E GOVSecurity

e-governance model and security

Uploaded by

Surya Basnet

Chapter 4

E-Government and Security


Topic
• Challenges and Approach of E-government Security;
• Security Management Model;
• E-Government Security Architecture;
• Security Standards
E-governance Security

• Security is one of the most important issues in E-governance. All of
the security approaches that are common in E-commerce/E-Business
and other commercial areas are applicable to E-governance. But
E-governance is a little different from E-commerce.

• Usually government networks can communicate with each other better
than business networks, because most of them are connected for
transferring information, whereas businesses are competitors and
do not disclose their sensitive information. So the security of
E-government is much more important as compared to E-commerce.
E-governance Security
• Today the users or programmers (hackers or abusers!) are very smart
and intelligent, and they can attack in several forms, so the
defence level has to be sufficiently strong and comprehensive.
• Implementation of E-governance has changed the way of living of the
people in various countries.
• In the present scenario we can say most of our activities or needs
depend totally upon E-governance; that is why security of E-governance
is a major issue.
E-governance Security
• Security is all about protecting the Information and
Communication Technology (ICT) assets of an
organization.
• The ICT assets themselves can be of a wide variety
including the following:
• Data, Information, Knowledge Resources, Programs,
Hardware, Networks

Above we mention some ICT assets which are very important from the
security perspective of E-governance.
It is a very important responsibility of E-governance administrators
to protect these assets.
Security against What?
• There are various threats to the security of our ICT system, and we can't
define or declare them exactly; they may come from various sources and
in various forms.
• So it is very necessary for the e-governance administrator to identify these
threats.
• We first give some sources of threats and then some types of threats
which affect E-governance.
Security Concept
• Security risk refers to the potential that given threats would
exploit vulnerabilities of e-government systems, and
consequently cause harm to the organization's information
assets.
• Security risks affect confidentiality, integrity and availability
(CIA) of e-government information assets while being
processed, transmitted and stored across e-government
domains.
• Security risks could be measured in terms of a combination of
the probability of an event to occur and its consequence.
Security Concept
• Security threats refer to any circumstance or event with the
potential to adversely impact an organization's critical assets,
through unauthorized access, destruction, disclosure, or
modification of information assets.
• Security threats exploit specific vulnerabilities within
e-government systems and applications, hence affecting
confidentiality, integrity and availability of critical information
assets.
• Common threat sources could be human-made, natural calamities
and/or the environment.
Security Concept
• Sources of Threat
• The sources of threat can be internal or external
to the government body.
• There are various internal sources of threat, like the
employees who work on the E-governance project or
customers of the E-governance projects, who may attempt
to access the databases for their personal financial profit.
• External sources may be professional
hackers, criminal organizations, various intelligence
agencies or investigation agencies.
Security Concept
• Types of Threat
• Threats may include unauthorized access, modification, and
destruction of data.
• The threats may be of different types varying from time to
time because technology changes frequently.
• The attacks on security of an e-governance system can be in
different forms, including defacing of web sites, Hacking,
Cracking, Damage to critical database and applications,
Network security check list, DSA, Viruses and Malwares etc.
• The damage of ICT assets need not always be a result of such
malicious attacks as mentioned previously.
• It may be some kind of natural or environmental disasters etc.
Security Concept
• Security vulnerability refers to flaws or weaknesses in system
security procedures, design, implementation, and/or internal
controls that could be exploited by threat sources.
• Once exploited it could result into a security breach,
consequently causing harm to e-government information
assets and services

VAPT: Vulnerabilities Assessment and Penetration Testing


Security Concept
• The “value” of information held and processed by the
e-Governance service needs to be protected at all
levels (i.e. Application, Infrastructure, and Operation &
Management).
• E-gov security is intended to safeguard the information
assets and is determined in terms of confidentiality,
integrity and availability
Security Concept
Confidentiality: Protecting sensitive
information from unauthorized disclosure or
intelligible interception

Integrity: Safeguarding the accuracy and
completeness of information and software;
protecting data from unauthorized,
unanticipated or unintentional modification

Availability: Ensuring that information and
vital IT services are available when required
Security vulnerabilities and threats
Security vulnerabilities and threats in the e-Governance

• e-Government security requirements can be studied by
examining the overall process, beginning with the consumer
and ending with the e-Gov server.
• The assets that must be protected to ensure secure e-Gov
include
• client computers,
• the messages traveling on the communication channel, and
• the Web and e-Gov servers, including any hardware attached to the
servers.
Security vulnerabilities and threats existing in the e-Governance
• Client Threats: Until the introduction of executable Web content, Web pages were mainly static.
Coded in Hyper Text Markup Language (HTML), static pages could do little more than display
content and provide links to related pages with additional information. But, the widespread use of
active content has changed this perception.
• Active Content: Active Contents like Java applets, ActiveX controls, JavaScript, and VBScript refer
to programmes that are embedded transparently in Web pages and that cause action to occur.
Embedding active content to Web pages involved in e-Governance introduces several security
risks. Malicious active content delivered by means of cookies can reveal the content of client-side
files or even destroy files stored on client computers.

• Malicious Codes: Computer viruses, worms and Trojan Horses are examples of malicious code.
People are aware but may not be prepared to deal with such adversaries.
Security vulnerabilities and threats existing in the e-Governance
• Server-side Masquerading: Masquerading lures a victim into believing that the entity with
which it is communicating is a different entity. For example, if a user tries to log into a
computer across the Internet but instead reaches another computer that claims to be the
desired one, the user has been spoofed.
• Communication Channel Threats: The Internet serves as the electronic chain linking a
consumer (client) to the e-Gov server. Messages on the Internet travel randomly from a source
node to a destination node. It is impossible to guarantee that every computer on the Internet
through which messages pass is safe, secure, and non-hostile.
• Confidentiality Threats: Confidentiality is the prevention of unauthorised information
disclosure. Use of Internet definitely poses confidentiality threats to the messages sent.
• Integrity Threats: An integrity threat exists when an unauthorized party can alter a message
stream of information. Unauthorised changes and defacing of web pages may put any e-Gov
project into jeopardy.
• Availability Threats: The purpose of availability threats, also known as delay or denial of
service threats, is to disrupt normal computer processing or to deny processing entirely.
Slowing any Internet service will deter citizens from using e-Gov services.
Security vulnerabilities and threats existing in the e-Governance
• Server Threats: The server is the third link in the client-Internet-server trio embodying the e-Gov
path between the citizens and the government. Servers have vulnerabilities that can be exploited by
anyone determined to cause destruction or to illegally acquire information.

• Web Server Threats: Web server software is not inherently high-risk, but it has been designed with
Web service and convenience as the main design goal. The more complex the software is, the
higher the probability that it contains coding errors (bugs) and security holes.

• e-Gov Server Threats: The e-Gov server, along with the Web server, responds to requests from
Web browsers through the HTTP protocol and Common Gateway Interface (CGI) scripts. Several
pieces of software comprise the e-Gov server software suite. Each of these pieces of software can have
security holes and bugs.
Security vulnerabilities and threats existing in the e-Governance
• Database Threats: Besides government information, databases connected to the Web contain
critical and private information that could irreparably damage an enterprise or citizen if it were
disclosed or altered. Some databases store user name/password pairs in a non-secure way. If
someone obtains user authentication information, then he or she can masquerade as a legitimate
database user and reveal private and costly information.
• Common Gateway Interface Threats: A Common Gateway Interface (CGI) implements the
transfer of information from a Web server to another programme, such as a database programme.
Because CGIs are programmes, they present a security threat if misused. Just like Web servers,
CGI scripts can be set up to run with their privileges unconstrained. Defective or malicious CGIs
with free access to system resources are capable of disabling the system, calling privileged (and
dangerous) base system programmes that delete files, or viewing confidential customer information,
including user names and passwords.
• Password Hacking: The simplest attack against a password-based system is to guess passwords.
Guessing of passwords requires that access to the complement, the complementation functions, and the
authentication functions be obtained. If none of these have changed by the time the password is
guessed, then the attacker can use the password to access the system.
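
The database threat above turns on user name/password pairs being stored "in a non-secure way". The following is an added example, not part of the original slides: it contrasts a clear-text user table with salted PBKDF2 records and audits which accounts remain directly readable. The table contents, the record format and the iteration count are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

SCHEME = "pbkdf2_sha256"
ITERATIONS = 600_000  # assumed work factor for this example; tune to your hardware

# Constructed sample: a user table that keeps name/password pairs in clear text.
INSECURE_USER_TABLE = {
    "clerk01": "Spring2024!",
    "citizen77": "Spring2024!",  # same password as clerk01
}


def hash_password(password, iterations=ITERATIONS):
    """Return a self-describing record: scheme$iterations$salt$derived_key."""
    salt = secrets.token_bytes(16)  # fresh random salt per account
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{SCHEME}${iterations}${salt.hex()}${derived.hex()}"


def _parse(stored):
    """Split a record into (iterations, salt, key); None if it is not one of ours."""
    try:
        scheme, iterations, salt_hex, derived_hex = stored.split("$")
        parsed = (int(iterations), bytes.fromhex(salt_hex), bytes.fromhex(derived_hex))
    except ValueError:
        return None
    if scheme != SCHEME or parsed[0] < 1 or not parsed[1] or not parsed[2]:
        return None
    return parsed


def verify_password(password, stored):
    """Recompute the key with the stored salt and compare in constant time."""
    parsed = _parse(stored)
    if parsed is None:
        return False  # clear-text or malformed records never authenticate
    iterations, salt, expected = parsed
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=len(expected)
    )
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored):
    """True when a record is unparseable or uses a weaker work factor than policy."""
    parsed = _parse(stored)
    return parsed is None or parsed[0] < ITERATIONS


def readable_credentials(table):
    """Audit helper: accounts whose stored value is not a salted hash record."""
    return sorted(user for user, value in table.items() if _parse(value) is None)


def migrate(table):
    """Replace every clear-text password with a salted hash record."""
    return {user: hash_password(password) for user, password in table.items()}


if __name__ == "__main__":
    hardened = migrate(INSECURE_USER_TABLE)
    print("readable before:", readable_credentials(INSECURE_USER_TABLE))
    print("readable after: ", readable_credentials(hardened))
    # Identical passwords no longer produce identical records, thanks to the salt.
    print("records differ: ", hardened["clerk01"] != hardened["citizen77"])
```
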
Security Architecture
• Security Architecture in the context of e-governance involves the design and
implementation of frameworks, strategies, and mechanisms to ensure the integrity,
confidentiality, availability, and authenticity of information and services.
• The security architecture of E-governance is a high-level document that sets the
security goals of the e-governance project and describes the procedures that need to be
followed by everyone in the e-governance hierarchy, such as users, businesses, operators etc.

• Key Components:
• Authentication and Authorization:
• Data Encryption:
• Network Security:
• Application Security:
• Identity and Access Management (IAM):
• Data Governance and Compliance:
• Incident Response and Recovery:
• Monitoring and Auditing:
• Security Awareness and Training:
• Risk Management:
Security Architecture
• A robust security architecture for e-governance is essential for maintaining trust,
protecting sensitive information, and ensuring the reliable delivery of government
services. It must be comprehensive, covering all aspects from network security to
user training, and adaptable to the evolving threat landscape.
• Appropriate legal framework is absolutely essential for the systematic and sustained
growth of e-governance.

[Figure: E-Governance Security, with three components: Protection of Public Order and Decency; Protection of Privacy of Individual; Providing Legal Status to Digital Transaction]

Fig: E-Governance Security Architecture Components


Security Architecture
• Protection of Public Order and Decency
• The internet is highly capable of being a saturated and versatile medium at the same
time. Its reach is very vast and due to its multimedia capability, its impact can be
immediate and profound.
• So the government has to beware of its potential to create a negative impact on society
through the promotion of terrorism, pornography, communalism, violence, etc.
• Protection of Privacy of Individuals
• Disclosure of personal information over the internet raises questions related to the
privacy of individuals.
• Any organization should follow some steps when it gathers personal information
about any individual: Notice, Choice, Onward Transfer, and Security.
• Providing Legal Status to Digital Identities and Transactions
• One of the fundamental requirements of e-governance projects is their ability to create
and sustain the operations of government agencies as well as private agencies.
• So it is very necessary to consult the legal status of entities and actions, such as: 'legal
status is to be provided to digital identities', 'provide legal recognition to digital
assets', and 'provide a digital authority to digital transactions; these transactions could be
in the areas of G2G, G2B, G2C, etc.'
Defense in depth
• is a concept used in Information security in which
multiple layers of security controls (defense) are
placed throughout an information technology (IT)
system.
• Its intent is to provide redundancy in the event
a security control fails or a vulnerability is
exploited that can cover aspects
of personnel, procedural, technical and physical
security for the duration of the system's life cycle.
A single leak in the system can deteriorate the full e-governance architecture as all the components are
interrelated to one another
Security Controls in E-Government System
1. Administrative Controls
2. Technical Controls
3. Physical Controls
Information Security Concept: Security Technologies
• Some of the examples :
• Layer 7 Firewalls – WAF (Web Application Firewall) – Application Level
• Intrusion Prevention Systems (IPS) / Intrusion Detection System – zero-day attacks,
zero-day vulnerabilities, behavioral-based (dynamic) security measures
• Host Intrusion Prevention System (HIPS) – End Computing Devices / User Computer
• Multifactor Authentication – What you know and what you have – Username and
Password + SMS token / Email token (OTP)
• Multi Engine Anti-Virus – Virus Signature based
• Virtual Private Network (VPN) – Remote Access VPN / Site-to-site VPN
• Virtual LANs (VLAN)
• Vulnerabilities Assessments
• Network Level Firewall – Packet Level
• HoneyBots
• Access Control System
• Encryption Techniques
• Message Digest
• etc
Security Management Model
• A security management model is meant to be a generic description of
what an organization should do to provide a secure environment for
itself.
• It is generic in that it describes what should be done, but not how to
do it, which makes it flexible enough to be used by many kinds of
organizations.
• We should choose a model for our organization to follow that is "flexible,
scalable, robust, and sufficiently detailed."
Security Management Model
1) Access Control Models:
• Access controls regulate the admission of users into trusted areas of the organization,
both logical and physical. Access control is maintained by means of a collection of
policies, programs to carry out those policies, and technologies that enforce
policies.
• The general application of access control comprises four processes: identification,
authentication, authorization, and accountability.
2) Security Architecture Models:
• It illustrates information security implementations. It can help organizations quickly
make improvements through adaptation.
• Some models are implemented into computer hardware and
software, some are policies and practices, and some are implemented in both.
Security Management Model
3) Bell-LaPadula Confidentiality Model:
• It is a state machine-based multilevel security policy. The model was originally
designed for military applications.
• State machine models define states with current permissions and current instances
of subjects accessing
• The security of the system is satisfied by transitions from one secure state to the other
with no failures.
4) Biba Integrity Model:
• It is a formal state transition system of data security policies designed to express a
set of access control rules in order to ensure data integrity.
• Data and subjects are ordered by their levels of integrity into groups or
arrangements. Like other models, this model supports the access control of both
subjects and objects.
Security Management Model
5) The Clark-Wilson Model:
• It is an integrity model which focuses on protecting the integrity of data. It consists of
subject/program/object triples and rules about data, application programs and
triples. The security policy model seeks to formalize the principles of accounting security
that have been collected over centuries of experimental bookkeeping.
6) The Graham-Denning access control model:
• This is a computer security model that shows how subjects and objects should be
securely created and deleted.
• It also addresses how to assign specific access rights. It is mainly used in access
control mechanisms for distributed systems. There are three main parts to the
model:
→A Set of Subjects,
→A Set of objects,
→A Set of Eight Rules.
Security Management Model
7) Harrison-Ruzzo-Ullman Model:
• The security model proposed by Harrison, Ruzzo, and Ullman (HRU) is a flexible
access control model. In HRU, the current set of access rights at any given time can
be represented by a matrix, with one row for each subject and one column for
each subject and object. Each cell in the table contains the list of access rights.
• The components of the HRU model include:
→ A set of subjects,
→A set of objects,
→ A set of access rights,
→An access matrix.
8) Brewer-Nash Model:
• The Brewer and Nash model, also known as the Chinese wall, was constructed to provide
information security access controls that can change dynamically. It was designed to
provide controls that mitigate conflict of interest in commercial organizations, and
is built upon an information flow model.
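
The Harrison-Ruzzo-Ullman access matrix described above, as an added example that is not part of the original slides: a matrix with one row per subject and one column per subject and object, the six HRU primitive operations, and a conditional command built from them. The subject, object and right names are constructed for the illustration.

```python
from collections import defaultdict


class AccessMatrix:
    """HRU protection state: subjects, objects, rights and the matrix of cells."""

    PRIMITIVES = {"create_subject", "create_object", "enter",
                  "delete", "destroy_subject", "destroy_object"}

    def __init__(self, rights):
        self.rights = frozenset(rights)
        self.subjects = set()
        self.objects = set()            # columns: every subject is also an object
        self.cells = defaultdict(set)   # (subject, object) -> set of rights

    def _check(self, right, s, o):
        if right not in self.rights or s not in self.subjects or o not in self.objects:
            raise ValueError(f"unknown right, subject or object: {right}, {s}, {o}")

    def create_subject(self, s):
        if s in self.objects:
            raise ValueError(f"{s} already exists")
        self.subjects.add(s)
        self.objects.add(s)

    def create_object(self, o):
        if o in self.objects:
            raise ValueError(f"{o} already exists")
        self.objects.add(o)

    def enter(self, right, s, o):
        self._check(right, s, o)
        self.cells[(s, o)].add(right)

    def delete(self, right, s, o):
        self._check(right, s, o)
        self.cells[(s, o)].discard(right)

    def _drop(self, name):
        self.objects.discard(name)
        for key in [k for k in self.cells if name in k]:
            del self.cells[key]         # remove the whole row and/or column

    def destroy_subject(self, s):
        self.subjects.remove(s)
        self._drop(s)

    def destroy_object(self, o):
        if o in self.subjects:
            raise ValueError("use destroy_subject for subjects")
        self._drop(o)

    def has(self, right, s, o):
        """Reference-monitor check: is `right` in cell (s, o)?"""
        return right in self.cells.get((s, o), ())


def run_command(matrix, conditions, operations):
    """HRU command: if every (right, s, o) condition holds, apply the primitives."""
    if not all(matrix.has(r, s, o) for r, s, o in conditions):
        return False                    # a failed condition leaves the state unchanged
    for name, *args in operations:
        if name not in AccessMatrix.PRIMITIVES:
            raise ValueError(f"not a primitive operation: {name}")
        getattr(matrix, name)(*args)
    return True


def grant_read(matrix, granter, grantee, obj):
    """Command: the owner of obj may enter 'read' into the grantee's cell."""
    return run_command(matrix, [("own", granter, obj)], [("enter", "read", grantee, obj)])


def demo():
    # Constructed scenario: a clerk owns a record, an auditor asks for read access.
    m = AccessMatrix({"own", "read", "write"})
    m.create_subject("clerk")
    m.create_subject("auditor")
    m.create_object("tax_record")
    m.enter("own", "clerk", "tax_record")
    m.enter("write", "clerk", "tax_record")
    out = {"non_owner_grant": grant_read(m, "auditor", "auditor", "tax_record")}
    out["owner_grant"] = grant_read(m, "clerk", "auditor", "tax_record")
    out["auditor_reads"] = m.has("read", "auditor", "tax_record")
    out["auditor_writes"] = m.has("write", "auditor", "tax_record")
    m.destroy_subject("auditor")        # removing the subject removes its row
    out["after_destroy"] = m.has("read", "auditor", "tax_record")
    return out


if __name__ == "__main__":
    print(demo())
```
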
Security Management Model of E-Governance.
• The security of the e-governance system has to be managed
systematically in three levels. This model is explained with the help of
this figure.
Security Management Model of E-Governance.
1) Security at User Level
• Security at the user level is a very important issue. We can classify user-level
security management into three parts: a) Identity Management, b) Access
Management System, c) Interaction Management System
Security Management Model of E-Governance.
1) Security at User Level
• a) Identity Management
• The main purpose of this is to create a unique digital identity or credential for all legal users by providing a
unique user name and password, to create and manage ICT systems that ensure that the digital identities are
secure.

• b) Access Management System


• At this level, the unique credentials which are provided to the user at the identity level are matched to
identify the user, that he/she is actually the authentic person.

• c) Interaction Management System


• Interaction management is a most comprehensive and complex phase. It includes assurance of Integrity,
Confidentiality, and Non-repudiation principles of comprehensive security.

At the user level, we can use various tools such as digital identity token, public key infrastructure (PKI), digital
signature, asymmetric key cryptography, etc. to provide or enhance security at the user level.

Security Management Model of E-Governance.
• 2)Security at Transport Level
• At this level, we consider e-governance security in two aspects: the first is
security within LAN and WAN, and the second is security over the
Internet.
• This security level is classified into two systems, i.e. Secure Communication
System and Cryptographic System.
• Data and information travel from the user to the ICT assets or vice versa, and
when the data is in between these two, i.e. in the transmission medium, which can
be LAN, WAN, wireless or any other medium, we
need higher security.
• For this, e-governance administrators use various tools or techniques, like
creating a Virtual Private Network (VPN), installing firewalls, using stronger and
more complex encryption or decryption techniques, etc.
Security Management Model of E-Governance.
• 3)Security at ICT Assets level
• ICT assets are the most precious for any organization or institution, so
to secure this level we have two broad categories of security
treatment i.e. Physical security and Electronic security.
Security Management Model of E-Governance.
• a) Physical Security
• It is used to protect the data against physical damage or loss, such as from
natural disasters. To protect data at this security level we take some
steps, such as: securing data centers with a biometric-controlled access
system, and providing in data centers a dust-proof environment, fire
protection systems, security alarms, CCTV monitoring of the data center,
an automated backup system, etc. By following some
basic instructions we can easily secure the data physically.

• b) Electronic Security
• To give protection against digital threats we use electronic security.
We have various electronic security tools, and we can manage them in two
categories: Antivirus System and Firewalls.
Security Management Model of E-Governance.
• Anti-virus System
• When we discuss digital threats the first thing in our mind is a virus, which
affects our ICT assets in various ways, such as slowing down the system,
occupying disk space, corrupting our valuable data or storage medium, etc. It is
also known as malware, worms, and Trojan horses.

• Firewalls
• “A system designed to prevent unauthorized access to or from a private
network”. A firewall is a security device that can be hardware or software
that is mainly used to separate a secure area from a less secure area and to
control communications between the two. We have several firewall
techniques such as Packet filter, Application gateway, Circuit-level gateway,
Proxy server.
• There are many different brands of software firewalls, some of them are
ZoneAlarm, BlackICE and Kerio, etc.
Security Management Model of E-Governance.

[Figure: Ten-stage Security Management Strategy Model]
Security Management Models
• A security management model is meant to be
a generic description of what an organization should do to provide a
secure environment for itself. ISO 27000 ISMS
• It is generic in that it describes what should be done, but not how to
do it, which makes it flexible enough to be used by many kinds of
organizations
• Many security management models exist, some of which are
discussed in detail.
• Once an organization chooses a security management model, it
should create a custom version of it that applies to the organization;
this is referred to as the security blueprint.
• In the course of developing the security blueprint, we may need to
create an outline to follow, which is called the security framework.
Security Management Models
• To put those terms in perspective, imagine three phases of a
project to develop your security management standards:
1. First, select a security management model that fits your organization's
needs and goals.
2. Second, write a security framework document, a plan that outlines the
work needed to adapt the model to the realities of your organization.
3. Third, create the security blueprint, which is a working, operational
document. It describes how your organization will meet each applicable
requirement of your security model, through the goals that are
established in your framework.

• Note: you need to create the framework and the blueprint, but your first
goal is to select a model that makes sense
Security Management Models
• Example of Security Management Models
• ISO 27000 Series (International Organization for Standardization)

• NIST (National Institute of Standards and Technology) Models

• COBIT (Control Objectives for Information and Related Technology)

• ITIL (formerly Information Technology Infrastructure Library, now just
ITIL) - it was created by the British government and has become a
worldwide standard


Security Standards
• A security standard is "a published specification that establishes a
common language, and contains a technical specification or other
precise criteria and is designed to be used consistently, as a rule,
a guideline, or a definition."
• Security standards are collections of best practice, created by experts to protect
organisations from information/cyber security threats.
• The goal of security standards is to improve the security of
information technology (IT) systems, networks, and critical
infrastructures.
• Standards and frameworks are generally applicable to all
organizations, regardless of their size, industry or sector.
Security Standards
• The standard for information security was set by BS 7799. Owing to its popularity,
it was adopted by ISO as ISO 17799, and its sequel BS 7799-2 prescribes the
specification for Information Security Management.
• "The ISO 27001 standard was published in October 2005, essentially replacing the
old BS 7799-2 standard. It is the specification for an Information Security
Management System".
• "ISO 17799 defines 127 security controls structured under 10 major headings to
enable the information security manager to identify the particular safeguards
that are appropriate to their specific area of responsibility".
Security Standards

Fig-Major Security Areas of ISO 27000


Security Standards
• Need of Security Standard
• The use of standards is unanimously accepted and gives the possibility of
comparing a personal security system with a given frame of reference adopted at
an international level.
• A good example is the ISO 9000 set of standards regarding the quality
management system, which is a common reference regardless of the industry in
which a certain company operates.
• Standards ensure desirable characteristics of products and services, such as
quality, safety, reliability, efficiency, and interchangeability, at an economical
cost.
• We need information security standards in order to implement information
security controls to meet an organization's requirements, as well as a set of
controls for business relationships with other organizations. The most
effective way to do this is to have a common standard on best practices for
information security management, such as ISO/IEC 17799:2005.
• Organizations can then benefit from common best practices at an international
level and can prove the protection of their business processes and activities in
order to satisfy business needs.
Security Standards
• The ISO/IEC 27000 family is one of the most widely referred codes of
practice for information security and management. It is based on ISO
17799.
• The ISO 27000 family provides standards for best practice guidelines on
system design, information security management, and controls.
• It comprises at least the following:
• ISO 27001 covers information security management systems requirements
(certification standard/specification), including standards for establishment,
implementation, control and improvement of the information security management
system (ISMS),
• ISO 27002 describes a code of practice for information security management, including
a comprehensive set of information security controls,
• ISO 27005 was designed to give security advice on information risk
management.
Security Standards
• ISO stands for International Organization for Standardization
• ISO 27000 Series - The ISO 27000 series can be categorized into many
types. They are-
• ISO 27001-
• allows us to prove to the clients and stakeholders of any organization that
their confidential data and information are managed with the best security.
• This standard involves a process-based approach for establishing,
implementing, operating, monitoring, maintaining, and improving our
ISMS.
• ISO 27000-
• provides an explanation of terminologies used in ISO 27001.
• ISO 27002-
• provides guidelines for organizational information security standards
and information security management practices.
• It includes the selection, implementation, operating and management
of controls taking into consideration the organization's information
security risk environment(s).
Security Standards
• ISO 27005-
• supports the general concepts specified in 27001. It is designed to provide the
guidelines for implementation of information security based on a risk management
approach.
• To completely understand the ISO/IEC 27005, the knowledge of the concepts,
models, processes, and terminologies described in ISO/IEC 27001 and ISO/IEC
27002 is required.
• This standard is applicable to all kinds of organizations, such as non-government
organizations, government agencies, and commercial enterprises.
• ISO 27032-
• It is the international Standard which focuses explicitly on cybersecurity.
• This Standard includes guidelines for protecting the information beyond the
borders of an organization such as in collaborations, partnerships or other
information sharing arrangements with clients and suppliers.
Security Standards
The twelve guiding security control principles of the ISO/IEC 27002 are:
• (i)Risk assessment and treatment: provides guiding principles
on how to perform risk assessment and treatment. It includes
systematic methods for assessing threats and vulnerabilities, and
comparing assessed risks against established risk criteria;
• (ii) Security policy: gives guidance and directives to the security management;
• (iii) Organisation of information security: provides detailed description on how
the internal security structures should be organised, and governance of
information security;
• (iv) Assets management: gives ways and best approach on inventory and
classification of information assets;
• (v) Human resource security: provides directives on security issues for
employees who are joining and/or leaving the organisation;
• (vi) Physical and environmental security: gives guidance on the protection of
computer facilities;
Security Standards
The twelve guiding security control principles of the ISO/IEC 27002 are:
• (vii) Communications and operations: provides guidance on management of
technical security controls in systems and networks;
• (viii) Access control: provides guidelines for restrictions of access rights to
networks, systems, applications, functions and data;
• (ix) Information systems acquisitions, development and maintenance: provides
instruction about building security into systems applications;
• (x) Information security incident management: provides guidance on how to
respond appropriately to information security breaches;
• (xi) Business continuity management: gives guidelines on protecting, maintaining
and recovering of business-critical processes and systems; and
• (xii) Compliance: ensures conformance with information security policies,
standards, guidelines, laws and regulations.
Security Standards
ISO/IEC 21827: Systems Security Engineering Capability Maturity Model
• The Systems security engineering capability maturity model (SSE-CMM) is
considered to be the foundation for building maturity models such as
information security maturity models whose security services maturity levels
are designed in incremental order.
• The ordering is similar to that of e-government services in the eGMM stages.
SSE-CMM is a security standard developed by the International systems
security engineering association (ISSEA).
• Also, it is known as the ISO/IEC 21827 standard.
• The main objectives of SSE-CMM were to address security engineering
activities, in particular to secure system life cycles.
• The processes include products/ system concepts definitions, requirements
analysis, design, development, integration, installation, operations,
maintenance and commissioning.
Security Standards
• Level 1: performed informally, focuses on organizations when conducting processes
that incorporate the base practices;
• Level 2: planned and tracked, focuses on project definition, planning and
performance issues;
• Level 3: well defined, focuses on defining the processes within an organization;
• Level 4: quantitatively controlled, focuses on measurement being tied to the business
goals of the organization; and
• Level 5: continuously improving, deals with leveraging management practices
improvement.
• In general the SSE-CMM is focused on security engineering and software design.
Security Standards
ISO/IEC 15408: The Common Criteria (CC)
• The Common Criteria (CC) provides broad basis for achieving functional and
assurance requirements for IT products, such as e-government systems
applications and infrastructures.
• CC is an internationally approved set of security standards (ISO/IEC 15408)
based on a framework that offers measurable levels of assurance for computer
products and systems.
• CC certifications up to level 4 are mutually recognised among the members of
the common criteria recognition arrangement (CCRA) which is an
internationally recognised body.
Security Standards
National Institute of Standards and Technology (NIST) on e-Government
• The National Institute of Standards and Technology (NIST) has maturity levels for security services which
are designed in incremental order, which are similar to e-government services in e-GMMs maturity
stages.
• This gave a good basis for the model to be considered and applied in modelling security services in e-
GMMs.
• NIST has developed a number of guiding documents for information security that could also be
adopted and applied in enhancing e-government security services.
• These include: managing risk from information systems – an organisational perspective (NIST special
publication 800-39), Risk management guide for information technology systems (NIST special
publication 800-30), and the Methodology for evaluation information security maturity (ISM) of
organisations (NIST IR7358).
• These documents present the framework for managing risks in an organisational environment. They
further provide guidelines and directives on how to select, implement, and assess security controls.
• Additionally, they give instructions on how to monitor the states of security from an organisational
perspective [NIST, 2008]. Moreover, NIST [2007b] identified five levels (aspects) that are necessary for
any organisation to attain security maturity: an up-to-date security policy, security procedures, security
implementation, security test, and security integration.
• According to NIST [2007b] higher level of maturity can only be attained if and only if the previous
maturity level is attained. This implies that if there is no policy for a specific criterion, none of the
maturity levels will be attained for the specific criterion. NIST is focused towards the level of security
documentation.
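The cumulative rule above can be written as a short check, added here as an example (it is not from NIST or from the original slides): a criterion's maturity level is the number of consecutive levels satisfied, starting from policy. The criteria names and evidence values are constructed sample data.

```python
# Added illustration of the cumulative maturity rule described above.
# The level names follow the slide; the criteria names and evidence
# values below are constructed sample data, not taken from NIST.
LEVELS = ["policy", "procedures", "implementation", "test", "integration"]


def maturity_level(evidence):
    """Return (level, blocker) for one criterion.

    evidence maps a level name to True when that level has been satisfied.
    A level only counts if every earlier level is also satisfied, so the
    result is the length of the unbroken run starting at "policy".
    blocker is the first unmet level, or None at full maturity.
    """
    unknown = set(evidence) - set(LEVELS)
    if unknown:
        raise ValueError(f"unknown level name(s): {sorted(unknown)}")
    for index, name in enumerate(LEVELS):
        if not evidence.get(name, False):
            return index, name
    return len(LEVELS), None


def assess(criteria):
    """Score every criterion and list work that earns no credit yet."""
    report = {}
    for criterion, evidence in criteria.items():
        level, blocker = maturity_level(evidence)
        # Levels done out of order: satisfied, but above the blocker.
        uncredited = [n for n in LEVELS[level:] if evidence.get(n, False)]
        report[criterion] = {"level": level, "blocker": blocker,
                             "uncredited": uncredited}
    return report


# Constructed sample assessment for three hypothetical criteria.
SAMPLE = {
    "access control": {"policy": True, "procedures": True,
                       "implementation": True},
    "incident response": {"procedures": True, "implementation": True,
                          "test": True},          # no policy written
    "contingency planning": {n: True for n in LEVELS},
}

if __name__ == "__main__":
    for criterion, result in assess(SAMPLE).items():
        print(criterion, result)
```

The "incident response" entry shows the consequence stated on the slide: procedures, implementation and testing exist, but with no policy the criterion stays at level 0.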
Security Standards
Information Security Management Maturity Model (ISM3)
• As for the previous security maturity models, Information security management
maturity model (ISM3) has maturity levels for security services which are
designed in incremental order, which are similar to e-government services in
maturity stages of eGMMs.
• This gave good basis for the model to be applied in modelling security services
in eGMMs. ISM3 was proposed by the consortium for assessment and
management of risk based processes oriented within organisations.
• The model has five security maturity levels: undefined, defined, managed,
controlled, and optimized.
Security Standards
• Information Security Management Maturity Model (ISM3)
• The model offers a practical and efficient approach to managers and
auditors for evaluating, specifying, implementing and enhancing process-
oriented information security management systems.
• The strength of the model is based on the inclusion of coverage and
capability maturity levels. ISM3 can be applied to any organization
regardless of its size, context and resources.
• It gives a clear description of responsibilities for technical/operational
personnel responsible for executing defined goals by means of technical
processes.
• Tactical personnel deals with design and implementation of information
security management systems; and strategic personnel deals with broad
goals, coordination, and provision of resources.
• However, the current ISM3 (version 2.10) does not measure risk or security
directly, nor does it provide best practices for security implementation.
Metrics are process-based, measuring activities, scope, effectiveness,
efficiency and quality. Every process in ISM3 is assumed to contribute
Security Standards
• Federal Information Security Management Act (FISMA)
• The Federal Information Security Management Act (FISMA) is a United States
federal law that was enacted as Title III of the E-Government Act of 2002.
• FISMA was put in place to strengthen information security within federal
agencies, NIST, and the OMB (Office of Management and Budget).
• It requires federal agencies to implement information security programs to
ensure the confidentiality, integrity, and availability of their information and IT
systems, including those provided or managed by other agencies or contract

• FIPS: Security Requirement for Cryptographic module of security devices. It has different
levels: FIPS Level 1-4
• Federal Information Processing Standard (FIPS) 140-2, Security Requirements for
Cryptographic Modules: HSM (Hardware Security Module)
• ICAO: Smart Card, Travel Card / MRPS / Identity Card security standards
Security Standards
• Health Insurance Portability and Accountability Act (HIPAA)
• The Health Insurance Portability and Accountability Act (HIPAA), also
known as the Kennedy–Kassebaum Act, is a federal law that was
enacted in 1996.
• It aims to make it easier for people to keep their health insurance when
they change jobs, to protect the confidentiality and security of health
care information, and to help the health care industry control its
administrative costs.
Security Standards
• ISO 22301
• The international standard ISO 22301:2012 provides a best-
practice framework for implementing an optimised BCMS
(business continuity management system).
• This enables organizations to minimise business disruption
and continue operating in the event of an incident.
Security Standards
• NIST Cybersecurity Framework (CSF)
• The NIST CSF is a voluntary framework primarily intended
for critical infrastructure organizations to manage and
mitigate cybersecurity risk based on existing best practice.
• However, the NIST CSF has proven to be flexible enough to
also be implemented by non-US and non-critical
infrastructure organizations.
Security Standards
• PCI Security (Payment Card Industry)
• The PCI Security Standards Council touches the lives of hundreds of millions of people
worldwide. A global organization, it maintains, evolves and promotes Payment Card
Industry standards for the safety of cardholder data across the globe.
• ISO 27000: it is generic and applies to any kind of organization
Information Security Program Example
Information Security Policy
• An information security policy is a document prepared by an
organization to address questions such as “Why is information
security important for the organization?”, “What are the possible
security attacks?” and “What are the communication channels and ICT
assets that need to be protected?”. That is why it is also known as an
Information Security Management System (ISMS).
• An ISMS is a set of policies concerned with the security risks
related to Information and Communication Technology.
• “The establishment, maintenance and continuous update of an ISMS
provide a strong indication that a company is using a systematic
approach for the identification, assessment and management of
information security risks. Furthermore such a company will be
capable of successfully addressing information confidentiality,
integrity and availability requirements.”
Information Security Policy
Fig: Framework for Information Security Policy defined in ISMS 27000 (boxes in order: Security Policy, ISMS Scope, Risk Assessment, Risk Management, Applicability Statement)


• What makes a vulnerability a zero-day?
• The term “zero-day” refers to a newly discovered software vulnerability.
Because the developer has just learned of the flaw, it also means an
official patch or update to fix the issue hasn’t been released.
• So, “zero-day” refers to the fact that the developers have “zero days” to
fix the problem that has just been exposed — and perhaps already
exploited by hackers.
• Once the vulnerability becomes publicly known, the vendor has to work
quickly to fix the issue to protect its users.
• But the software vendor may fail to release a patch before hackers
manage to exploit the security hole. That’s known as a zero-day attack.
