CYBER SECURITY - EDUCATION AND AWARENESS

Background Paper on Cyber Security - Education and Awareness
Department of Information Technology (India)

A. Background Paper

Cyber Security, which is also referred to as information security, is the protection of information against unauthorized disclosure, transfer, modifications, or disclosure, whether accidental or intentional. In today's scenario, computer networking is the key to the flow of information. It is, therefore, important to provide cyber security, i.e. protecting computer systems and networks from hacking, information stealing, corruption etc. Worldwide, the IT industry, both hardware and software, is working on cyber security aspects to mitigate the potential danger that has assumed significance after 11th September.

Information security is the key issue in today's Information Technology world. Information security is required at all levels: personal level, corporate level, state and country level. There is a steady rise in the occurrence of cyber attacks (28% rise in the first six months of 2002). As per a survey in 2001, cyber attacks cost business roughly $13.2 billion in damage and clean-up cost, while the cost in 2000 was $17.1 billion. Some of the institutes were even forced to shut down whole networks to fix the problem. International Data Corporation (IDC) predicted that the worldwide information security market would increase from roughly $6.7 billion in 2000 to $21 billion by In the financial services industry alone, the spending on security related products and services is expected to rise from $848 million in 2000 to $2.2 billion by Thus, there is a sizable requirement of cyber security products and services. India, being a super power in the software industry, could contribute substantially to this. This necessitates development of specialized manpower, both at high end and low end, in the country. The manpower requirement will not only cater to the world market but will also cater to the country's requirement.

In addition to developing specialized manpower and managers in the cyber security area, there will be a requirement of dissemination of information security related information and issues, and of educating / training computer network users at large. This training could be at various levels including introductory training, technical training in different security disciplines, master training and continued education. The whole idea is that the users contribute to the Information Security initiatives at the Government level.

Realising the imperative for developing this area in the country, especially from the point of view of Education and Awareness, a Working Group on Cyber Security Education and Awareness has been formed by the Department of Information Technology. This Working Group will recommend the measures to be taken in the country to ensure development of education in the area of cyber security, to induct IT related courses in the formal and non-formal education system, and training, both short term and long term, leading to development of indigenous hardware and software capabilities in the core area of Information Security.

The following could be the draft road map / approach for the Working Group:

i. Identification of the thrust areas / industry requirements, both hardware and software: These could include areas like intrusion detection systems, Public Key Infrastructure, firewalls, security assessments, cyber forensics, virtual private networks, wireless security, anti-virus, managed security monitoring, cryptanalysis etc. Research / Technology Development programmes could be initiated in the thrust areas so identified by the Working Group at the leading institutes / research organisations in the country, including setting up of a Cyber Security Institute, if required.

ii. Estimate manpower requirement, both high end and low end, to cater to the national requirements and international market.

iii. Launch nation-wide information security campaign: Information on cyber security related aspects is the concern of all computer network / Internet users. Thus, the Government should take appropriate steps to inform the public about cyber security in a well-organised manner. This could be done by organising workshops / trainings, regular discussions / talks on TV during prime time, publishing articles etc. in the leading newspapers on cyber security and counter security aspects.

iv. Develop cyber security related curriculum for IT courses: This will include identification of the cyber security courses which could be offered as part of IT education, both in the formal and non-formal education sector. To identify the cyber security related course areas, such as Fundamentals of Cyber Security; Cyber Security Techniques and Mechanisms; Cyber Security Protocols, Threats and Defenses; E-business Security and Information Assurance etc., a subgroup could be formed.
The subgroup could include members from Academic Institutes - IITs, IISc etc.; Research institutes / labs - DRDO, ISRO, BARC, TIFR etc; Industry - WIPRO, INFOSYS, SCL etc.; certification agencies like STQC; and other leading computer organisations like CDAC etc. While developing the overall curriculum, Sub-group will take into consideration the HR requirements as projected by the Working Group.

