
Special Security Issues: Creating Digital Trust for G-eP, Beyond PKI & Digital Signatures. Prof. K. Subramanian, WB & ADB e-Procurement conference, 19th May 2006.



Presentation transcript:

Slide 1: Special Security Issues. Prof. KS @2006, WB & ADB e-Procurement conference, 19th May 2006. Creating Digital Trust for G-eP: Beyond PKI & Digital Signatures. ID Management, Standards & Certification and Assurance. Prof. K. Subramanian, DDG (NIC) & IT Adviser to CAG of India.

Slide 2: Cyberspace is Dynamic, Undefined and Exponential. Technology management, and the management of technologies in general and of security in particular, are critical issues of eGP governance. Countries need dynamic laws that keep pace with technological advancements.

Slide 3: e-Procurement Essentials: Enablers
- The spread of fast, reliable broadband Internet connectivity is a key factor in fuelling e-procurement and e-commerce initiatives.
- The Internet has shrunk the cost of going into business, which is good for the SME sector.
- A good, reliable, authenticated website is essential to reach customers worldwide.
- Empowerment of both consumers and entrepreneurs, with reliable, accurate and authentic information on products and services.
- Push and pull technology working in a collaborative mode with multimodal delivery is a reality and an enabler.

Slide 4: e-Procurement Essentials: Security and Trust View Point
- Safety and security are the highest priority.
- Creating trust and confidence is important; third-party certification and PKI/digital signatures may be one of the solutions.
- Integration into enterprise workflow, ERP and EAI with proper identification, authorization and authentication, whether within a VPN/enterprise network or over the open Internet (an identity infrastructure and a network identity infrastructure are essential). A user-permission-based approach may be explored.
- Security has implications for both centralized and decentralized implementations.

Slide 5: e-Procurement Success: Technology Integration into the Work Process. The most successful e-procurement projects are those where the e-procurement function becomes totally embedded in the business process and where the system is sufficiently flexible to accommodate the rapid changes in technology which are inevitable.

Slide 6: Security concerns and desired controls framework
- Identification: Can we find out who is trying to reach us?
- Authentication: Can we ensure that the users are who they claim to be?
- Authorisation: Can we limit/control their actions?
- Confidentiality: Can we ensure that the privacy of sensitive information is maintained?
- Integrity: Can we ensure that the data has not been manipulated during or after transmission?
- Non-repudiation: Can we ensure that the sender and receiver are accountable/responsible for their actions?
- Auditability: Can we ensure the traceability of actions?
- Intrusion Detection: Can we detect any unauthorised access attempts?
- Error Correction: Can we correct errors as soon as they are detected?

Slide 7: Main Concerns: Privacy, Safety, Security, and Creating and Maintaining Trust.

Slide 8: e-Procurement: New Avenues. Internet e-procurement has huge scalability and, subject to implementation and security details, opens up a huge global market for procurement, including procurement from completely new suppliers.

Slide 9: Secure e-Procurement: TCO and ROI. As a business process, implementing secure electronic purchasing can be a highly effective way of reducing transaction costs and improving process efficiency. With the savings and cost benefits going straight to the bottom line, e-procurement can deliver a significant return on investment, although analysts are divided over how long this can take. Secure eGP systems become cost effective only for high-cost or high-volume purchases; the inference is that they are not applicable to all purchases unless centralization is possible.

Slide 10: Typical Network Identity Infrastructure Today. [Figure 3. Typical Network Identity Infrastructure Today]

Slide 11: Basic Network Identity Services Functions. [Figure]

Slide 12: Network ID Management Infrastructure & Control: Authentication of Appliances
- An intuitive GUI is accessible from web browsers. It provides a global management view of the network identity infrastructure from any location, based on that particular user's access permissions.
- There are no general user logins. For security reasons, only an administrator can configure an appliance using a web browser, communicating with the appliance over an encrypted session.

Slide 13: Network ID Management Infrastructure & Control: Authentication of Appliances (continued)
- To populate the data store with each enterprise's user and policy information, tools are available to export data from existing servers and import it into specified authorized appliances.
- Network identity appliances come equipped with a rich set of standards-based reporting, logging, and advanced configuration and management features. Among them are SNMP support and web-based reporting functions.

Slide 14: First Line of Defense Issues: Firewall & VoIP Incompatibility. To stop someone dumping a virus on your machine or defacing your homepage, it's essential to have some form of dedicated web server protection. But the use of firewalls, generally seen as the first line of defense in protecting data, has been interfering with the transmission of Voice over Internet Protocol (VoIP) calls. The key problem is an incompatibility between aspects of VoIP and firewall technology.

Slide 15: Securing & Managing Interdependencies
- Infrastructure characteristics (organizational, operational, temporal, spatial)
- Environment (economic, legal/regulatory, technical, social/political)
- Coupling and response behavior (adaptive, inflexible, loose/tight, linear/complex)
- Type of failure (common cause, cascading, escalating)
- Types of interdependencies (physical, cyber, logical, geographic)
- State of operations (normal, stressed/disrupted, repair/restoration)

Slide 16: Identity Management

Slide 17: In a Virtual Space, Netizens Exist, Citizens Don't!

Slide 18: Identity Management
- Identity management is not new, but has evolved from the days of a single password entry onto the network to a comprehensive set of processes and systems that make it easier for all users to access information in real time and in a much more secure manner.
- Although ID management discussions tend to center on the technical improvements in system security, the more important benefits are the opportunities gained by collaborating with vendors, suppliers, and customers across the supply chain.
- The real value of an ID management solution is that it ultimately enables this wide range of business enterprise.

Slide 19: ID Metrics Requirements
- Universality: each person should have the characteristic.
- Distinctiveness: any two persons should be different in terms of the characteristic.
- Permanence: the characteristic should be sufficiently invariant (with respect to the matching criterion) over a period of time.
- Collectibility: the characteristic should be quantitatively measurable.

Slide 20: Four Ways to Become an Automated Identity-Focused Enterprise
1. Change current identity concepts
2. Perform automated user provisioning wisely
3. Integrate automated identity management and user provisioning
4. Control identity operations

Slide 21: 1. Change Current Identity Concepts. Many business and IT leaders correlate identity with users; this is only part of the equation. The concept of identity must be expanded to include systems, servers, applications, data, and even transactions and events. As auditors analyze business processes, they'll see that all organizational components can be assigned identities that link corporate activities within the current IT infrastructure. With the use of an all-encompassing identity, the road to continuous access management and compliance with regulations becomes more attainable. Furthermore, with automated identity management tools, an organization is able to assign a permanent identity to every user, computer, server, and application, thus monitoring what employees can and can't access.

Slide 22: 2. Perform Automated User Provisioning Wisely. User provisioning, the process of assigning system resources and privileges to users, automates and streamlines the creation of user accounts and the assignment of user privileges, and provides account permission data. Incorporating automated user provisioning can not only help organizations comply with Sarbanes-Oxley, but also enhance their audit processes and monitoring of IT activities.

Slide 23: 3. Integrate Automated Identity Management and User Provisioning. The ultimate goal of automation is to inject identity into every session a machine initiates, track its activities and transactions across an enterprise, and integrate this ability into the existing IT infrastructure. To integrate automated identity management and user provisioning successfully, organizations must first determine all users, assets, and applications in an identity-centric and consistent manner. This ensures user provisioning solutions are not compromised by unknown activity and are aligned with the broader IT environment. Only properly provisioned users and applications, based on corporate policy, should have the ability to communicate. Nevertheless, organizations must be able to control these interactions fully and provide a complete audit trail of these activities. The organization must also confirm that non-authorized users, such as employees who are no longer working for the organization, do not have access to IT resources, thus reducing the risk of invalid user actions.
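The reconciliation step described on this slide (inventory every account, check it against corporate policy, deny access to leavers and produce an audit trail) can be implemented as a small review job. The following is an added illustration and not part of the presentation; the HR roster, the account lists, the role-to-privilege policy and the dates are all constructed sample data.

```python
"""Orphaned-account reconciliation: compare an HR roster with the accounts
found in each application, flag leavers, unknown accounts and privileges
outside the role policy, and write every finding to an audit trail.
Constructed example; the roster, accounts and policy are sample data."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Person:
    person_id: str
    name: str
    role: str
    left_on: Optional[date]  # None while the person is still employed


@dataclass(frozen=True)
class Account:
    system: str
    login: str
    person_id: Optional[str]  # None when the account is not linked to HR
    privileges: frozenset


@dataclass(frozen=True)
class Finding:
    system: str
    login: str
    kind: str  # "leaver", "unknown" or "excess-privilege"
    detail: str


# Constructed corporate policy: the privileges each role may hold.
ROLE_POLICY: Dict[str, frozenset] = {
    "buyer": frozenset({"create_rfq", "view_bids"}),
    "approver": frozenset({"view_bids", "award_contract"}),
    "admin": frozenset({"create_rfq", "view_bids", "award_contract", "manage_users"}),
}


def reconcile(roster: List[Person], accounts: List[Account], today: date) -> List[Finding]:
    """Check every account against HR and the role policy; return the violations."""
    people = {p.person_id: p for p in roster}
    findings: List[Finding] = []
    for acct in accounts:
        person = people.get(acct.person_id) if acct.person_id else None
        if person is None:
            # Account exists in the application but nobody in HR owns it.
            findings.append(Finding(acct.system, acct.login, "unknown",
                                    "account is not linked to any person in HR"))
            continue
        if person.left_on is not None and person.left_on <= today:
            # Leaver whose account was never deprovisioned.
            findings.append(Finding(acct.system, acct.login, "leaver",
                                    f"{person.name} left on {person.left_on.isoformat()}"))
            continue
        excess = acct.privileges - ROLE_POLICY.get(person.role, frozenset())
        if excess:
            findings.append(Finding(acct.system, acct.login, "excess-privilege",
                                    f"role {person.role} does not permit {sorted(excess)}"))
    return findings


def audit_trail(findings: List[Finding], run_on: date) -> List[str]:
    """One fixed-format line per finding, ordered by system and login."""
    return [f"{run_on.isoformat()} {f.system} {f.login} {f.kind}: {f.detail}"
            for f in sorted(findings, key=lambda f: (f.system, f.login))]


# Constructed sample data: one active buyer, one approver who has left, one admin.
ROSTER = [
    Person("P001", "A. Buyer", "buyer", None),
    Person("P002", "B. Approver", "approver", date(2006, 4, 30)),
    Person("P003", "C. Admin", "admin", None),
]
ACCOUNTS = [
    Account("erp", "abuyer", "P001", frozenset({"create_rfq", "view_bids"})),
    Account("erp", "bapprover", "P002", frozenset({"view_bids", "award_contract"})),
    Account("portal", "abuyer", "P001", frozenset({"create_rfq", "award_contract"})),
    Account("portal", "temp01", None, frozenset({"view_bids"})),
    Account("erp", "cadmin", "P003", frozenset({"manage_users"})),
]
REVIEW_DATE = date(2006, 5, 19)


def run_sample() -> List[str]:
    """Run the review over the sample data and return the audit-trail lines."""
    return audit_trail(reconcile(ROSTER, ACCOUNTS, REVIEW_DATE), REVIEW_DATE)


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```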

Slide 24: 4. Control Identity Operations. To help meet Sarbanes-Oxley regulations, many organizations have given a higher priority to producing log files and report data. The reality is that many organizations don't have the resources to process data logs, nor do they have the means to correlate information from disparate sources. Although newer security event management systems have improved, the fundamental problem of managing the data and automating its compilation still exists.

Slide 25: Identification: Why? For whom? When? How?

Slide 26: Identification Measures and Parameters of Personal Identity
- By name: association with father's/mother's name; association with family name; association with surname.
- By given details: date of birth; place of birth; country of birth; country of naturalization.

Slide 27: A biometric system operates on: verification; identification.

Slide 28: Biometrics. [Figure]

Slide 29: Biometric Unique Identifier. [Figure]

Slide 30: Building and Sustaining Trust
- Building a trusted relationship with suppliers is critical before dealing with them over the Internet.
- Consumer comfort: 60 per cent said they preferred to deal with bricks-and-mortar companies rather than Internet-only traders.
- Concerns about security are paramount, even among those with significant experience of trading online with suppliers. Of the advanced users interviewed for the report, nine per cent said they had experienced security problems through e-procurement.
(Source: PriceWaterhouseCoopers' survey report)

Slide 31: Security & Trust. Security and trust are inseparable. "Across the supply chain, people are demanding more and more exchange of current, pertinent information and they want to have confidence in their trading partners."

Slide 32: Definition of e-trust. Development of mutual confidence within complex electronic environments through each player's willingness to continuously demonstrate, to the other player's satisfaction, that the game is honest, open, following the rules and properly controlled.

Slide 33: Conventional Information Security & e-trust
- Conventional security practices do not reveal the nature or extent of our security capabilities; to do so is considered an act of compromise.
- The network economy requires a series of external representations that will meet the expectations and support the confidence of all players.
- Demonstrability.

Slide 34: Trust and Security
- Reciprocity: appropriate protection for all
- Responsibility and liability
- Standardization of processes, interfaces and technologies

Slide 35: e-trust: Business Partners & the Network Economy
- Can I trust the entities and infrastructures on which I depend?
- Can the organizations involved trust me?
- Together, can we trust our common infrastructure and processes?

Slide 36: Major Challenges and Issues. Authentication of identity is the main issue. "People need to be satisfied about who they're dealing with. They need to know that their messages have not been intercepted or corrupted on the way, and, most importantly, that they are legally non-repudiable, meaning that the other party can't walk away from it in a court of law."

Slide 37: Security fears are well-founded, with the study showing that remarkably few companies had implemented the latest technology to secure business transactions. Nearly two-thirds of companies said they rely solely on password protection when dealing with suppliers over the Internet. (Source: PriceWaterhouseCoopers' report)

Slide 38: Security Standards & Certification

Slide 39: National Cryptography Policy. A complex area with scientific, technical, political, social, business and economic dimensions.

Slide 40: Importance of Group Standards: no one standard meets all requirements. ISO 27001/BS 7799 vs COBIT vs CMM vs ITIL. [Figure: Mission, Business Objectives, Business Risks, Applicable Risks, Internal Controls, Review]

Slide 41: Compliance with Security Standards and Good Practices: Indian & International Standards
- IS 14356-1996: Guide for Protection of Information Resources
- IS 14357-1996: Guide for Practice for Information Security
- ISO 17799-1:2000: Code of Practice for ISM; will replace IS 14356-1996
- ISO/IEC 15483: Standards for TCSEC (IS 14990:1 2001)
- ISO/IEC 15408: Standards for TCSEC (IS 14990:1 2001)
- IS 15150, Nov 2002: New integrated harmonized Indian standard on ISMS
- ISO/IEC 21827: Information Technology - Systems Security Engineering - Capability Maturity Model (SSE-CMM)
- Information Technology - Systems Security Engineering - Capability Maturity Model with PCMM, July 2006
- BS 7799-1:1999: Code of Practice for Information Security Management
- BS 7799-2:1999: Specification for Information Security Management Systems
- BS 7799-1:2000: revised standard (Code of Practice for Information Security Management)
- BS 7799-2:2002, Sep 2002
- ISO 27001, Oct 2005

Slide 42: Business Assurance and Certification

Slide 43: 9 Rules of Risk Management (RiskMetrics Group)
- There is no return without risk: rewards go to those who take risks.
- Be transparent: risk is measured and managed by people, not by mathematical models.
- Know what you don't know: question the assumptions you make.
- Communicate: risk should be discussed openly.
- Diversify: multiple risks will produce more consistent rewards.
- Show discipline: a consistent and rigorous approach will beat a constantly changing strategy.
- Use common sense: it is better to be approximately right than precisely wrong.
- Return is only half the question: decisions are to be made only by considering both the risk and the return of the possibilities.

Slide 44: Risk. The lack of a trusted third party to guarantee online transactions is a key factor in companies' limited security. Unlike the stock exchange, which underwrites transactions between traders, most online marketplaces merely facilitate the transaction between two parties. They simply warn businesses that they trade at their own risk.

Slide 45: PKI & Trusted Third Party Certificate
- Many believe that confidence in online transactions would be dramatically increased by the use of public key infrastructure and encryption technologies to encrypt and seal messages.
- But while the use of digital certificate technology would certainly increase confidence, the problem is finding a trusted third party to issue such a certificate.
- Asked who would be suitable to guarantee the security of e-business transactions, most respondents in the public survey said they would rather rely on an accounting or telecoms firm than on the Government.

Slide 46: Enhancement to Certification
- Certification alone cannot absolutely guarantee the trustworthiness of certificate holders or the organizations they represent.
- Creating a family of certificates enhances the confidence level.
- Recognition of certification is based not only on knowledge, but also on one's identity.

Slide 47: Certification and Cost. IT certifications "are a commendable thing to do for a variety of reasons." However, they "require a considerable investment, and the benefit must be weighed against other needs and priorities for scarce resources".

48 Comparison of Seals

Web Certification Product | Cost          | Privacy of Data | Security of Data                        | Business Policies | Transaction Processing Integrity
BBB Online                | Low           | No              | Lightly Covered                         | No                |
TRUSTe                    | Low           | Yes             | No                                      |                   |
VeriSign                  | Low to Medium | No              | Yes: Data Transmittal; No: Data Storage | No                |
ICSA                      | High          | Yes             | Somewhat Covered                        | Lightly Covered   |
WebTrust                  | High          | Yes             |                                         |                   |

49 The need and the to-do. Strong, demonstrable security and assurance processes, and the best practitioners to design, build and manage them. Ensuring at all times that practices, products and personnel can pass the closest scrutiny. Anticipating and keeping pace with the security needs of the information marketplace. Protective measures, architecture, philosophy and best practices are as dynamic as the information processes they support. Ensuring not just currency of knowledge, but anticipating new requirements and environments.

50 The need and the to-do. Being ready to respond with new certification offerings, updated examinations, expanded knowledge bases, publications, training and communications. Generating global trust without compromising trustworthiness.

51 Reliability of national/global critical infrastructure. Measuring system risk and resiliency. Understanding and managing interdependencies. Overcoming barriers to technological change. Selecting appropriate forms of infrastructure governance. Developing efficient incentive structures. Adopting an integrated systems perspective.

52 Risk and Resiliency. Economic consequences. Non-economic consequences. Environmental risk assessments. Socio-community and individual risk perceptions.

53 The interface between technology and human behavior is an important subject for investigation: the use of detection/prevention technologies; the ways in which deployment of technologies can complement or conflict with the values of privacy and civil liberty; and the factors that influence the trustworthiness of individuals in a position to compromise or thwart security.

54 Conclusion. Technology alone is not going to guarantee cyber and critical infrastructure reliability and security. Policies and approaches are needed that recognize that critical national/global infrastructures are complex adaptive systems, with behaviors and responses that may not be well understood. Also needed is a better grasp of how to measure infrastructure risk, and of how to create the governance and incentive systems, including the human factors, that improve reliability.

55 E-Procurement & Cyber Security - Final Message. "In security matters Past is no guarantee; Present is imperfect and Future is uncertain." "Failure is not when we fall down, but when we fail to get up."

56 Thank You. For Interaction: Prof. K. Subramanian, ksdir@nic.in, ksmanian48@gmail.com, ksmanian20032004@yahoo.com. Tele: 23239560

