Published by Ethel Lamb. Modified over 9 years ago.
1
Submitted by: Mr. Avinash Sadaphule, Management Trainee, MKCL
20 November 2009
2
Central Vigilance Commission
Independent central body, set up by the Govt. of India in 1964.
Objective: advising and guiding Central Govt agencies in planning, executing, reviewing and reforming their anti-corruption efforts.
Aim:
To curb corruption
To stop delays and arbitrariness
To increase transparency and accountability using Information Technology (IT)
3
Central Technical Examiner (CTE)
The Central Technical Examiner's organisation (CTE), under the CVC, inspects organisations and points out shortcomings in the field of public procurement. It also suggests remedial measures to help organisations improve their systems.
The CTE directs the CVOs (Central Vigilance Officers) to carry out systematic inspection of various 'works' and 'contracts'.
4
CVC guidelines for security
The CVC guidelines for the security of e-procurement systems are discussed in the following slides.
5
Security at Infrastructure level
Perimeter defence: deployment of routers, firewalls, IPS/IDS, remote access controls and network segmentation.
Authentication: through deployment of passwords.
Monitoring: deployment of logging at OS/network level.
Secure configuration of network hosts: safeguards should be in place to resist common attacks.
System patching: hosts should be patched with the latest security updates.
Control of malware: anti-virus/anti-spyware should be deployed, or an operating system immune to viruses should be deployed.
Structured cabling: good-quality interconnection between hosts through structured cabling is expected.
6
Security at Application design
Authentication: use SSL (Secure Sockets Layer).
Access control: a proper access control model, so that parameters available to the user cannot be used to launch an attack.
Session management: session tokens should be protected from guessing.
Error handling: no error messages should go outside that could be used to attack the application.
Input validation: syntactic and semantic validation.
Application logs and monitoring: log file data should be maintained; it can be used for incident and trend analysis and for auditing purposes.
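The following is an added example, not code from the presentation or from the CVC guidelines, showing three of the application-design controls listed above in a minimal bid-submission handler: session tokens drawn from a CSPRNG so they cannot be guessed, syntactic and semantic validation of the input fields, and error handling that logs detail internally while returning only a curated message to the client. The class and function names (SessionStore, validate_bid, handle_bid), the tender-id format and the session lifetime are assumptions made for the example.

```python
import logging
import re
import secrets
import time

# Added example; SessionStore, validate_bid and handle_bid are hypothetical names.
log = logging.getLogger("eproc")

TOKEN_BYTES = 32          # 256 bits of CSPRNG entropy: not guessable
SESSION_TTL = 15 * 60     # seconds of inactivity before a token expires (assumed)


class SessionStore:
    """Server-side sessions keyed by an unguessable random token."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock, so expiry can be tested
        self._sessions = {}

    def create(self, user_id):
        # secrets (not random): the token must come from a CSPRNG.
        token = secrets.token_urlsafe(TOKEN_BYTES)
        self._sessions[token] = {"user": user_id, "seen": self._now()}
        return token

    def lookup(self, token):
        """Return the user for a live token, or None if unknown or expired."""
        sess = self._sessions.get(token)
        if sess is None:
            return None
        if self._now() - sess["seen"] > SESSION_TTL:
            del self._sessions[token]
            return None
        sess["seen"] = self._now()
        return sess["user"]


# Syntactic rule: shape of the field (constructed format, e.g. T-2009-000123).
TENDER_ID_RE = re.compile(r"^T-[0-9]{4}-[0-9]{6}$")


class ValidationError(ValueError):
    """Raised with a message that is safe to show to the client."""


def validate_bid(fields):
    tender_id = fields.get("tender_id", "")
    if not TENDER_ID_RE.fullmatch(tender_id):
        raise ValidationError("tender_id has invalid format")
    try:
        amount = int(fields.get("amount", ""))
    except ValueError:
        raise ValidationError("amount is not an integer")
    if amount <= 0:                                  # semantic rule: business constraint
        raise ValidationError("amount must be positive")
    return {"tender_id": tender_id, "amount": amount}


def handle_bid(store, token, fields):
    """Return (status, body). Internal detail goes to the log, never to the client."""
    user = store.lookup(token)
    if user is None:
        return 401, {"error": "not authenticated"}
    try:
        bid = validate_bid(fields)
    except ValidationError as e:
        log.info("rejected bid from %s: %s", user, e)
        return 400, {"error": str(e)}                # curated message only
    except Exception:
        log.exception("unexpected failure handling bid for %s", user)
        return 500, {"error": "internal error"}      # no stack trace leaves the app
    return 200, {"accepted": bid}
```

The clock is injected into SessionStore so that idle-timeout behaviour can be exercised without sleeping; in a real deployment the store would also be bound to the TLS session and rotated on privilege change.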
7
Security during Application Deployment and Use
Availability clustering: depending on the expected hits, clustering of servers is to be done.
Load balancing: depending on the expected hits, load balancing of the web application is to be done.
Data recovery: regular backup of data and application.
Control of source code and configuration management: updated source code and usage of the latest software is advised.
8
Security in Data storage and applications
Encryption of data storage: sensitive data should be encrypted/hashed.
3 types of data security:
1. Data sensitive to disclosure must be encrypted.
2. Data sensitive to tampering must have a keyed hash value (HMAC).
3. Data that can be hashed without loss of functionality, e.g. passwords.
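As an added example (not from the presentation or the CVC guidelines), the two keyed-hash categories above implemented with only the Python standard library: a keyed hash (HMAC-SHA256) appended to a record that is sensitive to tampering, checked with a constant-time comparison, and a salted, slow password hash (PBKDF2-HMAC-SHA256) for data that can be hashed without loss of functionality. Category 1, encryption for confidentiality, needs an authenticated cipher such as AES-GCM from a library like `cryptography` and is not shown. The function names, the record format and the iteration count are assumptions; the HMAC key would normally come from a key store rather than application code.

```python
import hashlib
import hmac
import os

# Added example; protect_record/verify_record and hash_password/check_password
# are hypothetical names chosen for this illustration.

TAG_LEN = 32                 # SHA-256 output length
SALT_LEN = 16
PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to the deployment


# Category 2: data sensitive to tampering gets a keyed hash (HMAC).
def protect_record(key: bytes, record: bytes) -> bytes:
    """Append an HMAC-SHA256 tag so any later modification is detectable."""
    tag = hmac.new(key, record, hashlib.sha256).digest()
    return record + tag


def verify_record(key: bytes, blob: bytes):
    """Return the record if its tag verifies, else None (constant-time compare)."""
    if len(blob) < TAG_LEN:
        return None
    record, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, record, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return record


# Category 3: passwords are stored only as a salted, slow hash; the plaintext
# is never stored and cannot be recovered from what is kept.
def hash_password(password: str, salt=None) -> bytes:
    salt = salt or os.urandom(SALT_LEN)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt + dk            # salt travels with the hash, it is not secret


def check_password(password: str, stored: bytes) -> bool:
    salt, dk = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, dk)
```

Two points worth noting in review: verification uses `hmac.compare_digest` rather than `==` so that the comparison time does not depend on how many leading bytes match, and the same plaintext password produces a different stored value each time because the salt is fresh, which defeats precomputed tables.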
9
Security in Data storage and applications
Data transfer security:
1. Sensitive data should be encrypted before transmission.
2. Check whether intermediate components present an undue threat to the data.
3. While communicating with a payment gateway over a public network, an encryption method such as SSL must be deployed.
10
Security in Data storage and applications
Access control:
1. The authorisation mechanism that provides access to sensitive data should grant it only to permitted users.
2. Role-based access control at the database level and at the application interface, to protect the database if the client application is exploited.
3. Authentication should be a prerequisite for authorisation.
4. Forced entry into the system should be logged.
5. Regular testing of the application on the internet: conduct "black box" as well as "informed" testing.
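An added example (not code from the presentation or the CVC guidelines) of points 1 to 4 above: role-based authorisation that refuses to evaluate any rule until the caller is authenticated, a row-level rule so that a vendor can read only its own bids while an officer can read all, and an audit record written for every denial so that forced-entry attempts show up in the application log. The roles, permissions, record layout and the AuditLog sink are all assumptions made for the example.

```python
# Added example; ROLE_PERMISSIONS, authorize, read_bid and AuditLog are
# hypothetical names and a constructed role model.

ROLE_PERMISSIONS = {
    "vendor":  {"bid:submit", "bid:read_own"},
    "officer": {"tender:publish", "bid:read_all"},
    "auditor": {"bid:read_all", "audit:read_log"},
}


class AuthzDenied(PermissionError):
    """Raised on every refused access; the caller maps it to a 401/403."""


class AuditLog:
    """In-memory sink standing in for the application log."""

    def __init__(self):
        self.entries = []

    def write(self, event, **fields):
        self.entries.append({"event": event, **fields})

    def denials(self):
        return [e for e in self.entries if e["event"] == "authz_denied"]


def authorize(principal, permission, audit):
    """principal is {'user': str, 'roles': [...]} or None when unauthenticated.

    Authentication is checked first: no role lookup happens for an anonymous
    caller, and the refusal is logged before the exception is raised.
    """
    if principal is None:
        audit.write("authz_denied", user=None, permission=permission,
                    reason="unauthenticated")
        raise AuthzDenied("authentication required")
    granted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in principal["roles"]))
    if permission not in granted:
        audit.write("authz_denied", user=principal["user"], permission=permission,
                    reason="no_role")
        raise AuthzDenied("forbidden")
    audit.write("authz_granted", user=principal["user"], permission=permission)
    return True


def read_bid(principal, bid, audit):
    """Row-level rule: read_all, or read_own when the caller owns the bid."""
    if principal is not None and bid["owner"] == principal["user"]:
        authorize(principal, "bid:read_own", audit)
    else:
        authorize(principal, "bid:read_all", audit)
    return bid
```

The same check should be mirrored at the database layer (separate accounts or row-level policies per role, as point 2 requires) so that a compromised client application still cannot read other vendors' bids.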
11
Other Good practices
Common Unified Platform:
1. A single platform across all states/departments/organisations.
2. It reduces the security threat.
3. Facilitates demand aggregation of common items across all states/departments/organisations, resulting in economies of scale.
Public Key Infrastructure (PKI) implementation:
1. Vendors are issued a digital signature certificate by a licensed certifying authority.
Third-party audit:
1. Audit by a third party at least once a year.
12
Sources
1. http://www.cvc.nic.in/oecd.pdf
2. http://www.cvc.nic.in/Preface.pdf
3. http://www.cvc.nic.in/1%20Introduction.pdf
4. http://www.cvc.nic.in/2%20Pre%20Tender%20Stage.pdf
5. http://www.cvc.nic.in/009vgl002_1892009.pdf
6. http://www.cvc.nic.in/3%20Tender%20Stage.pdf
7. http://www.cvc.nic.in/4%20Execution%20stage.pdf
8. http://www.cvc.nic.in/005vgl004_170709.pdf
9. http://www.cvc.nic.in/009vgl002_1892009.pdf
13
THANK YOU