon selection of the concepts by COMPANY NAME, XYZ shall design
and develop web sites, banner designs, design schemes, emailers, slogans,
application software, games, videos among others which shall be original and
complimentary and shall be suitable for the effective marketing of
COMPANY NAME.

4.6 XYZ is responsible for management of the web-site of COMPANY NAME

in term of updations, making it contemporary in terms of technology,
analytics and consumer feedback process. XYZ shall follow the security
guidelines of COMPANY NAME as stated in Annexure 3.

4.7 XYZ shall develop short and long-term strategies for marketing of
COMPANY NAME in terms of its web site, interactive media, social media,
mobile marketing, for brand building and other matters incidental thereto.

4.8 XYZ shall provide resources for content writing (for blogs, websites, social
network sites such as www.facebook.com, photo sharing sites) and brand
content seeding. In addition, XYZ will be actively involved in Electronic
 Public Relations and Online Reputation Management (ORM) for
COMPANY NAME and release 2 online press releases per quarter.

4.9 XYZ shall create pages on social networking websites, photo-sharing

websites, video sharing websites among others for the COMPANY NAME
brand and regularly update them with appropriate content like videos,
pictures, contests, polls, information about the brand, after obtaining prior
approval of COMPANY NAME. XYZ shall also analyze user activity on
these pages, suggest strategies for rapidly increasing the users on the social
networking websites for the Brand and ecompany nameancing the experience
of the brand’s users on the Social Networking websites.

4.10 XYZ shall undertake media planning and buying. This includes
advertisement operations, buying, reporting and access to resources such as
‘Comscore’ that will be used to create media plans and strategies. All metrics
like Cost Per Click (CPC) / Click Through Ratio(CTR) / Cost per fan
(CPF) /Social Engine Optimisation (SEO) / Search Engine Marketing (SEM),
Landing Page Optimisation (LPO) will be benchmarked to the best in the
industry

4.11 XYZ shall coordinate its activities with COMPANY NAME, media
partners of COMPANY NAME, CMB Agency and public relations service
provider, if any, whenever necessary and as requested by COMPANY
NAME, for the fulfillment of the objectives of this Agreement. It is
understood that COMPANY NAME reserves the right to purchase media
space itself for the Product(s) or through a CMB Agency. In the event,
COMPANY NAME does so through appointing another agency, it shall
communicate such appointment to XYZ.

4.12 All activities of XYZ shall be undertaken and completed in accordance with
the time schedule which may be notified by COMPANY NAME from time
to time.

4.13 Conceptualizing COMPANY NAME’s promotional campaigns on the

internet.

4.14 XYZ shall ensure compliance with all the relevant rules and regulations
pertaining to services provided under this Agreement.

4.15 XYZ shall ensure the deployment of trained and competent personnel for
rendering services under this Agreement.

5. ACCEPTANCE

It is acknowledged by XYZ that the deliverables arising out of the services provided
by XYZ pursuant to this Agreement are subjective by nature and hence, the
acceptance of the same by ITC shall be subject to the satisfaction of ITC and hence,
ITC shall be entitled to reject the deliverables without any explanation if not satisfied
with the quality or suitability of the deliverables. ITC may, at its sole discretion,
request XYZ to rework on the deliverables if not satisfied with the results or without
prejudice to any other remedies that it may have pursue such remedies as also
available under this Agreement. This performance by XYZ of this Agreement shall be
deemed to be completed only on confirmation by the authorized/concerned manager
of ITC. However it is understood by XYZ that no such confirmation provided by ITC
shall or shall be deemed to dilute any remedies that ITC may pursue in future in
respect of deliverables which are not in accordance with this Agreement. ITC will
convey to XYZ from time to time the name(s) of the person(s) who are authorized by
ITC to give such confirmations. The list of such officials of ITC is enclosed as
Annexure 2 to this Agreement.

6. REMUNERATION

6.1 COMPANY NAME shall pay XYZ the fee in terms of Annexure 1 hereto for
services rendered and deliverables submitted in terms of this Agreement.

6.2 All payments shall be made by COMPANY NAME under this Agreement on
XYZ raising invoices on COMPANY NAME. Invoices will be raised by XYZ
on COMPANY NAME on a monthly basis at the end of every calendar month
for which the services have been provided. All payments shall be subject to
deduction of tax at source as applicable. All taxes, other than as expressly
provided for in Annexure 1, shall be borne by the Party on whom the same is
levied. The timely and adequate payment of any tax to the governmental
authorities shall be the responsibility of the respective Party on whom the
same is levied. In addition, all media invoices to be paid by COMPANY
NAME to XYZ will require submission of third-party monitoring reports
along with the original publisher invoice by XYZ and the server report of the
publisher. In case where third-party monitoring is not available, server reports
of publishers need to be submitted along with a justification on the non-
availability of the third party monitoring. All invoices raised by XYZ shall be
paid by COMPANY NAME to XYZ within 60 calendar days of receipt of the
clear and complete invoices along with all supporting documents.

