
Course: Information Security Management in e-Governance

Day 1

Session 1: Introduction to the Course


Agenda

• Welcome to the training course

• Getting to know the participants – personal introductions and objectives

• Introduction to the training course objectives

• Understanding the expectations from the participants


Welcome & Introduction

Sponsors, Facilitators and Participants

Slide 3
Expectations from the course

What are your expectations from the course?

Slide 4
Synopsis of training course

What does the training programme contain?

Slide 5
Business need for the course

Module 1:
The training course will equip the participants with a range of practices and standards in relation
to information security management for e-Governance projects to:
• Secure critical information assets of government against loss, theft etc.
• Ensure data confidentiality, integrity and non-repudiation
• Ensure availability and continuity of the IT services
• Ensure IT systems implementations are in line with the security policies and standards defined
by DIT/central/state governments…

Slide 6
Performance Objectives of the Course - Module 1
The training course performance objectives, in terms of the capabilities the participants are
expected to demonstrate in their respective departments after completing the training, include
the following:

• Support information security risk assessment and development of information security strategy, policy
and procedures for e-Governance projects

• Ensure that e-Governance solutions are implemented to address information security risks and threats

• Support the implementation of security monitoring and evaluation mechanisms to ensure compliance with
security policies and procedures
• Good practices and standards in information security

• Approach for managing information security

• Identification of information security risk categories in the organization

• Definition of broad level solutions for information security risk management

• Definition of scope of Information Systems Security Policy

• Introduction to Enterprise Applications

Slide 7
Knowledge – Skills – Attitudes (KSA) matrix for course – Module 1

Knowledge
• Information security risks and their impact on the government business
• Understand IT landscape in e-Governance and potential information security risks and
threats across various levels
• Information Security Architecture for e-Governance projects
• Approach for development and implementation of security strategy, policies and
procedures
• Policy and regulatory aspects related to information security in e-Governance

Slide 8
Knowledge – Skills – Attitudes (KSA) matrix for course – Module 1

Skills
• Define the scope of information security audit

Slide 9
Knowledge – Skills – Attitudes (KSA) matrix for course – Module 1

Attitude
• Recognize the information security risks in the business environment and their impact on the
organization
• Appreciate the need for information security and its awareness in the organization
• Provide enough emphasis on information security management within the organization
• Align organization culture to implement best practices in information security

Slide 10
A Typical day during the training…

• Five sessions per day
  • Three sessions pre-lunch
  • Two sessions post-lunch
• Each session is for approximately 60 minutes
• Each session can be a:
  • Theoretical or conceptual discussion
  • Discussion on real life examples (successful e-Governance initiatives)
  • Classroom exercise on application of concepts learned during the training
  • Presentation or discussion on the findings from the classroom exercise
  • Or can include all the above

Slide 11
Course Outline

Day 1
  Session 1: Welcome to the training course
  Session 2: Introduction to Information Security in e-Governance
  Session 3: Models and Frameworks for Information Security Management
  Session 4: Securing Business Applications
  Session 5: Securing Data and Operating Systems

Day 2
  Session 1: Securing IT Infrastructure
  Session 2: Security in end user environment
  Session 3: Physical and Environmental Security
  Session 4: Security Policies
  Session 5: Disaster Recovery Planning

Slide 12
Course Outline – contd..

Day 3
  Session 1: Information Security Audit – Concepts & Importance
  Session 2: Regulatory Framework of e-Governance
  Session 3: Introduction to ERP Applications
  Session 4: Introduction to Open Source Systems
  Session 5: Key Learnings, Feedback and training course wrap up

Slide 13
End of Session

Slide 14
Course: Information Security Management in e-Governance

Day 1

Session 2: Introduction to Information Security in e-Governance

Agenda

• Need for Information Systems Security Policy

• Elements of Information Security Policy

• Approach for development of Information Security Policy

• Information Security Organization and roles, responsibilities


What is Information?

• BS ISO 27002:2005 defines Information as:

• 'Information is an asset which, like other important business assets, has value to an organization
and consequently needs to be suitably protected'

Slide 3
What is Information?

Information can be:
• Printed or written on paper
• Stored electronically
• Transmitted by post or using electronic means
• Shown on corporate videos
• Displayed / published on web
• Verbal – spoken in conversations

'…Whatever form the information takes, or means by which it is shared or stored, it should always be
appropriately protected' (BS ISO 27002:2005)

Slide 4
Information in Governments
– Governments are moving towards e-Governance to improve convenience, reduce time,
improve transparency in delivering services to businesses and citizens

– Businesses and citizens expect high standards of services, instant access to information,
efficient transactions and support, whenever and wherever they need it, but in a secure
fashion.

– The two major components of the approach are the information delivery and service
delivery.

– In the first component, various web-based information services of different granularity are
provided by the Governments.

– On the other hand, in the second component, the citizen is given access to the
Government business related IT systems to provide transaction services (e.g. tax
payments, filing of forms, issuing certificates etc.)

Slide 5
Information in Governments
– These two types of components bring the issues of information and systems security such
as architecture, standards and technology to the forefront.

– Another fundamental element of the problem is the unprecedented gap between the pace
of technological change and the inevitably glacial pace of policy and law making.

– Any good system of governance should be resilient to fraud, inadvertent viruses, a variety of
motivated cyber crimes through unauthorised access, and even nation-sponsored cyber war, as well as
to disaster and warfare scenarios.

– In a networked society these kinds of threats have a potential to cripple a Government.

Slide 6
Information in Governments
– Models of e-Governance: From the developmental perspective, e-Governance can
be defined as the application of electronic means (in particular ICT) in:

(1) the interaction between Government and citizens and between Government and
businesses, as well as in

(2) internal Government operations, to simplify and improve the democratic,
Government and business aspects of Governance

Slide 7
Some of the kinds of Information exchanged in Governments

Information types:
• Public Information
• Personalized Information
• Critical Information
• Business Information
• Comparative Data
• Feedback and Opinions

Based on these classes of information, their sources and frequency of update and exchange,
various models of e-Governance projects have evolved.

Slide 8
Information assets in Governments
• Information can be found in various places such as:
  • End user environment – systems, documents etc.
  • Servers – application (web, in-house developed, mail etc.), database
server, backup servers, domain servers and many more
  • Network – wireless networks, local area network, internet etc.
  • Other devices such as laptops, pocket devices, smart cards, smart
phones, tablet PCs etc.

Slide 9
Technology Base for e-Governance
– Communication Network: The Data and Voice Network owned by the
Government or private players.

– e-Government System Interface: Point of admission to the Government
System.

– Backend Systems: Database and Business layers of the Information
Infrastructure

Slide 10
Facets of Information assets

• End user level – Information available at the end user level, which could be trusted, partly
trusted, un-trusted, third party etc. (diagram: Trusted, Partly Trusted, Untrusted, Third-Party
Application, Internet)
• Service Layer – Information is available at the applications, databases etc. level (diagram: Web Tier,
Application, Databases, Service Delivery Platform)
• Network Layer – Information resides at the network level, which encompasses the entire business
functions of the Governments (diagram: Common Framework, Backbone Network)
• Service Delivery platforms hold a huge asset in terms of government data
Securing the information assets
• Security of information & information assets is becoming a major area of concern

• With every new application, newer vulnerabilities crop up, posing immense
challenges to those who are mandated to protect the IT assets

• e-Government security requirements can be studied by examining the overall
process, beginning with the citizens' end and ending with the e-Gov server

• The assets that must be protected to ensure secure e-Gov include client
computers, the messages traveling on the communication channel, and the Web
and e-Gov servers – including any hardware attached to the servers

Slide 12
Need for Information security in
Governments
• In the current climate of elevated risk created by the vulnerabilities of and threats
to the Nation's IT infrastructure, cyber security is not just a paperwork drill.

• Adversaries are capable of launching harmful attacks on IT systems, networks, and
information assets.

• Enterprise concerns have been heightened by increasingly sophisticated hacker
attacks and identity thefts, warnings of cyber terrorism, and the pervasiveness of
IT uses.

• Many in the industry and critical infrastructure organizations have come to
recognize that their continued ability to gain citizens' confidence will depend on
improved software development, systems engineering practices and the adoption
of strengthened security models and best practices.

Slide 13
Need for Information security in
Governments (contd..)
• Governments amass a great deal of confidential information about their
employees, customers, products, research, and financial status.

• Most of this information is now collected, processed and stored on
electronic computers and transmitted across networks to other
computers.

• A breach of security could lead to lost opportunities, defamation, loss of
goodwill, repudiation loss, financial loss, transactional loss, loss of
citizens' confidence and many others

Slide 14
Need for Information security in
Governments (contd..)
• Examples include:
  • A defacement / hacking of a public website can cause loss of
reputation
  • Vital data, i.e. databases, can be lost if unauthorized entry is not
checked properly
  • An e-procurement website stops functioning all of a sudden
  • A disaster strikes and the processes come to a standstill
  • Repudiation loss: one party to a transaction denies having received it,
or the other party denies having sent it
• Protecting confidential information is a business requirement, and in
many cases also an ethical and legal requirement!

Slide 15
Understanding Security Measures
• Data Center Security
• Use Firewalls
• Web-site Security
• Anti-virus tools
• Anti-phishing tools
• Physical Office Security
• Restricted Accessibility
• Regular checks & reviews
• Secured Working Processes
• Planning long-term solutions
• Process-Cycle to be followed (PDCA Cycle – Plan, Do, Check & Act Cycle)

Slide 16
Categorization of Information Systems

• Categorize Information based on
  • Hardware
  • Software
  • Data
  • Documentation
  • Personnel
  • Procedures
  • Models etc.

Slide 17
Challenges & Issues - Security
• Data & Application security
• PPP models (service delivery model)
• Lack of internal technical capacities
  – Loopholes in the applications and databases
  – Knowledge transfer
  – Exit management
• Complex e-Governance Projects
  – High performance & response time
  – High security desired on operations but not a top priority to start
with
• Multiple Legacy Environments
• Security framework
• Implementation of Security Standards
• Implementation of suitable access controls and authorization
• Preparation of RFPs which capture all the security requirements

Slide 18
Points of concern in Governments
• Letting vendors define “good security”
• Underestimating the required security expertise
• Assigning untrained people to maintain security
• Relying primarily on a firewall.
• Thinking first of budget concerns, neglecting the value of their information
and organizational reputations.
• Authorizing reactive, short-term fixes so problems re-emerge rapidly.

Slide 19
Top Security Myths

Myth: Hackers cause most security breaches.
In fact, 80% of data loss is caused by insiders.

Myth: Encryption makes your data secure.
In fact, encryption is only one approach to securing data. Security also requires access control, data
integrity, system availability, and auditing.

Myth: Firewalls make your data secure.
In fact, 40% of Internet break-ins occur in spite of a firewall being in place!
Defining the risks, threats and vulnerabilities
– Risk: A possibility that a threat exploits a vulnerability in an asset and
causes damage or loss to the asset

– Threat: Something that can potentially cause damage to the
organization, IT Systems or network.

– Vulnerability: A weakness in the organization, IT Systems, or network
that can be exploited by a threat

Slide 21
Threats

– External Parties

– Low awareness of security issues

– Employees

– Growth in networking and distributed computing

– Growth in complexity and effectiveness of hacking tools and viruses

– Natural Disasters e.g. fire, flood, earthquake

Slide 22
Generic Threat Profile

Critical Information Assets are exposed to the following threat outcomes:

Source    Nature       Outcome
Inside    Accidental   Disclosure, Modification, Loss/Destruction, Interruption
Inside    Deliberate   Disclosure, Modification, Loss/Destruction, Interruption
Outside   Accidental   Disclosure, Modification, Loss/Destruction, Interruption
Outside   Deliberate   Disclosure, Modification, Loss/Destruction, Interruption

Slide 23
Information Security Threats and
Vulnerabilities
• Client Threats: Until the introduction of executable Web content, Web pages were
mainly static. Coded in Hyper Text Markup Language (HTML), static pages could do
little more than display content and provide links to related pages with additional
information.
• Widespread use of active content has changed this perception.

• Active Content: Active Contents like Java applets, ActiveX controls, JavaScript, and
VBScript refer to programmes that are embedded transparently in Web pages and
that cause action to occur.
• Embedding active content to Web pages involved in e-Governance introduces
several security risks.
• Malicious active content delivered by means of cookies can reveal the content
of client-side files or even destroy files stored on client computers.

Slide 24
Information Security Threats and
Vulnerabilities
• Malicious Codes: Computer viruses, worms and Trojan Horses are examples of malicious
code. People are aware but may not be prepared to deal with such adversaries.

• Server-side Masquerading: Masquerading lures a victim into believing that the entity with
which it is communicating is a different entity.
• For example, if a user tries to log into a computer across the Internet but instead reaches
another computer that claims to be the desired one, the user has been spoofed.

• Communication Channel Threats: The Internet serves as the electronic chain linking a
consumer (client) to the e-Gov server.
• Messages on the Internet travel randomly from a source node to a destination node.
• Impossible to guarantee that every computer on the Internet through which messages
pass is safe, secure, and non-hostile.

Slide 25
Information Security Threats and
Vulnerabilities
• Confidentiality Threats: Confidentiality is the prevention of unauthorised
information disclosure. Use of the Internet definitely poses confidentiality threats to
the messages sent.

• Availability Threats: The purpose of availability threats, also known as delay or
denial of service threats, is to disrupt normal computer processing or to deny
processing entirely. Slowing any Internet service will deter citizens from using
e-Gov services.

• Server Threats: The server is the third link in the client-Internet-server trio
embodying the e-Gov path between the citizens and the Government. Servers
have vulnerabilities that can be exploited by anyone determined to cause
destruction or to illegally acquire information.

Slide 26
Information Security Threats and
Vulnerabilities
• Web Server Threats: Web server software is not inherently high-risk; it has been designed
with Web service and convenience as the main design goals. The more complex the software
is, the higher the probability that it contains coding errors (bugs) and security holes.

• e-Gov Server Threats: The e-Gov server, along with the Web server, responds to requests
from Web browsers through the HTTP protocol and Common Gateway Interface (CGI) scripts.
Several pieces of software comprise the e-Gov server software suite. Each of these software
components can have security holes and bugs.

• Database Threats: Besides Government information, databases connected to the Web
contain critical and private information that could irreparably damage an enterprise or citizen
if it were disclosed or altered.
• Some databases store user name/password pairs in a non-secure way.
• If someone obtains user authentication information, then he or she can masquerade as a
legitimate database user and reveal private and costly information.

Slide 27
Information Security Threats and
Vulnerabilities
• Common Gateway Interface Threats: A Common Gateway Interface (CGI) implements the
transfer of information from a Web server to another programme, such as a database
programme. Because CGIs are programmes, they present a security threat if misused.

• Password Hacking: The simplest attack against a password-based system is to guess
passwords.
• Guessing passwords requires that access to the complement, the complementation
functions, and the authentication functions be obtained.
• If none of these have changed by the time the password is guessed, then the attacker
can use the password to access the system.

Slide 28
Threat Sources

Source                     Motivation                      Threat
External Hackers           Challenge, Ego, Game Playing    System hacking
Internal Hackers           Deadline, Financial problems    Backdoors, Fraud, Poor documentation
External Agents            Revenge, Political              System attacks, Letter bombs, Viruses,
                                                           Denial of service
Poorly trained employees   Unintentional errors,           Corruption of data, Malicious code
                           Programming errors,             introduction, System bugs,
                           Data entry errors               Unauthorized access
Slide 29
Threat Sources
Categories of Threat                                     Example

Human Errors or failures                                 Accidents, Employee mistakes

Compromise to Intellectual Property                      Piracy, Copyright infringements

Deliberate Acts of espionage or trespass                 Unauthorized Access and/or data collection

Deliberate Acts of Information extortion                 Blackmail of information exposure / disclosure

Deliberate Acts of sabotage / vandalism                  Destruction of systems / information

Deliberate Acts of theft                                 Illegal confiscation of equipment or information

Deliberate software attacks                              Viruses, worms, macros, Denial of service

Deviations in quality of service from service provider   Power and WAN issues

Forces of nature                                         Fire, flood, earthquake, lightning

Technical hardware failures or errors                    Equipment failures / errors

Technical software failures or errors                    Bugs, code problems, unknown loopholes

Technological Obsolescence                               Antiquated or outdated technologies

Slide 30
Threat Sources

• High user knowledge of IT systems
• Theft, sabotage, misuse
• Virus attacks
• Systems & network failure
• Lack of documentation
• Lack of security
• Natural calamities & fire

Slide 31
Relationships between assets, risks, threats, vulnerabilities

Threat Agents → give rise to → Threats
Threats → exploit → Vulnerabilities
Vulnerabilities → lead to → Risks
Risks → can damage → Assets
Assets → and cause an → Exposure
Exposure → can be countered by → Safeguards

Slide 32
Information Security
• Information security means protecting information and information
systems from unauthorized access, use, disclosure, disruption, modification or
destruction.

• Information security enables an organization to meet its business objectives by
implementing business systems with due consideration of information
technology (IT)-related risks to the organization, business and trading partners,
technology service providers, and most importantly CITIZENS.

• The terms information security, computer security and information
assurance are frequently, and incorrectly, used interchangeably.

• These fields are often interrelated and share the common goals of protecting the
confidentiality, integrity, availability, accountability and assurance of information.

Slide 33
IT Security

• IT Security means eliminating the disruption of business operations and reducing
the exposure to various attacks.

• IT Security deals with several different “trust aspects” of information.

• Information security involves an architecture in which an integrated combination
of appliances, systems and solutions, software, surveillance, and vulnerability
scans work together.

• IT Security is not just confined to computer systems; it applies to all aspects of
protecting information or data, in whatever form, i.e. physical, people etc.

• Security is achieved using several strategies simultaneously or in
combination with one another

Slide 34
Security objectives
Organizations meet this goal by striving to accomplish the following objectives:

• Availability—The ongoing availability of systems addresses the processes, policies,
and controls used to ensure authorized users have prompt access to information. This
objective protects against intentional or accidental attempts to deny legitimate users
access to information or systems.

• Integrity of Data or Systems—System and data integrity relate to the processes,
policies, and controls used to ensure information has not been altered in an
unauthorized manner and that systems are free from unauthorized manipulation that
would compromise accuracy, completeness, and reliability.

• Confidentiality of Data or Systems—Confidentiality covers the processes, policies,
and controls employed to protect information of customers and the institution against
unauthorized access or use.

Security objectives (contd..)

• Accountability—Clear accountability involves the processes, policies, and
controls necessary to trace actions to their source. Accountability directly
supports non-repudiation, deterrence, intrusion prevention, security
monitoring, recovery, and legal admissibility of records.

• Assurance—Assurance addresses the processes, policies, and controls used to
develop confidence that technical and operational security measures work as
intended.

Slide 36
Information Security focus
• Protection of information assets
• Protection of computer systems
• Protection of data networks
• Protection of databases & applications
• Protection of end user environments
• Physical and environmental protection
• Security measures in third party outsourcing
• Logical access control
• Disaster recovery planning
• Security audit
• Public Key Infrastructure
• Legal frameworks and various initiatives by GoI
Elements of Information Security

• People – the organization's staff
• Process – our business processes
• Technology – the technology which our business uses
Slide 38
Elements of Security – People & Processes

People (who use or interact with the Information):
• Management
• Employees
• Business Partners
• Service providers
• Contractors
• Citizens
• Regulators etc.

Processes (refer to "work practices" or workflow):
• Helpdesk / Service management
• Incident Reporting and Management
• Change Requests process
• Request fulfillment
• Access management
• Identity management
• Service Level / Third-party Services Management
• IT procurement process etc.

Slide 39
Technology “what we use to improve what we do”
Network Infrastructure
• Cabling, Data/Voice Networks and equipment
• Telecommunications services (PABX), including VoIP
services, ISDN, Video Conferencing
• Server computers and associated storage devices
• Operating software for server computers
• Communications equipment and related hardware.
• Intranet and Internet connections
• VPNs and Virtual environments
• Remote access services
• Wireless connectivity

Application software
• Finance and assets systems, including Accounting
packages, Inventory management, HR systems,
Assessment and reporting systems
• Software as a service - instead of software as a
packaged or custom-made product.

Slide 40
Technology “what we use to improve what we do”
Physical Security components
• CCTV Cameras
• Clock in systems / Biometrics
• Environmental management Systems: Humidity
Control, Ventilation , Air Conditioning, Fire Control
systems
• Electricity / Power backup

Access devices
• Desktop computers
• Laptops, ultra-mobile laptops and PDAs
• Thin client computing.
• Printers, Scanners, Photocopier etc.

Slide 41
Information Security Management

Information Security: Confidentiality, Integrity, Availability, Authenticity, Assurance

• People – Security Policy, Regulatory Compliance, User Awareness Program
• Process – Access Control, Security Audit, Incident Response
• Technology – Encryption, PKI; Firewall, IPS/IDS; Antivirus

Security Audit

Slide 42
A Structured Approach to
Security Design
• For security to be effective it must be designed as a whole and applied consistently
across an organization and its IT infrastructure.

• The steps to design the security of a system are to model the system, identify the
security properties to be preserved, model the adversary, and then ensure that the
security properties are preserved under attacks.

• Detailed modeling of the system and identification of the required security
properties are possible.

• But it is almost impossible to accurately model the adversaries and the vulnerabilities
of the system exploited by those adversaries.

• The result is that there is no such thing as absolute security.


Security Engineering Life Cycle

Security Requirement → Security Policy → Security Infrastructure Specification →
Security Infrastructure Implementation → Security Testing → Requirement Validation
Slide 44
Security Engineering Life Cycle
• Security Requirement Specification and Risk Analysis
  • The first phase in the Security Engineering Life Cycle collects information regarding the assets
of the organisation that need to be protected, the threat perception on those assets,
associated access control policies, existing operational infrastructure, connectivity
aspects, services required to access the assets and the access control mechanism for the
services.

• Security Policy Specification
  • This phase takes the Security Requirement Specification and Risk Analysis Report as input and
generates a set of e-Gov security policies.
  • The policy statements are high-level, rule-based and generic in nature and thereby do
not provide any insight into system implementation or equipment configuration.

Slide 45
Security Engineering Life Cycle
• Security Infrastructure Specification
• This phase analyses the Security Requirement Specification and the Security
Policy Specification to generate a list of security tools that are needed to
protect the assets.
• It also provides views on the location and purpose of the security tools.

• Security Infrastructure Implementation


• The organisation, in this phase, procures, deploys, and configures the
selected security infrastructure at the system level.

Slide 46
Security Engineering Life Cycle
• Security Testing
• In this phase, several tests are carried out to test the effectiveness of the security
infrastructure, functionality of the access control mechanism, specified operational
context, existence of known vulnerabilities in the infrastructure etc.

• Requirement Validation
  • This phase analyses the extent to which the security requirements of the
e-Governance organisation are fulfilled by the corresponding security policy and
the implemented security infrastructure.
  • Changes in the service goal, operational environment, and technological
advancement may lead to a fresh set of security requirements, thereby
triggering a new cycle of the Security Engineering Life Cycle.

Slide 47
e-Governance Security Assurance Framework (eSAFE)

Categorization of Information Systems → Baseline Control Selection → Risk Assessment →
Refinement of Controls → Implementation of Controls → Monitoring Effectiveness of Controls

Slide 48
Baseline Control Selection

Master Catalog of Security Controls: complete set of security controls and control enhancements

• Low Baseline Controls – Selection of a subset of security controls from the master catalog,
consisting of basic level controls
• Medium Baseline Controls – Builds on Low Baseline with additional controls, and control
enhancements selected from the master catalog
• High Baseline Controls – Builds on Medium Baseline with additional controls, and control
enhancements selected from the master catalog
Slide 49
Risk Assessment
• Identify risks based on
• Asset value
• Impacts
• Threats
• Vulnerabilities
• Asset loss exposure

Slide 50
Refinement & implementation of
controls
• Determine desirable and mandatory controls
• Evaluate existing and mandatory controls
• Determine the refinements needed in the
controls
• Implement controls

Slide 51
Monitoring Effectiveness of Controls

• Monitor the controls in place
• Encourage testing
• Have security audit
• Move towards complying with information
security standards
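As an added illustration of the eSAFE steps on Slides 48 to 51 (example code, not part of the course material or of eSAFE itself), the following Python models cumulative Low/Medium/High baselines drawn from a master catalog, tailors them with risk-assessment findings, runs a gap analysis against the controls actually implemented, and flags controls whose audit evidence is stale. The catalog, the CTL-xx identifiers, the "mandatory"/"desirable" finding labels and the review window are constructed placeholders.

```python
"""eSAFE-style baseline selection, refinement, gap analysis and monitoring.

Constructed example: the control catalogue, the CTL-xx identifiers and the
tier structure below are illustrative placeholders, not eSAFE's own.
"""
from dataclasses import dataclass
from datetime import date, timedelta

TIERS = ("low", "medium", "high")  # ordered baselines; each builds on the previous


@dataclass(frozen=True)
class Control:
    cid: str
    title: str
    min_tier: str             # lowest baseline that requires this control
    enhancements: tuple = ()  # (enhancement id, lowest tier requiring it)


# Constructed master catalogue (placeholder identifiers, not eSAFE's).
MASTER_CATALOG = (
    Control("CTL-01", "Access control policy", "low"),
    Control("CTL-02", "Unique user identification", "low",
            (("CTL-02(1)", "medium"), ("CTL-02(2)", "high"))),
    Control("CTL-03", "Audit log generation", "low", (("CTL-03(1)", "medium"),)),
    Control("CTL-04", "Encryption of data in transit", "medium"),
    Control("CTL-05", "Multi-factor authentication", "high"),
    Control("CTL-06", "Continuous security monitoring", "high"),
)


def tier_rank(tier):
    """Position of a baseline in the low < medium < high ordering."""
    if tier not in TIERS:
        raise ValueError(f"unknown baseline: {tier!r}")
    return TIERS.index(tier)


def baseline_controls(tier):
    """Controls and enhancements a baseline requires.

    Baselines are cumulative, so a higher tier always contains every item
    selected for the tiers below it.
    """
    rank = tier_rank(tier)
    selected = set()
    for ctl in MASTER_CATALOG:
        if tier_rank(ctl.min_tier) <= rank:
            selected.add(ctl.cid)
            selected.update(eid for eid, etier in ctl.enhancements
                            if tier_rank(etier) <= rank)
    return selected


def refine_controls(baseline, risk_findings):
    """Tailor the baseline with the risk assessment's output.

    risk_findings maps a control id to "mandatory" or "desirable". Mandatory
    additions join the required set; desirable ones not already required are
    returned separately for a management decision.
    """
    required = set(baseline)
    desirable = set()
    for cid, status in risk_findings.items():
        if status == "mandatory":
            required.add(cid)
        elif status == "desirable":
            if cid not in required:
                desirable.add(cid)
        else:
            raise ValueError(f"unknown finding status for {cid}: {status!r}")
    return required, desirable


def gap_analysis(required, implemented):
    """Compare the required control set with what is actually in place."""
    required, implemented = set(required), set(implemented)
    in_place = required & implemented
    return {
        "missing": sorted(required - implemented),       # refinements still needed
        "in_place": sorted(in_place),
        "not_required": sorted(implemented - required),  # candidates for review
        "coverage": round(len(in_place) / len(required), 2) if required else 1.0,
    }


def overdue_for_review(last_reviewed, today, max_age_days=365):
    """Monitoring step: controls whose latest audit/test evidence is too old."""
    cutoff = today - timedelta(days=max_age_days)
    return sorted(cid for cid, seen in last_reviewed.items() if seen < cutoff)


if __name__ == "__main__":
    # Constructed scenario: a system categorised as "medium" with extra risk findings.
    required, desirable = refine_controls(
        baseline_controls("medium"),
        {"CTL-05": "mandatory", "CTL-06": "desirable", "CTL-04": "desirable"})
    print("required:", sorted(required))
    print("desirable:", sorted(desirable))
    print(gap_analysis(required, {"CTL-01", "CTL-02", "CTL-03", "CTL-03(1)", "CTL-05", "CTL-09"}))
    print("overdue:", overdue_for_review(
        {"CTL-01": date(2023, 1, 10), "CTL-02": date(2024, 3, 1)}, date(2024, 6, 1)))
```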

Slide 52
References
• www.mit.gov.in
• www.egovonline.net

Slide 53
Course: Information Security Management in e-Governance

Day 1

Session 3: Models and Frameworks for Information Security Management

Agenda

• Introduction to Enterprise Security framework

• Overview of security models, frameworks & standards

• Salient features of ISO 27001 security standards


What is Information Security

ISO 27001:2005 defines this as:

• Confidentiality: the property that information is not made available or
disclosed to unauthorized individuals, entities (programs), or processes
(superseding processes)

• Integrity: the property of safeguarding the accuracy and completeness
of assets.

• Availability: the property of being accessible and usable upon demand
by an authorized entity.

Slide 3
Who Should be Concerned?

• Users – standards will affect them the most.

• System Support Personnel – they will be required to implement, adapt
and support the standards.

• Executive Management – concerned about protection of data and the
associated cost of the policy / standards.

Slide 4
Role of Standards

• Manage Information Security
• Identify assets and appropriately protect them
• Reduce the risks of human error, theft, fraud or misuse of facilities
• Prevent unauthorized access, damage and interference to business
• Ensure the correct and secure operation of information processing facilities
• Control Access to Information
• Ensure security is built into information systems
• Counteract interruptions to business activities
• Avoid breaches of any criminal and civil law, statutory, regulatory or
contractual obligations

Slide 5
Why Best Practices are Important!

• Today, the effective use of best practices can help avoid re-inventing
wheels, optimize the use of scarce IT resources and reduce the
occurrence of major IT risks, such as:
 Project failures
 Wasted investments
 Security breaches
 System crashes
 Failures by service providers to understand and meet customer
requirements

Slide 6
Why Best Practices are Important!
COBIT, ITIL and ISO 27000 are valuable to the ongoing growth and success of an
organization because:
– Companies are demanding better returns from IT investments
– Best practices help meet regulatory requirements for IT controls
– Organizations face increasingly complex IT-related risks
– Organizations can optimize costs by standardizing controls
– Best practices help organizations assess how IT is performing
– Management of IT is critical to the success of enterprise strategy
– They help enable effective governance of IT activities
– A management framework helps staff understand what to do (policy, internal
controls and defined practices)
– They can provide efficiency gains, less reliance on experts, fewer errors,
increased trust from business partners and respect from regulators

Slide 7
Benefits

• Productivity: Audit/Review Savings

• Breaking Barriers -Business Relationships

• Self-Analysis

• Security Awareness

• Targeting Of Security

• 'Baseline' Security and Policy

• Consistency

• Communication

Slide 8
After adopting Standards

• Moved towards international best practice
• Manage the breadth and depth of information risk
• Build confidence in third parties
• Reduce the likelihood of disruption from major incidents
• Fight the growing threats of cybercrime
• Comply with legal and regulatory requirements
• Maintain business integrity
• Citizens' Confidence – Most Important

Slide 9
Approach in Implementing Standards

• Support from Top Management
• Risk management - Accept, Mitigate, Transfer
• Well developed Security Policy
• Effective Implementation of policy
• User awareness is most important
• Prevention is better than cure
• Periodic review / audit
• Understand fundamental system functionality
• Identify security issues due to gaps

Slide 10
Figure: Integrated IS Framework, bringing together ITIL / ISO 20000 (Service Management), ISO 27K (Information Security), PMI (Project Management), COBIT, IT Operations, Application Delivery (CMM) and Business Continuity (BS 25999).

Slide 11
Some of the Standards - Overview

Figure: standards surrounding the Organization:
• Environment (ISO 14001)
• Business Continuity (BS 25999)
• Quality (ISO 9001:2000, QS 9000)
• Improvement (ISO 9004)
• Governance (COBIT)
• Customers (BS 8600)
• Information Security (ISO 27001, 27002)

Slide 12
ISO 27000

Slide 13
History of ISO - Timeline

• 1992
The Department of Trade and Industry (DTI), which is part of the UK Government, publishes a 'Code of Practice for Information Security Management'.

• 1995
This document is amended and re-published by the British Standards Institute (BSI) in 1995 as BS7799.

• 1996
Support and compliance tools begin to emerge, such as COBRA.

• 1999
The first major revision of BS7799 is published. This includes many major enhancements. Accreditation and certification schemes are launched. LRQA and BSI are the first certification bodies.

Slide 14
History of ISO – The Timeline

• 2000
In December, BS7799 is again re-published, this time as a fast tracked ISO
standard. It becomes ISO 17799 (or more formally, ISO/IEC 17799).
• 2001
The 'ISO 17799 Toolkit' is launched.
• 2002
A second part to the standard is published: BS7799-2. This is an Information
Security Management Specification, rather than a code of practice. It begins the
process of alignment with other management standards such as ISO 9000.
• 2005
A new version of ISO 17799 is published. This includes two new sections, and closer alignment with BS7799-2 processes.
• 2005
ISO 27001 is published, replacing BS7799-2, which is withdrawn. This is a specification for an ISMS (information security management system), which aligns with ISO 17799 and is compatible with ISO 9001 and ISO 14001.
Slide 15
Where did 17799 come from?
• BS7799 was conceived as a technology-neutral, vendor-neutral management system that, properly implemented, would enable an organization's management to assure itself that its information security measures and arrangements were effective.

• From the outset, BS7799 focused on protecting the availability, confidentiality and integrity of organizational information and these remain, today, the driving objectives of the standard.

• BS7799 was originally just a single standard, and had the status of a “Code of Practice”.

• In other words, it provided guidance for organizations, but hadn't been written as a specification that could form the basis of an external third party verification and certification scheme.

Slide 16
Overview – ISO 27000 (base standard)
Published standards
ISO/IEC 27001 - the certification standard against which organizations' ISMS may be
certified (published in 2005)
ISO/IEC 27002 - the re-naming of existing standard ISO 17799 (last revised in 2005,
and renumbered ISO/IEC 27002:2005 in July 2007)
ISO/IEC 27006 - a guide to the certification/registration process (published in 2007)

In preparation
ISO/IEC 27000 - a standard vocabulary for the ISMS standards
ISO/IEC 27003 - a new ISMS implementation guide
ISO/IEC 27004 - a new standard for information security management measurements
ISO/IEC 27005 - a proposed standard for risk management
ISO/IEC 27007 - a guideline for auditing information security management systems
ISO/IEC 27011 - a guideline for telecommunications in information security
management system
ISO/IEC 27799 - guidance on implementing ISO/IEC 27002 in the healthcare industry

Slide 17
Well known ISO standards in the 27xxx series

• ISO 27001: the specification for an information security management system; replaces the old BS7799-2
• ISO 27002: the new standard number of the existing ISO 17799 standard
• ISO 27004: designated number for a new standard covering information security management measurement & metrics
• ISO 27005: emerging standard for information security risk management

Slide 18
Where does ISO 27001 / 27002 fit in?

Slide 19
Implementation context for PDCA

ISO 27001 Information Security Management System (ISMS) adopts the PDCA
model
• Plan (Design Phase)
Establish the objectives and processes necessary to deliver results in accordance with the
specifications.
• Do (Implementation Phase)
Implement the processes.
• Check AKA Study (Assessment Phase)
Monitor and evaluate the processes and results against objectives and specifications and report the outcome.
• Act (Manage, Authorize Phase)
Apply actions to the outcome for necessary improvement. This means reviewing all steps
(Plan, Do, Check, Act) and modifying the process to improve it before its next implementation.

Slide 20
PDCA Process

Figure: the ISMS process under Management Responsibility. Interested Parties bring their Information Security Requirements & Expectations into the cycle PLAN (Establish ISMS) → DO (Implement & Operate the ISMS) → CHECK (Monitor & Review ISMS) → ACT (Maintain & Improve); the output delivered back to the Interested Parties is Managed Information Security.
Slide 21
BS ISO/IEC 27002:2005 (aka – ISO 27002)

The international Standard that establishes the guidelines and general principles for initiating,
implementing, maintaining, and improving information security management in an organization.

The full title of this standard is: “Information technology. Security techniques. Code of
practice for information security management”

ISO 27002 is technology independent, focusing on:
• Management aspects of information security,
• Defining controls in a generic sense so that they are applicable across different applications, platforms, and technologies.

Slide 22
Structure and Format of ISO 27002

ISO/IEC 27002 is:
• A code of practice - a generic, advisory document, not truly a standard or formal specification
• A reasonably well structured set of suggested controls to address information security risks, covering confidentiality, integrity and availability aspects

ISO 27002 specifies 39 control objectives:
• To protect information assets against threats to their confidentiality, integrity and availability
• Which comprise a generic functional requirements specification for an organization’s information security management controls architecture
• And suggests literally hundreds of best-practice information security control measures

Slide 23
Structure and Format of ISO 27002

The formal standard is arranged in the following sections:

0. Introduction
1. Scope
2. Terms and definitions
3. Structure of this standard
4. Risk assessment

The actual control domains and detail controls begin with Section 5.

Section 5: Security policy

Management should:
• Define a policy to clarify their direction of, and support for, information security,
• Provide a high-level information security policy statement identifying key information security
directives and mandates for the entire organization
• Support the policy by a comprehensive suite of more detailed corporate information security
policies, typically in the form of an information security policy manual. The policy manual in
turn is supported by a set of information security standards, procedures and guidelines
Structure and Format of ISO 27002
Section 6: Organization of information security
A suitable information security governance structure should be designed and implemented.

6.1 Internal organization
• The organization should have a management framework for information security.
• Senior management should approve information security policies.
• Roles and responsibilities should be defined.
• Information security should be independently reviewed.
6.2 External parties
Information security should not be compromised by the introduction of third party products or services. Risks should be assessed and mitigated when dealing with customers and in third party agreements.

Slide 25
Structure and Format of ISO 27002

Section 7: Asset management

The organization should be in a position to understand what information assets it holds, and to manage their security appropriately.
7.1 Responsibility for assets
All [information] assets should be accounted for and have a nominated owner. The inventory should record ownership and location of the assets, and owners should identify acceptable uses.
An inventory of information assets should be maintained, including:
• IT hardware
• software
• data and ICT services
• system documentation
• storage media
• computer room air conditioners and UPSs
7.2 Information classification
Information should be classified according to its need for security protection and labeled
accordingly.
Slide 26
Structure and Format of ISO 27002

Section 8: Human resources security

The organization should manage system access rights etc. for ‘joiners, movers and leavers’, and should undertake suitable security awareness, training and educational activities.

8.1 Prior to employment
Security responsibilities should be taken into account when recruiting permanent employees, contractors and temporary staff.
8.2 During employment
Management responsibilities regarding information security should be defined. Employees and third party IT users should be educated and trained in security procedures. A formal disciplinary process is necessary to handle security breaches.
8.3 Termination or change of employment
Security aspects of a person’s exit from the organization (e.g. the return of corporate assets and removal of access rights) or change of responsibilities.

Slide 27
Structure and Format of ISO 27002

Section 9: Physical and environmental security

Valuable IT equipment should be physically protected against malicious or accidental damage or loss, overheating, loss of mains power etc.

9.1 Secure areas
This section describes the need for concentric layers of physical controls to protect sensitive IT facilities from unauthorized access.
9.2 Equipment security
Critical IT equipment, cabling and so on should be protected against physical damage, fire, flood, theft etc., both on- and off-site. Power supplies and cabling should be secured. IT equipment should be maintained properly and disposed of securely.

Slide 28
Structure and Format of ISO 27002

Section 10: Communications and operations management

This lengthy, detailed section of the standard describes security controls for systems and network management.

10.1 Operational procedures and responsibilities
10.2 Third party service delivery management
10.3 System planning and acceptance
10.4 Protection against malicious and mobile code
10.5 Back-up
10.6 Network security management
10.7 Media handling
10.8 Exchange of information
10.9 Electronic commerce services
10.10 Monitoring

Slide 29
Structure and Format of ISO 27002

Section 11: Access control

Logical access to IT systems, networks and data must be suitably controlled to prevent unauthorized use. This is another lengthy and detailed section.

11.1 Business requirement for access control
11.2 User access management
11.3 User responsibilities
11.4 Network access control
11.5 Operating system access control
11.6 Application and information access control
11.7 Mobile computing and teleworking

Slide 30
Structure and Format of ISO 27002

Section 12: Information systems acquisition, development and maintenance

Information security must be taken into account in the Systems Development Lifecycle (SDLC) processes for specifying, building/acquiring, testing, implementing and maintaining IT systems.

12.1 Security requirements of information systems
12.2 Correct processing in application systems
12.3 Cryptographic controls
12.4 Security of system files
12.5 Security in development and support processes
12.6 Technical vulnerability management

Slide 31
Structure and Format of ISO 27002

Section 13: Information security incident management

Information security events, incidents and weaknesses (including near-misses) should be promptly reported and properly managed.

13.1 Reporting information security events and weaknesses
An incident reporting/alarm procedure is required, plus the associated response and escalation procedures. There should be a central point of contact, and all employees, contractors etc. should be informed of their incident reporting responsibilities.
13.2 Management of information security incidents and improvements
Responsibilities and procedures are required to manage incidents consistently and effectively, to implement continuous improvement (learning the lessons), and to collect forensic evidence.

Slide 32
Structure and Format of ISO 27002

Section 14: Business continuity management

This section describes the relationship between IT disaster recovery planning, business continuity management and contingency planning, ranging from analysis and documentation through to regular exercising/testing of the plans. These controls are designed to minimize the impact of security incidents that happen despite the preventive controls noted elsewhere in the standard.

Section 15: Compliance

15.1 Compliance with legal requirements
15.2 Compliance with security policies and standards, and technical compliance
15.3 Information systems audit considerations

Slide 33
Implementation process cycle

Figure: the PDCA cycle (PLAN: Establish ISMS → DO: Implement & Operate the ISMS → CHECK: Monitor & Review ISMS → ACT: Maintain & Improve) with the supporting implementation activities: IS Policy, Security Organisation, Asset Identification & Classification, Control Selection & Implementation, Operationalize the Processes, Check Processes, Corrective & Preventive Actions, Management Review.

Slide 34
ITIL

Slide 35
Background

What is Information Technology Infrastructure Library (ITIL ®)?

• Describes best practice in IT service management (ITSM) drawn from public and private sector IT organizations
− The primary objective of Service Management is to ensure that the IT services are aligned to the business needs and actively support them.
• Benefits include:
− Increased user and customer satisfaction with IT services
− Improved service availability, directly leading to increased profits and revenue
− Financial savings from reduced rework, lost time, improved resource management and usage
− Improved time to market for new products and services
− Improved decision making and optimized risks
ITIL® is a Registered Trade Mark, and Registered Community Trade Mark of the Office of Government Commerce, and is Registered in the U.S. Patent and Trademark Office.
Slide 36
What is ITIL® V3?

• ITIL® is about more than ‘just’ infrastructure
• “Business of IT” oriented approach
• Promoting service based approach to managing IT
• Includes discussion topics about strategic options, functions, roles and responsibilities as well as continual improvement
• Makes reference to other frameworks (e.g. COBIT, ISO 27001) and talks about better alignment to those
• Helps to provide a standardized process context
• Highlights the importance of process
• Identifies the core activities and metrics for its processes
• Requests measurement programs (baselining, benchmarking) to ensure performance (e.g. TCO, ROI, Costing/Pricing)
• Revised certification program for Professionals – more structured and focused by processes

Slide 37
Version 3 Overview

Service strategy:
• Service Portfolio Mgmt
• Financial Mgmt
• Demand Mgmt

Service design:
• Service Catalogue Mgmt
• Service Level Mgmt
• Supplier Mgmt
• Capacity Mgmt
• Availability Mgmt
• IT Service Continuity Mgmt
• Information Security Mgmt

Service transition:
• Change Mgmt
• Service Asset & Configuration Mgmt
• Knowledge Mgmt
• Transition Planning and Support
• Release & Deployment Mgmt
• Service Validation & Testing
• Evaluation

Service operation:
• Event Mgmt
• Incident Mgmt
• Request Fulfilment
• Access Mgmt
• Problem Mgmt
Functions:
• Service Desk
• Technical Mgmt
• IT Operations Mgmt
• Applications Mgmt

Continual Service Improvement:
• Seven Step Improvement Process

Supporting material:
• Service, organizational, process and technology maps

Slide 38
ITIL® Version 3

Service Design

Slide 39
Service Design

Goals & Objectives

Goal:
The design of appropriate and innovative IT services, including their
architectures, processes, policies, and documentation, to meet current and
future agreed business requirements.

Objectives:
− Design services to meet agreed business outcomes
− Design processes to support the service lifecycle
− Identify and manage risks
− Design secure and resilient IT infrastructures, environments, applications
and data/information resources and capability
− Design measurement methods and metrics

Slide 40
Service Design

Goals & Objectives (contd..)

Objectives (contd..):
− Produce and maintain plans, processes, policies, standards, architectures,
frameworks and documents to support the design of quality IT solutions
− Develop skills and capability within IT
− Contribute to the overall improvement in IT service quality

Slide 41
Service Design

Processes covered in Service Design

• Service Catalogue Management: The purpose of SCM is to provide a single, consistent source of information on all of the agreed services, and ensure that it is widely available to those who are approved to access the service catalogue

• Service Level Management: SLM negotiates, agrees and documents appropriate IT service targets with the business, and then monitors and produces reports on delivery against the agreed level of service

• Capacity Management: The purpose of Capacity Management is to provide a point of focus and management for all capacity and performance-related issues, relating to both services and resources, and to match the capacity of IT to the agreed business demands

• IT Service Continuity Management: The purpose of ITSCM is to maintain the appropriate on-going recovery capability within IT services to match the agreed needs, requirements and timescales of the business
Slide 42
Service Design

Processes covered in Service Design (con’t)

• Availability Management: The purpose of Availability Management is to provide a point of focus and management for all availability-related issues, relating to services, components and resources, ensuring that availability targets in all areas are measured and achieved, and that they match or exceed the current and future agreed needs of the business in a cost-effective manner

• Information Security Management: The purpose of the ISM process is to align IT security with business security and ensure that information security is effectively managed in all service and Service Management activities

• Supplier Management: The purpose of the Supplier Management process is to obtain value for money from suppliers and to ensure that suppliers perform to the targets contained within their contracts and agreements, while conforming to all of the terms and conditions

Slide 43
Service Design

IT Service Continuity Management (ITSCM)

ITSCM is concerned with managing an organisation’s ability to continue to provide a pre-determined and agreed level of IT Services to support the minimum business requirements following an interruption to the business.

Goal:
The goal of the ITSCM is to support the overall Business Continuity Management
process by ensuring that the required IT technical and service facilities (including
computer systems, networks, applications, data repositories, telecommunications,
technical support, and Service Desk) can be resumed within required, and agreed,
business timescales.

Slide 44
Service Design

IT Service Continuity Management – Objectives

• To maintain a set of IT service Continuity Plans and IT recovery plans that support
the overall Business Continuity Plans (BCPs) of the organization

• To complete regular Business Impact Analysis (BIA) exercises to ensure that all
continuity plans are maintained in line with changing business impacts and
requirements

• To conduct regular risk assessment and management exercises in conjunction with the business and, in particular, the Availability Management and Security Management processes, so that IT services are managed within an agreed level of business risk

Slide 45
Service Design

IT Service Continuity Management – Objectives

• To ensure that appropriate continuity and recovery mechanisms are put in place to
meet or exceed the agreed business continuity targets

• To assess the impact of all changes on the IT service Continuity Plans and IT
recovery plans

• To ensure that proactive measures to improve the availability of services are implemented wherever it is cost justifiable to do so

• To negotiate and agree the necessary contracts with suppliers for the provision of the
necessary recovery capability to support all continuity plans in conjunction with the
Supplier Management process

Slide 46
Service Design

IT Service Continuity Management

Lifecycle of Service Continuity Management

Lifecycle stage (BCM stage): key activities
• Initiation (Business Continuity Management, BCM): Policy setting; Scope; Initiate a project
• Requirements and strategy (Business Continuity Strategy): Business Impact Analysis; Risk Assessment; IT Service Continuity Strategy
• Implementation (Business Continuity plans): Develop IT Service continuity plans; Develop IT plans, recovery plans and procedures; Organization Planning; Testing strategy
• On going Operation (Invocation): Education, awareness and Training; Review and audit; Testing; Change Management

Slide 47
Service Design

IT Service Continuity Management – KPIs

• Positive results from audits performed over the ITSCM plans to ensure that, at all
times, the agreed recovery requirements of the business can be achieved

• Successful results from recovery testing

• Reduction in the risk and impact of possible failure of IT services

• Increased awareness of business impact, needs and requirements throughout IT

• Increased preparedness of all IT service areas and staff to respond to an invocation of the ITSCM plans

Slide 48
IT Service Continuity Management – KPIs

• Response time to restore business operations after a disaster occurs based on the
type of recovery option chosen (i.e. manual, immediate, fast, intermediate, or
gradual)

• Cost of service continuity management vs. cost incurred by the business in the
event of an IT service loss. This could include both tangible (i.e. financial) and
intangible (i.e. reputation) costs

Slide 49
COBIT – Control Objective for Information & related Technology

• Accepted globally as a set of tools that ensures IT is working effectively
• Provides common language to communicate goals, objectives and expected results to all stakeholders
• Based on, and integrates, industry standards and good practices in:
– Strategic alignment of IT with business goals
– Value delivery of services and new projects
– Risk management
– Resource management
– Performance measurement

Slide 50
COBIT – Control Objective for Information & related Technology

COBIT® provides guidance for executive management to govern IT within the enterprise

• More effective tools for IT to support business goals

• More transparent and predictable full life-cycle IT costs

• More timely and reliable information from IT

• Higher quality IT services and more successful projects

• More effective management of IT-related risks

Slide 51
Harmonizing the Elements of IT Governance

Figure: Harmonizing the elements of IT Governance (IT Governance; Resource Management).

Slide 52
The COBIT® Framework

Slide 53
COBIT® Defines Processes, Goals and Metrics

Figure: Relationship Amongst Process, Goals and Metrics (DS5)

Slide 54
COBIT® Products and Their Primary Audience

Figure: COBIT, Risk IT and Val IT frameworks; Implementing and Continually Improving IT Governance; COBIT User Guide for Service Managers; COBIT and Application Controls

Slide 55
End of Session

Slide 56
Course: Information Security Management
in e-Governance

Day 1

Session 4: Securing Business Applications

Slide 1
Agenda

 Introduction to categories and definition of business applications
 Information security risks in application software
 Information security solutions and standards for securing business applications

Slide 2
Defining Application Software

Computer Software (SW), consisting of programs, enables a computer to perform specific tasks, as opposed to its physical components (hardware or HW) which can only do the tasks they are mechanically designed for.

There are three major categories of computer software:

 System Software helps run the computer hardware and computer system (e.g. operating systems, device drivers, diagnostic tools, servers, windowing systems, and utilities).

 Programming Software provides tools to assist a programmer in writing computer programs (codes) using different programming languages in a more convenient way (e.g. code editors, compilers, interpreters, linkers, debuggers).

 Application Software allows end users to perform/accomplish one or more specific business operations/tasks.

Slide 3
Defining Application Software

Categories of Application Software (ASW):

 Commercial-off-the-Shelf (COTS) Software
 is a term for ready-made application software, available for sale, lease, or license to end users.
 COTS software is available for most of the support functions of the government and for some of the core functions of the government (e.g. HR, Finance, Supply chain, Tax and Revenue management).

 Custom Developed Software (CDSW)
 “in-house developed” (or “bespoke” or “tailored”) software designed to meet the specific needs of end users/organizations.
 Most of the government entities in India are currently adopting the custom developed software approach.

Slide 4
Illustrative business functions in government sector

Figure: Support Functions (Human Resource, Finance, Procurement, Asset & Inventory) and Core Functions (Revenue / tax administration, Licensing, Issuance of Certificate, Security & Surveillance, Education) serving Citizens, Govt. employees and Business, all within the framework of Act / Legislation / Regulation.

Slide 5
Applications software supporting government business functions

Support functions application (example)
• HRMS: Payroll, Work Time, Administration, HR management Information system, Recruiting, Performance record, Employee Self-Service etc.
• Others such as Financial Management, asset management etc.

Core functions application (example)
• Land registration: Land registration, issuance of certificates etc.
• Other applications such as e-police, e-health, Revenues, tax etc.

• Applications form the backbone of the core and support functions of governments
• Most of the business functions of governments revolve around applications
• Application performance can be unique based on individual application requirements and user expectations.

Slide 6
Information Security Risks surrounding business
applications

Slide 7
Risks surrounding business applications

• Unauthorized access: It is when a person who does not have permission to connect to or use a system gains entry in a manner unintended by the system owner

• Unauthorized transactions: Unauthorized transactions are transactions without proper authorization

• Data Manipulation: The unauthorized alteration or modification of data

• Data Loss: Data loss refers to the unforeseen loss of data or information

• Denial of Services: A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a computer resource unavailable to its intended users

• Data theft: When information is illegally copied or taken from a business or other individual

Slide 8
Security Compromise : Outcome

• Theft and fraud

• Loss of confidentiality

• Loss of privacy

• Loss of integrity

• Loss of availability

• Loss of Revenue

• Goodwill loss

• And so many……..

Slide 9
The most common Business Application security issues

• Inadequate IT Security and IT involvement during definition, design, testing & review

• Inadequate development team knowledge - application security threats & secure application development principles

• Inadequate security controls throughout the SDLC (e.g. Security Considerations during Business Impact and Threat Assessments, Problem and Change Management, Testing)

• Inadequate security testing

• Bespoke and rapid development of applications

• Inadequate independent and qualified security assessments

• Unqualified assessors undertaking security reviews

Slide 10
Approach for securing business applications

Slide 11
Key Focus areas in Application Security

• Authentication - How do I know who this is?
  • Ability to Validate
  • Proving Identity

• Authorization - How do I know what he/she can access?
  • Allowing to Transact

• Accounting - How do I check what is happening in the system?
  • Audit Trails

• Users Management - How do I manage this identity and what it can access over its lifetime?
  • Management
  • Profiling

Slide 12
Authentication

• Authentication services facilitate the process of determining who a user is
• An organisation may support multiple authentication schemes and mechanisms
• Authentication systems must be able to reliably verify the identity of the individual or organizational customer
• Authentication can be single factor or two factor or three factor authentication

Figure: User (with the User’s Devices holding the Authentication Factors) → Evidence → Authentication Server → Auth. Protocol → Resource

Authentication Steps
• User and User’s Devices present Evidence to Authentication Server demonstrating possession of Authentication Factors
• Authentication Server conveys Evidence to Resource in Authentication Protocol

Slide 13
Variations on the Model

• Local authentication: User authenticates directly to resource, without authentication server
  • e.g.: Log into PC; Unlock smart card

• Authentication server: User authenticates once to authentication server, which relays ticket or authentication assertion to resource
  • e.g.: Kerberos; Identity providers

• Validation server: Resource relies on separate validation server for part or all of authentication decision
  • e.g.: Credential federation

• Contextual factors: Where & when did the protocol originate?

Slide 14
Describing an Authentication Mechanism
• An authentication mechanism is a process involving:

  • Selected authentication factors

  • Particular evidence about those factors; and a

  • Specific protocol for conveying the evidence

• A simple authentication mechanism has one resource and one authentication decision

Authentication factors and the evidence presented for each:

Factor                                   Evidence
Something you know:
  Password                               Password
  Knowledge-based authentication         Answer
Something you have:
  One-time password token                One-time password
  Smart card / USB token                 Signature
Something you are / can do:
  Biometrics                             Fingerprint
Slide 15
Strong Authentication

• A system may recognise one or more of three factors to be used for authenticating users:

• 'Something you know', such as a password, PIN or an out-of-wallet response

• 'Something you have', such as a mobile phone, credit card or hardware security
token

• 'Something you are', such as a fingerprint, a retinal scan, or other biometric

• Strong authentication will entail using more than one of these authentication factors at any
one time.

Slide 16
Authentication factors

Slide 17
Single Factor Authentication (SFA)

• SFA is the traditional security process that requires a user name and password before granting
access to the user.

• SFA security relies on the diligence of the user, who should take additional precautions -- for
example, creating a strong password and ensuring that no one else can obtain it.

• Single-factor authentication therefore needs a hardened environment for users to authenticate
and transact on the web

• It also needs a centralized repository of user profiles and credentials

[Figure: Single Factor Authentication - the user presents knowledge (username, password) to
the server.]

Slide 18
User Id Rules – Best Practices for User ID creations -
Illustrative
• Definition and implementation of policy and procedures for creation and management of
user id’s

• There should be a one-to-one relationship between user Ids and individuals.

• Access to computing resources (e.g. files, applications, and databases) via shared User Ids
should be strictly prohibited

• Deactivation of user accounts, which are inactive for long durations (e.g. more than 60
days)

• User Ids with special system privileges should be controlled and restricted to a limited
number of authorised personnel

• Administrators should log on as themselves, using a normal User Id when performing
regular work duties rather than logging in as the Supervisor/Administrator

• Logging in as the Supervisor/Administrator should be limited to administrative activities only

• "Guest" accounts or features (where applicable) should be disabled

Slide 19
Strong password

• A strong password is one that is designed to be hard for a person or program to discover.

• Because the purpose of a password is to ensure that only authorized users can access
resources, a password that is easy to guess is a security risk.

• Essential components of a strong password include sufficient length and a mix of character
types.

• A typical weak password is short and consists solely of letters in a single case.

Slide 20
Password Management – Illustrative Best Practices

• The minimum length of passwords should be set to 8 characters, and passwords should be
alphanumeric

• A password expiration period of one or two months should be set to force users to change their
passwords at regular intervals

• Passwords should never be displayed, stored or transmitted in clear text

• The system should force the user to change the password (issued by the Systems
Administrator) at the time of the initial logon

• User Ids should be disabled after incorrect passwords have been entered for 3 consecutive
times.

• Default passwords, shipped with software upon installation of the software or receipt of a
system with pre-loaded software, should be immediately changed.

• The practice of "recycling" or reusing the same password when prompted for a change
should be prevented, where possible.

• System files holding authentication data or passwords should be protected from
unauthorised access
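The rules on slides 19 and 20 can be enforced in code at the point where a credential is set and checked. The following is an added example, not code from the course material: it implements the 8-character alphanumeric minimum, the forced change at first logon, the expiry period (assumed here to be 60 days), the disable-after-3-failures rule and the no-reuse rule, and it stores only a salted PBKDF2 digest so the clear-text password is never written anywhere. The history depth of 5 and the PBKDF2 round count are assumptions; a real system would also keep the account lockout and the password history in persistent storage.

```python
import hashlib
import hmac
import os

# Policy values taken from the slide: 8-character minimum, alphanumeric mix,
# lock the User Id after 3 consecutive failures, forbid reuse of recent passwords,
# and force a change at first logon and after the expiry period (assumed 60 days).
MIN_LENGTH = 8
MAX_FAILURES = 3
HISTORY_DEPTH = 5          # assumption: remember the last five digests
MAX_AGE_SECONDS = 60 * 24 * 3600
PBKDF2_ROUNDS = 200_000    # assumption: tune to the server's hardware


def check_policy(password):
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.isalpha() for c in password):
        problems.append("contains no letters")
    if not any(c.isdigit() for c in password):
        problems.append("contains no digits")
    return problems


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; only (salt, digest) is ever stored, never the clear text."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


class UserRecord:
    """One user's credential record as the authentication server would keep it."""

    def __init__(self, user_id, initial_password, now):
        self.user_id = user_id
        self.salt, self.digest = hash_password(initial_password)
        self.history = [self.digest]   # recent digests (same per-user salt) for the reuse check
        self.changed_at = now
        self.must_change = True        # administrator-issued password: change at first logon
        self.failures = 0
        self.disabled = False

    def verify(self, password, now):
        """Check a logon attempt: 'ok', 'change_required', 'bad_password' or 'disabled'."""
        if self.disabled:
            return "disabled"
        _, digest = hash_password(password, self.salt)
        if not hmac.compare_digest(digest, self.digest):
            self.failures += 1
            if self.failures >= MAX_FAILURES:
                self.disabled = True       # disable after 3 consecutive failures
                return "disabled"
            return "bad_password"
        self.failures = 0
        if self.must_change or now - self.changed_at > MAX_AGE_SECONDS:
            return "change_required"
        return "ok"

    def change_password(self, new_password, now):
        """Enforce the policy and the no-reuse rule; returns a list of problems (empty = changed)."""
        problems = check_policy(new_password)
        if problems:
            return problems
        _, candidate = hash_password(new_password, self.salt)
        if any(hmac.compare_digest(candidate, old) for old in self.history):
            return ["reuses a recent password"]
        self.digest = candidate
        self.history = (self.history + [candidate])[-HISTORY_DEPTH:]
        self.changed_at = now
        self.must_change = False
        return []
```

The per-user salt is kept for the life of the record so that old digests in the history remain comparable; `hmac.compare_digest` is used for every comparison so that a wrong password is rejected in constant time.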

Slide 21
Challenges with Single factor authentication / passwords

- When they are memorable, they are weak

- When they are strong, they are unmanageable

- People almost always either pick weak passwords or they record their passwords
someplace handy (perhaps protected by a single password)

Slide 22
Two factor authentication

Slide 23
What is 2-3 Factor Authentication

• Is a combination of Something you know (Password), Something you have (Smart Card /
tokens) and/or Something you are (Biometric)

• Authentication using two or three independent methods – typically something you have
(device) and something you know (password)

• A reusable password plus a physical device greatly increases the security around
authentication

• Two-Factor authentication is being more widely embraced by the banking and financial
services industries

• Most common example: ATMs require that you have a reusable password (PIN) and a
physical card in order to access bank account

• Examples: Digital Certificates, Smart Cards, RSA Tokens, Biometrics…

Slide 24
Digital Certificates

• Digital client certificates are a solution for enabling the enhanced user identification and
access controls needed to protect sensitive online information
• Used to authenticate an individual; issued by trusted third parties known as Certificate
Authorities (CAs)
• Issued at various assurance levels: the higher the level, the more thoroughly the CA verifies
the identity of the certificate applicant before issuing
• Digital certificates can also be stored and transported on smart cards or USB tokens for use
when travelling
• Anyone can issue digital certificates; a certificate is only worth as much as the willingness of
relying parties to trust its issuer

Slide 25
Classes of Public Key Certificates

• Class 0 Certificate: Issued only for demonstration/test purposes.

• Class 1 Certificate: Confirms that the user's name (or alias) and e-mail address form an
unambiguous subject within the Certifying Authority's database.

• Class 2 Certificate: Confirms that the information in the application provided by the
subscriber does not conflict with the information in well-recognized consumer databases.

• Class 3 Certificate: High assurance certificates, primarily intended for e-commerce
applications.

List of Certifying Authorities (retrieved from http://cca.gov.in on 12/06/2010):
• Safescrypt – Sify Communications Ltd
• IDRBT Certifying Authority – IDRBT
• National Informatics Centre
• Tata Consultancy Services
• mtnlTrustLine – MTNL
• Code Solutions Certifying Authority – Code Solutions
• e-Mudhra – 3i Infotech Consumer Services

Slide 26
Few areas where Digital certificates are prominently used in
governments

• MCA-21: requires a Class 2 or Class 3 individual signature certificate

• e-procurement applications

• e-Mudhra

• e-filing of patents…

Slide 27
Security token & Smart Cards

Security Token

• Smart cards and USB tokens are one form of 'something you have'

• If the security token is a software token, it is usually bound to a particular workstation

• Security tokens provide two-factor authentication: a password plus a device (or an
appropriate hardware identifier)

• A security token is usually a hardware device such as a smart card

Smart Cards

• Tamper-resistant electronic storage of PKI keys.

• Keys can be uploaded to, or generated on, the card

• Cards do not release the private key; the signing operation is performed on the card itself

• Cards can run applets/applications written in Java and other common languages.

Slide 28
One-time password (OTP)

• A one-time password is valid for a single use and for a limited duration

• These devices have an LCD screen which displays a pseudo-random number consisting of 6
or more alphanumeric characters

• Generated using a counter-based token or a clock-based token

• A counter-based token is an active token that generates a one-time password from a counter
(kept in step between token and server) and the secret key of the user

• A clock-based token is an active token that generates one-time passwords from the current
time; the server recomputes the expected value from its own clock
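Both token types on this slide are standardised: the counter-based scheme is HOTP (RFC 4226) and the clock-based scheme is TOTP (RFC 6238), which is HOTP with the counter replaced by the number of 30-second steps since the Unix epoch. The following is an added example, not part of the course material, showing both generators together with the server-side checks a practitioner needs: a look-ahead window that resynchronises a counter-based token whose button was pressed without the server seeing the code, and a clock-skew window for time-based tokens. The look-ahead of 5 and the skew of one step are assumed values; the test vectors are those published in the two RFCs (shared secret `12345678901234567890`).

```python
import hashlib
import hmac
import struct


def hotp(secret, counter, digits=6):
    """RFC 4226 counter-based OTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit number reduced to the requested number of digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 clock-based OTP: HOTP with the counter set to the current time step."""
    return hotp(secret, unix_time // step, digits)


class CounterValidator:
    """Server side of a counter-based token. The server keeps its own copy of the counter;
    a small look-ahead window (assumed: 5) tolerates presses that never reached the server,
    and the counter is moved past any accepted code so it can never be replayed."""

    def __init__(self, secret, look_ahead=5):
        self.secret = secret
        self.counter = 0
        self.look_ahead = look_ahead

    def verify(self, code):
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1   # resynchronise with the token
                return True
        return False


def verify_totp(secret, code, unix_time, skew_steps=1, step=30):
    """Accept the code for the current step and +/- skew_steps neighbouring steps,
    which is how servers tolerate clock drift between token and server."""
    for s in range(-skew_steps, skew_steps + 1):
        if hmac.compare_digest(totp(secret, unix_time + s * step, step), code):
            return True
    return False
```

A production TOTP verifier must additionally remember the last time step at which a user's code was accepted and refuse any code for that step or earlier; otherwise a code observed by an attacker remains valid for the rest of the skew window.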

Slide 29
Something you are: biometrics

Usage of “something you are”


• Biometric authentication involves unique physical or behavioral characteristics of individuals
• Fingerprint, Facial, Retinal, Iris, Voice, Hand Geometry
• Prevents unauthorized access by requiring the enrolled person to be physically present
• Can be combined with “something you know” = PIN and “something you have” = smart card.

Slide 30
Few methods / protocols for authentication

LDAP
• The Lightweight Directory Access Protocol (LDAP) provides networked access to a
hierarchical database of authentication information.
• LDAP is appropriate for any kind of directory-like information where fast lookups and
less-frequent updates are the norm, making it well suited to authenticating an organisation's
users.

Kerberos
• Kerberos is a network authentication protocol that allows individuals communicating over an
insecure network to prove their identity to one another in a secure manner.
• Kerberos uses a client-server model that provides mutual authentication, allowing both the
user and the server to verify each other's identity.

Native Authentication
• Native authentication schemes are authentication mechanisms built into devices and/or
some applications that often utilise proprietary authentication protocols and non-standardised
authentication information stores.

Slide 31
Single Sign On - SSO

• Single sign-on (SSO; in its enterprise form, e-SSO) is a property of authentication for
multiple, related, but independent software systems.

• With this property a user logs in once and gains access to all systems without being
prompted to log in again at each of them.

• The process authenticates the user for all the applications they have been given rights to and
eliminates further prompts when they switch applications during a particular session.

• In enterprise SSO the user's application credentials are held in a cryptographically protected
store, so the users themselves no longer need to know the individual application credentials;
credentials are 'released' (used to log on) according to a defined 'authentication grade'.

• Two-factor authentication systems such as smart cards or biometrics can be linked to
different authentication grades.

Slide 32
SSO - Advantages

• Reduced operational cost

• Reduced time to access data

• Improved user experience, no password lists to carry

• Advanced security to systems

• Strong authentication

- One Time Password devices

- Smartcards

• Centralized management of users, roles

• Fine grained auditing

Slide 33
Authorisation

• Once we know (reasonably) who it is, we need to decide what they can access, and
how.

• Authorisation facilitates the process of determining what a user is entitled to access

• Authorization is the function of specifying access rights to resources, which is related
to information security and computer security in general and to access control in
particular.

• When a user tries to access a resource, the access control process checks that the user
has been authorized to use that resource

• Users should only be authorized to access whatever they need to do their jobs !!!

Slide 34
Authorisation

Role Based Access Control

• Authorise users of systems based on predefined privileges that are associated with a
job function.

• Hence the access users would gain to systems should be restricted to their role within
the organisation, and when the user changes roles, the user’s access to systems
changes as well.

• Access to systems within the organisation should be based on roles wherever
possible.

• For example, depending upon the need, final approval of a land allotment application
should be restricted to some members of the approving committee.

Slide 35
Role-Based Access Control

 During operation, the system uses the access control rules to decide whether access
requests from (authenticated) users shall be granted or rejected.

 Resources include individual files' or items' data, computer programs,
computer devices and functionality provided by computer applications.

[Figure: User is assigned a Role; the Role carries Permissions.]

Slide 36
Context-Based Access Control

 Trusted users that have been authenticated are often granted unrestricted access to
resources.
 "Partially trusted" users will often have restricted authorisation in order to protect resources
against improper access and usage

[Figure: User with Role has Permissions; Constraints given by Context restrict those
Permissions.]

Slide 37
Authorisation

Context / Rule Based Access Control


• Access to systems within the organisation should also be governed by rules/context wherever
needed.
• Context/rule-based access control seeks to authorise users of systems based on
predefined rules that are associated with an identity or set of identities
• Hence the access users gain to systems is restricted by rules set by the organisation, and
when the rules change, the user's access to systems changes as well.
• For example, in the land allotment application, once the application is processed, a rule
can be set which only allows the managing director to change the allotted value.
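The role-based and context/rule-based models of slides 34 to 37 are easiest to compare in code. The following is an added example, not part of the course material: it encodes the land allotment workflow used in the slides, with a role table (RBAC) checked first and a rule layer checked second. The roles, permission names, workflow states, the approving-committee list and the office-hours constraint are all assumptions made for the illustration; the two rules that come from the slides are that final approval is limited to designated committee members and that, once an application is processed, only the managing director may change the allotted value.

```python
from dataclasses import dataclass

# Roles and permissions are assumed for this illustration (RBAC: role -> permissions).
ROLE_PERMISSIONS = {
    "clerk":             {"application:create", "application:view", "application:amend_value"},
    "committee_member":  {"application:view", "application:approve"},
    "managing_director": {"application:view", "application:approve", "application:amend_value"},
    "auditor":           {"application:view"},
}


@dataclass
class Application:
    app_id: str
    status: str = "draft"        # assumed workflow: draft -> submitted -> processed
    allotted_value: int = 0


@dataclass
class User:
    user_id: str
    roles: set


def has_permission(user, permission):
    """RBAC: the action is allowed if any of the user's roles carries the permission."""
    return any(permission in ROLE_PERMISSIONS.get(role, set()) for role in user.roles)


def rule_check(user, action, app, context):
    """Context/rule layer evaluated on top of the role check; returns (allowed, reason)."""
    # Final approval restricted to the members of the approving committee for this application
    if action == "application:approve":
        if user.user_id not in context.get("approving_committee", set()):
            return False, "user is not on the approving committee for this application"
        if app.status != "submitted":
            return False, "only submitted applications can be approved"
    # Once processed, only the managing director may change the allotted value
    if action == "application:amend_value" and app.status == "processed":
        if "managing_director" not in user.roles:
            return False, "allotted value of a processed application: managing director only"
    # Contextual factor (when): assumed office hours 09:00-18:00 for everyone but the MD
    hour = context.get("hour")
    if hour is not None and not 9 <= hour < 18 and "managing_director" not in user.roles:
        return False, "access outside working hours"
    return True, "ok"


def authorize(user, action, app, context):
    """Role check first (RBAC), then the context/rule constraints."""
    if not has_permission(user, action):
        return False, "role does not grant %s" % action
    return rule_check(user, action, app, context)
```

Keeping the rules in one function that receives the user, the action, the resource and the request context is what makes the "when the rules change, the user's access changes as well" property hold: nothing about the rule is stored on the user record.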

Slide 38
Some of the best practices for authorization

• Users' access rights should be reviewed at an interval of 3 months. However, authorisations
for special privileged access rights should be reviewed at an interval of 1 month.

• The Systems Security Administrator should review user access rights when changes to a
user’s normal duties are required, for example, as a result of resignation, termination,
transfer or promotion.

Slide 39
Solutions/Tools for Authorization implementation?

Slide 40
Audit and Audit trails

• Audit – the process of reviewing activities that enables the reconstruction and examination of
events to determine if proper procedures have been followed.

• System logs of “who was on what system when” depend on Authentication credentials of the
user

• The Audit element provides a control mechanism that is used to

 determine whether policy objectives are being met,

 to determine and verify privilege settings,

 to determine whether users have accounts on the appropriate systems,

 to create audit trails of activity, as well as

 to determine whether segregation of duties is being enforced.

• Audit records typically result from activities such as transactions or communications by
individual people, systems, accounts or other entities.

Slide 41
Audit trails - Need

Individual Accountability
• An individual's actions are tracked in an audit trail allowing users to be personally
accountable for their actions.
• This deters the users from circumventing security policies. Even if they do, they can
be held accountable.
Reconstructing Events
• Audit trails can also be used to reconstruct events after a problem has occurred.
• The amount of damage that occurred with an incident can be assessed by reviewing
audit trails of system activity to pinpoint how, when, and why the incident occurred.
Audit trails and similar evidence are needed for
• Monitoring and reviewing any application access related breaches;
• Use as evidence in relation to a potential breach of contract, breach of a regulatory
requirement or in the event of civil or criminal proceedings, e.g. under the Copyright Act or
the Information Technology Act

Slide 42
Audit trails - Need
• Problem Monitoring

• Used as on-line tools to help monitor problems as they occur.

• Real time monitoring helps in detection of problems like disk failures, over utilization
of system resources or network outages.

• Intrusion Detection

• Intrusion detection refers to the process of identifying attempts to penetrate a
system and gain unauthorized access.

• Audit trails can help in intrusion detection if they record appropriate events.

• Determining what events to audit so that audit trails can be used in an effective
manner to aid intrusion detection is one of the present research issues being looked
into by the research community.

Slide 43
Audit trail – Need

Reporting

• The Reporting element enables the organisation to draw a variety of reports relating to the
use of its identities.

• In particular, reports on audit trails form a basis for accountability within the organisation by
tracking who requested access, why the request was granted or denied, and who approved
the request.

• During investigations, audit reports can be used to conduct thorough analysis of incidents.

Slide 44
Audit trail – Best practices

• Live application connections and data should be subject to strict change control. When
programs are changed, an audit log containing all relevant information should be retained

• An audit trail of all access should be securely maintained and reviewed on a daily basis.

• The audit log and issues related to the usage of sensitive privileges / utilities should be
reviewed weekly and followed up for any inappropriate usage.

• The use of sensitive utilities should be logged in "tamper-proof" logs for review by the
Systems Security Administrator, wherever possible.

• Router, firewall and switch audit logs should also be reviewed on a daily basis for
unauthorized access

Slide 45
Audit Trail Analysis

• The audit trails need to be analyzed to determine vulnerabilities, establish accountability,
assess damage and recover the system.

• Manual analysis of audit trails though cumbersome is often resorted to because of the
difficulty to construct queries to extract complex information from the audit logs.

• There are many tools that help in browsing the audits.

• The major obstacle in developing effective audit analysis tools is the copious amounts of
data that logging mechanisms generate
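Slide 44 asks for "tamper-proof" logs of sensitive privilege use and slide 42 for audit trails that record the events needed for intrusion detection. The following is an added example, not part of the course material: an append-only audit trail in which each record's tag is an HMAC over the record and the previous record's tag (a keyed hash chain), plus two of the simplest analyses a reviewer runs over it. The log fields, the event names and the sample records are constructed for the illustration; the chain detects modification, deletion and reordering but not truncation of the most recent records, which is why the latest tag should also be copied periodically to a separate system.

```python
import hashlib
import hmac
import json


class AuditLog:
    """Append-only audit trail with a keyed hash chain: every record's tag is an HMAC over
    the record and the previous tag, so modifying, deleting or reordering a record
    invalidates the chain from that point on. The key must be held by the reviewer,
    not by the administrators whose actions are being logged."""

    def __init__(self, key):
        self.key = key
        self.records = []

    def _tag(self, prev_tag, body):
        data = prev_tag.encode("ascii") + json.dumps(body, sort_keys=True).encode("utf-8")
        return hmac.new(self.key, data, hashlib.sha256).hexdigest()

    def append(self, ts, user, system, event, outcome):
        body = {"seq": len(self.records), "ts": ts, "user": user,
                "system": system, "event": event, "outcome": outcome}
        prev = self.records[-1]["tag"] if self.records else "0" * 64
        self.records.append(dict(body, tag=self._tag(prev, body)))

    def verify(self):
        """Index of the first record whose chain link fails, or -1 if the trail is intact."""
        prev = "0" * 64
        for i, rec in enumerate(self.records):
            body = {k: v for k, v in rec.items() if k != "tag"}
            if rec["seq"] != i or not hmac.compare_digest(self._tag(prev, body), rec["tag"]):
                return i
            prev = rec["tag"]
        return -1


def consecutive_failures(records, threshold=3):
    """Users with `threshold` or more consecutive failed logons (the slide 20 lockout rule)."""
    streak, flagged = {}, set()
    for rec in records:
        if rec["event"] != "logon":
            continue
        if rec["outcome"] == "failure":
            streak[rec["user"]] = streak.get(rec["user"], 0) + 1
            if streak[rec["user"]] >= threshold:
                flagged.add(rec["user"])
        else:
            streak[rec["user"]] = 0
    return flagged


def privileged_use(records):
    """(timestamp, user, system) for every use of a sensitive utility, for the weekly review."""
    return [(r["ts"], r["user"], r["system"])
            for r in records if r["event"] == "privileged_utility"]
```

Because `verify` recomputes every tag from the first record, it answers the question slide 45 raises about audit analysis: the chain tells the reviewer whether the trail being analysed is the trail that was written.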

Slide 46
Approach to design secured applications

Slide 47
Custom Application development

Develop security controls throughout the SDLC.

- Provide adequate security training to those designing and developing applications
(stakeholders, project managers, BAs, architects, coders and testers).

- Undertake application security reviews such as design reviews, code reviews and
penetration testing at various intervals during the SDLC, not two days before go-live.

- Develop Policies, Standards for Systems Development & Maintenance.

- Develop Policies and Standards for control of the Development Environment, Source
Code and Access Control.

- Develop reusable SECURE code blocks.

Slide 48
Managing information security in enterprise applications –
Holistic approach
Governance
Security policies, guidelines, standards, procedures and metrics created and enforced by the
organization. The phases below are all defined against these.

Requirements
Defined according to governance rules for authentication, authorization, non-repudiation, data
confidentiality, integrity, accountability, session management, transport security, privacy, etc.

Design
Design with considerations for network, server, middleware, database and programming platform
vulnerabilities, leveraging techniques such as threat modeling, risk analysis, misuse and abuse
cases.

Coding & Unit Test
Follow secure coding guidelines. Perform code review and code scanning to minimize coding
vulnerabilities.

System & Integration Test
Penetration testing performed during SIT to simulate application abuses and ensure any
vulnerabilities uncovered are properly addressed as "security bugs".

Deployment
Application should be tuned and hardened at all layers of the platform stack to minimize
infrastructure software misconfiguration vulnerabilities.

Operate/Maintain
Vulnerability scanning regularly performed during the application maintenance phase on both the
application and infrastructure to ensure no new security risks have been introduced and that the
level of security is still intact.
Slide 49
Enterprise Application – Important Security measures

Development, test and production environments are kept separate; code moves forward between
them only through production control.

Development Environment
• Developers make modifications to code
• Developers have read/write/execute access
• End-users do not have any access
• Unit and system testing performed by developers

Test Environment (completed modification moved to Test by production control)
• No modifications made to code
• Developers have read and execute access
• End-users have read and execute access
• Integration and user acceptance testing is performed here

Production Environment (tested modification moved to Production by production control)
• No modifications made to code
• Developers have no or read-only access
• Users have execute access
• Live use of program for business purposes

Code returns to Development only by copying: code copied for further changes by developers
(from Test), and source code copied by developers for modification (from Production).

Slide 50
Security Checks in Production vs. Development
Production Phase
• Testing is more end-to-end, checks application layer, network layer, and system layer
security vulnerabilities
• Appropriate for tool-based vulnerability scanning
• Inappropriate for security functionality test and attack script penetration, due to lack of
intimate application knowledge
• Good at finding commonly known platform vulnerabilities
• Not very good at finding application code specific vulnerabilities
• High cost related to late discovery of security defects

Development Phase
• Testing is more focused on application layer vulnerabilities
• Appropriate for all levels of security tests
• Very appropriate for security functionality test and attack script penetration, thanks to
intimate application knowledge
• Good at finding commonly known platform vulnerabilities as well as application code
specific vulnerabilities
• Low cost due to early discovery of security defects

Slide 51
End of Session

Slide 52
Course: Information Security Management
in e-Governance

Day 1

Session 5: Securing Data and Operating Systems
Agenda

 Introduction to information, data and database systems


 Information security risks surrounding data and database systems
 Information security considerations and solutions for data and database
systems
Database Systems

Terms & Concepts : What is a Database?

• An organized collection of information

- A database can also be defined as a collection of information represented in coded data
elements and specific relationships between those data elements

- Databases are cardinal components of any application that provides dynamic content and
is shared across users, uses and applications

• Usually in the form of

- Fields: a single value / piece of information; like a ‘cell’ in Excel

- Records: a complete set of information; composed of fields (a “row”)

- File (or table): a set of records

• DBMS (Database Management System)

- basically the software that manages your database

Slide 3
Operating Systems

What is an operating system?


The operating system can be
considered in various ways:
• an intermediary between the user
software and the hardware
• an abstraction layer providing an
idealized view of the computer
hardware
• a virtual machine
• a set of services

Slide 4
The leading risks and threats

Risks to your computer’s security include:

- Viruses
- Worms
- Trojans
- Spyware

Slide 5
Operating system security

• The OS is responsible for ensuring that users are securely authenticated and controlled
• Operating systems ship with many security vulnerabilities
• A firewall stops most Internet-based attacks; however, it cannot stop all outside attacks
• Firewalls are less effective against attacks originating within the corporation
• Operating system security is required to achieve the three basic objectives of security (CIA):
Confidentiality, Integrity and Availability.

Slide 6
Keep Your Operating System Updated

• Just keep your system up to date with the latest software available.

• Online criminals are constantly at work devising new ways to attack your computer
and invade your privacy. Fortunately, software companies work even harder to
counter those threats and to provide you with updated tools that you can use to
protect your PC.

• You should regularly update your computer operating system with security updates
provided by the manufacturer. The same goes for your Web browser and other
important applications, including your antivirus and antispyware programs

Slide 7
The Benefits of Automatic Security Updates

• As with human viruses, the best treatment for computer viruses is to avoid getting
them in the first place.

• Having up-to-date security features already installed as part of your computer
system helps to ensure that you have the highest level of protection available.

• And because security software is continually updated to anticipate and respond to
new and evolving threats, the easiest way to ensure that you have the latest
security enhancements is to schedule automatic updates for your computer.

Slide 8
Install and Maintain Antivirus Software

• Antivirus software helps to protect your computer by scanning every e-mail,
application or piece of content that enters your PC.

• Strong antivirus programs can detect and destroy thousands of specific viruses
before they have a chance to damage your system.

• Online attackers are constantly creating new viruses and worms, and devising new
ways to invade and damage your computer.

• To protect your PC from these threats, make sure you never let your antivirus
program expire, and keep the software up to date with the latest updates from the
manufacturer.

Slide 9
Install and Maintain Antispyware Software

• Antispyware software can expose any spies already on your system, and help to
keep your computer running smoothly and prevent further intrusion.

• As with your operating system and antivirus software, it is essential that you keep
your antispyware software updated to make sure you have the highest level of
protection for your PC.

Slide 10
Need for Operating systems hardening

• Host hardening makes it more difficult to attack a host system.

• A hardened OS is one in which the vendor has modified the kernel source code to provide
a mechanism that enforces a security perimeter between the non-secure application
software, the secure application software and the network stack

• A kernel connects the application software to the hardware of a computer

Slide 11
OS hardening fundamentals

Following are the fundamental steps for OS hardening


Do a disconnected install
• During installation of an OS, disconnect from any network, especially the Internet
• Best practice is to download the necessary patches in advance and apply them to the
machine before it is connected
Lock down the OS
• Install all applicable patches and updates (in the form of service
packs or updated releases)
• Update the OS on regular basis

Slide 12
OS hardening fundamentals

Lock down the services:


• All services and third-party programs on the computer should be checked
to ensure that they are the most current versions
• Disable the services which are not required on the machine

Define a proper baseline

• Once the IT system is patched and locked down, the next step is to establish a
baseline for the IT system
• This is mostly to ensure that proper documentation exists of the changes that were
carried out on the IT system
• Any later deviation from the baseline can then be detected and verified, and
appropriate security measures can be taken
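A baseline is only useful if deviations from it can be detected mechanically. The following is an added example, not part of the course material: it records the SHA-256 digest and permission bits of every regular file under a directory after the system has been patched and locked down, and later reports files that were added, removed, modified or had their mode changed. The directory layout, file contents and the "tampering" in `demo()` are constructed for the illustration; on a real host the baseline would cover directories such as /etc and the service startup scripts, and the baseline file itself must be stored off-host or read-only, otherwise an intruder simply rewrites it.

```python
import hashlib
import json
import os
import stat
import tempfile


def _file_hash(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_baseline(root):
    """Record SHA-256 and permission bits of every regular file under root
    (on a real host: /etc, /boot, /usr/sbin, ...). Symlinks are skipped."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            rel = os.path.relpath(path, root)
            baseline[rel] = {"sha256": _file_hash(path),
                             "mode": stat.S_IMODE(os.stat(path).st_mode)}
    return baseline


def save_baseline(baseline, path):
    """Store the baseline off-host (or read-only) so an intruder cannot rewrite it."""
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare_baseline(root, baseline):
    """Differences between the filesystem now and the recorded baseline."""
    current = create_baseline(root)
    result = {"added": [], "removed": [], "modified": [], "mode_changed": []}
    for rel in sorted(set(current) | set(baseline)):
        if rel not in baseline:
            result["added"].append(rel)
        elif rel not in current:
            result["removed"].append(rel)
        else:
            if current[rel]["sha256"] != baseline[rel]["sha256"]:
                result["modified"].append(rel)
            if current[rel]["mode"] != baseline[rel]["mode"]:
                result["mode_changed"].append(rel)
    return result


def is_unchanged(result):
    return not any(result.values())


def demo():
    """Constructed scenario: baseline a small tree, then simulate drift and tampering."""
    root = tempfile.mkdtemp(prefix="baseline-demo-")

    def write(rel, text, mode=0o644):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(text)
        os.chmod(path, mode)

    write("ssh/sshd_config", "PermitRootLogin no\n")
    write("init.d/telnet", "#!/bin/sh\nexec in.telnetd\n", 0o755)
    baseline = create_baseline(root)
    write("ssh/sshd_config", "PermitRootLogin yes\n", 0o600)   # content and mode changed
    os.remove(os.path.join(root, "init.d/telnet"))            # service removed
    write("rc.local", "nc -l -p 4444 -e /bin/sh\n", 0o755)    # unexpected new file
    return compare_baseline(root, baseline)
```

Every entry in the comparison output should be matched against the change records kept for the system; an "added" or "modified" file with no corresponding approved change is exactly the deviation the slide says must be investigated.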

Slide 13
Some other measures for Operating System Security

Some of the measures are listed below


- Provide physical security to the host
- Install the OS with secure configuration options
- Download and install patches for known vulnerabilities
- Turn off unnecessary services and harden all remaining applications
- Manage users and groups
- Manage access permission
- Regular server backup

Slide 14
Some of the measures for Host Hardening

• Patch and update the OS


• Identify vulnerabilities
• Mitigate if necessary
• Patch servers in isolation
• Test patches before applying (depends upon availability of test environment)
• Harden and configure the OS
• Disable and remove unnecessary services or applications
• Configure user authentication
• Configure resource controls
• Install and configure additional security controls
• Anti-malware –End-point Security
• Host based firewalls to block unwanted open ports
• Host based intrusion detection (HIDS) system
• Patch management software
• Test the security of OS

Slide 15
Additional operating system access controls

Additional operating system access controls include the following actions:


• Ensure system administrators and security professionals have adequate
expertise to securely configure and manage the operating system.
• Ensure effective authentication methods are used to restrict system access
to both users and applications.
• Activate and utilize operating system security and logging capabilities and
supplement with additional security software where supported by the risk
assessment process.
• Restrict operating system access to specific terminals in physically secure
and monitored locations.

Slide 16
Additional operating system access controls (cont’d)

• Lock or remove external drives from system consoles or terminals residing
outside physically secure locations.
• Restrict and log access to system utilities, especially those with data
altering capabilities.
• Restrict access to operating system parameters.
• Prohibit remote access to sensitive operating system functions, where
feasible, and at a minimum require strong authentication and encrypted
sessions before allowing remote support.

Slide 17
Additional operating system access controls (cont’d)

• Limit the number of employees with access to sensitive operating systems
and grant only the minimum level of access required to perform routine
responsibilities.
• Segregate operating system access, where possible, to limit full or root
level access to the system.
• Monitor operating system access by user, terminal, date, and time of
access.
• Update operating systems with security patches using appropriate
change control mechanisms.

Slide 18
End of Session

Slide 19
Course: Information Security Management
in e-Governance

Day 2

Session 1: Securing your network (WAN and LAN)
Agenda

 Introduction to Data Networks, LAN and WAN

 Introduction to infrastructure elements of LAN and WAN

 Introduction to Data Center and IT infrastructure elements in a Data Center

 Security challenges and risks surrounding LAN and WAN environments

 Security challenges and risks surrounding IT Infrastructure in Data Center
environments

 Information security measures and solutions for securing LAN, WAN and Data
Center

Page 2
Terminology

Basic Terminology
Network
- A network is a group of computers/IT components connected together in such a
way as to facilitate:
• Data/voice/video Communication among people within and across building,
locations, cities and countries
• Sharing of data/files/documents within office, across offices (in the same city
or across the cities)
• Accessing the software applications and databases for performing business
functions

Slide 3
Network Architectures

How are Computers Connected on a Network?

IP (Internet Protocol) address: the unique address that devices use in order to identify and
communicate with each other on a computer network using the IP standard

[Figure: two hosts on the same network, one with IP 10.54.40.29 and one with IP 10.54.40.30]

Slide 4
Network Architectures

Some Network Terminologies

LAN (Local Area Network)

- a group of computers and associated devices that share a common communications
line and typically share resources within a small geographic area (for example, within
an office building)
- Used for connecting IT infrastructure (computers, printers, servers, scanners etc)
existing in a particular office or building or a campus to facilitate sharing of information
among the users

WAN (Wide Area Network)

- Connecting systems or networks (LANs) spread across multiple locations/geographies
/cities/countries
- Relies on a shared or a common communication backbone
- Used for connecting the IT infrastructure/LANs across multiple locations to facilitate
sharing of information among users spread across different locations

Slide 5
LAN and WAN

[Figure: Office 1 in Delhi and Office 2 in Mumbai. Each office has a LAN with a server and a switch; the switch connects to a router, and the two routers are joined across the WAN by a leased line.]
Network Architectures

What is the Internet?

A worldwide network of computer networks that use the TCP/IP network protocols to facilitate data transmission and exchange.

The Internet is a public network for facilitating communication among the group of networks connected to it.

What is an Intranet?

An intranet is a private computer network that uses Internet Protocol technologies to securely share any part of an organization's information or operational systems within that organization across multiple locations/geographies.
Importance of Security

• The Internet has undoubtedly become the largest public data network, enabling and facilitating both personal and business communications worldwide.

• The volume of traffic moving over the Internet, as well as over corporate networks, continues to grow rapidly.

• While the Internet has transformed and greatly improved the way we do business, this vast network and its associated technologies have opened the door to an increasing number of security threats from which organizations must protect themselves.

• An attack may directly cause hours of downtime for employees, and networks may have to be taken down for damage to be repaired or data to be restored.

• Loss of time and data can greatly impact employee efficiency and morale.

Slide 8
Threats to Data

• A single attacker working from a basic computer can damage a large number of computer networks around the world.

• Perhaps even more worrisome is the fact that threats can come from people we know.

• Many network security practitioners report that a large share of network attacks are initiated by employees who work inside the organizations where breaches have occurred.

• Employees, through mischief, malice, or mistake, often manage to damage their own organizations' networks and destroy data.

• Remote employees and partners pose the same threats as internal employees, as well as the risk of security breaches if their remote networking assets are not properly secured and monitored.

Slide 9
Who are the enemies?

Hackers
• This generic term applies to computer enthusiasts who take pleasure in gaining access to
other people’s computers or networks.

• Many hackers are content with simply breaking in and leaving their “footprints,” which are joke
applications or messages on computer desktops.

• Other hackers, often referred to as “crackers,” are more malicious, crashing entire computer
systems, stealing or damaging confidential data, defacing Web pages, and ultimately
disrupting business.

• Some amateur hackers merely locate hacking tools online and deploy them without much
understanding of how they work or their effects.

Slide 10
Who are the enemies?

Unaware Staff
• As employees focus on their specific job duties, they often overlook standard network security
rules

• They might choose passwords that are very simple to remember so that they can log on to their
networks easily

• Such passwords might be easy to guess or crack by hackers using simple common sense or a
widely available password cracking software utility

• Employees can unconsciously cause other security breaches including the accidental
contraction and spreading of computer viruses

• One of the most common ways to pick up a virus is from removable media (historically floppy disks, today USB drives) or by downloading files from the Internet. Employees who carry data on removable media can unwittingly infect their corporate networks with viruses picked up from computers in copy centres or libraries

• They might not even know that viruses are resident on their PCs. Organizations also face the risk of infection when employees download files, such as PowerPoint presentations, from the Internet

Slide 11
Who are the enemies?

Disgruntled Staff
• Far more unsettling than the prospect of employee error causing harm to a network is the
potential for an angry or vengeful staff member to inflict damage.
• Angry employees, often those who have been reprimanded, fired, or laid off, might vindictively
infect their corporate networks with viruses or intentionally delete crucial files.
• This group is especially dangerous because it is usually far more aware of the network, the
value of the information within it, where high-priority information is located, and the safeguards
protecting it.

Slide 12
Causes of Intrusion

Intruders are always discovering new vulnerabilities (informally called "holes") to exploit in computer software.

• Users fail to obtain and install the latest patches/updates, or to configure the software to operate more securely.
• Most incidents could be prevented if system administrators and users kept their computers up to date with patches and security fixes.
• Some default settings allow other users to access your computer unless you change the settings to be more secure

Slide 13
What can these enemies do to Organizations

- Unauthorized Intrusions
- Denial of Service (DoS) Attacks
- Viruses, Worms, Trojan Horses (Backdoors)
- Vandals
- Data Interception
- Website Defacements
- Internal Attacks
- Non-compliance

Slide 14
Approach for securing IT
Infrastructure

Slide 15
Eight Security Dimensions Address the Breadth of Network Vulnerabilities

• Access Control: limit and control access to network elements, services and applications. Examples: password, ACL, firewall
• Authentication: provide proof of identity. Examples: shared secret, PKI, digital signature, digital certificate
• Non-repudiation: prevent the ability to deny that an activity on the network occurred. Examples: system logs, digital signatures
• Data Confidentiality: ensure confidentiality of data. Example: encryption
• Communication Security: ensure information only flows from source to destination. Examples: VPN, MPLS, L2TP (note that MPLS and L2TP separate traffic but do not encrypt it on their own; combine them with IPsec where confidentiality is required)
• Data Integrity: ensure data is received as sent or retrieved as stored. Examples: MD5, digital signature, anti-virus software (note that MD5 is no longer collision resistant, so for data an attacker may alter use a keyed MAC such as HMAC-SHA-256 or a digital signature, not a bare MD5 checksum)
• Availability: ensure network elements, services and applications are available to legitimate users. Examples: IDS/IPS, network redundancy, BC/DR
• Privacy: ensure identification and network use is kept private. Examples: NAT, encryption

The eight security dimensions are applied to each security perspective (layer and plane). Slide 16
Defense-in-Depth

Layers, outermost first. Each layer assumes the prior layers fail.

• Perimeter Defences: Packet Filtering, Stateful Inspection of Packets, Intrusion Detection
• Network Defences: VLAN Access Control Lists, Internal Firewall, Auditing, Intrusion Detection
• Host Defences: Server Hardening, Host Intrusion Detection, IPSec Filtering, Auditing
• Application Defences: AV, Content Scanning, Layer 7 (URL) Switching, Secure Web and Mail Servers
• Data and Resources: Databases, Network Services and Applications, File Shares
We will discuss the following network security components

• Firewalls
• Intrusion Detection System
• Intrusion Prevention Systems
• Quarantine
• Routers
• AAA server
• Antivirus Gateway
• Virtual Private Networks
• Network Monitoring Tools

Slide 18
Firewalls

• A system designed to prevent unauthorized access to or from a private network. Firewalls can be implemented in hardware, software, or a combination of both.

• Frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria.

• A firewall is considered a first line of defense in protecting private information. For greater security, data can be encrypted.
Control Capabilities of Firewalls

Slide 20
Firewall rule sets

Rule sets can be static or dynamic.

A static rule-set is an unchanging statement to be applied to packet headers, such as blocking all incoming traffic with certain source addresses.

A dynamic rule set is often the result of coordinating a firewall and an IDS. For example, an IDS that alerts on malicious activity may send a message to the firewall to block the offending source IP address.

The firewall, after ensuring the IP is not on a "white-list", creates a rule to block the IP. After a specified period of time the rule expires and traffic is once again allowed from that IP.

Slide 21
Packet Filter Firewalls
• Packet filter firewalls evaluate the headers of each incoming and outgoing packet to ensure it has a valid internal address, originates from a permitted external address, connects to an authorized protocol or service, and contains valid basic header instructions.
• If the packet does not match the pre-defined policy for allowed traffic, then the firewall drops the packet.

Stateful Inspection Firewalls
• Stateful inspection firewalls are packet filters that also track the state of each TCP connection. Each TCP session starts with an initial "handshake" communicated through TCP flags in the header.
• When a connection is established the firewall adds the connection information to a table.
• The firewall can then compare future packets to the connection or state table. This verifies that inbound traffic is in response to requests initiated from inside the firewall; an unsolicited inbound packet that matches no table entry is dropped.
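As an added illustration of the static, dynamic and stateful rules described on the preceding slides (example code written for this edit, not part of the course material), the following Python simulates a small packet filter. The internal prefix 10.54.40.x is borrowed from the slide diagram; the blocked address, the published services and the whitelist are assumed values. The points to notice are the order of the checks, that an inbound packet is only accepted when it matches a session opened from inside or an explicitly published service, and that the IDS-driven block is time-limited:

```python
"""Toy packet filter: static rules, a stateful connection table, and
IDS-driven dynamic blocks that expire.  Added example, not the course's code."""
import time
from dataclasses import dataclass

INTERNAL_PREFIX = "10.54.40."   # assumed trusted LAN (taken from the slide diagram)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "tcp" or "udp"
    sport: int
    dport: int
    flags: str = ""   # TCP flags as letters, e.g. "S", "SA", "A"


class Firewall:
    def __init__(self, now=time.monotonic):
        self.now = now                                       # injectable clock for testing
        self.static_deny_src = {"198.51.100.0"}              # static rule: always drop this source
        self.allowed_inbound = {("tcp", 80), ("tcp", 443)}   # services published to the outside
        self.whitelist = {"10.54.40.1"}                      # never auto-blocked on IDS alerts
        self.conn_table = {}                                 # (src, sport, dst, dport) -> state
        self.dyn_blocks = {}                                 # ip -> expiry timestamp

    # --- dynamic rule set, driven by IDS alerts -----------------------------
    def ids_alert(self, ip, ttl=300):
        """IDS reports `ip` as hostile; block it for `ttl` seconds unless whitelisted."""
        if ip in self.whitelist:
            return False
        self.dyn_blocks[ip] = self.now() + ttl
        return True

    def _dynamically_blocked(self, ip):
        expiry = self.dyn_blocks.get(ip)
        if expiry is None:
            return False
        if expiry <= self.now():          # rule has expired: traffic is allowed again
            del self.dyn_blocks[ip]
            return False
        return True

    # --- per-packet decision -------------------------------------------------
    def handle(self, pkt):
        if pkt.src in self.static_deny_src:
            return "DROP static-rule"
        if self._dynamically_blocked(pkt.src):
            return "DROP dynamic-rule"

        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)

        if pkt.src.startswith(INTERNAL_PREFIX):
            # Outbound: remember the session so that replies can be matched later.
            if pkt.proto != "tcp" or ("S" in pkt.flags and "A" not in pkt.flags):
                self.conn_table[key] = "NEW"
            return "ACCEPT outbound"

        # Inbound: only replies to sessions opened from inside ...
        if reverse in self.conn_table:
            if pkt.proto == "tcp" and pkt.flags == "SA":
                self.conn_table[reverse] = "ESTABLISHED"
            return "ACCEPT established"
        # ... or new connections to explicitly published services.
        if (pkt.proto, pkt.dport) in self.allowed_inbound and pkt.flags in ("S", ""):
            self.conn_table[key] = "NEW"
            return "ACCEPT published-service"
        return "DROP no-matching-rule"


def demo():
    """Deterministic walk-through with a fake clock; returns the decisions made."""
    clock = [0.0]
    fw = Firewall(now=lambda: clock[0])
    out = []
    out.append(fw.handle(Packet("10.54.40.29", "203.0.113.5", "tcp", 40000, 443, "S")))   # client SYN out
    out.append(fw.handle(Packet("203.0.113.5", "10.54.40.29", "tcp", 443, 40000, "SA")))  # server SYN-ACK back
    out.append(fw.handle(Packet("203.0.113.5", "10.54.40.29", "tcp", 443, 40001, "SA")))  # no matching session
    out.append(fw.handle(Packet("203.0.113.9", "10.54.40.10", "tcp", 51000, 22, "S")))    # unsolicited SSH
    out.append(fw.handle(Packet("203.0.113.9", "10.54.40.10", "tcp", 51001, 80, "S")))    # published web server
    fw.ids_alert("203.0.113.9", ttl=300)                                                  # IDS says: block it
    out.append(fw.handle(Packet("203.0.113.9", "10.54.40.10", "tcp", 51002, 80, "S")))    # now dropped
    clock[0] = 301.0                                                                      # block has expired
    out.append(fw.handle(Packet("203.0.113.9", "10.54.40.10", "tcp", 51003, 80, "S")))    # allowed again
    out.append(fw.ids_alert("10.54.40.1"))                                                # whitelisted: no block
    return out


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

A real firewall keys its state table on both directions and ages entries out; the toy keeps entries forever, which is exactly the resource-exhaustion angle a SYN flood exploits against stateful devices, so production rule sets also bound the table and time out half-open connections.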

Slide 22
Proxy Server Firewalls

• Proxy servers act as an intermediary between internal and external IP addresses and block direct access to the internal network.

• Essentially, a proxy terminates the internal client's connection and opens a separate connection of its own to the external host, so the outside only ever sees the proxy's IP address, and it relays data between the internal and external machines. Because a proxy on its own understands only the protocols it proxies, proxy servers are commonly deployed behind other firewall devices.

• Proxy servers provide another layer of access control by segregating the flow of Internet traffic to support additional authentication and logging capability, as well as content filtering.

• They may implement anti-virus and anti-spam filtering, disallow connections to potentially malicious servers, and disallow the downloading of files in accordance with the institution's security policy.

Slide 23
Application-Level Firewalls

• Application-level firewalls perform application-level screening, typically including the filtering capabilities of packet filter firewalls with additional validation of the packet content based on the application.

• Application-level firewalls capture and compare packets to state information in the connection tables. Unlike a packet filter firewall, an application-level firewall continues to examine each packet after the initial connection is established, for specific applications or services such as telnet, FTP, HTTP, SMTP, etc.

• The application-level firewall can provide additional screening of the packet payload for commands, protocols, packet length, authorization, content, or invalid headers.

• Application-level firewalls provide the deepest inspection of the three types, but they are slower and require greater expertise to administer properly.

Slide 24
Firewall Services and Configuration

Firewalls may provide some additional services:

Network address translation (NAT)
 NAT readdresses outbound packets to mask the internal IP addresses of the network.
 Untrusted networks see a different host IP address from the actual internal address. NAT allows an institution to hide the topology and address schemes of its trusted network from untrusted networks.
 NAT is an obscurity measure rather than an access control: it must be combined with explicit filtering rules, because a forwarded port or a misconfigured translation exposes the internal host regardless.

Dynamic host configuration protocol (DHCP)
 DHCP assigns IP addresses to machines that will be subject to the security controls of the firewall.

Slide 25
Firewall Services and Configuration cont’d

Virtual Private Network (VPN) gateways
 A VPN gateway provides an encrypted tunnel between a remote external gateway and the internal network.
 Placing VPN capability on the firewall and the remote gateway protects information from disclosure between the gateways but not from the gateway to the terminating machines.
 Placement on the firewall, however, allows the firewall to inspect the traffic and perform access control, logging, and malicious code scanning

Slide 26
Firewall Policy

• A firewall policy states management's expectations for how the firewall should function and is a component of the overall security policy.

• It should establish rules for traffic coming into and going out of the security domain and how the firewall will be managed and updated.

• Therefore, it is a type of security policy for the firewall and forms the basis for the firewall rules.

• The firewall selection and the firewall policy should stem from the ongoing security risk assessment process.

• Accordingly, management needs to update the firewall policy as the institution's security needs and the risks change.

Slide 27
Firewall Policy - Contd

At a minimum, the policy should address


• Firewall topology and architecture,
• Type of firewall(s) being utilized,
• Physical placement of the firewall components,
• Monitoring firewall traffic,
• Permissible traffic ,
• Firewall updating,
• Coordination with security monitoring and intrusion response mechanisms,
• Responsibility for monitoring and enforcing the firewall policy,
• Protocols and applications permitted,
• Regular auditing of a firewall's configuration and testing of the firewall's effectiveness, and
• Contingency planning.

Slide 28
Intrusion Detection System

An IDS analyzes activity and identifies attempts to hack or break into a computer system or network.
• Identifies attacks through various methods including
- anomaly detection
- signature matching
• Types
- Host IDS
- Network IDS

IPS
• Inline device: sits in the traffic path and can drop packets, so an IPS failure or a wrong decision interrupts legitimate traffic
• Single box approach
• False positives are the main operational risk, because a mistaken block affects real users
Types of IDS

Slide 30
Positioning of IDS / IPS

[Figure 1: IDS placement. Internet - Router - Firewall - DMZ network - WWW Server; the Network IDS is attached to the DMZ segment out of band and sees a copy of the traffic.]

[Figure 2: IPS placement. Internet - Router - Firewall - IPS - WWW Server; the IPS sits inline so that every packet passes through it.]
Network Intrusion Prevention Systems

Network Intrusion Prevention Systems (NIPS) are an access control mechanism that allows or disallows access based on an analysis of packet headers and packet payloads.

An Intrusion Prevention System is a network security device that monitors network and/or system activities for malicious or unwanted behavior and can react, in real time, to block or prevent those activities.

They are similar to firewalls because they are located in the communications line, compare activity to preconfigured or preprogrammed decisions of what packets to pass or drop, and respond with pre-configured actions.

Slide 32
Network Intrusion Prevention Systems (contd)

The IPS units generally detect security events in a manner similar to IDS units and are
subject to the same limitations.

After detection, however, the IPS unit may take actions beyond simple alerting to
potential malicious activity and logging of packets.

For example, the IPS unit may block traffic flows from the offending host. The ability to
sever communications can be useful when the activity can clearly be identified as
malicious.

When the activity cannot be clearly identified, for example where a false positive may
exist, IDS-like alerting commonly is preferable to blocking.

Slide 33
IPS basics

• Intrusion detection: the process of monitoring the events occurring in a computer system or network and analyzing them for signs of possible intrusions (incidents)

• Intrusion detection system: software that automates the intrusion detection process. The primary responsibility of an IDS is to detect unwanted and malicious activities

• Intrusion prevention system: software that has all the capabilities of an intrusion detection system and can also attempt to stop possible incidents

Slide 34
Intrusion Detection - Definition

Intrusion detection is a technique for detecting unauthorized access to a computer system or a computer network.

An intrusion is an attempt by an unauthorized party, whether an outsider or an insider exceeding their privileges, to gain access to a system or its resources. Intrusion prevention, on the other hand, is the practice of preventing unauthorized access to a system's resources.

The two processes are related in the sense that while intrusion detection passively detects system intrusions, intrusion prevention actively filters network traffic to prevent intrusion attempts.

Slide 35
What can an IPS do?

IPS can detect and block:
• OS, Web and database attacks
• Spyware / Malware
• Instant Messenger
• Peer to Peer (P2P)
• Worm propagation
• Critical outbound data loss (data leakage)

Slide 36
Functions of IDS

The functions of intrusion detection include:
• Monitoring and analyzing both user and system activities
• Analyzing system configurations and vulnerabilities
• Assessing system and file integrity
• Ability to recognize patterns typical of attacks
• Analysis of abnormal activity patterns
• Tracking user policy violations.

Slide 37
IDS Working Procedures

Types of IDS
- Host Based IDS
- Network Based IDS
- Hybrid Intrusion Detection
- Network-Node Intrusion Detection (NNID)

Slide 38
Host-based Intrusion Detection Systems

• Host-based Intrusion Detection Systems are designed to monitor, detect, and respond to user and system activities and attacks on a given host
• A host-based IDS can be used to counter insider threats because of its ability to monitor and respond to specific user actions and file accesses on the host

Host-based IDS are equipped with tools for:
• Audit policy management and centralization
• Supplying data for forensics
• Statistical analysis and evidentiary support
• Some measure of access control in certain instances

Slide 39
HIDS Advantages

Some of the HIDS advantages are
• Host level protection: they are better than NIDS at monitoring and keeping track of local system events. Because a host-based IDS protects only a single system, switches, VPNs and routers do not affect its functionality.
• Encrypted attacks: they are not typically hindered by encrypted attacks. A host-based IDS can read transmitted packets before they are encrypted and received packets after they are decrypted.
• Integrity breaches: they can help to detect software integrity breaches, such as Trojan horse software, file modifications, and so on.

A HIDS periodically analyzes logs and performs file system integrity checks.
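Two of the HIDS functions named above, file-system integrity checking and log analysis, as an added Python example (not from the course; the files, paths and sshd-style log lines are constructed inside the script):

```python
"""Host-based checks: a file-integrity baseline/diff and a brute-force
detector over sshd-style log lines.  Added example, not the course's code;
the files and the log lines are constructed inside the script."""
import hashlib
import os
import re
import tempfile
from collections import defaultdict


def file_digests(root):
    """Map each file under `root` (relative path) to the SHA-256 of its content."""
    digests = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def integrity_diff(baseline, current):
    """Compare a stored baseline against a fresh scan."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


# sshd authentication failure, e.g.
# "Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2"
FAILED_LOGIN = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")


def failed_login_sources(lines, threshold=5):
    """Source addresses with at least `threshold` failed logins (a brute-force signature)."""
    counts = defaultdict(int)
    for line in lines:
        match = FAILED_LOGIN.search(line)
        if match:
            counts[match.group(2)] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


SAMPLE_LOG = [  # constructed lines, not real data
    f"Jan 10 09:12:{s:02d} gw sshd[41{s:02d}]: Failed password for invalid user {u} "
    f"from 203.0.113.7 port {51230 + s} ssh2"
    for s, u in enumerate(["admin", "root", "oracle", "test", "admin", "root"], start=1)
] + [
    "Jan 10 09:12:20 gw sshd[4130]: Failed password for ravi from 10.54.40.29 port 40022 ssh2",
    "Jan 10 09:12:25 gw sshd[4131]: Accepted password for ravi from 10.54.40.29 port 40022 ssh2",
]


def demo():
    """Build a tiny filesystem, take a baseline, tamper with it, and report."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        with open(os.path.join(etc, "passwd"), "w") as fh:
            fh.write("root:x:0:0:root:/root:/bin/sh\n")
        with open(os.path.join(etc, "hosts"), "w") as fh:
            fh.write("127.0.0.1 localhost\n")
        baseline = file_digests(root)            # would be stored off-host in practice
        # Simulated tampering: a second uid-0 account and a preloaded library.
        with open(os.path.join(etc, "passwd"), "a") as fh:
            fh.write("backdoor:x:0:0::/:/bin/sh\n")
        with open(os.path.join(etc, "ld.so.preload"), "w") as fh:
            fh.write("/tmp/evil.so\n")
        report = integrity_diff(baseline, file_digests(root))
    return report, failed_login_sources(SAMPLE_LOG)


if __name__ == "__main__":
    print(demo())
```

The baseline digests must be stored somewhere the monitored host cannot write (or be signed); otherwise an intruder with root simply refreshes the baseline along with the files, and the check reports nothing.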

Slide 40
Network IDS

Network intrusion detection deals with data packets flowing over the wire between the hosts.
Also referred to as "packet sniffers", NIDS devices intercept packets traveling along various communication media and protocols, usually TCP/IP.
Network Based IDS Advantages:
- Increase overall security
- Protect multiple systems
- Allow monitoring traffic inside your firewall
- Alert you to incoming attacks
- Detect slow attacks
- Delayed (after-the-fact) analysis of captured traffic
- Take corrective action
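An added example (not the course's code) of the two detection methods named on the IDS slide, signature matching on payloads and anomaly detection on traffic patterns, run over constructed packets rather than a live capture. The signatures and thresholds are illustrative values:

```python
"""Toy network IDS: signature matching plus a simple anomaly rule (port scan).
Added example, not from the course; the packets below are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float          # capture timestamp, seconds
    src: str
    dst: str
    dport: int
    payload: bytes = b""


# Signature matching: byte patterns from known attack classes (illustrative only).
SIGNATURES = {
    "path-traversal": b"../../etc/passwd",
    "sql-injection": b"' OR '1'='1",
}


class NetworkIDS:
    def __init__(self, scan_ports=10, window=5.0):
        self.scan_ports = scan_ports      # this many distinct destination ports ...
        self.window = window              # ... from one source within `window` seconds => scan
        self.history = defaultdict(list)  # src -> [(ts, dport), ...]
        self.alerts = []                  # (kind, name, src)

    def _alert(self, kind, name, src):
        entry = (kind, name, src)
        if entry not in self.alerts:      # one alert per (rule, source)
            self.alerts.append(entry)

    def inspect(self, pkt):
        # 1. Signature matching on the payload.
        for name, sig in SIGNATURES.items():
            if sig in pkt.payload:
                self._alert("signature", name, pkt.src)
        # 2. Anomaly detection: sliding window of ports touched by each source.
        hist = self.history[pkt.src]
        hist.append((pkt.ts, pkt.dport))
        hist[:] = [(t, p) for t, p in hist if pkt.ts - t <= self.window]
        if len({p for _, p in hist}) >= self.scan_ports:
            self._alert("anomaly", "port-scan", pkt.src)


def capture():
    """Constructed traffic: ordinary browsing, one request with a traversal
    attempt, and a port sweep from a third host."""
    pkts = [Packet(float(i), "10.54.40.29", "203.0.113.5", 443) for i in range(20)]  # benign
    pkts.append(Packet(3.0, "203.0.113.9", "10.54.40.10", 80,
                       b"GET /download?file=../../etc/passwd HTTP/1.1\r\n"))
    pkts += [Packet(10.0 + i * 0.1, "198.51.100.23", "10.54.40.10", 20 + i) for i in range(12)]
    return sorted(pkts, key=lambda p: p.ts)


def run(pkts):
    """Feed packets through the IDS in capture order and return the alerts raised."""
    ids = NetworkIDS()
    for p in pkts:
        ids.inspect(p)
    return ids.alerts


if __name__ == "__main__":
    for alert in run(capture()):
        print(alert)
```

The same source-to-alert mapping is what a dynamic firewall rule set consumes; note that a signature that matches only on an unencrypted payload is blind to the same request over TLS, which is the case for a host-based sensor on the web server.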

Slide 41
Hybrid Intrusion Detection

• A Hybrid IDS is a combination of host-based IDS and network IDS technologies. It provides attack recognition on the network packets flowing to and from a single host and is deployed on that host.
• Hybrid IDS offer management and alert notification from both network and host based intrusion detection devices
• A Hybrid IDS offers the best of HIDS and NIDS technologies, providing attack recognition on the network packets flowing to and from single hosts.

Slide 42
Network-node Intrusion Detection

• Network-node IDS takes the packet-intercepting technology of the wire and puts it on the hosts
• With NNID, the packet sniffer is positioned so that it captures packets after they reach the destination host.
Advantages of NNIDS
• The advantage of NNID is its ability to defend specific hosts against packet-based attacks in complex environments where conventional NID is ineffective.
• Since an NNIDS examines only the packets addressed to its own host rather than every packet on the wire, it is much faster and less resource intensive. Thus it can be installed on existing servers without imposing too much burden.
• NNID is suitable for heavy traffic networks, switched network environments, or VPN implementations with encrypted traffic on the wire

Slide 43
Quarantine

• Quarantining a device protects the network from potentially malicious code or actions.
• Typically, a device connecting to a security domain is queried for conformance to the domain's security policy.
• If the device does not conform, it is placed in a restricted part of the network until it does conform.
• For example, if the patch level is not current, the device is not allowed into the security domain until the appropriate patches are downloaded and installed.

Slide 44
Routers

In larger, more complex networks, data must be directed specifically to the intended destination. Routers direct network data messages, or packets, based on internal addresses and tables of routes, or known destinations that serve certain addresses. Directing data between portions of a network is the primary purpose of a router.

Slide 45
Router - Access Mechanism for Administrators

Controlling access to a router by administrators is an important issue. There are two types of access: local and remote.
• Local access usually involves a direct connection to a console port on the router with a dumb terminal or a laptop computer.
• Remote access typically involves allowing Telnet or SNMP connections to the router from some computer on the same subnet or a different subnet.
• It is recommended to allow only local access, or to use encrypted remote management (see the next slide), because during plaintext remote access all Telnet passwords and SNMPv1/v2c community strings are sent in the clear to the router.
• If an attacker can collect network traffic during remote access then he can capture passwords or community strings.

Slide 46
Router - Secure Remote Management Access

If the router that needs to be managed is remote from the actual administrator; often it
is only accessible over public networks.
To secure the management traffic between client/administrator and target network
device, encrypting protocols are required.
• SSH is the de-facto standard for all remote command line configuration and file transfers.
• For Web-based management, Transport Layer Security (TLS) secures HTTP traffic as HTTPS; its predecessor, Secure Sockets Layer (SSL), is obsolete and should be disabled.
• SNMP is used to discover, monitor and configure networking devices. Using SNMP version 3 with authentication and privacy enabled is essential to ensure confidential and authenticated communications; versions 1 and 2c send community strings in the clear.

Slide 47
Router- Secure Remote Management Access

• The best way to control the identity of the administrator and the privileges allocated to that individual is to authenticate the administrator prior to granting access.
• This can be done through Authentication, Authorization and Accounting (AAA) servers, such as Remote Authentication Dial-in User Service (RADIUS), Terminal Access Controller Access Control System Plus (TACACS+) or Lightweight Directory Access Protocol (LDAP) directory servers.
• AAA servers can also be supplemented by strong authentication techniques.

Slide 48
AAA Components

AAA server
- Authenticates users accessing a device or network
- Authorizes users to perform specific activities
- Performs accounting of device or user activities

Network Access Server (NAS) or Access Device
- A router, switch, or other network device that can perform AAA functions on users or devices connecting to it

RADIUS or TACACS+
- Protocols that can be used by an access device to communicate with the AAA server

AAA Network Components

Note: the AAA server may communicate with a Windows domain controller or a Unix server that holds the user password database.

How the AAA server works

[Figure: Supplicant - Authenticator - AAA server - user database]
1. User name/password entered on the client device (supplicant)
2. Protocol between supplicant and authenticator: VPN (L2TP/IPsec), LAN (802.1X), Web (HTTPS), etc.
3. Authenticator: web server, VPN gateway, firewall, WLAN access point, Unix login/SSH, etc. Authenticates the password locally or forwards it to the AAA server
4. Protocol between authenticator and AAA server: RADIUS
5. AAA server: authenticates the password against the user database, tracks and logs the user session
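To make step 4 concrete, here is an added Python example (not the course's code) of the RADIUS exchange between a NAS and an AAA server as specified in RFC 2865: the NAS hides the User-Password with the shared secret and a random Request Authenticator, the server recovers and checks it, and the NAS verifies the Response Authenticator so that an on-path attacker cannot turn a Reject into an Accept. The shared secret, the user database and the fixed authenticator used in demo() are constructed for the example:

```python
"""RADIUS Access-Request / Access-Accept exchange between a NAS and an AAA
server, following RFC 2865 (User-Password hiding and the Response
Authenticator).  Added example, not the course's code; the shared secret,
user database and fixed authenticator are constructed for the demo."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2            # attribute types


def _hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def _reveal_password(hidden, secret, request_auth):
    """Inverse of _hide_password; trailing padding is stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def _pack_attrs(pairs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in pairs)


def _parse_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        attrs[t] = data[i + 2:i + length]
        i += length
    return attrs


def nas_build_request(ident, user, password, secret, request_auth=None):
    """NAS side: Access-Request carrying a 16-byte random Request Authenticator."""
    ra = request_auth or os.urandom(16)
    attrs = _pack_attrs([(USER_NAME, user),
                         (USER_PASSWORD, _hide_password(password, secret, ra))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + ra + attrs


def server_handle(request, secret, userdb):
    """AAA server side: recover the password, check it, answer Accept or Reject."""
    _code, ident, length = struct.unpack("!BBH", request[:4])
    ra, attrs = request[4:20], _parse_attrs(request[20:length])
    user = attrs.get(USER_NAME, b"")
    password = _reveal_password(attrs.get(USER_PASSWORD, b""), secret, ra)
    ok = user in userdb and hmac.compare_digest(userdb[user], password)
    head = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret);
    # this reply carries no attributes.
    return head + hashlib.md5(head + ra + secret).digest()


def nas_check_response(response, request, secret):
    """NAS side: verify the Response Authenticator; returns (authentic, code)."""
    head, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(head + request[4:20] + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth), response[0]


def demo(password=b"correct horse battery", secret=b"s3cret-shared", tamper=False):
    userdb = {b"alice": b"correct horse battery"}       # constructed user store
    req = nas_build_request(7, b"alice", password, secret, request_auth=bytes(range(16)))
    resp = server_handle(req, secret, userdb)
    if tamper:                                          # on-path modification of the reply
        resp = bytes([resp[0] ^ 0x01]) + resp[1:]       # flips Accept <-> Reject
    return nas_check_response(resp, req, secret)


if __name__ == "__main__":
    print(demo(), demo(password=b"wrong"), demo(tamper=True))
```

The password hiding is MD5-based and the toy server holds a plaintext password store, so this is a demonstration of the wire protocol, not a recommended deployment: RADIUS traffic should itself be protected (RADIUS over TLS, RFC 6614, or IPsec), and the NAS-to-server secret must be long and unique per NAS, because anyone who learns it can both decrypt passwords and forge responses.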
Virtual Private Networks

Slide 52
Traditional Connectivity

[Figure: traditional connectivity over dedicated leased lines (from Gartner Consulting)]

What is VPN?

• A Virtual Private Network is a type of private network that uses public telecommunication, such as the Internet, instead of leased lines to communicate.

• Became popular as more employees worked in remote locations.
Private Networks vs. Virtual Private Networks

• Employees can access the network (Intranet) from remote locations.
• Secured networks.
• The Internet is used as the backbone for VPNs
• Saves cost tremendously from reduction of equipment and maintenance costs.
• Scalability
Remote Access Virtual Private Network

[Figure: remote access VPN over the Internet (from Gartner Consulting)]

Brief Overview of How VPN Works

• Two connections – one is made to the Internet and the second is made to the VPN.
• Datagrams – contain data, destination and source information.
• Firewalls – VPNs allow authorized users to pass through the firewalls.
• Protocols – protocols create the VPN tunnels.

Four Critical Functions

• Authentication – validates that the data was sent by the claimed sender.
• Access control – prevents unauthorized users from accessing the network.
• Confidentiality – prevents the data from being read or copied while it is being transported.
• Data Integrity – ensures that the data has not been altered
Encryption

• Encryption is a method of "scrambling" data before transmitting it onto the Internet.
• Public Key Encryption Technique
• Digital signature – for authentication
Tunneling

A virtual point-to-point connection made through a public network. It transports encapsulated datagrams.

[Figure: Data Encapsulation (from Comer). The original datagram is encrypted and becomes the inner datagram; it is carried as the data area of an outer datagram that has its own header for routing across the public network.]

Two types of end points:
 Remote Access
 Site-to-Site
Virtual Private Networks (VPN)
Basic Architecture
Antivirus Gateway

• The most common transmission routes for viruses and worms are through email
and Web traffic.
• In addition, the growing volume of unsolicited email (spam) and inappropriate Web
surfing poses risks to corporate security, liability, and employee productivity.
• Effective security at every network tier—especially virus protection at the Internet
gateway—is essential in today’s Internet-enabled network environments.
• Gateway Solution provides multi-layered protection against viruses, spam, and
unwanted email and Web content at the Internet gateway.

Slide 62
Managing Enterprise Network
Security

Slide 63
What are Network Monitoring Tools?

• Allow the administrator to know the health status of the network.
• Collect raw data and analyze it so that scarce or limited resources can be used effectively.
• Use network probes. Probes let you isolate traffic problems and congestion slowing your network to a crawl.
• Network monitoring tools can push security policies at the click of a mouse to all the network devices in the network.

Slide 64
Network Management: Why is it needed

• Lowers costs by eliminating the need for many administrators at multiple locations
performing the same function
• Makes network administration and monitoring easier and more convenient
• Coherent presentation of data

Slide 65
Network Management: Why is it needed cont’d

• Performance Management – how smoothly the network is running

• Fault Management - reactive and proactive network fault management (deals with problems and emergencies in the network)

• Configuration Management – keeping track of device settings and how they function

• Accounting Management - cost management and charge back assessment

• Security Management - SNMP versions 1 and 2c provide little here (community strings in the clear, no message integrity); SNMPv3 adds authentication and encryption

Slide 66
What can we use the tools for?

• Identifying unofficial services or servers
• Monitoring usage and traffic statistics
• Troubleshooting your network
• Investigating a security incident
• Keeping logs of users' activities for accountability
• Application of organization-wide security policies to the network devices

Slide 67
Who? What? Where? How? When? Some questions you need to answer
Who is accessing your network?
- students, academics, staff, visitors or others
What are they accessing your network for?
- academic study, social use, business use, illegal use
Where are they accessing your network from?
- internal, external
How are they accessing your network?
- remote user, local Ethernet, WAN, dial-up, Wi-Fi, VPN
When did they access your network?
- today, yesterday, last week, last month…

Slide 68
Active vs. Passive

• Active – relies upon data gathered from probe packets injected into the network.

• Passive – relies upon data gathered from active network traffic

Slide 69
Thank you
Course: Information Security Management
in e-Governance

Day 2

Session 2: Security in end user environment

Agenda

 Introduction to IT Infrastructure elements in end user environment

 Information security challenges in end user environment

 Information security considerations and solutions for securing end user environment
Defining end users
End users are typically employees who have access to and use technology to perform a particular role or function within the organization.

End user environments are often characterized by a variety of people that:

Handle business information within and beyond the Organization's infrastructure

Use technology that has been provided locally (eg finance software, USB memory sticks and mobile broadband cards)

Configure their own desktop PCs and laptops (including the operating system)

Make extensive use of the Internet for business and personal use

Perform ad hoc development and customization of business applications
Slide 3
Defining end users - Characteristics

The level of technical skill, access to information and security awareness end
users have also varies with individuals being:

Regular everyday users

Operational staff (with limited experience of technology)

Technically competent users who configure software and build applications

Mobile end users

Individuals with special privileges (e.g. administrators and power users)

Temporary staff (i.e. non-employees that perform a specific role for a short period of time).

Slide 4
Some of the Information assets at end user environment

• Desktop PCs, laptops, etc
• Portable storage devices
• Specialist equipment like scanners etc.
• Media

Slide 5
Factors affecting how end user environments are managed

The difference between an organization's corporate infrastructure and most end user environments can be significant, but often not apparent

A corporate infrastructure of enterprise-based applications, data centers and global networks is important in most organizations, often centrally controlled and well protected

However, the use and protection of business information can be heavily influenced by individuals in the end user environment, where much of the information resides, is processed and shared (often beyond the control of the corporate infrastructure)

Slide 6
Technology at end user environment

Technology represents an integral part of an organization's information processing capability.

End users make use of technology to:

Process information – using a wide variety of business applications such as:
• enterprise resource planning (eg SAP or Oracle)
• customer relationship management (CRM)
• commercial-off-the-shelf software (COTS)
• desktop applications

Slide 7
Technology at end user environment cont’d

Store information – using equipment such as:
• desktop PCs, thin-client devices, laptops, etc
• portable storage devices (eg external hard-disk drives, flash memory cards, USB memory sticks and media players with storage capacity)
• specialist equipment (eg scanning devices, bar code readers, data capture appliances and monitoring equipment)
• media (eg CDs, DVDs, magnetic tapes and computer disks).

Slide 8
Technology – contd..

Transmit information – using communication software that supports
connectivity such as:
• local area networks (LANs) and wide area networks (WANs)
• wireless local area networks (WLANs) and Voice over IP (VoIP)
• Internet connections, Internet broadband and mobile (eg those used by
mobile end users)
• direct connections to third party networks (eg using modem connections
and leased lines)
• Bluetooth and infra-red.

Slide 9
Information security risks in end user
environment

Slide 10
Risks associated with end user environment if not taken
care of…..
Information in end user environments is subject to many different threats that
can result in security incidents, with varying degrees of frequency and
magnitude. Common examples of threats include:

• Fraud (e.g. through modifying business information or creating false computer
transactions / records)
• Theft of computer equipment, software and business information
• Introduction of malware (e.g. viruses, spyware and worms)
• Downloading, storing or sending of inappropriate content (e.g. with obscene or
discriminatory content)
• Information leakage (e.g. when replying to emails, sending documents and
participating in teleconference calls)
• Deliberate disclosure of confidential information (e.g. by disgruntled employees
or ‘malicious insiders’)

Slide 11
Risks associated with end user environment if not taken
care of….. Cont’d

• Infrastructure failure (PCs, LAN, printers, scanners, etc.)
• Human error (e.g. entering incorrect data into business applications)
• Social engineering attacks (e.g. by criminals who target employees to reveal
confidential business information)
• Eavesdropping (e.g. when people are discussing a confidential topic)
• Shoulder-surfing (e.g. unauthorized individuals looking over the shoulder of people
who are processing confidential information on the screen or reading confidential
paperwork).

Slide 12
Challenges at end user environment

There are significant information security challenges that organizations
currently face with many of their end user environments.

In particular, it is not unusual for management – at all levels within the
organization (including senior executives) – to be unaware of the:
− Individuals or groups responsible for protecting information in the end
user environment
− Types and importance of information handled in end user environments
− Wide range of threats to this information, which can – and often do –
result in security incidents
− Real business impact caused when an incident occurs
− Extent to which critical and confidential information in end user
environments is inadequately protected.

Slide 13
Impact of information security risks

Slide 14
Security Compromise: Outcome
− Theft and fraud

− Loss of confidentiality

− Loss of privacy

− Loss of integrity

− Loss of availability

Slide 15
Approach for securing end user
computing infrastructure

Slide 16
Establish a security-positive culture in the end user
environment

Ideal security measures:
• Set objectives for security awareness in the end user environment
• Make end users aware of information risks
• Provide end users with actions for protecting critical and confidential
information
• Monitor the behavior and security-related actions of end users

Threats and vulnerabilities addressed:
• Human error
• Information leakage
• Loss of equipment containing confidential information
• Insider threat
• Tendency to share business information with unauthorized parties
• Poor security behaviour

Slide 17
Establish a security-positive culture in the end user
environment

• A security-positive culture is typically established by changing end user
behavior, which often involves compulsory attendance at security
awareness training etc.

• Make end users aware (e.g. as part of security awareness) that they are
responsible for protecting business information they process, store and
transmit.

• This includes when information is processed or stored on personal
devices (approved or otherwise) or transmitted to external parties.

• Look for end user behavior that does not meet security requirements,
often identified during security monitoring activities (e.g. non-compliance).

Slide 18
Establish a security-positive culture in the end user
environment (cont’d)
Perform security monitoring of the end user environment, using a range of
techniques (e.g. to help determine if policy is being complied with and awareness
objectives are being adequately met):

• Participating in the review of the results of corporate monitoring activities that
relate to the end user environment (eg reviewing end user access logs,
unusual transaction activity, software failures and application availability)

• Carrying out regular audits / reviews to assess compliance with acceptable
usage policies for business applications, equipment and connectivity

• Performing ad hoc end user-based security assessments within the end user
environment to determine the level of information protection provided by end
users
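To make the review of end user access logs mentioned above concrete, the following is an added example (not part of the course slides) of a small review routine run over a few constructed log lines: it flags successful activity outside business hours and accounts with a run of failed logins, and counts lines it could not parse rather than dropping them silently. The log format, the field names, the business hours of 08:00 to 19:00 and the threshold of three consecutive failures are assumptions made for this illustration.

```python
"""Review of end user access logs (added example, not part of the course slides).

The log format, field names, business hours (08:00-19:00) and the threshold of
three consecutive failed logins are assumptions made for this illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines; not real data.
SAMPLE_LOG = """\
2024-03-04T08:55:10 user=asha host=WS-101 event=LOGIN result=SUCCESS
2024-03-04T12:03:41 user=ravi host=WS-117 event=LOGIN result=FAILURE
2024-03-04T12:03:52 user=ravi host=WS-117 event=LOGIN result=FAILURE
2024-03-04T12:04:07 user=ravi host=WS-117 event=LOGIN result=FAILURE
2024-03-04T12:04:30 user=ravi host=WS-117 event=LOGIN result=SUCCESS
2024-03-04T23:17:05 user=meena host=LAPTOP-22 event=LOGIN result=SUCCESS
2024-03-05T02:41:19 user=meena host=LAPTOP-22 event=FILE_COPY result=SUCCESS
garbage line that the collector truncated
2024-03-05T09:10:00 user=asha host=WS-101 event=LOGOUT result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) "
    r"event=(?P<event>\S+) result=(?P<result>SUCCESS|FAILURE)$"
)
BUSINESS_START, BUSINESS_END = 8, 19   # assumed local business hours
FAILED_LOGIN_THRESHOLD = 3              # assumed review threshold


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def review_access_logs(text):
    """Flag after-hours activity and runs of failed logins.

    Returns a dict with:
      after_hours        list of (user, iso timestamp, event) outside business hours
      repeated_failures  sorted users reaching FAILED_LOGIN_THRESHOLD consecutive failures
      unparsed           number of lines that did not match the expected format
    """
    after_hours = []
    consecutive_failures = defaultdict(int)
    flagged = set()
    unparsed = 0

    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1   # malformed lines are counted, never silently dropped
            continue

        # Successful activity outside business hours deserves a reviewer's look.
        hour = rec["ts"].hour
        if rec["result"] == "SUCCESS" and not (BUSINESS_START <= hour < BUSINESS_END):
            after_hours.append((rec["user"], rec["ts"].isoformat(), rec["event"]))

        # A run of failed logins (especially one ending in success) can indicate
        # password guessing; a success resets the counter for that account.
        if rec["event"] == "LOGIN":
            user = rec["user"]
            if rec["result"] == "FAILURE":
                consecutive_failures[user] += 1
                if consecutive_failures[user] >= FAILED_LOGIN_THRESHOLD:
                    flagged.add(user)
            else:
                consecutive_failures[user] = 0

    return {
        "after_hours": after_hours,
        "repeated_failures": sorted(flagged),
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    for key, value in review_access_logs(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample data the routine reports the two after-hours actions by one account, the account with three consecutive failures, and one unparsable line; in practice the thresholds and hours would come from the acceptable usage policy rather than constants.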

Slide 19
Information Protection Policy Measures…..

Understand who is the owner of critical and confidential information handled in
the end user environment
• Classify and label confidential information (eg secret, restricted, internal
or public) according to the organization's classification scheme or
equivalent
• Maintain important details about confidential information (eg type and
description, assigned level of confidentiality, physical / virtual location,
name or role of the information owner and date for reclassification) in an
information classification register

Slide 20
Information Protection Policy Measures…..

• Delete unwanted information (including electronic documents, emails and
temporary web browser files) once it is no longer required or
according to the document retention policy

• Comply with the organization's procedures for information security
incidents (eg by reporting potential and actual incidents to a specialized
helpdesk)

Slide 21
Business applications Protection Policy Measures…..

• Use only approved corporate email and instant messaging services
• Download / install only approved software
• Read and comply with End User License Agreements (EULAs) for
software installed by end users (where authorised)
• Use templates to create new electronic documents (not existing electronic
documents that may contain confidential information)

Slide 22
Equipment Protection Policy Measures…..

• Maintain the security configuration and settings of equipment and
software (eg by checking that virus protection software and personal
firewall are in operation at all times and are prevented from being
tampered with)

• Use file-based encryption, as a minimum, to protect individual confidential
electronic files in storage and in transit (eg when saving to a portable
storage device or sending via email or instant messaging)

• Protect information when storing on external hard-disk drives, flash
memory cards and media (eg CDs and DVDs) by using encryption and
storing the equipment in a secure location

Slide 23
Connectivity Protection Policy Measures…..

• Disable communication settings (eg wireless and Bluetooth) on mobile
devices, such as laptops and smartphones, when not required
• Use secure web browser sessions (eg using SSL or TLS) where possible
• Encrypt confidential email before sending to recipients
• Use a virtual private network (VPN) when connecting to the corporate
network from a remote location

Slide 24
Locations Protection Policy Measures…..

Adhere to the organization's ‘clear desk policy’ (or equivalent)
• Protect equipment and paper documents physically (eg by locking them
away overnight and when not used during the day)
• Log off or lock desktop PCs and laptops (eg with a passphrase or PIN) to
protect confidential information if leaving equipment unattended (eg
during a meeting, lunch break or overnight)
• Challenge or report (eg to senior management or Physical Security
function) unknown individuals in the end user environment who are not
wearing an identification pass or acting in an unusual manner

Slide 25
Implement measures to protect critical and confidential
information

Ideal security measures:
• Determine the security measures required to protect each stage of the
information lifecycle
• Apply manual controls for information handling

Threats and vulnerabilities addressed:
• Information leakage
• Excessive privileges and access rights
• Disclosure or theft of confidential information
• Corruption of information
• Information located beyond the control of the organization
• Excess of confidential information that has not been classified

Slide 26
Implement measures to protect critical and confidential
information
Create
• Label information according to its level of classification (as indicated in the
organization's information classification scheme)
• Record key properties (e.g. information owner and level of classification)
within electronic documents (e.g. properties) and in an information
classification inventory (or equivalent)

Slide 27
Implement measures to protect critical and confidential
information..cont’d

Process
• Use validation routines in applications to help ensure critical information
remains accurate (e.g. using data type checks, range checks, limit checks
and presence checks)
• Process information in secure locations (e.g. offices with locked doors and
access limited to specific individuals) to avoid unauthorized access to, or
viewing of, confidential information
• Perform regular backups (e.g. by regularly saving electronic documents
and configuring auto-save) to ensure critical information remains available
at all times
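The validation routines listed above (presence, data type, range and limit checks) as an added example in Python; this is illustrative code written for this page, not the course's or any department's system. The record layout (applicant_id, age, amount, district), the bounds and the district list are assumptions. The rules are table-driven, so the same four kinds of check apply to any record shape, and the checks are ordered so that a field failing the type check is not then range-checked.

```python
"""Validation routines for critical information (added example, not course code).

The record layout (applicant_id, age, amount, district), the bounds and the
district list are assumptions chosen for this illustration.
"""
from dataclasses import dataclass
from typing import Any, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class FieldRule:
    """One field's checks: presence, data type, range or limit, and allowed values."""
    name: str
    kind: type = str                         # int, float or str
    required: bool = True
    min_value: Optional[float] = None        # with max_value -> range check
    max_value: Optional[float] = None        # alone -> limit check
    choices: Optional[frozenset] = None      # set of allowed values


def check_field(rule: FieldRule, record: Dict[str, Any]) -> List[Tuple[str, str]]:
    """Return (field, problem) pairs; problem is one of
    'missing', 'type', 'range', 'limit', 'choice'."""
    raw = record.get(rule.name)
    # Presence check: absent, None or blank all count as missing.
    if raw is None or str(raw).strip() == "":
        return [(rule.name, "missing")] if rule.required else []

    # Data type check: form input arrives as text, so convert explicitly.
    value: Any = str(raw).strip()
    if rule.kind is not str:
        try:
            value = rule.kind(value)
        except ValueError:
            return [(rule.name, "type")]   # no point range-checking a non-number

    problems: List[Tuple[str, str]] = []
    # Range check (both bounds) versus limit check (upper bound only).
    if rule.min_value is not None and value < rule.min_value:
        problems.append((rule.name, "range"))
    if rule.max_value is not None and value > rule.max_value:
        problems.append((rule.name, "range" if rule.min_value is not None else "limit"))
    if rule.choices is not None and value not in rule.choices:
        problems.append((rule.name, "choice"))
    return problems


def validate_record(record: Dict[str, Any], rules) -> List[Tuple[str, str]]:
    """Apply every rule to one record and collect all problems in rule order."""
    problems: List[Tuple[str, str]] = []
    for rule in rules:
        problems.extend(check_field(rule, record))
    return problems


# Assumed rule set for a constructed benefit-application record.
APPLICATION_RULES = (
    FieldRule("applicant_id"),
    FieldRule("age", kind=int, min_value=18, max_value=120),
    FieldRule("amount", kind=float, max_value=100000),
    FieldRule("district", choices=frozenset({"Pune", "Nagpur", "Nashik"})),
)

# Constructed sample records (not real data): one clean, two with defects.
SAMPLE_RECORDS = [
    {"applicant_id": "A-1001", "age": "34", "amount": "5000.00", "district": "Pune"},
    {"applicant_id": "", "age": "17", "amount": "5000"},
    {"applicant_id": "A-1003", "age": "forty", "amount": "250000", "district": "Nagpur"},
]


def validate_all(records, rules=APPLICATION_RULES):
    """Validate a batch; a record is acceptable only if its problem list is empty."""
    return [validate_record(r, rules) for r in records]


if __name__ == "__main__":
    for record, problems in zip(SAMPLE_RECORDS, validate_all(SAMPLE_RECORDS)):
        print(record.get("applicant_id") or "<blank id>", "->", problems or "OK")
```

A record is rejected before it reaches the business application whenever its problem list is non-empty, which is how such checks keep stored information accurate rather than merely reporting on it afterwards.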
Slide 28
Implement measures to protect critical and confidential
information..cont’d
Transmit

• Use virtual private networks (VPNs) when connecting to the corporate
network from a remote location

• Encrypt wireless networks used in the end user environment (whether
they connect to a corporate network or not)

• Use secure web browser sessions (e.g. using SSL or TLS) where
possible

• Encrypt confidential email before sending to recipients

Slide 29
Implement measures to protect critical and confidential
information..cont’d

Store

• Use hard-disk encryption on desktop PCs and laptops

• Apply file-based encryption when storing confidential files on unprotected
devices (eg USB memory sticks and external hard-disk drives)

• Use encrypted USB memory sticks when transferring files between
computers

Slide 30
Implement measures to protect critical and confidential
information..cont’d

Destroy
• Destroy business information when it is no longer required (eg according to
the organisation’s document retention policy or equivalent)

• Use secure deletion software on computers, hand-held devices (eg
smartphones) and portable storage devices (eg USB memory sticks and
external hard-disk drives) to destroy information in electronic format

Slide 31
Implement measures to protect critical and confidential
information..cont’d

• Degauss hard-disk drives and magnetic media where the stored
information needs to be permanently destroyed

• Shred confidential paper-based documents and other correspondence or
place in confidential waste bins

• Incinerate or physically destroy items such as hard-disk drives, portable
storage devices and media (eg CDs and DVDs)

Slide 32
Deploy and protect approved end user equipment

Ideal security measures:
• Acquire and use only approved equipment
• Apply software controls to endpoint devices
• Protect equipment against theft or loss
• Monitor the protective measures associated with equipment

Threats and vulnerabilities addressed:
• Loss of availability of critical information
• Theft or loss of equipment
• Introduction of malware
• Poor practices around use of portable storage devices and hand-held devices
• Introduction of personally-owned equipment

Slide 33
Deploy and protect approved end user equipment

• Comply with corporate policy covering the acquisition and use of equipment
to help ensure only suitable equipment is purchased and used within the end
user environment.

• Provide standard builds for corporate-issued equipment (eg devices that use
the identical hardware setup, the same type and version of operating system
and software and are configured the same)

• Consult with the Information Security or IT function when acquiring equipment
locally, particularly if it is not listed on the ‘approved list of equipment’ (or
equivalent)

• Include protective measures (eg methods of backup, anti-virus software and
personal firewall software) that end users can apply to their personally-owned
equipment (including equipment at home).

Slide 34
Deploy and protect approved end user equipment (Contd)

Protect endpoint devices, such as desktop PCs, laptops and hand-held
devices, by applying a set of standard controls, such as:
• deploying hard-disk encryption or file-based encryption solutions to
protect confidential information that is processed by, stored on or
transmitted using the endpoint device
• restricting access (eg using password, token or biometric methods)
• filtering network traffic (eg personal firewalls)
• protecting against malware (eg deploying up-to-date anti-virus and
anti-spyware software)
• backing up critical information at regular intervals (eg using automated
backup software).

Slide 35
Develop and use desktop applications in a secure manner

Ideal security measures:
• Maintain an inventory of critical desktop applications in the end user
environment
• Implement a system development methodology for desktop applications
• Review the development and use of desktop applications

Threats and vulnerabilities addressed:
• Application failure
• Corruption of information in critical desktop applications
• Lack of an inventory for critical desktop applications
• No system development methodology for critical desktop applications

Slide 36
Develop and use desktop applications in a secure manner
(contd)

• Review desktop applications used in end user environment (with application
owners, information owners or equivalent) to identify those that warrant a risk
assessment

• Create an inventory of all critical desktop applications used in the end user
environment.

• Record important details in the inventory of each critical desktop application

• Make the inventory of critical desktop applications available to the individual
or group responsible for maintaining the corporate asset register for business
applications

• Update details in the inventory as circumstances change, such as
modifications to an application or a change in its level of criticality or
classification

Slide 37
Develop and use desktop applications in a secure manner
(contd)

• Segregate the roles associated with the development and use of critical
desktop applications (to help reduce the likelihood of software bugs,
human error and fraud)

• Comply with corporate policy for developing and using critical desktop
applications (including the use of guidance and checklists).

• Store critical desktop applications in a central location (eg a network folder
or database) to enable them to be protected in a consistent manner, for
example by using access control, requiring passwords, performing encryption,
creating audit trails and carrying out regular backups.

• Review and test critical desktop applications to verify that standards for
their development and use have been followed

Slide 38
Develop and use desktop applications in a secure manner
(contd)

• Perform independent audits of critical desktop applications prior to going
live, and on a regular basis (using automated auditing tools where
possible), for example by using a dedicated internal audit function or a
specialist third party organization

• Review anomalies and issues regarding the development and use of
critical desktop applications identified during security monitoring activities
(eg non-compliance).

Slide 39
Restrict and monitor network connectivity

Ideal security measures:
• Provide guidance on the use of network connectivity
• Restrict the use of network connectivity in the end user environment
• Protect network and telephony-based connectivity techniques
• Monitor network traffic and connections

Threats and vulnerabilities addressed:
• Unauthorized access to network equipment and networks
• Cracking of wireless encryption keys
• Eavesdropping of network communications
• Unavailability of network connectivity

Slide 40
Restrict and monitor network connectivity (contd..)

Comply with corporate policy (eg acceptable usage policies) for using
network connectivity (including the use of guidance and checklists) in the
end user environment.

This would typically cover:
− restricting connectivity (eg implementing access control on wireless
access points and passphrase protection on telephony equipment) and
applying protective controls (eg encryption for transmitting
information)
− monitoring the use of connectivity (eg using methods of intrusion
detection, intrusion prevention and data loss / leakage protection).

Slide 41
Restrict and monitor network connectivity (contd..)

Restrict the number of network connection points accessible within the end
user environment, for example by:
− keeping rooms with network access points locked
− connecting only the physical cables on network equipment (eg routers,
switches and modems) that are required by equipment in the end
user environment, and disconnecting them when no longer required
− concealing network cabling (eg to prevent tampering and unauthorised
connection to the network).

Slide 42
Restrict and monitor network connectivity (contd..)

Restrict desktop applications from accessing the Internet (unless approved) to
prevent vulnerabilities being exploited to provide unauthorized access to
corporate computers and networks.

Examples of how to restrict applications accessing the Internet include:
− modifying functional properties within the application
− configuring a personal firewall (eg to block attempts by the application to
connect over the Internet).

Perform regular vulnerability assessments on networks associated with
the end user environment to identify security weaknesses that malicious
parties (eg hackers or disgruntled employees) may exploit.

Slide 43
Protect physical end user locations

Ideal security measures:
• Protect end user locations
• Enable end users to apply physical protection techniques
• Perform regular reviews of the physical end user environment

Threats and vulnerabilities addressed:
• Theft of equipment
• Eavesdropping private conversations
• Disclosure of confidential information in papers
• Natural and man-made disasters

Slide 44
Protect physical end user locations (contd..)

Comply with corporate policy (eg an approved ‘clear desk policy’), standards
and procedures for protecting physical locations covering the end user
environment.

This is necessary to help provide physical protection of:
− end users who operate in each location
− equipment (eg desktop PCs, printers and videoconferencing kit) and
media (eg CDs and DVDs) located in each location
− paper-based information (eg documents, reports and printouts) stored in
each location.

Slide 45
Protect physical end user locations (contd)

Restrict access to confidential areas within the end user environment by a
range of measures, including:
− physical access mechanisms (eg using card access, biometric systems or
combination locks)
− restricted areas (by locked doors when unused)
− limiting access for visitors, and escorting them at all times.

Slide 46
Protect physical end user locations (contd)

Protect critical and confidential paper-based documents and media by:
− storing them in locked filing cabinets or fireproof safes
− adopting best practice for packaging and use of courier firms when
sending them in the post (eg encrypting the information in the case of
media and concealing the contents by using one envelope inside another)

Slide 47
Protect physical end user locations (contd)

Perform regular patrols of the end user environment to:
− check compliance with the organization's ‘clear desk policy’
− detect any unauthorized equipment (e.g. keystroke logging hardware,
wireless access points)
− identify unattended computers that are logged on
− detect any unusual activity (e.g. tampering) associated with shared
equipment, such as printers, facsimile machines and scanners.

Slide 48
Thank you

Slide 49
Course: Information Security Management
in e-Governance

Day 2

Session 3: Physical and Environmental Security
Agenda

 Introduction to physical and environmental infrastructure elements
needed for supporting IT Infrastructure management
 Information security challenges and risks related to physical and
environmental aspects surrounding information security systems
 Security considerations and solutions for securing physical and
environmental aspects related to Information Systems

Page 2
Physical Security: so what do you check ?

• Physical access: Is there any perimeter control for protecting against
access? Is it regularly monitored or tested?
• Does access control exist at all ‘entry points’ to the facilities? Is it
effective?
• Are computer programs, information / documentation, data and media
under secure storage?
• Does a backup power supply exist that is capable of operating the
computer systems, servers, air conditioning, heating and lighting?
• Are there comprehensive instructions or procedures to be followed in case
of a physical and environmental threat?

Slide 3
Physical Security: so what do you check ?

• Fire: Are there adequate fire precautions in the facility, including detectors,
alarm systems etc.?
• Are all the areas kept free of combustible material?
• Are all fire prevention and fire-fighting equipment regularly serviced and
checked by their manufacturers?
• Have the risks from storms and other natural disasters been evaluated and
catered for?

Slide 4
Physical and Environmental Security

• Often, ‘physical and environmental security’ is either overlooked or
considered ‘boring and dry’
• Physical & environmental security is an important aspect of information
security
• Physical penetration offers the hacker or malicious user access to
sensitive data with less acumen, making it a tempting attack method.
• Physical security of information systems means literally their ‘physical’
protection.
• Physical threats can damage computer installations, data centers and
computer networks
• e.g. e-mails should not be lost because there is a flood in the basement

Slide 5
Importance of Physical Security

• Most people focus on protecting logical systems (software that is running)
• If you cannot protect the physical systems (computer hardware), you
cannot protect the program and data running on the hardware
• Physical security deals with who has access to buildings, computer rooms, and the
devices within them
• Protect sites from natural and man-made physical threats

Slide 6
Physical Security Baseline Definitions

• Physical security involves measures undertaken to protect personnel,
equipment and property against anticipated threats.

• Passive measures include the effective use of architecture, landscaping
and lighting to achieve improved security by deterring, disrupting or
mitigating potential threats.

• Active measures include the use of proven systems and technologies
designed to deter, detect, report and react against threats.
Physical Security Baseline Definitions

• ISO 27001 role of physical security – Protect the organization’s assets by properly choosing a
facility location, maintaining a security perimeter, implementing access control and protecting
equipment.

• The physical security office is usually responsible for developing and enforcing appropriate
physical security controls, in consultation with the computer security management, program
and functional managers, and others, as appropriate. Physical security should address not
only central computer installations, but also backup facilities and office environments.

• In the government, this office is often responsible for the processing of personnel background
checks and security clearances.

• What is the impact of convergence (merging IT security and physical security) on this role and
how does it play into the responsibilities for physical security risk assessments and action
plans?

Slide 8
Understand risks surrounding physical
and environmental eco system

Slide 9
Physical Security Threats

• Weather
• Tornadoes, hurricanes, floods, fire, snow, ice, heat, cold, humidity, etc.
• Fire/chemical
• Explosions, toxic waste/gases, smoke, fire
• Earth movement
• Earthquakes, mudslides
• Structural failure
• Building collapse because of snow or moving objects (cars, trucks, airplanes,
etc.)

Slide 10
Physical Security Threats (cont’d.)

• Energy
• Loss of power, radiation, magnetic wave interference, etc.
• Biological
• Virus, bacteria, etc.
• Human
• Strikes, theft, sabotage, terrorism and war

Slide 11
Impact to the business due to these
risks

Slide 12
Physical Security Compromise: Outcome

• Theft and fraud
• Loss of confidentiality
• Loss of privacy
• Loss of integrity
• Loss of availability

Slide 13
Approach to Managing physical and
environmental security

Slide 14
If someone really wants to get at the information, it is not difficult if
they can gain physical access to the computer or the physical
Infrastructure !!!

Slide 15
Physical Security Planning
Physical security planning must address:
- Crime and disruption protection through deterrence (fences, security
guards, warning signs, etc.)

- Reduction of damages through the use of delaying mechanisms
(e.g., locks, security personnel, etc.)

- Crime or disruption detection (e.g., smoke detectors, motion
detectors, CCTV, etc.)

- Incident assessment through response to incidents and
determination of damage levels

- Response procedures (fire suppression mechanisms, emergency
response processes, etc.)

Slide 16
Physical and Environmental Security Policy –
Policy Sections

The Physical and Environmental Security Policy consists of the following
sections:

• Physical Security
• Physical Security of IT Infrastructure
• Environmental Security
• Power Supplies
• Cabling Security
• Clear Desk and Clear Screen
Physical Security - Standards
Computer and Communication Rooms
Physical Security Standards
Visitors and Third Parties

• Visitors and third parties should be allowed entry to computer and
communication rooms for authorised and specific purposes only.

• Visitors and third parties should not be permitted unsupervised access to
computer and communication rooms. This arrangement should exclude
employees of outsourcing agencies who are responsible for owning or operating
an information processing facility.

• The date and time of entry and departure of visitors and third parties and the
purpose of visit should be recorded in a visitor’s log.

• The date and time of entry and departure and the purpose of entry of authorised
personnel (including employees of outsourcing agencies) outside normal business
hours or assigned hours of work should be recorded in a log.
Physical Security Standards
Identification Badges

• All authorised personnel and visitors should be required to wear some
form of visible identification (e.g. employee identification badges, visitor
badges) within computer and communication rooms.

• Visitor badges should be of a different colour from employee identification
badges.

• Personnel should be encouraged to question unescorted strangers not
wearing visible identification.

• Reconciliation of badges issued to visitors and third parties should be done
at the end of each day.
Physical Security Standards
Identification Badges

It is the responsibility of each employee or third party who has been issued an
identification badge to immediately report lost or stolen badges.

The original identification badge should be taken back wherever possible
(e.g. broken, damaged cards) while issuing a duplicate card.

Identification badges should be returned by an employee when retired or
terminated, and by personnel of outsourcing agencies at the end of the contract.

Identification badges taken from retired or terminated employees should be
destroyed in a controlled manner.
Physical Security Standards
Information Storage Media

All information storage media (e.g. hard disks, floppy disks, magnetic
tapes and CD-ROMs) containing sensitive or confidential data should
be physically secured when not in use.

Physical access to magnetic tape, disk and documentation libraries
should be restricted to authorised personnel based on job
responsibilities.

Back-up media should be stored in fire resistant safes or cabinets.

Personal information storage media like cartridge tapes, DAT drives and
floppy drives should not be allowed to be brought inside computer and
communication rooms.

Storage media (floppy drives, CDs, DAT tapes) should not be allowed out of
Government premises without adequate clearances from HODs/Security Officers.
Physical Security - Standards
Offsite Facilities

• Fall back equipment and back-up media should be stored at a safe
distance (e.g. an offsite location) to avoid damage from a disaster at the
main site.

• The physical and environmental safeguards available at the off-site
location should provide the same level of security, at a minimum, as at the
primary site.
Physical Security - Standards

Security Instructions
• Long term contractors, consultants and business associates should be
issued instructions on the security requirements of the site.

Security Inspections
• Security inspections should be made regularly. The inspection should
cover functionality and administration.
Physical Security Standards
Major Data Centres

• The following physical security controls should be followed for major data
centres in addition to the standards mentioned above:

• Major data centres and facilities housing sensitive or critical systems
should be clearly separated from other areas.

• Access should be restricted through use of electronic door locks and
authentication mechanisms like biometrics, swipe cards or other form of
electronic cards, which should require both card and a personal code or
characteristic.
Physical Security Standards
Major Data Centres

• Electronic door locks should be fitted on doors that close automatically and
set off an audible alarm when they are kept open beyond a certain period of
time.

• The doors should be equipped with burglar alarms.

• The electronic door locks should support an anti-passback mechanism (i.e.
disallow entry more than once unless an exit is recorded in the system),
remote locking and unlocking.

• There should be an audible alarm for attempted unauthorised entry.
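As an added example (not from the course material), the following Python reviews a constructed set of electronic door lock records against the standards above and the earlier requirement to log entry and departure outside normal business hours: it detects anti-passback violations (a second entry with no recorded exit), exits with no recorded entry, use of a card that has been deactivated, doors held open beyond a limit, and after-hours entries and exits. The event format, the door and card identifiers, the deactivated card list, the 30 second held-open limit and the 08:00 to 19:00 business hours are all assumptions made for this illustration.

```python
"""Review of electronic door lock records (added example, not from the course).

Event format, door name, card ids, the deactivated card list, the 30 second
held-open limit and the business hours (08:00-19:00) are assumptions.
"""
from datetime import datetime

# Constructed sample events from one data centre door (not real data).
SAMPLE_EVENTS = """\
2024-03-04T09:01:10 card=C-1001 door=DC-MAIN action=ENTRY
2024-03-04T09:01:12 card=- door=DC-MAIN action=DOOR_OPEN
2024-03-04T09:01:20 card=- door=DC-MAIN action=DOOR_CLOSE
2024-03-04T09:05:00 card=C-1001 door=DC-MAIN action=ENTRY
2024-03-04T10:30:00 card=C-2002 door=DC-MAIN action=ENTRY
2024-03-04T12:00:00 card=C-1001 door=DC-MAIN action=EXIT
2024-03-04T12:00:02 card=- door=DC-MAIN action=DOOR_OPEN
2024-03-04T12:01:15 card=- door=DC-MAIN action=DOOR_CLOSE
2024-03-04T22:45:00 card=C-3003 door=DC-MAIN action=ENTRY
2024-03-04T23:10:00 card=C-3003 door=DC-MAIN action=EXIT
2024-03-05T08:00:00 card=C-4004 door=DC-MAIN action=EXIT
"""

DEACTIVATED_CARDS = {"C-2002"}      # assumed: cards reported lost and deactivated
HELD_OPEN_LIMIT_SECONDS = 30        # assumed door-held-open alarm threshold
BUSINESS_START, BUSINESS_END = 8, 19


def parse_event(line):
    """Split '<iso timestamp> key=value ...' into a dict with a datetime 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def review_door_events(text):
    """Replay the lock's records and return a dict of findings by category."""
    inside = set()          # cards currently recorded as inside the room
    door_opened_at = {}     # door -> timestamp of its last DOOR_OPEN
    findings = {
        "anti_passback": [],        # (ts, card): ENTRY while already inside
        "exit_without_entry": [],   # (ts, card): EXIT with no recorded ENTRY
        "deactivated_card": [],     # (ts, card): swipe by a deactivated card
        "after_hours": [],          # (ts, card, action) outside business hours
        "door_held_open": [],       # (door, seconds) open longer than the limit
    }
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        stamp, card, door, action = (ev["ts"].isoformat(), ev["card"],
                                     ev["door"], ev["action"])

        # Door sensor events carry no card; they only drive the held-open check.
        if action == "DOOR_OPEN":
            door_opened_at[door] = ev["ts"]
            continue
        if action == "DOOR_CLOSE":
            opened = door_opened_at.pop(door, None)
            if opened is not None:
                held = int((ev["ts"] - opened).total_seconds())
                if held > HELD_OPEN_LIMIT_SECONDS:
                    findings["door_held_open"].append((door, held))
            continue

        # A deactivated card must be refused, so it never changes the inside set.
        if card in DEACTIVATED_CARDS:
            findings["deactivated_card"].append((stamp, card))
            continue

        # Entry and departure outside business hours go to the out-of-hours log.
        if not (BUSINESS_START <= ev["ts"].hour < BUSINESS_END):
            findings["after_hours"].append((stamp, card, action))

        # Anti-passback: a card may not enter again until an exit is recorded.
        if action == "ENTRY":
            if card in inside:
                findings["anti_passback"].append((stamp, card))
            inside.add(card)
        elif action == "EXIT":
            if card not in inside:
                findings["exit_without_entry"].append((stamp, card))
            inside.discard(card)
    return findings


if __name__ == "__main__":
    for category, items in review_door_events(SAMPLE_EVENTS).items():
        print(f"{category}: {items}")
```

Run daily, a review like this is one way to perform the daily audit trail review the standards call for; the same state machine is what the lock software itself enforces in real time when anti-passback is enabled.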


Physical Security Standards
Major Data Centres

• Electronic door locks should not be deactivated without prior permission
unless needed for situations like emergency evacuation in case of fire.

• Deactivation of electronic door locks should be documented.

• Access to the security software, which validates and records the ‘swipes’
or electronic card access, should be restricted to authorised individuals.
Physical Security Standards
Major Data Centres
• The data centre and access within the facility should be monitored 24 hours a
day through the use of people manning the centre, CCTV and alarm systems.
The cameras should be located at strategic points.

• The video surveillance recording should be retained for a minimum period of
at least 7 days for possible future playback.

• The Systems Security Administrator should review access rights on a quarterly
basis.

• Security inspections should be made regularly and at least once every 6
months. The inspection routine should include access control, alarm systems
and burglar protection. The inspection should cover functionality and
administration.
Physical Security Standards
Major Data Centres

• Third party vendors and consultants should be allowed supervised access
only. This access needs to be authorised by the Systems Administrator.

• Personal information processing equipment like laptops should not be
allowed inside a major data processing centre, unless authorised by the
Chief Information Officer or, in the absence of the Chief Information Officer,
the Systems Administrator.

• An audit trail of all access should be securely maintained and reviewed on
a daily basis.
Physical Security Standards
Electronic Access Cards for Major Data Centres

• Electronic access cards should be issued to employees and personnel from
outsourcing agencies in a controlled manner with approval from the Chief Information
Officer or the Data Centre In-charge.

• Electronic access cards should be personal. If an electronic access card is lost
or stolen, the concerned staff should immediately report to the Chief Information Officer
or the Data Centre In-charge.

• An electronic access card which has been reported lost should be deactivated within
12 hours.

• The original electronic access card should be taken back wherever possible (e.g.
broken, damaged cards) while issuing a duplicate card.

• Electronic access cards should be returned by an employee when retired or
terminated, and by personnel of outsourcing agencies at the end of the contract.
Physical Security
Electronic Access Cards for Major Data Centres

• Non-returned electronic access cards of retired or terminated personnel
(employees or staff from outsourcing agencies) should be deactivated
immediately.

• Electronic access cards taken from retired or terminated employees should be
destroyed or re-used in a controlled manner.

• The expiration period of electronic access cards issued to long-time third parties
(e.g. employees of outsourcing agencies) should coincide with the end of the
contract period.
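As an added example (not code from the course material or any access control product), the following Python model shows how the card standards above combine at one data centre door: card plus personal code, anti-passback, contract-bound expiry, the 12-hour lost-card deactivation check and a daily review of the audit trail. The class, method and card names and the dates are constructed for illustration.

```python
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Only these roles may approve card issuance (per the standard above).
APPROVERS = {"Chief Information Officer", "Data Centre In-charge"}
# A card reported lost must be deactivated within 12 hours.
LOST_CARD_DEACTIVATION_LIMIT = timedelta(hours=12)


@dataclass
class Card:
    card_id: str
    holder: str
    expires: datetime                 # for contractors: end of the contract period
    active: bool = True
    inside: bool = False              # anti-passback state: is the holder inside?
    reported_lost: Optional[datetime] = None


class DoorController:
    """Constructed model of one data-centre door with an append-only audit trail."""

    def __init__(self) -> None:
        self.cards: dict[str, Card] = {}
        self.audit: list[dict] = []

    def _log(self, when: datetime, card_id: str, event: str, result: str) -> None:
        self.audit.append({"time": when, "card": card_id, "event": event, "result": result})

    def issue(self, card_id: str, holder: str, approved_by: str, expires: datetime) -> Card:
        # Controlled issuance: only the CIO or the Data Centre In-charge may approve.
        if approved_by not in APPROVERS:
            raise PermissionError(f"{approved_by} may not approve card issuance")
        card = Card(card_id, holder, expires)
        self.cards[card_id] = card
        self._log(expires, card_id, "issue", f"APPROVED_BY:{approved_by}")
        return card

    def swipe(self, card_id: str, direction: str, code_ok: bool, when: datetime) -> bool:
        """Decide one entry/exit request; every decision is written to the audit trail."""
        if direction not in ("entry", "exit"):
            raise ValueError("direction must be 'entry' or 'exit'")
        card = self.cards.get(card_id)
        if card is None or not card.active:
            self._log(when, card_id, direction, "DENY_INACTIVE")
            return False
        if when >= card.expires:                # expiry coincides with contract end
            self._log(when, card_id, direction, "DENY_EXPIRED")
            return False
        if not code_ok:                         # the card alone is not sufficient
            self._log(when, card_id, direction, "DENY_BAD_CODE")
            return False
        # Anti-passback: no second entry until an exit is recorded, and vice versa.
        if (direction == "entry") == card.inside:
            self._log(when, card_id, direction, "DENY_ANTIPASSBACK")
            return False
        card.inside = direction == "entry"
        self._log(when, card_id, direction, "GRANT")
        return True

    def report_lost(self, card_id: str, when: datetime) -> None:
        self.cards[card_id].reported_lost = when
        self._log(when, card_id, "report_lost", "RECORDED")

    def deactivate(self, card_id: str, when: datetime, reason: str) -> None:
        self.cards[card_id].active = False
        self._log(when, card_id, "deactivate", reason)

    def overdue_deactivations(self, now: datetime) -> list[str]:
        """Cards reported lost that are still active beyond the 12-hour limit."""
        return [c.card_id for c in self.cards.values()
                if c.active and c.reported_lost is not None
                and now - c.reported_lost > LOST_CARD_DEACTIVATION_LIMIT]

    def daily_review(self, day: datetime) -> dict[str, int]:
        """Count of each denial reason on the given calendar day, for the daily audit review."""
        return dict(Counter(e["result"] for e in self.audit
                            if e["time"].date() == day.date()
                            and e["result"].startswith("DENY_")))


def demo() -> DoorController:
    """Constructed scenario: one contractor card over a working day."""
    dc = DoorController()
    t0 = datetime(2024, 3, 4, 8, 0)                     # constructed date
    dc.issue("C-1001", "contractor A", "Data Centre In-charge", expires=datetime(2024, 3, 31))
    dc.swipe("C-1001", "entry", code_ok=True, when=t0)                        # GRANT
    dc.swipe("C-1001", "entry", code_ok=True, when=t0 + timedelta(minutes=5))  # tailgating re-entry denied
    dc.swipe("C-1001", "exit", code_ok=True, when=t0 + timedelta(hours=4))     # GRANT
    dc.swipe("C-1001", "entry", code_ok=False, when=t0 + timedelta(hours=5))   # card without code denied
    dc.report_lost("C-1001", t0 + timedelta(hours=6))                          # 14:00 report
    return dc
```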
CCTVs

• Definition: a television transmission system that uses cameras to
transmit pictures to connected monitors
• CCTV levels:
- Detection: the ability to detect the presence of an object
- Recognition: the ability to determine the type of object (animal,
blowing debris, crawling human)
- Identification: the ability to determine the object details (person, large
rabbit, small deer, tumbleweed)
• Remember: monitoring live events is preventive and
recording of events is detective
Environmental Security

Appropriate controls should be established to ensure environmental
exposures (fire, cyclones, water, temperature and humidity) are adequately
controlled.

Purpose & Objectives

Environmental exposure to information systems is primarily due to naturally
occurring events like cyclones, floods and water damage besides fire,
temperature and humidity.

The Environmental Security Policy defines the minimum controls which
should be in place to reduce exposure to these environmental threats.
Fire Safety

• The most serious threat to the safety of the people who work in the
organization is the possibility of fire

• Fires account for more property damage, personal injury, and death
than any other threat

• It is imperative that physical security plans examine and implement
strong measures to detect and respond to fires and fire hazards

Slide 34
Fire Detection and Response


Fire suppression systems are devices installed and maintained to detect
and respond to a fire

They work to deny an environment one of the three requirements for a
fire to burn: heat, fuel, and oxygen
- Water and water mist systems reduce the temperature and saturate some
fuels to prevent ignition
- Carbon dioxide systems rob fire of its oxygen
- Soda acid systems deny fire its fuel, preventing spreading
- Gas-based systems disrupt the fire’s chemical reaction but leave enough
oxygen for people to survive for a short time

Slide 35
Fire Detection


Before a fire can be suppressed, it must be detected

Fire detection systems fall into two general categories: manual and automatic

Part of a complete fire safety program includes individuals that monitor the
chaos of a fire evacuation to prevent an attacker accessing offices

There are three basic types of fire detection systems: thermal detection,
smoke detection, and flame detection
• Smoke detectors operate in one of three ways: photoelectric, ionization,
and air-aspirating

Slide 36
Fire Suppression

Fire suppression can be portable, manual, or automatic

Portable extinguishers are rated by the type of fire:
• Class A: fires of ordinary combustible fuels
• Class B: fires fueled by combustible liquids or gases
• Class C: fires with energized electrical equipment
• Class D: fires fueled by combustible metals
Installed systems apply suppressive agents, either sprinkler or gaseous
systems
• Sprinkler systems are designed to apply liquid, usually water
• In sprinkler systems, the organization can implement wet-pipe, dry-
pipe, or pre-action systems
• Water mist sprinklers are the newest form of sprinkler systems and
rely on microfine mists

Slide 37
Water Sprinkler System

Slide 38
Gaseous Emission Systems

Until recently there were only two types of systems: carbon dioxide and halon
• Carbon dioxide robs a fire of its oxygen supply
• Halon is a clean agent but has been classified as an ozone-depleting
substance, and new installations are prohibited
Alternative clean agents include the following:
- FM-200
- Inergen
- Carbon dioxide
- FE-13 (trifluoromethane)

Slide 39
Environmental Security Standards
Fire Prevention

• All computer systems should be housed in an environment equipped with
portable fire extinguishers.
• The fire extinguishers should be accessible in all areas. The distance to the
nearest portable fire extinguisher should be a maximum of 25 metres.
• Fire safety equipment should be checked regularly in accordance with
manufacturer's instructions. The test results should be documented.
• Hazardous and combustible materials should be stored at a safe distance
from server rooms and other computer rooms. Computer supplies such as
stationery should not be stored in server rooms.
• Comprehensive fire and emergency instructions should be displayed in
prominent locations.
Environmental Security
Cyclones

• Computer and communication rooms in cyclone prone areas should be housed in
buildings which are resistant to cyclones, e.g. through use of permanent cyclone
shutters for doors and windows, double doors, wind resistant roof sheathing etc.

• All computer systems should be moved away from windows or glass doors when a
cyclone approaches, even if the windows or doors are covered.

• All computer systems should be located in a small interior room on the first floor in
cyclone prone areas. This should ensure least impact of winds and floods.

• All computer equipment should be switched off or unplugged when a cyclone
approaches to protect it from power surges.
Environmental Security
Floods and Water Damage


• All server rooms should be housed in an environment equipped with moisture detectors.

• Computer and communication rooms should not be located in areas susceptible to water
seepage and flooding like the basement.

• Computer and communication rooms should be located in raised or elevated floors in flood
prone areas.

• Adequate drainage provision should be provided to prevent water damage or flooding.

• Electrical equipment, which may have received water damage, should be checked and dried
before being returned to service.
Environmental Security
Major Data Centres

• The following environmental controls should be followed for major data centres and for
critical systems in addition to the standards mentioned above:
• Automatic fire suppression system, in combination with fire alarms, should be installed.

• Smoke detectors should supplement the fire suppression system.

• Smoke detectors should be placed above and below the ceiling tiles. The detectors should
produce an audible alarm when activated.

• The surrounding walls should be non-combustible and resistant to fire for at least 60 minutes.
All openings to these walls (doors, ventilation ducts, etc.) should be likewise rated at least 60
minutes.

• Curtains, desks, cabinets and other general office materials in the data centre should be fire
resistant.
Environmental Security
Major Data Centres

Data centres should be housed in buildings which are resistant to cyclones.
The following controls should be considered:
• Permanent cyclone shutters for doors and windows

• Double doors

• Wind resistant roof sheathing

• Data centres should be located on an interior room on the first floor in cyclone prone areas. This
should ensure least impact of winds and floods.

• Information processing facilities should be equipped with water or moisture detectors. The
detectors should produce an audible alarm, when activated.

• Data centres should be located in raised or elevated floors in flood prone areas.
Power Supplies

Information processing equipment should be protected from power
failures and other electrical anomalies. A suitable electrical supply
should be provided that conforms to the equipment manufacturer’s
specifications.

Purpose & Objectives

Information processing equipment needs to be safeguarded from
power failures and other electrical anomalies.
Uninterruptible Power Supplies (UPSs)

In case of a power outage, a UPS is a backup power source for major
computer systems

There are four basic configurations of UPS:
• the standby
• ferroresonant standby
• line-interactive
• the true online

Slide 46
Uninterruptible Power Supplies (UPSs)

A standby or offline UPS is an offline battery backup that detects the
interruption of power to the power equipment

A ferroresonant standby UPS is still an offline UPS
• the ferroresonant transformer reduces power problems

The line-interactive UPS is always connected to the output, so has a
much faster response time and incorporates power conditioning and
line filtering

The true online UPS works in the opposite fashion to a standby UPS
since the primary power source is the battery, with the power feed
from the utility constantly recharging the batteries
• this model allows a constant feed to the system, while completely
eliminating power quality problems

Slide 47
Emergency Shutoff

• One important aspect of power management in any environment is the
need to be able to stop power immediately should the current represent a
risk to human or machine safety

• Most computer rooms and wiring closets are equipped with an emergency
power shutoff, which is usually a large red button, prominently placed to
facilitate access, with an accident-proof cover to prevent unintentional use
Slide 48
Power Supplies

Power Supply Standards

• Uninterruptible Power Supply (UPS) equipment should be used to support orderly
close down or continuous running of information processing
equipment.

• The UPS equipment should be checked at least once in 3 months in
accordance with the manufacturer’s recommendations.

• All buildings should have proper earthing to prevent electric surges.

Power Supply Standards

Power-off Switches

• Two emergency power-off switches should be used, one in the computer
room, and the other near, but outside, the computer room. This should
facilitate rapid power-off in case of an emergency such as during a fire or
emergency evacuation.

• The power-off switches should be clearly labelled, easily accessible but
shielded to prevent accidental activation.
Power Supplies
Major Data Centres

The following controls should be followed for major data centres and for time-
sensitive systems:

• Backup UPS equipment should be used to ensure continuous running of
sensitive or critical systems in case the original UPS equipment fails.

• Back-up generators should be used to ensure continued processing for
critical systems in case of power failure for a prolonged period.
Cabling Security

Power and telecommunication cabling carrying data or supporting
information services should be protected from interception or damage.

Purpose & Objectives

- Power and telecommunication cables that feed into the information processing
facility are exposed to many environmental hazards like cyclones, floods, fire,
lightning or cutting due to careless digging.
- Cables carrying data or supporting information services should be protected
from interception or damage to reduce the risk of power or communication
failure.
Cabling Standards

• Power and telecommunication lines into information processing facilities
should be underground, where possible, or subject to adequate alternative
protection.

• Network cabling should be protected from unauthorised interception or
damage due to environmental hazards, e.g. by using conduit or by avoiding
routes through public areas.

• Power cables should be separated from communication cables to prevent
interference.
Cabling Standards
Major Data Centres

The following controls should be followed for major data centres and for
sensitive or critical systems
- Installation of armoured conduit and locked rooms or boxes at inspection and
termination points
- Use of alternate routings or transmission media
Physical Security of Laptops

Policy Statement
• The physical security of laptops, as well as the security of the data
residing in these systems, should be ensured.

Purpose & Objectives

• Laptops and their related components (e.g. peripherals, disk drives)
are highly vulnerable to unauthorised access or theft, thereby
presenting unique risks in the areas of disclosure or destruction of
proprietary information.
• Laptops should be physically secured at all times to prevent
unauthorised access or theft.
Physical Security of Laptops

Responsibility
• Employees to whom laptop computers are issued should be
responsible for their safe custody.
Physical Security Controls
- All laptops should have a ‘power-on’ password.

- Laptops should not be left on the desk or in the work area or any other
visible location overnight. They should be locked in a secure area at the end
of the workday.

- The laptop or its case should not be left unattended in cars.

- Laptops should not be left unattended in public places like an airport.
Airport rest rooms and areas around telephones could be especially
vulnerable locations.
Physical Security of Laptops

• Laptops should never be checked in as luggage while travelling. They must
always be hand carried in a briefcase or a laptop carrying case.

• Laptops should be locked inside luggage and kept out of sight when left in
hotel rooms.

• The concerned staff should file a police report immediately in the event a
laptop is stolen. The staff should also notify the Systems Security
Administrator and the Head of Department within one business day of the
theft.
Additional Devices

• Any removable media devices, such as CD writers, Zip drives and tape
drives, should not be added to individual laptops unless authorised by the
Head of Department.

• Modems should not be added to individual laptops unless cleared and
authorised by the Head of Department after consulting with the Chief
Information Officer.
Clear Desk and Clear Screen

A clear desk and a clear screen policy for information processing facilities
should be adopted.

Purpose & Objectives

• Information must be protected from unauthorised disclosure, modification
or theft.
• A clear desk policy for papers and removable storage media and a clear
screen policy should reduce the risks of unauthorised access, loss and
damage during and outside normal working hours.
Clear Desk and Clear Screen
General Standards

• Computer terminals and printers should not be left logged on, when unattended.
• Key locks, power-on and screensaver passwords, or other controls should be used
to protect them when not in use.
• Computer media should be stored in suitable locked cabinets when not in use,
especially after working hours.
• Incoming and outgoing mail points and unattended fax and telex machines should
be protected from unauthorised use outside normal working hours.
• Photocopiers should be locked or protected from unauthorised use outside normal
working hours.
• ‘Top Secret’, ‘Secret’ and ‘Confidential’ information and storage media should be
locked (ideally in a fire-resistant safe or cabinet) when not required.
And finally... Back Up your System

• Backing up your data should be a habit, something you do automatically
and consistently. Once you have completed a backup, do not leave the
backup media in the PC or even in your office. Store it in a fireproof
media safe or an approved off-site location.
• Safeguard your backup media. If that backup contains personal or
confidential information, it should be protected and secured. Do not allow
unauthorised access to your backup media.
• If you can’t afford to lose it, then you can’t afford NOT to back it up!
Your PC, Your Data, Your Responsibility!
Thank you…
Course: Information Security Management
in e-Governance

Day 2

Session 4: Information Security Policy and
Organization
Agenda

• Need for Information Systems Security Policy

• Elements of Information Security Policy

• Approach for development of Information Security Policy

• Information Security Organization and roles, responsibilities


Security Policy

One of the desired features of an electronic government is to guarantee
that:
• confidential data held in the system is fully protected.
• the network is protected from unauthorised access, malicious attack and
loss of data integrity.

• Poor security can lead to an inability to function and loss of data, higher
cost to fix and recover data, disruption to government operations, and
damage to reputation.

• A security policy needs to be defined to protect government assets as
well as to provide a better and faster response to security incidents.

Slide 3
Security Policy contd..

The assets that must be protected include:

− Computer and peripheral equipment.
− Communications equipment.
− Computing and communications premises.
− Power, water, environmental control, and communications utilities.
− Supplies and data storage media.
− System computer programs and documentation.
− Application computer programs and documentation.
− Information.

Slide 4
A well defined Security Policy will help government organizations

• To minimize the adverse effect of security incidents

• To educate users of information assets about security measures

• To provide a mechanism for reporting of security incidents so that remedy
/ action can be taken quickly

• To ensure that security measures/guidelines are adhered to by users

• To formulate and review policies, goals, strategies, standards and
operational guidelines pertaining to information security of the Central /
state government

A well defined Security Policy will help government organizations
contd..

• To monitor, review and co-ordinate the implementation of central / state
security measures among state public agencies

• To establish standards in the application of security measures

• To carry out auditing on central / state assets so that security
measures/guidelines are adhered to

• To take pre-emptive actions to remove possible sources of vulnerabilities

Information security policies

• Information security policies are a special type of documented
business rule for protecting information and the systems which store and
process the information.

• Within an organization, these written policy documents provide a high-
level description of the various controls the organization will use to protect
information.

• They are a formal declaration of management's intent to protect information,
and are required for compliance with various security and privacy
regulations.

• They lay down the rules through which people are given access to an
organization’s technology, system and information assets.

Information security policies contd..

• Security policies define the overall security and risk control objectives that
an organization endorses

• Set of detailed rules as to what is allowed on the system and what is not
allowed.

• The security policy defines what business and security goals and
objectives management desires, but not how these solutions are
engineered and implemented.

Slide 8
Purposes of a Security Policy

• The primary purpose of a security policy is to inform users, staff, and
managers of the essential requirements for protecting various assets,
including people, hardware and software resources, and data assets.

• To ensure that such information is used, managed and distributed, in any form,
electronic or physical, in a manner that is consistent with those
requirements.

• To provide a baseline from which to acquire, configure, and audit computer
systems and networks for compliance with the policy.

• To guide the subsequent development of operational procedures, the establishment of
access control rules and various application, system, network, and
physical controls and parameters.

Security Principles

• The definition of security principles is an important first step in security
policy development as they dictate the specific type and nature of
security policies most applicable to one’s environment.

• Security principles are used to define a foundation upon which security
policies can be further defined.

• Organizations should evaluate and review these security principles before
and after the development and elaboration of security policies.

The principles for security policies are based upon the following
goals:

• Ensure the availability of data and processing resources.

• Ensure the integrity of data processing operations and protect them from
unauthorized use.

• Ensure the confidentiality of the customer’s and your processed data, and
prevent unauthorized disclosure or use.

• Ensure the integrity of the customer’s and your processed data, and prevent
the unauthorized and undetected modification, substitution, insertion, and
deletion of that data.

• Provide assurance for the confidentiality and integrity of customer data and
allow for the compartmentalization of risk for customers and your
organization.

Security Policy Goals

Translate, clarify and communicate
management’s position on security as
defined in high-level security principles.

The security policies act as a bridge
between these management objectives
and specific security requirements.

The policy deals with the following domains of security

− Computer system / network security: CPU, peripherals, OS. This includes
data security.
− Physical security: the premises occupied by the IT personnel and
equipment.
− Operational security: environment control, power equipment, operation
activities.
− Procedural security: procedures followed by IT, vendor and management personnel, as well as
ordinary users.
− Communications security: communications equipment, personnel,
transmission paths, and adjacent areas.

Types of information security policy documents

• Acceptable Use Policy
• Authentication Policy
• Backup Policy
• Confidential Data Policy
• Data Classification Policy
• Encryption Policy
• Email Policy
• Guest Access Policy
• Incident Response Policy
• Mobile Device Policy
• Network Access Policy
• Network Security Policy
• Outsourcing Policy
• Password Policy
• Physical Security Policy
• Remote Access Policy
• Retention Policy
• Third Party Connection Policy
• VPN Policy
• Wireless Access Policy
• Many others

Elements of an information security policy document

• An ideal information security policy document should contain the following
elements:
− Title - Brief description of the document.
− Number - A number or unique identifier for the policy document.
− Author - The author of the document.
− Publish Date - The date the policy has been officially approved.
− Scope - Describes the organizational scope that this policy applies to.
− Policy Text - The written policies.
− Sanctions - Provides information on violations of the written policy.
− Sponsor - The executive sponsor of the policy document.

Policy Hierarchy

Slide 16
Characteristics of good security policies

• They must be implementable through system administration
procedures, publishing of acceptable use guidelines, or other appropriate
methods.

• They must be enforceable with security tools, where appropriate, and
with sanctions, where actual prevention is not technically feasible.

• They must clearly define the areas of responsibility for the users,
administrators, and management.

• They must be documented, distributed, and communicated.

Policy Flexibility

• A successful security policy must be flexible.

• In order for a security policy to be viable for the long term, a security
policy should be independent of specific hardware and software
decisions, as specific systems choices change rapidly.

• In addition, the mechanisms for updating the policy should be clearly
spelled out.

• This includes the process, the people involved, and the people who must
sign off on the changes.

Security Policy Communication

• Disseminate the policy to all appropriate users, staff, management, vendors,
third party processors, and support personnel.

• It may also be necessary to communicate some or all policies to customers
/ citizens as well.

• Establishing a record that those involved have read, understood, and
agreed to abide by the policy is an essential part of this process.

Policy Management

• To ensure that your policies do not become obsolete, you should
implement a regular review process for them.

• That process should include some form of update mechanism so that
changes in your organization’s operating environment can be quickly
translated into your security policy.

Relationship to Standards and Procedures

• Security policies embody management’s overall security expectations,
goals and objectives.

• To be practical and implementable, policies must be further defined by
standards, guidelines, and procedures.

• These must ensure that all operations are consistent with the intent of the
security policies.

Slide 21
Relationship to Standards and Procedures

• Standards, guidelines, and procedures provide specific interpretation of
policies and instruct users, customers, technicians, management, and
others on how to implement the policies.

• Organizations should undertake the definition of standards, guidelines, and
procedures only after the development and acceptance of security
policies, and after specific security mechanisms supporting these policies
are determined or implemented.

Security Policy Structure

The basic structure of a security policy should contain the following components:
• A statement of the issue that policy addresses.
• A statement about your position on the policy.
• How the policy applies in the environment.
• The roles and responsibilities of those affected by the policy.
• What level of compliance to the policy is necessary.
• What actions, activities and processes are allowed and which are not.
• What are the consequences of non-compliance.

Slide 23
Roles and Responsibilities
The development of security policies is predicated upon the participation of various
organizations.

In general, it is recommended that the following areas participate in this development
effort:

• Business management
• Technical management
• Data security
• Risk management
• Systems operations
• Application development
• Network engineering
• Systems administration
• Internal audit
• Legal
• Human resources

Recommended Development Method
The following provides an outline of the tasks used to develop security policies

• All responsible organizations and stakeholders are identified and their roles,
obligations and tasks detailed.
− It is important to understand how your organization is structured, who will be
the responsible owner of the security policy and also who will function as its
custodian.
− Critical to obtain the appropriate level of consensus to ensure that the security
policy properly reflects the issues, concerns, requirements, goals, and
objectives for your organization.
− Representation should be as broad as practical but at a minimum include:
data security, legal, human resources, internal audit, operations, and
development organizations.

Slide 25
Recommended Development Method (contd..)

• The primary business objectives are outlined.

− Knowing the primary objectives of your business is important to
scoping the security policy effort.
− For example, one organization may require extensive audit,
monitoring, and backup and recovery processes because of regulatory
mandates while this may not be applicable to another.
− The intent here is to make security policy cost effective.
− That is, do what is appropriate for your organization, not the security
consultant selling you the security policies!!

Recommended Development Method (contd..)

A list of security principles representing management’s security goals is outlined.

− Accompanying this article is a list of security principles.

− These should be reviewed and incorporated into your security policy
development effort as necessary.

− The purpose of the security principles is to allow your organization to state in a
plain and simple fashion, without technical details or jargon, what core values
are most important to your organization.

Recommended Development Method (contd..)

All applicable data and processing resources are identified and classified.

• In today's IT environments, data is often one of the most important assets
and should be treated accordingly.

• For that reason, cataloging your data and processing resources enables
you to more easily make qualified and informed decisions about their use
and value.

• This then enables you to later apply the most cost effective controls on
those assets.

Recommended Development Method (contd..)

A data flow analysis is performed for the primary data classifications, from
generation through deletion.

• The purpose of a data flow analysis is to allow you to identify all of the
trust points that touch your data.

• For instance, in a transaction processing system, data may flow through
browsers, web, data, and other servers or firewalls and be stored in
databases, on magnetic tape or paper.

• By tracing the flow of your data assets through your processing assets,
you can later determine the type and placement of logical and physical
controls to protect those assets.

Recommended Development Method (contd..)

The primary threats that can reasonably be expected in one’s environment are
outlined.

• The development of a threat profile enables you to decide what type of threats
exist in your particular environment, what the probability is of a threat manifesting
itself into an actual problem, and what the ramifications, costs and consequences
are of those threats being realized.

• Remember, threats vary widely between different environments.

• The threats and consequences of attacks to a financial network processing
monetary instruments will be different than the threats and consequences of
attacks to an online government application.

Slide 30
Recommended Development Method (contd..)

The primary security services necessary in the environment are identified.

• After your data and processing assets are identified and a threat profile
created, the next step is to determine what general security services
would be appropriate in your environment.

• These security services are high-level and can include for example:
accountability, authorization, availability, identification, authentication,
confidentiality, integrity, and non-repudiation.

• Knowing what security services your environment requires will drive the
selection of the types of security policies you will need as well as the
specific content or components of those policies.

Slide 31
Recommended Development Method (contd..)

A generic policy template is constructed.

• The structure of a security policy can take many forms.

• This article offers recommendations for both the components and
characteristics of security policies.

• This step is used to articulate the specific topics that you consider
necessary for each security policy.

Slide 32
Recommended Development Method (contd..)

A list of security policies is defined.

• The last step before actually drafting the security policies themselves is to
identify all of the security policy focus areas that must be addressed.

• The creation of this list is based upon the results of the above steps.

Slide 33
Security Policy Implementation

Once you’ve created your policy, you need to roll it out to your organization.

• First, and perhaps most importantly, a security policy must be backed by
your Organization's senior management team.

• If the position doesn't exist, an Information Security Officer should be
designated who is responsible for implementing and managing the
security policy.

• Go through each policy and think about how it will be applied within the
organization.

• Make sure that the tools are in place to conform to the policy.

Slide 34
Security Policy Implementation contd..

• For example, if the policy specifies that a certain network be monitored,
make sure that monitoring capabilities exist on that network segment.

• If a policy specifies that visitors must agree to the Acceptable Use Policy
before using the network, make sure that there is a process in place to
provide visitors with the Acceptable Use Policy.

Slide 35
Security Policy Implementation contd..

• User education is critical to a successful security policy implementation.

• A training session should be held to go over the specific policies that will
impact users, as well as provide basic information security awareness
training.

• Users must be provided any user-level policies, and must acknowledge in
writing that they have read and will adhere to the policies.

Slide 36
Security Policy Implementation contd..

• No matter how well thought out, no policy will be 100% applicable for
every scenario, and exceptions will need to be granted.

• Exceptions, however, must be granted only in writing and must be well
documented.

• It should be made clear from the outset that the policy is the official
standard, and an exception will only be granted when there is an
overwhelming business need to do so.

Slide 37
Policy Review

• After the security policy has been in place for some period of time, the
Organization's information security controls should be audited against the
applicable policies.

• Make sure that each policy is both A) being followed, and B) still
appropriate to the situation.

• Regularly review the security policy to ensure that it still meets the
Organization's requirements.

• Create a process so that the policy is periodically reviewed by the
appropriate persons.

Slide 38
Policy Review contd..

• Review should occur both at certain intervals (e.g., once per year), and
when certain business changes occur (e.g., the company opens a new
location).

• This will ensure that the policy does not get "stale" and will continue to be
a useful management tool for years to come.
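The review rules on slides 37 and 38 (review on a fixed interval and on business change) and the exception rule on slide 36 (exceptions only in writing, well documented) are simple enough to track in a register. The following is an added example, not part of the course material: the policy names, review dates, the list of triggering business changes and the sample exception are constructed, and the yearly interval is taken as 365 days.

```python
"""Flag security policies due for review and policy exceptions past their expiry.

Added example; policy names, dates, trigger labels and the exception record are constructed.
"""
from datetime import date, timedelta

# "Review should occur at certain intervals (once per year)": assumed here as 365 days.
REVIEW_INTERVAL = timedelta(days=365)

# Business changes that trigger an out-of-cycle review (constructed list; the
# slide's own example of such a change is opening a new location).
TRIGGER_EVENTS = {"new_location", "new_regulation", "reorganisation", "major_incident"}


def policies_due_for_review(policies, today, changes_since_review):
    """Return [(policy, reason)] for every policy that needs review.

    policies: {policy name: date of last review}
    changes_since_review: {policy name: set of business-change labels recorded
                           since that review}
    """
    due = []
    for name, last_reviewed in sorted(policies.items()):
        reasons = []
        if today - last_reviewed >= REVIEW_INTERVAL:
            reasons.append(f"interval elapsed (last reviewed {last_reviewed.isoformat()})")
        triggers = changes_since_review.get(name, set()) & TRIGGER_EVENTS
        if triggers:
            reasons.append("business change: " + ", ".join(sorted(triggers)))
        if reasons:
            due.append((name, "; ".join(reasons)))
    return due


def expired_exceptions(exceptions, today):
    """Policy exceptions past their expiry date: they must be re-approved in
    writing or lapse. Each exception is a dict with policy, granted_to,
    approved_by, justification and expires (a date)."""
    return [e for e in exceptions if e["expires"] < today]


# Constructed sample register.
SAMPLE_TODAY = date(2024, 2, 1)
POLICIES = {
    "Acceptable Use Policy": date(2023, 1, 10),
    "Access Control Policy": date(2023, 9, 1),
    "Backup Policy": date(2023, 11, 15),
}
CHANGES = {
    "Backup Policy": {"new_location"},        # a new district office came online
    "Access Control Policy": {"rebranding"},  # recorded, but not a security-relevant trigger
}
EXCEPTIONS = [
    {"policy": "Access Control Policy", "granted_to": "Payroll section",
     "approved_by": "Information Security Officer",
     "justification": "legacy application cannot use the central directory",
     "expires": date(2023, 12, 31)},
]

if __name__ == "__main__":
    for name, reason in policies_due_for_review(POLICIES, SAMPLE_TODAY, CHANGES):
        print(f"REVIEW DUE         {name}: {reason}")
    for exc in expired_exceptions(EXCEPTIONS, SAMPLE_TODAY):
        print(f"EXCEPTION EXPIRED  {exc['policy']} ({exc['granted_to']})")
```

With the constructed data the Acceptable Use Policy is due because a year has passed, the Backup Policy is due because a new location opened, and the Access Control Policy is not due: it is well inside the interval and the recorded change is not one of the agreed triggers. The expired exception shows why exceptions need an expiry date in the written record: without one there is nothing for a review to act on.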

Slide 39
End of Session

Slide 40
Course: Information Security Management
in e-Governance

Day 2

Session 5: Disaster Recovery Planning


Agenda

 Introduction to Disaster Recovery Planning (DRP)

 Need for disaster recovery planning

 Approach for Disaster Recovery Planning

 Key elements in a DRP


Current scenario - Dependence on IT

• IT is becoming the key enabler for many government and public sector
organizations in achieving the business objectives
• Many organizations are moving towards mandatory electronic transactions
eliminating the manual working methods completely
• E.g. Ministry of Corporate Affairs (MCA21 Project)
• E-Procurement initiatives in Andhra Pradesh, Karnataka, DGS & D etc.
• Passport issuance…
• More and more information is stored electronically
• NeGP is driving IT incubation in all key government sectors/
departments…

Slide 3
Defining a Disaster

As per the Principle of Availability of Resources:

• Businesses are run based on the assumption that the current level of resources
will not decline.
• Availability addresses the requirement that access to information and resources
is available on a timely basis wherever needed to meet business requirements.
• All organizations face the risk that disasters may compromise the availability of
resources.

A disaster is defined as any event that causes an unacceptable level of
interruption to access to business information, transactions or business
operations for an unacceptable period of time. Whenever a disaster strikes,
it impacts one or more of the resources which an organization is
employing.

Slide 4
Defining a Disaster (contd..)

A disaster may impact in various ways that could affect the organisation’s ability
to carry on operations. For example, it may:
• not be able to operate from the affected site
• lose critical resources (systems, documents, data)
• lose ability to interact with citizens, businesses, employees, other
government agencies..
• not be able to service citizens etc.

Slide 5
Defining a Disaster (contd..)

A few examples of 'disasters' in an IT Environment:

• Organization website is hacked and is inaccessible to people who wish to visit it
for a time frame that has an adverse impact on the business
• Application server hosting a critical business application is not reachable for a
week
• Server room gets flooded with rain water and cables are immersed in water,
causing short circuit and breakdown of services
• Breakdown of the cooling / UPS units causing high disruption in day to day
activities

Slide 6
The Cost/Impact of Disaster..

LEGAL/REGULATORY
• Contractual Requirements
• SLAs
• Regulatory Requirements
• Compensatory Payments

REVENUE
• Direct Loss
• Deferred Losses
• Lost Future Revenue
• Billing Losses
• Investment Losses

PRODUCTIVITY
• Loss Of Productivity
• Employees Impacted

REPUTATION
• Customers
• Suppliers
• Business Partners
• Etc.

FINANCIAL PERFORMANCE
• Revenue Recognition
• Cash Flow
• Payment Guarantees

OTHER EXPENSES
• Temporary employees
• Equipment Rental
• Overtime
• Etc.

Disaster Recovery Planning

• A Disaster Recovery Plan (DRP) is a set of procedures designed to
restore information systems
• Disaster recovery (DR) planning is concerned with preparation for and
response when disaster hits.
• DR Planning is:
- Knowing potential risks to information systems
- Planning ahead to avoid risks
- Being prepared in the event a problem occurs
- Taking the necessary steps to proactively prepare for potential problems
- Identifying how to respond when a problem occurs…

Slide 8
Objectives of Disaster Recovery Plan (DRP)

• Minimize the damage caused to IT enablers and recover them to continue
business operations on occurrence of a DRP event.

• Provide a plan of action to facilitate an orderly recovery of critical IT enablers

• Identify key individuals and define their roles and responsibilities in the process of
recovering after a DRP event

• Catalog probable resources and vendors that could assist in the recovery
process.

• Establish general procedures for release of information to employees,
customers and stakeholders.

Slide 9
Examples of Events without and with a DR Plan

Server crash & data corruption
• Without a DR plan: several days to rebuild data from backup media
• With a DR plan: recovery from backup server or disc-based backup media

Hurricane etc.
• Without a DR plan: several days' outage
• With a DR plan: transfer to servers in alternate processing center

Slide 10
Examples of Events without and with a DR Plan

Earthquake
• Without a DR plan: damaged servers, outage of more than a week
• With a DR plan: little to no outage because of preventive measures and
backup power

Fire
• Without a DR plan: servers damaged from smoke or extinguishment
materials, several days to rebuild data from backup media
• With a DR plan: early suppression of fire, resulting in minimal damage
and downtime

Slide 11
Dangerous Excuses for not implementing a Disaster Recovery Plan

• It costs too much money to implement

• Not enough time or resources.

• It will never happen to our company.

• Why bother? We have good data backups.

• We “plan” on implementing one next year !!!

Slide 12
Approach for Development of DRP

Step 1: Risk Assessment: Identification of potential risks in the current IT
environment

Step 2: Business Impact Analysis: Analyze the impact of identified risks to the
business

Step 3: Strategy Selection: Identification of possible solutions for risk mitigation
and selection of appropriate solution based on business needs

Step 4: Plan Development: Documentation of scenarios, solutions, roles and
responsibilities for Disaster Recovery

Step 5: Testing and Maintenance: Testing the validity of the plan and keeping
the plan updated in line with the changes in IT environment
DRP Approach: Step 1 – Risk Assessment

Risk Assessment consists of:

• Health check of existing DR plans (if any)
• Threat/Risk Analysis for IT environment
• Review of existing mitigation programs/measures

DRP Approach: Step 1 – Risk Assessment

Risks in the IT environment exist surrounding (illustrative):

• Application Software
• Business Data
• IT Infrastructure – Networks, Computing and Storage infrastructure
etc.
• Facilities like Data Centre
• End user environment…
DRP Approach: Step 1 – Risk Assessment
Illustrative Risks surrounding Application Software/Business applications

• Application server crash leading to loss of application software
• Loss of source code/files
• Loss of application design documents
• Lack of support from the software vendor
• Loss of application software change history
• Application software hacked leading to unauthorised transactions
• Loss of training and administration manuals….

Slide 16
DRP Approach: Step 1 – Risk Assessment
Illustrative Risks surrounding Business Data/Database systems

• Database server crash leading to loss of data
• Unable to recover data from data backup tapes
• Unauthorised access/changes to the business data/database systems
• Theft of data/Data falling into wrong hands
• Loss of database design documents…

Slide 17
DRP Approach: Step 1 – Risk Assessment
Illustrative Risks surrounding Network, Computing and Security Infrastructure

• Device failures (Router, switch, firewall, IPS, Modem..…)
• Module failure…
• Server failure (Disk, RAM, power unit..)
• Network circuits failure
• Cabling failure (LAN and WAN)
• Hacking and penetration into the network
• Denial of Service (DoS) attacks…
• Single point of failure

[Figure: layered network diagram, from the Internet inwards: Router, External
firewall, IDS / IPS, Core Switch, Internal firewall, Layer 2 Switch, Computing
Infrastructure]

Slide 18
DRP Approach: Step 1 – Risk Assessment
Illustrative Risks surrounding Facilities and support infrastructure

• Discontinued power supply
• Failure in UPS/battery backup
• Generator not working in the hour of need
• Cooling systems (AC) failure
• Floods and Earthquakes
• Breach in Access control systems
• Fire extinguishers not working…..
DRP Approach: Step 1 – Risk Assessment
Illustrative Risks surrounding End user environment

• PC/Disk failure
• Theft of PCs/Laptops/Data
• Virus attacks
• Installation/usage of unlicensed software
• Printer/Scanner failure…

Slide 20
Risk Assessment – A continuous process

[Figure: Risk Assessment and Risk Management cycle. Risk Assessment activities:
Threat Assessment, Asset Value Assessment and Vulnerability Assessment feed the
Threat/Risk Impact Assessment and the Risk Assessment. Risk Management
activities: Mitigation Options, Cost Benefit Analysis, Risk Management Decision
and Mitigation Execution Actions, followed by Vulnerability Reassessment and Risk
Reduction, which loops back into the assessment.]

Slide 21
Phase II - Business Impact Analysis

BIA focuses on:

- Identifying the business functions/processes/services

- Impact of the identified risks surrounding Information Systems on the business
(functions/processes/services)

- Defining Recovery Time and Recovery Point Objectives

- Providing the basis for determining cost effective strategies for risk mitigation

Slide 22
Phase II BIA - Objectives

• Determine critical and necessary business functions/ processes and the
resource dependencies
• Identify critical computer applications and the associated "outage tolerance"
• Evaluation of impact of identified risks on the business functions/processes
• Estimate the financial and operational impact of the disruption and the required
recovery time frame for the critical business functions
• Provide basis for determining cost effective strategies
• Build business case for strategy selection
• Prepare solid foundation for plan development
Phase II BIA – Focus areas

• Describe functions
• Suggest importance
• Describe resources
– System applications
– Business Dependencies
• Processing time frames
• Describe contributions
• Estimate impacts due to identified risks
• Describe recovery time frame priorities
Understanding RTO & RPO
• The Recovery Time Objective (RTO) for an application is the goal for how quickly you need
to have that application's information available again after downtime has occurred.
• The Recovery Point Objective (RPO) for an application describes the point in time to which
data must be restored to successfully resume processing (often thought of as the time between
the last backup and when an "event" occurred)

[Figure: service level (100%) plotted against time. The RPO is the span from "Scheduled
back up taken" to "Disaster strikes"; the RTO is the span from "Disaster strikes" through
"DRP invoked" to "Normalcy restored".]

Slide 25
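The RPO and RTO definitions above can be checked against what actually happened in an incident, which is how a BIA's objectives get validated after a DR test or a real event. The following is an added example, not from the course: the nightly backup schedule, the disaster and recovery times and the two applications' objectives are constructed. It also computes the largest gap in the backup schedule, since an RPO can only be guaranteed if that gap is no larger than the RPO.

```python
"""Measure actual data loss and downtime against an application's RPO and RTO.

Added example; backup times, incident times and objectives are constructed.
"""
from datetime import datetime, timedelta


def data_loss_window(backups, disaster_at):
    """Actual recovery point gap: from the last backup completed before the
    disaster to the moment it strikes (the RPO span on the slide's chart)."""
    prior = [b for b in backups if b <= disaster_at]
    if not prior:
        raise ValueError("no backup completed before the disaster: nothing to restore")
    return disaster_at - max(prior)


def worst_case_data_loss(backups):
    """Largest gap between consecutive backups. If this exceeds the RPO, the
    schedule cannot meet the RPO no matter when the disaster strikes."""
    ordered = sorted(backups)
    if len(ordered) < 2:
        raise ValueError("need at least two backups to measure the schedule")
    return max(b - a for a, b in zip(ordered, ordered[1:]))


def evaluate(app, backups, disaster_at, normalcy_at):
    """Compare actual data loss and downtime with the application's RPO/RTO."""
    loss = data_loss_window(backups, disaster_at)
    down = normalcy_at - disaster_at          # the RTO span on the slide's chart
    return {
        "application": app["name"],
        "data_loss": loss, "rpo_met": loss <= app["rpo"],
        "downtime": down, "rto_met": down <= app["rto"],
        "schedule_can_meet_rpo": worst_case_data_loss(backups) <= app["rpo"],
    }


# Constructed sample: nightly backups at 02:00, disaster mid-afternoon on day 3.
BACKUPS = [datetime(2024, 3, d, 2, 0) for d in (1, 2, 3)]
DISASTER_AT = datetime(2024, 3, 3, 14, 30)
NORMALCY_AT = datetime(2024, 3, 3, 20, 30)
PORTAL = {"name": "citizen portal", "rpo": timedelta(hours=4), "rto": timedelta(hours=8)}
ARCHIVE = {"name": "records archive", "rpo": timedelta(days=1), "rto": timedelta(days=3)}

if __name__ == "__main__":
    for app in (PORTAL, ARCHIVE):
        result = evaluate(app, BACKUPS, DISASTER_AT, NORMALCY_AT)
        print(f"{result['application']}: lost {result['data_loss']} of data "
              f"(RPO met: {result['rpo_met']}), down {result['downtime']} "
              f"(RTO met: {result['rto_met']}), "
              f"schedule can meet RPO: {result['schedule_can_meet_rpo']}")
```

For the portal the recovery finished inside its 8 hour RTO, but 12.5 hours of data were lost against a 4 hour RPO, and the nightly schedule could never have met that RPO; the fix is in the backup strategy (more frequent backups or replication), not in recovering faster. The archive, with a one-day RPO, is met by the same schedule.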
Understanding RTO & RPO

Recovery Point Objective: how much data can I afford to lose?

Recovery Time Objective: how long can I afford to be without IT Systems?

[Figure: RPO on the vertical axis and RTO on the horizontal axis, each graded
Minutes, Hours, Days, Weeks]

Slide 26
Phase - III: Strategy Selection

• Objective

Define the action items needed to best protect the organisation and to select the most
appropriate recovery solutions for IT systems supporting critical business functions.

• Key Activities

 Identification of range of solutions/strategies for the identified risks

 Cost Benefit analysis of identified solutions/strategies based on defined RTO and
RPO

 Strategy selection
Phase III Strategy Selection –
Range of Strategies for Risk Mitigation
We will discuss illustrative strategies available for the following components:
• Application Software
• Data Recovery and Protection
• IT Infrastructure – Networks , Computing and Storage infrastructure etc.
• Facilities
• End user environment..

Slide 28
Phase III Strategy Selection –
Range of Strategies for Risk Mitigation

Range of illustrative strategies for Application Software

• Implement Software Configuration Management tools for version control and source code
management
• Backup of application software and source code
• Backup of application design and configuration documents
• Backup of application training, administration manuals
• Updating of application design, configuration, training and administration manuals in line
with changes in the software
• Maintenance of Software Change History
• Planning for effective transition management during vendor switch over…

Slide 29
Phase III Strategy Selection –
Range of Strategies for Risk Mitigation

Range of illustrative strategies for Data and Database systems

• Maintain multiple levels of data backup (disk mirroring in server/SAN and backup tapes
through tape library)
• Off-site storage of data backup tapes/media
• Data replication at DR site
• Database server configuration and image backup
• Maintain backup of Database design documents…

Slide 30
Phase III Strategy Selection –
Range of Strategies for Risk Mitigation

Range of illustrative strategies for Network and Security components:

• Redundancy at each of the critical network component level (Core router, switch, internet
router..)
• Redundancy at network circuit level (network circuits from alternate ISPs)
• Redundancy at each of the critical security component level (firewall, IPS, VPN
concentrator..)
• Maintaining spares for the critical infrastructure elements
• Maintain backup of the design, configuration and IP addressing schema files, system
images
• Signing SLA with the System Integrators/OEMs for replacement of components in line with
RTO/RPO
• Penetration testing and vulnerability assessment at regular intervals to identify and bridge
the information security gaps
• Implementation of network and security monitoring and management tools
• Insurance for the Infrastructure
Slide 31
Phase III Strategy Selection –
Range of Strategies for Risk Mitigation

Range of illustrative strategies for Computing Infrastructure

• Redundancy at the server level
• Maintaining spares for the critical servers and their components
• Maintain backup of the design, configuration and IP addressing schema files, system
images
• Implementation of computing infrastructure at alternate site as backup (DR)
• Signing SLA with the System Integrators/OEMs for replacement of components in line with
RTO/RPO
• Penetration testing and vulnerability assessment at regular intervals to identify and bridge
the information security gaps
• Implementation of server monitoring and management tools
• Insurance for the Infrastructure

Slide 32
Phase III Strategy Selection –
Range of Strategies for Risk Mitigation

Physical and environmental aspects of IT systems

• Implementation of Disaster Recovery (DR) site
• Power: Redundancy in UPS, power supply from alternate sources/feeds, adequate battery
backup, generator set, power supply to the IT equipment through alternate UPS systems
• Cooling: Redundancy in air-conditioning systems
• Security: Video surveillance, Key-card entry controls, Biometric entry controls, Security
guards, Hardened facilities, Locking cabinets, Equipment cages
• Environmental controls: Smoke and fire detection, Fire alarms and evacuation, Fire
suppression, Fire extinguishers, Sprinkler systems, water detectors
• Insurance for the facilities..

Slide 33
Phase III Strategy Selection –
Range of Strategies for Risk Mitigation

Cold Site
• Has the basic environment (power, electric wiring, AC, flooring etc.)
• Ready to receive equipment but does not offer any components at the site in
advance
• Activation of the site may take several weeks

Warm Sites
• Partially configured with network connections & selected peripheral
equipment such as disk drives, tape drives and controllers but without the
main computing infrastructure
• Sometimes equipped with a less powerful central processing unit

Slide 34
Phase III Strategy Selection –
Range of Strategies for Risk Mitigation

Hot site
• Fully configured and ready to be operated in some hours
• Generally intended for emergency operations of a limited time period and not for
long extended use
• Components of the DR plan for network connectivity to a hot site over a public
switched network should address issues such as redundancy and maintaining
sufficient capacity on diverse paths for re-routing

Reciprocal arrangements
• Arrangement between two or more organizations that possess similar
facilities

Slide 35
User (workstation) Environment - Range of Strategies

• To the greatest extent reasonably possible, use standard configurations for
client/server workstations.
• Use imaging technology and tools that can help you quickly build replacement
client/server workstations.
• Test images in a variety of workstation types: In a disaster scenario, you may have to
build workstations on hardware platforms that you don't routinely work with.
• Consider a thin-client environment, with client/server software installed on servers,
reducing workstations to smart terminals.
• Thin-client technology enables the organization to centralize client-side software
installation, configuration, and maintenance.
• Back up workstation imaging systems.
• If you can recover those imaging systems in a disaster, you can use them to build
new client/server workstations, as needed.

Slide 36
Phase III Strategy Selection –
Range of Strategies for Risk Mitigation

Range of illustrative strategies for End User Environment

• Maintaining end user system images
• Provision for central data backup facilities for end users – for critical data
• Mail server backup
• Maintaining spares for PCs, Printers and other end user computing infrastructure based on
failure rates/scenarios
• Signing SLA with the System Integrators/OEMs for replacement of components in line with
RTO/RPO

Slide 37
Phase III Strategy Selection –
Cost vs Benefit Analysis of the Strategies - Example
[Figure: cost plotted against disaster recovery time (72 hrs, 24 hrs, minutes). Cost rises
as the recovery time shortens: Standard Recovery at the 72 hrs end, Vaulting around
24 hrs, and Mirroring and Load balancing at the minutes end, with Load balancing the
most expensive.]

Source : Gartner
Slide 38
Phase III Strategy Selection –
Strategy Selection - Decision
• Alternatives are heavily dependent upon the identified recovery time
objectives
• The faster a function is required the more expensive the solution will
typically be
• Interdependencies need to be covered during the selection process
• Select the most appropriate recovery strategy
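The two selection rules stated above (the faster a function must be back, the more expensive the solution; and interdependencies must be covered) can be applied mechanically once the BIA has produced RTOs. The following is an added example, not code from the course or from Gartner: the strategy names and their achievable recovery times follow the chart's ordering, but the cost figures, the sample systems, their RTOs and the dependency between them are constructed. Dependencies are handled by tightening a supporting system's RTO to the strictest RTO of anything that depends on it before picking the cheapest strategy that fits.

```python
"""Pick the cheapest recovery strategy that meets each system's RTO, after
propagating RTOs across interdependencies.

Added example; costs, systems, RTOs and dependencies are constructed.
"""
from datetime import timedelta

# Strategies from the cost/recovery-time chart, each with the recovery time it can
# achieve and a constructed relative cost (the chart gives only the ordering).
STRATEGIES = {
    "standard recovery": (timedelta(hours=72), 10),
    "vaulting": (timedelta(hours=24), 30),
    "mirroring": (timedelta(minutes=15), 80),
    "load balancing": (timedelta(minutes=1), 120),
}


def effective_rtos(rtos, depends_on):
    """Tighten each system's RTO to the strictest RTO of anything that depends
    on it: a portal cannot be back in 4 hours if its database takes 48.
    Iterates until stable so chains of dependencies are covered."""
    eff = dict(rtos)
    changed = True
    while changed:
        changed = False
        for system, deps in depends_on.items():
            for dep in deps:
                if eff[system] < eff[dep]:
                    eff[dep] = eff[system]
                    changed = True
    return eff


def cheapest_strategy(rto, strategies=STRATEGIES):
    """Least costly strategy whose achievable recovery time is within the RTO."""
    fits = [(cost, name) for name, (recovery, cost) in strategies.items() if recovery <= rto]
    if not fits:
        raise ValueError(f"no strategy recovers within {rto}")
    return min(fits)[1]


def select_strategies(rtos, depends_on, strategies=STRATEGIES):
    """Effective RTO and chosen strategy for every system."""
    eff = effective_rtos(rtos, depends_on)
    return {s: {"effective_rto": eff[s], "strategy": cheapest_strategy(eff[s], strategies)}
            for s in rtos}


# Constructed sample output of a BIA.
RTOS = {
    "citizen portal": timedelta(hours=4),
    "tax database": timedelta(hours=48),
    "payroll": timedelta(hours=72),
}
DEPENDS_ON = {"citizen portal": ["tax database"]}

if __name__ == "__main__":
    for system, choice in select_strategies(RTOS, DEPENDS_ON).items():
        print(f"{system}: effective RTO {choice['effective_rto']}, "
              f"strategy {choice['strategy']}")
```

Taken on its own, the tax database's 48 hour RTO would be met by vaulting; because the citizen portal depends on it and must be back within 4 hours, the database inherits the 4 hour RTO and needs mirroring, which is the cost of covering the interdependency. Payroll, with no dependants and a 72 hour RTO, gets the cheapest option.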
Phase IV: Plan Development

• DR Plan contains an integrated set of procedures and resource information that is used to
recover from an event that has caused a disruption to business operations
• It answers questions on responding to a disaster in terms of:
– Who
– What
– When
– Where
– Why
– How
• Plans Contain
– Each failure scenario has one or more approved alternatives
– Preparation Plan
• Advance steps to prepare for the implementation of the alternatives
• Not all alternatives require preparation
– Execution Plan
• The steps to follow if a failure/disaster occurs
• Includes identification of internal and external dependent groups
Phase IV: Plan Development
1. DISASTER RECOVERY PLANNING OVERVIEW
2. OBJECTIVE OF THE DRP
3. ASSUMPTIONS
4. CLASSIFICATION OF A DRP EVENT
5. SITE DETAILS
6. DRP EVENT HANDLING STRATEGY
7. DRP RECOVERY ORGANISATION
8. FIRST CONTACT AND EVENT REPORTING
9. DECLARATION OF DRP EVENT
10. MEDIA MANAGEMENT PLAN
11. EVACUATION PROCEDURES
12. CRISIS MANAGEMENT TEAM
13. ROLES & RESPONSIBILITIES OF CMT
14. CMT RECOVERY ACTIONS
15. FACILITIES RECOVERY TEAM (FRT)
16. CLASSIFICATIONS OF DRP EVENTS (L1, L2, L3..)
17. DRP ADMINISTRATION
18. PLAN ADMINISTRATION & TESTING
19. PLAN MAINTENANCE
20. PLAN DISTRIBUTION
21. COMPLIANCE AUDIT
Phase IV: Plan Development
1. EMERGENCY CONTACT NUMBERS
2. DETAILED DAMAGE ASSESSMENT AND SALVAGE CONTROL SHEET
3. PROPERTY REMOVAL FORM
4. LIST OF IT VENDORS & SERVICE PROVIDERS
5. LIST OF ADMINISTRATION VENDORS
6. IT HARDWARE INVENTORY
7. INSURANCE DETAILS
8. NETWORK DIAGRAM
9. DRP MAINTENANCE CHECKLIST
10. DRP CHANGE REQUEST FORM
Phase IV: Plan Development – Details for failure Scenario
Failure Scenario
Possible Causes
Enablers impacted | Processes Impacted | Departments/Functions impacted

Pre-Events (prevention measures)
Action Steps | Dept Responsible | Individual Responsible

Detection and Escalation
Action Steps | Triggers | Responsibility

Emergency
Action Steps | Dept Responsible | Individual Responsible

Recovery
Action Steps | Dept Responsible | Individual Responsible


Phase V: Testing and Maintenance

Objectives:
• Establish testing and maintenance procedures and timetable
• Testing the plan and procedures
• Finalise and maintain DRP

Benefits:
• Determine if documented recovery strategies & associated recovery
procedures are viable to recover critical business functions within their
stated recovery time objectives
• Validates planning assumptions
• Identifies strengths and weaknesses
• Provides the opportunity for all parties (IT & other Business Units) to
participate together
Testing - Component Testing

• Actual physical exercises designed to assess the readiness and
effectiveness of discrete plan elements and recovery activities.

• Isolation of key recovery activities allows team members to focus their
efforts while limiting testing expense and resources.

• Effective for identifying and resolving issues that may adversely affect
the successful completion of a full interruption test.
Types of Tests

Until you thoroughly test all the recovery procedures, the organization
shouldn't expect those procedures to save it from ruin if a disaster strikes.
• Checklist test
– Preliminary test where the DR plan is reviewed to ensure that it addresses all
the procedures and critical areas
• Simulation test
– All the operational and support personnel who are expected to perform in case of
a disaster meet for a practice session.
– Typically goes to the point of relocating to the alternate site but does not perform
actual recovery
• Parallel test
– Test processes run parallel to the real processes.
– Goal is to ensure that critical systems will run at the alternate site if required
• Full interruption test
– Disaster is replicated to the point of ceasing normal production operations.
The absolute way to test whether the DR site works or not.
Slide 46
Thank you…..

Slide 47
Course: Information Security Management
in e-Governance

Day 3

Session 1: Information Security Audits


Agenda

 Need for information security audit and its objectives


 Categories of information security audit
 Scope of information security audit and expected outcomes
 Network security assessment
 Role of information security auditor

Slide 2
Security Audits - FAQ

• We already have firewalls in place. Isn't that enough?
• We did not realize we could get security audits. Can you really get security audits, just like
financial audits?
• We have already had a security audit. Why do we need another one?

Slide 3
Answers

• Firewalls and other devices are simply tools to help provide security. They do not, by
themselves, provide security.
• Using a castle as an analogy, think of firewalls and other such tools as simply the walls and
watch towers. Without guards, reports, and policies and procedures in place, they provide
little protection.
• Security audits, like financial audits, should be performed on a regular basis.

Slide 4
Security Audit…

Business use of IT is involving an ever increasing number of:
• complex systems
• Networking
• Internet connectivity
• rapidly changing technology…..

Leads to more:
• gaps in the information security measures
• network & systems vulnerabilities
• hacking incidents…

Can be identified and addressed by testing/auditing security:
• periodically
• by validation of information security risks, mitigation measures, controls, policies and
procedures in the organization
• Comparison with the industry best practices…

Slide 5
Audit forms an integral part of security monitoring processes
Physical
• Preventative: locks and keys, backup power, biometric access controls, site selection,
fire extinguishers
• Detective: motion detectors, smoke and fire detectors, CCTV monitors, sensors and alarms

Technical
• Preventative: authentication, Firewalls & IPS, anti-virus software, encryption, access
control…..
• Detective: audit trails, intrusion detection, automated configuration monitoring,
penetration testing, vulnerabilities assessment, diagnostic reviews…

Administrative
• Preventative: employment procedures, supervision, technical training, separation of
duties, disaster recovery plans, security awareness training
• Detective: security reviews and audits, performance evaluations, required
vacations/rotation of duties, incident investigations, diagnostic reviews…

Slide 6
Defining security audit

Security Audit :
• Identifying the information security risks to the organization and evaluating the
information security measures and their effectiveness

• It is a systematic evaluation of the security of an organization's information
systems by measuring how well it conforms to best practices.

• An audit on the level of information security in an organization.

• Auditing information security covers topics from auditing the physical security of
data centers to auditing the logical security of databases and applications..

Slide 7
Why do you need a Security Audit?

• Most businesses are connected to the Internet and have implemented measures
(policies, systems) to protect themselves from unauthorised access/transactions
• IT can be at risk, even with all the right technology, if security policy and procedures
are poorly implemented or outdated
• A few software vulnerabilities account for the majority of successful attacks
• Hackers/attackers are opportunistic – taking the easiest and most convenient route.
• Hacking exploits the best-known flaws with the most effective and widely available
attack tools
• It counts on organizations not fixing the problems, and attackers often attack
indiscriminately, by scanning the Internet for vulnerable systems.

Slide 8
Need for IT Security Audit

• To ensure that the organization's security systems and processes are working as
intended
• To verify and ensure compliance with some of the legislations and acts
• To identify the gaps in the existing defenses…

Slide 9
IT Security Audit – Where does it fall

Security audit is the final step in the implementation of an Organization's
security defenses.

Various steps leading to Information security audit:
1. Identify the information asset and possible risks to those assets
2. Define and develop security policy covering what and how to protect the
Information asset
3. Enforce the policies
4. Finally, security audit encompassing testing and ensuring that the
Organization's assets are fully protected

Slide 10
Types of Security Audit

External Audit Assessment


- Public information collection
- External Penetration
• Non-destructive test
• Destructive test
Internal Audit Assessment
- Confidential information collection
- Security policy reviewing
- Interviews
- Environment and Physical Security
- Internal Penetration
- Security and controls review of information systems and infrastructure

Slide 11
External Audit Assessment

• Hacker's view of the network
• Simulate attacks from outside
• Point-in-time snapshots
• Can NEVER be 100%
• Ethical hacking
• conducted to identify the gaps in the information security systems with a view to bridge
these gaps for strengthening information security
• Organizations get ethical hacking/external audit done through professional agencies to
identify the gaps in the systems

Slide 12
External Audit-Public Information Gathering

This basically involves

- Network Identification
• Identify IP addresses range owned/used by the organization/systems in target
- Network Fingerprinting
• Try to map the network topology
• Perimeter models identifications
- OS & Application fingerprinting
• OS finger printing
• Port scanning to define services and application
• Banner grabbing

Slide 13
Internal Audit

• To assess the effectiveness of information security measures of the
organization with a view to bridge the identified gaps
• Conducted at the premises
• A process of hacking with full knowledge of the network topology and
other crucial information.
• Also to identify threats within the organization and surrounding the
information systems

Slide 14
Focus of IT Security Audit (Illustrative)

• Information Security Policies and Procedures
• Information Security Architecture
• Business Applications
• Database systems and data sources
• Computing infrastructure (Servers, PCs..)
• Network infrastructure (Router, Switch, WAN, LAN, VPN..)
• Security Infrastructure (Firewall, IPS/IDS, Antivirus)
• Physical Security (physical access control systems to data center, end user environment i.e.
bio-metric, CC TV..)
• Environmental controls (Power, cooling system, UPS etc)
• HR Awareness
• IT Systems Documentation

Slide 15
Security Audit Horizon…..

The audit covers each layer (Business Applications, Databases, Operating Systems, Network,
IT Processes) against General Computer Controls, Application Controls, Technical Security
Controls, and Architecture, Policy and Procedures:

Business Applications for core and support functions of the Government
 Logical Access Controls
 Procedural controls
 Input/output Controls
 Audit trails
 Configuration controls

Databases supporting business applications
 Access Controls
 Data Integrity controls
 Configuration controls
 Audit & Accounting policies

Operating systems hosting business applications and databases
 User Management and Password policies
 Access Controls
 Accounting & Audit policies
 Service packs and security patches

Network infrastructure comprising of LAN and Internet supporting administrative access
 Access controls
 Security policies
 Management and Monitoring controls

IT Processes (Architecture, Policy and Procedures)
 Physical access Controls
 Environmental Controls
 Backup procedures
 Asset Management Processes
 Insurance Policies

Slide 16
Security Audit Horizon…..

Audit areas around the application tiers (Database server, Application server,
Presentation server, Internet Firewalls):
• Authorizations and Security management
• Legacy System Interfaces
• Testing, Conversion & project
• Physical Security & Environmental
• Database Management
• Database Integrity
• Operating System Security
• Change Control
• Enterprise Security Policies & Procedures
• Configuration Management & Control
• Business Process Controls
• Backup, Recovery and Contingency Planning

Slide 17
What does IT Security Auditing involve..
Some standard techniques
IT security auditing to assess the security posture of systems and networks can include a
combination of the following:
• Network Scanning
• Vulnerability Scanning
• Password Cracking
• Log Review
• Integrity Checkers
• Virus Detection
• Penetration Testing etc…

Slide 18
Network Scanning

• Involves using a port scanner to identify all hosts potentially connected to an organization's
network, the network services operating on those hosts and the specific application running
each identified service.

• Provides a comprehensive list of all active hosts and services, printers, switches, and routers
operating in the address space scanned by the port-scanning tool, i.e., any device that has a
network address or is accessible to any other device.

• Port scanners first identify active hosts in the address range specified by the user using
Transmission Control Protocol/Internet Protocol (TCP/IP) Internet Control Message Protocol
(ICMP) ECHO and ICMP ECHO_REPLY packets

Slide 19
Network Scanning (contd..)

Organizations should conduct Network scanning to:
• Identify unauthorized hosts connected to the organization’s network
• Identify vulnerable services
• Check for deviations from the allowed services defined in the organization’s security policy
• Prepare for penetration testing
• Assist in the configuration of the intrusion detection system (IDS)
• Collect forensics evidence.

Slide 20
Network Scanning (contd..)

The following corrective actions may be necessary as a result of network


scanning:
• Investigate and disconnect unauthorized hosts,
• Disable or remove unnecessary and vulnerable services,
• Modify vulnerable hosts to restrict access to vulnerable services to a limited
number of required hosts (e.g., host level firewall or TCP wrappers), and
• Modify enterprise firewalls to restrict outside access to known vulnerable
services.
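As an added example (not part of the course material), the policy comparison that the scan results feed into, written in Go: a constructed scan output and a constructed allowed-services list are compared, and each unauthorized host or non-permitted service comes out as a finding that the corrective actions above apply to.

```go
package main

import (
	"fmt"
	"sort"
)

// Service is one listening service observed (or permitted) on a host.
type Service struct {
	Port  int
	Proto string // "tcp" or "udp"
}

// ScanResult is a port scan's output over the audited address range:
// host address -> services found listening. Constructed inline here; in a
// real audit it would be parsed from the scanner's report.
type ScanResult map[string][]Service

// Policy is the allowed-services list from the security policy:
// host address -> services permitted. A host absent from the policy is an
// unauthorized host.
type Policy map[string][]Service

// Finding is one deviation that the corrective actions on the slide apply to.
type Finding struct {
	Host   string
	Kind   string // "unauthorized-host" or "disallowed-service"
	Detail string
}

// CompareScanToPolicy returns every deviation between what the scan observed
// and what the policy allows, sorted by host so the report is stable.
func CompareScanToPolicy(scan ScanResult, policy Policy) []Finding {
	var findings []Finding
	for host, observed := range scan {
		allowed, known := policy[host]
		if !known {
			findings = append(findings, Finding{host, "unauthorized-host",
				fmt.Sprintf("%d service(s) listening on a host not covered by policy", len(observed))})
			continue
		}
		allowedSet := make(map[Service]bool, len(allowed))
		for _, s := range allowed {
			allowedSet[s] = true
		}
		for _, s := range observed {
			if !allowedSet[s] {
				findings = append(findings, Finding{host, "disallowed-service",
					fmt.Sprintf("%d/%s listening but not permitted by policy", s.Port, s.Proto)})
			}
		}
	}
	sort.Slice(findings, func(i, j int) bool {
		if findings[i].Host != findings[j].Host {
			return findings[i].Host < findings[j].Host
		}
		return findings[i].Detail < findings[j].Detail
	})
	return findings
}

// Constructed sample data (not from any real network).
var sampleScan = ScanResult{
	"10.0.1.10": {{22, "tcp"}, {80, "tcp"}, {443, "tcp"}}, // web server, as expected
	"10.0.1.11": {{22, "tcp"}, {3306, "tcp"}, {23, "tcp"}}, // db server with telnet open
	"10.0.1.57": {{139, "tcp"}, {445, "tcp"}},             // host unknown to the policy
}

var samplePolicy = Policy{
	"10.0.1.10": {{22, "tcp"}, {80, "tcp"}, {443, "tcp"}},
	"10.0.1.11": {{22, "tcp"}, {3306, "tcp"}},
}

func main() {
	for _, f := range CompareScanToPolicy(sampleScan, samplePolicy) {
		fmt.Printf("%-10s %-19s %s\n", f.Host, f.Kind, f.Detail)
	}
}
```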

Slide 21
Vulnerability Scanning

• Vulnerability scanning identifies hosts and open ports, together with information on
the associated vulnerabilities
• Differs from port scanning in that it does not rely on human interpretation of the results
• Most vulnerability scanners also attempt to provide information on mitigating
discovered vulnerabilities
• Vulnerability scanners provide system and network administrators with proactive
tools that can be used to identify vulnerabilities before an adversary can find them
• A vulnerability scanner is a relatively fast and easy way to quantify an
organization's exposure to surface vulnerabilities
• Vulnerability scanners can also help identify out-of-date software versions,
applicable patches or system upgrades, and validate compliance with, or deviations
from, the organization's security policy

Slide 22
Vulnerability Scanning (contd..)

Vulnerability scanners provide the following capabilities:
• Identifying active hosts on the network
• Identifying active and vulnerable services (ports) on hosts.
• Identifying applications and banner grabbing.
• Identifying operating systems.
• Identifying vulnerabilities associated with discovered operating systems and
applications.
• Identifying mis-configured settings.
• Testing compliance with host application usage/security policies.
• Establishing a foundation for penetration testing

Slide 23
Vulnerability Scanning (contd..)
The following corrective actions may be necessary as a result of vulnerability scanning:
• Upgrade or patch vulnerable systems to mitigate identified vulnerabilities as appropriate
• Deploy mitigating measures if the system cannot be immediately patched in order to
minimize the probability of this system being compromised
• Improve configuration management program and procedures to ensure that systems are
upgraded routinely
• Assign a staff member to monitor vulnerability alerts and mailing lists, examine their
applicability to the organization's environment and initiate appropriate system changes
• Modify the organization's security policies, architecture, or other documentation to ensure
that security practices include timely system updates and upgrades

Slide 24
Password Cracking

• Password cracking programs can be used to identify weak passwords.
• Password cracking verifies that users are employing sufficiently strong passwords.
• During a penetration test or a real attack, password cracking employs captured
password hashes.
• Password hashes can be intercepted when they are transmitted across the
network (using a network sniffer) or they can be retrieved from the targeted system.
• Once the hashes are obtained, an automated password cracker rapidly generates
hashes until a match is found.

Slide 25
Log Reviews

• Various system logs can be used to identify deviations from the organization's security policy.
• Review focuses on firewall logs, IDS logs, server logs, and any other logs that are collecting
audit data on systems and networks
• Log review and analysis can provide a dynamic picture of ongoing system activities that can
be compared with the intent and content of the security policy.
• Essentially, audit logs can be used to validate that the system is operating according to
policies.

Slide 26
Log Reviews (contd..)

The following actions can be taken if a system is not configured according to policies:
• Remove vulnerable services if they are not needed.
• Reconfigure the system as required to reduce the chance of compromise.
• Change firewall policy to limit access to the vulnerable system or service.
• Change firewall policy to limit accesses from the IP subnet that is the source of compromise.
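An added Go example, not from the deck, of the log review described above: constructed firewall log lines in an assumed key=value format are checked against an allowed-services policy, accepted flows outside the policy are reported, and denied attempts are aggregated by source /24 so the subnet to restrict in the firewall policy stands out.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// Entry is one parsed firewall log line. The format is constructed for this
// example: "<timestamp> <fw-host> <ACCEPT|DENY> key=value ...".
type Entry struct {
	Action, Dst, Proto string
	Src                net.IP
	DPort              int
}

// ParseLine parses one line; ok is false for lines that do not fit the format,
// so malformed input is counted rather than silently treated as traffic.
func ParseLine(line string) (e Entry, ok bool) {
	f := strings.Fields(line)
	if len(f) < 4 {
		return Entry{}, false
	}
	e.Action = f[2]
	for _, kv := range f[3:] {
		pair := strings.SplitN(kv, "=", 2)
		if len(pair) != 2 {
			return Entry{}, false
		}
		switch pair[0] {
		case "src":
			e.Src = net.ParseIP(pair[1])
		case "dst":
			e.Dst = pair[1]
		case "proto":
			e.Proto = pair[1]
		case "dport":
			e.DPort, _ = strconv.Atoi(pair[1]) // 0 on error, rejected below
		}
	}
	if e.Src == nil || e.Dst == "" || e.Proto == "" || e.DPort == 0 {
		return Entry{}, false
	}
	return e, true
}

// Allowed is the policy: destination host -> set of "proto/port" services that
// may be reached from outside. An ACCEPTed flow to anything else is a deviation.
type Allowed map[string]map[string]bool

type Review struct {
	Deviations []string       // accepted flows the policy does not permit
	DeniesBy   map[string]int // DENY count per /24 source subnet
	Malformed  int            // lines that could not be parsed
}

// ReviewLogs checks accepted traffic against policy and aggregates denies by
// source /24, so a subnet that keeps probing the perimeter stands out as a
// candidate for a tighter firewall rule.
func ReviewLogs(lines []string, policy Allowed) Review {
	r := Review{DeniesBy: map[string]int{}}
	for _, line := range lines {
		e, ok := ParseLine(line)
		if !ok {
			r.Malformed++
			continue
		}
		svc := e.Proto + "/" + strconv.Itoa(e.DPort)
		switch e.Action {
		case "ACCEPT":
			if !policy[e.Dst][svc] { // a host missing from policy allows nothing
				r.Deviations = append(r.Deviations, fmt.Sprintf("%s -> %s %s", e.Src, e.Dst, svc))
			}
		case "DENY":
			subnet := e.Src.Mask(net.CIDRMask(24, 32)).String() + "/24"
			r.DeniesBy[subnet]++
		}
	}
	return r
}

// Constructed sample log lines and policy (documentation-range addresses).
var sampleLog = []string{
	"2024-05-01T09:00:01Z fw1 ACCEPT src=198.51.100.20 dst=10.0.1.10 proto=tcp dport=443",
	"2024-05-01T09:00:05Z fw1 ACCEPT src=198.51.100.21 dst=10.0.1.11 proto=tcp dport=23",
	"2024-05-01T09:01:10Z fw1 DENY src=203.0.113.7 dst=10.0.1.11 proto=tcp dport=22",
	"2024-05-01T09:01:11Z fw1 DENY src=203.0.113.7 dst=10.0.1.11 proto=tcp dport=3389",
	"2024-05-01T09:01:12Z fw1 DENY src=203.0.113.9 dst=10.0.1.10 proto=tcp dport=445",
	"corrupted line",
}
var samplePolicy = Allowed{"10.0.1.10": {"tcp/80": true, "tcp/443": true}}

func main() {
	r := ReviewLogs(sampleLog, samplePolicy)
	fmt.Println("deviations:", r.Deviations)
	fmt.Println("denies by source /24:", r.DeniesBy, "malformed:", r.Malformed)
}
```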

Slide 27
Virus Detectors

• All organizations are at risk of “contracting” computer viruses, Trojans and worms if they are
connected to the Internet, or use removable media (e.g., floppy disks and CD-ROMs), or use
shareware/freeware software.
• The impact of a virus, Trojan, or worm can be as harmless as a pop-up message on a
computer screen, or as destructive as deleting all the files on a hard drive.
• With any malicious code, there is also the risk of exposing or destroying sensitive or
confidential information.
• Virus detectors help identify virus programmes already present on the systems

Slide 28
Virus Detectors (contd..)

• The virus detector installed on the network infrastructure is usually installed on mail servers or
in conjunction with firewalls at the network border of an organization.
• Server based virus detection programs can detect viruses before they enter the network or
before users download their e-mail.
• The other type of virus detection software is installed on end-user machines.
• Software detects malicious code in e-mails, USB disks, hard disks, documents and the like but
only for the local host
• The software also sometimes detects malicious code from web sites.
• This type of virus detection program has less impact on network performance but generally
relies on end-users to update their signatures, a practice that is not always reliable.

Slide 29
Virus Detectors (contd..)

The following steps are recommended:
• Virus definition files should be updated at least weekly and whenever a major outbreak of
a new virus occurs.
• The anti-virus software should be configured to run continuously in the background and
use heuristics, if available, to look for viruses.
• After the virus definition files are updated, a full system scan should be performed.

Slide 30
Penetration Testing

• Penetration testing is security testing in which evaluators attempt to circumvent the security
features of a system based on their understanding of the system design and implementation.
• The purpose of penetration testing is to identify methods of gaining access to a system by
using common tools and techniques used by attackers.
• However, it is a very labor-intensive activity and requires great expertise to minimize the risk
to targeted systems.
• It may slow the organization's network response time due to network scanning and
vulnerability scanning.

Slide 31
Penetration Testing (contd..)
The rules of engagement should include:
• Specific IP addresses/ranges to be tested
• Any restricted hosts (i.e., hosts, systems, subnets, not to be tested)
• A list of acceptable testing techniques (e.g. social engineering, DoS, etc.) and tools
(password crackers, network sniffers, etc.)
• Times when testing is to be conducted (e.g., during business hours, after business hours,
etc.)
• Identification of a finite period for testing
• IP addresses of the machines from which penetration testing will be conducted so that
administrators can differentiate the legitimate penetration testing attacks from actual
malicious attacks
• Points of contact for the penetration testing team, the targeted systems, and the networks
• Measures to prevent law enforcement being called with false alarms (created by the
testing)
• Handling of information collected by penetration testing team.

Slide 32
Penetration Testing (contd..)

• To simulate an actual external attack, the testers are not provided with any real information
about the target environment other than targeted IP address/ranges and they must covertly
collect information before the attack.

• An internal penetration test is similar to an external except that the testers are now on the
internal network (i.e., behind the firewall) and are granted some level of access to the network
(generally as a user but sometimes at a higher level).

• The penetration testers will then try to gain a greater level of access to the network through
privilege escalation

Slide 33
Internal Audit – Security Policy Review

• Understand and analyse the approach adopted by the organisation for
Enterprise Security Architecture as compared with the standard approach to
highlight any gaps
• Identify the gaps between corporate policies and security architecture
• Assess whether the Security Policy relates to the business requirements and meets the
direction and expectations of senior management
• Perform Gap Analysis between Security Policies and Information Systems
Strategic Plans
• Ensure that there are clearly defined expectations, roles and responsibilities
amongst end users and administrators
• Ensure that detailed technical and security administration processes and
procedures have been exhaustively elaborated in the administrative guidelines
• Ensure that there are sufficient compliance controls to ensure that the security
policies and standards are being complied with
• Assess the adequacy of the Business Resumption/ Disaster Recovery Plan

Slide 34
Internal Audit-Information gathering

• Discussion of the network topology
• Placement of perimeter devices of routers and firewalls
• Placement of mission critical servers
• Existence of IDS
• Logging

Slide 35
Internal Audit-Environment & Physical Security

• Locked / combination / card swipe doors
• Temperature / humidity controls
• Neat and orderly computing rooms
• Fire suppression equipment
• UPS (Uninterruptible power supply)….

Slide 36
Internal Audit-Penetration

An internal penetration test can be divided into a few categories:
- Network
- Perimeter devices
- Servers and OS
- Application and services
- Monitor and response

Slide 37
Internal Audit-Network

• Location of devices on the network
• Redundancy and backup devices
• Staging network
• Management network
• Monitoring network
• Other network segmentation
• Cabling practices
• Remote access to the network

Slide 38
Internal Audit-Perimeter Devices

Involves checking the configuration of perimeter devices like
- Routers
- Firewalls
- Wireless
- VPN servers

The test involves the following:
- Test the ACLs and filters, such as egress and ingress filters
- Firewall rules
- Configuration access method
- Logging methods

Slide 39
Internal Audit-Server & OS

• Identify mission critical servers like application, database, DNS, Email and
others..
• Examine the OS and the patch levels
• Examine the ACL on each server
• Examine the management controls (accounts & passwords)
• Placement of the servers
• Backup and redundancy

Slide 40
Internal Audit-Application & Services

Identify services and applications running on the mission critical servers.
Check vulnerabilities for the versions running. Remove unnecessary
services/applications.
This may include:
- DNS
• Name services
- Email
• POP3, SMTP
- Web/HTTP
- SQL
- Others

Slide 41
Internal Audit-Monitor & Response
Audit should check for procedures on:

Event Logging and Audit
- What is logged?
- How frequently are logs reviewed?
- How long are logs kept?
Network monitoring
- What is monitored?
- How are alerts responded to?
Intrusion Detection
- Is an IDS in place?
- What rules and detection are used?
Incident Response
- How is an attack responded to?
- What is the recovery plan?
- Follow up?

Slide 42
Internal Audit-Analysis and Report

Analysis of results
- Check compliance with security policy
- Identify weaknesses and vulnerabilities
- Cross check with external audit report
Report - key to realizing value
- Must have 2 parts
• Non-technical (for management use)
• Technical (for IT staff)
- Methodology of the entire audit process
- Separate Internal and External
- State weaknesses/vulnerabilities
- Suggest solutions to harden security

Slide 43
Guidelines for auditee organizations for Security Audit –
Issued by CERT-In

Slide 44
Guidelines for auditee organizations for Security Audit

The auditing contract should have the following:

Introduction – identifies the purpose, participants, and scope of audit
- Purpose
- Participants (auditee & auditor organization and any other)
- Audit scope definition
Audit Environment
• Describes the environment in which the auditor will perform the audit
including the physical location, hardware/software being used, policy and
procedures the auditor will need to follow.
• Entities and Locations
• Facilities at each location
• Equipment at each location
• Policies, Procedures and Standards
• Agreements and Licenses

Slide 45
Guidelines for auditee organisations for Security Audit

Roles and Responsibilities: describes the roles and responsibilities of all
major participants.
• In case any of the activities to be audited in the auditee organisation is
outsourced, the auditee must ensure that relevant personnel from the outsourced
organization are available at the time of the audit.
• The auditor’s responsibilities need to articulate not just the audit tasks, but
also the documentation of their activities, reporting their actions etc

Slide 46
Auditee roles and responsibilities for Security Audit

• The auditee refrains from carrying out any unusual or major network changes during
auditing/testing.
• To prevent a temporary raising of security only for the duration of the test, the auditee notifies
only key people about the auditing/testing. It is the auditee’s judgment which discerns who
the key people are; however, it is assumed that they will be people at policy making level,
managers of security processes, incident response, and security operations.
• If necessary for privileged testing, the auditee provides the necessary access tokens, whether
they be logins and passwords, certificates, secure ID numbers, etc., and they are typical of
the users of the privileges being tested.

Slide 47
List of typical reviews and tests

• Review of security policies and procedures
- Review of organization IT security policy and management system
- Review of security procedures including
- Incident response
- Business continuity planning and disaster
• Information Security Testing
- Information Integrity Review
- Intelligence Survey
- Human Resources Review
- Competitive Intelligence Scouting
- Privacy Controls Review
- Information Controls Review

Slide 48
List of typical reviews and tests

Internet Technology Security Testing
1. Logistics and Controls
2. Posture Review
3. Intrusion Detection Review
4. Network Surveying
5. System Services Identification
6. Competitive Intelligence Scouting
7. Privacy Review
8. Document Grinding
9. Internet Application Testing
10. Exploit Research and Verification
11. Routing
12. Trusted Systems Testing
13. Access Control Testing
14. Password Cracking
15. Containment Measures Testing
16. Survivability Review
17. Denial of Service Testing
18. Security Policy Review
19. Alert and Log Review

Slide 49
Role of Auditors….

Slide 50
Role of Auditors

To determine whether
- Appropriate controls supporting integrity of business processes have been
incorporated
- Appropriate security controls have been designed to minimise the risks of
unauthorised access
- Appropriate controls exist surrounding the multi-platform Client server
environment

Internal Auditors have to understand the objectives and implications of the
Enterprise policies, procedures and standards, assess and control their
compliance on a continued basis

Slide 51
Selecting external security consultants – Questions you need to
ask !!

• Does the consultant organization offer a comprehensive suite of services,
tailored to specific requirements?
• Does the consulting organization have a quality certification?
• Does the consulting organization have a track record of having handled a
similar assignment for security consulting?
• Do the organization’s security professionals hold certificates like CISSP,
CISA, CSM and CIPP?
• Does the Organization have a sound methodology to follow?
• Is the Organization a recognized contributor within the security industry in
terms of research and publication etc.?

Slide 52
End of Session

Slide 53
Course: Information Security Management
in e-Governance

Day 3

Session 2: Regulatory framework of
e-Governance
Slide 1
Agenda

 Need for regulatory framework for e-Governance
 IT Act 2000, its amendments and related provisions
 Other policy frameworks related to e-Governance (data protection, privacy,
cyber laws, IPR…)
 Impact of e-Governance on existing legislations and acts

Slide 2
Why a Regulatory Framework?

• E-Commerce & E-Government service delivery involves:
 Use of Electronic Records
 Electronic Transactions
 Electronic Contracts
 Handling of citizen data & privacy issues
 Issue of Certificates electronically…
Most of these issues are common also to the wider e-Commerce landscape of the country,
and need to be addressed to build trust in electronic transactions. The existing Regulatory
Framework may need amendments to recognise this new form of doing business.
• Other e-Governance specific aspects include:
 Legal backing to e-Governance initiatives
 Formalisation of Standards and Interoperability norms
 Data Protection, Privacy and IPR issues
 Mechanism for socially inclusive service delivery

Slide 3
Electronic Transactions: How are they different?

• Challenges posed by e-Commerce:
- Classification difficulties: the virtual goods
- New contract types: web hosting, web server etc.
- Transactions taking place in open platforms
• … but the essence of business transactions remains the same.
• Conventional law has not become obsolete...
- “On line” contracts are not different from “off line”
- Medium of a transaction is generally irrelevant for the law.
• …and nevertheless, it requires some adaptation.

Slide 4
Legal Obstacles to e-Commerce

• Legal concepts are based on the existence of a tangible medium:
- “instrument”, “document”, “original”, “signature”
• Legal concepts based on geographic location:
- “delivery”, “receipt”, “dispatch”, “surrender”
• Functional Equivalence needs to be established between the Manual
and Electronic media used (electronic records, signatures,
documents, communication)

Slide 5
Achieving Functional Equivalence

• Paper-based requirements (“writing”, “record”, “signature”,
“original”) specify certain purposes and functions
• Consider criteria necessary to replicate those functions and
give electronic data the same level of recognition as
information on paper
• A paper document signed by an individual fulfils the following
criteria:
- The document can be attributed to the individual as the
signature is unique to the person (authenticity, non repudiation
and integrity)
• If the electronic document can replicate these functions (e.g. by use
of a Digital Signature Certificate attached to the document), it is
functionally equivalent to the paper document

Slide 6
Providing legal backing for Functional Equivalence

If certain conditions are fulfilled, the legal value of electronic transactions shall be
equivalent to that of other forms of communication, such as the written form.

This can be achieved by a single enactment of Law without having to review every
single piece of existing legislation establishing formal requirements.

Indian IT Act, 2000 achieves this by defining the conditions by which equivalence can be
ascertained between paper based and electronic documents.

Slide 7
Genesis of IT Act - The UNCITRAL Model Law

• As electronic transactions extend across national boundaries, there
is a need for international harmonization in IT Laws
• The United Nations Commission on International Trade Law
(UNCITRAL) is the legal body of the United Nations system in the
field of international trade law
• UNCITRAL drafted the “UNCITRAL Model Law on Electronic
Commerce - 1996” for adoption by countries
• The e-Commerce / IT Laws of most countries are modelled on the
UNCITRAL Model Law

Slide 8
Objectives of the Model Law

• To facilitate rather than regulate electronic commerce
• To adapt existing legal requirements
• To provide basic legal validity and raise legal certainty

Basic Principles of Model Law:
• Functional Equivalence: Law to provide conditions for equivalence of
handwritten (manual) and electronic records, signatures etc
• Media and Technology Neutrality: Law to treat all technologies on an
equal footing
• Party Autonomy: Law to provide the transacting parties the autonomy to
choose to use e-Commerce and decide security levels

Slide 9
IT Act, 2000

• Came into effect from October 17th, 2000 on the lines of the UNCITRAL Model Law
• India is the 12th nation in the world to adopt Cyber Laws
• The Act applies to the whole of India and also applies to any offence or
contravention thereunder committed outside India by any person irrespective of his
nationality, if such act involves a computer, computer system or network located in
India
• 94 Sections segregated into 13 Chapters and 4 Schedules
• IT Act 2000 was amended through the Information Technology Amendment Act,
2008 which came into effect from October 27, 2009

The IT Act and its amendments are equivalent to:
- at least 45 (and counting) U.S. Federal enactments
- at least 598 (and counting) U.S. State enactments
- at least 16 (and counting) UK enactments

Slide 10
Objectives of IT Act, 2000

• Legal Recognition for transactions carried out by means of electronic data
interchange
- Digital Signatures and Regulatory Regime for Digital Signatures
- Admissibility of Electronic Documents at par with paper documents
• E-Governance
- Electronic Filing of Documents and E-Payments
• Define Civil wrongs, Offences, punishments
- Investigation, Adjudication of Cyber crimes
- Appellate Regime
• Amend existing Acts to address IT Act provisions
- Indian Penal Code & Indian Evidence Act - 1872
- Banker’s Books Evidence Act – 1891 & Reserve Bank of India Act – 1934

Slide 11
IT Act – Important Definitions
• “access” means gaining entry into, instructing or communicating with the logical,
arithmetic or memory function resources of a computer, computer resource or
network;
• "computer" means electronic, magnetic, optical or other high-speed data
processing device or system which performs logical, arithmetic and memory
functions by manipulations of electronic, magnetic or optical impulses, and includes
all input, output, processing, storage, computer software or communication facilities
which are connected or related to the computer in a computer system or computer
network;
• "computer network" means the inter-connection of one or more computers through-
(i) the use of satellite, microwave, terrestrial line or other communication media;
and (ii) terminals or a complex consisting of two or more interconnected computers
whether or not the interconnection is continuously maintained;

Slide 12
IT Act – Important Definitions

• "electronic record" means data, record or data generated, image or sound stored,
received or sent in an electronic form or micro film or computer generated micro
fiche;
• “security procedure” means the security procedure prescribed by the Central
Government under the IT Act, 2000.
• "secure electronic record" – where any security procedure has been applied to an
electronic record at a specific point of time, then such record shall be deemed to be
a secure electronic record from such point of time to the time of verification

Slide 13
Admissibility of Electronic Records

As per the definition provided in IT Act, 2000

• "electronic record" means data, record or data generated, image or sound
stored, received or sent in an electronic form or micro film or computer
generated micro fiche

Section 4 of the IT Act provides legal recognition to electronic records

• “If any information is required in printed or written form under any law the
Information provided in electronic form, which is accessible so as to be
usable for subsequent use, shall be deemed to satisfy the requirement of
presenting the document in writing or printed form”

Slide 14
Electronic Records in Government Service Delivery

Section 4: Where any law provides for:
• the filing of any form, application or any other document with any office, authority, body or
agency owned or controlled by the appropriate Government in a particular manner;
• the issue or grant of any license, permit, sanction or approval by whatever name called in a
particular manner;
• the receipt or payment of money in a particular manner;

“Such requirement shall be deemed to have been satisfied if such filing, issue,
grant, receipt or payment, as the case may be, is effected by means of such electronic
form as may be prescribed by the appropriate Government”

Section 9 of the Act clarifies that no person can insist that a government body should accept,
issue, create, retain and preserve any document in electronic form

The Law also gives recognition for publication of Rules, Regulation etc in Electronic
Gazette

Slide 15
Authentication of Electronic Records

• Section 3: Any electronic record may be authenticated by a subscriber using a
Digital Signature
“The authentication of the electronic record shall be effected by the use of
asymmetric crypto system and hash function which envelop and transform the initial
electronic record into another electronic record”

The Digital Signature Regime will be discussed in detail in the next session
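An added Go example, not from the deck or the IT Act, of the Section 3 mechanism: a SHA-256 hash of the record is signed with the subscriber's RSA private key (RSA-PSS), the signature envelops the record, and verification fails once a single byte of the record changes. The key pair and record text are constructed stand-ins; a real subscriber key would be certified by a licensed Certifying Authority.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SignedRecord couples an electronic record with the signature that envelops
// it: the hash of the record, transformed with the signer's private key.
type SignedRecord struct {
	Record    []byte
	Signature []byte
}

// SignRecord hashes the record with SHA-256 and signs the digest with the
// subscriber's private key using RSA-PSS (the asymmetric crypto system).
func SignRecord(priv *rsa.PrivateKey, record []byte) (SignedRecord, error) {
	digest := sha256.Sum256(record)
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return SignedRecord{}, err
	}
	return SignedRecord{Record: record, Signature: sig}, nil
}

// VerifyRecord recomputes the hash of the record as received and checks the
// signature against the subscriber's public key. It fails if the record was
// altered after signing or was signed by a different key, which is what gives
// integrity and non-repudiation.
func VerifyRecord(pub *rsa.PublicKey, sr SignedRecord) bool {
	digest := sha256.Sum256(sr.Record)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sr.Signature, nil) == nil
}

// Demo generates a key pair (a constructed stand-in for a subscriber key
// certified by a licensed Certifying Authority), signs a constructed record,
// and reports whether the genuine copy and a tampered copy verify.
func Demo() (genuineOK, tamperedOK bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	record := []byte("Constructed sample: application for renewal of trade licence")
	sr, err := SignRecord(priv, record)
	if err != nil {
		return false, false, err
	}
	genuineOK = VerifyRecord(&priv.PublicKey, sr)

	// Alter one byte of a copy of the record; the signature no longer matches.
	tampered := SignedRecord{Record: append([]byte(nil), sr.Record...), Signature: sr.Signature}
	tampered.Record[len(tampered.Record)-1] ^= 0x01
	tamperedOK = VerifyRecord(&priv.PublicKey, tampered)
	return genuineOK, tamperedOK, nil
}

func main() {
	genuine, tampered, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine record verifies: %v, tampered record verifies: %v\n", genuine, tampered)
}
```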

Slide 16
Retention of Electronic Records

Section 7: Where any law provides that documents, records or information
shall be retained for any specific period, then, that requirement shall be
deemed to have been satisfied if such documents, records or information are
retained in the electronic form, if:
• the information contained therein remains accessible so as to be usable for a
subsequent reference;
• the electronic record is retained in the format in which it was originally generated,
sent or received or in a format which can be demonstrated to represent accurately;
• the details which will facilitate the identification of the origin, destination, date and
time of dispatch or receipt of such electronic record are available in the electronic
record.

Slide 17
Attribution of Electronic Records

An electronic record can be attributed to the originator:
• if it was sent by the originator himself;
• by a person who had the authority to act on behalf of the originator in respect of
that electronic record; or
• by an information system programmed by or on behalf of the originator to operate
automatically.

Slide 18
Acknowledgement of receipt of Electronic Records

Acknowledgement of receipt of an electronic record:
• If the Originator has not specified a particular method - any communication, automated or
otherwise, from the addressee or conduct of the addressee indicating the receipt
of the record
• If it is specified that the receipt is necessary, then unless acknowledgement has been
received the Electronic Record shall be deemed to have never been sent
• Where acknowledgement is not received within the time specified or within a reasonable
time, the originator may give notice to treat the Electronic Record as though never
sent

Slide 19
Digital Signatures – IT Act Amendment
• The PKI Digital Signature Regime proposed by IT Act of 2000 is
Technology specific
• This is against the global best practices as envisaged in the
UNCITRAL Model Law on e-Signatures – 2001:
 Any electronic signature technology which fulfills the criteria of equivalence
between handwritten and electronic signatures, should be admissible
• Accordingly, the IT Act Amendments of 2008 provided recognition to
other electronic signature technologies, which are identified by the
Central Government

Slide 20
Major themes of IT Amendment Act, 2008

• To make the Act Technology Neutral:
 Enabling provision added to replace Technology specific “Digital
Signatures” to technology neutral “Electronic Signatures”. Central govt
to specify accepted forms of electronic signatures in the Rules
• To enable the IT Act to be easily amendable with advances of Technology
 Exclusion of applicability modified to allow Central Government to
change the list by executive orders (Rules)
• Enabling provision for PPP in e-Gov service delivery
• Provisions for more extensive coverage of Cyber Crimes including Cyber
Terrorism

Slide 21
Other Amendments in ITAA 2008
To be taken up in subsequent sessions:

• Amendments in Cyber Crime Regulation (Session 6)

• Amendments to Schedules concerning existing Acts (Session 7)

Slide 22
Statutory bodies under IT Act and its Amendments

• Controller of Certifying Authorities: regulating agency for the working of Licensed Certifying Authorities (already discussed in the Digital Signature Regime)
• Indian Computer Emergency Response Team (CERT-In): national nodal agency in the area of cyber security
• Cyber Appellate Tribunal: appellate body in cyber crime related cases (discussed in Session 6)

Slide 23
Indian Computer Emergency Response Team (CERT-In)

• Section 70A (1) of the ITAA 2008:
 The Central Government may, by notification published in the Official Gazette, designate any organisation of the Government as the national nodal agency in respect of Critical Information Infrastructure Protection
• Section 70B (1), separately, provides that the Central Government shall, by notification in the Official Gazette, appoint an agency of the Government to be called the Indian Computer Emergency Response Team; CERT-In is therefore a distinct body from the nodal agency designated under Section 70A
• CERT-In is headed by a Director General and performs functions relating to cyber security in the country

Slide 24
CERT-In : Mission and Mandate

Mission: ‘Alert, Advice and Assurance’

‘Ensure security of cyber space in the country’
by
‘Enhancing the security of communications and information infrastructure’
through
‘Proactive action and effective collaboration aimed at security incident prevention, prediction, response & recovery and security assurance’

Slide 25
Functions of CERT-In
• The functions of CERT-In (Section 70B (4)) are:
 collection, analysis and dissemination of information on cyber incidents;
 forecasts and alerts of cyber security incidents;
 emergency measures for handling cyber security incidents;
 coordination of cyber incident response activities;
 issue of guidelines, advisories, vulnerability notes and whitepapers relating to information security practices, procedures, prevention, response and reporting of cyber incidents;
 such other functions relating to cyber security as may be prescribed.
• Section 70B (6): CERT-In may call for information and give directions to service providers, intermediaries, data centres, body corporates and any other person
• No court shall take cognizance of any offence under this section except on a complaint made by an officer authorised in this behalf by CERT-In

Slide 26
Agenda for the session

• Impact of GPR / e-Governance projects on the legal framework: institutional structures, statutory powers
• Legislation that may need amendment specific to e-Governance initiatives (e.g. changes in the Public Procurement Act and Financial Rules to enable e-Procurement; changes in the Land Revenue Act to allow for electronic land records, etc.)

Slide 27
Impact of e-Governance on Legal Framework

Slide 28
Government Processes are related to Legal Framework..

• Processes are designed / evolve in accordance with the legislation governing that particular domain
• Some of these legislations may be old and antiquated:
 E.g. laws governing land record management include the Registration Act 1905, Stamp Act 1899, Survey & Boundaries Act 1923, Revenue Code 18xx
• The basis of the legal system is to put in controls, not better service delivery
• Acts are department-centric, not citizen-centric
• Rules are complex and tedious
 10,000 rules, 0.1 million forms!

• E-Government allows controls to be enforced in a cost-effective manner, allowing departments to concentrate on better service delivery

Slide 29
Many a time, process / service delivery problems can be traced back to legislative intent…

[Flow: Legislative Intent → Process Problems → Delivery Channel Problems → Delivery Problems]

• Legislation was well intentioned and relevant at the time it was drafted
• Focused more on control and ensuring compliance, rather than service delivery
• Rules added along the way, making the legal framework complex and tedious

Slide 30
Process problems arose due to the focus on control…

• Asking for too much information (by every agency, on every occasion)
• Burden of proof thrown on the citizen (attachments, annexures, attestations)
• Complexity of rules & regulations (anything to do with money is more complex!)
• Heavy reliance on manual systems
• No concept of quality assurance

Slide 31
Which was compounded by problems in delivery channels…

• Jurisdiction (too many ‘narrow domestic walls!’, too many ‘single windows’)
• Restricted timings
• Disparate and sub-optimal delivery networks
• No choice of delivery channels
• Process & delivery channel often combined, resulting in delay and malpractice

Slide 32
Which ultimately resulted in degraded service delivery…

• Mindset & attitudinal problems
• Delivery agents unsuitable (unqualified / untrained / unequipped)
• Lack of empowerment of front-end people
• Lack of dedicated delivery teams
• Delivery is handled on a part-time basis
• Lack of service levels and measurement systems

Slide 33
Some of the considerations when processes were designed...
…are no longer true with advances in technology

• Information can appear at only one place at a time
• Only experts can perform complex work
• We should choose between centralization & decentralization
• Managers make ALL the decisions
• Field personnel need a fixed place for communications
• Personal contact with the customer is the best contact
• You have to find out where things are..
• Plans get revised periodically

E-Government allows for the best of both worlds – better controls and better service delivery
Slide 34
But they are no longer valid in the e-Government context (1/2)

• Then: information can appear at only one place at a time. Technology aid: shared databases. Now: information can appear simultaneously at all the places it is needed
• Then: only experts can perform complex work. Technology aid: expert systems. Now: a generalist can do the work of an expert
• Then: we should choose between centralization & decentralization. Technology aid: networks. Now: we can get the benefits of centralization & decentralization simultaneously
• Then: managers make ALL the decisions. Technology aid: decision support systems. Now: decision-making is a part of everyone’s job

Slide 35
But they are no longer valid in the e-Government context (2/2)

• Then: field personnel need a fixed place for communications. Technology aid: wireless, laptops & PDAs. Now: field personnel can send and receive information anytime, anywhere
• Then: personal contact with the customer is the best contact. Technology aid: interactive video. Now: virtual contact with the customer is more convenient
• Then: you have to find out where things are.. Technology aid: RFID. Now: things tell you where they are!
• Then: plans get revised periodically. Technology aid: high performance computing. Now: plans get revised dynamically

Slide 36
Illustrative Case: MCA21

• MCA21 is one of the Central Mission Mode Projects, designed for electronic service delivery by the Ministry of Company Affairs (MCA)
• The project involved large scale Government Process Re-engineering and IT enablement of processes
• The legal framework governing the regulation of the corporate sector in India (company registration, compliance filing etc.) was amended to give sufficient legal backing to the e-Governance initiative
• As on date, all company registrations and compliance filings are mandated to be filed online

Slide 37
MCA21 – Background

• Ministry of Company Affairs’ primary function is the administration of the Companies Act, 1956, other allied Acts and the rules & regulations framed there-under
• The following services were proposed to be made online through the MCA21
project:
- Registration and incorporation of new companies
- Filing of Annual Returns and Balance Sheets
- Filing of forms for change of names/address/Director’s details
- Registration and verification of charges
- Inspection of documents
- Applications for various statutory services from MCA
- Investor grievance redressal

Slide 38
Situation before MCA21

• Company incorporation and compliance filing was done manually at Registrar of Companies (RoC) offices in States and Union Territories
• Each RoC also acted as the registry of records relating to the companies registered with it, which were made available for inspection by members of the public on payment of the prescribed fee
• Company data in silos in RoC offices, in paper form
• Time consuming process for filing and inspection
• Lack of transparency and reduced service levels
• Investor grievances given low priority
• Difficulty in doing any quantitative analysis of corporate information

Slide 39
MCA21 impact

After MCA21 rollout:
• Online registration and incorporation of companies
• Simplified and easy mode of filing of e-forms / returns
• Online registration and verification of charges
• Centralized data repository and online inspection of documents by the public

Impact:
• Anytime / anywhere service to corporates
• Corporate-centric approach
• Increased transparency
• Enhanced service levels
• MCA employees can devote more time to value added tasks, including data analysis
• Timely grievance redressal

Slide 40
Snapshot of MCA21 implementation (1/3)

Front Office (e-Filing, Facilitation centres):
• MCA21 portal as the single window for filing of information online
• Facilitation centres set up at select locations to ease the transition from manual to e-filing

Back Office:
• Automation of processing at RoC offices
• Centralised repository of company information
• Processing of filings and internal functions of MCA computerized
• Old records at each RoC digitized and made available online

Slide 41
Snapshot of MCA21 implementation (2/3)

[Figure: MCA21 implementation overview]
Source: MCA21 Process Handbook, Ministry of Company Affairs

Slide 42
Snapshot of MCA21 implementation (3/3)

• E-filing made mandatory, with Digital Signature Certificates
• All payments to be made through e-Payments (online banking / credit cards / payment at designated bank branches)
• E-Stamping mandated wherever stamp duty is to be paid
• Unique Company Identification Numbers (CIN) assigned to each registered company
• Directors of companies to obtain a Director Identification Number (DIN)
• Facilitation counters gradually being phased out in favour of filing from the customer’s premises

Slide 43
Legal Framework for the MCA21 project
• The processes of company registration and compliance filing were based on the Companies Act, 1956 (and the Rules made there-under) and the Monopolies and Restrictive Trade Practices Act, 1969

• The other relevant Acts included:
 - The Competition Act, 2002
 - The Chartered Accountants Act, 1949
 - The Cost and Works Accountants Act, 1959
 - The Company Secretaries Act, 1980
 - The Partnership Act, 1932
 - The Societies Registration Act, 1860
 - The Companies (Donation to National Fund) Act, 1951

Slide 44
Why do we need legal amendments?
• The following questions arise…
 Do electronic records have the same validity as paper records?
 How do I make it legally mandatory to file company information online?
 The Companies Act does not talk about CIN / DIN..
 What if a company goes to court insisting on its right to file returns in paper form?

Slide 45
Providing Legal Framework for the MCA21 project
• Some of these legal questions are answered by the IT Act:
 - Digital signature signing and submission of e-forms
 - Equivalence of electronic and paper records…

• But the domain legislation needs to be amended to reflect the new processes and procedures..

• Laws to be amended to incorporate enabling provisions, leaving procedural issues to be handled in subordinate legislation

• Subordinate legislation to be amended, detailing the new process regime

Slide 46
Amendment to Companies Act, 1956
Amendments to mandate Director Identification Number:
• Amendments to sections 253 and 266A to 266F to mandate every Director to obtain a DIN. No Director to be appointed or re-appointed without obtaining a DIN

Insertion of sections 610B to 610E to mandate electronic filing:
• 610B: Filing of applications, documents, inspection etc. through e-forms, as prescribed in the Rules
 RoC to maintain such documents in electronic form
• 610C: Power of the Central Government to modify the Act in relation to electronic records (including the manner and form of filing)
• 610D: Provision for providing value added services
• 610E: Provisions of the IT Act to apply in matters relating to electronic records

Specifics of e-Filing, payments, inspection etc. incorporated in the Companies General Rules and Forms, 1956
Slide 47
In Summary…

E-Governance initiative (GPR, IT enablement, enabling structures) → Amend laws to bring in enabling provisions → Amend sub-ordinate legislation to incorporate specific changes

Slide 48
End of Session

Slide 49
Course: Enterprise Applications and Open
Source Systems for e-Governance
implementation

Day 3

Session 3: Introduction to ERP Applications


Agenda

 Introduction to ERP Applications
 Benefits of ERP Applications
 Comparison of ERP applications with custom developed / bespoke software systems
 Challenges in ERP system implementations and measures for addressing the challenges
Introduction

• In today's environment, there is much greater interaction between citizens and Governments.
• Governments are more closely linked to citizens, internal staff and their suppliers.
• Governments seek operational efficiencies that will lower costs, improve citizen relations, increase revenues etc.
• All units of an organization must work together, in goal congruence, to achieve maximum operating effectiveness and efficiency.
• The pre-requisite is that information must be accurate and managed in a timely manner.
Historical system architectures

• Historically, organizations created “islands of automation / information”.
• A hodge-podge of various systems that operated or managed various divergent business processes.
• Sometimes these systems were integrated with each other and sometimes they weren’t.
• Sometimes they were loosely interfaced and sometimes they were more tightly interfaced.
IT Scenario………Before ERP

• Finance department decides to implement IT software….calls IT expert….develops IT solution for Finance department
• Purchase department decides to implement IT software….calls IT expert….develops IT solution for Purchase department
• HR team decides to implement IT software ….……….do…….………………. develops Human Resource software
• Production Planning team decides to implement IT software ….……….do…….………………. develops Planning software

Result
Too many home grown, independent, standalone and non-integrated software systems in the organization
Traditional File System

• Each system uses its own programs and files
• When systems are not integrated:
 Inability to share data
 Difficult to maintain
 Data duplication (i.e. redundancy)

[Diagram: System 1 and System 2, each with its own Program 1 and Program 2, each program holding its own copies of File 1, File 2 and File 3]
Disadvantages of multiple systems

• Data in too many systems and hence manual compilation
• Duplication of data entry
• Non-standard procedures
• Variations in information formats
• Only a few people have access to key information

Delay in getting simple information
Getting quick and accurate information is almost impossible

[Diagram: separate systems for Sales, Marketing, Service, Warranty, Finance, HR / training, Costing, Product Engineering, Purchase, Quality, Production and Stores]

Database Systems

• Systems share the same database
• The database allows systems integration:
 Systems share the same data
 Systems are easy to maintain
 No (or less) redundancy

[Diagram: System 1 and System 2, each with Program 1 and Program 2, all reading and writing one DBMS]
Business Integration?

[Diagram: vertical integration runs from Suppliers through the organization to Citizens; horizontal integration links the Production, Sales and Logistics Departments]
So can we integrate existing systems to make our own ERP?

• Integration of existing systems is technically very complex and expensive
• Needs a dedicated IT team
• The system can become very unstable after addition of new functionalities
• Maintenance of the system is expensive

Solution
Readymade software with built-in integration, called ERP
Enterprise Resource Planning (ERP) systems

Enterprise Resource Planning (ERP) systems integrate all the business processes through a common information system (or an integrated set of information systems)

[Diagram: Production, Warehousing, HR, Logistics, Legal and Accounting departments, each with its processes, all sharing a common database inside the ERP system]
Enterprise Resource Planning

Integrate all departments and functions across an organization / department onto a single computer system that can serve all those different departments' particular needs.
Enterprise Resource Planning Systems

• ERP systems integrate all the functions and departments within an organization through a common information system
• At the heart of ERP systems is a common database
• When a user enters or updates information in one module, it is immediately and automatically updated throughout the entire system
Enterprise Resource Planning

[Diagram: the citizen / customer raises an enquiry with the internal department and receives the enquiry status; Human Resources handles hiring / training, legal requirements, candidates, training schedules, payroll, benefits and expenses; Production & Materials Management handles the production plan, materials inventory and raw material & component orders; Finance & Accounting handles cost / profitability analysis; all are linked through the ERP]
What is an ERP?

• Enterprise-wide system that integrates the business functions and processes of an organization
• Integration of business functions into one seamless application
• Usually runs on a relational database
• Replaces countless departmental and workgroup information systems

What is an ERP?

• Links business processes
• Maintains an audit trail
• Utilizes a common information system
• Implementation normally involves BPR: Business Process Reengineering

Before/After ERP
ERP Enterprise Architecture
ERP Architecture

Two-tier Implementations

• In a typical two-tier architecture, the server handles both application and database duties.
• The clients are responsible for presenting the data and passing user input back to the server.
• While there may be multiple servers and the clients may be distributed across several types of local and wide area links, this distribution of processing responsibilities remains the same.
ERP Architecture

Three-tier Client/Server Implementations

• In three-tier architectures, the database and application functions are separated.
• This is very typical of large production ERP deployments.
• In this scenario, satisfying a client request requires two or more network connections.
• Initially, the client establishes communications with the application server.
• The application server then creates a second connection to the database server.
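The separation described above also moves the security boundary. In a two-tier deployment the client process holds the database credential, so any access rule implemented in the client is only advisory; in a three-tier deployment the application server holds the credential and can enforce authorization before a query runs. The following is an added Python illustration, not code from the course or from any ERP product: an in-memory SQLite table stands in for the ERP database, and the table, user names and entitlement table are constructed for the example.

```python
"""Where the trust boundary sits in two-tier versus three-tier ERP deployments.

Added illustration (not code from any ERP product): an in-memory SQLite table
stands in for the ERP database, and the class, user and table names are
assumed for the example.
"""
import sqlite3

# Constructed sample data: payroll rows belonging to two departments.
SAMPLE_ROWS = [
    ("E001", "Finance", 52000),
    ("E002", "Finance", 61000),
    ("E003", "HR", 48000),
]

# Assumed entitlement table: which department's records each user may read.
ENTITLEMENTS = {"alice": {"Finance"}, "bob": {"HR"}}


def build_db():
    """Create the stand-in ERP database and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE payroll (emp_id TEXT PRIMARY KEY, dept TEXT, salary INTEGER)"
    )
    conn.executemany("INSERT INTO payroll VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


class TwoTierClient:
    """Two-tier: the client process owns the database connection.

    Whatever filter the client UI applies is only advisory, because the same
    user holds the database credential and can issue any SQL with it.
    """

    def __init__(self, conn):
        self.conn = conn

    def run_sql(self, sql):
        return self.conn.execute(sql).fetchall()


class ApplicationServer:
    """Three-tier middle tier: owns the connection and enforces authorization.

    The presentation tier never receives the database credential, so the
    entitlement check here cannot be bypassed by the client.
    """

    def __init__(self, conn):
        self._conn = conn  # never handed to callers

    def get_payroll(self, user, dept):
        if dept not in ENTITLEMENTS.get(user, set()):
            raise PermissionError(f"{user} may not read payroll for {dept!r}")
        # Parameterised query: dept travels as data, not as SQL text.
        return self._conn.execute(
            "SELECT emp_id, dept, salary FROM payroll WHERE dept = ?", (dept,)
        ).fetchall()


class ThreeTierClient:
    """Presentation tier: can only call the operations the server exposes."""

    def __init__(self, server, user):
        self.server = server
        self.user = user

    def payroll_for(self, dept):
        """Return ('ok', rows) or ('denied', reason) for a department request."""
        try:
            return "ok", self.server.get_payroll(self.user, dept)
        except PermissionError as exc:
            return "denied", str(exc)


def demo():
    """Run the same over-reach attempt against both architectures."""
    conn = build_db()

    # Two-tier: the HR user's client has the credential, so a UI filter of
    # dept = 'HR' does not stop it reading Finance rows.
    two_tier = TwoTierClient(conn)
    leaked = two_tier.run_sql("SELECT emp_id FROM payroll WHERE dept = 'Finance'")

    # Three-tier: the identical request is refused by the middle tier, an
    # injection-shaped department name is rejected before any SQL runs, and
    # the legitimate request still succeeds.
    bob = ThreeTierClient(ApplicationServer(conn), "bob")
    finance_status, _ = bob.payroll_for("Finance")
    injected_status, _ = bob.payroll_for("HR' OR '1'='1")
    hr_status, hr_rows = bob.payroll_for("HR")

    return {
        "two_tier_finance_rows_read_by_hr_user": len(leaked),
        "three_tier_finance_request": finance_status,
        "three_tier_injection_attempt": injected_status,
        "three_tier_hr_request": hr_status,
        "three_tier_hr_rows": len(hr_rows),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the middle tier is that the entitlement check and the parameterised query live in one place the client cannot reach; in the two-tier case the same check would have to be trusted to a process the end user controls.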
ERP Functionality

Finance: General Ledger, Accounts Receivable, Accounts Payable, Procurement, Fixed Assets, Treasury Management, Cost Control, Grant Management
Human Resources: HR / Benefits Administration, Payroll, Self-service HR
e-Business: eProcurement, Employee Self Service, e-Recruiting / e-Hiring, e-Filing, Citizen Access, Web-enabled transactions, e-Commerce
Transaction Engine: core software that manages transaction flow among applications and handles tasks like security and data integrity
Customer Relationship Management: consistent user experience, personalization of services, real-time access to enterprise information
Data Analysis: decision support software that lets senior executives and other users analyze transaction data to track business performance
Supply Chain Management: planning, scheduling and fulfillment applications that address all procurement requirements across the enterprise
Why implement an ERP System?

• To support the Organization’s goals / objectives
• Integrated, on-line, secure, self-service processes for business
• Eliminate costly fragmented technologies
• Improved integration of systems and processes
• Lower costs
• Empower employees
• Enable partners, citizens and suppliers
What will an ERP do for your Institutions / departments?

• Integrate information across all functions (examples include registration, financial collections, human resources record keeping and work flow processes)
• Support G2G (Government to Government), G2C (Government to Citizen) and G2B (Government to Business) services
• Facilitate the flow of information among the Organization’s functions
• Information captured at source & instant availability of information
• Track a wide range of organizational events in an integrated fashion, and facilitate planning of future activities based on these events
• Support analysis and improve the performance of the department
What will an ERP do for your Institution / department?

Allow users or internal staff to:
• Input data into one system to enable it to be processed with other data
• Access data as information reports in a real-time environment
• Share common data and practices across the entire institution
• Re-engineer business practices
How does ERP create value?

• Integrates organizational activities
• Employs “best practices”
• Enables standardization
• Eliminates information asymmetries
• Provides on-line and real-time information
• Allows simultaneous access to the same data for planning and control
• Facilitates intra-organization communication and collaboration
• Facilitates inter-organization communication and collaboration
Advantages of ERP

Tangible benefits:
• Improves the productivity of process and personnel
• Lowering the cost of products and services purchased
• Paper and postage cost reductions
• Inventory reduction
• Lead time reduction
• Reduced stock obsolescence
• Faster product / service look-up and ordering saving time and money
• Automated ordering and payment, lowering payment processing and
paper costs
Advantages of ERP

Intangible benefits:
• Increases organizational transparency and responsibility
• Accurate and faster access to data for timely decisions
• Can reach more vendors, producing more competitive bids
• Improved customer response
• Saves enormous time and effort in data entry
• More controls, thereby lowering the risk of mis-utilization of resources
• Facilitates strategic planning
• Uniform reporting according to global standards
Advantages/Disadvantages of ERP

Advantages:
• Information entered once into the system
• Allows customization
• Provides functionality to interact with other modules

Disadvantages:
• Implementation is expensive and lengthy
• Maintenance is costly and time consuming
• Data errors are replicated through the system
What is an ERP – Key Characteristics

• Integrating all the business functions
• Integrating the systems running in all the locations
• Transparency of information using a single data source across the organization
• Software must be
 − Responsive
 − Modular
 − Flexible
 − Easy to add functionalities to
 − Able to provide a growth path
What is an ERP – Key Characteristics

Integration

Seamless integration of all the information flowing through an Organization – financial and accounting, human resource information, supply chain information, and customer information.
What is an ERP – Key Characteristics

Packages

• Enterprise systems are not developed in-house
• The information systems life cycle is different:
 − Mapping organizational requirements to the processes and terminology employed by the vendor, and
 − Making informed choices about the parameter settings.
• Organizations that purchase enterprise systems enter into long-term relationships with vendors.
Costs of ERP
• The cost to implement an ERP system is not just a ‘one-time thing.’
• Real costs are in constant training, upgrading, and maintenance.
• Benefits are not seen right away.

• Software cost: purchasing the software.
• Consulting fees: hiring external experts to help implement the system correctly.
• Process rework: redefining processes in order to ensure the company is using the most efficient and effective processes.
• Customization: if the software package does not meet all of the company’s needs, it may be required to customize the software.
• Integration and testing: ensuring all software products, including disparate systems not part of the ERP system, are working together or are integrated. Testing the ERP system includes testing all integrations.
• Data warehouse integration and data conversion: moving data from an old system into the new ERP system.
• Training: training all new users.
Other Costs

• IT Infrastructure costs
• Cost of maintaining parallel Systems
• Opportunity cost for using Internal Resources during ERP
Implementations
• Follow up service cost !!!
Why do ERP projects fail…

• Lack of sufficient top management support
• Inadequate definition of functional requirements
• Poor ERP package selection
• Incorrect time and effort estimates
• Insufficient expertise and resources for carrying out the implementation
Why do ERP projects fail…cont’d

• Misfit of ERP applications with the company’s business processes
• Resistance to change in business processes
• Unrealistic expectations of benefits and ROI
• Inadequate training and system handover
• Poor project management
Strategic Critical Success factors

• Top management commitment and support
• Visioning and planning
• Build a business case
• Implementation strategy and timeframe
• Project management & change management
Tactical critical success factors

• Balanced team
• Project team: the best and brightest
• Communication plan
• Empowered decision makers
• Team morale and motivation
• Project cost planning and management
• BPR and software configuration
Tactical critical success factors..cont’d

• Legacy system consideration
• IT infrastructure
• Client consultation
• Selection of ERP
• Consultant selection and relationship
Tactical critical success factors..cont’d

• Training and job redesign
• Troubleshooting / crisis management
• Data conversion and integrity
• System testing
• Post implementation evaluation
Thank You…
Course: Enterprise Applications and Open
Source Systems for e-Governance
implementation

Day 3

Session 4: Introduction to Open Source


Systems
Agenda

• Definitions of Open Source systems, open source standards, drivers & applicability of open source
• Open Source vs. free software vs. custom developed applications
• Importance of Open Source systems in Organizations - Total Cost of Ownership
• Examples where open source systems can be used (positioned) for better Return on Investment
Open-Source in India

In the year 2010, if FOSS is adopted at 50 per cent levels across the
economy, India can save around $2 billion (around Rs 9,800 crore), suggests
a study conducted by the Indian Institute of Management-Bangalore.

Source: http://www.business-standard.com/india/news/open-source-software-can-
save-india-2-bn/369858/
Technology Architectures

[Chart: application usage over time, 1998 to 2010, for mainframe applications, packaged applications, component applications, web service applications and open source applications]

Source: PwC 2002 - Technology Assessment
Doing More with Less

Source: Red Hat Summit 2009


Why would Governments use or create Open Source Software (OSS) - Value for Governments?

Cost of proprietary software over its life = License Fee + Σ (over the years of use, y = 1 onwards) Annual Support & Maintenance (S&M) fee
Why would Governments use or create OSS (value for Government)?

[Diagram: the IT budget (Rs.) split across Business Solutions, Business Applications & Business Components, and Infrastructure Software (Core & Technology Services)]
Why would Governments use or create OSS (value for Government)?

• Can evaluate in detail, lowering risk
 – Can see if it meets needs (security, etc.)
 – Mass peer review typically greatly increases quality / security
 – Aids longevity of records, Government transparency
• Can copy repeatedly at no additional charge (lower TCO)
 – Support may have per-use charges (which can be competed)
• Can share development costs with other users
Why would Governments use or create OSS (value for Government)? ….. contd..

• Can modify for special needs & to counter attacks
 – Even if you’re the only one who needs the modification
• Control own destiny: freedom from vendor lock-in, vendor abandonment, conflicting vendor goals, etc.

In many cases, OSS approaches have the potential to increase functionality, quality, and flexibility, while lowering cost and development time
Why would Governments use or create OSS (value for
Government)? ….. contd..

For many Governments the world over, the choice of Open Source is a strategic one.

• The preference towards Open Source platforms is firstly because, acquiring and
upgrading proprietary software is expensive.

• There is also the proposition that it is safer to entrust knowledge in the public
domain to Open Source, which is also in the public domain, than to proprietary
platforms.

• Thirdly, using open source would enable India to encourage our own software
professionals to provide software support in the form of add-on applications that
could be written at a cost much smaller than that required to buy multi-featured
packaged software.

Source : http://dqindia.ciol.com/content/top_stories/103101501.asp
Retrieved on 12th July 2010
Simply put……………

• Cost savings
• Security
• Reliability
• Open standards, avoidance of vendor lock-in
• Reduced reliance on imports
• Developing local software industry
• Localization
Weighing Benefits

Benefits of FOSS: Cost Savings
− Zero licensing costs
− Easier administration, especially with the thin-client model
− Less downtime from security patching

http://www.apdip.net
Retrieved on 12th July 2010


Benefits of FOSS: Cost Savings

• An Internet Payment Gateway (IPG) has been developed using LAMP (Linux, Apache, MySQL, PHP) for Guwahati Municipal Corporation (www.myguwahati.in) for online payment of property taxes by citizens.
• It provides a common gateway to all nationalized banks in India through net banking, credit cards and ITZ cash cards
• The IPG has also been implemented for the e-Tendering system, and international payments are accepted online.
• Investment: Rs. 0.1 million only

Where to Expect Costs

• No cost for software – staff time only for evaluation, deployment, and maintenance
• Internal implementation – staff time and IT support
• Outside implementation support – costs for installation, configuration, data transfer, and training
• Internal maintenance – fulltime system admin, hardware procurement and maintenance, IT helpdesk, and network support
• Outside maintenance support – annual helpdesk maintenance, release upgrades, hosting services
• Internal development – programming staff time and IT
• Outside development support – feature enhancement, feature creation, bug fixes

Weighing Benefits contd..

Benefits of FOSS: Security
− Open source code allows frequent and detailed audits for software flaws
− Availability of source code allows users to fix flaws themselves, instead of depending on the vendor
− Security built into systems by default
Weighing Benefits contd..

Benefits of FOSS: Reliability and Stability
- FOSS systems based on Unix are frequently used as servers, where uptime is critical

Benefits of FOSS: Open Standards
− Open standards are critical in ensuring vendor independence and permanence of stored public data
− FOSS systems typically use established, open standards:
 • Apache - HTTP, SSL, CGI
 • Mozilla - HTML, CSS, xHTML, POP, SMTP, IMAP
 • Linux kernel - POSIX
− FOSS products are easily reverse-engineered to determine the formats used, since the source is available
Weighing Benefits contd..

Benefits of FOSS: Reduced Imports
- No licensing fees to foreign companies
- Service-based business model, as opposed to product-based, results in most expenditure staying within the local economy
Weighing Benefits contd..

Benefits of FOSS: Development of Local Software Industry
An extensive FOSS developer base normally correlates with an innovative software industry because of:
− Low barriers to entry
− Availability of source code, which enables easier understanding of and experimentation with computer science concepts
− Researchers being able to tap into online resources and the global development network
Weighing Benefits contd..

Benefits of FOSS: Localization


− Proprietary software makers localize their software only when economically
advantageous
− Easy customization of FOSS systems allows localization to local languages,
customs and ways of working.
− FOSS developers are global and multilingual, thus most software is built with
internationalization and localization in mind.
Understanding Open Source Software (OSS)

In the simplest language, an OSS is software licensed to users with these
freedoms:

• To run the program for any purpose,
• To study and modify the program, and
• To freely redistribute copies of either the original or modified
program (without royalties, etc.)
Understanding Open Source Software (OSS)

Open Source is a development model

(diagram: a Project lead coordinating a network of volunteers)
Understanding Open Source Software (OSS)

Firm based software development:
Code developed by firm → Code locked via binary and sent to customers →
Customers run program → Bug complaints & feature requests to company

Open Source software development:
Code developed by community → Code distributed to users → Users create
binary → Users run program → Users find and fix bugs, and create new
features → Users distribute modifications
Understanding Open Source Software (OSS).. contd..

• Open Source Software is software for which the source code is
distributed along with the executable program, and which includes a
license allowing anyone to modify and redistribute the software.

• Source code is the actual instructions which programmers write to create
a piece of software, the "recipe" for the program.

• Once a program has been "compiled" into a form which can be installed
and run on a computer, its source code is irretrievable.
Understanding Open Source Software (OSS).. contd..

• It is practically impossible to make changes to a program without having a
copy of its source code.

• If a program's license includes the right to modify the program, this right is
meaningless unless the source code is readily available.
Understanding Open Source Software (OSS).. .contd..

Open Source Software is

• Software licensed with a copyright license compliant with the Open
Source Definition (OSD)
• Software is distributed with its source code in a human readable format
• Software is developed in an open and collaborative way by groups of
developers
In practical terms?

Open source means

• The source code is available to the end-user
• The source code can be modified by the end-user
• The licensing conditions promote re-use and wide availability of the
software
• The cost of acquisition to the end-user is often minimal
Open Source vs. Free Software

• The Free Software movement and the Open Source movement are
separate but have overlapping goals

• Open Source: software should be open source as a matter of practicality
(i.e. a development methodology)

• Free Software: software should be free as a matter of social responsibility
(i.e. software for the greater good; free as in freedom)
Open Source Definition- As per Open Source initiative

The Open Source Definition is used by the Open Source Initiative to determine
whether or not a software license can be considered open source.

Some of these criteria are:

a) Free Redistribution

• The license shall not restrict any party from selling or giving away the software as
a component of an aggregate software distribution containing programs from
several different sources.

• The license shall not require a royalty or other fee for such sale.
Open Source Definition- As per Open Source initiative
..contd..

b) Source Code
The program must include source code, and must allow distribution in source code as
well as compiled form.

c) Derived Works
The license must allow modifications and derived works, and must allow them to be
distributed under the same terms as the license of the original software

d) Distribution of License
The rights attached to the program must apply to all to whom the program is
redistributed without the need for execution of an additional license by those parties
Open Source Definition- As per Open Source initiative
..contd..

e) License Must Not Be Specific to a Product
The rights attached to the program must not depend on the program's being part of a
particular software distribution.

f) License Must Not Restrict Other Software
• The license must not place restrictions on other software that is distributed along
with the licensed software.
• For example, the license must not insist that all other programs distributed on the
same medium must be open-source software.

g) License Must Be Technology-Neutral
No provision of the license may be predicated on any individual technology or
style of interface.

Open Source Initiative, http://opensource.org/docs/osd
Typical OSS development model

(diagram: the Developer Community sends Bug Reports and Improvements (as
source code) to a Trusted Developer, who commits to a Trusted Repository;
a Distributor packages the repository contents for the User)

• OSS users typically use software without paying licensing fees

• OSS users typically pay for training & support

• OSS users are responsible for paying/developing new improvements &
any evaluations that they need; often cooperate with others to do so

• Goal: Active development community (like a consortium)
Open Standards

• An open standard is a standard that is publicly available and has various
rights to use associated with it, and may also have various properties of
how it was designed (e.g. open process).

• The terms "open" and "standard" have a wide range of meanings
associated with their usage.

• The term "open" is usually restricted to royalty-free technologies while the
term "standard" is sometimes restricted to technologies approved by
formalized committees that are open to participation by all interested
parties and operate on a consensus basis.
Open Standards contd..

• The term "open standard" is sometimes coupled with "open source" with
the idea that a standard is not truly open if it does not have a complete
free/open source reference implementation available.

• Open standards which specify formats are sometimes referred to as open
formats.

• "Open Standards" facilitate interoperability and data exchange among
different products or services and are intended for widespread adoption.
Open Standards contd..

Open Source Initiative's Definition:

• The Open Source Initiative defines the requirements and criteria for open
standards as follows:
• An "open standard" must not prohibit conforming implementations in open
source software.
• To comply with the Open Standards Requirement, an "open standard" must
satisfy the following criteria.
• If an "open standard" does not meet these criteria, it will be discriminating
against open source developers.
Open Standards contd..

Other elements of "Open Standards" include, but are not limited to:

• Collaborative process – voluntary and market driven development (or approval) following a
transparent consensus driven process that is reasonably open to all interested parties.

• Reasonably balanced – ensures that the process is not dominated by any one interest
group.

• Due process - includes consideration of and response to comments by interested parties.

• Intellectual property rights (IPRs) – IPRs essential to implement the standard to be
licensed to all applicants on a worldwide, non-discriminatory basis, either (1) for free and
under other reasonable terms and conditions or (2) on reasonable terms and conditions
(which may include monetary compensation).

• Quality and level of detail – sufficient to permit the development of a variety of competing
implementations of interoperable products or services.
Open Standards contd..

• Publicly available – easily available for implementation and use, at a reasonable
price. Publication of the text of a standard by others is permitted only with the prior
approval of the SDO.

• On-going support – maintained and supported over a long period of time.


Open Source Software vs. Proprietary software

• A proprietary license prohibits modification, copying, or redistribution
without the company's permission.

• It ensures that only one entity -- the company or individual that created
the software -- has the right to make changes or even see the software's
internal structure.

• Proprietary software is created by a relatively small group of developers
within a particular company

• They complete a program and then try to remove as many flaws (software
errors or "bugs," and security "holes") as possible before the software
goes to market.
Open Source Software vs. Proprietary software contd..

• Any flaws which remain after shipping time become the consumer's
problem, leading to lost work and frustration.

• Purchasers of proprietary software become involuntary testers.

• Even if users know how to solve a flaw, the software license prohibits
them from making the fix themselves.
Comparing GOTS, COTS Proprietary, and COTS OSS

Support Strategy | Flexibility | Cost | Risks
Government-owned / GOTS | High | High | Become obsolescent (government bears all costs & can’t afford them)
COTS – Proprietary | Low | Medium* | Abandonment, & high cost if monopoly
COTS – OSS | High | Low* | As costly as GOTS if fail to build development community

OSS is not always the right answer...
but it’s clear why it’s worth considering
(both reusing OSS and creating new/modified OSS)
Comparing Open Source software and Enterprise application

Open Source | Enterprise Applications | Current Gap
Low Cost | Reliable & Predictable | Lack of Support
Easily Adoptable | High Quality | Lack of Integration
Unique Functionality | Available Resources | Lack of Training
No Vendor Lock-In | High Degree of Automation | Lack of Skills
Multiple Choices | Performance & Scalability | Lack of Tools
Myths about Open Source Software (OSS)

• Myth: OSS same as open systems/standards
• Myth: OSS is non-commercial
• Myth: OSS is unreliable
• Myth: Open Source Software Is Too Risky for IT Security
• Myth: OSS unsupported
• Myth: OSS is no cost
Myth 1 : Open systems/open standards: Different, yet
compatible
• Open System = “A system that employs modular design, uses widely
supported and consensus based standards for its key interfaces, and has
been subjected to successful tests to ensure the openness of its key
interfaces”.
– Open systems require open standards
• Greater interoperability & flexibility, lower costs, higher security, ...
• Open systems/open standards & open source software:
– Work well together; both strategies for reducing dependency
– Not the same thing
Myth 2 : Nearly all OSS are commercial items / COTS

Nearly all OSS are commercial items

• Many OSS projects supported by commercial companies
– IBM, Sun, Red Hat (solely OSS, market cap $4.3B), Novell, Microsoft (WiX,
IronPython, SFU, Codeplex site)
• Big money in OSS companies
– Citrix bought XenSource ($500 million), Sun buying MySQL ($1 billion), Red
Hat bought JBoss ($350 million), ...
– IBM reports invested $1B in 2001, made it back in 2002
– Venture capital invested $1.44B in OSS 2001-2006 [InfoWorld]
Myth 3: OSS often very reliable

• Studies have found OSS apps significantly more reliable [U Wisconsin]
– Proprietary Unix failure rate: 28%, 23%
– OSS: Slackware Linux 9%, GNU utilities 6%
– Windows: 100%; 45% if forbid certain Win32 message formats
(chart: Failure Rate, 0–100)

• IIS web servers >2x downtime of Apache [Syscontrol AG]

• Linux kernel TCP/IP had smaller defect density

[See http://www.dwheeler.com/oss_fs_why.html]
Myth 4 : Open Source Software Is Too Risky for IT Security

• Network World magazine article states, “Most of the packaged security
appliances for everything from firewalls to security information
management are built on the same BSD Unix and Linux distributions as
the application servers you build yourself.”

• A recent Forrester Research report further argued that enterprises should
seriously consider open source options for mission-critical infrastructure.

• Open-Source platforms are as a result considered more secure than
many of their proprietary counterparts, since the frequency of the updates
offered keeps the windows of vulnerability and susceptibility to an
absolute minimum.
Few other myths….

• Myth: OSS unsupported
– Businesses support OSS. Red Hat, Novell, HP, Sun, IBM, DMSolutions,
SourceLabs, OpenLogic, Carahsoft, ...
– Community support often good; 1997 InfoWorld “Best Technical Support” award
won by Linux User Community

• Myth: Only programmers care about software licenses

• Myth: OSS is no cost
– Training, support, transition, etc. are not free-of-cost
– Competition often produces lower TCO & higher ROI for OSS
OSS Strengths

• Ability to fit local needs: Availability of the source code means that
you can modify and enhance the software to more closely fit your own
needs.

• No restrictions on use: no restrictions on how the software is used
and no invoices for each user license.

• Low cost: no charge for the software itself. If other libraries share
their efforts, each user’s cost is reduced. Pay only for needed support
or any additional products & services if required. Even then, the
savings over commercial software are large.

• Innovation: with open source code, users keep innovating and
improving, which often means a much faster development cycle when
compared to proprietary software
OSS Strengths

• User-driven: Traditional vendors focus on providing functionality
meeting needs of the majority of their customers. In contrast, OSS
features emerge from the community of users. This makes OSS
development user-driven: you decide what features are important and
deserve attention rather than a vendor.

• Collaboration: vibrant local, national and global user groups
collaborate in creativity, development and trouble shooting.

• Reliability: OSS is peer-reviewed software, exposed to extreme
scrutiny, with problems being found and fixed instead of being kept
secret until the wrong person discovers them.
• So the code base is more reliable than closed, proprietary software.
Mature open-source code is as bulletproof as software ever gets.
OSS Strengths

• Security: Proprietary software, with 'closed' source code, support and
future development rely solely on the resources of a single vendor. If
the vendor goes down, so does your product support.

• Dramatically reduces the potential of supplier lock–in which solves "a
huge problem of potential opportunism" and reduces the chances of
ending up in "a dependent relationship."
OSS: Weaknesses

• Unanticipated Efforts: An Organization may find that it needs to do a
great deal more work than anticipated to adapt the software exactly to the
local needs.

• Lack of Coordination: The decentralized development of open source
software means that progress can be chaotic and there may be delays in
addressing bugs.

• Inadequate Technical Support: Documentation tends to be limited and
aimed at developers. There usually is limited technical support, especially
for users of the software.

• Risk of discontinuation: Development or support may discontinue. The
same risk exists with commercial options.

• Pay-for-Support provides solution to most of the problems


OSS: Weaknesses contd..

• Long learning curve is a drawback in open source.

• Due to the nature of free and open source software deployment, there is a
dearth of open source experts in case of troubleshooting.

• There is no clear ownership for free and open source software. As it’s a
“global public good” responsibility lies in the cyberspace.
OSS: Weaknesses.. contd..

Pay-for-Support companies and service providers of OSS are using all state-
of-the-art technologies and processes to keep OSS products competitive
against their commercial competitors.
Some of the open source initiatives in India

National Resource Centre for Free/Open Source Software (NRCFOSS)

• National Resource Centre for Free/Open Source Software (NRCFOSS) aims to:
• Contribute to the growth of FOSS in India through Research and Development,
Human Resource Development, Networking and Entrepreneurship Development,
• Serve as the reference point for all FOSS related activities in the country
including the creation and maintenance of this national FOSS Portal.

NRCFOSS is funded by the Department of Information Technology (DIT), Ministry of
Communication and Information Technology (MCIT), Govt. of India, and managed
jointly by the Chennai division of the Centre for Development of Advanced
Computing (C-DAC) and AU-KBC Research Centre, Anna University, Chennai.
Bharat Operating System Solutions - BOSS

• BOSS (Bharat Operating System Solutions) is a GNU/Linux distribution developed
by C-DAC (Centre for Development of Advanced Computing), derived from Debian,
for enhancing the use of Free/Open Source Software throughout India.

• BOSS GNU/Linux, a key deliverable of NRCFOSS, has been upgraded from an
entry-level server to an advanced server.

• It supports Intel and AMD x86/x86-64 architecture. BOSS GNU/Linux advanced
server has features such as Web server, proxy server, Database server,
Mail server, Network server, File and Print server, SMS server, LDAP server.

• BOSS GNU/Linux advanced server comes with administration tools such as
Webmin (a web-based interface), Gadmin, phpMyAdmin, phpLDAPadmin and
pgAdmin.

http://bosslinux.in/
Bharat Operating System Solutions - BOSS contd..

• Currently BOSS GNU/Linux Desktop is available in almost all the Indian
Languages such as Assamese, Bengali, Gujarati, Hindi, Kannada, Malayalam,
Marathi, Oriya, Punjabi, Sanskrit, Tamil, Telugu, Bodo, Urdu, Kashmiri, Maithili,
Konkani, Manipuri which will enable the mainly non-English literate users in the
country to be exposed to ICT and to use the computer more effectively.

• The accessibility of BOSS Linux will have a constructive impact on the digital
divide in India as more people can now have access to software in their local
language to use the Internet and other information and communications
technology (ICT) facilities.

• Community Information centers (CIC’s) and internet cafes will also benefit from
BOSS GNU/Linux as this software can be utilized to power these outlets and is
affordable and easy to install, use and support.

http://bosslinux.in/
FOSS in State Government

Assam Government includes FOSS in state IT policy

− It also extends beyond software and says that all generic hardware purchased by
the Government should have support for open source software.
− Entrepreneurs/ companies using FOSS for application/website development would
be given preference over those using third party packaged applications.

http://osindia.blogspot.com/2009/12/yet-another-indian-state-Government.html
Retrieved on 12th July 2010
IT@Schools

The South Indian state of Kerala pioneered open source in schools with its
well-known IT@Schools project, which now covers three million students from the
5th to 10th standards and involves 200,000 teachers across 4071 schools.
− Since then, other Indian states like Karnataka, Gujarat, Assam, West Bengal and
others have made open source a key part of their school education initiatives.
− A study by the Indian Institute of Management, Bangalore, found that the
Kerala Government's usage of OSS saved it Rs 49 crore ($10.2 million).

http://opensource.com/Government/10/4/oss-one-best-tools-modernizing-india-education-system

Retrieved on 12th July 2010


Identifying and Controlling Weeds - OSCAR, India

• The Open Source Simple Computer for Agriculture in Rural Areas (OSCAR)
project involves the prototyping of application software for weed identification
and control of the rice and wheat crop systems of the Indo-Gangetic Plains.

• It is targeted at being deployed on low-cost computing devices running GNU/Linux
that can be shared among farmers of a local community.

• OSCAR is unique in that it is the first of its kind within the domain of information
and communications technology (ICT) applications for agriculture.

• By being available as FOSS, it promotes the aggregation of information from
academic/research institutions as well as from traditional knowledge systems.
Identifying and Controlling Weeds - OSCAR, India…. contd..

• The OSCAR project aims to address the issue of declining agricultural productivity
in South Asia by producing a tool for decision-making in weed identification and
control.

• The specific objective of the project is to demonstrate a prototype of this tool
implemented in software and running on desktop computers and low-cost
computing devices.

• The project has tested the application with various target groups in the four
countries of the IGP – Bangladesh, India, Nepal and Pakistan, with encouraging
results.
eBiz

• The Government of India has started its eBiz initiative - a project to build
a framework for Government to Business (G2B) services where services
from the federal, state and local Government agencies will be made
available through a single portal.

• The eBiz architecture is to be built on the principles of interoperability and
open standard
Few other worldwide examples

Dspace
• DSpace captures data in any format – in text, video, audio, and data. It
distributes it over the web. It indexes the contents, so users can
search and retrieve items. It also preserves digital work over the long
term.
• DSpace provides a way to manage research materials and
publications in a professionally maintained repository to give them
greater visibility and accessibility over time.
• DSpace is freely available as open source software.
Few other worldwide examples

Eprint

• EPrints Open Source Software is a platform for building repositories of
research literature, scientific data, student theses, project reports,
multimedia artefacts, teaching materials, scholarly collections, digitised
records, exhibitions and performances.

• It has features such as
* Archive Documents, Multimedia and Data
* Multi-Language Support
Few other worldwide examples

Drupal
Drupal is a free software package that allows an individual or a community of users
to easily publish, manage and organize a wide variety of content on a website.
It enables features such as:
* Content Management Systems
* File uploads and downloads, etc

Joomla
Joomla! is an Open Source Content Management System.
It is used for creating simple websites to complex corporate applications.

Wikipedia
Wikipedia has become the world’s largest encyclopedia due to adoption of an open
source model.
http://www.dwheeler.com/numbers

http://eGovstandards.Gov.in
Course: Information Security Management
& EA

Session 5: Course Closure


Agenda

 Q&A

 Feedback from Audience


Questions & Answers (30 Mins)

Slide 3
Feedback from Audience (30 Mins)

Please fill the Course Feedback Form

Slide 4
Thank You

Slide 5