Australia Germany India Singapore UAE UK USA
Building India the Destination for Secure Software: A Standards Driven Framework
By Dr. Prem Chand, Vice President, Mahindra British Telecom
09 Sep 04
Agenda
Industry Expectations of Industry
Developing Security Engineering Expertise
Security in Business Collaboration
Provider of the Security Services
Suggested National Initiatives
Recent security incidents, homeland security reports and industry initiatives are indicative of an unprecedented demand for security in software
Secure software is no longer an option; it is a demand of every customer
India, by its strategic investments in quality, is recognized as a destination for development of quality software
This leadership position will be lost if we do not make similar forays into security.
Somebody will answer this demand for secure software
WHO WILL THIS BE? USA, EUROPE, CHINA, RUSSIA, KOREA OR INDIA? CAN WE CREATE AND RIDE ANOTHER WAVE BY BUILDING INDIA THE DESTINATION FOR SECURE SOFTWARE
Background
Defense: Facilities, Command & Control Warfare, Information Warfare, Hardened Information Sites, Force Formations, Infrastructure Supporting Armed Forces
National Core Infrastructure: Water, Telecommunications, Transport, Governance, Electric Power, Space, Ports
Economic, Social & Political: Environment, Crime / Law Enforcement, Healthcare, Safety/Protection, Society / Culture, Economy / Finance / Banking, Political / Diplomatic, Education, Research, Design and Development
Major Commodities: Energy, Food, Chemicals, Raw materials, Irreplaceable components, Human Resource, Mines
Industry: Steel, Military Hardware, Heavy Engineering, Machinery, Electronics, Computers, Software, Information (content, IPR), Consumer durables, Insurance, Automotive
Intangible Networks: Perceptions, Public confidence, Entertainment, Media, Legal Framework, Privacy, Trust in Institutions
Target Security Market Foot Print For Software Industry
NETWORKED GLOBAL INFRASTRUCTURES
Business Collaboration Security: Secure Outsourcing Destination, Secure ODC Operations, Security Concerns of Large Business Operations
Provider of the Business Security Services
Destination for Secure Software Development
Security Expectations of the Global Industry
Security in Business Collaboration: Secure Outsourcing Destination & Secure ODC Operations
Security of the Global Business Foot Print
Business Continuity: Do you have the resources to deal with the financial impact of emergency situations? Have you identified potential business disruptions? What would a day of downtime cost you?
Infrastructure: Are you prepared to deal with security breaches? Are you aware of potential liability for customer system disruptions?
Identification: Can you positively identify and control access to your facilities, systems and borders? Can permissions be changed in real-time?
Collaboration: Are you able to securely exchange information with others? Do you easily comply with industry standards? Do you understand your liability for security breaches?
Privacy: Can you protect the confidential data of your employees or constituents? Are you familiar with legislation that requires safeguarding of customers' personal data?
Off-shoring/ ODC/ Developmental Concerns
Managed Security Service: Resources to deal with the impact of emergency situations. Identified potential business disruptions.
IPR Protection & Digital Rights Management: Tracking Code & Team Personnel, Digital Signing, Logical Separation & Physical Separation of sensitive Data & Code
Project Level Security Management: Positive identification and controlled access to facilities, systems and borders. Permissions and access rules can be changed in real-time.
Security Code Review: Review & Testing of Software at Source Code/ Binary
Data Protection/ Privacy: Can protect the confidential data of employees or constituents. Familiar with legislation that requires safeguarding of customers' personal data.
ODC Secure Operations: Logical and physical separation of individual projects.
Security of the Day to Day Business Operations
Security Operations: Patch Management, Malicious code management, Secure builds, Configuration Management, Log Analysis
Vulnerability Assessment: Asset Classification, Penetration Testing, Network Security Review, Risk Assessment, Risk Treatment
Identification, Authentication, Access Control: Single Sign On Solutions, Smart Cards, Biometrics, Digital Certificates
SAP/ CRM/ Application Security Review & Audit: Role Based Controls Definition, SAP Hardening/ Internal Controls Review, Assessment & Audit, BASIS Review, SAS 70 Controls Audit
Business Continuity Planning: Contingency Planning, Disaster Planning, Recovery Planning
Information Security Management System/ ISO 17799: Risk Assessment, Security Policy Development, Security Improvement Plan Implementation, Security Training
Secure Development Outsourcing - Risk Mitigation
Establish a centralized Security Program Office to manage the secure development outsourcing and risk mitigation. This ensures consistency in security policies and processes that are created and implemented across the entire environment, which can be applied to all Off-Shore partners.
