Securing & Assuring E Governance Services
Page 1: Securing & Assuring E Governance Services

Securing & Assuring eGovernance Services

Prof. K. Subramanian
Director & Professor, Advanced Center for Informatics & Innovative Learning, IGNOU
Consulting IT Adviser to CAG of India
Ex-DDG (NIC), Ministry of Communication & Information Technology

26/02/2009 Prof. ks@2009 NPC Program securing & Assuring eGov services 1

Page 2: Securing & Assuring E Governance Services

Important Notable Quotes

"Ever since men began to modify their lives by using technology they have found themselves in a series of technological traps." - Roger Revelle

"The law is the last interpretation of the law given by the last judge." - Anon.

"Privacy is where technology and the law collide." - Richard Smith (who traced the 'I Love You' and 'Melissa' viruses)

Page 3: Securing & Assuring E Governance Services

NeGP related Policy Guidelines

1. "Policy Guidelines on the use of e-Form Technology"
2. Policy on Identity and Access Management: an e-Governance standards initiative to make e-Government programs and their services a reality
3. Draft Document "e-Governance Information Security Standard" (Version 01, dated 12th October 2006) has proposed additional security controls for e-Governance purposes, viz., data security and privacy protection, network security, and application security
4. Draft Document "Base line security requirements & Selection of controls" (Version 01, 12th October 2006)

http://egovstandards.gov.in

Page 4: Securing & Assuring E Governance Services

Strategy-Policy-Good Practice

• "Information Security Policy for Protection of Critical Information Infrastructure" (No. CERT-In/NISAP/01, issued on 1st May 2006)
• Transition from IT Policy (covers only the IT & ITeS industry) to a National Informatics Policy cutting across Governments (central/state/local) and the departmental allocation of Business Rules.
• Information & Privacy Protection Policy, apart from the IT Act & RTI Acts
• Stopping Spam Before It Stops You – SPAM Policy to be done
• "Data disposal, anonymity, trust, privacy management, and systems development activities are just a few of the many privacy concerns organizations must address and need to thoughtfully create a privacy strategy that is clearly and consistently supported by the top business leaders."

Page 5: Securing & Assuring E Governance Services

"IT Regulations and Policies - Compliance & Management"

Pre-requisites: Physical Infrastructure and Mind-set

PAST: We have inherited a past, for which we cannot be held responsible;

PRESENT: We have fashioned the present on the basis of development models, which have undergone many mid-course corrections;

FUTURE: The path to the future -- a future in which India and Indians will play a dominant role in world affairs -- is replete with opportunities and challenges.

In a number of key areas, it is necessary to break from the past in order to achieve our Vision.

We have within ourselves the capacity to succeed.

We have to embrace an Integrated Security & Cyber Assurance Framework.

Page 6: Securing & Assuring E Governance Services

e-Governance Promises

• Efficiency of Service connotes
 – speed and timeliness of delivery of service
 – elegance of the user interface
 – quality close to the user's expectation
 – simplicity of the user action required for obtaining the service

• User-Convenience includes
 – easy access to the request-fulfillment cycle
 – user independence of time and place (24 x 7 availability)
 – single sign-on
 – single-window access to several services
 – integrated services, meaning access to several agencies through one request

• Cost effectiveness of Service is
 – reduced direct cost compared to the conventional system
 – reduced indirect cost involved in repeated visits
 – reduced cost to the government agency in servicing the request
 – saving of user time and cost, and the consequent opportunity cost of user time
 – enhanced revenue/benefit to the Govt. agency

• Reliability of the Service means
 – high degree of availability – 99.99% through disaster recovery systems and alternative channels
 – bug-free system that returns no error message
 – system that produces accurate results and responses

• Citizen-Centric Service involves
 – designing services from the user's point of view rather than the agency's
 – developing all user interfaces in local language(s)
 – eliminating scope for ambiguity at the user end
 – grouping services around the user's requirements and behaviour patterns

Page 7: Securing & Assuring E Governance Services

eGovernance Benefits

• Reduced service time
• Improved customer service through up-to-date, accurate data
• Business intelligence for fact-based decision making
• Increased Government revenue due to reduction in transmission and distribution losses

