Securing & Assuring eGovernance Services
1. Securing & Assuring eGovernance Services
Prof. K. Subramanian
Director & Professor
Advanced Center for Informatics & Innovative Learning,
IGNOU
Consulting IT Adviser to CAG of India
EX-DDG(NIC), Ministry of Communication & Information Technology
26/02/2009 Prof. ks@2009 NPC Program securing & Assuring 1
2. Important Notable Quotes
“Ever since men began to modify their lives by using
technology they have found themselves in a series of
technological traps.” Roger Revelle
“The law is the last interpretation of the law given by
the last judge.”- Anon.
“Privacy is where technology and the law collide.”
--Richard Smith
(who traced the ‘I Love You’ and ‘Melissa viruses’)
3. NeGP related Policy Guidelines
1. “Policy Guidelines on the use of e-Form Technology”
2. Policy on “Identity and Access Management”: An e-Governance standards initiative to make e-Government Programs and their services a reality
Draft Document “e-Governance Information Security Standard” (Version 01 dated 12th October 2006) has proposed additional security controls for E-Governance purposes, viz., Data security and privacy protection, Network security, and Application security;
Draft Document “Base line security requirements & Selection of controls” (Version 01, 12th October 2006).
http://egovstandards.gov.in
4. Strategy-Policy-Good Practice
“Information Security Policy for Protection Critical Information
Infrastructure” (No. CERT-In/NISAP/01, issued on 1st May 2006)
Transition from IT Policy(covers only IT & ITeS Industry) to National
Informatics Policy Cutting across Governments (central/state/Local)
Departmental allocation of Business Rules.
Information & Privacy Protection Policy, apart from IT ACT & RTI
ACTS
Stopping Spam Before It Stops You – SPAM Policy to be done
“Data disposal, anonymity, trust, privacy management, and systems development activities are just a few of the many privacy concerns organizations must address and need to thoughtfully create a privacy strategy that is clearly and consistently supported by the top business leaders.”
5. “IT Regulations and Policies-Compliance &
Management”
Pre-requisites: Physical Infrastructure and Mind-set
PAST: We have inherited a past, for which we cannot be held responsible;
PRESENT: We have fashioned the present on the basis of development models, which have undergone many mid-course corrections;
FUTURE: The path to the future, a future in which India and Indians will play a dominant role in world affairs, is replete with opportunities and challenges.
In a number of key areas, it is necessary to break from the past in order to achieve our Vision.
We have within ourselves the capacity to succeed.
We have to embrace an Integrated Security & Cyber Assurance Framework.
6. e-Governance Promises
• Efficiency of Service connotes
– Speed and timeliness of delivery of Service
– elegance of the user-interface
– quality close to the user expectation
– simplicity of user action required for obtaining the service.
• Citizen-Centric Service involves
– designing of services from user’s point of view rather than agency
– developing all user interfaces in local language(s)
– eliminating scope for ambiguity at the user end
– grouping of services around user’s requirements and behavior patterns
• User-Convenience includes
– easy access to the request-fulfillment cycle
– User independence of time and place (24 x 7 available)
– Single sign-on system
– Single Window access to several services
– Integrated services, meaning access to several agencies through one request
• Cost effectiveness of Service is
– reduced direct cost compared to conventional
– reduced indirect cost involved in repeated visits
– reduced cost to government agency in servicing the request
– saving of user time and the cost and the consequent opportunity cost of user time
– enhanced revenue/benefit to the Govt. agency
• Reliability of the Service means
– High degree of availability – 99.99% through disaster recovery systems and alternative channels
– bug free system that returns no error message
– system that produces accurate results and response.
7. eGovernance
Benefits
• Reduce service time
• Improved customer service through up-to-date, accurate data.
• Business intelligence for fact based decision making
• Increased Government revenue due to reduction in transmission and distribution losses.
Risk Concerns
• Economic Risk
– Huge Investment
– Cost of Technology and Knowledge is high
• Technological Risk
– High obsolescence Rate
– Dependability/Reliability of Technology
– Use of right technology
• Social Risk and User acceptability Risks
– Solutions are citizen and business Centric and touch upon sensitive service oriented issues
– High expectation
• Users
– Whether Government services will be available in a convenient way as promised
• Policy Makers and Administrators
– Whether objectives of eGovernance are being achieved (Transparency, availability of Service, compliance with Govt. Rules, procedures, decisions and Regulations)
• Solution/Service Provider
– That system meets the requirements of RFP.
8. eGovernance - Governance
Quality is differentiator (diagram: Benefits vs. Risks and Concerns)
9. What is required
A Framework to ensure
■ Requirements are specified
■ Specifications are complied
■ Users are satisfied
Context specific Processes should be in Place to achieve
these and can be defined in framework known as Quality
Assurance Framework
10. Quality in eGovernance
The Service Quality can be achieved by ensuring that best practices (as defined in International Standards) are followed while Designing and implementing the processes & Products/Services.