Offshore Development Environment
Establish a trusted partner status
Rigorous BCP/DR
Onsite Production Environment
Throw a cordon around production systems
Code Security – Storage, transmission, development
Robust IT Infrastructure
Comprehensive BCP
ERP controls and assurance for internal applications
Customer Facing Security Strategies
Content Monitoring System for e-mail security (CMS)
Code Access & Authorization System for Projects
Centralized Managed Security Service and Incidence Response System
IPR Protection and Digital Rights Management System
Org. wide Single Sign-on
Additional Features
End to End Infrastructure Security
Systems Availability
Support Security Compliance and Monitoring
Security Mission (diagram): Security Policy; Security Technology Management; Exploitation Management; Vulnerability Management; Attack Response; Leveraged Technology; Managed Vulnerabilities; Threat Updates; Attack Signature Updates; Training & Awareness; Firewalls; Intrusion Detection; Monitoring Systems; Host Scanners; Technology Configuration; Technology Trends; Technology Updates; Fault Reporting
Securing Customer Data - Layers of Security
Base Infrastructure and Information security
Project teams
Secure physical access
Secure network access
Secure logical access
Customer information, design, code
Regular backups: onsite and offshore
Dedicated project servers with access control
Secure access to remote servers using authentication
Dedicated and redundant links/routes
Firewalls at all access points
Central monitoring for virus protection and intrusion detection
Security awareness training
NDA & IPR agreements
Secure data centers
Secure project environment
Secure development facility
Project Specific BCP & DRP
BCP & DRP for a project:
Ownership: Corporate Head
Preparation & Testing: Project Manager
Review: Corporate Head
Facilitators: MBT Security
User Provisioning & deprovisioning
Authentication - Use of Secure ID tokens
Confidentiality agreement by MBT-Project team
Secure logon procedures
Project Data Classification & secure handling
Secure Areas: Separate Controlled Environment
Desktop & Laptop Security
Network Security
Protection of system test data
Business Continuity Planning
Compliance
Secure Project Environment
BS 7799 Based ISMS Implementation & Certification
Implementation of the ISMS framework according to BS 7799
Security Policies, Procedures, Guidance, Controls, Compliance and Monitoring are as per the BS 7799/ISO 17799 standard.
Certification Plan
Certification Audit every quarter
Provider of the Security Services: Develop/ Adapt Standards Based Security Services Framework Across Software Industry
Security Framework Standards for IT Infrastructure
Legal & Regulatory Environment (Banking Act, Evidence Act, Electronic Transactions Act, Computer Misuse Act)
Availability
Accountability
Non- Repudiation
Integrity
Confidentiality
Authorization
Authentication
Processes & Methods; Security Services; Architecture & Mechanism
Best Practices (Security Organisation, Physical Security, Personnel Security, Operational Security)
Security Policy (Business & Organisation Rules)
Security Infrastructure; Network Security; Security Techniques; Security API's; Security Tokens; Risk Assessment; Security Monitoring & Incident Management; Business Continuity & DRP; Security Assurance & Accreditation
Extended Security Framework (diagram): Software System; Shared Data; Assurance / Billing / Fulfillment; Message Based Security (CIA); Centralized & Policy Driven Authentication, Privileges, User Data; OSS, B2B G/W, Internal Enterprise Mgmt, CORP, ERP; IP NW, PSTN, Wireless; Router, Switches, Servers; Backbone N/W; Data center, Exchange Building, Offices