7. TERMINATION

7.1 Without prejudice to any other rights and remedies, COMPANY NAME may
terminate this agreement immediately on giving written notice to XYZ if XYZ
commits a material breach of this agreement which is not capable of remedy
or commits a material breach of this agreement which if capable of remedy is
not remedied within 15 days of receipt by XYZ of a notice in writing
specifying the breach required to be remedied.
 7.2 COMPANY NAME may terminate this agreement without assigning any
reason by giving thirty days notice.

7.3 Either party may terminate this agreement in case a winding-up decree has
been obtained against the other party or the other party enters into
liquidation or commits an act of bankruptcy or has an administrator or
receiver appointed over the whole or any part of its assets.

7.4 COMPANY NAME may terminate this agreement immediately in the event it
is not satisfied with the deliverables of XYZ despite a rework and
resubmission of the deliverables by XYZ pursuant to a request by COMPANY
NAME.

7.5 Any termination of this Agreement howsoever caused shall not affect the
continuance in force of any provision hereof which expressly or by
implication is intended to come into or continue in force after termination.

8. EFFECT OF TERMINATION/EXPIRATION

Upon termination / expiration of this agreement, whichever occurs earlier:

8.1 The parties will settle all undisputed dues of each other, outstanding as on
the date of the termination / expiration. This sub-clause shall not be
applicable in case of a termination by cause.

8.2 The parties agree that the termination or expiration of this Agreement,
shall not affect any obligations of either party, which may have accrued
prior to the termination of this Agreement. However, notwithstanding
anything contained in this clause, in case of termination by cause, XYZ
shall not be entitled to make any claim against COMPANY NAME.

8.3 In the event of any termination of this Agreement by cause, COMPANY

NAME shall not be required to make payment for services rendered for the
month or any proportion thereof for which payment is otherwise due. This
shall be without prejudice to COMPANY NAME’s other rights against
XYZ.

8.4 On expiry or termination of this Agreement, XYZ shall immediately

return/deliver to COMPANY NAME all information provided by
COMPANY NAME, all works-in-progress, creative materials,
advertisements and all other materials developed by XYZ in course of
providing the services and XYZ shall not retain any copy of the same.
 8.5 Further, XYZ shall also refund to COMPANY NAME the fees already
received by it under this Agreement if the deliverables have not been
received by COMPANY NAME. Such refund shall be made by XYZ to
COMPANY NAME within a period of 15 days from the date of written
notice.

8.6 COMPANY NAME’s obligation under this Agreement is restricted only to

the payment of consideration and handing over tax deduction certificates
as per the provisions of the Income Tax Act, 1961.

9 INDEMNITY

XYZ shall indemnify COMPANY NAME , its directors, officers and employees from
and against all claims, demands, actions, suits and proceedings, whatsoever that may
be brought or made against each other by or on behalf of any persons, body, authority
whatsoever and whomsoever and all duties, penalties, levies, taxes, losses, damages,
costs, charges and expenses and all other liabilities of whatsoever nature which may
become liable to pay, incur or sustain by virtue of or as a result of the performance or
non performance or observance or non observance of any of the terms and conditions
of this Agreement by XYZ.

10. INTELLECTUAL PROPERTY RIGHTS

10.1 XYZ shall take prior written approval of COMPANY NAME before using
any Trade Marks of COMPANY NAME in any of the activities undertaken
pursuant to this Agreement.

10.2 XYZ acknowledges that all intellectual property rights whether vested,
contingent or future and all other rights of whatever nature in the deliverables
or materials or in relation to the services shall constitute work made at the
instance of COMPANY NAME, i.e. ‘work made for hire’, within the
meaning of the Copyright Act, 1957 and shall solely and exclusively vest
with COMPANY NAME in perpetuity. Such deliverables and materials shall
include, without limitation, all audio visual data, films, rushes, photographs,
unmixed data, sound, music, promotional concepts, shooting scripts,
photographs, still, notes and references, produced or arising in any form
including physical or electronic form.

