Complete Tutorial: Information Security Management (ISM) in e-Governance
Day 1
Slide 3
Expectations from the course
Slide 4
Synopsis of training course
Slide 5
Business need for the course
Module 1:
The training course will equip the participants with a range of practices and standards in relation
to information security management for e-Governance projects, in order to:
• Secure critical information assets of government against loss, theft etc.
• Ensure data confidentiality, integrity and non-repudiation
• Ensure availability and continuity of the IT services
• Ensure IT system implementations are in line with the security policies and standards defined
by DIT/central/state governments…
Slide 6
Performance Objectives of the Course - Module 1
The training course performance objectives, in terms of the capabilities participants are
expected to demonstrate in their respective departments after completing the training,
include the following:
• Support information security risk assessment and development of information security strategy, policy
and procedures for e-Governance projects
• Ensure that e-Governance solutions are implemented to address information security risks and threats
Slide 7
Knowledge – Skills – Attitudes (KSA) matrix for course – Module 1
Knowledge
• Information security risks and their impact on the government business
• Understand the IT landscape in e-Governance and the potential information security risks and
threats across its various levels
• Information Security Architecture for e-Governance projects
• Approach for development and implementation of security strategy, policies and
procedures
• Policy and regulatory aspects related to information security in e-Governance
Slide 8
Knowledge – Skills – Attitudes (KSA) matrix for course – Module 1
Skills
• Define the scope of information security audit
Slide 9
Knowledge – Skills – Attitudes (KSA) matrix for course – Module 1
Attitude
• Recognize the information security risks in the business environment and their impact on the
organization
• Appreciate the need for information security and its awareness in the organization
• Provide enough emphasis on information security management within the organization
• Align organization culture to implement best practices in information security
Slide 10
A Typical day during the training…
Slide 11
Course Outline
Day Sessions
Slide 12
Course Outline – contd..
Day Sessions
Slide 13
End of Session
Slide 14
Course: Information Security Management in e-Governance
Day 1
Slide 3
What is Information?
Slide 4
Information in Governments
– Governments are moving towards e-Governance to improve convenience, reduce time,
improve transparency in delivering services to businesses and citizens
– Businesses and citizens expect high standards of services, instant access to information,
efficient transactions and support, whenever and wherever they need it, but in a secure
fashion.
– The two major components of the approach are information delivery and service
delivery.
– In the first component, Governments offer various web-based information services of
different granularity.
– In the second component, the citizen is given access to the Government's business-related
IT systems in order to receive transaction services (e.g. tax payments, filing of forms,
issuing certificates etc.)
Slide 5
Information in Governments
– These two components bring the issues of information and systems security, such as
architecture, standards and technology, to the forefront.
– Another fundamental element of the problem is the unprecedented gap between the pace
of technological change and the inevitably glacial pace of policy and law making.
– Any good system of governance should be resilient to fraud, inadvertent virus infection, a
variety of motivated cyber crimes carried out through unauthorised access, and even
nation-sponsored cyber war, as well as to disaster and warfare scenarios.
Slide 6
Information in Governments
– Models of e-Governance: from the developmental perspective, e-Governance can
be defined as the application of electronic means (in particular ICT) in:
(1) the interaction between Government and citizens and Government and
businesses, as well as in
Slide 7
Some of the kinds of Information exchanged in Governments
(Diagram of information types:)
– Public Information
– Personalized Information
– Critical Information
– Business Information
– Comparative Data
– Feedback and Opinions
Based on these classes of information, their sources and frequency of update and exchange,
various models of e-Governance projects are evolved.
Slide 8
Information assets in Governments
• Information can be found in various places such as:
Slide 9
Technology Base for e-Governance
– Communication Network: The Data and Voice Network owned by the
Government or private players.
Slide 10
Facets of Information assets
– End-user level: information available at the end user level, which could be trusted, partly
trusted, untrusted, third-party etc.
– Service layer: information is available at the applications, databases etc. level
(Diagram: Internet → Third-Party Application / Web Tier → Application → Databases)
• With every new application, newer vulnerabilities crop up, posing immense
challenges to those who are mandated to protect the IT assets
• The assets that must be protected to ensure secure e-Gov include client
computers, the messages traveling on the communication channel, and the Web
and e-gov servers – including any hardware attached to the servers
Slide 12
Need for Information security in
Governments
• In the current climate of elevated risk created by the vulnerabilities of and threats
to the Nation's IT infrastructure, cyber security is not just a paperwork drill.
Slide 13
Need for Information security in
Governments (contd..)
• Governments amass a great deal of confidential information about their
employees, customers, products, research, and financial status.
Slide 14
Need for Information security in
Governments (contd..)
• Examples include:
• A defacement / hacking of a public website can cause loss of
reputation
• Vital data, i.e. databases, can be lost if unauthorized entry is not
checked properly
• An e-procurement website stops functioning all of a sudden
• A disaster strikes and the processes come to a standstill
• Repudiation: one party to a transaction denies having received it, or the
other party denies having sent it
• Protecting confidential information is a business requirement, and in
many cases also an ethical and legal requirement.
Slide 15
Understanding Security Measures
• Data Center Security
• Use Firewalls
• Web-site Security
• Anti-virus tools
• Anti-phishing tools
• Physical Office Security
• Restricted Accessibility
• Regular checks & reviews
• Secured Working Processes
• Planning long-term solutions
• Process cycle to be followed (PDCA Cycle – Plan, Do, Check & Act)
Slide 16
Categorization of Information Systems
Slide 17
Challenges & Issues - Security
• Data & Application security
• PPP models (service delivery model)
• Lack of internal technical capacities
– Loopholes in the applications and databases
– Knowledge transfer
– Exit management
• Complex e-Governance Projects
– High performance & response time
– High security desired on operations, but not a top priority to start
with
• Multiple Legacy Environments
• Security framework
• Implementation of Security Standards
• Implementation of suitable access controls and authorization
• Preparation of RFPs that capture all the security requirements
Slide 18
Points of concern in Governments
• Letting vendors define “good security”
• Underestimating the required security expertise
• Assigning untrained people to maintain security
• Relying primarily on a firewall.
• Thinking first of budget concerns, neglecting the value of their information
and organizational reputation.
• Authorizing reactive, short-term fixes so problems re-emerge rapidly.
Slide 19
Top Security Myths
Slide 21
Threats
– External Parties
– Employees
Slide 22
Generic Threat Profile
(Diagram: threat source × intent × outcome)
– Inside, Accidental: Disclosure, Modification, Loss/Destruction, Interruption
– Inside, Deliberate: Disclosure, Modification, Loss/Destruction, Interruption
– Outside, Accidental: Disclosure, Modification, Loss/Destruction, Interruption
– Outside, Deliberate: Disclosure, Modification, Loss/Destruction, Interruption
Slide 23
Information Security Threats and
Vulnerabilities
• Client Threats: Until the introduction of executable Web content, Web pages were
mainly static. Coded in Hyper Text Markup Language (HTML), static pages could do
little more than display content and provide links to related pages with additional
information.
• Widespread use of active content has changed this.
• Active Content: Active content such as Java applets, ActiveX controls, JavaScript and
VBScript refers to programmes that are embedded transparently in Web pages and
that cause actions to occur.
• Embedding active content in Web pages involved in e-Governance introduces
several security risks.
• Malicious active content delivered by means of cookies can reveal the content
of client-side files or even destroy files stored on client computers.
Slide 24
Information Security Threats and
Vulnerabilities
• Malicious Codes: Computer viruses, worms and Trojan Horses are examples of malicious
code. People are aware but may not be prepared to deal with such adversaries.
• Server-side Masquerading: Masquerading lures a victim into believing that the entity with
which it is communicating is a different entity.
• For example, if a user tries to log into a computer across the Internet but instead reaches
another computer that claims to be the desired one, the user has been spoofed.
• Communication Channel Threats: The Internet serves as the electronic chain linking a
consumer (client) to the e-Gov server.
• Messages on the Internet travel randomly from a source node to a destination node.
• It is impossible to guarantee that every computer on the Internet through which messages
pass is safe, secure, and non-hostile.
Slide 25
Information Security Threats and
Vulnerabilities
• Confidentiality Threats: Confidentiality is the prevention of unauthorised
information disclosure. Use of Internet definitely poses confidentiality threats to
the messages sent.
• Server Threats: The server is the third link in the client-Internet-server trio
embodying the e-Gov path between the citizens and the Government. Servers
have vulnerabilities that can be exploited by anyone determined to cause
destruction or to illegally acquire information.
Slide 26
Information Security Threats and
Vulnerabilities
• Web Server Threats: Web server software is not inherently high-risk; it has been designed
with Web service and convenience as the main design goals. The more complex the software
is, the higher the probability that it contains coding errors (bugs) and security holes.
• e-Gov Server Threats: The e-Gov server, along with the Web server, responds to requests
from Web browsers through the HTTP protocol and Common Gateway Interface (CGI) scripts.
Several pieces of software comprise the e-Gov server software suite. Each of these
components can have security holes and bugs.
Slide 27
Information Security Threats and
Vulnerabilities
• Common Gateway Interface Threats: A Common Gateway Interface (CGI) implements the
transfer of information from a Web server to another programme, such as a database
programme. Because CGIs are programmes, they present a security threat if misused.
Slide 28
Threat Sources
Source                   | Motivation                                                   | Threat
External Hackers         | Challenge, Ego, Game Playing                                 | System hacking
Internal Hackers         | Deadline, Financial problems                                 | Backdoors, Fraud, Poor documentation
External Agents          | Revenge, Political                                           | System attacks, Letter bombs, Viruses, Denial of service
Poorly trained employees | Unintentional errors, Programming errors, Data entry errors  | Corruption of data, Malicious code introduction, System bugs, Unauthorized access
Slide 29
Threat Sources
Categories of Threat                                   | Example
Deviations in quality of service from service provider | Power and WAN issues
Slide 30
Threat Sources
Slide 31
Relationships between assets, risks, threats, vulnerabilities
(Diagram, read as a chain:)
– Threat agents give rise to threats
– A threat exploits a vulnerability
– A vulnerability leads to a risk
– A risk can damage an asset
– Damage to an asset causes an exposure
– An exposure can be countered by a safeguard
Slide 32
Information Security
• Information security means protecting information and information
systems from unauthorized access, use, disclosure, disruption, modification or
destruction.
• These fields are often interrelated and share the common goals of protecting the
confidentiality, integrity, availability, accountability and assurance of information.
Slide 33
IT Security
Slide 34
Security objectives
Organizations meet this goal by striving to accomplish the following objectives:
Slide 36
Information security focus
• Protection of information assets
• Protection of Computer systems
• Protection of Data networks
• Protection of Databases & Applications
• Protection of end user environments
• Physical and environmental protection
• Security measures in Third Party Outsourcing
• Logical access control
• Disaster recovery Planning
• Security Audit
• Public Key Infrastructure
• Legal Frameworks and various initiatives by GoI
Elements of Information Security…
(Diagram: People – Organization, Staff; Process; Technology; all surrounding "Our Business")
Slide 38
Elements of Security….. People & Processes
People (who use or interact with the Information):
• Management
• Employees
• Business Partners
• Service providers
• Contractors
• Citizens
• Regulators etc…
Processes (the processes refer to "work practices" or workflow):
• Helpdesk / Service management
• Incident Reporting and Management
• Change Requests process
• Request fulfillment
• Access management
• Identity management
• Service Level / Third-party Services Management
• IT procurement process etc...
Slide 39
Technology “what we use to
improve what we do”
Network Infrastructure
• Cabling, Data/Voice Networks and equipment
• Telecommunications services (PABX), including VoIP
services, ISDN, Video Conferencing
• Server computers and associated storage devices
• Operating software for server computers
• Communications equipment and related hardware.
• Intranet and Internet connections
• VPNs and Virtual environments
• Remote access services
• Wireless connectivity
Application software
• Finance and assets systems, including Accounting
packages, Inventory management, HR systems,
Assessment and reporting systems
• Software as a service - instead of software as a
packaged or custom-made product.
Slide 40
Technology “what we use to
improve what we do”
Physical Security components
• CCTV Cameras
• Clock in systems / Biometrics
• Environmental management Systems: Humidity
Control, Ventilation , Air Conditioning, Fire Control
systems
• Electricity / Power backup
Access devices
• Desktop computers
• Laptops, ultra-mobile laptops and PDAs
• Thin client computing.
• Printers, Scanners, Photocopier etc.
Slide 41
Information Security Management
(Diagram: Information Security rests on three pillars)
– People: Security Policy, Regulatory Compliance, User Awareness Program
– Process: Access Control, Security Audit, Incident Response
– Technology: Encryption, PKI, Firewall, IPS/IDS, Antivirus, Security Audit
Slide 42
A Structured Approach to
Security Design
• For security to be effective it must be designed as a whole and applied consistently
across an organization and its IT infrastructure.
• The steps to design the security of a system are to model the system, identify the
security properties to be preserved, model the adversary, and then ensure that the
security properties are preserved under attack.
(Diagram: Security Policy → Security Infrastructure Specification → Security Infrastructure
Implementation → Security Testing → Requirement Validation)
Slide 44
Security Engineering Life Cycle
• Security Requirement Specification and Risk Analysis
• The first phase in the Security Engineering Life Cycle collects information regarding the assets
of the organisation that need to be protected, the threat perception on those assets,
associated access control policies, existing operational infrastructure, connectivity
aspects, services required to access the assets and the access control mechanism for those
services.
Slide 45
Security Engineering Life Cycle
• Security Infrastructure Specification
• This phase analyses the Security Requirement Specification and the Security
Policy Specification to generate a list of security tools that are needed to
protect the assets.
• It also provides views on the location and purpose of the security tools.
Slide 46
Security Engineering Life Cycle
• Security Testing
• In this phase, several tests are carried out to test the effectiveness of the security
infrastructure, functionality of the access control mechanism, specified operational
context, existence of known vulnerabilities in the infrastructure etc.
• Requirement Validation
• This phase analyses the extent to which the security requirements of the e-Governance
organization are fulfilled by the corresponding security policy and the implemented
security infrastructure.
• Changes in the service goal, the operational environment, or technological
advancement may lead to a fresh set of security requirements, thereby
triggering a new cycle of the Security Engineering Life Cycle.
Slide 47
e-Governance Security Assurance Framework (eSAFE)
(Diagram, cycle:) Categorization of Information Systems → Baseline Control Selection →
Risk assessment → Refinement of controls → Implementation of controls →
Monitoring Effectiveness of Controls
Slide 48
Baseline Control Selection
Master Catalog of Security Controls
Complete Set of Security Controls and Control Enhancements
Slide 50
Refinement & implementation of
controls
• Determine desirable and mandatory controls
• Evaluate existing and mandatory controls
• Determine the refinements needed in the
controls
• Implement controls
Slide 51
Monitoring Effectiveness of Controls
Slide 52
References
• www.mit.gov.in
• www.egovonline.net
Slide 53
Course: Information Security Management
in e-Governance
Day 1
Slide 3
Who Should be Concerned?
Slide 4
Role of Standards
Slide 5
Why Best Practices are Important!
• Today, the effective use of best practices can help avoid re-inventing
wheels, optimize the use of scarce IT resources and reduce the
occurrence of major IT risks, such as:
– Project failures
– Wasted investments
– Security breaches
– System crashes
– Failures by service providers to understand and meet customer
requirements
Slide 6
Why Best Practices are Important!
COBIT, ITIL and ISO 27000 are valuable to the ongoing growth and success of an
organization because:
– Companies are demanding better returns from IT investments
– Best practices help meet regulatory requirements for IT controls
– Organizations face increasingly complex IT-related risks
– Organizations can optimize costs by standardizing controls
– Best practices help organizations assess how IT is performing
– Management of IT is critical to the success of enterprise strategy
– They help enable effective governance of IT activities
– A management framework helps staff understand what to do (policy, internal
controls and defined practices)
– They can provide efficiency gains, less reliance on experts, fewer errors,
increased trust from business partners and respect from regulators
Slide 7
Benefits
• Self-Analysis
• Security Awareness
• Targeting Of Security
• Consistency
• Communication
Slide 8
After adopting Standards
Slide 9
Approach in Implementing Standards
Slide 10
Integrated IS Framework (diagram):
– ITIL / ISO 20000 – Service Management
– ISO 27K – Information Security
– PMI – Project Management
– COBIT
Slide 11
Some of the Standards – Overview (diagram, centred on the Organization):
– IT Operations
– Application Delivery – CMM
– Business Continuity – BS 25999
– Environment – ISO 14001
– Improvement – ISO 9004
– Governance – COBIT
– Customers – BS 8600
– Information Security – ISO 27001, 27002
Slide 12
ISO 27000
Slide 13
History of ISO - Timeline
• 1992
The Department of Trade and Industry (DTI), which is part of the UK Government,
publishes a 'Code of Practice for Information Security Management'.
• 1995
This document is amended and re-published by the British Standards Institute (BSI)
in 1995 as BS7799.
• 1996
Support and compliance tools begin to emerge, such as COBRA.
• 1999
The first major revision of BS7799 was published. This included many major
enhancements. Accreditation and certification schemes are launched. LRQA and
BSI are the first certification bodies.
Slide 14
History of ISO – The Timeline
• 2000
In December, BS7799 is again re-published, this time as a fast tracked ISO
standard. It becomes ISO 17799 (or more formally, ISO/IEC 17799).
• 2001
The 'ISO 17799 Toolkit' is launched.
• 2002
A second part to the standard is published: BS7799-2. This is an Information
Security Management Specification, rather than a code of practice. It begins the
process of alignment with other management standards such as ISO 9000.
• 2005
A new version of ISO 17799 is published. This includes two new sections, and
closer alignment with BS7799-2 processes.
• 2005
ISO 27001 is published, replacing BS7799-2, which is withdrawn. This is a
specification for an ISMS (information security management system), which aligns
with ISO 17799 and is compatible with ISO 9001 and ISO 14001.
Slide 15
Where did 17799 come from?
• BS7799 was conceived as a technology-neutral, vendor-neutral management
system that, properly implemented, would enable an organization's management
to assure itself that its information security measures and arrangements were
effective.
• BS7799 was originally just a single standard, and had the status of a “Code of
Practice”.
• In other words, it provided guidance for organizations, but hadn't been written as
a specification that could form the basis of an external third party verification and
certification scheme.
Slide 16
Overview – ISO 27000 (base standard)
Published standards
ISO/IEC 27001 - the certification standard against which organizations' ISMS may be
certified (published in 2005)
ISO/IEC 27002 - the re-naming of existing standard ISO 17799 (last revised in 2005,
and renumbered ISO/IEC 27002:2005 in July 2007)
ISO/IEC 27006 - a guide to the certification/registration process (published in 2007)
In preparation
ISO/IEC 27000 - a standard vocabulary for the ISMS standards
ISO/IEC 27003 - a new ISMS implementation guide
ISO/IEC 27004 - a new standard for information security management measurements
ISO/IEC 27005 - a proposed standard for risk management
ISO/IEC 27007 - a guideline for auditing information security management systems
ISO/IEC 27011 - a guideline for telecommunications in information security
management system
ISO/IEC 27799 - guidance on implementing ISO/IEC 27002 in the healthcare industry
Slide 17
Well known ISO standards in the 27xxx series
– ISO 27001: the specification for an information security management system; replaces the
old BS7799-2
– ISO 27002: the new standard number of the existing ISO 17799 standard
– ISO 27004: designated number for a new standard covering information security management
measurement & metrics
– ISO 27005: emerging standard for information security risk management
Slide 18
Where do ISO 27001 / 27002 fit in…
Slide 19
Implementation context for PDCA
ISO 27001 Information Security Management System (ISMS) adopts the PDCA
model
• Plan (Design Phase)
Establish the objectives and processes necessary to deliver results in accordance with the
specifications.
• Do (Implementation Phase)
Implement the processes.
• Check, AKA Study (Assessment Phase)
Monitor and evaluate the processes and results against objectives and specifications, and
report the outcome.
• Act (Manage, Authorize Phase)
Apply actions to the outcome for necessary improvement. This means reviewing all steps
(Plan, Do, Check, Act) and modifying the process to improve it before its next implementation.
Slide 20
PDCA Process
(Diagram: the ISMS PROCESS, with Management Responsibility spanning all steps)
Interested Parties (Information Security Requirements & Expectations)
→ PLAN: Establish ISMS
→ DO: Implement & Operate the ISMS
→ CHECK: Monitor & Review ISMS
→ ACT: Maintain & Improve
→ Interested Parties (Managed Information Security)
Slide 21
BS ISO/IEC 27002:2005 (aka – ISO 27002)
The international Standard that establishes the guidelines and general principles for initiating,
implementing, maintaining, and improving information security management in an organization.
The full title of this standard is: “Information technology. Security techniques. Code of
practice for information security management”
Slide 22
Structure and Format of ISO 27002
Slide 23
Structure and Format of ISO 27002
0. Introduction
1. Scope
2. Terms and definitions
3. Structure of this standard
4. Risk assessment
The actual control domains and detail controls begin with Section 5.
Slide 25
Structure and Format of ISO 27002
• system documentation
7.2 Information classification
Information should be classified according to its need for security protection and labeled
accordingly.
Slide 26
Structure and Format of ISO 27002
Slide 27
Structure and Format of ISO 27002
Slide 28
Structure and Format of ISO 27002
Slide 29
Structure and Format of ISO 27002
Slide 30
Structure and Format of ISO 27002
Slide 31
Structure and Format of ISO 27002
Slide 32
Structure and Format of ISO 27002
Slide 33
Implementation process cycle
(Diagram: PDCA cycle – PLAN: Establish ISMS; DO: Implement & Operate the ISMS; CHECK: Monitor &
Review ISMS; ACT: Maintain & Improve – surrounded by the implementation activities:)
– IS Policy
– Security Organisation
– Asset Identification & Classification
– Control Selection & Implementation
– Operationalize the Processes
– Check Processes
– Corrective & Preventive Actions
– Management Review
Slide 34
ITIL
Slide 35
Background
Slide 37
Version 3 Overview
V3 Overview
Service strategy:
• Service Portfolio Mgmt
• Financial Mgmt
• Demand Mgmt
Service design:
• Service Catalogue Mgmt
• Service Level Mgmt
• Supplier Mgmt
• Capacity Mgmt
• Availability Mgmt
• IT Service Continuity Mgmt
• Information Security Mgmt
Service transition:
• Change Mgmt
• Service Asset & Configuration Mgmt
• Knowledge Mgmt
• Transition Planning and Support
• Release & Deployment Mgmt
• Service Validation & Testing
• Evaluation
Service operation:
• Event Mgmt
• Incident Mgmt
• Request Fulfilment
• Access Mgmt
• Problem Mgmt
Functions:
• Service Desk
• Technical Mgmt
• IT Operations Mgmt
• Applications Mgmt
Supporting material:
• Service, organizational, process and technology maps
Slide 38
ITIL® Version 3
Service Design
Slide 39
Service Design
Goal:
The design of appropriate and innovative IT services, including their
architectures, processes, policies, and documentation, to meet current and
future agreed business requirements.
Objectives:
− Design services to meet agreed business outcomes
− Design processes to support the service lifecycle
− Identify and manage risks
− Design secure and resilient IT infrastructures, environments, applications
and data/information resources and capability
− Design measurement methods and metrics
Slide 40
Service Design
Objectives (contd..):
− Produce and maintain plans, processes, policies, standards, architectures,
frameworks and documents to support the design of quality IT solutions
− Develop skills and capability within IT
− Contribute to the overall improvement in IT service quality
Slide 41
Service Design
Slide 43
Service Design
Goal:
The goal of the ITSCM is to support the overall Business Continuity Management
process by ensuring that the required IT technical and service facilities (including
computer systems, networks, applications, data repositories, telecommunications,
technical support, and Service Desk) can be resumed within required, and agreed,
business timescales.
Slide 44
Service Design
• To maintain a set of IT service Continuity Plans and IT recovery plans that support
the overall Business Continuity Plans (BCPs) of the organization
• To complete regular Business Impact Analysis (BIA) exercises to ensure that all
continuity plans are maintained in line with changing business impacts and
requirements
Slide 45
Service Design
• To ensure that appropriate continuity and recovery mechanisms are put in place to
meet or exceed the agreed business continuity targets
• To assess the impact of all changes on the IT service Continuity Plans and IT
recovery plans
• To negotiate and agree the necessary contracts with suppliers for the provision of the
necessary recovery capability to support all continuity plans in conjunction with the
Supplier Management process
Slide 46
Service Design
Slide 47
Service Design
• Positive results from audits performed over the ITSCM plans to ensure that, at all
times, the agreed recovery requirements of the business can be achieved
Slide 48
IT Service Continuity Management – KPIs
• Response time to restore business operations after a disaster occurs based on the
type of recovery option chosen (i.e. manual, immediate, fast, intermediate, or
gradual)
• Cost of service continuity management vs. cost incurred by the business in the
event of an IT service loss. This could include both tangible (i.e. financial) and
intangible (i.e. reputation) costs
Slide 49
COBIT – Control Objectives for Information and related Technology
Slide 50
COBIT – Control Objectives for Information and related Technology
Slide 51
Harmonizing the Elements of IT Governance
(Diagram: the elements of IT Governance, including Resource Management)
Slide 52
The COBIT® Framework
Slide 53
COBIT® Defines Processes, Goals and Metrics
(Diagram: Relationship amongst Process, Goals and Metrics (DS5))
Slide 54
COBIT® Products and Their Primary Audience
(Diagram: COBIT and Application Controls)
Slide 55
End of Session
Slide 56
Course: Information Security Management
in e-Governance
Day 1
Slide 1
Agenda
Slide 2
Defining Application Software
System Software helps run the computer hardware and computer system (e.g. operating
systems, device drivers, diagnostic tools, servers, windowing systems, and utilities).
Slide 3
Defining Application Software
Slide 4
(Diagram: Support Functions and Core Functions of government business, e.g. Finance and
Licensing, serving Citizens and Govt. employees)
Slide 5
(Diagram continued: Issuance of Certificate, Procurement, Education)
Applications software supporting government business functions.
Slide 6
Information Security Risks surrounding business
applications
Slide 7
Risks surrounding business applications
• Unauthorized access: when a person who does not have permission to connect to or
use a system gains entry in a manner unintended by the system owner
• Data loss: the unforeseen loss of data or information
• Data theft: when information is illegally copied or taken from a business or an individual
Slide 8
Security Compromise : Outcome
• Loss of confidentiality
• Loss of privacy
• Loss of integrity
• Loss of availability
• Loss of Revenue
• Goodwill loss
• And many more…
Slide 9
The most common Business Application security issues
• Inadequate IT Security and IT involvement during definition, design, testing & review
• Inadequate development team knowledge of application security threats & secure application
development principles
• Inadequate security controls throughout the SDLC (e.g. security considerations during
Business Impact and Threat Assessments, Problem and Change Management, Testing)
Slide 10
Approach for securing business applications
Slide 11
Key Focus areas in Application Security
• Ability to Validate
• Proving Identity
• Allowing to Transact
• Audit Trails
• Users Management - How do I manage this identity and what it can access over its
lifetime?
• Management
• Profiling
Slide 12
Authentication
(Diagram: the three parts of an authentication mechanism – Authentication Factors, Evidence,
Authentication Protocol – and the Authentication Steps)
Slide 13
Variations on the Model
• Authentication server: User authenticates once to authentication server, which relays ticket
or authentication assertion to resource
• Validation server: Resource relies on separate validation server for part or all of
authentication decision
Slide 14
Describing an Authentication Mechanism
• An authentication mechanism is a process involving:
• Selected authentication factors
• Particular evidence about those factors; and a
• Specific protocol for conveying the evidence
• Simple authentication mechanism has one resource, one authentication decision
Authentication Factors
Something you know:
• Password (evidence: the password)
• Knowledge-based authentication (evidence: the answer)
Something you have:
• One-time password token (evidence: the one-time password)
• Smart card / USB token (evidence: a signature)
Something you are / can do:
• Biometrics (evidence: a fingerprint)
Slide 15
Strong Authentication
• A system may recognise one or more of three factors to be used for authenticating users:
• 'Something you have', such as a mobile phone, credit card or hardware security
token
• Strong authentication will entail using more than one of these authentication factors at any
one time.
Slide 16
Authentication factors
Slide 17
Single Factor Authentication (SFA)
• SFA is the traditional security process that requires a user name and password before granting
access to the user.
• SFA security relies on the diligence of the user, who should take additional precautions -- for
example, creating a strong password and ensuring that no one can access it.
• Single factor authentication needs an enhanced security environment for users to authenticate
and transact on web
• It also needs a mechanism to have a centralized repository of User profiles and credentials
Diagram: the user presents knowledge (username, password) to the server.
Slide 18
User Id Rules – Best Practices for User ID creation - Illustrative
• Definition and implementation of policy and procedures for creation and management of user ids
• Access to computing resources (e.g. files, applications, and databases) via shared User Ids
should be strictly prohibited
• Deactivation of user accounts, which are inactive for long durations (e.g. more than 60
days)
• User Ids with special system privileges should be controlled and restricted to a limited
number of authorised personnel
Slide 19
Strong password
• A strong password is one that is designed to be hard for a person or program to discover.
• Because the purpose of a password is to ensure that only authorized users can access
resources, a password that is easy to guess is a security risk.
• Essential components of a strong password include sufficient length and a mix of character
types.
• A typical weak password is short and consists solely of letters in a single case.
Slide 20
Password Management – Illustrative Best Practices
• A password expiration period of one or two months should be set to force users to change their passwords at regular intervals
• The system should force the user to change the password (issued by the Systems
Administrator) at the time of the initial logon
• User Ids should be disabled after incorrect passwords have been entered for 3 consecutive
times.
• Default passwords, shipped with software upon installation of the software or receipt of a
system with pre-loaded software, should be immediately changed.
• The practice of "recycling" or reusing the same password when prompted for a change
should be prevented, where possible.
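Slides 18 to 20 state the user-id and password rules as policy. The Python below is an added example, not part of the course material, that enforces those rules in one place: a strength check (length and mix of character types), a forced change of the administrator-issued password at first logon, expiry, disabling the account after 3 consecutive wrong passwords, and a block on recycling recent passwords. The 3-attempt lockout comes from the slides and 60 days stands in for the "one or two month" expiry; the minimum length of 12, the history depth of 5 and the SHA-256 placeholder hash are assumptions made for the example.

```python
import hashlib
import re
from datetime import date, timedelta

EXPIRY_DAYS = 60          # slide: expire passwords every one or two months
MAX_FAILED_ATTEMPTS = 3   # slide: disable the user id after 3 consecutive wrong passwords
MIN_LENGTH = 12           # assumption: the slide only says "sufficient length"
HISTORY_DEPTH = 5         # assumption: how many previous passwords are remembered


def password_strength_issues(password: str) -> list:
    """Return the reasons a password fails the strong-password rules (empty list = strong)."""
    issues = []
    if len(password) < MIN_LENGTH:
        issues.append(f"shorter than {MIN_LENGTH} characters")
    classes = {
        "lowercase": re.search(r"[a-z]", password),
        "uppercase": re.search(r"[A-Z]", password),
        "digit": re.search(r"\d", password),
        "symbol": re.search(r"[^A-Za-z0-9]", password),
    }
    missing = [name for name, found in classes.items() if not found]
    if len(missing) > 1:  # require at least three of the four character types
        issues.append("missing character types: " + ", ".join(missing))
    return issues


def _digest(password: str) -> str:
    # Placeholder for the example only; a real credential store uses a slow salted hash.
    return hashlib.sha256(password.encode()).hexdigest()


class Account:
    def __init__(self, user_id: str, initial_password: str, today: date):
        self.user_id = user_id
        self.history = [_digest(initial_password)]  # newest password last
        self.password_set_on = today
        self.must_change = True   # issued by the Systems Administrator: change at first logon
        self.failed_attempts = 0
        self.disabled = False

    def login(self, password: str, today: date) -> str:
        if self.disabled:
            return "disabled"
        if _digest(password) != self.history[-1]:
            self.failed_attempts += 1
            if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
                self.disabled = True
                return "disabled"
            return "denied"
        self.failed_attempts = 0
        if self.must_change or (today - self.password_set_on).days >= EXPIRY_DAYS:
            return "change-required"
        return "ok"

    def change_password(self, new_password: str, today: date) -> str:
        issues = password_strength_issues(new_password)
        if issues:
            return "weak: " + "; ".join(issues)
        if _digest(new_password) in self.history:
            return "reused"
        self.history = (self.history + [_digest(new_password)])[-HISTORY_DEPTH:]
        self.password_set_on = today
        self.must_change = False
        return "changed"


def demo() -> list:
    """Walk one constructed account through the policy and return the outcome of each step."""
    day0 = date(2024, 1, 1)
    acct = Account("clerk01", "Init-Passw0rd!", day0)
    steps = [
        acct.login("guess", day0),                                    # denied
        acct.login("Init-Passw0rd!", day0),                           # change-required (first logon)
        acct.change_password("short", day0),                          # weak: ...
        acct.change_password("Init-Passw0rd!", day0),                 # reused
        acct.change_password("N3w-Str0ng-Secret!", day0),             # changed
        acct.login("N3w-Str0ng-Secret!", day0),                       # ok
        acct.login("N3w-Str0ng-Secret!", day0 + timedelta(days=61)),  # change-required (expired)
    ]
    for _ in range(MAX_FAILED_ATTEMPTS):
        acct.login("guess", day0)
    steps.append(acct.login("N3w-Str0ng-Secret!", day0))             # disabled after 3 failures
    return steps


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```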
Slide 21
Challenges with Single factor authentication / passwords
- People almost always either pick weak passwords or they record their passwords
someplace handy (perhaps protected by a single password)
Slide 22
Two factor authentication
Slide 23
What is 2-3 Factor Authentication
• Is a combination of Something you know (Password), Something you have (Smart Card /
tokens) and/or Something you are (Biometric)
• Authentication using two or three independent methods – typically something you have
(device) and something you know (password)
• A reusable password plus a physical device greatly increases the security around
authentication
• Two-Factor authentication is being more widely embraced by the banking and financial
services industries
• Most common example: ATMs require that you have a reusable password (PIN) and a
physical card in order to access bank account
Slide 24
Digital Certificates
• Digital client certificates are a solution for enabling the enhanced user identification and access controls needed to protect sensitive online information
• Used to authenticate an individual and issued by trusted third parties known as Certificate Authorities (CAs)
• Certificates are issued at various security levels. The higher the security level, the more thoroughly the CA verifies the identity of the certificate applicant.
• Digital certificates can also be stored and transported on smart cards or USB tokens for use when traveling
• Digital certificates can be issued by anyone as long as there are people willing to believe them
Slide 25
Classes of Public Key Certificates
Slide 26
Few areas where Digital certificates are prominently used in
governments
Slide 27
Security token & Smart Cards
Security Token
• One form of 'something you have' is the smart card or USB token
• Security tokens use two-factor authentication using a password and a device (or an
appropriate hardware identifier)
Smart Cards
• Cards do not release the keys but rather perform the signing operation on the card
• Card can run applets/applications which are written in Java and other common languages.
Slide 28
One-time password (OTP)
• These devices have an LCD screen which displays a pseudo-random number consisting of 6
or more alphanumeric characters
• A clock-based token is an active token that generates one-time passwords based on the server clock
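The clock-based token described on Slide 28 can be made concrete with the TOTP algorithm (RFC 6238), which derives each code from HOTP (RFC 4226) by using the number of elapsed time steps as the counter. The following Python is an added example, not from the course material: the 30-second step, 6 digits and acceptance of one neighbouring window for clock drift are the common standard values and are assumptions here, and the shared secret is the published RFC test-vector secret used as constructed sample data.

```python
import hashlib
import hmac
import struct
import time

TIME_STEP = 30          # seconds per window (assumption, RFC 6238 default)
DIGITS = 6              # code length shown on the token display
ALLOWED_SKEW_STEPS = 1  # server accepts the previous and next window to absorb clock drift


def hotp(secret: bytes, counter: int) -> str:
    """HMAC-based OTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # low nibble of last byte picks 4 bytes
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def totp(secret: bytes, unix_time: int) -> str:
    """Clock-based OTP: the counter is the number of TIME_STEP windows since the Unix epoch."""
    return hotp(secret, unix_time // TIME_STEP)


def verify_totp(secret: bytes, submitted: str, unix_time: int) -> bool:
    """Server side: recompute the code for the current window and the allowed neighbours."""
    counter = unix_time // TIME_STEP
    for delta in range(-ALLOWED_SKEW_STEPS, ALLOWED_SKEW_STEPS + 1):
        if hmac.compare_digest(hotp(secret, counter + delta), submitted):
            return True
    return False


# Constructed shared secret (the RFC 4226/6238 test-vector key); real tokens get a random one.
DEMO_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    now = int(time.time())
    code = totp(DEMO_SECRET, now)
    print("token displays:", code)
    print("server accepts:", verify_totp(DEMO_SECRET, code, now))
```

Because both sides hold the same secret and agree on the time, the token never transmits the secret; a code captured in one window is useless a minute later, which is the property that makes the device a usable "something you have".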
Slide 29
Something you are: biometrics
Slide 30
Few methods / protocols for authentication
LDAP
• The Lightweight Directory Access Protocol (or LDAP) provides networked access to a hierarchical database of authentication information.
• LDAP is appropriate for any kind of directory-like information, where fast lookups and less-frequent updates are the norm, making it perfect for use in authenticating an organisation’s users.
Kerberos
• Kerberos is a network authentication protocol that will allow individuals communicating over an insecure network to prove their identity to one another in a secure manner.
• Kerberos is a client-server model that provides mutual authentication, thereby allowing both the user and the server to verify each other's identity.
Native Authentication
• Native authentication schemes are authentication mechanisms built into devices and/or some applications that often utilise proprietary authentication protocols and non-standardised authentication information stores.
Slide 31
Single Sign On - SSO
• Single sign-on (e-SSO) is a property of authentication for multiple, related, but independent
software systems.
• With this property a user logs in once and gains access to all systems without being
prompted to log in again at each of them.
• The process authenticates the user for all the applications they have been given rights to and
eliminates further prompts when they switch applications during a particular session.
• The user's credentials are stored in a secure, cryptographically locked store so that the users themselves no longer know the application credentials; it is then possible to 'release' (log on with) certain credentials based on a defined 'authentication grade'.
• Two factor authentication systems such as smart cards or biometrics can be linked to
different authentication grades.
Slide 32
SSO - Advantages
• Strong authentication
- Smartcards
Slide 33
Authorisation
• Once we know (reasonably) who it is, we need to decide what they can access, and
how.
• When a user tries to access a resource, the access control process checks that the user
has been authorized to use that resource
• Users should only be authorized to access whatever they need to do their jobs !!!
Slide 34
Authorisation
• Authorise users of systems based on predefined privileges that are associated with a
job function.
• Hence the access users would gain to systems should be restricted to their role within
the organisation, and when the user changes roles, the user’s access to systems
changes as well.
• For example, depending upon the need, the final approval of a land allotment application should be restricted to some members of the approving committee.
Slide 35
Role-Based Access Control
During operation, the system uses the access control rules to decide whether access
requests from (authenticated) users shall be granted or rejected.
Slide 36
Context-Based Access Control
Trusted users that have been authenticated are often authorized unrestricted access to resources.
"Partially trusted" users will often have restricted authorization, depending on the context of the request, in order to protect resources against improper access and usage.
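Slides 33 to 36 describe authorisation as role-based rules plus a context layer for partially trusted requests. The Python below is an added example, not from the course material, that makes the land-allotment case concrete: roles carry permissions, a committee member's final approval is additionally gated on the network the request comes from, the hour and whether strong authentication was used, and a change of job function removes the old role's access. The role names, permission strings and context rules are assumptions constructed for the illustration.

```python
from dataclasses import dataclass, field

# Constructed role model for the land-allotment workflow (role and permission names assumed).
ROLE_PERMISSIONS = {
    "clerk":     {"application:create", "application:read"},
    "officer":   {"application:read", "application:verify"},
    "committee": {"application:read", "application:approve"},
    "auditor":   {"application:read", "audit_log:read"},
}


@dataclass
class User:
    user_id: str
    roles: set = field(default_factory=set)


@dataclass
class Context:
    """Request attributes used for context-based access control (assumed attribute set)."""
    network: str        # "internal" or "external"
    hour: int           # local hour of the request, 0-23
    strong_auth: bool   # a second factor was presented (smart card, OTP token, biometric)


def rbac_allows(user: User, action: str) -> bool:
    """Role-based rule: the action must be permitted by at least one of the user's current roles."""
    return any(action in ROLE_PERMISSIONS.get(role, set()) for role in user.roles)


def context_allows(action: str, ctx: Context) -> tuple:
    """Context-based layer: final approval is high-value, so the committee member is only
    fully trusted for it from the internal network, in office hours, with strong authentication."""
    if action == "application:approve":
        if not ctx.strong_auth:
            return False, "approval requires two-factor authentication"
        if ctx.network != "internal":
            return False, "approval only from the internal network"
        if not 9 <= ctx.hour < 18:
            return False, "approval outside office hours"
    return True, "ok"


def decide(user: User, action: str, ctx: Context) -> tuple:
    """Authorisation decision for an already-authenticated user: role check first, then context."""
    if not rbac_allows(user, action):
        return False, f"roles {sorted(user.roles)} not authorised for {action}"
    return context_allows(action, ctx)


def change_role(user: User, old_role: str, new_role: str) -> None:
    """Access follows the job function: moving roles drops the old role's rights immediately."""
    user.roles.discard(old_role)
    user.roles.add(new_role)


if __name__ == "__main__":
    member = User("member01", {"committee"})
    print(decide(member, "application:approve", Context("internal", 11, True)))
    print(decide(member, "application:approve", Context("external", 11, True)))
    change_role(member, "committee", "auditor")
    print(decide(member, "application:approve", Context("internal", 11, True)))
```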
Slide 37
Authorisation
Slide 38
Some of the best practices for authorization
• The Systems Security Administrator should review user access rights when changes to a
user’s normal duties are required, for example, as a result of resignation, termination,
transfer or promotion.
Slide 39
Solutions/Tools for Authorization implementation?
Slide 40
Audit and Audit trails
• Audit – the process of reviewing activities that enables the reconstruction and examination of
events to determine if proper procedures have been followed.
• System logs of “who was on what system when” depend on Authentication credentials of the
user
Slide 41
Audit trails - Need
Individual Accountability
• An individual's actions are tracked in an audit trail allowing users to be personally
accountable for their actions.
• This deters the users from circumventing security policies. Even if they do, they can
be held accountable.
Reconstructing Events
• Audit trails can also be used to reconstruct events after a problem has occurred.
• The amount of damage that occurred with an incident can be assessed by reviewing
audit trails of system activity to pinpoint how, when, and why the incident occurred.
Audit trails and similar evidence are needed for
• Monitoring and reviewing any application access related breaches;
• Use as evidence in relation to a potential breach of contract, breach of a regulatory requirement, or in the event of civil or criminal proceedings, e.g. under the Copyright Act or the Information Technology Act
Slide 42
Audit trails - Need
• Problem Monitoring
• Real time monitoring helps in detection of problems like disk failures, over utilization
of system resources or network outages.
• Intrusion Detection
• Audit trails can help in intrusion detection if they record appropriate events.
• Determining what events to audit so that audit trails can be used in an effective
manner to aid intrusion detection is one of the present research issues being looked
into by the research community.
Slide 43
Audit trail – Need
Reporting
• The Reporting element enables the organisation to draw a variety of reports relating to the
use of its identities.
• In particular, reports on audit trails form a basis for accountability within the organisation by
tracking who requested access, why the request was granted or denied, and who approved
the request.
• During investigations, audit reports can be used to conduct thorough analysis of incidents.
Slide 44
Audit trail – Best practices
• Live application connections and data should be subject to strict change control. When
programs are changed, an audit log containing all relevant information should be retained
• An audit trail of all access should be securely maintained and reviewed on a daily basis.
• The audit log and issues related to the usage of sensitive privileges / utilities should be
reviewed weekly and followed up for any inappropriate usage.
• The use of sensitive utilities should be logged in "tamper-proof" logs for review by the
Systems Security Administrator, wherever possible.
• Router, firewall and switch audit logs should also be reviewed on a daily basis for unauthorized access
Slide 45
Audit Trail Analysis
• Manual analysis of audit trails, though cumbersome, is often resorted to because of the difficulty of constructing queries that extract complex information from the audit logs.
• The major obstacle in developing effective audit analysis tools is the copious amount of data that logging mechanisms generate
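Slides 40 to 45 list what audit trails are for (reconstructing "who was on what system when", individual accountability, intrusion detection, review of sensitive-utility use) and note how hard they are to query. The Python below is an added example, not course material: it parses a constructed log of login, logout and sensitive-utility events, rebuilds sessions, flags users who hit the 3-consecutive-failure lockout condition from Slide 20, and reports utility use a Systems Security Administrator would follow up. The log format, the hostnames, the utility name and the 09:00 to 18:00 office-hours window are assumptions; the 10.54.40.x addresses reuse those shown on the network diagram.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample audit trail (not from the course material); one event per line.
SAMPLE_LOG = """\
2024-03-04T08:59:12 host=app01 user=clerk01 event=LOGIN result=SUCCESS src=10.54.40.29
2024-03-04T09:02:40 host=app01 user=clerk02 event=LOGIN result=FAILURE src=10.54.40.30
2024-03-04T09:02:55 host=app01 user=clerk02 event=LOGIN result=FAILURE src=10.54.40.30
2024-03-04T09:03:10 host=app01 user=clerk02 event=LOGIN result=FAILURE src=10.54.40.30
2024-03-04T09:05:00 host=db01 user=sysadmin event=LOGIN result=SUCCESS src=10.54.40.31
2024-03-04T09:06:30 host=db01 user=sysadmin event=UTILITY name=dbdump result=SUCCESS src=10.54.40.31
2024-03-04T12:30:00 host=app01 user=clerk01 event=LOGOUT result=SUCCESS src=10.54.40.29
2024-03-04T23:15:02 host=db01 user=clerk01 event=UTILITY name=dbdump result=SUCCESS src=10.54.40.29
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line: str):
    """Turn 'timestamp key=value ...' into a dict with a parsed 'ts'; None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    record = dict(pair.split("=", 1) for pair in m.group("kv").split())
    record["ts"] = datetime.fromisoformat(m.group("ts"))
    return record


def parse_log(text: str) -> list:
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def reconstruct_sessions(records: list) -> list:
    """Who was on what system when: pair each successful LOGIN with the next LOGOUT
    of the same user on the same host. Open sessions get end=None."""
    open_sessions, sessions = {}, []
    for r in records:
        key = (r["user"], r["host"])
        if r["event"] == "LOGIN" and r["result"] == "SUCCESS":
            open_sessions[key] = r["ts"]
        elif r["event"] == "LOGOUT" and key in open_sessions:
            sessions.append((r["user"], r["host"], open_sessions.pop(key), r["ts"]))
    for (user, host), start in open_sessions.items():
        sessions.append((user, host, start, None))
    return sessions


def consecutive_failures(records: list, threshold: int = 3) -> set:
    """Users who reached `threshold` consecutive failed logins (the lockout rule on Slide 20)."""
    streak, flagged = defaultdict(int), set()
    for r in records:
        if r["event"] != "LOGIN":
            continue
        if r["result"] == "FAILURE":
            streak[r["user"]] += 1
            if streak[r["user"]] >= threshold:
                flagged.add(r["user"])
        else:
            streak[r["user"]] = 0
    return flagged


def suspicious_utility_use(records: list, privileged_users: set, office_hours=(9, 18)) -> list:
    """Sensitive-utility use by a non-privileged user, outside office hours, or on a host
    where the user has no recorded login. Each finding carries the reasons for review."""
    logged_in, findings = set(), []
    for r in records:
        key = (r["user"], r["host"])
        if r["event"] == "LOGIN" and r["result"] == "SUCCESS":
            logged_in.add(key)
        elif r["event"] == "LOGOUT":
            logged_in.discard(key)
        elif r["event"] == "UTILITY":
            reasons = []
            if r["user"] not in privileged_users:
                reasons.append("non-privileged user")
            if not office_hours[0] <= r["ts"].hour < office_hours[1]:
                reasons.append("outside office hours")
            if key not in logged_in:
                reasons.append("no login recorded on host")
            if reasons:
                findings.append((r["ts"], r["user"], r["host"], r["name"], reasons))
    return findings


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for s in reconstruct_sessions(recs):
        print("session:", s)
    print("lockout candidates:", consecutive_failures(recs))
    for f in suspicious_utility_use(recs, {"sysadmin"}):
        print("review:", f)
```

Each check here is a query that is awkward to write by hand against raw text, which is the point Slide 45 makes; once the log is parsed into records the same data answers accountability, lockout and sensitive-utility questions.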
Slide 46
Approach to design secured applications
Slide 47
Custom Application development
- Undertake application security reviews such as design reviews, code reviews and penetration testing at various intervals during the SDLC, not two days before go-live.
- Develop policies and standards for control of the development environment, source code and access control.
Slide 48
Managing information security in enterprise applications – Holistic approach
Governance: security policies, guidelines, standards, procedures and metrics created & enforced by the organization
Requirements: defined according to governance rules for authentication, authorization, non-repudiation, data confidentiality, integrity, accountability, session management, transport security, privacy, etc.
Design: design with considerations for network, server, middleware, database and programming platform vulnerabilities, leveraging techniques such as threat modeling, risk analysis, misuse and abuse cases.
Deployment: the application should be tuned and hardened at all layers of the platform stack to minimize infrastructure software misconfiguration vulnerabilities.
Operate/Maintain: vulnerability scanning regularly performed during the application maintenance phase on both the application and infrastructure to ensure no new security risks have been introduced and that the level of security is still intact.
Slide 50
Security Checks in Production vs. Development
Production Phase
• Testing is more end-to-end, checks application layer, network layer, and system layer security vulnerabilities
• Appropriate for tool-based vulnerability scanning
• Not very good at finding application code specific vulnerabilities
Development Phase
• Testing is more focused on application layer vulnerabilities
• Appropriate for all levels of security tests
• Low cost due to early discovery of security defects
Slide 51
End of Session
Slide 52
Course: Information Security Management
in e-Governance
Day 1
Slide 3
Operating Systems
February 2007
Slide 4
The leading risks and threats
- Viruses
- Worms
- Trojans
- Spyware
Slide 5
Operating system security
Slide 6
Keep Your Operating System Updated
• Just keep your system up to date with the latest software available.
• Online criminals are constantly at work devising new ways to attack your computer
and invade your privacy. Fortunately, software companies work even harder to
counter those threats and to provide you with updated tools that you can use to
protect your PC.
• You should regularly update your computer operating system with security updates
provided by the manufacturer. The same goes for your Web browser and other
important applications, including your antivirus and antispyware programs
Slide 7
The Benefits of Automatic Security Updates
• As with human viruses, the best treatment for computer viruses is to avoid getting
them in the first place.
Slide 8
Install and Maintain Antivirus Software
• Strong antivirus programs can detect and destroy thousands of specific viruses
before they have a chance to damage your system.
• Online attackers are constantly creating new viruses and worms, and devising new
ways to invade and damage your computer.
• To protect your PC from these threats, make sure you never let your antivirus
program expire, and keep the software up to date with the latest updates from the
manufacturer.
Slide 9
Install and Maintain Antispyware Software
• Antispyware software can expose any spies already on your system, and help to
keep your computer running smoothly and prevent further intrusion.
• As with your operating system and antivirus software, it is essential that you keep
your antispyware software updated to make sure you have the highest level of
protection for your PC.
Slide 10
Need for Operating systems hardening
• A hardened OS is one in which the vendor has modified the kernel source code to provide a mechanism that enforces a security perimeter between the non-secure application software, the secure application software and the network stack
Slide 11
OS hardening fundamentals
Slide 12
OS hardening fundamentals
Slide 13
Some other measures for Operating System Security
Slide 14
Some of the measures for Host Hardening
Slide 15
Additional operating system access controls
Slide 16
Additional operating system access controls (cont’d)
Slide 17
Additional operating system access controls (cont’d)
Slide 18
End of Session
Slide 19
Course: Information Security Management
in e-Governance
Day 2
Information security measures and solutions for securing LAN, WAN and Data Center
Terminology
Basic Terminology
Network
- A network is a group of computers/IT components connected together in such a
way as to facilitate:
• Data/voice/video Communication among people within and across building,
locations, cities and countries
• Sharing of data/files/documents within office, across offices (in the same city
or across the cities)
• Accessing the software applications and databases for performing business
functions
Slide 3
Network Architectures
Diagram: two networked hosts, IP_10.54.40.29 and IP_10.54.40.30.
Slide 4
Network Architectures
Slide 5
LAN and WAN
Diagram: two LAN switches, each behind a router, connected over a WAN leased line.
Network Architectures
What is the Internet
The Internet is a public network that facilitates communication among the group of networks connected to it.
What is an Intranet
• The Internet has undoubtedly become the largest public data network, enabling and facilitating
both personal and business communications worldwide.
• The volume of traffic moving over the Internet, as well as corporate networks, is expanding
exponentially every day.
• While the Internet has transformed and greatly improved the way we do business, this vast
network and its associated technologies have opened the door to an increasing number of
security threats from which corporations must protect themselves.
• An attack may directly cause several hours of downtime for employees, and networks must be
taken down in order for damage to be repaired or data to be restored.
• Clearly, loss of precious time and data can greatly impact employee efficiency and morale !!!
Slide 8
Threats to Data
• A single hacker working from a basic computer can generate damage to a large number of
computer networks that wreaks havoc around the world.
• Perhaps even more worrisome is the fact that the threats can come from people we know.
• In fact, most network security experts claim that the majority of network attacks are initiated by
employees who work inside the corporations where breaches have occurred.
• Employees, through mischief, malice, or mistake, often manage to damage their own
companies’ networks and destroy data.
• Remote employees and partners pose the same threats as internal employees, as well as the
risk of security breaches if their remote networking assets are not properly secured and
monitored.
Slide 9
Who are the enemies?
Hackers
• This generic term applies to computer enthusiasts who take pleasure in gaining access to
other people’s computers or networks.
• Many hackers are content with simply breaking in and leaving their “footprints,” which are joke
applications or messages on computer desktops.
• Other hackers, often referred to as “crackers,” are more malicious, crashing entire computer
systems, stealing or damaging confidential data, defacing Web pages, and ultimately
disrupting business.
• Some amateur hackers merely locate hacking tools online and deploy them without much
understanding of how they work or their effects.
Slide 10
Who are the enemies?
Unaware Staff
• As employees focus on their specific job duties, they often overlook standard network security
rules
• They might choose passwords that are very simple to remember so that they can log on to their
networks easily
• Such passwords might be easy to guess or crack by hackers using simple common sense or a
widely available password cracking software utility
• Employees can unconsciously cause other security breaches including the accidental
contraction and spreading of computer viruses
• One of the most common ways to pick up a virus is from a floppy disk or by downloading files
from the Internet. Employees who transport data via floppy disks can unwittingly infect their
corporate networks with viruses they picked up from computers in copy centers or libraries
• They might not even know if viruses are resident on their PCs. Corporations also face the risk
of infection when employees download files, such as PowerPoint presentations, from the
Internet
Slide 11
Who are the enemies?
Disgruntled Staff
• Far more unsettling than the prospect of employee error causing harm to a network is the
potential for an angry or vengeful staff member to inflict damage.
• Angry employees, often those who have been reprimanded, fired, or laid off, might vindictively
infect their corporate networks with viruses or intentionally delete crucial files.
• This group is especially dangerous because it is usually far more aware of the network, the
value of the information within it, where high-priority information is located, and the safeguards
protecting it.
Slide 12
Causes of Intrusion
Intruders are always discovering new vulnerabilities (informally called "holes") to exploit
in computer software.
• Users fail to obtain and install the latest patches/updates, or to configure the software to operate more securely.
• Most incidents could be prevented if system administrators and users kept their computers up-to-date with patches and security fixes.
• Some default settings allow other users to access your computer unless you change them to be more secure
Slide 13
What can these enemies do to Organizations
- Unauthorized Intrusions
- Denial of Service (DoS) Attacks
- Viruses, Worms, Trojan Horses (Backdoors)
- Vandals
- Data Interception
- Website Defacements
- Internal Attacks
- Non-compliance
Slide 14
Approach for securing IT
Infrastructure
Slide 15
Eight Security Dimensions Address the Breadth of Network Vulnerabilities
• Access Control: limit & control access to network elements, services & applications. Examples: password, ACL, firewall
• Authentication: provide proof of identity. Examples: shared secret, PKI, digital signature, digital certificate
• Non-repudiation: prevent the ability to deny that an activity on the network occurred. Examples: system logs, digital signatures
• Data Confidentiality: ensure confidentiality of data. Example: encryption
• Communication Security: ensure information only flows from source to destination. Examples: VPN, MPLS, L2TP
• Data Integrity: ensure data is received as sent or retrieved as stored. Examples: MD5, digital signature, anti-virus software
• Availability: ensure network elements, services and applications are available to legitimate users. Examples: IDS/IPS, network redundancy, BC/DR
• Privacy: ensure identification and network use is kept private. Examples: NAT, encryption
Eight Security Dimensions applied to each Security Perspective (layer and plane)
Defense-in-Depth
• Firewalls
• Intrusion Detection System
• Intrusion Prevention Systems
• Quarantine
• Routers
• AAA server
• Antivirus Gateway
• Virtual Private Networks
• Network Monitoring Tools
Slide 18
Firewalls
Slide 20
Firewall rule sets
Rule sets can be static or dynamic.
• A static rule-set is an unchanging statement to be applied to packet headers, such as blocking all incoming traffic with certain source addresses.
• A dynamic rule set often is the result of coordinating a firewall and an IDS. For example, an IDS that alerts on malicious activity may send a message to the firewall to block the incoming IP address.
Slide 21
Packet Filter Firewalls
• Packet filter firewalls evaluate the headers of each incoming and outgoing
packet to ensure it has a valid internal address, originates from a permitted
external address, connects to an authorized protocol or service, and contains
valid basic header instructions.
• If the packet does not match the pre-defined policy for allowed traffic, then the
firewall drops the packet.
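Slides 20 and 21 describe static and dynamic rule sets and the header checks a packet filter performs. The Python below is an added example, not from the course material, of a small first-match packet filter: address sanity checks on inbound and outbound packets, a static rule list, and a dynamic block list of the kind an IDS alert would populate. The internal network 10.54.40.0/24 is taken from the host addresses on the network diagram; the rules, the web-server role of 10.54.40.29 and the outside addresses (documentation ranges 203.0.113.0/24 and 198.51.100.0/24) are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    """The header fields the filter inspects (assumed minimal set)."""
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    dport: Optional[int]  # destination port, None for icmp
    direction: str        # "in" (arriving from outside) or "out" (leaving)


@dataclass
class Rule:
    """One static rule; the defaults match any address, protocol and port."""
    action: str           # "allow" or "deny"
    direction: str
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src, strict=False)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst, strict=False)
                and self.proto in ("any", p.proto)
                and (self.dport is None or self.dport == p.dport))


class PacketFilter:
    def __init__(self, internal_net: str, static_rules: list):
        self.internal_net = ipaddress.ip_network(internal_net)
        self.static_rules = static_rules   # unchanging statements, first match wins
        self.blocked_sources = set()       # dynamic rule set, populated from IDS alerts

    def ids_block(self, src_ip: str) -> None:
        """An IDS alert on malicious activity adds the offending source to the dynamic set."""
        self.blocked_sources.add(ipaddress.ip_address(src_ip))

    def decide(self, p: Packet) -> tuple:
        src, dst = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
        # Basic header validity: inbound traffic must be addressed to an internal host and
        # must not claim an internal source; outbound traffic must originate inside.
        if p.direction == "in" and (dst not in self.internal_net or src in self.internal_net):
            return "drop", "invalid addresses for inbound packet"
        if p.direction == "out" and src not in self.internal_net:
            return "drop", "outbound packet without internal source"
        if src in self.blocked_sources:
            return "drop", "source blocked by dynamic rule (IDS)"
        for rule in self.static_rules:
            if rule.matches(p):
                verdict = "allow" if rule.action == "allow" else "drop"
                return verdict, f"static rule: {rule.action} {rule.proto} dport={rule.dport}"
        return "drop", "default deny"   # anything the policy does not permit is dropped


def build_demo_filter() -> PacketFilter:
    """Constructed policy: public HTTPS to the web server 10.54.40.29, outbound HTTPS and DNS only."""
    rules = [
        Rule("allow", "in", dst="10.54.40.29/32", proto="tcp", dport=443),
        Rule("allow", "out", proto="tcp", dport=443),
        Rule("allow", "out", proto="udp", dport=53),
    ]
    return PacketFilter("10.54.40.0/24", rules)


if __name__ == "__main__":
    fw = build_demo_filter()
    for pkt in [Packet("203.0.113.7", "10.54.40.29", "tcp", 443, "in"),
                Packet("203.0.113.7", "10.54.40.29", "tcp", 23, "in"),
                Packet("10.54.40.5", "10.54.40.29", "tcp", 443, "in")]:
        print(pkt.src, "->", pkt.dst, pkt.proto, pkt.dport, fw.decide(pkt))
    fw.ids_block("203.0.113.7")   # the IDS has reported this source as malicious
    print(fw.decide(Packet("203.0.113.7", "10.54.40.29", "tcp", 443, "in")))
```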
Slide 22
Proxy Server Firewalls
• Essentially, they rewrite packet headers to substitute the IP of the proxy server for
the IP of the internal machine and forward packets to and from the internal and
external machines. Due to that limited capability, proxy servers are commonly
employed behind other firewall devices.
• Proxy servers provide another layer of access control by segregating the flow of
Internet traffic to support additional authentication and logging capability, as well as
content filtering.
Slide 23
Application-Level Firewalls
• The application-level firewall can provide additional screening of the packet payload for commands, protocols, packet length, authorization, content, or invalid headers.
• Application level firewalls provide the strongest level of security, but are slower and
require greater expertise to administer properly.
Slide 24
Firewall Services and Configuration
Slide 25
Firewall Services and Configuration cont’d
Slide 26
Firewall Policy
• A firewall policy states management’s expectations for how the firewall should
function and is a component of the overall security policy.
• It should establish rules for traffic coming into and going out of the security
domain and how the firewall will be managed and updated.
• Therefore, it is a type of security policy for the firewall and forms the basis for
the firewall rules.
• The firewall selection and the firewall policy should stem from the ongoing
security risk assessment process.
Slide 27
Firewall Policy - Contd
Slide 28
Intrusion Detection System
An IDS analyzes and identifies attempts to hack or break into a computer system.
• Identifies attacks through various methods including
- anomaly detection
- signature matching
• Types
- Host IDS
- Network IDS
IPS
• Inline device
• Single box approach
• False Positive
Types of IDS
Slide 30
Positioning of IDS / IPS
Diagram: a network IDS placed on the DMZ segment behind the Internet router; an IPS placed inline between the firewall and the WWW server.
Network Intrusion Prevention Systems
Network Intrusion Prevention Systems (NIPS) are an access control mechanism that allows or disallows access based on an analysis of packet headers and packet payloads.
They are similar to firewalls because they are located inline in the communications path, compare activity to preconfigured or preprogrammed decisions about which packets to pass or drop, and respond with pre-configured actions.
Slide 32
Network Intrusion Prevention Systems (contd)
The IPS units generally detect security events in a manner similar to IDS units and are
subject to the same limitations.
After detection, however, the IPS unit may take actions beyond simple alerting to
potential malicious activity and logging of packets.
For example, the IPS unit may block traffic flows from the offending host. The ability to
sever communications can be useful when the activity can clearly be identified as
malicious.
When the activity cannot be clearly identified, for example where a false positive may
exist, IDS-like alerting commonly is preferable to blocking.
Slide 33
IPS basics
Slide 34
Intrusion Detection - Definition
The two processes are related in a sense that while intrusion detection passively
detects system intrusions, intrusion prevention actively filters network traffic to prevent
intrusion attempts.
Slide 35
What can an IPS do?
Slide 36
Functions of IDS
Slide 37
IDS Working Procedures
Types of IDS
- Host Based IDS
- Network Based IDS
- Hybrid Intrusion Detection
- Network-Node Intrusion Detection (NNID)
Slide 38
Host-based Intrusion Detection Systems
Slide 39
HIDS Advantages
Slide 40
Network IDS
Network intrusion detection deals with data packets flowing through the wire between
the hosts.
Also referred to as “packet sniffers,” NID devices intercept packets traveling along various communication media and protocols, usually TCP/IP.
Network Based IDS Advantages-
- Increase overall security
- Protect multiple systems
- Allow monitoring traffic inside your firewall
- Alert you to incoming attacks
- Detect slow attacks
- Delayed analysis
- Take corrective action
Slide 41
Hybrid Intrusion Detection
Slide 42
Network-node Intrusion Detection
Slide 43
Quarantine
Slide 44
Routers
Slide 45
Router - Access Mechanism for Administrators
Slide 46
Router - Secure Remote Management Access
The router that needs to be managed is often remote from the administrator and accessible only over public networks.
To secure the management traffic between client/administrator and target network
device, encrypting protocols are required.
• SSH is the de-facto standard for all remote command line configurations and file
transfers.
• For Web-based management, using Secure Socket Layer (SSL) or Transport Layer
Security (TLS) secures HTTP traffic.
• SNMP is used to discover, monitor and configure networking devices. The secure
implementation of SNMP version 3 is essential to ensure confidential and
authenticated communications.
Slide 47
Router - Secure Remote Management Access (cont’d)
• The best way to control the identity of the administrator and the privileges
allocated to that individual is to authenticate an administrator prior to granting
access.
• This can be done through Authentication, Authorization and Accounting (AAA)
servers, such as Remote Authentication Dial-in User Service (RADIUS),
Terminal Access Controller Access Control System (TACACS) or Lightweight
Directory Access Protocol (LDAP) directory servers.
• AAA servers can also be supplemented by strong authentication techniques.
Slide 48
AAA Components
AAA server
- Authenticates users accessing a device or network
- Authorizes user to perform specific activities
- Performs accounting of device or user activities
RADIUS or TACACS+
- Protocols that can be used by an access device to communicate with
the AAA server
Diagram (AAA network components): supplicant, authenticator, AAA server and its user database.
Slide 52
Traditional Connectivity
• Secured networks.
• Scalability
Remote Access Virtual Private Network
• Two connections – one is made to the Internet and the second is made to
the VPN.
• Datagrams – contains data, destination and source information.
• Firewalls – VPNs allow authorized users to pass through the firewalls.
• Protocols – protocols create the VPN tunnels.
Four Critical Functions
• Authentication – validates that the data was sent from the sender.
• Access control – limiting unauthorized users from accessing the network.
• Confidentiality – preventing the data to be read or copied as the data is
being transported.
• Data Integrity – ensuring that the data has not been altered
Diagram: encryption of the original datagram before it is carried through the VPN tunnel.
• The most common transmission routes for viruses and worms are through email
and Web traffic.
• In addition, the growing volume of unsolicited email (spam) and inappropriate Web
surfing poses risks to corporate security, liability, and employee productivity.
• Effective security at every network tier—especially virus protection at the Internet
gateway—is essential in today’s Internet-enabled network environments.
• Gateway Solution provides multi-layered protection against viruses, spam, and
unwanted email and Web content at the Internet gateway.
Slide 62
Managing Enterprise Network
Security
Slide 63
What are Network Monitoring Tools?
Slide 64
Network Management: Why is it needed
• Lowers costs by eliminating the need for many administrators at multiple locations
performing the same function
• Makes network administration and monitoring easier and more convenient
• Coherent presentation of data
Slide 65
Network Management: Why is it needed cont’d
Slide 66
What can we use the tools for?
Slide 67
Who? What? Where? How? When?.. Some questions you need to know
Who is accessing your network?
- students, academics, staff, visitors or others
What are they accessing your network for?
- academic study, social use, business use, illegal use
Where are they accessing your network from?
- internal, external
How are they accessing your network?
- remote user, local Ethernet, WAN, dial-up, Wi-Fi, VPN
When did they access your network?
- today, yesterday, last week, last month…
Slide 68
Active vs. Passive
• Active – relies upon data gathered from probe packets injected into the network.
Slide 69
Thank you
Course: Information Security Management
in e-Governance
Day 2
End users are typically employees who have access to and use
technology to perform a particular role or function within the
organization. They typically:
• Use technology that has been provided locally (e.g. finance software, USB memory
sticks and mobile broadband cards)
• Configure their own desktop PCs and laptops (including the operating system)
• Make extensive use of the Internet for business and personal use
Slide 3
Defining end users - Characteristics
The level of technical skill, access to information and security awareness end
users have also varies with individuals being:
Temporary staff (i.e. non-employees that perform a specific role for a short period of time).
Slide 4
Some of the Information assets at end user environment
Slide 5
Factors affecting how end user environments are managed
Slide 6
Technology at end user environment
Slide 7
Technology at end user environment cont’d
Slide 8
Technology – contd..
Slide 9
Information security risks in end user
environment
Slide 10
Risks associated with end user environment if not taken
care of…..
Information in end user environments is subject to many different threats that
can result in security incidents, with varying degrees of frequency and
magnitude.
Common examples of threats include:
Fraud (e.g. through modifying business information or creating false computer transactions /
records)
Theft of computer equipment, software and business information
Introduction of malware (e.g. viruses, spyware and worms)
Information leakage (e.g. when replying to emails, sending documents and participating in
teleconference calls)
Slide 11
Risks associated with end user environment if not taken
care of….. Cont’d
Social engineering attacks (e.g. by criminals that target employees to reveal confidential
business information)
Shoulder-surfing (e.g. unauthorized individuals looking over the shoulder of people who
are processing confidential information on the screen or reading confidential paperwork).
Slide 12
Challenges at end user environment
Slide 13
Impact of information security risks
Slide 14
Security Compromise : Outcome
− Theft and fraud
− Loss of confidentiality
− Loss of privacy
− Loss of integrity
− Loss of availability
Slide 15
Approach for securing end user
computing infrastructure
Slide 16
Establish a security-positive culture in the end user
environment
Ideal security measures:
• Set objectives for security awareness in the end user environment
• Make end users aware of information risks
• Provide end users with actions for protecting critical and confidential information
• Monitor the behavior and security-related actions of end users
Threats and vulnerabilities addressed:
• Human error
• Information leakage
• Loss of equipment containing confidential information
• Insider threat
• Tendency to share business information with unauthorized parties
• Poor security behaviour
Slide 17
Establish a security-positive culture in the end user
environment
• Make end users aware (e.g. as part of security awareness) that they are
responsible for protecting business information they process, store and
transmit.
• Look for end user behavior that does not meet security requirements,
often identified during security monitoring activities (e.g. non-compliance).
Slide 18
Establish a security-positive culture in the end user
environment (cont’d)
Perform security monitoring of the end user environment, using a range of
techniques (e.g. to help determine if policy is being complied with and awareness
objectives are being adequately met).
• Performing ad hoc end user-based security assessments within the end user
environment to determine the level of information protection provided by end
users
Slide 19
Information Protection Policy Measures…..
Slide 20
Information Protection Policy Measures…..
Slide 21
Business applications Protection Policy Measures…..
Slide 22
Equipment Protection Policy Measures…..
Slide 23
Connectivity Protection Policy Measures…..
Slide 24
Locations Protection Policy Measures…..
Slide 25
Implement measures to protect critical and confidential
information
Ideal security measures:
• Determine the security measures required to protect each stage of the information lifecycle
• Apply manual controls for information handling
Threats and vulnerabilities addressed:
• Information leakage
• Excessive privileges and access rights
• Disclosure or theft of confidential information
• Corruption of information
• Information located beyond the control of the organization
• Excess of confidential information that has not been classified
Slide 26
Implement measures to protect critical and confidential
information
Create
• Label information according to its level of classification (as indicated in the
organization's information classification scheme)
• Record key properties (e.g. information owner and level of classification)
within electronic documents (e.g. properties) and in an information
classification inventory (or equivalent)
Slide 27
Implement measures to protect critical and confidential
information..cont’d
Process
• Use validation routines in applications to help ensure critical information
remains accurate (e.g. using data type checks, range checks, limit checks
and presence checks)
• Process information in secure locations (e.g. offices with locked doors and
access limited to specific individuals) to avoid unauthorized access to, or
viewing of, confidential information
• Perform regular backups (e.g. by regularly saving electronic documents
and configuring auto-save) to ensure critical information remains available
at all times
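The validation routines the slide names (data type, range, limit and presence checks) as an added, runnable example; it is not part of the course material. The record layout, field types, bounds and the approved district list are assumptions constructed for illustration.

```python
"""Validation routines for a critical record (added example, not from the course slides).

Runs the four checks the slide names - presence, data type, range and limit - over a
constructed, hypothetical e-Governance record (a land-transfer entry). Field names,
types, bounds and the approved district list are assumptions made for illustration.
"""
from datetime import date

# Assumed schema: field -> (accepted Python types, numeric (low, high) bounds or None)
SCHEMA = {
    "transaction_id":   ((int,), (1, 999_999_999)),          # range: positive, at most 9 digits
    "district_code":    ((str,), None),                       # checked against an approved list below
    "area_sqm":         ((int, float), (0.01, 1_000_000.0)),  # range: plausible parcel size
    "amount_inr":       ((int, float), (0.0, None)),          # range: non-negative, no upper bound
    "transaction_date": ((date,), None),                      # limit: must not be in the future
}
ALLOWED_DISTRICTS = {"AP-01", "AP-02", "KA-07"}   # constructed approved codes (limit check)


def _present(record, field):
    return record.get(field) not in (None, "")


def check_presence(record):
    """Presence check: every mandatory field exists and is not blank."""
    return [f"{f}: missing" for f in SCHEMA if not _present(record, f)]


def check_type(record):
    """Data type check: each supplied value has the type the application expects."""
    errors = []
    for field, (types, _) in SCHEMA.items():
        if not _present(record, field):
            continue
        value = record[field]
        # bool is a subclass of int, so reject it explicitly for numeric fields
        if isinstance(value, bool) or not isinstance(value, types):
            expected = "/".join(t.__name__ for t in types)
            errors.append(f"{field}: expected {expected}, got {type(value).__name__}")
    return errors


def check_range(record):
    """Range check: numeric values fall inside the configured bounds."""
    errors = []
    for field, (_, bounds) in SCHEMA.items():
        if bounds is None or not _present(record, field):
            continue
        value = record[field]
        if isinstance(value, bool) or not isinstance(value, (int, float)):
            continue  # a wrong type is already reported by check_type
        low, high = bounds
        if (low is not None and value < low) or (high is not None and value > high):
            errors.append(f"{field}: {value} outside [{low}, {high}]")
    return errors


def check_limits(record, as_of=None):
    """Limit check: values must satisfy business rules beyond simple numeric bounds."""
    as_of = as_of or date.today()
    errors = []
    code = record.get("district_code")
    if isinstance(code, str) and code not in ALLOWED_DISTRICTS:
        errors.append(f"district_code: {code!r} is not an approved district")
    when = record.get("transaction_date")
    if isinstance(when, date) and when > as_of:
        errors.append("transaction_date: cannot be later than the processing date")
    return errors


def validate(record, as_of=None):
    """Run all four routines; an empty list means the record may be processed."""
    return (check_presence(record) + check_type(record)
            + check_range(record) + check_limits(record, as_of))


# Constructed sample records
VALID_RECORD = {
    "transaction_id": 48211, "district_code": "KA-07", "area_sqm": 250.5,
    "amount_inr": 1_250_000, "transaction_date": date(2011, 3, 15),
}
BAD_RECORD = {                                  # amount_inr omitted on purpose
    "transaction_id": "48211", "district_code": "ZZ-99", "area_sqm": -5.0,
    "transaction_date": date(2999, 1, 1),
}

if __name__ == "__main__":
    for problem in validate(BAD_RECORD):
        print(problem)
```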
Slide 28
Implement measures to protect critical and confidential
information..cont’d
Transmit
• Use secure web browser sessions (e.g. using SSL or TLS) where
possible
Slide 29
Implement measures to protect critical and confidential
information..cont’d
Store
Slide 30
Implement measures to protect critical and confidential
information..cont’d
Destroy
• Destroy business information when it is no longer required (eg according to
the organisation’s document retention policy or equivalent)
Slide 31
Implement measures to protect critical and confidential
information..cont’d
Slide 32
Deploy and protect approved end user equipment
Ideal security measures:
• Acquire and use only approved equipment
• Apply software controls to endpoint devices
• Protect equipment against theft or loss
• Monitor the protective measures associated with equipment
Threats and vulnerabilities addressed:
• Loss of availability of critical information
• Theft or loss of equipment
• Introduction of malware
• Poor practices around use of portable storage devices and hand-held devices
• Introduction of personally-owned equipment
Slide 33
Deploy and protect approved end user equipment
• Comply with corporate policy covering the acquisition and use of equipment
to help ensure only suitable equipment is purchased and used within the end
user environment.
• Provide standard builds for corporate-issued equipment (eg devices that use
the identical hardware setup, the same type and version of operating system
and software and are configured the same)
Slide 34
Deploy and protect approved end user equipment (Contd)
Slide 35
Develop and use desktop applications in a secure manner
Ideal security measures:
• Maintain an inventory of critical desktop applications in the end user environment
• Implement a system development methodology for desktop applications
• Review the development and use of desktop applications
Threats and vulnerabilities addressed:
• Application failure
• Corruption of information in critical desktop applications
• Lack of an inventory for critical desktop applications
• No system development methodology for critical desktop applications
Slide 36
Develop and use desktop applications in a secure manner
(contd)
• Create an inventory of all critical desktop applications used in the end user
environment.
Slide 37
Develop and use desktop applications in a secure manner
(contd)
• Segregate the roles associated with the development and use of critical
desktop applications (to help reduce the likelihood of software bugs,
human error and fraud)
• Comply with corporate policy for developing and using critical desktop
applications (including the use of guidance and checklists).
• Review and test critical desktop applications to verify that standards for
their development and use have been followed
Slide 38
Develop and use desktop applications in a secure manner
(contd)
Slide 39
Restrict and monitor network connectivity
Ideal security measures:
• Provide guidance on the use of network connectivity
• Restrict the use of network connectivity in the end user environment
• Protect network and telephony-based connectivity techniques
• Monitor network traffic and connectivity
Threats and vulnerabilities addressed:
• Unauthorized access to network equipment and networks
• Cracking of wireless encryption keys
• Eavesdropping of network communications
• Unavailability of network connections
Slide 40
Restrict and monitor network connectivity (contd..)
Comply with corporate policy (eg acceptable usage policies) for using
network connectivity (including the use of guidance and checklists) in the
end user environment.
Slide 41
Restrict and monitor network connectivity (contd..)
Restrict the number of network connection points accessible within the end
user environment, for example by:
− keeping rooms with network access points locked
− connecting only the physical cables on network equipment (eg routers,
switches and modems) that are required by equipment in the end user
environment, and disconnecting them when no longer required
− concealing network cabling (eg to prevent tampering and unauthorised
connection to the network).
Slide 42
Restrict and monitor network connectivity (contd..)
Slide 43
Protect physical end user locations
Slide 44
Protect physical end user locations (contd..)
Comply with corporate policy (eg an approved ‘clear desk policy’), standards
and procedures for protecting physical locations covering the end user
environment.
Slide 45
Protect physical end user locations (contd)
Slide 46
Protect physical end user locations (contd)
Slide 47
Protect physical end user locations (contd)
Slide 48
Thank you
Slide 49
Course: Information Security Management
in e-Governance
Day 2
Slide 2
Physical Security: so what do you check ?
Slide 3
Physical Security: so what do you check ?
• Fire: Are there adequate fire precautions in the facility, including detectors,
alarm systems etc.?
• Are all the areas kept free of combustible material?
• Is all fire prevention and fire-fighting equipment regularly serviced and
checked by its manufacturers?
• Have the risks from storms and other natural disasters been evaluated and catered
for?
Slide 4
Physical and Environmental Security
Slide 5
Importance of Physical Security
Slide 6
Physical Security Baseline Definitions
• ISO 27001 role of physical security – Protect the organization’s assets by properly choosing a
facility location, maintaining a security perimeter, implementing access control and protecting
equipment.
• The physical security office is usually responsible for developing and enforcing appropriate
physical security controls, in consultation with the computer security management, program
and functional managers, and others, as appropriate. Physical security should address not
only central computer installations, but also backup facilities and office environments.
• In the government, this office is often responsible for the processing of personnel background
checks and security clearances.
• What is the impact of convergence (merging IT security and physical security) on this role and
how does it play into the responsibilities for physical security risk assessments and action
plans?
Slide 8
Understand risks surrounding physical
and environmental eco system
Slide 9
Physical Security Threats
• Weather
  • Tornadoes, hurricanes, floods, fire, snow, ice, heat, cold, humidity, etc.
• Fire/chemical
  • Explosions, toxic waste/gases, smoke, fire
• Earth movement
  • Earthquakes, mudslides
• Structural failure
  • Building collapse because of snow or moving objects (cars, trucks, airplanes,
  etc.)
Slide 10
Physical Security Threats (cont’d.)
• Energy
  • Loss of power, radiation, magnetic wave interference, etc.
• Biological
  • Virus, bacteria, etc.
• Human
  • Strikes, theft, sabotage, terrorism and war
Slide 11
Impact to the business due to these
risks
Slide 12
Physical Security Compromise : Outcome
Slide 13
Approach to Managing physical and
environmental security
Slide 14
If someone really wants to get at the information, it is not difficult if
they can gain physical access to the computer or the physical
Infrastructure !!!
Slide 15
Physical Security Planning
Physical security planning must address:
- Crime and disruption protection through deterrence (fences, security
guards, warning signs, etc.)
Slide 16
Physical and Environmental Security Policy –
Policy Sections
• Visitors and third parties should be allowed entry to computer and
communication rooms only for authorised and specific purposes.
• The date and time of entry and departure of visitors and third parties and the
purpose of visit should be recorded in a visitor’s log.
• The date and time of entry and departure and the purpose of entry of authorised
personnel (including employees of outsourcing agencies) outside normal business
hours or assigned hours of work should be recorded in a log.
Physical Security Standards
Identification Badges
Reconciliation of badges
issued to visitors and third
parties should be done at the
end of each day.
Physical Security Standards
Identification Badges
All information storage media (e.g. hard disks, floppy disks, magnetic
tapes and CD-ROMs) containing sensitive or confidential data should
be physically secured, when not in use.
Any storage media (floppy drives, CDs, DAT tapes) should not be
allowed out of Government premises without adequate clearances
from HODs/Security Officers.
Physical Security - Standards
Offsite Facilities
Security Instructions
• Long term contractors, consultants and business associates should be
issued instructions on the security requirements of the site.
Security Inspections
• Security inspections should be made regularly. The inspection should
cover functionality and administration.
Physical Security Standards
Major Data Centres
• The following physical security controls should be followed for major data
centres in addition to the standards mentioned above:
• The electronic door locks should support anti pass back mechanism (i.e.
disallow entry for more than one time, unless an exit is recorded in the
system), remote locking and unlocking.
• Access to the security software, which validates and records the ‘swipes’
or electronic card access, should be restricted to authorised individuals.
Physical Security Standards
Major Data Centres
• The Data center and access within the facility should be monitored 24 hours a
day through the use of people manning the center, CCTV and alarm systems.
The cameras should be located at strategic points.
• Electronic access cards should be personal. In case if an electronic access card is lost
or stolen, the concerned staff should immediately report to the Chief Information Officer
or the Data Centre In-charge.
• The electronic access card, which has been reported lost, should be deactivated within
12 hours.
• The original electronic access card should be taken back wherever possible (e.g.
broken, damaged cards) while issuing a duplicate card.
• The expiration period of electronic access cards issued to long-time third parties
(e.g. employees of outsourcing agencies) should coincide with the end of the
contract period.
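The electronic access card controls in the two Major Data Centres standards above (anti-passback, lost-card deactivation within 12 hours, expiry at contract end, restricted and recorded swipes) as an added example that is not part of the course material. Card identifiers, holders, timestamps and the event format are constructed for illustration; the deactivation check is a compliance report a security officer could run against the badge system's records.

```python
"""Badge-access event checker for a data centre (added example, not from the slides).

Models the card controls the standards above call for: anti-passback (no second entry
until an exit is recorded), expiry of third-party cards at the contract end, refusal of
deactivated cards, and a compliance check that flags cards reported lost more than
12 hours ago that are still active. Card IDs, holders and timestamps are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

DEACTIVATION_DEADLINE = timedelta(hours=12)   # from the standard: deactivate within 12 hours


@dataclass
class Card:
    card_id: str
    holder: str
    expires: datetime                       # third parties: end of the contract period
    lost_reported_at: Optional[datetime] = None
    active: bool = True


@dataclass
class AccessSystem:
    cards: Dict[str, Card]
    inside: Set[str] = field(default_factory=set)                 # cards currently inside
    log: List[Tuple[datetime, str, str, str]] = field(default_factory=list)

    def swipe(self, card_id: str, direction: str, when: datetime) -> bool:
        """Decide one swipe ('in' or 'out'); every decision is logged for audit."""
        card = self.cards.get(card_id)
        if direction not in ("in", "out"):
            decision = "DENY: invalid direction"
        elif card is None:
            decision = "DENY: unknown card"
        elif not card.active:
            decision = "DENY: card deactivated"
        elif when >= card.expires:
            decision = "DENY: card expired"
        elif direction == "in" and card_id in self.inside:
            decision = "DENY: anti-passback, no exit recorded since last entry"
        elif direction == "out" and card_id not in self.inside:
            decision = "DENY: anti-passback, no entry recorded"
        else:
            decision = "ALLOW"
            if direction == "in":
                self.inside.add(card_id)
            else:
                self.inside.discard(card_id)
        self.log.append((when, card_id, direction, decision))
        return decision == "ALLOW"

    def report_lost(self, card_id: str, when: datetime) -> None:
        self.cards[card_id].lost_reported_at = when

    def deactivate(self, card_id: str) -> None:
        self.cards[card_id].active = False

    def overdue_deactivations(self, now: datetime) -> List[str]:
        """Cards reported lost at least 12 hours ago and still active: a standards breach."""
        return sorted(c.card_id for c in self.cards.values()
                      if c.active and c.lost_reported_at is not None
                      and now - c.lost_reported_at >= DEACTIVATION_DEADLINE)


def build_demo_system() -> AccessSystem:
    """Constructed cards: two staff cards and one outsourcing-agency card tied to a contract."""
    return AccessSystem(cards={
        "C-1001": Card("C-1001", "staff A", datetime(2020, 1, 1)),
        "C-1002": Card("C-1002", "staff B", datetime(2020, 1, 1)),
        "C-2001": Card("C-2001", "vendor X", datetime(2012, 12, 31)),  # contract end date
    })


def run_demo() -> dict:
    """Replay a constructed sequence of swipes and return the decisions for inspection."""
    acs = build_demo_system()
    t0 = datetime(2012, 6, 1, 9, 0)

    def at(hours: float) -> datetime:
        return t0 + timedelta(hours=hours)

    results = {
        "first_entry": acs.swipe("C-1001", "in", at(0)),          # allowed
        "tailgate_entry": acs.swipe("C-1001", "in", at(0.1)),     # denied: anti-passback
        "exit": acs.swipe("C-1001", "out", at(1)),                # allowed
        "re_entry": acs.swipe("C-1001", "in", at(2)),             # allowed: exit was recorded
        "expired_vendor": acs.swipe("C-2001", "in", datetime(2013, 1, 2, 8, 0)),  # denied
    }
    acs.report_lost("C-1002", at(0))
    results["overdue_at_13h"] = acs.overdue_deactivations(at(13))  # C-1002 still active
    acs.deactivate("C-1002")
    results["lost_card_entry"] = acs.swipe("C-1002", "in", at(14))  # denied: deactivated
    results["overdue_at_14h"] = acs.overdue_deactivations(at(14))  # nothing outstanding
    results["log_entries"] = len(acs.log)
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```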
CCTVs
Slide 32
Environmental Security
• The most serious threat to the safety of the people who work in the
organization is the possibility of fire
• Fires account for more property damage, personal injury, and death
than any other threat
Slide 34
Environmental Security – sections: Fire Safety; Fire Detection and Response;
Floods, Cyclones and Water Damage; Major Data Centers
Slide 35
Fire Detection
Part of a complete fire safety program includes individuals that monitor the
chaos of a fire evacuation to prevent an attacker accessing offices
There are three basic types of fire detection systems: thermal detection,
smoke detection, and flame detection
• Smoke detectors operate in one of three ways: photoelectric, ionization,
and air-aspirating
Slide 36
Slide 37
Water Sprinkler System
Slide 38
Gaseous Emission Systems
Slide 39
Environmental Security
• All computer systems should be moved away from windows or glass doors when a
cyclone approaches, even if the windows or doors are covered.
• All computer systems should be located on a small interior room on the first floor in
cyclone prone areas. This should ensure least impact of winds and floods.
• All server rooms should be housed in an environment equipped with moisture detectors.
• Computer and communication rooms should not be located in areas susceptible to water
seepage and flooding like the basement.
• Computer and communication rooms should be located in raised or elevated floors in flood
prone areas.
• Electrical equipment, which may have received water damage, should be checked and dried
before being returned to service.
Environmental Security – Major Data Centres
• The following environmental controls should be followed for major data centres and for
critical systems in addition to the standards mentioned above:
• Automatic fire suppression system, in combination with fire alarms, should be installed.
• Smoke detectors should be placed above and below the ceiling tiles. The detectors should
produce an audible alarm when activated.
• The surrounding walls should be non-combustible and resistant to fire for at least 60 minutes.
All openings to these walls (doors, ventilation ducts, etc.) should be likewise rated at least 60
minutes.
• Curtains, desks, cabinets and other general office materials in the data centre should be fire
resistant.
• Double doors
• Data centres should be located on an interior room on the first floor in cyclone prone areas. This
should ensure least impact of winds and floods.
• Information processing facilities should be equipped with water or moisture detectors. The
detectors should produce an audible alarm, when activated.
• Data centres should be located in raised or elevated floors in flood prone areas.
Power Supplies
Slide 46
Uninterruptible Power Supplies (UPSs)
The true online UPS works in the opposite fashion to a standby UPS
since the primary power source is the battery, with the power feed
from the utility constantly recharging the batteries
• this model allows constant feed to the system, while completely
eliminating power quality problems
Slide 47
Emergency Shutoff
• Most computer rooms and wiring closets are equipped with an emergency
power shutoff, which is usually a large red button, prominently placed to
facilitate access, with an accident-proof cover to prevent unintentional use
Slide 48
Power Supplies
Power-off Switches
The following controls should be followed for major data centres and for time-
sensitive systems
The following controls should be followed for major data centres and for
sensitive or critical systems
- Installation of armoured conduit and locked rooms or boxes at inspection and
termination points
- Use of alternate routings or transmission media
Physical Security of Laptops
Policy Statement
• The physical security of laptops, as well as the security of the data
residing in these systems, should be ensured.
Responsibility
• Employees to whom laptop computers are issued should be
responsible for its safe custody.
Physical Security Controls
- All laptops should have a ‘power-on’ password.
- Laptops should not be left on the desk, in the work area or in any other
visible location overnight. They should be locked in a secure area at the end
of the workday.
• Laptops should be locked inside luggage and kept out of sight, when left in
hotel rooms.
• The concerned staff should file a police report immediately in the event a
laptop is stolen. The staff should also notify the Systems Security
Administrator and the Head of Department within one business day of the
theft.
Additional Devices
• Any removable media devices, such as CD Writers, Zip drives and Tape
drives, should not be added to individual laptops unless authorised by the
Head of Department.
A clear desk and a clear screen policy for information processing facilities
should be adopted.
• Computer terminals and printers should not be left logged on, when unattended.
• Key locks, power-on and screensaver passwords, or other controls should be used
to protect them when not in use.
• Computer media should be stored in suitable locked cabinets when not in use,
especially after working hours.
• Incoming and outgoing mail points and unattended fax and telex machines should
be protected from unauthorised use outside normal working hours.
• Photocopiers should be locked or protected from unauthorised use outside normal
working hours.
• ‘Top Secret’, ‘Secret’ and ‘Confidential’ information and storage media should be
locked (ideally in a fire-resistant safe or cabinet) when not required.
And finally……………….. Back Up your System
Day 2
• Poor security can lead to an inability to function and loss of data, higher
cost to fix and recover data, disruption to government operations, and
damage to reputation.
Slide 3
Security Policy contd..
Slide 4
A well defined Security Policy will help government organizations
Slide 5
A well defined Security Policy will help government organizations
contd..
Slide 6
Information security policies
• Lays down the rules through which people are given access to an
organization’s technology, system and information assets.
Slide 7
Information security policies contd..
• Security policies define the overall security and risk control objectives that
an organization endorses
• Set of detailed rules as to what is allowed on the system and what is not
allowed.
• The security policy defines what business and security goals and
objectives management desires, but not how these solutions are
engineered and implemented.
Slide 8
Purposes of a Security Policy
Slide 9
Security Principles
Slide 10
The principles for security policies are based upon the following
goals:
Slide 11
Security Policy Goals
Slide 12
The policy deals with the following domains of security
Slide 13
Types of information security policy documents
Slide 14
Elements of an information security policy document
Slide 15
Policy Hierarchy
Slide 16
Characteristics of good security policies
• They must clearly define the areas of responsibility for the users,
administrators, and management.
Slide 17
Policy Flexibility
• In order for a security policy to be viable for the long term, a security
policy should be independent of specific hardware and software
decisions, as specific systems choices change rapidly.
• This includes the process, the people involved, and the people who must
sign-off on the changes.
Slide 18
Security Policy Communication
Slide 19
Policy Management
Slide 20
Relationship to Standards and Procedures
• These must ensure that all operations are consistent with the intent of the
security policies.
Slide 21
Relationship to Standards and Procedures
Slide 22
Security Policy Structure
The basic structure of a security policy should contain the following components:
• A statement of the issue that policy addresses.
• A statement about your position on the policy.
• How the policy applies in the environment.
• The roles and responsibilities of those affected by the policy.
• What level of compliance to the policy is necessary.
• What actions, activities and processes are allowed and which are not.
• What are the consequences of non-compliance.
Slide 23
Roles and Responsibilities
The development of security policies is predicated upon the participation of various
organizations.
• Business management
• Technical management
• Data security
• Risk management
• Systems operations
• Application development
• Network engineering
• Systems administration
• Internal audit
• Legal
• Human resources
Slide 24
Recommended Development Method
The following provides an outline of the tasks used to develop security policies
• All responsible organizations and stakeholders are identified and their roles,
obligations and tasks detailed.
− It is important to understand how your organization is structured, who will be
the responsible owner of the security policy and also who will function as its
custodian.
− Critical to obtain the appropriate level of consensus to ensure that the security
policy properly reflects the issues, concerns, requirements, goals, and
objectives for your organization.
− Representation should be as broad as practical but at a minimum include:
data security, legal, human resources, internal audit, operations, and
development organizations.
Slide 25
Recommended Development Method (contd..)
Slide 26
Recommended Development Method (contd..)
Slide 27
Recommended Development Method (contd..)
All applicable data and processing resources are identified and classified.
• For that reason, cataloging your data and processing resources enables
you to more easily make qualified and informed decisions about their use
and value.
• This then enables you to later apply the most cost effective controls on
those assets.
Slide 28
Recommended Development Method (contd..)
A data flow analysis is performed for the primary data classifications, from
generation through deletion.
• The purpose of a data flow analysis is to allow you to identify all of the
trust points that touch your data.
• By tracing the flow of your data assets through your processing assets,
you can later determine the type and placement of logical and physical
controls to protect those assets.
Slide 29
Recommended Development Method (contd..)
The primary threats that can reasonably be expected in one’s environment are
outlined.
• The development of a threat profile enables you to decide what type of threats
exist in your particular environment, what the probability is of a threat manifesting
itself into an actual problem, and what the ramifications, costs and consequences
are of those threats being realized.
Slide 30
Recommended Development Method (contd..)
• After your data and processing assets are identified and a threat profile
created, the next step is to determine what general security services
would be appropriate in your environment.
• These security services are high-level and can include for example:
accountability, authorization, availability, identification, authentication,
confidentiality, integrity, and non-repudiation.
• Knowing what security services your environment requires will drive the
selection of the types of security policies you will need as well as the
specific content or components of those policies.
Slide 31
Recommended Development Method (contd..)
• This step is used to articulate the specific topics that you consider
necessary for each security policy.
Slide 32
Recommended Development Method (contd..)
• The last step before actually drafting the security policies themselves is to
identify all of the security policy focus areas that must be addressed.
• The creation of this list is based upon the results of the above steps.
Slide 33
Security Policy Implementation
Once you’ve created your policy, you need to roll it out to your organization.
• Go through each policy and think about how it will be applied within the
organization.
• Make sure that the tools are in place to conform to the policy.
Slide 34
Security Policy Implementation contd..
• If a policy specifies that visitors must agree to the Acceptable Use Policy
before using the network, make sure that there is a process in place to
provide visitors with the Acceptable Use Policy.
Slide 35
Security Policy Implementation contd..
• A training session should be held to go over the specific policies that will
impact users, as well as provide basic information security awareness
training.
Slide 36
Security Policy Implementation contd..
• No matter how well thought out, no policy will be 100% applicable for
every scenario, and exceptions will need to be granted.
• It should be made clear from the outset that the policy is the official
standard, and an exception will only be granted when there is an
overwhelming business need to do so.
Slide 37
Policy Review
• After the security policy has been in place for some period of time, the
Organization’s information security controls should be audited against the
applicable policies.
• Make sure that each policy is both A) being followed, and B) still
appropriate to the situation.
Slide 38
Policy Review contd..
• Review should occur both at fixed intervals (e.g., once per year) and
when certain business changes occur (e.g., the organization opens a new
location).
• This will ensure that the policy does not get “stale” and will continue to be
a useful management tool for years to come
Slide 39
End of Session
Slide 40
Course: Information Security Management
in e-Governance
Day 2
• IT is becoming the key enabler for many government and public sector
organizations in achieving the business objectives
• Many organizations are moving towards mandatory electronic transactions
eliminating the manual working methods completely
• E.g. Ministry of Corporate Affairs (MCA21 Project)
• E-Procurement initiatives in Andhra Pradesh, Karnataka, DGS & D etc.
• Passport issuance…
• More and more information is stored electronically
• NeGP is driving IT incubation in all key government sectors/
departments…
Slide 3
Defining a Disaster
Slide 4
Defining a Disaster (contd..)
A disaster may impact in various ways that could affect the organisation’s ability
to carry on operations. For example, it may:
• not be able to operate from the affected site
• lose critical resources (systems, documents, data)
• lose ability to interact with citizens, businesses, employees, other
government agencies..
• not be able to service citizens etc.
Slide 5
Defining a Disaster (contd..)
Slide 6
The Cost/Impact of Disaster..
Legal/Regulatory: contractual requirements; SLAs; regulatory requirements;
compensatory payments
Revenue: direct loss; deferred losses; lost future revenue; billing losses;
investment losses
Productivity: loss of productivity; employees impacted
Reputation: customers; suppliers; business partners; etc.
Financial performance: revenue recognition; cash flow; payment guarantees
Other expenses: temporary employees; equipment rental; overtime; etc.
Disaster Recovery Planning
Slide 8
Objectives of Disaster Recovery Plan (DRP)
• Identify key individuals and define their roles and responsibilities in the process of
recovering after a disaster event
• Catalog probable resources and vendors that could assist in the recovery
process.
Slide 9
Examples of Events without and with a DR Plan
Event: server crash and data corruption
• Without a DR plan: several days to rebuild data from backup media
• With a DR plan: –
Event: hurricane etc.
• Without a DR plan: several days' outage
• With a DR plan: –
Slide 10
Examples of Events without and with a DR Plan
Slide 11
Dangerous Excuses for not implementing a Disaster Recovery Plan
Slide 12
Approach for Development of DRP
Step 2: Business Impact Analysis: Analyze the impact of identified risks to the
business
Step 5: Testing and Maintenance: Testing the validity of the plan and keeping
the plan updated in line with the changes in the IT environment
DRP Approach: Step 1 – Risk Assessment
Slide 16
DRP Approach: Step 1 – Risk Assessment
Illustrative Risks surrounding Business Data/Database systems
Slide 17
DRP Approach: Step 1 – Risk Assessment
Illustrative Risks surrounding Network, Computing and Security Infrastructure
(Diagram: Internet, Router, External firewall)
Slide 18
DRP Approach: Step 1 – Risk Assessment
Illustrative Risks surrounding Facilities and support infrastructure
• PC/Disk failure
• Theft of PCs/Laptops/Data
• Virus attacks
• Installation/usage of unlicensed software
• Printer/Scanner failure…
Slide 20
Risk Assessment – A continuous process
(Diagram: risk assessment cycle with Threat Assessment, Impact Assessment, Asset Value
Assessment, Vulnerability Assessment and Risk Assessment feeding Mitigation Options with
Cost/Benefit Analysis, the Risk Management Decision and Mitigation; Risk Assessment
Activities feed Risk Management.)
Slide 21
Phase II - Business Impact Analysis
• Provide basis for determining cost effective strategies for risk mitigation
Slide 22
Phase II BIA - Objectives
• Describe functions
• Suggest importance
• Describe resources
– System applications
– Business Dependencies
• Processing time frames
• Describe contributions
• Estimate impacts due to identified risks
• Describe recovery time frame priorities
Understanding RTO & RPO
• The Recovery Time Objective (RTO) for an application is the goal for how quickly that
application’s information must be available again after downtime has occurred.
• The Recovery Point Objective (RPO) for an application describes the point in time to which
data must be restored to successfully resume processing (often thought of as the time between
the last backup and when an “event” occurred)
(Timeline chart: service level over time. Events: scheduled backup taken, disaster strikes,
DRP invoked, normalcy restored. The RPO spans from the last backup to the disaster; the RTO
spans from the disaster to restored service.)
Slide 25
Understanding RTO & RPO
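As an added example (not from the course slides), the timeline above worked through in code: it computes the achieved RPO and RTO from the four events and checks them against each application's objectives. Application names, timestamps and objectives are constructed.

```python
"""RTO/RPO evaluation (added example, not from the course slides).

Walks the slide's timeline (scheduled backup taken -> disaster strikes -> DRP
invoked -> normalcy restored) and checks the achieved figures against each
application's objectives. All applications and timestamps are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Objectives:
    rpo: timedelta  # maximum tolerable data loss, expressed as a time window
    rto: timedelta  # maximum tolerable outage


@dataclass(frozen=True)
class Timeline:
    last_backup: datetime        # "Scheduled Back up taken"
    disaster: datetime           # "Disaster Strikes"
    drp_invoked: datetime        # "DRP invoked"
    normalcy_restored: datetime  # "Normalcy restored"

    def __post_init__(self):
        events = (self.last_backup, self.disaster, self.drp_invoked, self.normalcy_restored)
        if any(a > b for a, b in zip(events, events[1:])):
            raise ValueError("timeline events must be in chronological order")


def achieved_rpo(t: Timeline) -> timedelta:
    """Data-loss window: everything written between the last backup and the disaster is lost."""
    return t.disaster - t.last_backup


def achieved_rto(t: Timeline) -> timedelta:
    """Outage window: from the disaster until the service is back to normal."""
    return t.normalcy_restored - t.disaster


def evaluate(app: str, objectives: Objectives, t: Timeline) -> dict:
    """Compare the achieved figures for one application against its objectives."""
    rpo, rto = achieved_rpo(t), achieved_rto(t)
    return {
        "application": app,
        "achieved_rpo": rpo,
        "achieved_rto": rto,
        "rpo_met": rpo <= objectives.rpo,
        "rto_met": rto <= objectives.rto,
        # time spent deciding before the plan was invoked; it counts against the RTO
        "declaration_delay": t.drp_invoked - t.disaster,
    }


# Constructed sample: nightly backup at 02:00, outage in the afternoon.
SAMPLE_TIMELINE = Timeline(
    last_backup=datetime(2024, 3, 4, 2, 0),
    disaster=datetime(2024, 3, 4, 14, 30),
    drp_invoked=datetime(2024, 3, 4, 15, 0),
    normalcy_restored=datetime(2024, 3, 4, 17, 0),
)

# Constructed tiers: a citizen-facing portal versus an internal reporting system.
SAMPLE_OBJECTIVES = {
    "citizen-portal": Objectives(rpo=timedelta(hours=1), rto=timedelta(hours=4)),
    "internal-reports": Objectives(rpo=timedelta(hours=24), rto=timedelta(hours=72)),
}


def evaluate_all(objectives=SAMPLE_OBJECTIVES, timeline=SAMPLE_TIMELINE) -> list:
    """Evaluate every application against the same recovery timeline."""
    return [evaluate(app, obj, timeline) for app, obj in objectives.items()]


if __name__ == "__main__":
    for r in evaluate_all():
        print(f"{r['application']}: RPO {r['achieved_rpo']} ({'met' if r['rpo_met'] else 'MISSED'}), "
              f"RTO {r['achieved_rto']} ({'met' if r['rto_met'] else 'MISSED'})")
```

With a nightly backup the portal misses its one-hour RPO even though the RTO is met, which is the point of the slide: a 1-hour RPO forces a backup or replication interval of at most one hour.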
Slide 26
Phase - III: Strategy Selection
• Objective
Define the action items needed to best protect the organisation and to select the most
appropriate recovery solutions for IT systems supporting critical business functions.
• Key Activities
Strategy selection
Phase III Strategy Selection –
Range of Strategies for Risk Mitigation
We will discuss illustrative strategies available for the following components:
• Application Software
• Data Recovery and Protection
• IT Infrastructure – Networks, Computing and Storage infrastructure etc.
• Facilities
• End user environment..
Slide 28
Phase III Strategy Selection –
Range of Strategies for Risk Mitigation
Slide 29
Phase III Strategy Selection –
Range of Strategies for Risk Mitigation
Slide 30
Phase III Strategy Selection –
Range of Strategies for Risk Mitigation
Slide 32
Phase III Strategy Selection –
Range of Strategies for Risk Mitigation
Slide 33
Phase III Strategy Selection –
Range of Strategies for Risk Mitigation
Cold Site
• Has the basic environment (power, electric wiring, AC, flooring etc.)
• Ready to receive equipment but does not offer any components at the site in
advance
• Activation of the site may take several weeks
Warm Sites
• Partially configured with network connections & selected peripheral
equipment such as disk drives, tape drives and controllers, but without the
main computing infrastructure
• Sometimes equipped with a less powerful central processing unit
Slide 34
Phase III Strategy Selection –
Range of Strategies for Risk Mitigation
Hot site
• Fully configured and ready to be operated within a few hours
• Generally intended for emergency operations of a limited time period and not for
long extended use
• Components of the DR plan for network connectivity to a hot site over a public
switched network should address issues such as redundancy and maintaining
sufficient capacity on diverse paths for re-routing
Reciprocal arrangements
• Arrangement between two or more organizations that possess similar
facilities
Slide 35
User (workstation) Environment - Range of Strategies
Slide 36
Phase III Strategy Selection –
Range of Strategies for Risk Mitigation
Slide 37
Phase III Strategy Selection –
Cost vs Benefit Analysis of the Strategies - Example
(Chart: Cost versus Recovery time for Load balancing, Mirroring and Standard Vaulting.
Source: Gartner)
Slide 38
Phase III Strategy Selection –
Strategy Selection - Decision
• Alternatives are heavily dependent upon the identified recovery time
objectives
• The faster a function is required the more expensive the solution will
typically be
• Interdependencies need to be covered during the selection process
• Select the most appropriate recovery strategy
Phase IV: Plan Development
• DR Plan contains an integrated set of procedures and resource information that is used to
recover from an event that has caused a disruption to business operations
• It answers questions on responding to a disaster in terms of:
– Who
– What
– When
– Where
– Why
– How
• Plans Contain
– Each failure scenario has one or more approved alternatives
– Preparation Plan
• Advance steps to prepare for the implementation of the alternatives
• Not all alternatives require preparation
– Execution Plan
• The steps to follow if a failure/disaster occurs
• Includes identification of internal and external dependent groups
Phase IV: Plan Development
1. DISASTER RECOVERY PLANNING OVERVIEW
2. OBJECTIVE OF THE DRP
3. ASSUMPTIONS
4. CLASSIFICATION OF A DRP EVENT
5. SITE DETAILS
6. DRP EVENT HANDLING STRATEGY
7. DRP RECOVERY ORGANISATION
8. FIRST CONTACT AND EVENT REPORTING
9. DECLARATION OF DRP EVENT
10. MEDIA MANAGEMENT PLAN
11. EVACUATION PROCEDURES
12. CRISIS MANAGEMENT TEAM
13. ROLES & RESPONSIBILITIES OF CMT
14. CMT RECOVERY ACTIONS
15. FACILITIES RECOVERY TEAM (FRT)
16. CLASSIFICATIONS OF DRP EVENTS (L1, L2, L3..)
17. DRP ADMINISTRATION
18. PLAN ADMINISTRATION & TESTING
19. PLAN MAINTENANCE
20. PLAN DISTRIBUTION
21. COMPLIANCE AUDIT
Phase IV: Plan Development
1. EMERGENCY CONTACT NUMBERS
2. DETAILED DAMAGE ASSESSMENT AND SALVAGE CONTROL SHEET
3. PROPERTY REMOVAL FORM
4. LIST OF IT VENDORS & SERVICE PROVIDERS
5. LIST OF ADMINISTRATION VENDORS
6. IT HARDWARE INVENTORY
7. INSURANCE DETAILS
8. NETWORK DIAGRAM
9. DRP MAINTENANCE CHECKLIST
10. DRP CHANGE REQUEST FORM
Phase IV: Plan Development – Details for failure Scenario
(Template columns: Failure Scenario; Possible Causes; Enablers impacted; Processes
impacted; Departments/Functions impacted; Emergency; Recovery)
Objectives:
• Establish testing and maintenance procedures and timetable
• Testing the plan and procedures
• Finalise and maintain DRP
Benefits:
• Determine if documented recovery strategies & associated recovery
procedures are viable to recover critical business functions within their
stated recovery time objectives
• Validates planning assumptions
• Identifies strengths and weaknesses
• Provides the opportunity for all parties (IT & other Business Units) to
participate together
Testing - Component Testing
• Effective for identifying and resolving issues that may adversely affect
the successful completion of a full interruption test.
Types of Tests
Until you thoroughly test all the recovery procedures, the organization
shouldn’t expect those procedures to save it from ruin if a disaster strikes.
• Checklist tests
– Preliminary test in which the DR plan is reviewed to ensure that it addresses all
the procedures and critical areas
• Simulation test
– All the operational and support personnel who are expected to perform in case of
disaster meet for a practice session.
– Typically goes to the point of relocating to the alternate site but does not perform
the actual recovery
• Parallel test
– Test processes run in parallel to the real processes.
– Goal is to ensure that critical systems will run at the alternate site if required
• Full interruption test
– Disaster is replicated to the point of ceasing normal production operations.
The definitive way to test whether the DR site works or not.
Slide 46
Thank you…..
Slide 47
Course: Information Security Management
in e-Governance
Day 3
Slide 2
Security Audits - FAQ
Slide 3
Answers
• Firewalls and other devices are simply tools to help provide security. They do not, by
themselves, provide security.
• Using a castle as an analogy, think of firewalls and other such tools as simply the walls and
watch towers. Without guards, reports, and policies and procedures in place, they provide
little protection.
• Security audits, like financial audits, should be performed on a regular basis.
Slide 4
Security Audit…
Testing/auditing security:
• periodically
• by validation of information security risks,
mitigation measures, controls, policies and
procedures in the organization
• by comparison with industry best practices…
Slide 5
Audit forms an integral part of security monitoring processes
(Diagram: preventative and detective controls)
Slide 6
Defining security audit
Security Audit:
• Identifying the information security risks to the organization and evaluating the
information security measures and their effectiveness
• Auditing information security covers topics from auditing the physical security of
data centres to auditing the logical security of databases and applications..
Slide 7
Why do you need a Security Audit?
• Most businesses are connected to the Internet and have implemented measures
(policies, systems) to protect themselves from unauthorised access/transactions
• IT can be at risk, even with all the right technology, if security policy and procedures
are poorly implemented or outdated
• A few software vulnerabilities account for the majority of successful attacks
• Hackers/attackers are opportunistic, taking the easiest and most convenient route.
• Hacking exploits the best-known flaws with the most effective and widely available
attack tools
• It counts on organizations not fixing the problems, and attackers often attack
indiscriminately, by scanning the Internet for vulnerable systems.
Slide 8
Need for IT Security Audit
• To ensure that the organization's security systems and processes are working as
intended
• To verify and ensure compliance with applicable legislation and acts
• To identify the gaps in the existing defenses…
Slide 9
IT Security Audit – Where does it fall
Slide 10
Types of Security Audit
Slide 11
External Audit Assessment
Slide 12
External Audit-Public Information Gathering
Slide 13
Internal Audit
Slide 14
Focus of IT Security Audit (Illustrative)
Slide 15
Security Audit Horizon…..
Technical Controls
Applications: Business Applications for core and support functions of the Government
• Access Controls
• Data Integrity controls
• Business Configuration controls
• Audit & Accounting policies
Databases and Operating Systems: Operating systems hosting business applications and
databases
• User Management and Password policies
• Access Controls
• Accounting & Audit policies
• Service packs and security patches
Network: Network infrastructure comprising LAN and Internet supporting administrative
access
• Access controls
• Security policies
• Management and Monitoring controls
Architecture, Policy and Procedures
IT Processes
• Physical access Controls
• Environmental Controls
• Backup procedures
• Asset Management Processes
• Insurance Policies
Slide 16
Security Audit Horizon…..
(Diagram: audit horizon covering Physical & Environmental Security, Operating System
Security, Database server and Database Management, Application server, Integrity and
Change Control.)
Slide 17
What does IT Security Auditing involve..
Some standard techniques
IT security auditing to assess the security posture of systems and networks can include a
combination of the following:
• Network Scanning
• Vulnerability Scanning
• Password Cracking
• Log Review
• Integrity Checkers
• Virus Detection
Slide 18
Network Scanning
• Involves using a port scanner to identify all hosts potentially connected to an organization's
network, the network services operating on those hosts and the specific application running
each identified service.
• Provides a comprehensive list of all active hosts and services, printers, switches, and routers
operating in the address space scanned by the port-scanning tool, i.e., any device that has a
network address or is accessible to any other device.
• Port scanners first identify active hosts in the address range specified by the user using
Transmission Control Protocol/Internet Protocol (TCP/IP) Internet Control Message Protocol
(ICMP) ECHO and ICMP ECHO_REPLY packets
Slide 19
Network Scanning (contd..)
• Identify unauthorized hosts connected to the organization’s network
• Check for deviations from the allowed services defined in the organization’s security policy
• Identify vulnerable services
• Prepare for penetration testing
• Assist in the configuration of the intrusion detection system (IDS)
• Collect forensics evidence
Slide 20
Network Scanning (contd..)
Slide 21
Vulnerability Scanning
• Vulnerability scanning identifies hosts and open ports, together with information on
the associated vulnerabilities
Slide 22
Vulnerability Scanning (contd..)
Slide 23
Vulnerability Scanning (contd..)
The following corrective actions may be necessary as a result of vulnerability scanning:
• Improve configuration management program and procedures to ensure that systems are
upgraded routinely
• Assign a staff member to monitor vulnerability alerts and mailing lists, examine their
applicability to the organization's environment and initiate appropriate system changes
Slide 24
Password Cracking
• Password cracking verifies that users are employing sufficiently strong passwords.
• Password hashes can be intercepted when they are transmitted across the
network (using a network sniffer) or they can be retrieved from the targeted system.
• Once the hashes are obtained, an automated password cracker rapidly generates
hashes until a match is found.
Slide 25
Log Reviews
• Various system logs can be used to identify deviations from the organization's security policy.
• Review focuses on firewall logs, IDS logs, server logs, and any other logs that are collecting
audit data on systems and networks
• Log review and analysis can provide a dynamic picture of ongoing system activities that can
be compared with the intent and content of the security policy.
• Essentially, audit logs can be used to validate that the system is operating according to
policies.
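As an added example (not from the course material), the checks described in this slide and in the Network Scanning slides above, run over a constructed scan inventory, constructed firewall log lines and a constructed allowed-services policy; the addresses, hosts, ports and log format are all assumptions made for this example.

```python
"""Audit step: compare observed state against the allowed-services policy.

Added example, not from the course material. It takes a constructed port-scan
inventory and constructed firewall log lines and reports (a) unauthorized hosts,
(b) services a host exposes but is not allowed to, and (c) firewall ACCEPT entries
that the policy does not permit. Addresses, hosts, ports and the log format are
all assumptions made for this example.
"""
import re

# Constructed policy: every authorised host and the TCP ports it may expose.
POLICY = {
    "10.1.1.10": {"host": "web-portal", "allowed": {80, 443}},
    "10.1.1.20": {"host": "db-server", "allowed": {1433}},
    "10.1.1.30": {"host": "mail-relay", "allowed": {25}},
}

# Constructed scan inventory: (address, open TCP port, service identified).
SCAN_RESULTS = [
    ("10.1.1.10", 80, "http"),
    ("10.1.1.10", 443, "https"),
    ("10.1.1.10", 23, "telnet"),            # not permitted by the policy
    ("10.1.1.20", 1433, "ms-sql-s"),
    ("10.1.1.20", 3389, "ms-wbt-server"),   # not permitted by the policy
    ("10.1.1.99", 22, "ssh"),               # address not in the policy at all
]

# Constructed firewall log in an assumed iptables-style syslog format.
FIREWALL_LOG = """\
Mar 04 14:31:02 fw1 kernel: ACCEPT IN=eth0 SRC=203.0.113.5 DST=10.1.1.10 PROTO=TCP DPT=443
Mar 04 14:31:07 fw1 kernel: ACCEPT IN=eth0 SRC=203.0.113.5 DST=10.1.1.20 PROTO=TCP DPT=3389
Mar 04 14:31:09 fw1 kernel: DROP IN=eth0 SRC=198.51.100.7 DST=10.1.1.30 PROTO=TCP DPT=25
Mar 04 14:31:15 fw1 kernel: ACCEPT IN=eth0 SRC=198.51.100.7 DST=10.1.1.99 PROTO=TCP DPT=22
Mar 04 14:31:20 fw1 kernel: ACCEPT IN=eth0 SRC=203.0.113.9 DST=10.1.1.30 PROTO=UDP DPT=53
"""

LOG_RE = re.compile(
    r"(?P<action>ACCEPT|DROP) .*SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP DPT=(?P<dpt>\d+)"
)


def _deviation(policy, address, port):
    """Return the deviation type for (address, port), or None if the policy permits it."""
    entry = policy.get(address)
    if entry is None:
        return "unauthorized_host"
    if port not in entry["allowed"]:
        return "disallowed_service"
    return None


def check_scan(scan, policy):
    """Scan inventory versus policy: unauthorized hosts and disallowed services."""
    findings = []
    for address, port, service in scan:
        kind = _deviation(policy, address, port)
        if kind:
            findings.append({"type": kind, "address": address, "port": port,
                             "detail": service, "source": "scan"})
    return findings


def check_firewall_log(lines, policy):
    """Firewall log versus policy: ACCEPT entries the policy does not permit.

    DROP entries and non-TCP lines are skipped: the firewall already enforced the
    policy there, so they are not a configuration deviation.
    """
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if m is None or m["action"] != "ACCEPT":
            continue
        kind = _deviation(policy, m["dst"], int(m["dpt"]))
        if kind:
            findings.append({"type": kind, "address": m["dst"], "port": int(m["dpt"]),
                             "detail": f"accepted from {m['src']}", "source": "firewall-log"})
    return findings


def audit(scan=SCAN_RESULTS, log_text=FIREWALL_LOG, policy=POLICY):
    """Combine both checks and tally the sources that reached disallowed services,
    which is the input for the 'limit access from the source subnet' remediation."""
    findings = check_scan(scan, policy) + check_firewall_log(log_text.splitlines(), policy)
    sources = {}
    for f in findings:
        if f["source"] == "firewall-log":
            src = f["detail"].split()[-1]
            sources[src] = sources.get(src, 0) + 1
    return {"findings": findings, "accepted_from": sources}


if __name__ == "__main__":
    for f in audit()["findings"]:
        print(f"{f['type']:20} {f['address']}:{f['port']:<5} {f['detail']} [{f['source']}]")
```

Each finding maps to one of the slide's actions: remove the service, reconfigure the host, or tighten the firewall policy for the destination or the source subnet.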
Slide 26
Log Reviews (contd..)
The following actions can be taken if a system is not configured according to policies:
• Remove vulnerable services if they are not needed.
• Reconfigure the system as required to reduce the chance of compromise.
• Change firewall policy to limit access to the vulnerable system or service.
• Change firewall policy to limit accesses from the IP subnet that is the source of compromise.
Slide 27
Virus Detectors
• All organizations are at risk of “contracting” computer viruses, Trojans and worms if they are
connected to the Internet, or use removable media (e.g., floppy disks and CD-ROMs), or use
shareware/freeware software.
• With any malicious code, there is also the risk of exposing or destroying sensitive or
confidential information.
• Virus detectors help identify virus programs already present on the systems
Slide 28
Virus Detectors (contd..)
• The virus detector installed on the network infrastructure is usually installed on mail servers or
in conjunction with firewalls at the network border of an organization.
• Server based virus detection programs can detect viruses before they enter the network or
before users download their e-mail.
• The other type of virus detection software is installed on end-user machines.
• Software detects malicious code in e-mails, USB disks, hard disks, documents and the like but
only for the local host
• The software also sometimes detects malicious code from web sites.
• This type of virus detection program has less impact on network performance but generally
relies on end-users to update their signatures, a practice that is not always reliable.
Slide 29
Virus Detectors (contd..)
Slide 30
Penetration Testing
• Penetration testing is security testing in which evaluators attempt to circumvent the security
features of a system based on their understanding of the system design and implementation.
• However, it is a very labor-intensive activity and requires great expertise to minimize the risk
to targeted systems.
• It may slow the organization's network response time due to network scanning and
vulnerability scanning.
Slide 31
Penetration Testing (contd..)
The rules of engagement should include:
• Specific IP addresses/ranges to be tested
• Any restricted hosts (i.e., hosts, systems, subnets, not to be tested)
• A list of acceptable testing techniques (e.g. social engineering, DoS, etc.) and tools
(password crackers, network sniffers, etc.)
• Times when testing is to be conducted (e.g., during business hours, after business hours,
etc.)
• Identification of a finite period for testing
• IP addresses of the machines from which penetration testing will be conducted so that
administrators can differentiate the legitimate penetration testing attacks from actual
malicious attacks
• Points of contact for the penetration testing team, the targeted systems, and the networks
• Measures to prevent law enforcement being called with false alarms (created by the
testing)
• Handling of information collected by penetration testing team.
Slide 32
Penetration Testing (contd..)
• To simulate an actual external attack, the testers are not provided with any real information
about the target environment other than targeted IP address/ranges and they must covertly
collect information before the attack.
• An internal penetration test is similar to an external except that the testers are now on the
internal network (i.e., behind the firewall) and are granted some level of access to the network
(generally as a user but sometimes at a higher level).
• The penetration testers will then try to gain a greater level of access to the network through
privilege escalation
Slide 33
Internet Audit – Security Policy Review
Slide 34
Internal Audit-Information gathering
Slide 35
Internal Audit-Environment & Physical Security
Slide 36
Internal Audit-Penetration
Slide 37
Internal Audit-Network
Slide 38
Internal Audit-Perimeter Devices
Firewall rules
Logging methods
Slide 39
Internal Audit-Server & OS
• Identify mission-critical servers like application, database, DNS, e-mail and
others..
• Examine the OS and the patch levels
• Examine the ACLs on each server
• Examine the management controls: accounts & passwords
• Placement of the servers
• Backup and redundancy
Slide 40
Internal Audit-Application & Services
Slide 41
Internal Audit-Monitor & Response
Audit should check for procedures on
Slide 42
Internal Audit-Analysis and Report
Analysis result
- Check compliance with security policy
- Identify weakness and vulnerabilities
- Cross check with external audit report
Report- key to realizing value
- Must be in 2 parts
• Non-technical (for management use)
• Technical (for IT staff)
- Methodology of the entire audit process
- Separate Internal and External
- State weaknesses/vulnerabilities
- Suggest solutions to harden security
Slide 43
Guidelines for auditee organizations for Security Audit –
Issued by CERT India
Slide 44
Guidelines for auditee organizations for Security Audit
Slide 45
Guidelines for auditee organisations for Security Audit
• The auditor’s responsibilities need to articulate not just the audit tasks, but
also the documentation of their activities, reporting their actions etc
Slide 46
Auditee roles and responsibilities for Security Audit
• The auditee refrains from carrying out any unusual or major network changes during
auditing/testing.
• To prevent temporary increases in security only for the duration of the test, the auditee notifies
only key people about the auditing/testing. It is the auditee’s judgment that discerns who
the key people are; however, it is assumed that they will be people at policy-making level,
managers of security processes, incident response, and security operations.
• If necessary for privileged testing, the auditee provides the necessary access tokens, whether
they be logins and passwords, certificates, secure ID numbers, etc., and these are typical of
the users of the privileges being tested.
Slide 47
List of typical reviews and tests
Slide 48
List of typical reviews and tests
Slide 49
Role of Auditors….
Slide 50
Role of Auditors
To determine whether
- Appropriate controls supporting integrity of business processes have been
incorporated
- Appropriate security controls have been designed to minimise the risks of
unauthorised access
- Appropriate controls exist surrounding the multi-platform Client server
environment
Slide 51
Selecting external security consultants – Questions you need to
ask !!
Slide 52
End of Session
Slide 53
Course: Information Security Management
in e-Governance
Day 3
Slide 2
Why a Regulatory Framework?
Slide 3
Electronic Transactions: How are they different?
Slide 4
Legal Obstacles to e-Commerce
Slide 5
Achieving Functional Equivalence
Slide 6
Providing legal backing for Functional Equivalence
Slide 7
Genesis of IT Act - The UNCITRAL Model Law
Slide 8
Objectives of the Model Law
• Came into effect from October 17th, 2000 on the lines of the UNCITRAL Model Law
• India is the 12th nation in the world to adopt Cyber Laws
• The Act applies to the whole of India and also applies to any offence or
contravention there under committed outside India by any person irrespective of his
nationality, if such act involves a computer, computer system or network located in
India
• 94 Sections segregated into 13 Chapters and 4 Schedules
• IT Act 2000 was amended through the Information Technology Amendment Act,
2008 which came into effect from October 27, 2009
Slide 11
IT Act – Important Definitions
• “access” means gaining entry into ,instructing or communicating with the logical,
arithmetic or memory function resources of a computer, computer resource or
network;
• "computer" means electronic, magnetic, optical or other high-speed data
processing device or system which performs logical, arithmetic and memory
functions by manipulations of electronic, magnetic or optical impulses, and includes
all input, output, processing, storage, computer software or communication facilities
which are connected or related to the computer in a computer system or computer
network;
• "computer network" means the inter-connection of one or more computers through
(i) the use of satellite, microwave, terrestrial line or other communication media;
and (ii) terminals or a complex consisting of two or more interconnected computers
whether or not the interconnection is continuously maintained;
Slide 12
IT Act – Important Definitions
• "electronic record" means data, record or data generated, image or sound stored,
received or sent in an electronic form or micro film or computer generated micro
fiche;
• “security procedure” means the security procedure prescribed by the Central
Government under the IT Act, 2000.
• secure electronic record – where any security procedure has been applied to an
electronic record at a specific point of time, then such record shall be deemed to be
a secure electronic record from such point of time to the time of verification
Slide 13
Admissibility of Electronic Records
Slide 14
Electronic Records in Government Service Delivery
“Such requirement shall be deemed to have been satisfied if such filing, issue,
grant, receipt or payment, as the case may be, is effected by means of such electronic
form as may be prescribed by the appropriate Government”
The Law also gives recognition for publication of Rules, Regulation etc in Electronic
Gazette
Slide 15
Authentication of Electronic Records
Slide 16
Retention of Electronic Records
Slide 17
Attribution of Electronic Records
Slide 18
Acknowledgement of receipt of Electronic Records
Slide 19
Digital Signatures – IT Act Amendment
• The PKI Digital Signature Regime proposed by IT Act of 2000 is
Technology specific
• This is against the global best practices as envisaged in the
UNCITRAL Model Law on e-Signatures – 2001:
Any electronic signature technology which fulfills the criteria of equivalence
between handwritten and electronic signatures, should be admissible
• Accordingly, the IT Act Amendments of 2008 provided recognition to
other electronic signature technologies, which are identified by the
Central Government
Slide 20
Major themes of IT Amendment Act, 2008
Slide 21
Other Amendments in ITAA 2008
To be taken up in subsequent sessions:
Slide 22
Statutory bodies under IT Act and its Amendments
Slide 23
Indian Computer Emergency Response Team (CERT – in)
Slide 24
CERT – in : Mission and Mandate
by
‘Enhancing the security of communications and Information
infrastructure’
through
‘Proactive action and effective collaboration aimed at security
incident prevention, prediction, response & recovery and security
assurance’
Slide 25
Functions of CERT - in
• The functions of CERT – in are:
– collection, analysis and dissemination of information on cyber incidents;
– forecasts and alerts of cyber security incidents;
– emergency measures for handling cyber security incidents;
– coordination of cyber incident response activities;
– issuing guidelines, advisories, vulnerability notes and whitepapers relating to
information security practices, procedures, prevention, response and reporting
of cyber incidents;
– such other functions relating to cyber security as may be prescribed.
• Section 70B (6): CERT – in may call for information and give directions to service
providers, intermediaries, data centres, body corporates and any other person.
• No court shall take cognizance of any offence under this section, except on a
complaint made by an officer authorized in this behalf by CERT - in
Slide 26
Agenda for the session
Slide 27
Impact of e-Governance on Legal Framework
Slide 28
Government Processes are related to Legal Framework..
Slide 29
Many a time, process / service delivery problems can be traced
back to legislative intent…
(Diagram: Legislative Intent leads to Process Problems, then Delivery Channel Problems,
then Delivery Problems.)
Slide 30
Process problems arose due to the focus on control…
Slide 31
Which was compounded by problems in delivery channels…
Slide 32
Which ultimately resulted in degraded service delivery…
Slide 33
Some of the considerations when processes were designed...
…are no longer true with advances in technology
(Diagram: Decision Support Systems. Then: managers make ALL the decisions. Now:
decision-making is a part of everyone’s job.)
Slide 35
But they are no longer valid in the e-Government context (2/2)
(Diagram: High Performance Computing. Then: plans get revised periodically. Now: plans get
revised dynamically.)
Slide 36
Illustrative Case: MCA21
• MCA21 is one of the Central Mission Mode Projects, designed for electronic service
delivery by the Ministry of Company Affairs (MCA)
Slide 37
MCA21 – Background
Slide 38
Situation before MCA21
Slide 39
MCA21 impact
Slide 40
Snapshot of MCA21 implementation (1/3)
Slide 41
Snapshot of MCA21 implementation (2/3)
Slide 42
Source: MCA21 Process Handbook, Ministry of Company Affairs
Snapshot of MCA21 implementation (3/3)
Slide 43
Legal Framework for the MCA21 project
• The processes of Company Registration and Compliance filing were based on
the Companies Act, 1956 (and the Rules made there-under) and the Monopolies
and Restrictive Trade Practices Act 1969
Slide 44
Why do we need legal amendments?
• The following questions arise…
Do electronic records have the same validity as paper records?
Slide 45
Providing Legal Framework for the MCA21 project
• Some of these legal questions are answered by IT Act:
- Digital Signature signing and submission of e-forms
- Equivalence of electronic and paper records…
• But the domain legislation needs to be amended to reflect the new processes
and procedures..
Slide 46
Amendment to Companies Act, 1956
Amendments to mandate Director Identification Number:
• Amendments to sections 253 & 266 A to 266F to mandate every Director to obtain a DIN.
No Director to be re-appointed without obtaining a DIN
Slide 48
End of Session
Slide 49
Course: Enterprise Applications and Open
Source Systems for e-Governance
implementation
Day 3
• Governments are more closely linked to citizens, internal staff and their
suppliers.
• Sometimes these were loosely interfaced and sometimes they were more
tightly interfaced.
IT Scenario………Before ERP
Result
Too many home grown , independent, standalone and non-integrated software
systems
in the organization
(Diagram: Traditional File System. System 1 and System 2 each have Program 1 and
Program 2, and each program keeps its own File 1, File 2 and File 3.)
Disadvantages of multiple systems
(Diagram: Finance, HR/training, Costing and Product Engineering run as separate systems;
System 1 and System 2 each have Program 1 and Program 2 on top of a DBMS.)
Business Integration?
(Diagram: Vertical Integration runs from Suppliers through the Production, Sales and
Logistics Departments to Citizens; Horizontal Integration links the Production, Sales and
Logistics Departments.)
So can we integrate existing systems to make our own ERP?
Solution
Readymade Software with built-in integration
called as ERP
Enterprise Resource Planning (ERP) systems
(Diagram: ERP system. The Production, Warehousing, HR, Logistics, Legal and Accounting
Departments, each with its own processes (Process1, Process2), share a Common Database.)
Enterprise Resource Planning
Enterprise Resource Planning
(Diagram: ERP modules, e.g. Internal department: Enquiry; Human resource: Hiring/training.)
Two-tier Implementations
• The clients are responsible for presenting the data and passing user input
back to the server.
• While there may be multiple servers and the clients may be distributed
across several types of local and wide area links, this distribution of
processing responsibilities remains the same.
ERP Architecture
Transaction Engine: core software that manages transaction flow among applications and
handles tasks like security and data integrity
How does ERP create value?
• Lower Costs
• Empower Employees
• Integrates Organizational Activities
• Employ Standardization
• Enables Use of "Best Practices"
• Eliminates Information Asymmetries
How does ERP create value?...cont’d
• Provides On-Line and Real-Time Information
• Allows Simultaneous Access to the Same Data for Planning and Control
• Facilitates Intra-Organization Communication and Collaboration
• Facilitates Inter-Organization Communication and Collaboration
Advantages of ERP
Tangible benefits:
• Improves the productivity of process and personnel
• Lowering the cost of products and services purchased
• Paper and postage cost reductions
• Inventory reduction
• Lead time reduction
• Reduced stock obsolescence
• Faster product / service look-up and ordering saving time and money
• Automated ordering and payment, lowering payment processing and
paper costs
Advantages of ERP
Intangible benefits:
• Increases organizational transparency and responsibility
• Accurate and faster access to data for timely decisions
• Can reach more vendors, producing more competitive bids
• Improved customer response
• Saves enormous time and effort in data entry
• More controls thereby lowering the risk of mis-utilization of resources
• Facilitates strategic planning
• Uniform reporting according to global standards
Advantages/Disadvantages of ERP
Advantages:
• Information entered once into system
• Allows customization
• Provides functionality to interact with other modules
Disadvantages:
• Implementation is expensive and lengthy
• Maintenance is costly and time consuming
• Data errors are replicated through the system
What is an ERP – Key Characteristics
Integration
Packages
• IT Infrastructure costs
• Cost of maintaining parallel Systems
• Opportunity cost for using Internal Resources during ERP
Implementations
• Follow up service cost !!!
Why do ERP projects fail…
• Top management commitment and support
• Visioning and planning
• Implementation strategy and timeframe
• Project management & Change Management
Tactical critical success factors
• Project cost planning and management
• Empowered decision makers
• Team morale and motivation
• BPR and software configuration
Tactical critical success factors..cont’d
• Legacy system consideration
• IT infrastructure
• Client consultation
• Consultant selection and relationship
• Selection of ERP
Tactical critical success factors..cont’d
• System testing
• Post implementation evaluation
Thank You…
Course: Enterprise Applications and Open
Source Systems for e-Governance
implementation
Day 3
• Example where open source systems can be used (positioned) for better Return
on Investments
Open-Source in India
In the year 2010, if FOSS is adopted at 50 per cent levels across the
economy, India can save around $2 billion (around Rs 9,800 crore), suggests
a study conducted by the Indian Institute of Management-Bangalore.
Source: http://www.business-standard.com/india/news/open-source-software-can-save-india-2-bn/369858/
Technology Architectures
[Chart: application usage over time (1998, 2002, 2006, 2010) set against the cost of a licensed product, License Fee + Σ (y = 1 …) Annual S&M, i.e. the upfront licence plus the annual support and maintenance fee for every year the application stays in use.]
Why would Governments use or create OSS (value for Government)?
[Diagram: how the Rs. IT budget is layered, from Business Solutions at the top, through Business Applications & Business Components, down to Infrastructure Software (Core & Technology Services).]
Why would Governments use or create OSS (value for
Government)?
For many Governments the world over, the choice of Open Source is a strategic one.
• The preference towards Open Source platforms is firstly because, acquiring and
upgrading proprietary software is expensive.
• There is also the proposition that it is safer to entrust knowledge in the public
domain to Open Source, which is also in the public domain, than to proprietary
platforms.
• Thirdly, using open source would enable India to encourage our own software
professionals to provide software support in the form of add-on applications that
could be written at a cost much smaller than that required to buy multi-featured
packaged software.
Source: http://dqindia.ciol.com/content/top_stories/103101501.asp (retrieved 12 July 2010)
Simply put…
• Cost savings
• Security
• Reliability
• Open standards, avoidance of vendor lock-in
• Reduced reliance on imports
• Developing local software industry
• Localization
Weighing Benefits
http://www.apdip.net
• Internet Payment Gateway (IPG) has been developed using LAMP (Linux,
Apache, MySQL, PHP) for Guwahati Municipal Corporation
( www.myguwahati.in) for payment of online property taxes by the
citizens.
• The IPG has also been implemented for the e-Tendering System and
International Payments are accepted online.
• No cost for software – staff time only for evaluation, deployment, and maintenance
[Diagram: structure of a typical OSS project, a project lead coordinating several volunteers.]
Understanding Open Source Software (OSS)
[Diagram: two distribution models. Closed: code is locked in a binary and sent to customers, who can only run the program. Open: code is distributed to users, who create the binary themselves and distribute their modifications.]
Understanding Open Source Software (OSS).. contd..
• Once a program has been "compiled" into a form which can be installed
and run on a computer, its original source code cannot be recovered from it
(decompilation yields at best an approximation, without the original comments
and usually without the original names).
Understanding Open Source Software (OSS).. contd..
• If a program's license includes the right to modify the program, this right is
meaningless unless the source code is readily available.
Understanding Open Source Software (OSS).. .contd..
• The Free Software movement and the Open Source movement are
separate but have overlapping goals
The Open Source Definition is used by the Open Source Initiative to determine
whether or not a software license can be considered open source.
a) Free Redistribution
• The license shall not restrict any party from selling or giving away the software as
a component of an aggregate software distribution containing programs from
several different sources.
• The license shall not require a royalty or other fee for such sale.
Open Source Definition – as per Open Source Initiative ..contd..
b) Source Code
The program must include source code, and must allow distribution in source code as
well as compiled form.
c) Derived Works
The license must allow modifications and derived works, and must allow them to be
distributed under the same terms as the license of the original software
d) Distribution of License
The rights attached to the program must apply to all to whom the program is
redistributed without the need for execution of an additional license by those parties
Open Source Definition – as per Open Source Initiative ..contd..
• The term "open standard" is sometimes coupled with "open source" with
the idea that a standard is not truly open if it does not have a complete
free/open source reference implementation available.
• The Open Source Initiative defines the requirements and criteria for open
standards as follows:
• An "open standard" must not prohibit conforming implementations in open
source software.
• To comply with the Open Standards Requirement, an "open standard" must
satisfy the following criteria.
• If an "open standard" does not meet these criteria, it will be discriminating
against open source developers.
Open Standards contd..
Other elements of "Open Standards" include, but are not limited to:
• Collaborative process – voluntary and market driven development (or approval) following a
transparent consensus driven process that is reasonably open to all interested parties.
• Reasonably balanced – ensures that the process is not dominated by any one interest
group.
• Quality and level of detail – sufficient to permit the development of a variety of competing
implementations of interoperable products or services.
Open Source Software vs. Proprietary software
• A proprietary license ensures that only one entity -- the company or individual
that created the software -- has the right to make changes or even see the
software's internal structure.
• They complete a program and then try to remove as many flaws (software
errors or "bugs," and security "holes") as possible before the software
goes to market.
Open Source Software vs. Proprietary software contd..
• Any flaws which remain after shipping time become the consumers
problem, leading to lost work and frustration.
• Even if users know how to solve a flaw, the software license prohibits
them from making the fix themselves.
Comparing GOTS, COTS Proprietary, and COTS OSS
[Chart: failure rate, 0 to 100%, by product family]
• Studies have found OSS apps significantly more reliable [U Wisconsin]
– Proprietary Unix failure rate: 28%, 23%
– OSS: Slackware Linux 9%, GNU utilities 6%
– Windows: 100%; 45% if certain Win32 message formats are forbidden
[See http://www.dwheeler.com/oss_fs_why.html]
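The failure rates above come from feeding programs random input and counting how many crash or hang. The harness below is an added example (not from the course slides or from the Wheeler page it cites) showing how such a rate is measured: a constructed "brittle" record parser that trusts its length prefix sits beside a hardened version of the same parser, and both are driven with the same seeded stream of random byte strings. Every name here (brittle_parse, robust_parse, random_inputs, failure_rate) is invented for the illustration.

```python
"""Toy fuzz harness: how often does a target crash on random input?

Added example, not part of the slides. The two parsers are constructed stand-ins
for a brittle and a robust program; the inputs are random bytes, as in the
University of Wisconsin fuzz studies cited above.
"""
import random
from typing import Callable, Iterator, Optional

# Record format assumed for the example: <length byte><payload><checksum byte>


def brittle_parse(data: bytes) -> int:
    """Constructed brittle target: trusts its input and raises on bad records."""
    length = data[0]                    # IndexError on empty input
    payload = data[1:1 + length]
    checksum = data[1 + length]         # IndexError if shorter than announced
    return sum(payload) % 256 - checksum  # 0 means "checksum matches"


def robust_parse(data: bytes) -> Optional[int]:
    """Constructed hardened target: same format, every field checked before use.

    Returns None for a malformed record instead of raising.
    """
    if len(data) < 2:
        return None
    length = data[0]
    if len(data) < 2 + length:
        return None
    payload = data[1:1 + length]
    checksum = data[1 + length]
    return (sum(payload) - checksum) % 256


def random_inputs(count: int, seed: int, max_len: int = 64) -> Iterator[bytes]:
    """Seeded stream of random byte strings (lengths 0..max_len), reproducible."""
    rng = random.Random(seed)
    for _ in range(count):
        n = rng.randint(0, max_len)
        yield bytes(rng.getrandbits(8) for _ in range(n))


def failure_rate(target: Callable[[bytes], object],
                 count: int = 2000, seed: int = 1) -> float:
    """Fraction of random inputs on which `target` raises any exception."""
    failures = 0
    for data in random_inputs(count, seed):
        try:
            target(data)
        except Exception:           # any uncaught exception counts as a crash
            failures += 1
    return failures / count


if __name__ == "__main__":
    for name, fn in (("brittle", brittle_parse), ("robust", robust_parse)):
        print(f"{name:8s} failure rate: {failure_rate(fn):.1%}")
```

Both parsers return 0 for the well-formed record `02 0A 14 1E`; the difference only shows under random input, where the brittle parser crashes on empty or truncated records and the hardened one never does. Real fuzzers (the Wisconsin tests included) also count hangs and treat a crash in native code as a potential memory-safety bug, not just a reliability problem.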
Myth 4 : Open Source Software Is Too Risky for IT Security
• Ability to fit local needs: Availability of the source code means that
you can modify and enhance the software to more closely fit your own
needs.
• Low cost: no charge for the software itself. If other libraries share
their efforts, each user's cost is reduced. Pay only for needed support
or any additional products and services if required. Even then, the
savings over commercial software are large.
• Due to the nature of free and open source software deployment, there is a
dearth of open source experts when troubleshooting is needed.
• There is no clear ownership of free and open source software. As it is a
"global public good", responsibility is diffuse across the community.
OSS: Weaknesses.. contd..
Pay-for-Support companies and service providers of OSS are using all state-
of-the-art technologies and processes to keep OSS products competitive
against their commercial competitors.
Some of the open source initiatives in India
http://bosslinux.in/
Bharat Operating System Solutions - BOSS contd..
• The accessibility of BOSS Linux will have a constructive impact on the digital
divide in India as more people can now have access to software in their local
language to use the Internet and other information and communications
technology (ICT) facilities.
• Community Information Centres (CICs) and internet cafes will also benefit from
BOSS GNU/Linux, as this software can be used to power these outlets and is
affordable and easy to install, use and support.
http://bosslinux.in/
FOSS in State Government
http://osindia.blogspot.com/2009/12/yet-another-indian-state-Government.html
Retrieved on 12th July 2010
IT@Schools
The South Indian state of Kerala pioneered open source in schools with its
famous IT@Schools project, which now covers three million students from the 5th to 10th
standards and involves 200,000 teachers across 4071 schools.
− Since then, other Indian states like Karnataka, Gujarat, Assam, West Bengal and
others have made open source a key part of their school education initiatives.
− a study by the Indian Institute of Management, Bangalore, found that the
Kerala Government's usage of OSS saved it Rs 49 crore ($10.2 million).
http://opensource.com/Government/10/4/oss-one-best-tools-modernizing-india-education-system
• The Open Source Simple Computer for Agriculture in Rural Areas (OSCAR)
project involves the prototyping of an application software for weed identification
and control of the rice and wheat crop systems of the Indo-Gangetic Plains.
• OSCAR is unique in that it is the first of its kind within the domain of information
and communications technology (ICT) applications for agriculture.
• The OSCAR project aims to address the issue of declining agricultural productivity
in South Asia by producing a tool for decision-making in weed identification and
control.
• The project has tested the application with various target groups in the four
countries of the IGP – Bangladesh, India, Nepal and Pakistan, with encouraging
results.
eBiz
• The Government of India has started its eBiz initiative - a project to build
a framework for Government to Business (G2B) services where services
from the federal, state and local Government agencies will be made
available through a single portal.
Dspace
• DSpace captures data in any format – in text, video, audio, and data. It
distributes it over the web. It indexes the contents, so users can
search and retrieve items. It also preserves digital work over the long
term.
• DSpace provides a way to manage research materials and
publications in a professionally maintained repository to give them
greater visibility and accessibility over time.
• DSpace is freely available as open source software.
Few other worldwide examples
Eprint
Drupal
Drupal is a free software package that allows an individual or a community of users
to easily publish, manage and organize a wide variety of content on a website.
It enables features such as:
* Content Management Systems
* File uploads and downloads, etc
Joomla
Joomla! is an Open Source Content Management System.
It is used for creating simple websites to complex corporate applications.
Wikipedia
Wikipedia has become the world’s largest encyclopedia due to adoption of an open
source model.
http://www.dwheeler.com/numbers
http://eGovstandards.Gov.in
Course: Information Security Management
& EA
Q&A
Slide 3
Feedback from Audience (30 Mins)
Slide 4
Thank You
Slide 5