Layers: Application Security; Network Security; Physical Security; Security Mgmt & Ops; Information; Business Process; Network; Physical Infrastructure
Security Architecture for Secure Operations: Mapping Security Needs of Software Elements
Access Control: • I & A • Authorisation • Decision • Empowerment • Assigning • Binding • Representing • Communicating & Authenticating (User to host, Peer to Peer, Third Party)
Confidentiality: • Security Enabled Appl. • Secure Peripherals • Operating Systems • Secure FTP • Security Protocols (IPSec, SSL) • Location of data • Type of data • Amount/Parts of data • Value of data • Data Protection • Data Separation • Traffic Flow • Frequency Hopping
Availability: • H/W Resources • Software Resources • Quality of Service • Throughput • Protection from Attack • Protection from unauthorised use • Resistance to routine failure
Integrity: • Single Data Unit • Stream of Data
Non-Repudiation: • With proof of origin • With proof of delivery • Auditing Services
Software System Core Elements: Enhanced Telecom Operations; Shared Info / Data Model; Contracts / Interfaces; Technology Neutral Architecture; Compliance
Relate Security Goals, Services & the Technology
Services: Identification, Authentication, Authorization / Access, Administer, Audit
Technology: Smart Cards, Card Readers, Biometrics, Tokens, User IDs, X.509 Certificates, PKI, DCE / Kerberos, Firewalls, Remote Access, Cryptography, Security Domains, Access Control Administration, Certificate Authority, Sign-on, Audit Tools, Monitor/Filter, Network Integrity, Intrusion Detection, Virus Protection
Goals: Confidentiality, Access, Integrity, Non-Repudiation, Availability
IT Environment: People, Process, Technology
Security Management Requirements
• Policy • Certification & Accreditation • Key Management • Access control and management • Readiness Assessment • Security management • Recovery & Reconstruction
• Policies & Procedures • Security Administration • Physical Security • Personnel Security • Monitoring • Training/Awareness
• IA Architecture • IA Criteria (Security, Interoperability with PKI) • Evaluated Products • Risk Assessment
Statutory Regulations, Technological Developments & Management Expectations
Secure Infrastructure & Network; Secure Data & Operations; Security Management; Support Infrastructure; IE Environment
Lifecycle: Initiation, Design / Develop, Test / Implement, Maintain, Dispose
ISO 15408/ CC: Evaluate the products to EAL 2
ISO 17799: Build secure operations/ Audits
NIST TR 13339: Build credible metrics
IATF 3.1: Build robust risk model
ISO 13335 (FRISTA): IT Assurance
ISO 21827/ SSE-CMM: enable security throughout the life cycle and ensure that it is applied across products. Appraisal at SSE-CMM Level 3
Complementary: SDLC, SSE-CMM and CC & ISO 17799
Standards Based Security & Assurance Framework
Supporting Standards
Architecture & Framework for Security Management: ISO 10181: OSI Security Framework; ISO TR 13335: IT Security Management; ISO 17799: Code of Practice & Specification for ISMS; SS 493: IT Security Framework; SSEM/ DoD: System Security Engineering Model; ISO 21827: Security Maturity Model
Development & Implementation Technologies/ Mechanisms: Application Protocols: SSL, S-HTTP; Authentication: Kerberos, RADIUS, SAML; Cryptography: RSA, DSA, ECC, DES, AES, SHA-1; Messaging: S/MIME, PEM, XMLDSIG, XMLENC; Application Security: CORBA, WS; Directory Authentication: ITU-T X.509
Security - Adapt Standards (Contd.)
