G o v e r n m e n t o f I n d i a M i n i s t r y o f C o m m u n i c a t i o n s a n d I n f o r m a t i o n T e c h n o l o g y D e p a r t m e n t

N

N

N

e

e

e

t

t

t

w

w

w

o

o

o

r

r

r

k

k

k

a

a

a

n

n

n

d

d

d

I

I

I

n

n

n

f

f

f

o

o

o

r

r

r

m

m

m

a

a

a

t

t

t

i

i

i

o

o

o

n

n

n

S

S

S

e

e

e

c

c

c

u

u

u

r

r

r

i

i

i

t

t

t

y

y

y

S

S

S

t

t

t

a

a

a

n

n

n

d

d

d

a

a

a

r

r

r

d

d

d

s

s

s

f

f

f

o

o

o

r

r

r

E

E

E

-

-

-

G

G

G

o

o

o

v

v

v

e

e

e

r

r

r

n

n

n

a

a

a

n

n

n

c

c

c

e

e

e

--

-

A

A

A

n

n

n

A

A

A

p

p

p

p

p

p

r

r

r

o

o

o

a

a

a

c

c

c

h

h

h

P

P

P

a

a

a

p

p

p

e

e

e

r

r

r

-

-

G o v e r n m e n t o f I n d i a M i n i s t r y o f C o m m u n i c a t i o n s a n d I n f o r m a t i o n T e c h n o l o g y D e p a r t m e n t o f I n f o r m a t i o n T e c h n o l o g y N a t i o n a l I n f o r m a t i c s C e n t r e http://egovstandards.gov.in

Network and Information Security

Standards

-

Prepared by:

T.M.Rao, Senior Technical Director

Reviewed by:

Deputy Director General NIC

Approved by:

Director General

No part of this document shall be reproduced without prior permission of Director General, National Informatics Centre

Amendment Log ... 4

1.

Introduction ... 5

1.1 BACKGROUND... 5

1.2 PURPOSE... 6

1.3 SCOPE... 6

2.

Need for Standards... 6

3.

Areas of Network and Information Security Standards... 7

4. National and International Initiatives on Standards ... 8

4.1 ISO ... 8

4.2 BIS ... 8

4.3 STATE GOVERNMENTS... 9

Amendment Log

Version No.

Date Change Number

Brief Description Sections Changed

1. Introduction

With the introduction of computers, the need for automated tools for protecting files and other information stored on computers became evident. The information security is essential for a shared system, such as a time sharing system, and the need is even more acute for systems that can be accessed over public telephone or data network. The second major change that affected security is the introduction of distributed systems and the use of networks and communication facilities for carrying data between terminal user and computer and between computer and computer. Network security measures are needed to protect data during their transmission because virtually all business, Government and academic organizations are interconnected their systems with a collection of networks referred as Internet.

A new approach to the standards based e-Governance that simultaneously provides for the security and availability of network resources is the need of the hour. This approach keeps information safe, yet available whenever, wherever and to whomever the needs dictate. The Network and Information security standards need to be put in place for prevention of intrusions, detecting and removing malicious code, managing the organizations security systems, ensuring the service continuity with proper disaster management, data protection with data back up and recovery procedures and many more.

1.1 Background

Recognizing the critical role that standards play in the rapid growth of e-Governance, the Department of Information Technology (DIT), has constituted an “Apex Body on Standards in DIT”, vide its notification No. 14 (3)04-EGD dated

for setting as well as development of standards for the e-Governance initiatives in India.

Network and Information security is one of the key priority area identified under the National e-Governance Programme (NeGP).National Informatics Centre (NIC) has been entrusted with this major task of the formulation of standards.

Working groups are being set up for each of the above area of Standards. Originating white papers on all desired standards to serve, as discussion papers for Working Groups to develop standards need to be prepared at the first instance.

1.2 Purpose

To act as a base document that can be submitted to the working group to deliberate and come out with white papers on Network and Information Standards for e_Governance.

1.3 Scope

The scope of this document is to introduce the Network and Information security needs of e_Governance and to identify the various areas of Network and Information Security where standards need to be put in place.

2. Need for Standards

With the e-Governance initiatives taken up in a large scale both at Central and State Government level, it is essential to have a broad national level policy framework of standards to ensure seamless integration and inter operability of applications and services in a secured manner across the country. The Policy

services are being offered to the citizens by the State Governments independently on various State subjects that need to be in line with the Central Government initiatives. For example, State Governments are setting up SWAN that need to be established on global standards to integrate with national level NICNET which is again reaching up to block level shortly.

3. Areas of Network and Information Security

Standards

Following are some of the areas of Network and Information Security where Standards need to be put in place in the context of e_Governance.

?? Data protection and Retention

?? Back up and Recovery (Including Disaster Recovery and Service

Continuity)

?? Security Appliances (Firewalls, VPN Gateways, Content filtering,

Wi-Fi and more)

?? Electronic Mail

?? SPAM Prevention

?? Anti Virus

?? Password Selection

?? Early Warning Systems (Intrusion Prevention)

?? Computer Emergency Response Teams (CERT)

?? Digital Signature

4. National and International Initiatives on

Standards

Following are some of the agencies working towards defining standards in the

area of Network and Information Security

.

4.1 ISO

ISO/IEC 17799:2005 establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization. The objectives outlined provide general guidance on the commonly accepted goals of information security management. ISO/IEC 17799:2005 contains best practices of control objectives and controls in the following areas of information security management:

Security policy; organization of information security; asset management; human resources security; physical and environmental security; communications and operations management; access control; information systems acquisition; development and maintenance; information security incident management; business continuity management.

4.2 BIS

BIS is engaged in formulation of Indian Standards for the sector Electronics and Information Technology supervised by a division counsel in which Network and Information Security is a part. BIS publishes detailed Work Programme for each of the Division Council once in a year. The Work Programme, besides giving scope of Division Council and Sectional Committees, contains committee wise position of standards published and draft standards (like preliminary, wide circulation and finalized draft standards) at different stages of preparation. The copies of Work Programme (and also of wide circulation drafts for comments

during the wide circulation period) can be obtained from the Director of the

4.3 State Governments

Some State Governments like Andhra Pradesh have released their own IT policy documents with the help of consultants in which the Network and Information Security standards and IT architecture form a part.

5. Abbreviations

Abbreviation Description

BIS Bureau of Indian Standards

DIT Department of Information Technology

e_Governance E Governance

IEC Institute of Electronics Communications

ISO International Standards Organization

IT Information Technology

NIC National Informatics Centre

NICNET NIC Network

SWAN State Wide Area Network

VPN Virtual Private Network