E Governance Security Standards Framework:

Similar documents
Performing Effective Risk Assessments Dos and Don ts

INFORMATION TECHNOLOGY POLICY

Legislative Language

Information Security Policy

UF IT Risk Assessment Standard

Governance and Management of Information Security

Risk Management Guide for Information Technology Systems. NIST SP Overview

BUSINESS ASSOCIATE AGREEMENT

Office of the Auditor General Performance Audit Report. Statewide UNIX Security Controls Department of Technology, Management, and Budget

Information Security Policy

Standards for Security Categorization of Federal Information and Information Systems

SaaS. Business Associate Agreement

Office of Inspector General

Information Security Management Systems

Legislative Language

TITLE III INFORMATION SECURITY

Subject: Critical Infrastructure Identification, Prioritization, and Protection

Public Law th Congress An Act

Access Control BUSINESS REQUIREMENTS FOR ACCESS CONTROL

Chapter 4 Information Security Program Development

December 17, 2003 Homeland Security Presidential Directive/Hspd-7

Guideline for Mapping Types of Information and Information Systems to Security Categorization Levels SP AP-2/03-1

INFORMATION SECURITY STRATEGIC PLAN

AUDIT REPORT WEB PORTAL SECURITY REVIEW FEBRUARY R. D. MacLEAN CITY AUDITOR

COMMONWEALTH OF PENNSYLVANIA DEPARTMENT S OF PUBLIC WELFARE, INSURANCE AND AGING

HEALTH INSURANCE MARKETPLACES GENERALLY PROTECTED PERSONALLY IDENTIFIABLE INFORMATION BUT COULD IMPROVE CERTAIN INFORMATION SECURITY CONTROLS

INTRODUCTION TO NETWORK SECURITY. Nischit Vaidya, CISSP Instructor

Water Security Strategy for Systems Serving Populations Less than 100,000/15 MGD or Less

7. Public Key Cryptosystems and Digital Signatures, 8. Firewalls, 9. Intrusion detection systems, 10. Biometric Security Systems, 11.

Who Should Know This Policy 2 Definitions 2 Contacts 3 Procedures 3 Forms 5 Related Documents 5 Revision History 5 FAQs 5

Gaming System Monitoring and Analysis Effort

Minimum Security Requirements for Federal Information and Information Systems

Office of the Auditor General Performance Audit Report. Statewide Oracle Database Controls Department of Technology, Management, and Budget

Guidance on Risk Analysis Requirements under the HIPAA Security Rule

Information Security Program CHARTER

Build (develop) and document Acceptance Transition to production (installation) Operations and maintenance support (postinstallation)

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014

TABLE OF CONTENTS Information Systems Security Handbook Information Systems Security program elements. 7

Chapter 6: Fundamental Cloud Security

Patch Management Procedure. e-governance

State of West Virginia Office of Technology Policy: Information Security Audit Program Issued by the CTO

Crew Member Self Defense Training (CMSDT) Program

BUSINESS ASSOCIATE AGREEMENT

Notes on Network Security - Introduction

BUSINESS ASSOCIATE AGREEMENT HIPAA Protected Health Information

Business Associate Management Methodology

Executive Summary Program Highlights for FY2009/2010 Mission Statement Authority State Law: University Policy:

H. R SEC DIRECTORATE FOR INFORMATION ANALYSIS AND INFRA STRUCTURE PROTECTION.

Regulation of Investigatory Powers Act 2000

Revenue s Data Strategy

Data Management Policies. Sage ERP Online

FREQUENTLY ASKED QUESTIONS

CMS Information Security Risk Assessment (RA) Methodology

Security Testing and Vulnerability Management Process. e-governance

BUSINESS ASSOCIATE AGREEMENT ( BAA )

Information Security Program Management Standard

NIST National Institute of Standards and Technology

Information Security Program

Guidelines 1 on Information Technology Security

Law & Ethics, Policies & Guidelines, and Security Awareness

HIPAA and Mental Health Privacy:

FISMA Implementation Project

Federal Bureau of Investigation s Integrity and Compliance Program

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy IT Risk Strategy V0.1 April 21, 2014

12/19/2014. HIPAA More Important Than You Realize. Administrative Simplification Privacy Rule Security Rule

Code of Conduct for Directors and Senior Managers

SAMPLE BUSINESS ASSOCIATE AGREEMENT

Security Control Standard

Common Criteria Evaluations for the Biometrics Industry

Tulane University. Tulane University Business Associates Agreement SCOPE OF POLICY STATEMENT OF POLICY IMPLEMENTATION OF POLICY