Methodology Standards: AS/ NZS 4360 Risk Management; OCTAVE Critical Threat, Asset, and Vulnerability Evaluation; OSTMM v2 Penetration Testing; ISO 15408 Evaluation criteria for IT Security; FIPS PUB 140-2 Cryptographic Modules; SP 800-55 Security Metrics
Training & Competencies: CISSP, SSCP, CISA, CISM
Financial Services: COBIT, ANSI X.9
Industry Leadership Goals
Enhance Software Security Across all Verticals
Meet all requirements for Unique, High Assurance Solutions
Promote Security Across all Business Verticals
Champion Information Security for the Software Industry
Forge Innovative Customer Driven Security
Forge PoC’s & CoE’s for Software Security across Industry
Leadership & Technical Support Areas: Secure Operations; Awareness & Education; Clearing House; Certification & Accreditation; Product Evaluation; Security Engineering; Design Guidance; Architectural Definition; Requirement Assessment
Test Security in Each Layer
Standards applied: ISO 17799, COBIT, ISO TR 13335; OSTMM v2, ISO 21827, ISO 10181; ISO 15408
Systems: Secure System (Network, Operations & Management)
Installations: Secure Installation (Network, Infrastructure, Application S/w, Database)
Components: S/w & H/w components
Focus on Testing & Evaluation Framework: Electronic Transactions Systems Testing; Secure Document Management Services; Licensed Evaluation Facility (NGOSS Components); Security Validation (Network, Operations); Inter-operability Testing; Common Criteria Testing; Basic Security Integration & Testing Framework; Security Policy & Business Process Integration
Product 1, Product 2, Service 1, Product x
Security Leadership Focus: Nasscom
Provide leadership in security products and services necessary to enable the software industry to protect sensitive information in information systems, in consonance with laws and national security policies
Provide technical support to the software industry's efforts to incorporate information systems security into the software (Networks, Infrastructure, Interfaces, Operations, Management)
Support customer’s risk management processes by providing information needed to make informed trade-offs between systems’ security, risk, cost, schedule, and mission requirements
Support certification and accreditation
Provide support for future efforts in security design guidance, inject security into early design phases of software and adapt commercial secure products
Security Leadership Focus: Contd…
Promote Security Services Across the Software Industry
System Security Assessments
Information System Security Education, Training and Awareness
Security Engineering and Consulting
Product Evaluation
Clearinghouse for Security Technical Information
Security Infrastructure
Make recommendations regarding the technical and economic feasibility of security features which should be used (or are planned to be used) to mitigate, minimize or transfer risks in the software environment
Security Leadership Focus: Contd…
Develop Comprehensive Security Services Portfolio
Typical Security Service Offerings
Enterprise Security Consulting
Security Technology Solutions
Security Engineering Practice
Application Security
ISMS
BCP
Secure Network Architecture
Managed Security Services
Secure Automation Solutions
Professional Services Organization
Digital Rights Management
Penetration Testing
Security Code Audit
SSE-CMM Consultancy
Enterprise Business Assurance Services
Destination for Secure Software Development: Develop Standards Driven Security Engineering Framework
Security Engineering Pervasiveness
Classic INFOSEC Techniques: COMPUSEC, COMSEC, INFOSEC, Information Security, OPSEC
Major System Solution Roles: Buyer/User, Accrediting Authority, Certifier, Evaluator, Developer
Life Cycle Phases: Acquisition, Development, Integration, Operation, Maintenance
Major Engineering Disciplines: Security Engineering, Enterprise Modeling, Systems Engineering, Software Engineering, Hardware Engineering, Test Engineering
Assurance across the lifecycle: Design / Development (e.g. Product Evaluation Assurance, Development Assurance); Integration (e.g. Assessment, Certification Assurance, Testing Assurance); Deployment (e.g. System Accreditation Assurance); Operation (e.g. Security Management Assurance)
Lifecycle Approach to Security - Step
Process; Deliverable (Product, System, or Service); Environment (Personnel & Organization)
Assurance Stages: Design / Development, Integration, Deployment, Operation
Assurance Approach: Assurance Methods A to H (diagram)
Applying Systems Security Engineering to NGOSS
“The systems security engineering process is the process of discovering stakeholders’, customers’ and users’ information protection needs and then designing and making information systems, with economy and elegance, so they can safely resist the forces to which they may be subjected.” [IATF 3.1]
System Engineering vs. Systems Security Engineering:
Discover Needs / Discover Information Protection Needs
Define System Requirements / Define System Security Requirements
Design System Architecture / Design System Security Architecture
Develop Detailed Design / Develop Detailed Security Design
Implement System / Implement System Security
Assess Effectiveness / Assess Information Protection Effectiveness
Methodology for Security Requirement Assessment
Information Management Model [IMM]; Revised IMM; Mission / Business Functions; Structured Analysis of Information; Applying Least Privilege Concept; Threat Analysis; Information Protection Policy [IPP]; Preparing Information Protection Policy (IPP(PP,ST)); Protection Need Elicitation
