
Submitted by- Mr. Avinash Sadaphule

20 November 2009

Management Trainee, MKCL


Central Vigilance Commission
Independent central body.
Set up by the Govt. of India in 1964.
Objective: advising and guiding Central Govt agencies in planning, executing, reviewing and reforming their anti-corruption efforts.
Aim: to curb corruption, to stop delays and arbitrariness, and to increase transparency and accountability using Information Technology (IT).


Central Technical Examiner (CTE)
The Central Technical Examiner's organization (CTE) under the CVC inspects organizations and points out shortcomings in the field of public procurement.
It also suggests remedial measures to help organizations improve their systems.
The CTE directs the Chief Vigilance Officers (CVOs) of the organizations to carry out systematic inspection of various 'works' and 'contracts'.


CVC guidelines for security
The CVC guidelines for the security of e-procurement systems are discussed in the subsequent slides.


Security at Infrastructure level
Perimeter defense: deployment of routers, firewalls, IPS/IDS, controlled remote access and network segmentation.
Authentication: through deployment of passwords.
Monitoring: deployment of logging at OS and network level.
Secure configuration of network hosts: safeguards should be in place to resist common attacks.
System patching: hosts should be patched with the latest security updates.
Control of malware: anti-virus/anti-spyware should be deployed, or an operating system hardened against malware should be used (no operating system is immune, so this does not remove the need for patching and monitoring).
Structured cabling: good quality interconnection between the hosts through structured cabling is expected.


Security at Application design
Authentication: use SSL (in current practice TLS; the SSL protocol versions themselves are obsolete) so that credentials are never sent in clear.
Access control: a proper access control model, so that parameters available to the user cannot be used to launch an attack.
Session management: session tokens should be protected from guessing.
Error handling: no error message should leave the application that can be used to attack it.
Input validation: syntactic and semantic validation.
Application logs and monitoring: log file data should be maintained; it can be used for incident and trend analysis and for auditing.
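The three application-design points that are easiest to get wrong in code are session tokens, input validation and error handling. The following is an added example (not part of the original slides or of any CVC material) showing one way to implement them in Python with only the standard library: a token drawn from the OS CSPRNG and compared in constant time, a syntactic-then-semantic check of a bid, and a handler that logs full detail server-side but returns only a generic message and an opaque reference to the client. The in-memory session store, the tender-id format and the amount ceiling are assumptions made for the example.

```python
import hmac
import logging
import re
import secrets
from decimal import Decimal, InvalidOperation

log = logging.getLogger("eproc")

# In-memory session store (token -> user id). Constructed for this example; a
# real deployment keeps sessions server-side with an expiry and rotates the
# token after login.
SESSIONS = {}


def create_session(user_id):
    """Issue a session token with 256 bits from the OS CSPRNG; it cannot be
    guessed or enumerated, unlike a counter or a timestamp-derived value."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user_id
    return token


def lookup_session(token):
    """Resolve a token to its user, comparing in constant time so the check
    does not leak how many leading characters matched."""
    for stored, user_id in SESSIONS.items():
        if hmac.compare_digest(stored, token):
            return user_id
    return None


# Assumed tender-id format for the example, e.g. MKC/2009/0042.
TENDER_ID = re.compile(r"^[A-Z]{3}/\d{4}/\d{1,6}$")
MAX_AMOUNT = Decimal("10000000000")  # assumed business ceiling


def validate_bid(tender_id, amount_str):
    """Syntactic validation (shape of each field) followed by semantic
    validation (business rules). Returns (ok, parsed_amount_or_reason)."""
    if not isinstance(tender_id, str) or not TENDER_ID.match(tender_id):
        return False, "tender_id: bad format"
    try:
        amount = Decimal(amount_str)
    except (InvalidOperation, TypeError, ValueError):
        return False, "amount: not a number"
    # "NaN" and "Infinity" parse as valid Decimals, and comparing NaN raises,
    # so reject non-finite values before any range check.
    if not amount.is_finite():
        return False, "amount: not finite"
    if amount <= 0 or amount > MAX_AMOUNT:
        return False, "amount: out of range"
    if amount.as_tuple().exponent < -2:
        return False, "amount: more than two decimal places"
    return True, amount


def handle_request(token, tender_id, amount_str):
    """Request handler. Rejections and internal failures are logged in full on
    the server; the client only ever sees a generic message plus an opaque
    reference id it can quote to support, never a stack trace or SQL text."""
    try:
        user = lookup_session(token)
        if user is None:
            return {"status": 401, "error": "not authenticated"}
        ok, result = validate_bid(tender_id, amount_str)
        if not ok:
            log.warning("rejected bid from %s: %s", user, result)
            return {"status": 400, "error": "invalid input"}
        return {"status": 200,
                "bid": {"user": user, "tender": tender_id, "amount": str(result)}}
    except Exception:
        ref = secrets.token_hex(8)
        log.exception("unhandled error ref=%s", ref)
        return {"status": 500, "error": "internal error", "ref": ref}
```

The semantic check is where most of the value is: a bid of "NaN" or "-5" is syntactically a number, and a framework's default parser will happily accept it; the handler's generic 500 response is what keeps a stack trace (with file paths, query text or library versions) from reaching the vendor.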


Security during Application Deployment and Use
Availability clustering: depending on the expected hits, clustering of servers is to be done.
Load balancing: depending on the expected hits, load balancing of the web application is to be done.
Data recovery: regular backup of data and application.
Control of source code and configuration management: source code should be kept under version control and up to date, and the latest software versions should be used.


Security in Data storage and applications
Encryption of data storage: sensitive data should be encrypted or hashed. Three types of data security:
1. Data sensitive to disclosure must be encrypted.
2. Data sensitive to tampering must have a keyed hash value (HMAC).
3. Data that can be hashed without loss of functionality should be hashed, e.g. passwords.
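Categories 2 and 3 above can be shown with the Python standard library alone; the following is an added example and not code from the original slides or from the CVC. It seals a stored record with HMAC-SHA256 so that any edit is detected on read, and stores a password as a salted PBKDF2 hash that can be verified but not reversed. The HMAC key and the round count are assumptions for the example. Category 1 (encryption of data sensitive to disclosure) needs an authenticated cipher such as AES-GCM from a library like `cryptography` and is not shown here.

```python
import hashlib
import hmac
import secrets

# Constructed key for the example only; in a deployment the HMAC key comes from
# a key store or HSM and never sits in source or beside the data it protects.
TAMPER_KEY = b"example-only-key-not-for-production"
PBKDF2_ROUNDS = 600_000  # OWASP (2023) figure for PBKDF2-HMAC-SHA256


def seal(record: bytes) -> bytes:
    """Category 2: attach a keyed hash (HMAC-SHA256) so that any change to the
    record, however small, is detected on read. A plain hash would not do:
    an attacker who can rewrite the record can recompute an unkeyed hash."""
    tag = hmac.new(TAMPER_KEY, record, hashlib.sha256).hexdigest().encode()
    return record + b"|" + tag


def unseal(sealed: bytes):
    """Return the record if its tag verifies, otherwise None. rpartition keeps
    working when the record itself contains '|'."""
    record, sep, tag = sealed.rpartition(b"|")
    if not sep:
        return None
    expected = hmac.new(TAMPER_KEY, record, hashlib.sha256).hexdigest().encode()
    return record if hmac.compare_digest(expected, tag) else None


def hash_password(password: str) -> str:
    """Category 3: the password is never needed in clear, so store only a
    salted, slow hash. The salt is per-user, so equal passwords get different
    hashes and precomputed tables are useless."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and round count and compare in
    constant time."""
    try:
        algo, rounds, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)
```

Storing the algorithm and round count inside the hash string is what lets the round count be raised later: old entries still verify, and can be re-hashed at the user's next successful login.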


Security in Data storage and applications
Data transfer security:
1. Sensitive data should be encrypted before transmission.
2. Check whether intermediate components (proxies, load balancers, shared networks) present an undue threat to the data.
3. While communicating with a payment gateway over a public network, an encryption methodology like SSL (today TLS) must be deployed.


Security in Data storage and applications
Access control:
1. The authorisation mechanism that provides access to sensitive data should grant it only to permitted users.
2. Role-based access control at the database level as well as at the application interface, so that the database stays protected if the client application is exploited.
3. Authentication should be a prerequisite for authorization.
4. Forced entry into the system (access attempts without, or beyond, proper authorization) should be logged.
5. Regular testing of the application on the internet: conduct "black box" as well as "informed" (white box) testing.
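Points 1, 3 and 4 can be demonstrated together at the application interface. The following is an added example in Python (not from the original slides or the CVC): authentication is checked before any role is consulted, permissions are the union of the session's roles, and every refusal, including anonymous attempts at protected actions, is written to an audit log. The roles, action names and in-memory audit store are constructed for the example; the matching database-side grants (point 2) are not shown.

```python
import logging
from dataclasses import dataclass, field

audit = logging.getLogger("eproc.audit")

# Role -> permitted actions. Constructed for the example; they mirror, not
# replace, the grants given to the matching database roles, so that a
# compromised client cannot reach more than its role allows.
ROLE_PERMISSIONS = {
    "vendor": {"bid:submit", "bid:view_own"},
    "tender_officer": {"tender:publish", "bid:view_all"},
    "auditor": {"bid:view_all", "audit:read"},
}

# In-memory stand-in for an append-only audit store.
AUDIT_LOG = []


@dataclass
class Session:
    user: str = ""                                   # empty: not authenticated
    roles: frozenset = field(default_factory=frozenset)

    @property
    def authenticated(self) -> bool:
        return bool(self.user)


def _record(event: str, session: Session, action: str) -> None:
    entry = {"event": event, "user": session.user or None, "action": action}
    AUDIT_LOG.append(entry)
    audit.warning("%s user=%s action=%s", event, entry["user"], action)


def permitted_actions(session: Session) -> set:
    """What the interface may expose for this session: nothing for an
    unauthenticated one, the union of its roles' permissions otherwise."""
    if not session.authenticated:
        return set()
    return set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in session.roles))


def authorize(session: Session, action: str) -> bool:
    """Authentication is checked before any role is consulted; both kinds of
    refusal are written to the audit log, so attempts to force entry
    (anonymous requests for protected actions) are visible, not only
    failures by known users."""
    if not session.authenticated:
        _record("UNAUTHENTICATED_ACCESS", session, action)
        return False
    if action not in permitted_actions(session):
        _record("FORBIDDEN", session, action)
        return False
    return True
```

A burst of `UNAUTHENTICATED_ACCESS` entries for `bid:view_all` from one source is exactly the "forced entry" signal point 4 asks for, and it is only available if the refusal itself is logged rather than just returned to the caller.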


Other Good practices
Common unified platform:
1. A single platform across all states/departments/organisations.
2. It reduces the security threat: one platform to harden, patch and audit instead of many divergent ones.
3. Facilitates demand aggregation of common items across all states/departments/organisations, thereby resulting in economies of scale.
Public Key Infrastructure (PKI) implementation:
1. Vendors are issued a digital signature certificate by a licensed certifying authority.
Third party audit:
1. Audit by a third party at least once a year.


Sources
1. http://www.cvc.nic.in/oecd.pdf
2. http://www.cvc.nic.in/Preface.pdf
3. http://www.cvc.nic.in/1%20Introduction.pdf
4. http://www.cvc.nic.in/2%20Pre%20Tender%20Stage.pdf
5. http://www.cvc.nic.in/009vgl002_1892009.pdf
6. http://www.cvc.nic.in/3%20Tender%20Stage.pdf
7. http://www.cvc.nic.in/4%20Execution%20stage.pdf
8. http://www.cvc.nic.in/005vgl004_170709.pdf


THANK YOU