Over the years, a large number of transformation and mission mode projects have been undertaken by various central ministries and state governments in order to provide quality services to citizens in a more transparent and efficient manner. These services involve information transaction and processing, and in some cases e-payment services are offered to citizens. The increased use of IT in providing these services has also exposed government organizations to an increased number of sophisticated attacks. It is therefore essential to ensure that disruptions of critical government information systems are contained and managed effectively in order to minimize their impact.
Organizations have started defining security requirements from the project initiation stage itself. They have been referring to various guidelines issued by the Department of Electronics and Information Technology (DeitY) and CERT-In to define their security strategy. Most of these government organizations have adopted ISO 27001 to define their security framework, and the certification requirements are clearly laid down in the tender or Request for Proposal (RFP) documents for IT projects.
A few organizations providing e-services to citizens have a dedicated information security committee headed by the most senior member of the organization. These committees have representation from both internal and external stakeholders, such as departmental heads, independent advisors and representatives of service providers. Some organizations have a designated chief information security officer (CISO), who oversees the implementation and effectiveness of the security framework. Further, key responsibility areas (KRAs) have been defined to create ownership and accountability within the organization. Some organizations have specific service level agreements (SLAs) related to information security, and penalties are levied on third parties or vendors when gaps are identified.
Most government organizations have made a conscious effort to protect business-critical data by implementing business continuity and disaster recovery (DR) plans for their datacenters. These DR plans are tested regularly to check the efficiency and effectiveness of the implementation. Various encryption mechanisms are used to protect the confidentiality of data. Security information and event management (SIEM) solutions are deployed to provide a real-time view of the threat landscape. Security incidents are reported to the respective stakeholders, who in turn take corrective action.
The applications used by organizations follow a software development lifecycle methodology, and user acceptance testing is conducted before moving to production. Vulnerability assessment and penetration testing of network and application infrastructure is performed by appointed third parties, and independent code reviews help plug vulnerabilities and thus also yield performance benefits. In some G2B and G2C services, transactional security is ensured by SSL, secure file transfers and digital certificates. Where spoofing is highly likely, multi-factor authentication such as biometrics, OTP-based authentication and digital signatures based on public key infrastructure is used for a high degree of authentication assurance.
Creating awareness within the government sector is the most challenging aspect, owing to its scale and the varying maturity of stakeholders. Some organizations use various mechanisms to create awareness, including classroom training and computer-based training programmes. Security advisories are issued by senior management to all project locations on a regular basis. Security newsletters are published in a bilingual format, in English and Hindi; these have been well received by stakeholders and have made an impact at the ground level. Quizzes are organized, and deserving officers are recognized and encouraged by senior members to create visibility within the organization.
About DSCI Excellence Awards
Data Security Council of India institutionalized the DSCI Excellence Awards in 2011 to recognize, honor and reward organizations and individuals who have implemented strong, effective and resilient data protection programmes that help them address real risks, build resilience, increase trustworthiness and create an environment conducive to business. There are 12 categories in the corporate segment. In the law enforcement agency (LEA) segment, DSCI recognizes and honors state police and investigation agencies for capacity building of police officers in investigating and solving cybercrime cases, and individual officers who have shown excellence in cybercrime investigation. In the first edition, DSCI received 60 nominations representing 52 organizations across 10 categories in the corporate segment, while 24 nominations were received in the LEA segment. In 2012, 78 nominations were received in the corporate segment while 17 were received in the LEA segment. This year, the number of categories has increased and new players are expected to challenge past winners.
Nominations for the DSCI Excellence Awards 2013 are open till 23rd September only. To apply, visit www.dsci.in/taxonomypage/814
---
Author(s): Rahul Sharma
Source: InformationWeek India, 18.09.2013