Security Engineering: Process Maturity Dimension
SSE-CMM Based Process Maturity Levels:
Level 1: Performed Informally
Level 2: Planned & Tracked
Level 3: Well Defined
Level 4: Quantitatively Controlled
Level 5: Continuously Improving
Environment's Security Guidelines & Process Creation (diagram): Assurance Processes; Security Model of the NGOSS; Risk Proc.; Organisation's Security Processes; Authentication; Engineering Processes
TMF can leverage SSE-CMM to
• Assist in defining the desired process maturity levels for the identified areas
• Work out the process improvement plans right from the design phase and put in place a process monitoring and control framework
• Help to evaluate service providers using SSAM appraisals
Classification of Process Areas
Value Addition to SOFTWARE Program
SOFTWARE COMPONENTS
Adopting Security Engineering: Improved process maturity; Improved Risk Mitigation; Better Assurance Evidence; Facilitate Evaluation against Common Criteria
Requirement Capture; Design / Development; Delivery
Secure Software Development Lifecycle
Business Requirements; Functional Requirements; Coding; Testing
Guiding Principles of Software Security; Secure Coding Practices; Security Tests w.r.t. CEM
Security Functional Requirements; Security Assurance Requirements; Security Risk Management
Tool Driven Development Framework
Secure Software Development Tools; User Inputs; Security Requirement Specifications; MS Visio; Development Environment; Visual Studio.NET
Requirement Capture Phase: Queries to the User
Design Phase (to be generated manually): Use Case Diagrams implementing security; Class Diagrams implementing security; Sequence Diagrams implementing security
Development Phase: Secure Coding practices; Guidelines for Secure Coding Practices in .NET; Assurance Guidelines; Generating a CM Plan
Delivery Phase: Assurance Guidelines; Secure Delivery, Operations, Life Cycle Support Guidelines; Practices to be followed for Assurance measures
Software Security Framework Goals
Build software security upfront; avoid bolting it on as an afterthought
Build end to end security, collaboratively for all stakeholders
Follow standards & industry best practices across the lifecycle
Plug in legacy & be future proof; evolve a robust framework
Allow global play with local solutions; universalization with the least architecture and technology constraints
As a beginning, formalize framework outlines: examine the work already done by industry; survey IT security standards and frameworks, map their applicability to software; establish the framework outlines; identify focus areas & prioritize actions
Deliverables: a consistent, state of the practice and cost effective SOFTWARE SECURITY FRAMEWORK; a basket full of guidelines, mandates, clearances, industry best practices, PoCs and a map to navigate across all software building blocks for "Cradle to Grave" support to all stakeholders in software security
Standards for Security & Assurance Framework
Use of the Security Engineering Processes of ISO 21827/ SSE-CMM in conjunction with IATF 3.1 or an equivalent standard can assist in risk assessment/ security requirement formulation, detailed design and implementation. This step can ensure building security into the software lifecycle.
An assurance framework built around ISO 15443/ FRITSA, ISO 15408/ Common Criteria and ISO 21827/ SSE-CMM can ensure that security is implemented throughout the software lifecycle and can be applied to all products, services and components
Both SSE-CMM and CC are complementary to each other. Thus, the appraisal of software components and products at SSE-CMM level 3 will facilitate the evaluation of products and services at EAL level 2 or above against CC.
The ISO 17799 based controls can ensure secure operations
NIST/ SP 800-55 can facilitate metrics for cost, ROI, effectiveness etc.
Building blocks of Security & Assurance Framework
Security Framework: The Security Engineering Processes of ISO 21827/ SSE-CMM can be used to define requirements. These requirements can be realized using IATF 3.1 or any equivalent methodology for building the Information Management Model/ Risk Assessment/ Information Protection Profile
Assurance framework: ISO 21827/ SSE-CMM, ISO 15443/ FRITSA & ISO 15408/ Common Criteria can be used to build assurance into the life cycle. This will guarantee that security is implemented throughout the software lifecycle and that it is applied to all components, products and services appropriately. Both SSE-CMM and CC are complementary to each other. Thus, the appraisal of NGOSS components and products at SSE-CMM level 3 will facilitate the evaluation of NGOSS products and services at EAL level 2 or above against CC. FRITSA will assist in:
Assessment of deliverables
Assessment of products
Assessment of environment
Evaluation Assurance related to parts of design, development and operation
Development Assurance related to development stages
Testing Assurance related to tests at each stage of the lifecycle
Secure Operations: ISO 17799 based controls/ audits and SSE-CMM based process maturity will ensure secure operations
Building Blocks of Security …Contd
Metrics: Until an ISO standard emerges, NIST/ SP 800-55 can be used as a guideline to develop metrics for security cost overheads, ROI, effectiveness etc.
