CDAC Software Security Workshop December2007


Building a Successful and Demonstrable Information Technology Risk Management Programme (IT-RMP) through Standards*

Madaswamy Moni, Deputy Director General

National Informatics Centre, Government of India

New Delhi. e-Mail: [email protected]

Abstract

The emergence of the Internet and the ubiquitous powerful PC System together create tremendous opportunity for a new generation of large enterprise applications, which can reach millions of individual and corporate users through Rich Internet Applications (RIAs). Information is a business commodity, which should be protected and controlled. The growing importance of Information & Communication Technology (ICT) has made privacy and information security critical issues. Web-based attacks have become commonplace.

The Union Cabinet approved the National e-Governance Programme (NeGP) at an estimated cost of Rs. 23,000 Crores on 18th May 2006, and all measures are underway to accelerate the pace of implementation of its various components. The bottom line is to usher in “best practices, global solutions and integrated services” for reaching the Unreached, through the e-Governance/e-Government Programme. Application security, and insecurity, is a rapidly evolving area. As ICT plays an increasingly pivotal role in achieving developmental project objectives, a better understanding of how to assess, mitigate and manage information systems risks, including security risks, is expected to contribute to better project design and outcomes.

In order to achieve sectoral productivity as well as service delivery with a profound ROI from the National e-Governance Programme (NeGP), it is essential to nurture information security research and training, facilitating Manpower Development, both Capacity Building and Capability Building, for the e-Government Sector. This Paper discusses various steps towards building up such a programme for the National e-Governance Programme (NeGP) so as to achieve a “proactive security development process by design, coding, testing and documentation”. This measure will go a long way in building a successful and demonstrable IT Risk Management Programme in the Country.

* Invited Paper and to be presented at the National Seminar on e-Security Education through e-learning, e-learn’2007, organised by CDAC (NOIDA), 14 December 2007. Views are personal.

Page 1 of 29


1. Problems & Challenges

1.0 The emergence of the Internet and the ubiquitous powerful PC System together has created tremendous opportunity for a new generation of large enterprise applications, which can reach millions of individual and corporate users through Rich Internet Applications (RIAs). Recent developments in technology are leading to a speedy convergence between marketing and technology in respect of two main characteristics: Rich1 and Reach2. Using technologies based on the principle of RIAs, designers can bridge the one shortcoming of online applications - what to do when the Internet isn't available? But the overall trend of RIA and Web applications puts increased pressure on the industry to start changing and recognizing this emerging trend (Sandeep Mehrotra, 2007)3.

1.1 In order to achieve their goals and objectives, Government organisations frequently have to develop application solutions or customize commercial off-the-shelf software packages. These range from complex back-office database applications, CRMs and Asset Management Systems to customer-facing fat-client and thin-client applications. Web Technology based Applications offer anything from a simple brochure request to a full e-business implementation. Increasingly, these systems are exposed to larger and less trusted user-bases, from extranet business partners to the general public at large. Not only do they provide access to key assets and data; in many cases they are themselves the business-critical assets.

1 Rich is the ability to incorporate client-side interactivity and intuitive UIs.

2 Reach is the ability to make an application available to almost anyone, anywhere, anytime.

3 Sandeep Mehrotra (2007): “Rich Internet Applications to Boost Enterprises”, CXOtoday.com, dated 4 September 2007. He is currently the Country Sales Manager of Adobe Systems India.


1.2 While bank customers heave a collective sigh of relief, thanks to the advent of convenience banking, banks now find themselves grappling with issues like internet-enabled crimes, identity theft and fraud (Hanil Manghani & Sunil Kumar, 2007)4, and face increased security threats (Abhinna Shreshtha, 2007)5. Web-based attacks have become commonplace. Recently, the author of a hacker blog (http://derangedsecurity.com) claimed that his actions were meant to make people aware of the severe shortcomings that government organizations exhibit as far as security is concerned (Abhinna Shreshtha, 2007)6. This is becoming a “wake-up” call to Governments (see Box-A). For quite some time there has been growing concern that the ease with which government websites have been hacked is a glaring example of fundamental weaknesses in website infrastructure. Application security, and insecurity, is a rapidly evolving area.

Box-A

Today's software is vulnerable to attack (Operating Systems, Applications and Utilities), and custom code can be exploited, taking advantage of known bugs, design flaws, weaknesses in platforms, unsecured communications paths and poor programming techniques;

Data can be stolen or corrupted;

Networks can be compromised;

Web sites can be the gold mine of an organization's profits - or the back door that lets hackers and criminals destroy its business.

4 Hanil Manghani & Sunil Kumar (2007): “Bank Security: A Pandora's Box?” in CXOtoday.com, Mumbai, 23 June 2006.

5 Abhinna Shreshtha (2007): in CXOtoday, Mumbai, Aug 20, 2007 (www.cxotoday.com).

6 Abhinna Shreshtha (2007): “Government Organizations' Security at Stake” in CXOtoday.com, Mumbai, 3 September 2007.


1.3 Despite recent dramatic advances in computer security accompanying the proliferation of services and applications, security threats are still major impediments to the deployment of these services. Enterprise and information security has become an important concern for the banking and financial institutions in the country. Stakeholders of enterprise and information security are Compliance Managers, Lawyers, Security Experts, Risk Managers, CIOs, CTOs, and Software Vendors. “Password Security” has become a critical issue, and “enterprise single-sign-on” across a mixed environment is going to be a key trend in the future.

1.4 With increasing dependence on data, the protection platforms have transformed from pure data storage to Information Life Management (ILM) – the strategy of matching storage policies, processes and technologies with the value assigned to the information. Data needs to be identified, prioritized, replicated, securely transported, stored and made readily available. There is a development paradox of Cyber Security: the promotion of ICT for Development (ICT4D) comes with a warning of the very real dangers it brings. While the use of technology accelerates the pace of development, it is true that not much attention has been given to mitigating the project risks, operational risks and reputation risks associated with the deployment of ICT. This limits the impact of such projects while putting at risk a ministry's or a country's reputation, as well as weakening the security of networks globally (source: http://www.worldbank.org/edevelopment).

1.5 As Distributed Computing is going to take an important role in business automation throughout India, the software used must be secure enough to provide a reliable business automation and networking environment. In the case of software or service providers, it is therefore vital that the security regime applied to the IT infrastructure is matched, and indeed exceeded, by that applied to the applications themselves. Secure development is the term largely associated with the process of producing reliable, stable, bug-free and vulnerability-free software. With more and more vital information stored on computers, security professionals need to know how to combat threats and complications. Offering strategies to tackle these issues, Yang Xiao (2007)7 provides essential security information for researchers, practitioners, educators, and graduate students in the field. Paying serious attention to these issues, his book Security in Distributed, Grid, Mobile and Pervasive Computing focuses on the increasing demand to guarantee privacy, integrity, and availability of resources in networks and distributed systems.

1.6 It is important to understand the risk that an application presents. The standard risk equation is Risk = Threat x Vulnerability x Cost, i.e. “risk being a product of the likelihood of a successful attack together with the frequency of such attacks and the associated cost to recover from it” (Glyn Geoghegan, 2004)8. A Secure Development Programme should be integrated with all phases of the organization's Software Development Life Cycle (SDLC). IBM reported that the cost to fix an error found after product release was 4 to 5 times as much as one uncovered during design, and up to 100 times more than one identified in the maintenance phase.

7 Yang Xiao (2007): Security in Distributed, Grid, Mobile, and Pervasive Computing, Auerbach Publications. The Author is with the University of Alabama, Tuscaloosa, USA.

8 Glyn Geoghegan (2004): A Corsaire White Paper: Secure Development Framework, http://www.corsaire.com (research.corsaire.com/whitepapers/040220-secure-development.pdf), 05 April 2004.


Abraham Maslow, the author of the groundbreaking work “Hierarchy of Needs” (1954), said: "When the only tool you own is a hammer, every problem begins to resemble a nail."

1.7 Different individuals have knowledge of different systems, and, as a result, the quality of support across systems will vary. In many organisations this system knowledge is not documented in a way that would usher in a profound ROI. Many organisations are still in the lower stages of Data Infrastructure Management (Data IM), as they struggle to develop more streamlined and systematic ways to manage their data assets. With today's increasing competition, along with government mandates, it is not too soon to make the move up the continuum. It is observed that an organization with an IT or Data Management staff consumed by administration issues, viz. performing fixes, patches, or various unplanned activities on a daily or weekly basis, is not in a position to compete effectively in today's data-driven marketplace. By contrast, a well-managed organization that attains a "peak performance state" of Data IM is able to devote its full attention and resources to high-value activities. According to John Bostick, while many organisations remain mired in reactive and idiosyncratic practices, high performers rely on disciplined, proactive and predictive approaches to Data IM9.

1.8 Information is a business commodity, which should be protected and controlled. A series of Access-Related Controls (ALCs) are to be developed and implemented by management, ranging from policies, guidelines, and processes to actual safeguards that control access to information and data. “Protecting Data” is “Protecting Business”.

9 John Bostick: “Ascending the Data Infrastructure Hierarchy - The Five Stages of Data Infrastructure Management Maturity”, http://www.infosectoday.com/Articles/DIH.htm

2. Information Technology Security Compliance: On WHAT SCALE?

2.0 Information and the supporting processes, systems, and networks are important business assets. Defining, achieving, maintaining, and improving information security are essential to maintain competitive edge, cash flow, profitability, legal compliance, and commercial image. The growing importance of Information Technology has made privacy and information security critical issues, leading to the passage of major regulations, such as the Sarbanes-Oxley Act (SOX)10 of 2002, HIPAA11, the Gramm-Leach-Bliley Act12, FISMA13, and California's SB 138614 in the United States of America (USA). The FISMA Act (2002) of the USA imposes a mandatory set of processes that must be followed for all information systems used or operated, and is meant to bolster computer and network security within the Federal Government and affiliated parties (such as government contractors) by mandating yearly audits.

2.1 India's Information Technology Act 2000 (IT Act 2000)15 provides legal sanctity to the use of digital signatures. In addition to this, India adopted ISO/IEC 17799:2005 as well as ISO/IEC 27001:2005 “Information Technology – Security Techniques – Information Security Management Systems” as its national standards, recognized as IS/ISO/IEC 17799:2005 and IS/ISO/IEC 27001:2005. The IS/ISO/IEC 27001:2005 Standard provides a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an Information Security Management System (ISMS), and adopts the “Plan-Do-Check-Act” (PDCA) model to structure all ISMS processes. The adoption of the PDCA Model will also reflect the principles set out in the OECD Guidelines (2002)16. IS/ISO/IEC 17799:2005 describes a “Code of practice for information security management”. This code of practice is a starting point for developing organisation-specific guidelines. If required, additional controls and guidelines may be specified to suit country-specific requirements.

2.2 The NASSCOM and eValueserve Joint Survey (2004)17 reports that Indian IT and ITeS Organisations have adopted best practices in data security, protection and confidentiality, comparable to global companies. Service Level Agreements (SLAs) have strict confidentiality and Service Clauses built into them at the “network and data” level. Indian organisations are, in many cases, ahead of their western counterparts in their Information Security Management (ISM), although some smaller organisations still need to catch up. NASSCOM has been recommending that Organisations hire certified security professionals to take care of security issues and leverage their knowledge and expertise. Yet, according to Suzanne Dickson, only a small fraction of organizations worldwide are able to demonstrate IT security compliance; why?18

10 The Sarbanes-Oxley Act of 2002 (Pub. L. No. 107-204, 116 Stat. 745), also known as the Public Company Accounting Reform and Investor Protection Act of 2002 and commonly called SOX or Sarbox, is a United States federal law signed into law on July 30, 2002 in response to a number of major corporate and accounting scandals including those affecting Enron, Tyco International, Peregrine Systems and WorldCom. These scandals resulted in a decline of public trust in accounting and reporting practices.

11 The Health Insurance Portability and Accountability Act (HIPAA) was enacted by the U.S. Congress in 1996; it requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers.

12 The Gramm-Leach-Bliley Act, also known as the Gramm-Leach-Bliley Financial Services Modernization Act, Pub. L. No. 106-102, 113 Stat. 1338 (November 12, 1999), is an Act of the United States Congress which repealed the Glass-Steagall Act, opening up competition among banks, securities companies and insurance companies.

13 The Federal Information Security Management Act of 2002 (FISMA) is a United States federal law enacted in 2002 as Title III of the E-Government Act of 2002 (Pub.L. 107-347, 116 Stat. 2899); it is meant to bolster computer and network security within the Federal Government and affiliated parties (such as government contractors) by mandating yearly audits.

14 The California Security Breach Information Act (SB-1386), in effect from 1st July 2003, is a California State law in the USA requiring organizations that maintain personal information about individuals to inform those individuals if the security of their information is compromised; it was created to help stem the increasing incidence of identity theft.

15 The MCA21 project, which is the e-governance programme of the Union Ministry of Corporate Affairs (MCA), has made e-filings using Digital Signatures mandatory for all the Companies registered with the Registrar of Companies.

16 OECD Guidelines for the Security of Information Systems and Networks – Towards a Culture of Security, Paris: OECD, July 2002. http://www.oecd.org

17 ITeS and BPO Strategy Summit 2004 Report

2.3 Organizations that have not started a formally implemented Information Security Management System (ISMS) should use ISO/IEC 27001:2005 and its family of standards as a guideline to implement such a system. Those organizations that are conscientious about their reputation with stakeholders or need differentiation from their competitors need to consider third-party certification of their ISMS. The Indian Computer Emergency Response Team (CERT-In) of the Central Department of Information Technology has published its “Information Security Policy for Protection of Critical Information Infrastructure” (No. CERT-In/NISAP/01, issued on 1st May 2006). Measures to ensure that such things don't happen in the future start right from having a clear-cut organizational security policy (CXOtoday.com, 3 September 2007).

18 Suzanne Dickson on “Creating a Culture of Compliance: The Responsibility of Every Member of an Organization” (http://www.infosectoday.com).

3. Trustworthy Computing (TwC): .NET Framework vs. Sun's J2EE


3.0 Trustworthy Computing (TwC) has been applied to computing systems that are inherently secure, available and reliable. Microsoft adopted TwC in 2002 to improve public trust in its software through a “by design” view of security, and advocated Digital Rights Management (DRM) to achieve TwC. The Free Software Foundation, however, prefers the name Digital Restrictions Management to Digital Rights Management (DRM), and the use of DRM has been controversial. Trustworthy computing is not a new concept. The 1960s saw an increasing dependence on computing systems by the military, the space program, financial institutions and public safety organizations. The computing industry in the USA began to identify deficiencies in existing systems and focus on areas that would address public concerns about reliance on automated systems. In 1967, Allen-Babcock Computing identified four areas of trustworthiness:

An ironclad operating system [reliability]

Use of trustworthy personnel [~business integrity]

Effective access control [security]

User requested optional privacy [privacy]

3.1 TwC is based on these four principles. Improved software testing methods have been recommended to guarantee a high level of reliability on initial software release, and programmer certification as a means to guarantee the quality and integrity of software. The computer industry has been generally supportive of Microsoft's efforts to improve the reliability and security of its software through its Digital Rights Management (DRM) and Trustworthy Computing (TwC) initiatives. But the open-source community has felt that a trustworthy computing (TwC) implementation would require authenticating programs as well as content, and that such a system could be used to hinder the progress of non-Microsoft software and operating systems (wikipedia)19.

3.2 The competing application platforms, Microsoft's .NET Framework and Sun's Java 2 Enterprise Edition (J2EE), offer similar architecture and capabilities. However, they are completely different in their underlying implementations (www.directionsonmicrosoft.com). The .NET Framework contains new and innovative ideas on software security issues and an easy-to-use toolset to build highly customized and secure distributed business applications. The .NET Framework relieves developers from writing huge amounts of code and making complicated security decisions (Mohammad Alam, 2004)20. The .NET Framework uses Microsoft WSE (Web Services Enhancements) 2.0, whereas Sun's J2EE uses JWSDP (Java Web Services Developer Pack) 1.5; both support the OASIS WSS 1.0 standard (WS-Security) to enable security for Web services, specifically through message integrity, message confidentiality, and single message authentication.

3.3 The Open Information System Security Group (OISSG) has announced its flagship project, the “Information Systems Security Assessment Framework (ISSAF)”21, to develop an end-to-end framework for security assessment. The ISSAF is an evolving framework. StillSecure has unveiled its Open-Source Development Framework (Cobia) that reflects the strategy for the convergence of security and networking (http://www.crn.com/security).

19 Source: http://en.wikipedia.org/wiki/Trustworthy_Computing

20 Mohammad Ashraful Alam (2004): "Software Security in Bangladesh with .NET Framework: A Roadmap", International Conference on Information Technology: Coding and Computing (ITCC'04), Volume 2, p. 438, 2004.

21 OISSG is a not-for-profit organization, with its vision to spread information security awareness by hosting an environment where security enthusiasts from all over the globe share and build knowledge (http://www.oissg.org).

3.4 As increasing numbers of enterprises use a mixture of both Java and .NET technologies, interoperability between these competing platforms becomes an imperative, not an option. Depending on the reasons for integration and the requirements of the application, one might choose a Service-Oriented Architecture (SOA) integration, in which Java capabilities are exposed to .NET as a set of web services, or a class-level integration, in which Java classes participate in the cross-language development framework in the same way as other .NET languages. The JNBridgePro class-level bridging solution provides the best combination of portability, evolvability, performance, conformance to standards, and smooth interoperability (www.jnbridge.com)22.

“Computers do not solve problems; they execute solutions”23

22 www.jnbridge.com: “Java .NET Interoperability: A Detailed Comparison of Options”.

23 A random quote from http://www.oissg.org.

4. e-Governance / e-Government Programme: An Appraisal

4.0 In e-Governance/e-Government, “electronic” means supporting and stimulating good governance, which is expected to mature in four phases (Gartner Report, 2000), as given in Box-B below:


Box-B

Presence: Information (Web sites)

Interaction: Intake processes (e-mail, search engines, download forms and documents)

Transaction: Complete transactions (Network and Information Security)

Transformation: Integration and Change (Virtual counter)

4.1 The Gartner Model does not imply that all institutions have to go through all the phases, all at the same time. Most governments start by delivering on-line information, but public demand and internal efficiency soon require more complex services. The five main target groups that can be distinguished in e-governance/e-Government concepts are Government (G), Citizens (C), Business (B), Employees (E) and bilateral/multilateral Institutions (X). A good approach towards implementation of e-governance is to combine short-term projects and long-term goals. In this regard, I wish to cite the DISNIC Programme of NIC, which envisaged the development of information systems in 28 sectors and initiated an “information system revolution” in districts during the later part of the 1980s with the establishment of a NICNET node in every district of the country (Moni and Vijayaditya, 1990)24.

4.2 Each State Government now has its own model for implementing e-governance initiatives / programmes, but the basket of services (NEMMADI Kendras of Karnataka, e-SEVA of Andhra Pradesh, KAMADHENU of Rajasthan, e-JAN SAMPARK of Chandigarh, SUVIDHA of Punjab, RASI MAIYAMS of Tamilnadu, INFOGRAM of Goa, FRIENDS of Kerala, GYAN DARSHAN of Gujarat, LOKVANI of Uttar Pradesh, JAN MITRA of Himachal Pradesh, JAIKISAN of Uttrakhand, e-Gram Suvidha of Madhya Pradesh, e-SUVIDHA of CICs in North Eastern States, NAIDISHA of Haryana, SUCHNA MITRA Kendra of Chhattisgarh, etc.) remains more or less identical across states. The GISTNIC Programme of NIC, initiated during the 1980s, got drowned in this process. According to Joya Chakraborty, when a centralized model is developed, be it for Community Information Centres (CICs), Common Services Centres (CSCs) or any other ICT4D initiative, the regional/cultural aspects go missing (Source: solutionexchange-un.net.in).

4.3 Various Study Reports corroborate that the current state of various government departments, in terms of usage of ICT, is not “holistic” enough to achieve a profound impact on ROI [in terms of people, process and knowledge]. Government Departments in both the States and the Central Government are yet to announce their “Informatics Policy” for productivity increase in their subject domain. The subject domain is classified as Central list, State list, Concurrent list and Local body list. Their workflow process is being defined through the “business of allocation”. The ICT Policy of many governments is more or less related to ICT industries.

24 Moni, M & Vijayaditya, N (1990): “DISNIC – A NICNET Based District Government Informatics Programme in India”, Indian Computing Congress, Hyderabad (India), December 1990.

4.4 The e-Governance Roadmaps of many Government Departments, as of now, do not reflect the “pyramid upside down”. The G2G, G2B and G2C components of the e-Governance Framework require an “institutional approach”, i.e. a training, extension, development, education and research approach. It requires moving beyond the “technology” component. ICT Infrastructure is mainly being used for email, word processing, and in some cases process-based applications (file tracking, scheme monitoring, public grievances monitoring, etc). Content Generation, Workflow applications, Decision Support Systems, Data Analysis, Framework-based Web Services etc. have taken a back seat. John Roberts (2001)25 estimated that only 10 per cent of government bodies around the world would be able to move towards e-governance by 2005, and India was absent from the picture due to its poor infrastructure and its slow response to the cyber culture. Now, we witness SWANs and State Data Centres (SDCs) in every State, in addition to NICNET establishments.

25 John P. Roberts, Vice-President and Director (Gartner Research), at the Gartner Summit on Information Technology, New Delhi, August 2001.

5. National e-Governance Programme (NeGP) of India

5.0 The Union Cabinet approved the National e-Governance Programme (NeGP) at an estimated cost of Rs. 23,000 Crores on 18th May 2006, and all measures are underway to accelerate the pace of implementation of its various components. The perceptible need to institutionalize the task of codifying standards and processes for ensuring interoperability of applications and solutions, for rapid development and deployment across the country, is also being addressed. Towards this, the Central Department of Information Technology (DIT) has set up e-Governance Working Groups (eGWGs) in the areas of:

(a) Technology Standards and e-Governance Architecture,
(b) Localization and Language Technology Standards,
(c) Total Quality Management and Documentation,
(d) Meta-Data and Data Standards of Application Domains,
(e) Network Security and Information Security,
(f) Legal Enablement of ICT Systems, and
(g) Government Process Re-engineering (GPR),

to formulate, adapt and adopt Standards and also formulate Guidelines for their implementation to provide a profound ROI impact. Domain Specific Working Groups are also being established to work out “Metadata and Data Standards” and “Digital Library Science” concepts to utilize Internet resources in an organised and contextual manner. The bottom line is to usher in “best practices, global solutions and integrated services” for reaching the Unreached, through the e-Governance/e-Government Programme.

6. e-Governance / e-Government Solutions based on Standards

6.0 Standards are regulated definitions of data formats or processes, and are created and maintained by industry groups, governments, and organizations. There are three basic categories of standards, viz. De Jure Standards, De Facto Standards, and Mandated Standards (Box-B).

Box - B

De Jure Standards are those formats and processes directly developed and overseen by industry standards groups;

De Facto Standards work in reverse - their standardization is driven by market adoption. They emerge when a particular format or process becomes overwhelmingly prevalent. De Facto standards can be developed by anyone, and are often the result of widespread adoption of commercial specifications;

Mandated Standards are formats and processes that are specifically required and controlled by governments or corporations. Adherence to a mandated standard may be a prerequisite for interacting with a particular corporation or government;

Any of these three types of standards can also be an Open Standard, which means that some sort of Committee controls the nature of the standard and that the specification is publicly available.

7. Information Technology Risk Management Programme (IT-RMP) : Role of NIC

7.0 National Informatics Centre (NIC) has been entrusted with the responsibility of formulating e-Governance Standards through these e-Governance Working Groups, in view of its expertise in government computerization for about three decades. The e-Governance Working Group on "Network and Information Security" has published the following documents for public scrutiny on the website http://egovstandards.gov.in :-

Draft Document "e-Governance Information Security Standard" (Version 01, dated 12th October 2006) [26], which proposes additional security controls for e-Governance purposes, viz. data security and privacy protection, network security, and application security;

Draft Document "Base line security requirements & Selection of controls" (Version 01, dated 12th October 2006).

7.1 The industry and government stakeholders of the e-Governance Programme have welcomed the strategy adopted by NIC of Working Group Meetings, Brainstorming Sessions and State Level Workshops. Many technical papers, advisory notes and suggestions have been published on the portal (http://egovstandards.gov.in) for peer review. In this process, the areas given below (Box-C), which will have a greater impact on accelerated development and deployment of ICT systems, have been identified for discussion and for formulation of policy guidelines through National Summits.

Box-C
e-Form
Identity and Access Management (IAM)
Network Security – Client level security
Information Security – Lock or Lose
Automatic Identification Technologies (Biometric, Smartcard, Barcode, RFID etc.)
e-Mail Services & Architecture
Web Services & Architecture
Applications Development Strategy
Digital Preservation & Life Cycle Management
Language Computing
e-Office (e-Form, e-Document, Web services, Workflow systems)
Intranet Solution
Online Auditing

[26] See http://egovstandards.gov.in


7.2 Technology becomes successful only when it is made affordable and available at the grassroots level so that citizens can benefit from e-Governance / e-Government applications. Appropriate policy guidelines for using "appropriate technology" and for using "technology appropriately" become necessary. Under the e-Governance standards initiative, efforts have been undertaken to formulate such policy guidelines in the identified areas (Box-C). Let me detail the efforts undertaken in the areas of e-Form and Identity and Access Management (IAM) in the following sections.

8. Open Standards based e-Form Technology Adoption: An e-Governance standards initiative to bridge the "paper-digital" divide

8.0 An e-Form is an electronic form which enhances and simplifies data capture with inbuilt data validation, data calculations, electronic signatures and database integration. It has been realized that e-Form technology, used effectively, can accelerate the e-Governance initiative. It can cut down Application Development Time (ADT) and help citizens prepare and file information electronically for various government services. Identity and Access Management (IAM) issues become more important when e-Forms are used.

8.1 As the Deputy Director General (e-Governance Standards) in NIC, I felt the need for "Policy Guidelines" for implementation of e-Form Technology in the e-Governance Programme. I conducted a National Summit on e-Forms Technology in June 2006, which was attended by many vendors and e-Governance Programme Administrators. The IT Secretary of the Union Government gave the keynote address. As a follow-up to this Summit, a National Task Force was set up to work out "Policy Guidelines on the use of e-Form Technology", under the Chairmanship of Dr. S. C. Gupta, Senior Technical Director, NIC. The Report of the Committee is expected.

9. Identity and Access Management: An e-Governance standards initiative to make e-Government Programs and their services a reality

9.0 This is a "participation age" in which people (customers, citizens, government, traders, employees etc.) interact with each other online as never before. This is the result of advances in Internet technology, global availability of networked communications, and an explosion of access devices. It requires ubiquitous access. Participation requires trust, and trust requires identity. Identity Management is therefore a key enabler of the participation age. The use of Internet technology and access mechanisms (i.e. the Internet as well as Intranets) as the primary medium for official transactions has brought in a new set of concerns, viz. security, privacy and management. Deploying an Identity and Access Management (IAM) solution entails a complex set of challenges to balance: the need for security and privacy, the demand for online services, and the issuance and management of digital identities, in order to make e-Government programs and their services a reality. This requires, among others, an integrated framework of laws, policies, operational best practices and guidelines, technology, and institutionalization.

9.1 Many e-Governance initiatives are carried out in isolation. In the absence of standards, the integration of e-Governance applications becomes difficult. Most e-Governance applications build their own mechanism for Identity and Access Management (IAM), resulting in identity silos, duplicated effort and a disjointed collection of service points. These applications are seldom interoperable even though many have similar features and functionality. High expectations of citizens / customers for improved services, and the requirement for government and private organizations to be efficient, have resulted in the proliferation of online services. Highly sophisticated IT-based solutions and telecommunication-networked environments have made it possible for organizations to give users the fastest and easiest means of availing services online. Organizations want to deliver online services securely, without risk of unauthorized access to their resources. As transactions are carried out invisibly, there is a need to know who is at the other end of the transaction. On the other hand, users require an organization to protect the integrity and confidentiality of their identity information and to ensure the safety of their transactions. In these circumstances, identity has become a key asset of organizations.

9.2 An integrated and comprehensive Identity and Access Management (IAM) approach can address all the identity-related issues of organizations as well as users. Identities need to be managed to facilitate the right access to the right resources. Identity and Access Management (IAM) provides a consistent, efficient and secure method to manage identities both internally and externally. The use of an IAM system is expected to provide the following benefits:

a. Elimination or significant reduction in storing duplicate identities
b. Single and comprehensive view of an identity
c. Interoperability of applications by enforcement of data standardization through IAM
d. Single Sign On facility for users
e. More secure access
f. Reduction in the risk of unauthorized access to, and modification or destruction of, government information assets
g. Control, enforce and monitor access to resources through auditing
h. Improved user participation
i. Improved performance
j. Improved service delivery to citizens
k. Improved regulatory capabilities
l. Improved availability

9.3 The Country has witnessed some related cases involving "outsourced job" companies in India. Such transactions can be made secure through encryption and authenticated using digital certificates. It will be very difficult to issue digital signature certificates to all possible users of G2C services. The NeGP may, however, facilitate issuing digital signature certificates to approved Notaries (e-Notaries) at Tehsil / Taluka level and to other intermediaries with appropriate authority, so that they can act on behalf of citizens who do not hold such certificates, especially in G2C domain applications.

9.4 In this regard, I wish to mention that there is a need for a national policy on "Identity and Access Management (IAM)" for the NeGP Programme. To facilitate this, I conducted a national summit on "Identity and Access Management (IAM)" during 2006 and, as a follow-up, a National Task Force was set up under the Chairmanship of Professor Syed Ismail Ahson, Department of Computer Science, Jamia Millia Islamia (a Central University). This Task Force, after extensive deliberations with all relevant stakeholders, has submitted its report to the e-Governance Standards Division of NIC. This IAM Policy will take care of "privacy and security" issues. Details are available on the website http://egovstandards.gov.in. The formulation of e-Governance standards guidelines will promote a uniform, consistent and coherent approach, which in turn will help in building interoperable applications to deliver integrated services to citizens.


10. Information Security Research & Training (ISRT): Need of the Hour

10.0 As the Internet grows in importance (e.g. in the e-Government sector), applications, viz. G2G, G2B and G2C, are becoming highly interconnected. Over the last few years the Internet has become much more hostile and new threats keep emerging. Threats change, and so should we. There is no replacement for good coding skills; tools can support the process but not replace it. The impetus for Microsoft's Windows Security Push was Bill Gates's "Trustworthy Computing" memo of January 15, 2002, which outlined a high-level strategy to deliver a new breed of computer systems that are more secure and available.

10.1 The consequences of compromised systems are many and varied, including loss of production, loss of consumer faith and loss of money. Protecting property from theft and attack is a time-proven practice. It is known that software will always have vulnerabilities, regardless of how much time and effort one spends trying to develop secure software, simply because one cannot predict future security research. Secure software is a subset of quality software and reliable software (Howard and LeBlanc, 2003) [27]. How is "the Attacker's Advantage and the Defender's Dilemma" to be overcome? It requires all of us to undertake a "proactive security development process" in design, coding, testing, and documentation.

[27] Michael Howard and David LeBlanc (2003): "Writing Secure Code", 2nd Edition, Microsoft Press / WP Publishers & Distributors (P) Limited, Bangalore (India), 2003.

10.2 The main objective of this Workshop is the Manpower Development and Training in the area of Software Security. This Workshop envisages having technical discussions in the areas of, but not limited to:

Identity Management and Access Control
E-Governance Secure Requirement Engineering
Database and Application Security and Integrity
Intrusion Detection and Avoidance
Security Verification
E-Security
Secure Web Services
Fault Tolerance and Recovery Methods for Security Infrastructure
Threats, Vulnerabilities and Risk Management
IT Security Standards
Secure Object Oriented Software Designing
Security Tools for Requirement and Design Phase
Secure Software Development Framework
Risk Analysis
Security Policies
Cryptography, PKI and Digital Certificates

10.3 In order to implement the National e-Governance Programme (NeGP) for sectoral productivity as well as service delivery with profound ROI, it is essential to nurture information security research and training, in consortium mode, involving IISc, IITs, IIMs, NITs and about 1500 Computer Science Departments (State Universities, Central Universities, Deemed Universities, Self-financing Colleges, Government-aided Colleges and Government Colleges), in the following areas:-

Encryption technologies;
Integrity, authorization and authentication services, key management, PKI and digital signatures;
Database security;
Intrusion detection and information hiding;
Security gateway products;
Certification of security products and services.

During the Eleventh Plan period (2007-12), NIC has proposed to establish a "Centre of Excellence in Information Security Research & Training (CE-ISRT)" [28]. This Centre of Excellence is expected to facilitate Manpower Development, both Capacity Building and Capability Building, for the following categories:

Software Architects and Developers, to design and write secure applications;

Test/QA Professionals, to ensure that applications meet security requirements;

Systems and Development Managers, to ensure that existing applications are protected against attack.

[28] Source: NIC's Eleventh Five Year Plan 2007-12 and Annual Plan 2007-08 Document

11. Securing e-Government Services: A Korean Case Study

11.0 Widespread Internet access is making it possible for governments around the world to move information and services online, providing substantial savings in cost, time and labour. By letting citizens interact with the Government from their own computer rather than in person, e-Government enhances the quality and accessibility of services. However, economy and convenience must be traded off against security. Online systems are vulnerable to hackers, and the Government has an obligation to prevent the unauthorized disclosure of personal information as well as the forgery and alteration of official documents. Korea Institute of Public Administration (KIPA) (www.kipa.re.kr) is a government-funded research institute that provides policy guidelines for all national-scale IT projects and e-Government initiatives. KIPA has recommended that Government agencies that currently issue, or plan to issue, documents online implement several technologies, of which the following are the most significant:-

High-density 2D bar codes that can store original documents and thereby prevent their forgery or alteration;

Digital signatures with public-key- infrastructure (PKI) certification to authenticate organisation and documents;

Digital watermarking to protect the official seal of document-issuing organisations;

Applying screen-capture prevention technology to obstruct users from capturing seals, logos and other official marks from web sites by copying images; and

Adoption of print control and Digital Rights Management (DRM) technologies to secure official document contents during transmission between servers and clients.

Note that screen-capture prevention, print control and DRM are client-side controls: they raise the effort of casual copying but cannot stop a user who controls the client (or simply photographs the screen), so protection against forgery must rest on controls that can be verified independently of the client, such as the signed 2D barcode.


11.1 Until secure digital document delivery systems are ubiquitous, the need for government-issued paper certificates will continue. Incorporating technologies that prevent forgery or unauthorized alteration of online documents, thereby enabling users to print such documents themselves without going to a government office, will go a long way toward improving the value of e-Government services (Kim, Kim and Choi, 2006) [29]. Combining existing technologies would let users print out legally valid e-Government documents.
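As an added example (not from this paper, from KIPA, or from the cited Korean authors), the following Go program shows the combination of the first two KIPA recommendations above: an issuing office signs the document record, the record and signature are what would be encoded into the high-density 2D barcode printed on the certificate, and anyone scanning the barcode can verify it offline against the issuer's public key, so that a forged or altered printout fails the check. The same signing step is what an authorised intermediary, such as the e-Notary of section 9.3, would perform on a citizen's behalf. Everything beyond the two recommendations is an assumption of the example: ECDSA P-256 with SHA-256 as the signature scheme, a JSON payload of my own design, a key pair generated in-process in place of an X.509 certificate chained to a CA, and the constructed sample record; the barcode symbology itself (PDF417, QR etc.) is out of scope.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Certificate is the document record the issuing office places inside the
// 2D barcode. The struct fixes the field order, so json.Marshal yields a
// canonical byte string; that string is what gets hashed and signed.
type Certificate struct {
	Issuer   string `json:"issuer"`
	Holder   string `json:"holder"`
	Purpose  string `json:"purpose"`
	IssuedOn string `json:"issued_on"`
	Serial   string `json:"serial"`
}

// Payload is the barcode content: the record plus the issuer's ASN.1
// DER-encoded ECDSA signature over the record's canonical bytes.
type Payload struct {
	Doc Certificate `json:"doc"`
	Sig []byte      `json:"sig"`
}

// digestOf returns SHA-256 over the canonical JSON form of the record.
func digestOf(c Certificate) ([]byte, error) {
	msg, err := json.Marshal(c)
	if err != nil {
		return nil, err
	}
	sum := sha256.Sum256(msg)
	return sum[:], nil
}

// Issue signs the record with the issuing office's (or an authorised
// intermediary's) private key and returns the base64 text that would be
// encoded into the 2D barcode printed on the document.
func Issue(key *ecdsa.PrivateKey, c Certificate) (string, error) {
	d, err := digestOf(c)
	if err != nil {
		return "", err
	}
	sig, err := ecdsa.SignASN1(rand.Reader, key, d)
	if err != nil {
		return "", err
	}
	raw, err := json.Marshal(Payload{Doc: c, Sig: sig})
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(raw), nil
}

// Verify decodes a scanned barcode and checks its signature against the
// issuer's public key. Any change to a printed field changes the recomputed
// digest, so a forged or altered document is rejected here.
func Verify(pub *ecdsa.PublicKey, barcode string) (Certificate, error) {
	raw, err := base64.StdEncoding.DecodeString(barcode)
	if err != nil {
		return Certificate{}, err
	}
	var p Payload
	if err := json.Unmarshal(raw, &p); err != nil {
		return Certificate{}, err
	}
	d, err := digestOf(p.Doc)
	if err != nil {
		return Certificate{}, err
	}
	if !ecdsa.VerifyASN1(pub, d, p.Sig) {
		return Certificate{}, errors.New("signature check failed: document forged or altered")
	}
	return p.Doc, nil
}

// Tamper models an attacker who edits the holder name in the barcode payload
// but, lacking the issuer's private key, has to keep the original signature.
func Tamper(barcode, newHolder string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(barcode)
	if err != nil {
		return "", err
	}
	var p Payload
	if err := json.Unmarshal(raw, &p); err != nil {
		return "", err
	}
	p.Doc.Holder = newHolder
	out, err := json.Marshal(p)
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(out), nil
}

func main() {
	// Constructed sample data; the in-process key pair stands in for the
	// office's PKI credential (assumption of this example).
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	doc := Certificate{Issuer: "Tehsil Office (sample)", Holder: "A. Citizen",
		Purpose: "Residence Certificate", IssuedOn: "2007-12-14", Serial: "RC-000123"}
	code, _ := Issue(key, doc)
	_, err := Verify(&key.PublicKey, code)
	fmt.Println("genuine barcode, error:", err)
	forged, _ := Tamper(code, "B. Impostor")
	_, err = Verify(&key.PublicKey, forged)
	fmt.Println("tampered barcode, error:", err)
}
```

In a deployment the scanner would obtain the issuer's public key from a certificate issued under the national PKI rather than from the signing process, and the record would carry a validity period and revocation reference; the example leaves those out to keep the signing and verification path visible.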

12. Building a Successful and Demonstrable Information Technology Risk Management Programme

12.0 ICT is becoming increasingly pervasive in development projects, and is often cited as a tool to reduce corruption and improve the efficiency of government services. As a result, e-security is becoming a significant challenge for developing and transition countries, especially those that are ill-prepared to deal with technology risks. This requires a better understanding of how to assess, mitigate and manage information systems risks, including security risks, so as to contribute to better project design and outcomes. I therefore strongly recommend, as has already been done for the e-Form and IAM areas, having an "Action Plan" for discussion and formulation of policy guidelines, through National Summits, in the areas identified in Box-C, so as to achieve a "proactive security development process by design, coding, testing and documentation". This measure will go a long way in building a successful and demonstrable IT Risk Management Programme in the Country. e-Learning capabilities to meet the emerging e-Security challenges are to be strengthened.

[29] Jong-Weon Kim, Kyu-Tae Kim and Jong-Uk Choi (2006): "Securing e-Government Services", published in Web Technologies, November 2006.

“All truths are easy to understand once they are discovered. The point is to discover them” – Galileo, the Astronomer

“Doing it the hard way is always easier in the long run” – Murphy’s Law