The following could be the draft Terms of Reference of the Subgroup:

a. To prepare a list of courses and curriculum in cyber security which could be offered at
   - Certificate level (3, 6, 12 months)
   - Diploma level
   - Undergraduate level - B.Tech, MCA, B.Sc., M.Sc. etc.
   - Graduate level
b. To prepare a list and develop courses in Information Technology Security Certification and Auditing for Information Security System Managers / administrators.
c. To prepare a list of courses and courseware for computer network users in general.
d. To prepare a list of institutions and experts which could act as the Resource Centers for training the teachers in the area of cyber security.
e. To identify the institutes / centers who could offer the Information Technology Security Certification and Auditing courses to the Information Security system administrators and managers.

The term of the subgroup could be for a period of 4-6 months, at the end of which it will submit the report to the Working Group.

v. E-learning initiatives: The courses developed at the graduate and undergraduate level and other related information on cyber security could be put on the DIT web site for ready reference of computer network users. While developing the courseware, special attention needs to be given to courseware development for educating computer network users.

vi. Setting up of an Information Security Technology Development Council (ISTDC): The main objective of ISTDC will be development of indigenous hardware and software capabilities in the core areas of Information Security identified by the Working Group. While developing the indigenous capabilities, ISTDC should also ensure that enough opportunities are available to the specialized manpower available in the country. For development, a pro-active approach will be followed under which the leading development agencies / institutions will be approached with broad specifications of the project, rather than organisations approaching DIT. The specifications of the project will be arrived at by the ISTDC in consultation with the industry / users etc.

Terms of Reference of ISTDC:

i. To evaluate cyber security project proposals received and to give recommendations for further processing by DIT.
ii. To review the on-going projects through monitoring committees and recommend any modification in scope, funding, duration, additional inputs, termination, transfer of technology etc.
iii. To recommend follow-up action on completed projects: transfer of technology, initiation of next phase etc.
iv. To form Project Review and Steering Groups of the projects approved and funded by DIT.

Duration: The Working Group formed will be for a period of 3 years.

Budget Requirements:

1. Development of indigenous hardware and software capabilities - Rs. 30 Crores
2. Teacher training / course development / lab setup - Rs. 6 Crore
3. E-Learning Initiatives - Rs. 3 Crore
4. Information Dissemination - Rs. 3 Crore

B. Composition of the Inter Ministerial Working Group on Cyber Security Education and Awareness

1. Shri Rajeeva Ratna Shah, Secretary, DIT - Chairman
2. Shri S Laxminarayanan, Additional Secretary, DIT - Member
3. Shri V S Pandey, Joint Secretary (Technical Education), MHRD - Member
4. Dr. R Natarajan, Chairman, AICTE - Member
5. Dr. (Mrs.) Pankaj Mittal, Joint Secretary, UGC, Delhi - Member
6. Prof. Anshul Kumar, IIT Delhi - Member
7. Prof D N Buragohain, Director, IIT Guwahati - Member
8. Prof N Balakrishnan, Indian Institute of Science, Bangalore - Member
9. Dr P N Gupta, ED, DOEACC Society, Delhi - Member
10. Shri V K Dharmadhikari, DG, CEDTI, Delhi - Member
11. Shri Gulshan Rai, ED, ERNET India, Delhi - Member
12. Mr. Kiran Karnik, President, NASSCOM, Delhi - Member
13. Prof R.K. Shyamasundar, TIFR, Mumbai - Member
14. Prof A S Kolaskar, Vice Chancellor, University of Pune, Pune - Member
15. Shri A B Saha, ED, ER&DCI, Kolkata - Member
16. Shri R K Arora, Director, NCST, Mumbai - Member
17. Maj. Gen. A.S. Bhagat, SM, Additional DG SI, Sena Bhavan, New Delhi - Member
18. Brig. G.K. Nischal, DDG (Telecommunication), Army Hqrs., New Delhi - Member
19. Shri Pankaj Agrawala, Joint Secretary, DIT - Member Secretary
21. Dr. S L Sarnot, Director General, STQC, DIT - Member Secretary, IM-WG on Cyber Security Assurance
22. Dr. A K Chakravarty, Adviser, DIT - Member Secretary, IM-WG on Encryption Policy and IM-WG on Cyber Law and Cyber Forensics
Shri B.K. Gairola, DDG, NIC, New Delhi - Member Secretary, IM-WG on Critical Infrastructure Protection

C. Minutes of the First Meeting of the IM WG on Cyber Security Education and Awareness held on 12th December 2002 at DIT New Delhi.

