Government of India
Ministry of Communications and Information Technology
Department of Information Technology
National Informatics Centre
http://egovstandards.gov.in

Network and Information Security Standards for E-Governance
- An Approach Paper -
Prepared by:
T.M.Rao, Senior Technical Director
Reviewed by:
Deputy Director General NIC
Approved by:
Director General
No part of this document shall be reproduced without prior permission of Director General, National Informatics Centre
Amendment Log
1. Introduction
1.1 Background
1.2 Purpose
1.3 Scope
2. Need for Standards
3. Areas of Network and Information Security Standards
4. National and International Initiatives on Standards
4.1 ISO
4.2 BIS
4.3 State Governments
Amendment Log
Version No. | Date | Change Number | Brief Description | Sections Changed
1. Introduction
With the introduction of computers, the need for automated tools for protecting files and other information stored on computers became evident. Information security is essential for a shared system, such as a time-sharing system, and the need is even more acute for systems that can be accessed over a public telephone or data network. The second major change that affected security is the introduction of distributed systems and the use of networks and communication facilities for carrying data between terminal user and computer and between computer and computer. Network security measures are needed to protect data during transmission, because virtually all business, Government and academic organizations have interconnected their systems through the collection of networks referred to as the Internet.
A new approach to standards-based e-Governance that simultaneously provides for the security and the availability of network resources is the need of the hour. This approach keeps information safe, yet available whenever, wherever and to whomever the needs dictate. Network and Information Security standards need to be put in place for the prevention of intrusions, the detection and removal of malicious code, the management of the organization's security systems, the assurance of service continuity through proper disaster management, data protection through data backup and recovery procedures, and many more.
1.1 Background
Recognizing the critical role that standards play in the rapid growth of e-Governance, the Department of Information Technology (DIT) has constituted an “Apex Body on Standards in DIT”, vide its notification No. 14 (3)04-EGD dated
for the setting as well as the development of standards for the e-Governance initiatives in India.
Network and Information Security is one of the key priority areas identified under the National e-Governance Programme (NeGP). National Informatics Centre (NIC) has been entrusted with the major task of formulating standards in this area.
Working groups are being set up for each of the above areas of standards. As a first step, originating white papers on all the desired standards need to be prepared, to serve as discussion papers for the Working Groups that will develop the standards.
1.2 Purpose
To act as a base document that can be submitted to the working group for deliberation, leading to white papers on Network and Information Security Standards for e-Governance.
1.3 Scope
The scope of this document is to introduce the Network and Information Security needs of e-Governance and to identify the various areas of Network and Information Security where standards need to be put in place.
2. Need for Standards
With e-Governance initiatives being taken up on a large scale at both the Central and State Government levels, it is essential to have a broad national-level policy framework of standards to ensure seamless integration and interoperability of applications and services in a secure manner across the country. The Policy
Services are being offered to citizens by the State Governments independently on various State subjects, and these need to be in line with the Central Government initiatives. For example, State Governments are setting up SWANs, which need to be established on global standards so that they integrate with the national-level NICNET, which is in turn reaching up to block level shortly.
3. Areas of Network and Information Security Standards
Following are some of the areas of Network and Information Security where standards need to be put in place in the context of e-Governance.
- Data Protection and Retention
- Backup and Recovery (including Disaster Recovery and Service Continuity)
- Security Appliances (Firewalls, VPN Gateways, Content Filtering, Wi-Fi and more)
- Electronic Mail
- SPAM Prevention
- Anti-Virus
- Password Selection
- Early Warning Systems (Intrusion Prevention)
- Computer Emergency Response Teams (CERT)
- Digital Signature
4. National and International Initiatives on Standards
Following are some of the agencies working towards defining standards in the area of Network and Information Security.
4.1 ISO
ISO/IEC 17799:2005 establishes guidelines and general principles for initiating, implementing, maintaining and improving information security management in an organization. The objectives it outlines provide general guidance on the commonly accepted goals of information security management. ISO/IEC 17799:2005 contains best-practice control objectives and controls in the following areas of information security management:
Security policy; organization of information security; asset management; human resources security; physical and environmental security; communications and operations management; access control; information systems acquisition, development and maintenance; information security incident management; business continuity management.
4.2 BIS
BIS is engaged in the formulation of Indian Standards for the Electronics and Information Technology sector, supervised by a Division Council of which Network and Information Security is a part. BIS publishes a detailed Work Programme for each Division Council once a year. The Work Programme, besides giving the scope of the Division Council and its Sectional Committees, contains the committee-wise position of published standards and of draft standards (preliminary, wide-circulation and finalized drafts) at different stages of preparation. Copies of the Work Programme (and also of wide-circulation drafts, for comments
during the wide-circulation period) can be obtained from the Director of the
4.3 State Governments
Some State Governments, such as Andhra Pradesh, have released their own IT policy documents, prepared with the help of consultants, in which Network and Information Security standards and IT architecture form a part.
5. Abbreviations
Abbreviation | Description
BIS | Bureau of Indian Standards
DIT | Department of Information Technology
e_Governance | E Governance
IEC | Institute of Electronics Communications
ISO | International Standards Organization
IT | Information Technology
NIC | National Informatics Centre
NICNET | NIC Network
SWAN | State Wide Area Network
VPN | Virtual Private Network