11. Quality and Documentation
A working group (WG-5) on Quality and
Documentation was formed to bring out guidelines
and best practices for Quality and Documentation
12. Quality
Quality Assurance Framework
Framework which provides assurance by defining
processes and services and by demonstrating
conformity with these
13. Basic Principles
Define
– Quality policy, objectives and means of their achievement
Assure Quality
– execute Processes and implement best practices
Generate confidence
– Assess conformity and analyse impact
14. eGovernance Conformity Assessment - Goal
Generating Confidence of Citizen and Business
on
e-Government
By assuring quality of delivered services
15. e GCA - Objective
Generating Confidence of Citizen and Business
on
e-Government
Through conformity assessment to user requirements, regulations and Best Practices by an Independent Third Party
Rather than
Relying solely on the assertion of the developers and solution providers
16. e-Governance Evolution
Maturity of e-Governance over Time: Information → Interaction → Transaction → Integration
19. Quality Assurance Framework for e-Governance
– I Phase eGov (Information & Interaction): ISO 9001-2008; ISO 9126, ISO 14598 → Quality Certified eGov Products
– II Phase eGov (Transaction): ISO 27001, Q-Web, ISO 15408 → Secure Citizen
– III Phase eGov (Transformation): ITIL, BS15000 → Assured Citizen
20. Confidence in e-Government
Assured Services: Quality of Service to Citizen & Business
• Infrastructure Conformance – Network, Datacentre, CSC
• Engineering – Website, S/W Quality, IT Service Mgmt.; Conformance to standards & best practices
• Security of Information System
• IT Service Levels
• Legal & Ethical issues
21. e-Governance Components which needs assurance
Infrastructure
• Network(SWAN&NICNET)
• Data Centre
• Common Service Centre
Quality components
• Information Security Assessments
• Application Software Testing
(Quality & Security)
• IT Services – Quality Evaluation
(Service Levels)
• Web-Site
(Security, Quality, Ethical & Legal Issues)
• Compliance with technical standards
• IT Infrastructure
(Hardware & Software)
• Non-IT Infrastructure
(Compliance to requirements)
• Compliance with regulatory requirements
(RTI Act, IT Act, DOPT Rules and other applicable Govt. and State Govt. Acts and Rules)
22. Documentation (WG-5)
Documentation standards
Particularly important - documents are the tangible manifestation
of the software.
Documentation process standards
– Concerned with how documents should be developed, validated
and maintained.
Document standards
– Concerned with document contents, structure, and appearance.
Document interchange standards
– Concerned with the compatibility of electronic documents.
23. Agenda
Develop Procedure for Standards Formulation
Provide guidelines on Best Practices wherever
required ( e.g. RFP, SLA etc.)
Develop framework for Quality Assurance
Develop framework for Conformity Assessment
Develop Standards for documentation.
24. eSecurity Technologies
Cryptography & Cryptology
Steganography
Digital water marking
Digital Rights Management
Cyber Defence technologies (Firewall, IDS/IPS,
Perimeter and Self-Defence )
Access Control & ID Management (Rule, Role, Demand Based)
Signatures (Digital/Electronic)
Cyber Forensics & Cyber Audit
26. Threats, Safeguards and Impacts
[Diagram: threats surrounding the Information System (IS), the safeguards around it, and the resulting business impacts]
Threats: Accidental Damage, Data Diddling, Interception, Social Engineering Attack, Scavenging, Virus Attack, Trojan Horses, Natural Disaster, Hardware/Software Failure, Unauthorised Access, Fraud & Theft, Incomplete Program Changes
Safeguards: Authorisation, Passwords, Program Change Documentation, Audit Trails, Input Validations, Backups, Anti-Virus, Encryption, Hardware Maintenance, Security Guards, Business Continuity Plan
Impacts: Embarrassment, Loss of Credibility, Financial Loss, Loss of Customers, Losing to Competition
27. e-Security & eAudit
Objectives and Certification Framework
Control Attributes (Control Theory / COBIT) with the corresponding Indian IT Act reference:
– Effectiveness: IT Act 2(1)(zd)(c)
– Efficiency
– Confidentiality: IT Act 2(1)(zd)(a)
– Integrity: IT Act 2(1)(zd)(b)
– Availability
– Compliance: IT Act 2(1)(zd)(d)
– Reliability of information
29. Standards, Standards, Standards
Technical Vs Management
– Technical Standards: Specifications, mainly for interoperability, accessibility and interactivity
– Management standards: Auditable & Verifiable; Certification & Compliance
Standards areas: Security; Audit; Interoperability; Interface (systems/devices/communications); Architecture/Building Blocks/reusable; HCI (Human Computer Interface); Process (Quality & Work); Environmental (Physical, Safety, Security); Data Interchange & mail messaging (Information/Data Exchange); Layout/Imprint
30. Cyber Assurance & IT Governance -
Final Message
“In Governance matters Past is no guarantee;
Present is imperfect and Future is uncertain“
“Failure is not when we fall down, but when we fail to get up”
31. FOR FURTHER INFORMATION PLEASE CONTACT:
E-MAIL: ksdir@nic.in, ksmanian@ignou.ac.in
91-11-23219857
Fax: 91-11-23217004
Office of the CAG, 10, B.Z. Marg, New Delhi-110002