1. First Meeting of the Inter-Ministerial Working Group on Cyber Security Education and Awareness was held on 12th December 2002 at 1130 Hrs. in the E Governance Conference Hall, DIT, under the Chairmanship of Shri Rajeeva Ratna Shah, Secretary DIT.

2. Secretary, in his opening remarks, welcomed the Members of the Working Group and emphasized that information security is a key issue in networked systems and hence there is a need to develop specialized manpower in this area, along with launching an awareness campaign for network users in general. Secretary clarified that the mandate for this working group is
Cyber Security Education and Awareness. The research component will be looked after by the Information Security Technology Development Council (ISTDC), which will be steered by Dr. AK Chakravarti, Adviser, DIT. Chairman also emphasized that, like Y2K, the growing needs of Governments, Corporates and MNCs the world over for Information Security offer us an opportunity of ingress into their systems by becoming a global ISMS manpower resource provider.

3. Shri Pankaj Agrawala, JS, DIT and Member Secretary of the Working Group, made a presentation on the draft Road Map on Cyber Security Education and Awareness, prepared by DIT for the discussions of the Working Group. Member Secretary made the presentation highlighting issues like identification of the thrust areas, estimation of manpower requirement, awareness campaign, development of cyber security related curriculum for IT courses etc. Shri Agrawala emphasized that on the one hand there is a regulation-driven security system and on the other the users are concerned about the vulnerability to cyber attacks and their survival. Thus, there is a need for a legal regulatory framework to remove perverse incentives and adopt appropriate policies to ensure e-security. He also emphasized that the present day market has the technologies, but the ability to effectively put this technology to use is the main concern. Badly designed software is also a threat, necessitating re-training of the existing software manpower towards information security. Thereafter the subject matter was thrown open for discussions.

4. While emphasizing the need for such a pro-active approach by DIT in this area, Prof. Balakrishnan, IISc, opined that about 10% of companies' expenses are on information security related issues and 60% of this amount is spent on the manpower requirements, thereby underlining the importance of information security services.
He further informed that instead of just system administrators / managers there is now a growing requirement of Chief Information Officers (CIOs) with knowledge / experience in information security. He informed that a new security concept called the Security Maturity Model is evolving world-over, wherein the security depth up to which one can go depends on the system's complexity. He further stated that hacking in the present scenario has become simple but the attack is complicated due to the complexities of the systems. Thus we need to evolve new specific packages to tackle the security hazards at the infrastructure, i.e. optical fiber, level, as the one-size-fits-all solution is no longer applicable. He also stated that the global market is much larger than the domestic market. Therefore, he opined that there is a requirement of manpower development in this area to cater to security requirements at all levels including industry. Therefore, an exhaustive courseware needs to be developed.

5. Supporting the views of Prof. Balakrishnan, Prof. Shyamasundar, TIFR, informed that the importance of training system administrators on information security is being felt by various organizations and gave the example of training BARC system administrators on information security at CAT, Indore. He further informed that this training programme is also being organized at other BARC centers. He also emphasized the need of trained manpower at different levels in an organisation.
He was also of the view that a workshop on cyber security gap analysis for system administrators and managers needs to be convened. He opined that while developing courseware, emphasis needs to be given to updating mathematics courses, number theory / cryptography, security modeling and concept analysis.

6. Dr. A.K. Chakravarti, Adviser, DIT, was of the opinion that in the pre-market scenario, IEEE had developed courseware for computer professionals which became de-facto standards. Therefore, there is a need to identify courseware that can become standard courses in the area of information security for the next 5 years, since we are still in the pre-market stage. Government will have to play a lead role.