UTech Services Compliance, Auditing, Risk, and Security (CARS) Team Charter

ISSUE BRIEF. Cloud Security for Federal Agencies. Achieving greater efficiency and better security through federally certified cloud services

REGULATIONS FOR THE SECURITY OF INTERNET BANKING

Work Plan ongoing and planned audit and evaluation projects. Current as of June 5, 2015

REVIEW OF MEDICARE CONTRACTOR INFORMATION SECURITY PROGRAM EVALUATIONS FOR FISCAL YEAR 2013

Advanced File Integrity Monitoring for IT Security, Integrity and Compliance: What you need to know

The Protection Mission a constant endeavor

Supporting FISMA and NIST SP with Secure Managed File Transfer

BUSINESS ASSOCIATE AGREEMENT

Preservation of longstanding, roles and missions of civilian and intelligence agencies

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 14 Risk Mitigation

Hamilton College Administrative Information Systems Security Policy and Procedures. Approved by the IT Committee (December 2004)

Cell All Demonstration

Information Security Policy. Document ID: 3809 Version: 1.0 Owner: Chief Security Officer, Security Services

Subject: Safety and Soundness Standards for Information

Transcription:

Version: 1.0 January, 2010 E Governance Security Standards Framework: An Approach Paper Government of India Department of Information Technology Ministry of Communications and Information Technology New Delhi 110 003

E Security Assurance Framework egovernance Security Standards Framework An Approach Paper STQC IT Services Version No: 1.0 January, 2010 Page 2 of 10

E Security Assurance Framework Contents 1 Introduction... 4 2 Information Security Assurance Framework... 4 2.1 Information Security... 4 2.2 Assurance Framework... 5 3 Categorization of Information System... 6 4 Selection of Baseline Security... 6 5 Risk Assessment... 8 6 Refinement of the Security based on Risk Assessment... 8 7 Implementation of the Security... 8 8 Monitoring and Analysis of the Effectiveness of the Security... 9 9 Information Security Standards and Guidelines... 9 Figures Figure 1: Security Layers... 5 Figure 2: Information Security Assurance Framework... 6 Figure 3: Security... 7 Figure 4: Baseline Security... 8 Figure 5: Information Security Standards and Guidelines Framework... 10 Version No: 1.0 January, 2010 Page 3 of 10

E Security Assurance Framework 1 Introduction STQC has been entrusted with the responsibility of developing the Information Security Standards and Guidelines for egovernance in India. This paper presents an approach to identify the necessary standards and guidelines based on an Information Security Assurance Framework. 2 Information Security Assurance Framework 2.1 Information Security egovernance involves Information Technology enabled initiatives that are used for improving the interaction between Government and citizens or Government and business as well as the internal Government operations. To provide trusted services, egovernance needs to focus on Effectiveness, Efficiency, Flexibility & Transparency. If the citizen or end user is to derive maximum benefit from the provision of e Services through e Governance, the e Service must possess the following attributes. The users must know the information about the available e services; The users must be aware of the benefits of these services; The user should be able to locate the e services easily; The e services must be accessible to all members of the intended target groups; The information from the e services should be comprehensive, correct, readily available, and easy to understand with respect to language and structure; The provision of e services should be confidential, and in no way violate the privacy of either party; The design of egovernance applications should comply with the existing legal data protection requirements and relevant legal and statutory laws & acts. From the attributes it becomes evident that the value of information held and processed by the egovernance service needs to be protected at all levels (i.e. Application, Infrastructure, and Operation & Management). Information security is intended to safeguard the information assets and is determined in terms of confidentiality, integrity and availability. Confidentiality: Protecting sensitive information from unauthorized disclosure or intelligible interception Integrity: Safeguarding the accuracy and completeness of information and software; protecting data from unauthorized, unanticipated or unintentional modification Availability: Ensuring that information and vital IT services are available when required To safeguard the value of information, effective security measures (that can limit the risks and vulnerability) need to be implemented harmoniously. These security measures provide layers of Version No: 1.0 January, 2010 Page 4 of 10

E Security Assurance Framework protection to the Application, IT Infrastructure, Control & Management in a egovernance computing environment. In fact security of any information system is essentially an amalgamated output of Application Security, Infrastructure Security, and Secure Operation & Management. Enforcement of security at all levels is essential to achieve a fairly secure environment. As the probability of simultaneous failures of security at all layers is less this approach has been found to be the most effective in to day's context. This layered approach is alternatively known as 'Defense in depth'. Information Asset Application Security Infrastructure Security Operations & Management Security Figure 1: Security Layers In considering the security measures at different levels that should be put in place, a risk analysis must be performed. The risk analysis must consider the intent, motivation and capability of sources of threat, the feasibility and potential frequency of methods of attack, the nature of vulnerabilities that may be exploited, the value of assets to be protected, the consequences of a successful attack and the cost of any counter measures. 2.2 Assurance Framework It is welll established that information security can be assured through selection of suitable security controls and management of risks. The key activities in assuring information security are a) b) c) d) Categorization of information system Selection of baseline security controls Risk assessment Refinement of the security controls based on risk assessment Version No: 1.0 January, 2010 Page 5 of 10

