Securing & Assuring eGovernance Services
Prof. K. Subramanian
Director & Professor, Advanced Center for Informatics & Innovative Learning, IGNOU
Consulting IT Adviser to CAG of India
Ex-DDG (NIC), Ministry of Communication & Information Technology
26/02/2009 Prof. ks@2009 NPC Program securing & Assuring eGov services
Important Notable Quotes
“Ever since men began to modify their lives by using technology they have found themselves in a series of technological traps.” - Roger Revelle
“The law is the last interpretation of the law given by the last judge.” - Anon.
“Privacy is where technology and the law collide.” - Richard Smith (who traced the ‘I Love You’ and ‘Melissa’ viruses)
NeGP related Policy Guidelines
1. “Policy Guidelines on the use of e-Form Technology”
2. Policy on Identity and Access Management: An e-Governance standards initiative to make e-Government Programs and their services a reality
Draft Document “e-Governance Information Security Standard” (Version 01 dated 12th October 2006) has proposed additional security controls for e-Governance purposes, viz., data security and privacy protection, network security, and application security.
Draft Document “Base line security requirements & Selection of controls” (Version 01, 12th October 2006).
http://egovstandards.gov.in
Strategy-Policy-Good Practice
“Information Security Policy for Protection of Critical Information Infrastructure” (No. CERT-In/NISAP/01, issued on 1st May 2006)
Transition from IT Policy (covers only the IT & ITeS industry) to a National Informatics Policy cutting across Governments (central/state/local): departmental allocation of Business Rules.
Information & Privacy Protection Policy, apart from the IT Act & RTI Act
Stopping Spam Before It Stops You: SPAM Policy to be done
"Data disposal, anonymity, trust, privacy management, and systems development activities are just a few of the many privacy concerns organizations must address and need to thoughtfully create a privacy strategy that is clearly and consistently supported by the top business leaders."
“IT Regulations and Policies: Compliance & Management”
Pre-requisites: Physical Infrastructure and Mind-set
PAST: We have inherited a past, for which we cannot be held responsible;
PRESENT: We have fashioned the present on the basis of development models, which have undergone many mid-course corrections;
FUTURE: The path to the future, a future in which India and Indians will play a dominant role in world affairs, is replete with opportunities and challenges.
In a number of key areas, it is necessary to break from the past in order to achieve our Vision.
We have within ourselves the capacity to succeed.
We have to embrace an Integrated Security & Cyber Assurance Framework.
e-Governance Promises
• Efficiency of Service connotes
– Speed and timeliness of delivery of service
– Elegance of the user interface
– Quality close to the user expectation
– Simplicity of user action required for obtaining the service
• User-Convenience includes
– Easy access to the request-fulfilment cycle
– User independence of time and place (24 x 7 availability)
– Single sign-on
– Single-window access to several services
– Integrated services, meaning access to several agencies through one request
• Cost effectiveness of Service is
– Reduced direct cost compared to the conventional system
– Reduced indirect cost involved in repeated visits
– Reduced cost to the government agency in servicing the request
– Saving of user time and the cost, and the consequent opportunity cost, of user time
– Enhanced revenue/benefit to the Govt. agency
• Reliability of the Service means
– High degree of availability (99.99%) through disaster recovery systems and alternative channels
– Bug-free system that returns no error message
– System that produces accurate results and response
• Citizen-Centric Service involves
– Designing of services from the user’s point of view rather than the agency’s
– Developing all user interfaces in local language(s)
– Eliminating scope for ambiguity at the user end
– Grouping of services around the user’s requirements and behaviour patterns
eGovernance Benefits
• Reduce service time
• Improved customer service through up-to-date, accurate data
• Business intelligence for fact-based decision making
• Increased Government revenue due to reduction in transmission and distribution losses
Risks
• Economic Risk
– Huge investment
– Cost of technology and knowledge is high
• Technological Risk
– High obsolescence rate
– Dependability/reliability of technology
– Use of the right technology
• Social Risk and User Acceptability Risks
– Solutions are citizen and business centric and touch upon sensitive service-oriented issues
– High expectation
Concerns
• Users
– Whether Government services will be available in a convenient way as promised
• Policy Makers and Administrators
– Whether the objectives of eGovernance are being achieved (transparency, availability of service, compliance with Govt. rules, procedures, decisions and regulations)
• Solution/Service Provider
– That the system meets the requirements of the RFP
eGovernance - Governance
Quality is the differentiator
Benefits
Risks and Concerns
What is required
A Framework to ensure
■ Requirements are specified
■ Specifications are complied with
■ Users are satisfied
Context-specific processes should be in place to achieve these, and can be defined in a framework known as the Quality Assurance Framework.
Quality in eGovernance
Service Quality can be achieved by ensuring that best practices (as defined in International Standards) are followed while designing and implementing the processes & products/services.
Quality and Documentation
A working group (WG-5) on Quality and Documentation was formed to bring out guidelines and best practices for Quality and Documentation.
Quality
Quality Assurance Framework
A framework which provides assurance by defining processes and services and by demonstrating conformity with these.