7. Shri Kiran Karnik, President NASSCOM, also supported the importance of cyber security. In particular, he was of the view that India, being a super power in IT, should take quick measures to embed security curriculum in all the courses. Trained manpower in cyber security will get better pay. Government must play a leading role in this endeavor because pre-market conditions are prevailing at the moment. This will also improve the employment opportunities, as information security for networked systems is becoming an absolute necessity both at the domestic and global level. He further informed that while developing the courses, emphasis should also be laid on development of short-term courses for judiciary, police etc. for clearing their perception about IT in general and about IT security in particular. He also emphasized the need for secured code development for IT security.

8. Certification and Auditing for information security systems is also a key area. There is a requirement of training systems administrators / managers in information security. Tailor-made short-term courses could be offered to these professionals. STQC can identify and develop courseware for these short-term courses.

9. It was also brought out during the discussions that an awareness campaign on information security needs to be launched in the country. This could be done by organising workshops / training, regular discussions / talks on TV and radio during prime time, and publishing articles in the leading newspapers / magazines. The IT security related information should be put on the DIT and other prominent web sites. In these campaigns, information on what to do on a security hazard should also be provided.

10. Summing up, Chairman said that information security is a high priority area, and hence action needs to be taken to develop manpower, both high and low end, to cater to domestic as well as global requirements. In particular, he was of the view that the following areas need to be strengthened in the country:

i. Intrusion detection and prevention system
ii. Perimeter Defense / Firewalls
iii. Vulnerability Assessment
iv. Penetration Testing
v. Incident Handling
vi. Virus / worms notification and correction measures
vii. Computer forensics
viii. Disaster recovery
ix. Infrastructure security
x. Wireless security
xi. Cryptography and Cryptanalysis
xii. Survival of Network

11. Decisions taken:

a. NASSCOM to
   i. Carry out a study on the actual manpower requirement in the area of information security at national and international level to cater to the following categories of users
      - Govt.
      - Business
      - Academia
      - Small industries / small offices / small home offices
   ii. Identify the broad skill sets required
   iii. Conduct a survey on manpower requirement on auditing and certification in the area of information security
   The expenditure for the survey will be met by NASSCOM. NASSCOM to submit the report within one month.

b. STQC will work out a plan of action for spreading Information Security and hold a series of 5-day seminars for initiating CIOs' awareness of the need for small business / offices / home offices into carrying out gap analysis, identifying vulnerabilities and threats in their environment and carrying out rectification.

c. The following Information Security programmes / courses should be initiated formally:
   i. 6 weeks preliminary information security education programme (aiming at converting public information into knowledge). The courseware for this programme has already been developed by IISc, Bangalore under a DIT scheme.
   ii. Certificate course in Information Security: 6 months, i.e. a one-semester course.
   iii. Diploma course in Information Security: one year, i.e. a two-semester course.
   iv. M.Tech programme in Cyber Security. This programme will cover the areas mentioned in para 10 above.

d. In addition to the above, the existing B.Tech and M.Tech courses in computer science and engineering need to be retrofitted with information security related subjects. Extensive hands-on training should be an in-built component in all these courses.

e. For curriculum planning and preparation of courseware for all courses in 11 (c) and (d), the following sub-group was constituted:
   i. Prof. N. Balakrishnan, IISc, Bangalore - Convenor
   ii. Prof. R.K. Shyamasunder, TIFR, Mumbai - Member
   iii. Prof. Anshul Kumar, IIT Delhi - Member
   iv. Dr. C.E. Veni Madhvan, DRDO, Delhi - Member
   It was also decided that the committee could co-opt other members. The committee will submit the report by 15th January.

f. Formalize short-term courseware for information security auditing and certification in consultation with STQC.

12. The next meeting of the committee will be held in the 4th week of January 2003, after receipt of the NASSCOM report on manpower and the sub-group report on courses and curriculum.

C. Minutes of the Second Meeting of the Inter-Ministerial Working Group on Cyber Security Education and Awareness held on 12th March 2003 at DIT New Delhi.

