Building a Successful and Demonstrable Information Technology Risk Management Programme (IT-RMP) through Standards

Madaswamy Moni
Deputy Director General
National Informatics Centre
Government of India
New Delhi
e-Mail: moni@nic.in

Abstract

The emergence of the Internet and the ubiquitous powerful PC System together create tremendous opportunity for a new generation of large enterprise applications, which can reach millions of individual and corporate users through Rich Internet Applications (RIAs). Information is a business commodity, which should be protected and controlled. The growing importance of Information & Communication Technology (ICT) has made privacy and information security critical issues. Web-based attacks have become commonplace.

The Union Cabinet has approved the National e-Governance Programme (NeGP) with an estimated cost of Rs. 23,000 Crores on 18th May 2006, and all measures are underway to accelerate the pace of implementation of its various components. The bottom line is to usher in "best practices, global solutions and integrated services" for reaching the Unreached, through the e-Governance/e-Government Programme. Application security, and insecurity, is a rapidly evolving area. As ICT plays an increasingly pivotal role in achieving developmental project objectives, a better understanding of how to assess, mitigate and manage information systems risks, including security risks, is expected to contribute to better project design and outcomes.

In order to achieve sectoral productivity as well as service delivery with profound ROI for the National e-Governance Programme (NeGP), it is essential to nurture information security research and training facilitating Manpower Development, both Capacity Building and Capability Building, for the e-Government Sector. This Paper discusses various steps towards building up such a programme for the National e-Governance Programme (NeGP) so as to achieve a "proactive security development process by design, coding, testing and documentation". This measure will go a long way in building a successful and demonstrable IT Risk Management Programme in the Country.

* Invited Paper to be presented at the National Seminar on e-Security Education through e-learning, e-learn'2007, organised by CDAC (NOIDA), 14 December 2007. Views are personal.
1. Problems & Challenges

1.0 The emergence of the Internet and the ubiquitous powerful PC System together has created tremendous opportunity for a new generation of large enterprise applications, which can reach millions of individual and corporate users through Rich Internet Applications (RIAs). Recent developments in technology are leading to a speedy convergence between marketing and technology in respect of two main characteristics: Rich[1] and Reach[2]. Using technologies based on the principle of RIAs, designers can bridge the one shortcoming of online applications: what to do when the Internet isn't available. But the overall trend of RIA and Web applications puts increased pressure on the industry to start changing and recognizing this emerging trend (Sandeep Mehrotra, 2007)[3].

1.1 In order to achieve goals and objectives, Government organisations frequently have to develop application solutions or customize commercial off-the-shelf software packages. These range from complex back-office database applications, CRMs and Asset Management Systems to customer-facing fat and thin applications. Web Technology based Applications offer anything from a simple brochure request to a full e-business implementation. Increasingly, these systems are exposed to larger and less trusted user-bases, from extranet business partners to the general public at large. Not only are they providing access to key assets and data, in many cases they are the business critical assets.

[1] Rich is the ability to incorporate client side interactivity and intuitive UIs.
[2] Reach is the ability to make an application available to almost anyone, anywhere, anytime.
[3] Sandeep Mehrotra (2007): "Rich Internet Applications to Boost Enterprises", CXOtoday.com, dated 4 September 2007. He is currently the Country Sales Manager of Adobe Systems India.

1.2 While bank customers heave a collective sigh of relief, thanks to the advent of convenience banking, banks now find themselves grappling with issues like internet-enabled crimes, identity theft and frauds (Hanil Manghani & Sunil Kumar, 2007)[4] and face increased security threats (Abhinna Shreshtha, 2007)[5]. Web-based attacks have become commonplace. Recently, a hacker blog (http://derangedsecurity.com) claimed that his actions were meant to make people aware of the severe shortcomings that government organizations exhibit as far as security is concerned (Abhinna Shreshtha, 2007)[6]. This is becoming a "wake-up" call to Governments (see Box-A). For quite some time, there has been a growing concern that the ease with which government websites were hacked is a glaring example of fundamental weaknesses in the website infrastructure. Application security, and insecurity, is a rapidly evolving area.

Box-A
- Today's software is vulnerable to attack (Operating Systems, Applications and Utilities), and Custom code can be exploited, taking advantage of known bugs, design flaws, weaknesses in platforms, unsecured communications paths and poor programming techniques;
- Data can be stolen or corrupted;
- Networks can be compromised;
- Web sites can be the gold mine for an organization's profits, or the back door that lets hackers and criminals destroy its business.

1.3 Despite recent dramatic advances in computer security regarding the proliferation of Services and Applications, security threats are still major impediments in the deployment of these services. Enterprise and Information Security has become an important concern for the banking and financial institutions in the country. Stakeholders of enterprise and information security are Compliance Managers, Lawyers, Security Experts, Risk Managers, CIOs, CTOs, and Software Vendors. "Password Security" has become a critical issue, and "enterprise single-sign-on" across a mixed environment is going to be a key trend in the future.

[4] Hanil Manghani & Sunil Kumar (2007): "Bank Security: A Pandora's Box?" in CXOtoday.com, Mumbai, 23 June 2006.
[5] Abhinna Shreshtha (2007): in CXOtoday, Mumbai, Aug 20, 2007 (www.cxotoday.com).
[6] Abhinna Shreshtha (2007): Government Organizations' Security at Stake, in CXOtoday.com, Mumbai, 3 September 2007.
1.4 With increasing dependence on data, the protection platforms have transformed from Pure Data Storage to Information Life Management (ILM) – the strategy of matching storage policies, processes and technologies with the value assigned to the information. Data needs to be identified, prioritized, replicated, securely transported, stored and made readily available. There is a development paradox of Cyber Security: the promotion of ICT for Development (ICT4D) comes with a warning of the very real dangers it brings. While the use of technology accelerates the pace of development, it is true that not much attention has been given to mitigating the project risks, operational risks and reputation risks associated with the deployment of ICT. This limits the impact of such projects while putting at risk a ministry's or a country's reputation, as well as weakening the security of networks globally (source: http://www.worldbank.org/edevelopment).

1.5 As Distributed Computing is going to take an important role in business automation throughout India, the Software used must be secured enough to provide a reliable business automation and networking environment. In the case of software or service providers, it is therefore vital that the security regime applied to the IT infrastructure is matched, and indeed exceeded, by that applied to the applications themselves. Secure development is the term largely associated with the process of producing reliable, stable, bug and vulnerability free software. With more and more vital information stored on computers, security professionals need to know how to combat threats and complications. Offering strategies to tackle these issues, Yang Xiao (2007)[7] provides essential security information for researchers, practitioners, educators, and graduate students in the field. Paying serious attention to these issues, Security in Distributed, Grid, Mobile and Pervasive Computing focuses on the increasing demand to guarantee privacy, integrity, and availability of resources in networks and distributed systems.

1.6 It is important to understand the risk that the application presents. In the standard risk equation, Risk = Threat x Vulnerability x Cost [i.e. "risk being a product of the likelihood of a successful attack together with the frequency of such attacks and the associated cost to recover from it"] (Glyn Geoghegan, 2004)[8]. A Secure Development Programme should be integrated with all phases of the organization's Software Development Life Cycle (SDLC). IBM reported that the cost to fix an error found after product release was 4 to 5 times as much as one uncovered during design, and up to 100 times more than one identified in the maintenance phase. Abraham Maslow, the author of the groundbreaking work "Hierarchy of Needs" (1954), said: "When the only tool you own is a hammer, every problem begins to resemble a nail."

1.7 Different individuals have knowledge on different systems, and, as a result, the quality of support across systems will vary. This System Knowledge is not documented in many organisations so as to usher in profound ROI. Many organisations are still in the lower stages of Data IM, as they struggle with better ways to develop more streamlined and systematic ways to manage their data assets. With today's increasing competition, along with government mandates, it's not too soon to make the move up the continuum. It is witnessed that an organization with an IT or Data Management Staff consumed with administration issues viz., performing fixes, patches, or various unplanned activities on a daily or weekly basis, is not in a position to effectively compete in today's data-driven marketplace. By contrast, a well-managed organization that attains a "peak performance state" of Data Infrastructure Management (Data IM) is able to devote its full attention and resources to high-value activities. According to John Bostick, while many organisations remain mired in reactive and idiosyncratic practices, high performers rely on disciplined, proactive and predictive approaches to Data Infrastructure Management (Data IM)[9].

[7] Yang Xiao (2007): Security in Distributed, Grid, Mobile, and Pervasive Computing, Auerbach Publications. The Author is with the University of Alabama, Tuscaloosa, USA.
[8] Glyn Geoghegan (2004): A Corsaire White Paper: Secure Development Framework, http://www.corsaire.com (research.corsaire.com/whitepapers/040220-secure-development.pdf), 05 April 2004.
[9] John Bostick: "Ascending the Data Infrastructure Hierarchy - The Five Stages of Data Infrastructure Management Maturity", http://www.infosectoday.com/Articles/DIH.htm (2).

1.8 Information is a business commodity, which should be protected and controlled. A series of Access-Related Controls (ALCs) are to be developed and implemented by management, ranging from policies, guidelines, and processes to actual safeguards that control access to information and data. 'Protecting Data' is 'Protecting Business'.

2. Information Technology Security Compliance: On WHAT SCALE?

2.0 Information and the supporting processes, systems, and networks are important business assets. Defining, achieving, maintaining, and improving information security are essential to maintain competitive edge, cash flow, profitability, legal compliance, and commercial image. The growing importance of Information Technology has made privacy and information security critical issues, leading to the passage of major regulations, such as the Sarbanes-Oxley Act (SOX)[10] 2002, HIPAA[11], the Gramm-Leach-Bliley Act[12], FISMA[13], and California's SB 1386[14] in the United States of America (USA). The FISMA Act (2002) of the USA imposes a mandatory set of processes that must be followed for all information systems used or operated, and is meant to bolster computer and network security within the Federal Government and affiliated parties (such as government contractors) by mandating yearly audits.

2.1 India's Information Technology Act 2000 (IT Act 2000)[15] provides legal sanctity to the use of digital signatures. In addition to this, India adopted ISO/IEC 17799:2005 as well as ISO/IEC 27001:2005 "Information Technology – Security Techniques – Information Security Management Systems" as its national standards, recognized as IS/ISO/IEC 17799:2005 and IS/ISO/IEC 27001:2005. The IS/ISO/IEC 27001:2005 Standard provides a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an Information Security Management System (ISMS), and adopts the 'Plan-Do-Check-Act' (PDCA) model to structure all ISMS processes. The adoption of the PDCA Model will also reflect the principles as set out in the OECD Guidelines (2002)[16]. IS/ISO/IEC 17799:2005 describes the "Code of practice for information security management". This code of practice is a starting point for developing organisation specific guidelines. If required, additional controls and guidelines may be specified to suit country specific requirements.

[10] The Sarbanes-Oxley Act of 2002 (Pub. L. No. 107-204, 116 Stat. 745), also known as the Public Company Accounting Reform and Investor Protection Act of 2002 and commonly called SOX or Sarbox, is a United States federal law signed into law on July 30, 2002 in response to a number of major corporate and accounting scandals including those affecting Enron, Tyco International, Peregrine Systems and WorldCom. These scandals resulted in a decline of public trust in accounting and reporting practices.
[11] The Health Insurance Portability and Accountability Act (HIPAA) was enacted by the U.S. Congress in 1996, and requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers.
[12] The Gramm-Leach-Bliley Act, also known as the Gramm-Leach-Bliley Financial Services Modernization Act, Pub. L. No. 106-102, 113 Stat. 1338 (November 12, 1999), is an Act of the United States Congress which repealed the Glass-Steagall Act, opening up competition among banks, securities companies and insurance companies.
[13] The Federal Information Security Management Act of 2002 (FISMA) is a United States federal law enacted in 2002 as Title III of the E-Government Act of 2002 (Pub.L. 107-347, 116 Stat. 2899), and is meant to bolster computer and network security within the Federal Government and affiliated parties (such as government contractors) by mandating yearly audits.
[14] The California Security Breach Information Act (SB-1386), which is in effect from 1st July 2003, is a California State law in the USA requiring organizations that maintain personal information about individuals to inform those individuals if the security of their information is compromised, and has been created to help stem the increasing incidence of identity theft.
[15] The MCA21 project, which is the e-governance programme of the Union Ministry of Corporate Affairs (MCA), has made e-filings using Digital Signatures mandatory for all the Companies who have registered with the Registrar of Companies.

2.2 The NASSCOM and eValueserve Joint Survey (2004)[17] reports that Indian IT and ITeS Organisations have adopted best practices in data security, protection and confidentiality, comparable to global companies. Service Level Agreements (SLAs) have strict confidentiality and Service Clauses built into them at the "network and data" level. Indian organisations are, in many cases, ahead of their western Counterparts in their Information Security Management (ISM), although some smaller organisations still need to catch up. NASSCOM has been recommending that Organisations hire certified security professionals to take care of security issues and leverage their knowledge and expertise. According to Suzanne Dickson, yet, only a small fraction of organizations, worldwide, are able to demonstrate IT security compliance, why?[18]

2.3 Organizations that have not started a formally implemented Information Security Management System (ISMS) should use ISO/IEC 27001: 2005 and the family of standards as a guideline to implement such a system. Those organizations that are conscientious about their reputation with stakeholders or need a differentiation among their competitors need to consider third-party certification of their ISMS. The Indian Computer Emergency Response Team (CERT-In) of the Central Department of Information Technology has published its "Information Security Policy for Protection of Critical Information Infrastructure" (No. CERT-In/NISAP/01, issued on 1st May 2006) Document. Measures to ensure that such things don't happen in the future start right from having a clear-cut organizational security policy (CXOtoday.com, 3 September 2007).

[16] OECD Guidelines for the Security of Information Systems and Networks – Towards a Culture of Society, Paris: OECD, July 2002. http://www.oecd.org
[17] ITeS and BPO Strategy Summit 2004 Report
[18] Suzanne Dickson on "Creating a Culture of Compliance: The Responsibility of Every Member of an Organization" (http://www.infosectoday.com).
3. Trustworthy Computing (TwC): .NET Framework vs. Sun's J2EE

3.0 Trustworthy Computing (TwC) has been applied to computing systems that are inherently secure, available and reliable. Microsoft adopted TwC in 2002, to improve public trust through a "by design" view of security in its software, and advocated Digital Rights Management (DRM) to achieve TwC. However, the Free Software Foundation preferred the term Digital Restrictions Management to Digital Rights Management (DRM), and the use of Digital Rights Management has therefore been controversial. Trustworthy computing is not a new concept. The 1960s saw an increasing dependence on computing systems by the military, the space program, financial institutions and public safety organizations. The computing industry in the USA began to identify deficiencies in existing systems and focus on areas that would address public concerns about reliance on automated systems. In 1967, Allen-Babcock Computing identified four areas of trustworthiness:
- An ironclad operating system [reliability]
- Use of trustworthy personnel [business integrity]
- Effective access control [security]
- User requested optional privacy [privacy]

3.1 TwC is based on these four principles. Improved Software Testing methods have been recommended to guarantee a high level of reliability on initial Software release, and programmer certification as a means to guarantee the quality and integrity of software. The Computer Industry has been generally supportive of Microsoft's efforts to improve the reliability and security of its software through the Digital Rights Management (DRM) and Trustworthy Computing (TwC) initiatives. But the Open-source community has felt that a trustworthy computing (TwC) implementation would require authenticating programs as well as content, and such a system could be used to hinder the progress of non-Microsoft software and operating systems (wikipedia)[19].

3.2 The Competing application platforms, Microsoft's .NET Framework and Sun's Java 2 Enterprise Edition (J2EE), offer similar architecture and capabilities. However, they are completely different in their underlying implementations (www.directionsonmicrosoft.com). The .NET Framework contains new and innovative ideas considering software security issues and an easy-to-use toolset to build highly customized and secure distributed business applications. The .Net Framework relieves developers from writing huge lines of code and making complicated security decisions (Mohammad Alam, 2004)[20]. The .NET Framework uses Microsoft WSE (Web Services Enhancements) 2.0, whereas Sun's J2EE uses JWSDP (Java Web Services Developer Pack) 1.5, both of which support the OASIS WSS 1.0 standard, to enable security for Web services, specifically through message integrity, message confidentiality, and single message authentication (WS-Security).

[19] (Source: http://en.wikipedia.org/wiki/Trustworthy_Computing)
[20] Mohammad Ashraful Alam (2004): "Software Security in Bangladesh with .NET Framework: A Roadmap," itcc, p. 438, International Conference on Information Technology: Coding and Computing (ITCC'04), Volume 2, 2004.

3.3 The Open Information System Security Group (OISSG) has announced its flagship project "Information Systems Security Assessment Framework (ISSAF)"[21], to develop an end-to-end framework for security assessment. This ISSAF is an evolving framework. StillSecure has unveiled its Open-Source Development Framework (Cobia) that reflects the strategy for the convergence of security and networking (http://www.crn.com/security).

3.4 As increasing numbers of enterprises use a mixture of both Java and .NET technologies, interoperability between these competing platforms becomes an imperative, not an option. Depending on those reasons, and the requirements of the application, one might choose a Service-Oriented Architecture (SOA) integration, in which Java capabilities are exposed to .NET as a set of web services, or a class-level integration, in which Java classes participate in the cross-language development framework in the same way as other .NET languages. The JNBridgePro class-level bridging solution provides the best combination of portability, evolvability, performance, conformance to standards, and smooth interoperability (www.jnbridge.com)[22]. "Computers do not solve problems and they execute solutions"[23].

[21] OISSG is a not-for-profit organization, with its vision to spread information security awareness by hosting an environment where security enthusiasts from all over the globe share and build knowledge (http://www.oissg.org).
[22] www.jnbridge.com: "Java .NET Interoperability: A Detailed Comparison of Options".
[23] (a random quote from http://www.oissg.org).
4. e-Governance / e-Government Programme: An Appraisal

4.0 In e-Governance/e-Government, "electronic" means to support and stimulate good governance, which is expected to mature in four phases (Gartner Report, 2000), as given below:

Box-B
- Information: Presence: Web sites
- Interaction: Intake processes: e-mail, search engines, download forms and documents
- Transaction: Complete transactions: Network and Information Security
- Transformation: Integration and Change: Virtual counter

4.1 The Gartner Model does not imply that all institutions have to go through all the phases, and all at the same time. Most of the governments start by delivering on-line information, but public demand and internal efficiency soon require more complex services. The five main target groups that can be distinguished in e-governance/e-Government concepts are Government (G), Citizens (C), Business (B), Employees (E) and bilateral/multilateral Institutions (X). A good approach towards implementation of e-governance is to combine short-term projects and long-term goals. In this regard, I wish to quote the DISNIC Programme of NIC, which envisaged development of information systems in 28 sectors and initiated an "information system revolution" in districts during the later part of the 1980s with the establishment of a NICNET node in every district of the country (Moni and Vijayaditya, 1990)[24].

4.2 Each State Government now has its own model for implementing e-governance initiatives / programmes, but the basket of services (NEMMADI Kendras of Karnataka, e-SEVA of Andhra Pradesh, KAMADHENU of Rajasthan, e-JAN SAMPARK of Chandigarh, SUVIDHA of Punjab, RASI MAIYAMS of Tamilnadu, INFOGRAM of Goa, FRIENDS of Kerala, GYAN DARSHAN of Gujarat, LOKVANI of Uttar Pradesh, JAN MITRA of Himachal Pradesh, JAIKISAN of Uttrakhand, e-Gram Suvidha of Madhya Pradesh, e-SUVIDHA of CICs in North Eastern States, NAIDISHA of Haryana, SUCHNA MITRA Kendra of Chhattisgarh, etc.) remains more or less identical across states. The GISTNIC Programme of NIC initiated during the 1980s got drowned in this process. According to Joya Chakraborty, when a centralized model is developed, be it for Community Information Centres (CICs), Common Services Centres (CSCs) or any other ICT4D initiative, the regional/cultural aspects go missing (Source: solutionexchange-un.net.in).

4.3 Various Study Reports corroborate that the current state of various government departments, in terms of usage of ICT, is not in a "holistic manner" so as to achieve a profound impact on ROI [in terms of people, process and knowledge]. Government Departments both in the States and the Central Government are yet to announce their "Informatics Policy" for productivity increase in their subject domain. The subject domain is classified as Central list, State list, Concurrent list and Local body list. Their workflow process is being defined through the "business of allocation". The ICT Policy of many governments is more or less related to ICT industries.

[24] Moni, M & Vijayaditya, N (1990): "DISNIC: A NICNET Based District Government Informatics Programme in India", Indian Computing Congress, Hyderabad (India), December 1990.

4.4 e-Governance Roadmaps of many Government Departments, as of now, do not reflect the "pyramid upside down". G2G, G2B, G2C components of the e-Governance Framework require an "institutional approach", i.e. a training, extension, development, education and research approach. It requires moving beyond the "technology" component. Mainly ICT Infrastructure is being used for email, word processing, and in some cases process based applications (File tracking, scheme monitoring, public grievances monitoring, etc). Content Generation, Workflow applications, Decision Support Systems, Data Analysis, Framework based Web Services etc., have taken a back seat. John Roberts (2001)[25] estimated that only 10 per cent of government bodies around the world would be able to move towards e-governance by 2005 and India was absent from the picture due to its poor infrastructure, and its slow response to the cyber culture. Now, we witness SWANs and State Data Centres (SDCs) in every State, in addition to NICNET establishments.
5. National e-Governance Programme (NeGP) of India

5.0 The Union Cabinet has approved the National e-Governance Programme (NeGP) with an estimated cost of Rs. 23,000 Crores on 18th May 2006, and all measures are underway to accelerate the pace of implementation of its various components. The perceptible need to institutionalize the task of codifying standards and processes for ensuring interoperability of applications and solutions, for rapid development and deployment across the country, is also being addressed. Towards this, the Central Department of Information Technology (DIT) has set up e-Governance Working Groups (eGWGs) in the areas of:
(a) Technology Standards and e-Governance Architecture,
(b) Localization and Language Technology Standards,
(c) Total Quality Management and Documentation,
(d) Meta-Data and Data Standards of Application Domains,
(e) Network Security and Information Security,
(f) Legal Enablement of ICT Systems, and
(g) Government Process Re-engineering (GPR).
to formulate, adapt and adopt Standards and also formulate Guidelines for their implementation to provide a profound ROI impact. Domain Specific Working Groups are also being established to work out "Metadata and Data Standards" and "Digital Library Science" concepts to utilize Internet resources in an organised and contextual manner. The bottom line is to usher in "best practices, global solutions and integrated services" for reaching the Unreached, through the e-Governance/e-Government Programme.

[25] John Roberts, Vice President and Director (Gartner Research), in Gartner Summit on Information Technology, New Delhi, August 2001.
6. e-Governance / e-Government Solutions based on Standards

6.0 Standards are regulated definitions of data formats or processes, and are created and maintained by industry groups, governments, and organizations. There are three basic categories of standards viz.: De Jure Standards, De Facto Standards, and Mandated Standards (Box-B).

Box - B
- De Jure Standards are those formats and processes directly developed and overseen by industry standards groups;
- De Facto Standards work in reverse: their standardization is driven by market adoption. They emerge when a particular format or process becomes overwhelmingly prevalent. De Facto standards can be developed by anyone, and are often the result of widespread adoption of commercial specifications;
- Mandated Standards are formats and processes that are specifically required and controlled by governments or corporations. Adherence to a mandated standard may be a prerequisite for interacting with a particular corporation or government.

Any of these three types of standards can also be an Open Standard, which means that some sort of Committee controls the nature of the standard and that the specification is publicly available.
7. Information Technology Risk Management Programme (IT-RMP): Role of NIC

7.0 The National Informatics Centre (NIC) has been entrusted with the responsibility of formulating e-Governance Standards through these e-Governance Working Groups, in view of its expertise in government computerization for about three decades. The e-Governance Working Group on "Network and Information Security" has published the following documents for public scrutiny on the website http://egovstandards.gov.in :-
- Draft Document "e-Governance Information Security Standard" (Version 01 dated 12th October 2006)[26] has proposed additional security controls for e-Governance purposes viz., Data security and privacy protection, Network security, and Application security;
- Draft Document "Base line security requirements & Selection of controls" (Version 01, 12th October 2006).

[26] see http://egovstandards.gov.in

7.1 The Industry and Government stakeholders of the e-Governance Programme have welcomed the strategy adopted by NIC for Working Group Meetings through Brainstorming Sessions and State Level Workshops. Many technical papers, advisory notes, and suggestions have been published on the (http://egovstandards.gov.in) Portal for peer review. In this process, areas which will have a greater impact on the accelerated development and deployment of ICT systems, as given below, have been identified for discussion and formulation of policy guidelines, through National Summits.

Box-C
- e-Form
- Identity and Access Management (IAM)
- Network Security – Client level security
- Information Security – Lock or Lose
- Automatic Identification Technologies (Bio-metric, Smartcard, Barcode, RFID etc)
- e-Mail Services & Architecture
- Web Services & Architecture
- Applications Development Strategy
- Digital Preservation & Life Cycle Management
- Language Computing
- e-Office (e-Form, e-Document, Web services, Workflow systems)
- Intranet Solution
- Online Auditing

7.2 Technology becomes successful only when it is made affordable and available at grassroots level for the Citizens to benefit from e-governance / e-Government applications. Appropriate policy guidelines to use "appropriate technology" and "technology appropriately" become necessary. Under the e-Governance standards initiative, efforts have been undertaken to formulate such policy guidelines in the identified areas (Box: C). Let me detail the efforts undertaken in areas such as e-Form and Identity and Access Management (IAM) in the following sections.
I% ="en Standards based e-8orm Technology !do"tion<
! e-2o+ernance standards initiati+e to bridge the
:"a"er-digital; di+ide
8.0 An e-Form is an electronic form which enhances and simplifies data capturing with inbuilt data validation, data calculations, electronic signatures, and database integration. It has been realized that the use of e-Form technology can accelerate the e-Governance initiative, if it is used effectively. It can cut down the Application Development Time (ADT) and help the citizen in the electronic preparation and filing of information for various government services. Identity and Access Management (IAM) issues become more important when using e-Forms.
8.1 As the Deputy Director General (e-Governance Standards) in NIC, I felt the need for "Policy Guidelines" for the implementation of e-Form Technology in the e-Governance Programme. I conducted a National Summit on e-Forms Technology in June 2006, which was attended by many vendors and e-Governance Programme Administrators. The IT Secretary of the Union Government gave the keynote Address. As a follow up of this Summit, a National Task Force was set up to work out "Policy Guidelines on the use of e-Form Technology", under the Chairmanship of Dr. S. C. Gupta, Senior Technical Director, NIC. The Report of the Committee is expected.
9. Identity and Access Management: An e-Governance standards initiative to make e-Government Programs and their services a reality
9.0 This is a "participation age" where people (customers, citizens, government, traders, employees etc) interact with each other on-line as never before. This is the result of advances in Internet technology, global availability of networked communications, and an explosion of access devices. This requires ubiquitous access. Participation requires trust, which requires identity. Identity Management is a key enabler of the Participation age. Use of Internet technology and access mechanisms (i.e. the Internet as well as Intranets) as a primary medium for official transactions has brought in a new set of concerns viz., security, privacy and management. Deploying an Identity and Access Management (IAM) solution entails a complex set of challenges to balance: the need for security and privacy, demand for online services, and issuance and management of digital identities, to make e-Government Programs and their services a reality. This requires, among others, an integrated framework of laws, policies, operational best practices and guidelines, technology, and institutionalization.
9.1 Many e-Governance initiatives are done in isolation. In the absence of any standards the integration of e-Governance applications becomes difficult. Most of the e-Governance applications build their own mechanism for Identity and Access Management (IAM), resulting in identity silos, duplicate efforts and a disjointed collection of service points. These applications are seldom interoperable even though many have similar features and functionalities. High expectations of the citizens / customers for improved services and the requirement of government and private organizations to be efficient have resulted in the proliferation of online services. Highly sophisticated information technology based solutions and telecommunication-networked environments have made it possible for organizations to provide the user the fastest and easiest means to avail the services online. Organizations want to deliver the online services securely without any risk of unauthorized access to their resources. As transactions are carried out invisibly, there is a need to know who is at the other end of the transaction. On the other hand, the user requires an organization to protect the integrity and confidentiality of their identity information and ensure the safety of their transaction. In these circumstances, identity has become a key asset to organizations.
9.2 An integrated and comprehensive Identity and Access Management (IAM) approach can address all the identity related issues of the organizations as well as users. Identities need to be managed to facilitate the right access to the right resources. Identity and Access Management (IAM) provides a consistent, efficient and secure method to manage identities both internally and externally. The use of the IAM system is expected to provide the following benefits:
a. Elimination or significant reduction in storing duplicate identities
b. Single and comprehensive view of an identity
c. Interoperability of applications by enforcement of data standardization through IAM
d. Single Sign On Facility to the Users
e. More Secure Access
f. Reduction in the risk of unauthorized access to and modification or destruction of government information assets
g. Control, enforce and monitor access to resources through auditing
h. Improved user participation
i. Improved performance
j. Improved service delivery to citizens
k. Improved regulatory capabilities
l. Improved availability
9.3 The Country has witnessed some related cases from the "outsourced job" companies in India. It can be made secure through encryption and be authenticated using digital certificates. It will become very difficult to issue digital signatures to all possible users of G2C. But the NeGP may facilitate the issue of "digital signatures" to approved Notaries (e-Notary) at Tehsil / Taluka and other intermediaries with appropriate authority so as to facilitate those who do not have digital signatures, especially for G2C domain applications.
9.4 In this regard, I wish to mention that there is a need for a national policy on "Identity Access and Management (IAM)" for the NeGP Programme. To facilitate this, I conducted a national summit on "Identity Access and Management (IAM)" during 2006 and, as a follow up, a National Task Force was set up under the Chairmanship of Professor Syed Ismail Ahson, Department of Computer Science, Jamia Milia Islamia (A Central University). This Task Force, after having a lot of deliberations with all relevant stakeholders, has submitted its report to the e-Governance Standards Division of NIC. This IAM Policy will take care of "privacy and security" issues. Details are available at the website http://egovstandards.gov.in. The formulation of e-Governance standards guidelines will promote a uniform, consistent and coherent approach, which in turn will help in building interoperable applications to deliver integrated services to citizens.
10. Information Security Research & Training (ISRT): Need of the Hour
10.0 As the Internet grows in importance (e.g. in the e-Government Sector), applications viz., G2G, G2B and G2C, are becoming highly interconnected. Over the last few years, the Internet has become much more hostile and new threats are emerging. Threats change, and so should we. There is no replacement for good coding skills, and tools can help leverage the process. The impetus for the Windows Security Push was Bill Gates' "Trustworthy Computing" memo of January 15, 2002, which outlines a high-level strategy to deliver a new breed of computer systems, systems that are more secure and available.
10.1 The consequences of compromised systems are many and varied, including loss of production, loss of consumer faith and loss of money. Protecting property from theft and attack has been a time-proven practice. It is known that software always has vulnerabilities, regardless of how much time and effort one spends trying to develop secure software, simply because one cannot predict future security research. Secure Software is a subset of quality software and reliable software (Michael and David, 2003)27. How, then, is one to overcome "the Attacker's Advantage and the Defender's Dilemma" syndrome? It requires all of us to undertake a "proactive Security development process" by design, coding, testing, and documentation.
10.2 The main objective of this Workshop is Manpower Development and Training in the area of Software Security. This Workshop envisages having technical discussions in the areas of, but not limited to:
Identity Management and Access Control
E-Governance
Secure Requirement Engineering
Database and Application Security and Integrity
Intrusion Detection and Avoidance
Security Verification
E-Security
Secure Web Services
Fault Tolerance and Recovery Methods for Security Infrastructure
Threats, Vulnerabilities and Risk Management
IT Security Standards
Secure Object Oriented Software Designing
Security Tools for Requirement and Design phase
Secure Software Development Framework
Risk Analysis
Security Policies
Cryptography, PKI and Digital Certificates
27 Michael Howard and David LeBlanc (2003): "Writing Secure Code", Microsoft, 2nd Edition, WP Publishers & Distributors (P) Limited, Bangalore (India), 2003.
10.3 In order to implement the National e-Governance Programme (NeGP) for sectoral productivity as well as service delivery with profound ROI, it is essential to nurture information security research and training, in consortium mode, involving IISc, IITs, IIMs, NITs and about 1500 Computer Science Departments (State Universities, Central Universities, Deemed Universities, Self-financing Colleges, Government-aided Colleges and Government Colleges), in the following areas:-
Encryption technologies;
Integrity, authorization, authentication services, key management, PKI and Digital signatures;
Database security;
Intrusion detection and information hiding;
Security gateway products;
Certification of security products and services.
During the Eleventh Plan period (2007-12), NIC has proposed to establish a "Centre of Excellence in Information Security Research & Training (CE-ISRT)"28. This Centre of Excellence is expected to facilitate Manpower Development, both Capacity Building and Capability Building, with respect to the following categories:
Software Architects and Developers to design and write secure applications;
Test/QA Professionals to ensure that applications meet security requirements;
Systems and Development Managers to ensure that existing applications are protected against attack.
28 Source: NIC's Eleventh Five Year Plan 2007-12 and Annual Plan 2007-08 Document
11. Securing e-Government Services: A Korean Case Study
11.0 Widespread Internet Access is making it possible for governments around the world to move information and services online, providing substantial savings in cost, time, and labour. By letting Citizens interact with the Government from their own computer rather than in person, e-Government enhances quality of services and accessibility. However, economy and convenience must be traded off against security. Online systems are becoming vulnerable to hackers, and the Government has an obligation to prevent the unauthorized disclosure of personal information as well as to prevent forgery and alteration of official documents. Korea Institute of Public Administration (KIPA) (www.kipa.re.kr) is a government-funded research institute that provides policy guidelines for all national-scale IT projects and e-Government initiatives. KIPA has recommended that Government agencies that currently issue or plan to issue documents online implement several technologies, out of which the following are very significant:-
High-density 2D bar codes that can store original documents and thereby prevent their forgery or alteration;
Digital signatures with public-key-infrastructure (PKI) certification to authenticate organisation and documents;
Digital watermarking to protect the official seal of document-issuing organisations;
Applying Screen Capture Prevention Technology to obstruct users from capturing seals, logos, and other official marks from Web sites by copying images; and
Adoption of Print Control and Digital Rights Management (DRM) technologies to secure official document contents during transmission between Servers and Clients.
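The first two KIPA recommendations above work together: the issuing office signs the document with a PKI key, and the signed document is printed as a machine-readable carrier so that a verifying office can check it. The following Go program is an added illustration of that mechanism, written for this page; it is not part of the original paper or of KIPA's material. The Document fields, the office names, the sample dates and the choice of ECDSA P-256 with SHA-256 are assumptions for the example. The bundle is encoded as one printable string of the kind a 2D bar code would carry, and verification rejects any copy whose contents were altered after signing, or which was signed by a key other than the issuer's. In a deployed system the issuer's public key would be bound to the office by a certificate from the Certifying Authority rather than handed to the verifier directly.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Document is a constructed sample record for a certificate issued online.
// Field names and contents are illustrative assumptions, not a real schema.
type Document struct {
	Issuer  string `json:"issuer"`
	Holder  string `json:"holder"`
	Subject string `json:"subject"`
	Issued  string `json:"issued"`
}

// SignedDocument is what the issuing office prints (for example inside a
// high-density 2D bar code): the canonical document bytes plus the issuer's
// signature over their SHA-256 digest.
type SignedDocument struct {
	Payload   []byte `json:"payload"`
	Signature []byte `json:"signature"`
}

// NewIssuerKey creates an issuing office's signing key (assumed ECDSA P-256).
func NewIssuerKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// canonical serialises the document deterministically; encoding/json emits
// struct fields in declaration order, so issuer and verifier hash the same bytes.
func canonical(d Document) ([]byte, error) {
	return json.Marshal(d)
}

// Sign binds the document to the issuer: any later change to the payload
// changes its digest and invalidates the signature.
func Sign(priv *ecdsa.PrivateKey, d Document) (SignedDocument, error) {
	payload, err := canonical(d)
	if err != nil {
		return SignedDocument{}, err
	}
	digest := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return SignedDocument{}, err
	}
	return SignedDocument{Payload: payload, Signature: sig}, nil
}

// Verify checks the signature with the issuer's public key and only then
// parses the payload, so a forged or altered document is rejected before
// its contents are trusted.
func Verify(pub *ecdsa.PublicKey, sd SignedDocument) (Document, error) {
	digest := sha256.Sum256(sd.Payload)
	if !ecdsa.VerifyASN1(pub, digest[:], sd.Signature) {
		return Document{}, errors.New("signature does not match document: forged or altered")
	}
	var d Document
	if err := json.Unmarshal(sd.Payload, &d); err != nil {
		return Document{}, err
	}
	return d, nil
}

// EncodeForBarcode turns the bundle into one printable string, the kind of
// value a 2D bar code on the printed certificate would carry.
func EncodeForBarcode(sd SignedDocument) (string, error) {
	raw, err := json.Marshal(sd)
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(raw), nil
}

// DecodeFromBarcode reverses EncodeForBarcode at the verifying office.
func DecodeFromBarcode(s string) (SignedDocument, error) {
	raw, err := base64.StdEncoding.DecodeString(s)
	if err != nil {
		return SignedDocument{}, err
	}
	var sd SignedDocument
	err = json.Unmarshal(raw, &sd)
	return sd, err
}

func main() {
	priv, err := NewIssuerKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample certificate; names and date are placeholders.
	doc := Document{Issuer: "Sample Tehsil Office", Holder: "A. Citizen", Subject: "Residence certificate", Issued: "2006-01-01"}
	sd, _ := Sign(priv, doc)
	code, _ := EncodeForBarcode(sd)
	scanned, _ := DecodeFromBarcode(code)
	if _, err := Verify(&priv.PublicKey, scanned); err == nil {
		fmt.Println("genuine document: signature verified")
	}
	// An altered copy keeps the original signature but changes the holder.
	forged := scanned
	forged.Payload, _ = canonical(Document{Issuer: doc.Issuer, Holder: "B. Impostor", Subject: doc.Subject, Issued: doc.Issued})
	if _, err := Verify(&priv.PublicKey, forged); err != nil {
		fmt.Println("altered document rejected:", err)
	}
}
```

Signing the canonical bytes rather than a rendered page is what lets the printed certificate be checked later without access to the issuing database; the watermark, screen-capture and DRM measures in the list protect the visual artefacts, while the signature is what makes the contents themselves verifiable.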
11.1 Until secure digital document delivery systems are ubiquitous, the need for government-issued paper certificates will continue. Incorporating technologies that prevent forgery or unauthorized alteration of online documents, thereby enabling users to print out such documents on their own without going to a government office, will go a long way toward improving the value of e-Government services (Jong-Weon Kim, Kyu-Tae Kim and Jong-Uk Choi, 2006)29. Combining existing technologies would let users print out legally valid e-Government documents.
29 Jong-Weon Kim, Kyu-Tae Kim and Jong-Uk Choi (2006): "Securing e-Government Services", published in Web Technologies, November 2006.
12. Building a Successful and Demonstrable Information Technology Risk Management Program
12.0 ICT is becoming increasingly pervasive in development projects, and is often cited as a tool to reduce corruption and improve the efficiency of government services. As a result, e-security is becoming a significant challenge for developing and transition countries, especially those that are ill-prepared to deal with technology risks. This requires a better understanding of how to assess, mitigate and manage information systems risks, including security risks, so as to contribute to better project design and outcomes. I, therefore, strongly recommend, as has already been done for the e-Form and IAM Areas, to have an "Action Plan" for discussion and formulation of policy guidelines, through National Summits in the areas identified in (Box-C), so as to achieve a "proactive security development process by design, coding, testing and documentation". This measure will go a long way in building a successful and demonstrable IT Risk Management Programme in the Country. e-Learning capabilities to meet the emerging e-Security Challenges are to be strengthened.
"All truths are easy to understand once they are discovered. The point is to discover them" – Galileo, the Astronomer
"Doing it the hard way is always easier in the long run" – Murphy's Law