Basic Principles
Define – Quality policy, objectives and means of their achievement
Assure Quality – Execute processes and implement best practices
Generate confidence – Assess conformity and analyse impact
eGovernance Conformity Assessment - Goal
Generating confidence of Citizen and Business in e-Government by assuring the quality of delivered services.
eGCA - Objective
Generating confidence of Citizen and Business in e-Government through conformity assessment to user requirements, regulations and best practices by an independent third party, rather than relying solely on the assertion of the developers and solution providers.
e-Governance Evolution
[Figure: maturity of e-Governance (vertical axis) plotted against time (horizontal axis), rising through the stages Information, Interaction, Transaction and Integration.]
29th November 2005 IT Governance --> Corporate Governance
eGovernance Maturity Model
Up the Value Chain (Quality Assurance Framework for e-Governance)
[Figure: three phases of eGov, each with its assurance level and the applicable standards:
I Phase eGov (Information & Interaction): Quality Certified eGov Products: ISO 9126, ISO 14598, ISO 9001:2008
II Phase eGov (Transaction): Secure Citizen: ISO 27001, Q-Web, ISO 15408
III Phase eGov (Transformation): Assured Citizen: ITIL, BS 15000]
Conformance Engineering
[Figure: Quality of Service to Citizen & Business and Confidence in e-Government, resting on conformance to standards & best practices across Infrastructure (Network, Datacentre, CSC), S/W Quality, IT Service Levels / IT Service Mgmt., Security of Information System, Website, and Legal & Ethical issues, leading to Assured Services.]
e-Governance Components which need assurance
Infrastructure
• Network (SWAN & NICNET)
• Data Centre
• Common Service Centre
Quality components
• Information Security Assessments
• Application Software Testing (Quality & Security)
• IT Services – Quality Evaluation (Service Levels)
• Web-Site (Security, Quality, Ethical & Legal Issues)
• Compliance with technical standards
• IT Infrastructure (Hardware & Software)
• Non-IT Infrastructure (Compliance to requirements)
• Compliance with regulatory requirements (RTI Act, IT Act, DOPT Rules and other applicable Govt. and State Govt. Acts and Rules)
Documentation (WG-5)
Documentation standards are particularly important: documents are the tangible manifestation of the software.
Documentation process standards
– Concerned with how documents should be developed, validated and maintained.
Document standards
– Concerned with document contents, structure, and appearance.
Document interchange standards
– Concerned with the compatibility of electronic documents.
Agenda
• Develop procedure for Standards Formulation
• Provide guidelines on best practices wherever required (e.g. RFP, SLA etc.)
• Develop framework for Quality Assurance
• Develop framework for Conformity Assessment
• Develop standards for documentation
eSecurity Technologies
• Cryptography & Cryptology
• Steganography
• Digital watermarking
• Digital Rights Management
• Cyber Defence technologies (Firewall, IDS/IPS, Perimeter and Self-Defence)
• Access Control & ID Management (Rule, Role, Demand Based)
• Signatures (Digital/Electronic)
• Cyber Forensics & Cyber Audit
[Figure: threats to an Information System (IS), the controls that counter them, and the business consequences of failure.
Threats: Fraud & theft; Scavenging; Virus attack; Accidental damage; Natural disaster; Unauthorised access; Interception; Trojan horses; Incomplete program changes; Hardware/software failure; Social engineering attack; Data diddling.
Controls: Passwords; Encryption; Anti-virus; Backups; Hardware maintenance; Security guards; Input validations; Audit trails; Program change documentation; Authorisation; Business continuity plan.
Consequences: Losing to competition; Loss of customers; Loss of credibility; Embarrassment; Financial loss.]
e-Security & eAudit: Objectives and Certification Framework
[Figure: framework attributes drawn from Control Theory, COBIT and the IT Act. Attributes: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability of information. Indian IT Act references: 2(1)(zd)(a), 2(1)(zd)(b), 2(1)(zd)(c), 2(1)(zd)(d).]
Transition: Audit to Assurance
Cyber Management Assurances: a layered framework
• Management & Operational Assurance (Risk & ROI)
• Technical Assurance (Availability, Serviceability & Maintainability)
• Revenue Assurance (Leakage & Fraud)
• Legal Compliance & Assurance (Governance)
Standards, Standards, Standards: Technical vs Management
• Security
• Audit
• Interoperability
• Interface (systems/devices/communications)
• Architecture/Building Blocks/reusable
• HCI (Human Computer Interface)
• Process (Quality & Work)
• Environmental (Physical, Safety, Security)
• Data Interchange & mail messaging (Information/Data Exchange)
• Layout/Imprint
Technical Standards: specifications, mainly for interoperability, accessibility and interactivity
Management standards: auditable & verifiable; certification & compliance
Cyber Assurance & IT Governance - Final Message
“In Governance matters Past is no guarantee; Present is imperfect and Future is uncertain”
“Failure is not when we fall down, but when we fail to get up”
FOR FURTHER INFORMATION PLEASE CONTACT:
E-mail: [email protected]@ignou.ac.in
91-11-23219857
Fax: 91-11-23217004
Office of the CAG, 10, B.Z. Marg, New Delhi-110002