E Security Assurance Framework e) f) Implementation of the security controls Monitoring and analysis of the effectiveness of the security controls The detail Information Security Assurance Framework will be described in ISF 01. Categorization of information System Baseline Control Selection Risk Assessment Refinement of Implementaton of Monitoring Effectiveness of Figure 2: Information Security Assurance Framework 3 Categorization of Information System The security categorization are done based on the potential impact on an organization, should certain events occur which jeopardizes the information system needed by the organization to accomplish its assigned mission, protect its assets, fulfil its legal responsibilities, maintain its day to day functions, and protect individuals. Security categorization should also consider the vulnerability and threat informationn corresponding to the information system. All information systems can be categorized as LOW IMPACT, MEDIUMM IMPACT and HIGH IMPACT depending on the assessed impacts. A detail guideline document (GD 100) will be developed for this purpose. 4 Selection of Baseline Security Baselinee Security are the minimum informationn security requirements ( Application Security, Infrastructure Security and Operations and Management Security) for information and information systems in each security category (LOW IMPACT, MEDIUM IMPACT and HIGH IMPACT). A guideline document (GD 200) will be developed whichh will list all possible security controls and act as a master catalog of all security controls.. Baseline security controls are subset of controls taken from the master Version No: 1.0 January, 2010 Page 6 of 10

E Security Assurance Framework catalog. There will be three baseline documents LOW BASELINE (GD 201), MEDIUM BASELINE(GD 202), HIGH BASELINE (GD 203). Catalog of Security HIGH BASELINE MEDIUM BASELINE LOW BASELINE Figure 3: Security LOW BASELINE: Subset of basic level security controls taken from the master catalog of controls. MEDIUMM BASELINE: Builds on LOW BASELINE with additional controls taken from the master catalog of controls. HIGH BASELINE: Builds on MEDIUM BASELINE with additional controls taken from the master catalog of controls. Version No: 1.0 January, 2010 Page 7 of 10

E Security Assurance Framework Master Catalog of Security GD 200 LOW BASELINE GD 201 MEDIUM BASELINE GD 202 HIGH BASELINE GD 202 Figure 4: Baseline Security 5 Risk Assessment Over and above the baseline security controls depending on the operating environment and technology there can be some specific security requirements. These security requirements can be identified through a risk assessment process. Guideline document GD 300 will be developed to outline risk assessment and management methodologies. 6 Refinement of the Security based on Risk Assessment Based on the outcome of the risk assessment additional controls will be selected from the master catalog of controls. 7 Implementation of the Security After identification of the security controls it is necessary to implement the security controls in the respective information systems through managed processes. A guideline document GD 210 will be prepared which will outline implementation guidelines in details. Version No: 1.0 January, 2010 Page 8 of 10

E Security Assurance Framework 8 Monitoring and Analysis of the Effectiveness of the Security Monitoring and analysis of the effectiveness of the security controls can be conducted through periodic testing, evaluation, review of the implemented controls. A guideline document GD220 will be developed outlining the procedures of assessment of the effectiveness of the implemented security controls. 9 Information Security Standards and Guidelines Document No. Document Title ISF 01 GD 100 GD 200 GD 201 GD 202 GD 203 GD 210 GD 220 GD 300 Information Security Assessment Framework Guidelines for Security Categorization of egovernance Information Systems Catalog of Security Baseline Security for LOW IMPACT INFORMATION SYSTEMS Baseline Security for MEDIUM IMPACT INFORMATION SYSTEMS Baseline Security for HIGH IMPACT INFORMATION SYSTEMS Guidelines for Implementation Security Guidelines for Assessment of Effectiveness of Security Guidelines for Information Security Risk Assessment and Management Version No: 1.0 January, 2010 Page 9 of 10

E Security Assurance Framework ISF 01 Categorization of information System GD 100 Baseline Control Selection GD 200/201/202/ /203 Risk Assessment GD 300 Risik Management GD 300 Implementaton of GD 210 Monitoring Effectiveness of GD 220 Figure 5: Information Security Standards and Guidelines Framework Version No: 1.0 January, 2010 Page 10 of 10

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information