10.3 XYZ agrees and acknowledges that all the deliverables under this Agreement
shall be the exclusive property of COMPANY NAME, as the work is done at
the instance of COMPANY NAME for valuable consideration, in respect of
any and all countries and their territories and COMPANY NAME is and
shall be the sole and absolute owner thereof and XYZ will not sell, trade,
disclose, give or intentionally or unintentionally make available any of the
Intellectual Property to any private or public individual, or corporation or
 other entity, or any person and will take all reasonable precautions to prevent
the illegal or unauthorized use of the Intellectual Property.

10.4 COMPANY NAME shall be entitled to use all materials and deliverables
created under this Agreement in any manner whatsoever across the world
without any limitation. It is clarified that the right to use shall include,
without limitation, the right to publish, copyright, dub, distribute, edit,
excerpt, exhibit, adapt, modify, animate, use in composite or split, video
form, and in any medium including any promotional or merchandizing,
physical or electronic material or internet or for outdoor advertising.

10.5 Neither XYZ nor any of its employees, agents or independent contractors of
XYZ who have been associated with the services under this Agreement shall
have any claim to any right, title or interest in any kind or nature of
deliverables under this Agreement. If XYZ or any of its personnel or third
party is deemed to be the owner of any of the Intellectual Property, whether
registered/granted or not, under any law for the time being in force, XYZ
expressly assigns and agrees to assign or cause its personnel or such third
party to assign to COMPANY NAME or its assignee all right, title and
interest of whatsoever nature in and to all of the Intellectual Property. XYZ
will or cause its personnel or such third party to execute and deliver to
COMPANY NAME such instruments of transfer and take other such action
that COMPANY NAME may reasonably request, including, without
limitation, such assignments and other documents required to vest in
COMPANY NAME or its assignee the entire right, title and interest in and to
any of the Intellectual Property so that COMPANY NAME or its assignee is
the sole and absolute owner of the Intellectual Property in any and all
countries in which COMPANY NAME may desire such protection.
10.6 XYZ undertakes to perform at the request of COMPANY NAME all lawful
acts and execute, acknowledge, and deliver all documents/instruments
including assignments deemed necessary, useful or appropriate by
COMPANY NAME to vest in COMPANY NAME or its assignee the entire
and absolute right, title and interest in and to the Intellectual Property in any
and all countries including India and obtain and record title to the Intellectual
Property and to enable COMPANY NAME to prepare, file and prosecute
applications for and obtain copyrights and other forms of Intellectual
Property, as well as continuations, divisions, continuations-in-part, additions,
reissues, renewals, and extensions of the Intellectual Property , as
COMPANY NAME at any time deems useful or desirable to preserve such
interests in any and all countries selected by COMPANY NAME including
India, and to obtain and record title to copyrights and other forms of
Intellectual Property so that COMPANY NAME or its assignee will be the
sole and absolute owner of the Intellectual Property in any and all countries
including India in which COMPANY NAME may desire such protection.

10.7 XYZ represents that there are no impediments in assigning or transferring the
Intellectual Property to COMPANY NAME either with respect to any third
parties or in respect of any employees, agents or subcontractors engaged in
providing services to XYZ.
 10.8 All materials and deliverables provided by XYZ should be original and own
creation of XYZ or the service provider engaged by XYZ, as the case may be
XYZ nor the Service Provider engaged by XYZ shall infringe any other
Third Party’s intellectual Property rights.

10.9 The provisions of this Clause will survive the expiry or termination of this
Agreement.
11. EXCLUSIVITY

During the term of the Agreement, XYZ agrees and undertakes that without
COMPANY NAME’s prior written consent in this regard, it shall not either directly
or indirectly or through its agents or subsidiaries or affiliates or any other party,
render any or all of its services rendered by it hereunder in relation to the services to
any other company, whether or not based or having its operations in India, engaged in
the business of healthcare in India.

12. APPROVALS

1.1 XYZ shall seek written approval of all visuals, art works, copy, scripts,
media-schedules, financial estimates among others.

1.2 Both COMPANY NAME and XYZ shall communicate to each other the
names of officials authorized to sign various documents or grant approvals
under this Agreement.

1.3 XYZ shall buy advertising space on the World Wide Web on behalf of
COMPANY NAME after obtaining express written instructions from
COMPANY NAME. COMPANY NAME shall honour XYZ’s commitments
arising out of any contracts or agreements entered into by XYZ on behalf of
COMPANY NAME with COMPANY NAME’s prior express written
sanction.

1.4 COMPANY NAME shall make every effort to put instructions and approvals
in writing. Where those are conveyed verbally, XYZ is required to confirm
them in writing.

Authorized Signatories of COMPANY NAME with respect to this Agreement are

detailed in Annexure 2.