Risk

• Economic Risk
 – Huge investment
 – Cost of technology and knowledge is high
• Technological Risk
 – High obsolescence rate
 – Dependability/reliability of technology
 – Use of the right technology
• Social Risk and User Acceptability Risks
 – Solutions are citizen and business centric and touch upon sensitive service-oriented issues
 – High expectation

Concerns

• Users
 – Whether Government services will be available in a convenient way as promised
• Policy Makers and Administrators
 – Whether the objectives of eGovernance are being achieved (transparency, availability of service, compliance with Govt. rules, procedures, decisions and regulations)
• Solution/Service Provider
 – That the system meets the requirements of the RFP

Page 8: Securing & Assuring E Governance Services

eGovernance - Governance

Quality is the differentiator

Benefits

Risks and Concerns

Page 9: Securing & Assuring E Governance Services

What is required

A Framework to ensure
■ Requirements are specified
■ Specifications are complied with
■ Users are satisfied

Context-specific processes should be in place to achieve these, and can be defined in a framework known as the Quality Assurance Framework.

Page 10: Securing & Assuring E Governance Services

Quality in eGovernance

Service quality can be achieved by ensuring that best practices (as defined in International Standards) are followed while designing and implementing the processes & products/services.

Page 11: Securing & Assuring E Governance Services

Quality and Documentation

A working group (WG-5) on Quality and Documentation was formed to bring out guidelines and best practices for Quality and Documentation.

Page 12: Securing & Assuring E Governance Services

Quality

Quality Assurance Framework: a framework which provides assurance by defining processes and services and by demonstrating conformity with these.

Page 13: Securing & Assuring E Governance Services

Basic Principles

Define – quality policy, objectives and the means of their achievement

Assure Quality – execute processes and implement best practices

Generate confidence – assess conformity and analyse impact

Page 14: Securing & Assuring E Governance Services

eGovernance Conformity Assessment - Goal

Generating confidence of citizens and business in e-Government by assuring the quality of delivered services.

Page 15: Securing & Assuring E Governance Services

eGCA - Objective

Generating confidence of citizens and business in e-Government through conformity assessment against user requirements, regulations and best practices by an independent third party, rather than relying solely on the assertion of the developers and solution providers.

Page 16: Securing & Assuring E Governance Services

e-Governance Evolution

(Figure: maturity of e-Governance plotted against time, rising through four stages: Information, Interaction, Transaction, Integration.)

Page 17: Securing & Assuring E Governance Services

eGovernance Maturity Model

(Slide carried over from "IT Governance --> Corporate Governance", 29th November 2005.)

Page 18: Securing & Assuring E Governance Services

Up The Value Chain

Page 19: Securing & Assuring E Governance Services

Quality Assurance Framework for e-Governance

(Figure: three phases of e-Governance with the assurance level and standards attached to each.)

I Phase eGov (Information & Interaction) – Quality Certified eGov Products – ISO 9126, ISO 14598, ISO 9001-2008

II Phase eGov (Transaction) – Secure Citizen – ISO 27001, Q-Web, ISO 15408

III Phase eGov (Transformation) – Assured Citizen – ITIL, BS15000

Page 20: Securing & Assuring E Governance Services

Quality of Service to Citizen & Business – Confidence in e-Government

(Figure: Assured Services, built by Conformance Engineering and conformance to standards & best practices, resting on these components.)

• Infrastructure – Network, Datacentre, CSC
• S/W Quality
• IT Service Levels / IT Service Mgmt.
• Security of Information System
• Website
• Legal & Ethical issues

Page 21: Securing & Assuring E Governance Services

e-Governance Components which need assurance

Infrastructure
• Network (SWAN & NICNET)
• Data Centre
• Common Service Centre

Quality components
• Information Security Assessments
• Application Software Testing (Quality & Security)
• IT Services – Quality Evaluation (Service Levels)
• Web-Site (Security, Quality, Ethical & Legal Issues)
• Compliance with technical standards
• IT Infrastructure (Hardware & Software)
• Non-IT Infrastructure (Compliance to requirements)
• Compliance with regulatory requirements (RTI Act, IT Act, DOPT Rules and other applicable Govt. and State Govt. Acts and Rules)

Page 22: Securing & Assuring E Governance Services

Documentation (WG-5)

Documentation standards are particularly important: documents are the tangible manifestation of the software.