Consultancy Framework: A rich consultancy repository of know-how and industry best practices can be created to build a strategic view of software security as a life cycle activity. This initiative will help to create Security Certified Professionals in the consultancy space, a unique industry strength to provide the following:
Design Guidance; Risk Management; Security Engineering; Product Evaluation; Certification & Accreditation; Clearing House Functions; Awareness & Education; Secure Operations
SSE-CMM WILL ACT AS A GLUE TO BIND ALL THE OTHER STANDARDS, GUIDELINES, BEST PRACTICES & SUPPORT MATERIAL
Advantages of Composite Framework
A formal approach to security engineering using ISO standards & industry best practices will help industry to upfront build the security foundations into the software engineering framework rather than addressing it piecemeal as an afterthought.
This framework would address software security at the level of processes, products, services, people, technology and environment for all the stakeholders. SSE-CMM processes will support creation of ST and PP, in turn helping in certifications.
SSE-CMM Appraisals and CC Assurance Evaluations are both conducted using active investigations. The CC Assurance Classes have a corresponding Process Area or Base Practice in SSE-CMM. CC Assurance Evaluation evidence closely matches SSE-CMM Appraisal work products. The following complementary frameworks and methodologies will further bring completeness and comprehensiveness to the framework:
Risk assessment using IATF 3.1
Management of security operations and residual risks using ISO 17799
Security metrics using SP 800-55
Evaluation of NGOSS products using CC/ ISO 15408
COMPOSITE FRAMEWORK WILL PROVIDE ANSWERS TO SOFTWARE SECURITY
Recommended Framework Standards
ISO 21827 SSE-CMM for engineering security across NGOSS lifecycle
IATF v 3.1 to complement ISO 17799/ SSE-CMM for Risk Assessment/ Requirement Elicitation
ISO 15408/ Common Criteria to complement ISO 21827/ SSE-CMM for Product/ Service Assurance/ Certification
ISO 15443 (FRITSA) focus on IT assurance
ISO 17799 for building operational controls & audits
NIST SP 800-55 Guidelines for building metrics
Way Forward
Security Framework
Assurance framework: Assessment of deliverables; Assessment of products; Assessment of environment; Evaluation Assurance related to parts of design, development and operation; Development Assurance related to development stages; Testing Assurance related to tests at each stage of the lifecycle
Secure Operations Framework
Metrics
Consultancy Framework: Design Guidance; Risk Management; Security Engineering; Product Evaluation; Certification & Accreditation; Clearing House Functions; Awareness & Education; Secure Operations
Suggested National Initiatives
Government: Invest liberally in manpower development. Involve Universities, IITs / IIITs / IIMs / IISc and private industry to create security awareness, training, education and research initiatives.
Invest in development & promotion of sector specific security pilot projects in 10 areas, viz. finance, banking, insurance, governance, transport, energy, defense etc.
Invest in the development of National Information Infrastructure Assurance Program through industry participation and strategic alliances with overseas partners.
Formalise the NII Security Policy Framework and institute compliance through governments at center & state levels.
Invest liberally in RD&D Initiatives in e-Security.
NIAP DEC 02
Suggested National Initiatives……Contd
Industry: Fund industry to foster a world class Security Practice Framework until its acceptance by ICT end users reaches a critical mass. Industry is reluctant to invest in the prevailing circumstances. Make monetary concessions to end users in certification programs.
Involve indigenous industry in large System Integration Partnerships in the ICT sectors through tie-ups at global level.
Promote Secure Managed Security Services & Secure Web Services out of India.
Align security with software business in sector specific verticals, viz. Telecom, business, banking, defence, insurance, governance etc.
Initiate and promote World Class Secure Software development as per ISO 15408/ ISO 21827/ ISO 17799
Build secure development sites for offshore work
NASSCOM
Commission a consultant to provide global e-Security window to industry.
Nucleate an e-Security working group.
Promote BS7799 , ISO15408, ISO 21827 initiatives.
Foster strategic alliances for brand building.
Project India as destination for secure software development, security services and secure outsourcing destination
Suggested National Initiatives……Contd
THANK YOU