1. Second Meeting of the Inter-Ministerial Working Group on Cyber Security Education and Awareness was held on 12th March 2003 at 1530 Hrs. in DIT under the Chairmanship of Shri Rajeeva Ratna Shah, Secretary DIT. The list of participants is at Annexure.

2. Secretary, in his opening remarks, welcomed the members of the Working Group. Pankaj Agrawala, Joint Secretary, DIT and Member Secretary of the Working Group, briefed the Members about the discussions in the First Meeting of the Working Group, deliverables identified and action taken status. Member Secretary highlighted that the consultant appointed by NASSCOM has submitted its report on IS Manpower Demand Estimation and the sub-group under the convenorship of Prof.
Balakrishnan has prepared the syllabus for INCERT Courses, Certificate Course in Information Security, and Masters in Information Security (renamed M.Tech. in Information Security).

3. Kiran Karnik, President NASSCOM, presented the consultant's report on IS Manpower Demand Estimation. The IDC report presents rising demand for Information Security professionals in the next five years, based on the global IS market opportunity. The forecast also provides manpower requirement spread over different IS market segments given the growth prospects and the evolving market conditions. Rapid growth of this market has created opportunities for software professionals with experience in network and system integration, IT product, telecommunication, and management consulting markets. In addition, the market landscape has created a new form of professional which combines business acumen, technical know-how, and strategic skills to exclusively serve this market. Kiran Karnik presented the contours of the emerging Information Security market and key market trends. Demand Estimation by Technology and by Activity Segment in India as well as
demand estimation by Geographic Region, and demand estimation by Vertical Industry were also indicated in the presentation. He mentioned that the market environment for IS services continues to be highly competitive and highly dynamic in the segments of Network / Systems Integrators, Service Providers, Technology owners, Management Consultants, and Pure-plays. Market trends depend on breadth of services offered, service delivery capabilities, skills, target markets, manpower requirement, technology areas, spending pattern, hiring and size of the market. Market trends indicate concerns about network security vulnerabilities, budgetary pressures with respect to staffing levels, higher levels of network accessibility and security, third party assistance for IT issues especially in the areas of Network and Security Services, and an overall shortage of IT professionals in Information Security. The US market for security consulting and integration services will be the largest ISS market in Managed security and education and training services will be the second- and third-largest markets.
Rise in security awareness has also driven interest in security training and education programmes for which US is to spend $856 million by Estimates of global demand for IS professionals is displaying Compound Annual Growth Rate (CAGR) of 21% from 2002 and In 2001, the worldwide market for ISS grew approximately to $8 billion from $6.7 billion in By the end of 2006, the worldwide ISS market is expected to almost triple to $23.6 billion at a CAGR of approximately 24.1% over the period between 2001 and Estimates of total Information Security Professionals in the Indian security market in 2002 was 19,000, and this is expected to grow at a CAGR of 26% to reach 77,000 in This demand is for various technologies, i.e. IDnA (Intrusion Detection & Vulnerability Assessment) Software, Security 3A (Administration, Authorization, and Authentication) Software, Encryption Software, SCM (Secure Content Management), Firewall/VPN Software and S/W Exports, and various IS Services, i.e. Consulting Services, Implementation Services, Management Services, and S/W Services. The financial services (Banking) sector will be the single largest source of ISS spending and demand for IS professionals as compared to discrete / process manufacturing, communications and media, Central Government and other services. Worldwide demand for IS manpower for the global region was close to 60,000 professionals in 2002 which is expected to increase to 1,88,000 by 2008 displaying a CAGR of 21% between 2001 and

Prof. RK Shyamsunder, TIFR Mumbai and Member of the Sub-Group for preparation of courseware, presented the syllabus for INCERT courses, Certificate Course in Information Security (6 Months Course), and Masters in Information Security.
INCERT courses are related to System Administration Course, Network and Systems Security Course, Network Monitoring Course, Computer Security and Incident Response Course, Setting up the INCERT, Certified Information Security Professional (CISSP) course Months Certificate Course in Information Security consists of Security Management Practices; Physical Security; Access Control; Security Models and Architecture; Cryptography; Networks; Viruses and Worms; Vulnerability Analysis; Disaster Recovery and Business Continuity; Law, Investigation, and Ethics; Application and System Development; and Operations Security.