13. CONFIDENTIALITY

13.1 Both the Parties shall keep confidential all information related to each
other or the other’s affiliates including all information in written or unwritten
form and whether or not specifically designated to be confidential. Such
information may include, without limitation, information related to past,
present, and/or future business activities, processes, techniques, business
plans, formulations, products, testing, storage and other methodologies and
norms, services, trade secrets and other technical knowledge including the
product briefs, samples, designs, work-in-progress and the fact and contents
of and relating to this agreement between the Parties, whether such
information is disclosed by any party or becomes known during the term of
this Agreement.

13.2 Both parties shall not disclose or use such confidential information for
any other purpose other than the one for which it is disclosed without the
prior written consent of the other save that either party shall be entitled to
disclose the same as is required to be disclosed by a party by an order of any
court of competent jurisdiction in connection with any proceedings of any
such court or otherwise by force of law or regulation having the force of law
or the rules of any regulatory authority. Prior to such disclosure, Disclosing
Party shall intimate the Other Party at the earliest.

1.3 Each Party agrees to use all reasonable efforts to take such action as
may be appropriate to prevent the unauthorized use and disclosure of, and to
keep confidential all such Confidential Information, including:

1.3.1 Not disclosing to any third party the terms and

conditions of this Agreement or any Confidential Information

1.3.2 Safeguarding all documents against theft, damage by

unauthorized persons.

13.4 The foregoing obligations shall not apply, however, to the extent, but
only to the extent, of the Confidential Information, which:

13.4.1 Was already obtained in good faith by the recipient

Party prior to receipt thereof;

13.4.2 Was already in the public domain or become so through

no fault of the recipient Party;

13.4.3 Was acquired by the recipient Party from a third party

having the right to convey the Confidential Information to the
recipient Party without any obligations of confidentiality not to
disclose the same;

13.4.4 Is independently developed by the recipient Party; and

13.4.5 Is approved for release by prior written authorization by

COMPANY NAME of the Confidential Information;

13.5 On termination of the Agreement, the parties shall forthwith return all
the documents containing Confidential Information (received from the other
party) in its possession or in the possession of its Representatives. The
parties shall further destroy all copies of any analyses, compilations,
 excerpts, summaries, studies or other documents (including, without
limitation, information stored on computer or any other electronic medium)
prepared by it for internal use or any other purpose, that may have been
derived from or otherwise reflect Confidential Information.

14. WAIVER

Failure or waiver to exercise any right or part thereof by either party under this
Agreement in one or more instances shall not constitute a waiver of those of those
rights in another instance. Similarly, any waiver by either party of any of the rights
established herein.

15. SEVERABILITY

If any provision contained in this Agreement is determined to be invalid or

unenforceable, in whole or in part, the remaining provisions and any partially
enforceable provision will, nevertheless, be binding and enforceable, and the parties
agree to substitute the invalid provision with a valid one, which most closely
approximates the intent and the economic effect of the invalid provision.

16. RELATIONSHIP

The Parties to this Agreement have a principal-to-principal relationship with each

other. None of the provisions of the Agreement shall be deemed to constitute a
partnership, agency or any other relationship. No party shall have the authority to bind
the Other party otherwise than under this Agreement or shall be deemed to be the
agent of the other in any way.

17. AMENDMENT
Any terms, which amend or are supplementary to the terms of this Agreement, will be
valid only if made in writing and duly signed by the parties.

18. ANNEXURES

Any Annexures to the present Agreement are to be considered an integral part thereof.

19. ENTIRE AGREEMENT

This instrument contains the entire agreement between the parties and is merged
herein with all prior and collateral representations, promises, and conditions in
connection with the subject matter hereof. Any representation, promise or condition
not incorporated herein shall not be binding upon either party and this agreement
supersedes and is in lieu of all or prior or contemporaneous agreements between the
parties with respect to the subject matter hereof. Any modification of any provision of
this agreement must be in writing and signed by authorized representatives of the
parties hereto.
20. LAW AND JURISDICTION

This Agreement shall be governed by, and construed in accordance with the laws of
India. Should the parties fail to reach an amicable settlement in case of a dispute
arising out of the performance and/or interpretation of the present Agreement, the
parties submit to the exclusive jurisdiction of the competent Courts of Bangalore,
State of Karnataka, India.

21. CORPORATE GOVERNANCE

Either Party represents that no benefit, either in cash or in kind has been
provided/received by/ to any officer or employee, or any relative/associate of any
officer or employees of the other Party or of any of its associate companies, in order
to secure this Agreement and XYZ undertakes not to provide any benefit, either in
cash or in kind to any such officer/ employee/ relative/ associate as reward or
consideration either for securing this Agreement or any other matter related to this
Agreement.

