Date posted: 02-Jun-2020
Course: Information Security Management in e- Governance Day 1 Session 2: Introduction to Information Security in e-Governance
Source: gswan.gov.in/PDF/D1-2-Introduction-to-Information-Security-in-e-Governance-60min.pdf

Slide 1

Day 1
Session 2: Introduction to Information Security in e-Governance

Slide 2

Agenda

• Need for Information Systems Security Policy
• Elements of Information Security Policy
• Approach for development of Information Security Policy
• Information Security Organization and roles, responsibilities

Slide 3

What is Information?

• BS ISO 27002:2005 defines Information as:
• 'Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected'

Slide 4

What is Information?

Information can be:

• Printed or written on paper
• Stored electronically
• Transmitted by post or using electronic means
• Shown on corporate videos
• Displayed / published on the web
• Verbal – spoken in conversations

'…Whatever form the information takes, or means by which it is shared or stored, it should always be appropriately protected' (BS ISO 27002:2005)

Slide 5

Information in Governments

– Governments are moving towards e-Governance to improve convenience, reduce time and improve transparency in delivering services to businesses and citizens.
– Businesses and citizens expect high standards of service, instant access to information, efficient transactions and support, whenever and wherever they need it, but in a secure fashion.
– The two major components of the approach are information delivery and service delivery.
– In the first component, various web-based information services of different granularity are offered by Governments.
– In the second component, the citizen is given access to the Government's business-related IT systems to provide transaction services (e.g. tax payments, filing of forms, issuing certificates etc.)

Slide 6

Information in Governments

– These two types of components bring issues of information and systems security, such as architecture, standards and technology, to the forefront.
– Another fundamental element of the problem is the unprecedented gap between the pace of technological change and the inevitably glacial pace of policy and law making.
– Any good system of governance should be resilient to attacks such as fraud, inadvertent virus infection and a variety of motivated cyber crimes through unauthorised access, and even to nation-sponsored cyber war and to scenarios of disaster and warfare.
– In a networked society these kinds of threats have the potential to cripple a Government.

Slide 7

Information in Governments

– Models of e-Governance: From the developmental perspective, e-Governance can be defined as the application of electronic means (in particular ICT) in:
  (1) the interaction between Government and citizens and between Government and businesses, as well as in
  (2) internal Government operations, to simplify and improve the democratic, Government and business aspects of Governance

Slide 8

Some of the kinds of Information exchanged in Governments

Information types: Public Information, Critical Information, Comparative Data, Feedback and Opinions, Business Information, and Personalized Information.

Based on these classes of information, their sources and frequency of update and exchange, various models of e-Governance projects have evolved.

Slide 9

Information assets in Governments

• Information can be found in various places such as:
  • End user environment – systems, documents etc.
  • Servers – application (web, in-house developed, mail etc.), database servers, backup servers, domain servers and many more
  • Network – wireless networks, local area network, internet etc.
  • Other devices such as laptops, pocket devices, smart cards, smart phones, tablet PCs etc.

Slide 10

Technology Base for e-Governance

– Communication Network: The data and voice network owned by the Government or by private players.
– e-Government System Interface: Point of admission to the Government system.
– Backend Systems: Database and business layers of the information infrastructure.

Slide 11

Facets of Information assets

• Information available at end user level, which could be trusted, un-trusted, Third Party etc.
• Service Layer – Information is available at the applications, databases etc. level
• Network Layer – Information resides at the network level, which encompasses the entire business functions of the Governments.
• Service Delivery platforms have a huge asset in terms of government data

[Diagram labels: Internet; Third-Party Application; Untrusted; Web Tier; Application; Service Delivery Platform; Common Framework; Backbone Network; Partly Trusted; Databases]

Slide 12

Securing the information assets

• Security of information & information assets is becoming a major area of concern
• With every new application, newer vulnerabilities crop up, posing immense challenges to those who are mandated to protect the IT assets
• e-Government security requirements can be studied by examining the overall process, beginning at the citizen's end and ending at the e-Gov server
• The assets that must be protected to ensure secure e-Gov include client computers, the messages travelling on the communication channel, and the Web and e-Gov servers – including any hardware attached to the servers

Slide 13

Need for Information security in Governments

• In the current climate of elevated risk created by the vulnerabilities of and threats to the Nation's IT infrastructure, cyber security is not just a paperwork drill.
• Adversaries are capable of launching harmful attacks on IT systems, networks and information assets.
• Enterprise concerns have been heightened by increasingly sophisticated hacker attacks and identity thefts, warnings of cyber terrorism, and the pervasiveness of IT use.
• Many in industry and critical infrastructure organizations have come to recognize that their continued ability to retain citizens' confidence will depend on improved software development and systems engineering practices and the adoption of strengthened security models and best practices.

Slide 14

Need for Information security in Governments (contd..)

• Governments amass a great deal of confidential information about their employees, customers, products, research and financial status.
• Most of this information is now collected, processed and stored on electronic computers and transmitted across networks to other computers.
• A breach of security could lead to lost opportunities, defamation, loss of goodwill, repudiation loss, financial loss, transactional loss, loss of citizens' confidence and many others.

Slide 15

Need for Information security in Governments (contd..)

• Examples include:
  • A defacement / hacking of a public website can cause loss of reputation
  • Vital data, i.e. databases, can be lost if unauthorized entry is not checked properly
  • An e-procurement website stops functioning all of a sudden
  • A disaster strikes and processes come to a standstill
  • Repudiation loss: one party to a transaction denies having received it, or the other party denies having sent it
• Protecting confidential information is a business requirement, and in many cases also an ethical and legal requirement!

Slide 16

Understanding Security Measures

• Data Center Security
• Use Firewalls
• Web-site Security
• Anti-virus tools
• Anti-phishing tools
• Physical Office Security
• Restricted Accessibility
• Regular checks & reviews
• Secured Working Processes
• Planning long-term solutions
• Process-Cycle to be followed (PDCA Cycle – Plan, Do, Check & Assess Cycle)

Slide 17

Categorization of Information Systems

• Categorize Information based on
  • Hardware
  • Software
  • Data
  • Documentation
  • Personnel
  • Procedures
  • Models etc.

Slide 18

Challenges & Issues - Security

• Data & Application security
• PPP models (service delivery model)
• Lack of internal Technical capacities
  – Loopholes in the applications and databases
  – Knowledge transfer
  – Exit management
• Complex e-Governance Projects
  – High performance & response time
  – High Security desired on operations but not a top priority to start with
• Multiple Legacy Environments
• Security framework
• Implementation of Security Standards
• Implementation of suitable access controls and authorization
• Preparation of RFPs which capture all the security requirements

Slide 19

Points of concern in Governments

• Letting vendors define "good security"
• Underestimating the required security expertise
• Assigning untrained people to maintain security
• Relying primarily on a firewall
• Thinking first of budget concerns, neglecting the value of their information and organizational reputations
• Authorizing reactive, short-term fixes so problems re-emerge rapidly

Slide 20

Top Security Myths

• Myth: Firewalls make your data secure.
  In fact, 40% of Internet break-ins occur in spite of a firewall being in place!
• Myth: Encryption makes your data secure.
  In fact, encryption is only one approach to securing data. Security also requires access control, data integrity, system availability, and auditing.
• Myth: Hackers cause most security breaches.
  In fact, 80% of data loss is caused by insiders.

Slide 21

Defining the risks, threats and vulnerabilities

– Risk: The possibility that a threat exploits a vulnerability in an asset and causes damage or loss to the asset
– Threat: Something that can potentially cause damage to the organization, IT systems or network
– Vulnerability: A weakness in the organization, IT systems or network that can be exploited by a threat

Slide 22

Threats

– External parties
– Low awareness of security issues
– Employees
– Growth in networking and distributed computing
– Growth in complexity and effectiveness of hacking tools and viruses
– Natural disasters, e.g. fire, flood, earthquake

Slide 23

Generic Threat Profile

[Diagram] Threats to Critical Information Assets, grouped by source (Inside, Outside) and intent (Accidental, Deliberate); each of the four combinations can result in Disclosure, Modification, Loss/Destruction or Interruption.

Slide 24

Information Security Threats and Vulnerabilities

• Client Threats: Until the introduction of executable Web content, Web pages were mainly static. Coded in Hyper Text Markup Language (HTML), static pages could do little more than display content and provide links to related pages with additional information.
• Widespread use of active content has changed this perception.
• Active Content: Active content such as Java applets, ActiveX controls, JavaScript and VBScript refers to programmes that are embedded transparently in Web pages and that cause actions to occur.
• Embedding active content in Web pages involved in e-Governance introduces several security risks.
• Malicious active content delivered by means of cookies can reveal the contents of client-side files or even destroy files stored on client computers.

Slide 25

Information Security Threats and Vulnerabilities

• Malicious Code: Computer viruses, worms and Trojan Horses are examples of malicious code. People are aware of them but may not be prepared to deal with such adversaries.
• Server-side Masquerading: Masquerading lures a victim into believing that the entity with which it is communicating is a different entity.
• For example, if a user tries to log into a computer across the Internet but instead reaches another computer that claims to be the desired one, the user has been spoofed.
• Communication Channel Threats: The Internet serves as the electronic chain linking a consumer (client) to the e-Gov server.
• Messages on the Internet travel randomly from a source node to a destination node.
• It is impossible to guarantee that every computer on the Internet through which messages pass is safe, secure and non-hostile.
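The masquerading case above (a client reaching an impostor that claims to be the e-Gov server) is countered by having the client verify the server's identity before it sends anything sensitive. The Python below is an added illustration, not part of the course material: it pins each hostname to a SHA-256 fingerprint of the server's public key (the way SSH's known_hosts works; in TLS the same role is played by certificate validation) and refuses to send credentials on an unknown or mismatching identity. The hostnames, keys and fingerprints are constructed for the example.

```python
import hashlib
import hmac
from typing import Dict, Optional


def fingerprint(public_key: bytes) -> str:
    """SHA-256 fingerprint of the raw public key bytes, as the client pins it."""
    return "SHA256:" + hashlib.sha256(public_key).hexdigest()


# Constructed keys: in practice these are the servers' actual public keys.
GENUINE_SERVER_KEY = b"constructed public key of the real e-Gov server"
IMPOSTER_SERVER_KEY = b"constructed public key of a masquerading host"

# Constructed pinned-identity store (hostname -> fingerprint), populated
# out of band, e.g. from the operator's published fingerprint or a CA chain.
KNOWN_HOSTS: Dict[str, str] = {"egov.example": fingerprint(GENUINE_SERVER_KEY)}


def check_server_identity(hostname: str, presented_key: bytes,
                          known_hosts: Dict[str, str]) -> str:
    """Classify the server the client actually reached.

    'trusted'  - presented key matches the pinned fingerprint for hostname
    'unknown'  - no pin for this hostname (first contact; do not trust silently)
    'mismatch' - a pin exists but the key differs: the masquerading case
    """
    expected = known_hosts.get(hostname)
    if expected is None:
        return "unknown"
    if hmac.compare_digest(expected, fingerprint(presented_key)):
        return "trusted"
    return "mismatch"


def login(hostname: str, presented_key: bytes, username: str, password: str,
          known_hosts: Optional[Dict[str, str]] = None) -> dict:
    """Simulated client login: credentials leave the client only on 'trusted'."""
    known_hosts = KNOWN_HOSTS if known_hosts is None else known_hosts
    verdict = check_server_identity(hostname, presented_key, known_hosts)
    sent = verdict == "trusted"
    # What would go on the wire; None means the client aborted before sending.
    payload = {"user": username, "password": password} if sent else None
    return {"verdict": verdict, "credentials_sent": sent, "payload": payload}


if __name__ == "__main__":
    print(login("egov.example", GENUINE_SERVER_KEY, "clerk01", "pw")["verdict"])   # trusted
    print(login("egov.example", IMPOSTER_SERVER_KEY, "clerk01", "pw")["verdict"])  # mismatch
    print(login("other.example", GENUINE_SERVER_KEY, "clerk01", "pw")["verdict"])  # unknown
```

The 'unknown' verdict is the important design choice: a client that silently pins whatever key it sees on first contact (trust on first use) is protected only against impostors that appear later, so the pin should be seeded out of band or replaced by certificate validation against a trusted authority.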

Slide 26

Information Security Threats and Vulnerabilities

• Confidentiality Threats: Confidentiality is the prevention of unauthorised information disclosure. Use of the Internet definitely poses confidentiality threats to the messages sent.
• Availability Threats: The purpose of availability threats, also known as delay or denial of service threats, is to disrupt normal computer processing or to deny processing entirely. Slowing any Internet service will deter citizens from using e-Gov services.
• Server Threats: The server is the third link in the client-Internet-server trio embodying the e-Gov path between the citizens and the Government. Servers have vulnerabilities that can be exploited by anyone determined to cause destruction or to illegally acquire information.

Slide 27

Information Security Threats and Vulnerabilities

• Web Server Threats: Web server software is not inherently high-risk; it has been designed with Web service and convenience as the main design goals. The more complex the software is, the higher the probability that it contains coding errors (bugs) and security holes.
• e-Gov Server Threats: The e-Gov server, along with the Web server, responds to requests from Web browsers through the HTTP protocol and Common Gateway Interface (CGI) scripts. Several pieces of software comprise the e-Gov server software suite. Each of these pieces of software can have security holes and bugs.
• Database Threats: Besides Government information, databases connected to the Web contain critical and private information that could irreparably damage an enterprise or citizen if it were disclosed or altered.
• Some databases store user name/password pairs in a non-secure way.
• If someone obtains user authentication information, then he or she can masquerade as a legitimate database user and reveal private and costly information.

Slide 28

Information Security Threats and Vulnerabilities

• Common Gateway Interface Threats: A Common Gateway Interface (CGI) implements the transfer of information from a Web server to another programme, such as a database programme. Because CGIs are programmes, they present a security threat if misused.
• Password Hacking: The simplest attack against a password-based system is to guess passwords.
• Guessing passwords requires that access to the complement, the complementation functions and the authentication functions be obtained.
• If none of these have changed by the time the password is guessed, then the attacker can use the password to access the system.
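Slide 27 notes that some databases store user name/password pairs in a non-secure way, and slide 28 that the simplest attack on a password system is guessing. The Python below is an added example, not part of the course material, showing the defender's side of both points: the insecure plaintext table shape beside a record that stores only a salted PBKDF2 verifier (so a stolen table yields no passwords and offline guessing is slowed), plus a failure counter and lockout that bound online guessing. Usernames, passwords, iteration count and lockout values are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

# The insecure shape the slide warns about: credentials recoverable by
# anyone who can read the table (a dump, a backup, a misconfigured share).
# Username and password are constructed for this example.
INSECURE_TABLE: Dict[str, str] = {"clerk01": "Summer2012!"}

PBKDF2_ITERATIONS = 200_000   # work factor; raise as hardware allows
MAX_FAILURES = 5              # online guesses allowed before lockout
LOCKOUT_SECONDS = 900


def insecure_check(username: str, candidate: str) -> bool:
    """Plaintext comparison: shown only to contrast with the hashed form below."""
    return INSECURE_TABLE.get(username) == candidate


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Create a user record holding a salted PBKDF2-HMAC-SHA256 verifier.

    The password itself is never stored; a leaked record forces an attacker
    back to slow per-record guessing instead of reading secrets off the table.
    """
    salt = secrets.token_bytes(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": PBKDF2_ITERATIONS,
            "failures": 0, "locked_until": 0.0}


def verify_password(record: dict, candidate: str) -> bool:
    """Recompute the verifier and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def attempt_login(table: Dict[str, dict], username: str, candidate: str,
                  now: Optional[float] = None) -> str:
    """Return 'ok', 'denied' or 'locked'.

    The lockout bounds the online guessing the slide describes; the salted
    hash bounds offline guessing if the table itself is stolen.
    """
    now = time.time() if now is None else now
    record = table.get(username)
    if record is None:
        # Same answer as a wrong password, so responses do not reveal which
        # usernames exist (response timing still differs; a dummy verify fixes that).
        return "denied"
    if now < record["locked_until"]:
        return "locked"
    if verify_password(record, candidate):
        record["failures"] = 0
        return "ok"
    record["failures"] += 1
    if record["failures"] >= MAX_FAILURES:
        record["locked_until"] = now + LOCKOUT_SECONDS
        record["failures"] = 0
    return "denied"


if __name__ == "__main__":
    users = {"clerk01": hash_password("correct horse battery staple")}
    print(attempt_login(users, "clerk01", "correct horse battery staple"))  # ok
    print(attempt_login(users, "clerk01", "Summer2012!"))                   # denied
```

Two records for the same password get different salts and therefore different hashes, which is what prevents one cracked entry or a precomputed table from being reused across users.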

Slide 29

Threat Sources

| Source | Motivation | Threat |
| --- | --- | --- |
| External hackers | Challenge, ego, game playing | System hacking |
| Internal hackers | Deadline, financial problems | Backdoors, fraud, poor documentation |
| External agents | Revenge, political | System attacks, letter bombs, viruses, denial of service |
| Poorly trained employees | Unintentional errors, programming errors, data entry errors | Corruption of data, malicious code introduction, system bugs, unauthorized access |

Slide 30

Threat Sources

| Category of Threat | Example |
| --- | --- |
| Human errors or failures | Accidents, employee mistakes |
| Compromise to intellectual property | Piracy, copyright infringements |
| Deliberate acts of espionage or trespass | Unauthorized access and/or data collection |
| Deliberate acts of information extortion | Blackmail over information exposure / disclosure |
| Deliberate acts of sabotage / vandalism | Destruction of systems / information |
| Deliberate acts of theft | Illegal confiscation of equipment or information |
| Deliberate software attacks | Viruses, worms, macros, denial of service |
| Deviations in quality of service from service provider | Power and WAN issues |
| Forces of nature | Fire, flood, earthquake, lightning |
| Technical hardware failures or errors | Equipment failures / errors |
| Technical software failures or errors | Bugs, code problems, unknown loopholes |
| Technological obsolescence | Antiquated or outdated technologies |

Slide 31

Threat Sources

• High user knowledge of IT systems
• Theft, sabotage, misuse
• Virus attacks
• Systems & network failure
• Lack of documentation
• Natural calamities & fire
• Lack of security

Slide 32

Relationships between assets, risks, threats, vulnerabilities

[Diagram] Threat Agents give rise to a Threat, which exploits a Vulnerability, which leads to a Risk, which can damage an Asset and cause an Exposure, which can be countered by a Safeguard.

Slide 33

Information Security

• Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction.
• Information security enables an organization to meet its business objectives by implementing business systems with due consideration of information technology (IT) related risks to the organization, business and trading partners, technology service providers, and most importantly CITIZENS.
• The terms information security, computer security and information assurance are frequently, and incorrectly, used interchangeably.
• These fields are often interrelated and share the common goals of protecting the confidentiality, integrity, availability, accountability and assurance of information.

Slide 34

IT Security

• IT Security means eliminating the disruption of business operations and reducing the exposure to various attacks.
• IT Security deals with several different "trust aspects" of information.
• Information security involves an architecture in which an integrated combination of appliances, systems and solutions, software, surveillance and vulnerability scans work together.
• IT Security is not just confined to computer systems; it applies to all aspects of protecting information or data, in whatever form, i.e. physical, people etc.
• Security is achieved using several strategies simultaneously or in combination with one another.

Slide 35

Security objectives

Organizations meet this goal by striving to accomplish the following objectives:

• Availability – The ongoing availability of systems addresses the processes, policies and controls used to ensure authorized users have prompt access to information. This objective protects against intentional or accidental attempts to deny legitimate users access to information or systems.
• Integrity of Data or Systems – System and data integrity relate to the processes, policies and controls used to ensure information has not been altered in an unauthorized manner and that systems are free from unauthorized manipulation that will compromise accuracy, completeness and reliability.
• Confidentiality of Data or Systems – Confidentiality covers the processes, policies and controls employed to protect information of customers and the institution against unauthorized access or use.

Slide 36

Security objectives (contd..)

• Accountability – Clear accountability involves the processes, policies and controls necessary to trace actions to their source. Accountability directly supports non-repudiation, deterrence, intrusion prevention, security monitoring, recovery and legal admissibility of records.
• Assurance – Assurance addresses the processes, policies and controls used to develop confidence that technical and operational security measures work as intended.
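Accountability as described above depends on records that can be traced to a source and shown not to have been altered afterwards. The Python below is an added example, not part of the course material: an append-only audit log in which each record carries an HMAC over its own content and the previous record's MAC, so that modification, reordering or deletion of entries is detected on verification. The key, actor names and events are constructed for the example; in a real deployment the key would be held by a log integrity service, not by the applications writing the entries.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Optional

# Constructed key for the example. It belongs to the log integrity service
# (ideally in an HSM/KMS), not to the applications that write entries, so a
# compromised application cannot re-sign a doctored chain.
AUDIT_KEY = b"constructed-audit-integrity-key"
GENESIS = "0" * 64
FIELDS = ("seq", "when", "actor", "action", "target")


def _mac(key: bytes, prev: str, entry: Dict[str, object]) -> str:
    """HMAC over the previous record's MAC and a canonical encoding of the entry."""
    body = json.dumps({k: entry[k] for k in FIELDS}, sort_keys=True,
                      separators=(",", ":")).encode("utf-8")
    return hmac.new(key, prev.encode("ascii") + body, hashlib.sha256).hexdigest()


def append_event(log: List[dict], actor: str, action: str, target: str,
                 when: str, key: bytes = AUDIT_KEY) -> dict:
    """Append one accountable record (who did what, to which object) chained to the last."""
    prev = log[-1]["mac"] if log else GENESIS
    entry = {"seq": len(log), "when": when, "actor": actor, "action": action, "target": target}
    record = dict(entry, prev=prev, mac=_mac(key, prev, entry))
    log.append(record)
    return record


def verify_chain(log: List[dict], key: bytes = AUDIT_KEY,
                 expected_head: Optional[str] = None) -> int:
    """Return -1 if every record verifies, else the index of the first bad record.

    expected_head is the MAC of the last record as stored somewhere the log
    writer cannot reach; without it, records silently dropped off the tail
    would go unnoticed (the index returned in that case is len(log)).
    """
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec["seq"] != i or rec["prev"] != prev:
            return i                       # reordered, inserted or deleted record
        if not hmac.compare_digest(rec["mac"], _mac(key, prev, rec)):
            return i                       # content edited after the fact
        prev = rec["mac"]
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return len(log)                    # tail truncated
    return -1


def actions_by(log: List[dict], actor: str) -> List[str]:
    """Trace actions to their source: everything a given actor did, in order."""
    return [f'{r["action"]} {r["target"]}' for r in log if r["actor"] == actor]


def sample_log() -> List[dict]:
    """Constructed events from a hypothetical e-Gov records application."""
    log: List[dict] = []
    append_event(log, "clerk01", "read", "record/1042", "2012-06-01T09:00:00Z")
    append_event(log, "clerk01", "update", "record/1042", "2012-06-01T09:04:10Z")
    append_event(log, "admin02", "grant-role", "clerk01", "2012-06-01T09:30:00Z")
    return log


if __name__ == "__main__":
    log = sample_log()
    print(verify_chain(log, expected_head=log[-1]["mac"]))   # -1: intact
    print(actions_by(log, "clerk01"))
```

The chain makes tampering evident rather than impossible: whoever holds the key can re-sign anything, which is why the key and the periodically exported head MAC must live outside the reach of the administrators whose actions the log is meant to hold to account.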

Slide 37

Information Security focus

• Protection of information assets
• Protection of computer systems
• Protection of data networks
• Protection of databases & applications
• Protection of end user environments
• Physical and environmental protection
• Security measures in third party outsourcing
• Logical access control
• Disaster recovery planning
• Security audit
• Public Key Infrastructure
• Legal frameworks and various initiatives by GoI

Slide 38

Elements of Information Security…

[Diagram] Technology (the technology which our business uses), Process (our business process) and People (organization staff).

Slide 39

Elements of Security… People & Processes

People who use or interact with the Information:
• Management
• Employees
• Business partners
• Service providers
• Contractors
• Citizens
• Regulators etc.

The processes refer to "work practices" or workflow:
• Helpdesk / service management
• Incident reporting and management
• Change request process
• Request fulfillment
• Access management
• Identity management
• Service level / third-party services management
• IT procurement process etc.

Slide 40

Technology "what we use to improve what we do"

Network Infrastructure
• Cabling, data/voice networks and equipment
• Telecommunications services (PABX), including VoIP services, ISDN, video conferencing
• Server computers and associated storage devices
• Operating software for server computers
• Communications equipment and related hardware
• Intranet and Internet connections
• VPNs and virtual environments
• Remote access services
• Wireless connectivity

Application software
• Finance and assets systems, including accounting packages, inventory management, HR systems, assessment and reporting systems
• Software as a service, instead of software as a packaged or custom-made product

Slide 41

Technology "what we use to improve what we do"

Physical Security components
• CCTV cameras
• Clock-in systems / biometrics
• Environmental management systems: humidity control, ventilation, air conditioning, fire control systems
• Electricity / power backup

Access devices
• Desktop computers
• Laptops, ultra-mobile laptops and PDAs
• Thin client computing
• Printers, scanners, photocopiers etc.

Slide 42

[Diagram] Information Security – Confidentiality, Integrity, Availability, Authenticity. Security Policy across People, Process and Technology. Controls shown: Regulatory Compliance, Access Control, Security Audit, User Awareness Program, Incident Response, Firewall, IPS/IDS, Encryption, PKI, Antivirus. Information Security Management – Assurance, Security Audit.

Slide 43

A Structured Approach to Security Design

• For security to be effective it must be designed as a whole and applied consistently across an organization and its IT infrastructure.
• The steps to design the security of a system are to model the system, identify the security properties to be preserved, model the adversary, and then ensure that the security properties are preserved under attack.
• Detailed modeling of the system and identification of the required security properties are possible.
• But it is almost impossible to accurately model the adversaries and the vulnerabilities of the system exploited by those adversaries.
• The result is that there is no such thing as absolute security.

Slide 44

Security Engineering Life Cycle

[Diagram] Security Requirement → Security Policy → Security Infrastructure Specification → Security Infrastructure Implementation → Security Testing → Requirement Validation

Slide 45

Security Engineering Life Cycle

• Security Requirement Specification and Risk Analysis
  • The first phase in the Security Engineering Life Cycle collects information regarding the assets of the organisation that need to be protected, the threat perception on those assets, associated access control policies, existing operational infrastructure, connectivity aspects, services required to access the assets and the access control mechanism for the services.
• Security Policy Specification
  • This phase takes the Security Requirement Specification and Risk Analysis Report as input and generates a set of e-Gov security policies.
  • The policy statements are high-level, rule-based and generic in nature and thereby do not provide any insight into system implementation or equipment configuration.

Page 46

Security Engineering Life Cycle

• Security Infrastructure Specification

• This phase analyses the Security Requirement Specification and the Security Policy Specification to generate a list of security tools that are needed to protect the assets.

• It also provides views on the location and purpose of the security tools.

• Security Infrastructure Implementation

• The organisation, in this phase, procures, deploys, and configures the selected security infrastructure at the system level.

Slide 46

Page 47

Security Engineering Life Cycle

• Security Testing

• In this phase, several tests are carried out to check the effectiveness of the security infrastructure, the functionality of the access control mechanism, the specified operational context, the existence of known vulnerabilities in the infrastructure, etc.

• Requirement Validation

• This phase analyses the extent to which the security requirements of the e-Governance organisation are fulfilled by the corresponding security policy and the implemented security infrastructure.

• A change in the service goal, operational environment, or technological advancement may lead to a fresh set of security requirements and thereby trigger a new cycle of the Security Engineering Life Cycle.

Slide 47
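The Requirement Validation phase described on slides 44 to 47 is, in practice, a traceability check: every security requirement should be covered by a policy statement, each policy should be implemented by deployed infrastructure, and each deployed control should have passed security testing. The script below is an added worked example, not code from the course or from any e-Governance project; the requirement, policy and control identifiers and the sample data are constructed for illustration, and the status labels are an assumed scheme.

```python
"""Requirement Validation for the Security Engineering Life Cycle.

Added worked example (not from the course slides). It traces each security
requirement to the policy that covers it, to the infrastructure controls that
implement that policy, and to the test results for those controls, then reports
how far each requirement is fulfilled. All identifiers and sample data below
are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Requirement:
    rid: str
    asset: str
    text: str


@dataclass(frozen=True)
class Policy:
    pid: str
    statement: str
    covers: FrozenSet[str]          # requirement ids this policy addresses


@dataclass
class Control:
    cid: str
    implements: str                 # policy id this control implements
    deployed: bool
    test_passed: Optional[bool] = None   # None means not tested yet


# Constructed sample data for a hypothetical e-Gov service.
REQUIREMENTS = [
    Requirement("R1", "citizen-db", "Citizen records are readable only by authorised staff"),
    Requirement("R2", "portal", "Portal is reachable during office hours"),
    Requirement("R3", "citizen-db", "Changes to citizen records are attributable to a user"),
    Requirement("R4", "portal", "Passwords are never transmitted in clear text"),
]
POLICIES = [
    Policy("P-AC-01", "Access to personal data is role based", frozenset({"R1"})),
    Policy("P-AV-01", "Public services have redundant hosting", frozenset({"R2"})),
    Policy("P-LOG-01", "All record changes are logged with user identity", frozenset({"R3"})),
]
CONTROLS = [
    Control("C-RBAC", "P-AC-01", deployed=True, test_passed=True),
    Control("C-LB", "P-AV-01", deployed=True, test_passed=False),
    Control("C-AUDITLOG", "P-LOG-01", deployed=False),
]


def validate(requirements, policies, controls) -> Dict[str, str]:
    """Return {requirement id: status}.

    Status is one of 'fulfilled', 'no policy', 'no control deployed',
    'not tested' or 'test failed' (an assumed labelling scheme).
    """
    by_policy: Dict[str, List[Control]] = {}
    for c in controls:
        by_policy.setdefault(c.implements, []).append(c)

    result: Dict[str, str] = {}
    for req in requirements:
        covering = [p for p in policies if req.rid in p.covers]
        if not covering:                       # gap in the policy specification
            result[req.rid] = "no policy"
            continue
        deployed = [c for p in covering for c in by_policy.get(p.pid, []) if c.deployed]
        if not deployed:                       # gap in infrastructure implementation
            result[req.rid] = "no control deployed"
        elif any(c.test_passed is True for c in deployed):
            result[req.rid] = "fulfilled"
        elif all(c.test_passed is None for c in deployed):
            result[req.rid] = "not tested"     # gap in security testing
        else:
            result[req.rid] = "test failed"
    return result


def needs_new_cycle(status: Dict[str, str]) -> List[str]:
    """Requirements that are not fulfilled send the organisation back into the cycle."""
    return sorted(r for r, s in status.items() if s != "fulfilled")


if __name__ == "__main__":
    status = validate(REQUIREMENTS, POLICIES, CONTROLS)
    for rid, s in status.items():
        print(f"{rid}: {s}")
    print("re-enter the life cycle for:", needs_new_cycle(status))
```

Each non-fulfilled status points at the phase that has to be revisited: "no policy" at Security Policy Specification, "no control deployed" at Security Infrastructure Implementation, and "not tested" or "test failed" at Security Testing.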

Page 48

e-Governance Security Assurance Framework (eSAFE)

Slide 48

Figure: the eSAFE process as a sequence of steps: Categorization of Information Systems → Baseline Control Selection → Risk Assessment → Refinement of Controls → Implementation of Controls → Monitoring Effectiveness of Controls.

Page 49

Baseline Control Selection

Slide 49

Master Catalog of Security Controls: the complete set of security controls and control enhancements, from which the Low, Medium and High Baseline Controls are drawn.

• Low Baseline: selection of a subset of security controls from the master catalog, consisting of basic level controls.

• Medium Baseline: builds on the Low Baseline with additional controls and control enhancements selected from the master catalog.

• High Baseline: builds on the Medium Baseline with additional controls and control enhancements selected from the master catalog.

Page 50

Risk Assessment

• Identify risks based on

• Asset value

• Impacts

• Threats

• Vulnerabilities

• Asset loss exposure

Slide 50

Page 51

Refinement & implementation of controls

• Determine desirable and mandatory controls

• Evaluate existing and mandatory controls

• Determine the refinements needed in the controls

• Implement controls

Slide 51

Page 52

Monitoring Effectiveness of Controls

• Monitor the controls in place

• Encourage testing

• Have a security audit

• Move towards compliance with information security standards

Slide 52
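Slides 48 to 52 describe the eSAFE steps in outline. The script below is an added worked example that walks those steps end to end on constructed data; it is not code from the course or from the eSAFE framework documents. The control identifiers, the cumulative Low/Medium/High catalog, the 1 to 5 rating scales, the exposure formula (asset value × threat × vulnerability × impact) and the refinement threshold are all assumptions made for illustration, and the "high-water mark" categorization rule is likewise an assumed simplification.

```python
"""eSAFE-style categorization, baseline selection, risk assessment,
refinement and monitoring.

Added worked example, not from the course slides or the eSAFE framework
documents. The control identifiers, the 1..5 rating scales, the scoring
formula and the threshold are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set

LEVELS = ("low", "medium", "high")

# Constructed master catalog: control -> lowest baseline that includes it.
MASTER_CATALOG: Dict[str, str] = {
    "AC-1 Access control policy": "low",
    "AC-2 Role based accounts": "low",
    "AU-1 Audit logging": "low",
    "SI-1 Antivirus": "low",
    "IA-2 Multi-factor authentication": "medium",
    "SC-1 Encryption in transit": "medium",
    "IR-1 Incident response plan": "medium",
    "SC-2 Encryption at rest": "high",
    "AU-2 Tamper-evident log storage": "high",
    "CP-1 Alternate processing site": "high",
}


def categorize(confidentiality: str, integrity: str, availability: str) -> str:
    """Step 1 (assumed rule): the system category is the highest impact level."""
    return max((confidentiality, integrity, availability), key=LEVELS.index)


def baseline_controls(category: str, catalog=MASTER_CATALOG) -> Set[str]:
    """Step 2: baselines are cumulative, so Medium = Low + Medium controls."""
    limit = LEVELS.index(category)
    return {c for c, lvl in catalog.items() if LEVELS.index(lvl) <= limit}


@dataclass(frozen=True)
class Asset:
    name: str
    value: int          # asset value, 1..5
    threat: int         # threat likelihood, 1..5
    vulnerability: int  # ease of exploiting a known weakness, 1..5
    impact: int         # consequence of loss, 1..5


def risk_score(a: Asset) -> int:
    """Step 3: asset loss exposure as the product of the four ratings (1..625)."""
    return a.value * a.threat * a.vulnerability * a.impact


# Step 4: constructed mapping from an asset to the catalog controls that would
# reduce its dominant weakness; pulled in when the asset's exposure is too high.
REFINEMENTS: Dict[str, Set[str]] = {
    "citizen-db": {"SC-2 Encryption at rest", "AU-2 Tamper-evident log storage"},
    "portal": {"SC-1 Encryption in transit"},
}


def refine(baseline: Set[str], assets: Iterable[Asset], threshold: int = 100) -> Set[str]:
    """Step 4: mandatory set = baseline plus refinements for high-exposure assets."""
    selected = set(baseline)
    for a in assets:
        if risk_score(a) > threshold:
            selected |= REFINEMENTS.get(a.name, set())
    return selected


def monitor(selected: Set[str], audit: Dict[str, Optional[bool]]) -> Dict[str, list]:
    """Step 5: compare the selected controls against the latest audit results.

    audit maps an implemented control to True (test passed), False (failed) or
    None (in place but never tested). Controls absent from audit are missing.
    """
    return {
        "missing": sorted(selected - set(audit)),
        "failed": sorted(c for c in selected if audit.get(c) is False),
        "untested": sorted(c for c in selected if c in audit and audit[c] is None),
    }


# Constructed sample data for a hypothetical state portal and its database.
ASSETS = [
    Asset("citizen-db", value=5, threat=3, vulnerability=4, impact=5),  # exposure 300
    Asset("portal", value=3, threat=4, vulnerability=2, impact=3),      # exposure 72
]
AUDIT: Dict[str, Optional[bool]] = {
    "AC-1 Access control policy": True,
    "AC-2 Role based accounts": True,
    "AU-1 Audit logging": False,
    "SI-1 Antivirus": True,
    "IA-2 Multi-factor authentication": True,
    "SC-1 Encryption in transit": True,
    "SC-2 Encryption at rest": True,
    "AU-2 Tamper-evident log storage": None,
}


def run():
    """Run the five steps for a system rated medium/medium/low on C/I/A."""
    category = categorize("medium", "medium", "low")
    selected = refine(baseline_controls(category), ASSETS)
    return category, selected, monitor(selected, AUDIT)


if __name__ == "__main__":
    cat, sel, report = run()
    print("category:", cat)
    print("selected controls:", sorted(sel))
    print("monitoring report:", report)
```

The monitoring report is what the last slide asks for: controls that were selected but never implemented, controls whose last security audit failed, and controls that are in place but have not been tested, each of which feeds the next refinement round.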
