A security policy is a document that sets out how the organization's physical and information technology (IT) assets are to be protected, and it is continuously updated as technology and requirements change. It may include an acceptable use policy, a description of how employees are to be educated, the security measures to be enforced, and a procedure for evaluating the effectiveness of the policy so that necessary corrections are made.
An information security management system (ISMS) is a collection of policies and procedures for managing critical data. The aim is to minimize risk and ensure business continuity by proactively limiting the impact of a security or data breach. An ISMS is usually focused on employee behavior and processes as well as on particular types of data, such as citizen or customer data. ISO 27001 is a specification for building an ISMS: it does not mandate specific technical controls, but it does set requirements for documentation, internal audits, continual improvement, and corrective and preventive action.
Any good system of governance should be resilient to fraud, inadvertent malware infection, the variety of motivated cyber crimes carried out through unauthorized access, and even nation-sponsored cyber warfare, and it should continue to function in disaster and wartime scenarios.
With every new application, new vulnerabilities crop up, posing immense challenges to those mandated to protect the IT assets. E-Government security requirements can be studied by examining the overall process end to end, beginning at the citizen's end and ending at the e-Gov server. The assets that must be protected to ensure secure e-Gov include the client computers, the messages traveling over the communication channel, and the Web and e-Government servers, including any hardware attached to the servers.
Need
- Adversaries are capable of launching harmful attacks on IT systems, networks, and information assets.
- Enterprise concerns have been heightened by increasingly sophisticated hacker attacks and identity thefts, warnings of cyber terrorism, and the pervasiveness of IT uses.
- A breach of security could lead to lost opportunities, defamation, loss of goodwill, repudiation loss, financial loss, transactional loss, loss of citizens' confidence and many others
- A defacement / hacking of a public website can cause loss of reputation
- Vital data i.e. databases can be lost if unauthorized entry is not checked properly
- An e-procurement website stops functioning all of a sudden
- A disaster strikes and processes come to a standstill
- Repudiation loss – One party to a transaction denies having sent it, or the other party denies having received it, and the system cannot prove which account is true
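Repudiation loss is the one item in this list with a direct technical countermeasure, so here is an added example (not code from the original page) showing why a shared-secret authentication tag does not settle a dispute but a digital signature does. The e-procurement transaction, its field layout, the bidder and portal names, and the choice of HMAC-SHA256 and Ed25519 as the two mechanisms are all assumptions made for the illustration; the Go standard library supplies both primitives.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Transaction is a constructed e-procurement record; the fields are illustrative.
type Transaction struct {
	ID     string
	Bidder string
	Amount string
}

// Bytes returns the canonical encoding that is authenticated. A fixed, unambiguous
// encoding matters: the same fields serialised two ways would verify differently.
func (t Transaction) Bytes() []byte {
	return []byte(t.ID + "|" + t.Bidder + "|" + t.Amount)
}

// HMACTag authenticates t under a key shared by bidder and portal.
func HMACTag(key []byte, t Transaction) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(t.Bytes())
	return m.Sum(nil)
}

// HMACValid checks a tag in constant time.
func HMACValid(key []byte, t Transaction, tag []byte) bool {
	return hmac.Equal(HMACTag(key, t), tag)
}

// Sign produces an Ed25519 signature that only the private-key holder can make.
func Sign(priv ed25519.PrivateKey, t Transaction) []byte {
	return ed25519.Sign(priv, t.Bytes())
}

// Verify checks a signature against the bidder's public key.
func Verify(pub ed25519.PublicKey, t Transaction, sig []byte) bool {
	return ed25519.Verify(pub, t.Bytes(), sig)
}

// Outcome records what each mechanism can and cannot prove in a dispute.
type Outcome struct {
	HMACVerifies        bool // the tag on the submitted record checks out
	HMACForgedByPortal  bool // the portal, holding the same key, reproduces an identical tag
	SigVerifies         bool // the bidder's signature checks out
	SigVerifiesTampered bool // signature still accepted after the amount is altered
	SigForgedByPortal   bool // a signature made with the portal's own key passes as the bidder's
}

// RunScenario plays out a constructed dispute: the portal says the bidder
// submitted tx, the bidder denies it. It returns what each mechanism shows.
func RunScenario() (Outcome, error) {
	var out Outcome
	tx := Transaction{ID: "TND-2024-0117", Bidder: "vendor-42", Amount: "1250000.00"}

	// Shared secret: both parties know it, so a valid tag proves nothing to an arbiter.
	shared := make([]byte, 32)
	if _, err := rand.Read(shared); err != nil {
		return out, err
	}
	tag := HMACTag(shared, tx) // produced by the bidder
	out.HMACVerifies = HMACValid(shared, tx, tag)
	out.HMACForgedByPortal = bytes.Equal(HMACTag(shared, tx), tag) // portal makes the same tag

	// Asymmetric: the bidder keeps priv; the portal and any arbiter hold only pub.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return out, err
	}
	sig := Sign(priv, tx)
	out.SigVerifies = Verify(pub, tx, sig)

	// Alteration after the fact is detected.
	altered := tx
	altered.Amount = "12500000.00"
	out.SigVerifiesTampered = Verify(pub, altered, sig)

	// The portal cannot sign on the bidder's behalf without priv.
	_, portalPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return out, err
	}
	out.SigForgedByPortal = Verify(pub, tx, Sign(portalPriv, tx))
	return out, nil
}

func main() {
	out, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

The signature alone is the cryptographic half of non-repudiation; in an e-Governance deployment it still has to be paired with a trustworthy binding of the public key to the bidder (a certificate or registration record), a trusted timestamp, and private keys that stay in the bidder's sole custody, otherwise the bidder can credibly claim the key was not theirs or was stolen.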
Security Measures
- Data Center Security – Use Firewalls
- Web-site Security – Use Anti-virus and Anti-phishing tools
- Physical Office Security – Implement restricted accessibility and do regular checks & reviews
- Secured Working Processes – Planning long-term solutions and implementing the process cycle to be followed (PDCA Cycle – Plan, Do, Check & Act)
Issues in implementing security
- Letting vendors define “good security”
- Underestimating the required security expertise
- Assigning untrained people to maintain security
- Relying primarily on a firewall.
- Putting budget concerns first, neglecting the value of the organization's information and reputation.
- Authorizing reactive, short-term fixes so problems re-emerge rapidly.
- Lack of internal technical capacity
- Loopholes in the applications and databases
- Exit management
- Complex e-Governance Projects
- High performance & response time
- High Security desired on operations but not a top priority to start with
- Multiple Legacy Environments
- Low priority for implementation of Security Standards
- Low priority for implementation of suitable access controls and authorization
- Inadequate preparation of RFPs, which fail to capture all the security requirements