Submitted by- Mr. Avinash Sadaphule 20 November 2009 Management Trainee, MKCL.

Presentation transcript:


Central Vigilance Commission
Independent central body set up by the Govt. of India in 1964.
Objective: advising and guiding Central Govt agencies in planning, executing, reviewing and reforming their anti-corruption efforts.
Aim:
To curb corruption
To stop delays & arbitrariness
To increase transparency and accountability using Information Technology (IT)

Central Technical Examiner (CTE)
The Central Technical Examiner's organization (CTE) under the CVC inspects organizations and points out shortcomings in the field of public procurement. It also suggests remedial measures to help organizations improve their systems. The CTE directs the CVOs (Central Vigilance Officers) to carry out systematic inspection of various 'works' and 'contracts'.

CVC guidelines for security
The CVC guidelines for security of e-procurement systems are discussed in the subsequent slides.

Security at Infrastructure level
Perimeter defense: deployment of routers, firewalls, IPS/IDS, remote access controls and network segmentation.
Authentication: through deployment of passwords.
Monitoring: deployment of logging at OS/network level.
Secure configuration of network hosts: hosts should have safeguards in place to resist common attacks.
System patching: hosts should be patched with the latest security updates.
Control of malware: anti-virus/anti-spyware should be deployed, or an operating system immune to viruses should be deployed.
Structured cabling: good-quality interconnection between hosts through structured cabling is expected.

Security at Application design
Authentication: use SSL (Secure Sockets Layer).
Access control: a proper access control model, so that parameters available to the user cannot be used to launch an attack.
Session management: session tokens should be protected from guessing.
Error handling: no error message should leave the application that could be used to attack it.
Input validation: syntactic and semantic validation.
Application logs & monitoring: log file data should be maintained; it can be used for incident and trend analysis and for auditing purposes.

Security during Application Deployment & Use
Availability clustering: depending on expected hits, clustering of servers should be done.
Load balancing: depending on expected hits, load balancing of the web application should be done.
Data recovery: regular backup of data and application.
Control of source code & configuration management: keeping source code updated and using the latest software is advised.

Security in Data storage & applications
Encryption of data storage: sensitive data should be encrypted/hashed. Three types of data security:
1. Data sensitive to disclosure must be encrypted.
2. Data sensitive to tampering must have a keyed hash value (HMAC).
3. Data that can be hashed without loss of functionality, e.g. passwords.
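The second and third categories above, worked through as an added example (not code from the CVC slides or from MKCL): an HMAC-SHA256 tag over a tamper-sensitive bid record, and a salted, iterated one-way hash for passwords, using only the Python standard library. The bid record, key and passwords are constructed for the demo; category 1 (encrypting disclosure-sensitive data) needs a cipher library and is not shown.

```python
# Added example, not code from the CVC slides: the keyed-hash (category 2)
# and one-way-hash (category 3) protections, using only the standard library.
# Category 1 (encrypting disclosure-sensitive data) needs a cipher library
# such as `cryptography` and is not shown here.
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed demo key; a real deployment loads it from a key store.
TAMPER_KEY = secrets.token_bytes(32)
TAG_LEN = 32  # bytes in an HMAC-SHA256 tag

def protect_record(record: bytes, key: bytes = TAMPER_KEY) -> bytes:
    """Category 2: append an HMAC-SHA256 tag so any later change is detectable."""
    return record + hmac.new(key, record, hashlib.sha256).digest()

def verify_record(blob: bytes, key: bytes = TAMPER_KEY) -> Optional[bytes]:
    """Return the record if its tag verifies under `key`, otherwise None."""
    record, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, record, hashlib.sha256).digest()
    # compare_digest does not leak how many tag bytes matched via timing
    return record if hmac.compare_digest(tag, expected) else None

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Category 3: salted, iterated one-way hash; the password is never stored."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return f"pbkdf2_sha256${200_000}${salt.hex()}${digest.hex()}"

def check_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt/iterations and compare in constant time."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)

if __name__ == "__main__":
    bid = b"tender=T-2009/17;vendor=V-42;amount=1250000"  # constructed record
    blob = protect_record(bid)
    assert verify_record(blob) == bid
    tampered = blob.replace(b"1250000", b"1000000")  # same length, new value
    assert verify_record(tampered) is None            # tamper is detected
    stored = hash_password("correct horse")
    assert check_password("correct horse", stored)
    assert not check_password("wrong", stored)
    print("all checks passed")
```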

Security in Data storage & applications
Data transfer security:
1. Sensitive data should be encrypted before transmission.
2. Check whether intermediate components present an undue threat to the data.
3. While communicating with a payment gateway over a public network, an encryption method such as SSL must be deployed.

Security in Data storage & applications
Access control:
1. Authorisation mechanisms that provide access to sensitive data should grant it only to permitted users.
2. Role-based access control at the database level and at the application interface, to protect the database if the client application is exploited.
3. Authentication should be a prerequisite for authorization.
4. Forced entry into the system should be logged.
5. Regular testing of the application on the internet: conduct "black box" as well as "informed" testing.
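Points 1 to 4 above as one small access-control routine, added here as an example (not code from the CVC slides or any MKCL system): no authorization without prior authentication, a role check at the application layer and a separate grant check standing in for the database's own privileges, and an audit entry for every refusal. The role names, operations and privilege strings are hypothetical.

```python
# Added example, not code from the CVC slides: authorization that refuses any
# request not preceded by authentication, checks an application role and a
# separate database grant, and records every refusal for the audit log.
from dataclasses import dataclass, field
from typing import List, Optional
import hmac

# Constructed role tables for a hypothetical e-procurement portal.
APP_PERMISSIONS = {"vendor": {"submit_bid", "view_own_bid"},
                   "evaluator": {"view_all_bids"}}
OPERATION_PRIVILEGE = {"submit_bid": "bids:insert",
                       "view_own_bid": "bids:select_own",
                       "view_all_bids": "bids:select_all"}
# Grants enforced by the database itself: even an exploited vendor client
# connects as app_vendor, which cannot read other vendors' bids.
DB_GRANTS = {"app_vendor": {"bids:insert", "bids:select_own"},
             "app_evaluator": {"bids:select_all"}}

@dataclass
class Session:
    user: str
    app_role: str
    db_role: str
    authenticated: bool = False

@dataclass
class AuditLog:
    entries: List[str] = field(default_factory=list)

def authenticate(session: Session, presented: str, expected: str) -> bool:
    """Stand-in credential check; a real one verifies a stored password hash."""
    session.authenticated = hmac.compare_digest(presented, expected)
    return session.authenticated

def authorize(session: Session, operation: str, audit: AuditLog) -> bool:
    """Authentication first, then app role, then DB grant; every refusal is logged."""
    reason: Optional[str] = None
    if not session.authenticated:
        reason = "unauthenticated"
    elif operation not in APP_PERMISSIONS.get(session.app_role, set()):
        reason = f"app-role {session.app_role} lacks {operation}"
    elif OPERATION_PRIVILEGE.get(operation) not in DB_GRANTS.get(session.db_role, set()):
        reason = f"db-role {session.db_role} lacks {OPERATION_PRIVILEGE.get(operation)}"
    if reason:
        audit.entries.append(f"DENY user={session.user} op={operation}: {reason}")
        return False
    return True
```

The last branch is the one that matters when the client application is compromised: an attacker who tampers with the application role still runs against the database role, and the grant check refuses the query.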

Other Good practices
Common unified platform:
1. A single platform across all states/departments/organisations.
2. It reduces the security threat.
3. It facilitates demand aggregation of common items across all states/departments/organisations, resulting in economies of scale.
Public Key Infrastructure (PKI) implementation:
1. Vendors are issued a digital signature certificate by a licensed certifying authority.
Third-party audit:
1. Audit by a third party at least once a year.

Sources

THANK YOU