22. AGREEMENT IN COUNTERPART

This agreement shall be executed in two originals for the benefit of the parties and
each copy shall be the original as against the other.

23. FORCE MAJEURE

Neither party shall be liable for any failure or delay in performance under this
agreement to the extent said failures or delays are in the nature of Acts of God
including floods, fires, earthquakes, wars, riots, acts of governments occurring
without its fault or negligence or the effects of which persist despite reasonable efforts
undertaken by the party unable to perform to mitigate the effects, and such party does
everything reasonably possible to resume its performance under this agreement.
A party affected by an event of force majeure shall give the other party written notice,
with full details as soon as possible and in any event not later than three calendar days
of the occurrence of the cause relied upon. If force majeure applies, dates by which
performance obligations are scheduled to be met will be extended for a period of time
equal to the time lost due to any delay so caused.

In the event force majeure event continues for sixty (60) days or more, the non-
affected party shall have the right to terminate the Agreement by giving a further
notice of 15 days.

24. NOTICES

All notices referred to in this Agreement shall be in writing and shall be sent by
registered post acknowledgment due to the following addresses:
Either Party may from time to time designate by written notice to the other Party a
substitute address which it desires to be used for service. Service of any notices may
also be made personally.

Notices by e-mail shall not be considered to be legal notices.

In the event that either Party changes its address it shall, prior to the date of such
change, notify the other Party in writing. Thereafter such new address shall be the
address of that Party for the purposes of this Agreement.

IN WITNESS WHEREOF, the parties have signed these presents the day and year
first hereinabove written.

For XYZ For Company name

(Authorized Signatory) (Authorized Signatory)

 ANNEXURE 1

REMUNERATION

ANNEXURE 2

AUTHORIZED SIGNATORY

Authorized Officials of XYZ

Authorized Officials of COMPANY NAME

ANNEXURE 3
SECURITY GUIDELINES FOR EXTERNALLY HOSTED COMPANY NAME
WEBSITES

Design, Development or Maintenance of Websites

(i) The Website should be designed and developed or maintained taking
security into consideration. The website design should be done considering
secure authentication, authorization, data/input validation, session
management and so on
(ii) The Website should be developed or maintained with in-built defence for
Common Web Application Vulnerabilities. XYZ may refer to OWASP
(Open Web Application Security Project) for Web Application
vulnerabilities and counter measures.
(iii) Use of insecure channels (For instance, FTP) should be avoided for
application updates. Application version updates/upgrades over the Public
Network (Internet) should be performed over secure channels (For
instance, SSL, SSH)

Website Hosting Infrastructure

(i) Website should preferably be hosted using 3 Tier Architecture i.e., the
Webserver, Application and the Database Server are hosted on physically
separate servers. The Web Server should be installed at DMZ (behind
 perimeter firewall), Application Server in Secure Zone 1 (behind 2nd
internal firewall) and the Database Server should be installed at Secure
Zone 2 (behind 2nd internal firewall). In case, 3 tier hosting is not feasible,
then at least 2 tier Architecture should be followed.
(ii) The Hosting infrastructure should have Firewall based access control in
place to allow only the permissible traffic towards ITC websites. The
firewall should block all unwanted traffic originating from Internet and
Internal Network.
(iii) Zoning should be in place to segregate External Network (Internet), DMZ
and Internal Networks through Firewalls.
(iv) The Operating System, Webserver and Database Configurations should be
hardened to reduce the exposure to vulnerabilities. Hardening refers to
securing default configurations and includes tasks such as activating
secure configuration parameters, removal of unwanted software, securing
permissions, disabling non-essential services, activating audit of security
events and so on.
(v) Security Patches should be applied for the various components of the
infrastructure software (Operating System, Webserver, Database, Other
Software). There should be a process in place to periodically check for
available patches and apply the latest security patches/hotfixes as and
when they are released by the vendors.
(vi) The Hosting infrastructure should have intrusion prevention/detection
systems deployed and round the clock proactive monitoring in place to
thwart any intrusion attempts towards the hosted websites.
(vii) Physical and Logical Access Controls should be in place to allow only
identified administrators to work on the servers where ITC Websites are
hosted. Access should be allowed on the principle of least privilege and
need to know basis to ensure only requisite access is provided based on
requirements.
Other Requirements
(i) The Websites should be hosted at ISO 27001 Certified Data Centre.