M.Tech. in Information Security (Masters in Information Security) has Hardcore (Introduction to Operating Systems, Data Structures and Algorithms, System Administration of Single and Networked Systems, Information Security Fundamentals, Introduction to Data
Networks, Cryptography), Softcore (Network Security, Intrusion Detection Systems and Firewalls, Wireless Security, Information Warfare, Data Privacy and International Public Policy in the Internet Age, Statistical Methods for Intrusion Detection, Number Theory, Data Mining, Compilers, Security Practices, and Pattern Recognition), and Elective Courses (Economics of Managing Information Security, Legal and Ethical Issues in Information Security, Rights in the Digital Age, Survivability of Network Analysis, Network Programming, Network Security, Computer Architecture, Neural Networks, and Stochastic Models and Applications). Prof. Shyamsunder mentioned that the courseware takes care of Security Core, Technical Core and Management Core. Selection of courses would provide the option to students of choosing a dual degree in different areas. He also mentioned that IIT Bombay and IIT Delhi have very good courseware in Information Security.

5. Working Group discussed the issues related to web-based tutorial programmes in Information Security, the role of an examining body like DOEACC to conduct the examinations and award the certificates, and problems of hands-on training for courses in e-learning mode. Mrs. Pankaj Mittal from UGC mentioned that UGC has a system of equivalence of degrees. Therefore, the nomenclature for the Masters Programme in Information Security should be changed to MS/ME/M.Tech. in Information Security. Prof Sen from Pune University was of the view that the curriculum design for IT Security must be approached in a holistic manner lest we confuse the threat with the subject matter. It was felt that DOEACC can play a significant role in this exercise. DOEACC has 800 accredited institutions with laboratories which could be used for hands-on training, and courseware could be made available either through CDs or on the Web. Further, NIIT and Aptech can also be involved in this exercise.
Shri PN Gupta, Executive Director DOEACC, confirmed that DOEACC can take a lead role in this initiative. Shri Jatinder Kumar, Senior Director, DIT, also informed that a 5-day Network Security Training Programme is being organized by the R&D in Convergence, Communication and Broadband Technologies Group of the Department of Information Technology. The programme is aimed at giving professionals a deep understanding of the threats to a network and mechanisms for properly defending systems.

6. Summing up, Chairman thanked NASSCOM for the quick analysis of manpower requirement in the Information Security sector. Chairman also thanked the Sub-Group for bringing out courseware in Information Security for various levels.

7. Decisions taken:

i. The Sub-Group of Prof. Balakrishnan and Prof. Shyamsunder was requested to submit a complete courseware document for:
   a.* 6 weeks preliminary information security education programme,
   b.** 6 months Certificate Course in Information Security,
   c. 1 year Diploma course in Information Security, and
   d.*** M.Tech. course in Information Security.
   Suggested course inputs for retrofitting existing B.Tech and M.Tech courses in Computer Science and Engineering may also be added to the list of deliverables.

ii. As 16,000 professionals per year for the next 5 years are required, an Action plan needs to be drawn up clearly mentioning the implementation strategy and resources required, giving break-up of manpower requirement, identification of institutions, and target groups for the various courses mentioned above in e-learning mode or actual class-room mode. Harnessing the role of DOEACC for value-addition programmes may also be considered. NIIT, Aptech and IGNOU could also be involved. Action plan along with budget requirement to be submitted by the Manpower Division in the DIT.

iii. Capacity Building in Institutions and Summer Programs in Information Security may be initiated immediately.