– Documentation process standards: concerned with how documents should be developed, validated and maintained.
– Document standards: concerned with document contents, structure, and appearance.
– Document interchange standards: concerned with the compatibility of electronic documents.

Page 23: Securing & Assuring E Governance Services

Agenda

• Develop a procedure for standards formulation
• Provide guidelines on best practices wherever required (e.g. RFP, SLA etc.)
• Develop a framework for Quality Assurance
• Develop a framework for Conformity Assessment
• Develop standards for documentation

Page 24: Securing & Assuring E Governance Services

eSecurity Technologies

• Cryptography & Cryptology
• Steganography
• Digital watermarking
• Digital Rights Management
• Cyber Defence technologies (Firewall, IDS/IPS, Perimeter and Self-Defence)
• Access Control & ID Management (Rule, Role, Demand Based)
• Signatures (Digital/Electronic)
• Cyber Forensics & Cyber Audit

Page 25: Securing & Assuring E Governance Services

Page 26: Securing & Assuring E Governance Services

(Figure, reconstructed from the slide's labels: the threats surrounding an information system (IS), the controls that counter them, and the consequences when they fail.)

Threats: Fraud & Theft; Scavenging; Virus Attack; Accidental Damage; Natural Disaster; Unauthorised Access; Interception; Trojan Horses; Incomplete Program Changes; Hardware/Software Failure; Social Engineering Attack; Data Diddling

Controls: Passwords; Encryption; Anti-Virus; Backups; Hardware Maintenance; Security Guards; Input Validations; Audit Trails; Program Change Documentation; Authorisation; Business Continuity Plan

Consequences: Losing to Competition; Loss of Customers; Loss of Credibility; Embarrassment; Financial Loss

Page 27: Securing & Assuring E Governance Services

e-Security & eAudit Objectives and Certification Framework

(Figure: control attributes mapped across frameworks.)

Framework: Control Theory; COBIT; IT Act

Attributes: Effectiveness; Efficiency; Confidentiality; Integrity; Availability; Compliance; Reliability of information

Indian IT Act reference: 2(1)(zd)(a); 2(1)(zd)(b); 2(1)(zd)(c); 2(1)(zd)(d)

Page 28: Securing & Assuring E Governance Services

Transition: Audit to Assurance – Cyber Management Assurances

Layered Framework
• Management & Operational Assurance (Risk & ROI)
• Technical Assurance (Availability, Serviceability & Maintainability)
• Revenue Assurance (Leakage & Fraud)
• Legal Compliance & Assurance (Governance)

Page 29: Securing & Assuring E Governance Services

Standards, Standards, Standards – Technical vs Management

• Security
• Audit
• Interoperability
• Interface (systems/devices/communications)
• Architecture/Building Blocks/reusable
• HCI (Human Computer Interface)
• Process (Quality & Work)
• Environmental (Physical, Safety, Security)
• Data Interchange & mail messaging (Information/Data Exchange)
• Layout/Imprint

Technical Standards – Specifications, mainly for interoperability, accessibility and interactivity

Management Standards – Auditable & Verifiable; Certification & Compliance

Page 30: Securing & Assuring E Governance Services

Cyber Assurance & IT Governance - Final Message

"In Governance matters, Past is no guarantee; Present is imperfect and Future is uncertain."

"Failure is not when we fall down, but when we fail to get up."

Page 31: Securing & Assuring E Governance Services

FOR FURTHER INFORMATION PLEASE CONTACT:
E-MAIL: [email protected]@ignou.ac.in
Tel: 91-11-23219857
Fax: 91-11-23217004
Office of the CAG, 10, B.Z. Marg, New Delhi-110002