8. The next and last meeting of the Working Group will be held a fortnight after receiving the above document on courseware and action plan.

a.* SHORT TERM COURSES (Course Curriculum)

1. System Administration Course
   1.1 System Administration of Standalone Systems
       1.1.1 Booting and Shutting the system
       1.1.2 User Management
       1.1.3 File systems
       1.1.4 Managing System Resources
       1.1.5 Backup and Restore
       1.1.6 Serial devices and Printers
       1.1.7 System Accounting
       1.1.8 Automating System Administration
       1.1.9 Miscellaneous
   1.2 System Administration of Networked System
       1.2.1 Networking Concepts for System Administration
       1.2.2 Configuring TCP/IP for Unix
       1.2.3 Domain Name System
       1.2.4 Network Information Service
       1.2.5 Network File System
       1.2.6 Electronic Mail Systems
       1.2.7 Introduction to WWW Services
       1.2.8 Network Management and Debugging

2. Network and Systems Security Course
   2.1 Design and evaluation of Physical Security
   2.2 Design and evaluation of Access Controls
   2.3 Routers
   2.4 Packet Filters
   2.5 Firewalls
   2.6 Intrusion Detection Systems
   2.7 Virtual Private Network
   2.8 Cryptography
   2.9 Vulnerability Assessment
   2.10 Risk Evaluation Ethics
   2.11 Law
   2.12 Security Policies and their implementation
   2.13 Security Architecture and models

3. Network Monitoring Course
   3.1 Test Preparation
   3.2 Penetration Testing
   3.3 Violation Analysis and Auditing
   3.4 Reporting Incidents

4. Computer Security and Incident Response Course
   4.1 Basic Framework of CSIR Team
   4.2 Incident Response (IR) Service
   4.3 Advanced Incident Handling
   4.4 CSIRT Operations
   4.5 Survivability Systems Analysis
   4.6 Digital Assets
   4.7 Security Maturity Models

5. Setting up the InCERT
   5.1 Introduction
   5.2 Operational Elements
   5.3 Policies

6. CISSP Certification Course
   6.1 Security Management Practices
   6.2 Access Control
   6.3 Security Models and Architecture
   6.4 Physical Security
   6.5 Telecommunications and Networking Security
   6.6 Cryptography
   6.7 Disaster Recovery and Business Continuity
   6.8 Law, Investigation and Ethics
   6.9 Application and System Development
   6.10 Operations Security

b.** CERTIFICATE COURSE IN INFORMATION SECURITY (6 Month Course) (Course Curriculum)

1. Security Management Practices
2. Physical Security
3. Access Control
4. Security Models and Architecture
5. Cryptography
6. Networks
7. Viruses and Worms
8. Vulnerability Analysis
9. Disaster Recovery and Business Continuity
10. Law, Investigation and Ethics
11. Application and System Development
12. Operations Security

d.*** M.Tech IN INFORMATION SECURITY (Course Curriculum)

Course Categories

1. Hardcore
   1.1 Introduction to Operating Systems
   1.2 Data Structures and Algorithms
   1.3 System Administration of Single and Networked Systems
   1.4 Information Security Fundamentals
   1.5 Introduction to Data Networks
   1.6 Cryptography

2. Softcore
   2.1 Network Security
   2.2 Intrusion Detection Systems and Firewalls
   2.3 Topics in Cryptology
   2.4 Wireless Security
   2.5 Information Warfare
   2.6 Data Privacy and International Public Policy in the Internet Age
   2.7 Statistical Methods for Intrusion Detection
   2.8 Number Theory
   2.9 Data Mining
   2.10 Compilers
   2.11 Security Practices
   2.12 Pattern Recognition

3. Electives
   3.1 Economics of Managing Information Security
   3.2 Legal and Ethical Issues in Information Security
   3.3 Rights in the Digital Age
   3.4 Survivability of Networks Analysis
   3.5 Network Programming
   3.6 Network Security
   3.7 Computer Architecture
   3.8 Neural Networks
   3.9 Stochastic Models and Application

D. For suggestions / comments, contact:

Shri Pankaj Agrawala, Joint Secretary, Department of Information Technology, New Delhi
Dr. J.S. Sehra, Director, Department of Information Technology, New Delhi
Sunil Alag, Director, Department of Information Technology, New Delhi

Source: 04/01/2003