Government departments are privy to lot many secrets, hence, it is imperative to have a foolproof IT security regime.
Traditionally government is considered to be most conservative in deploying new technologies, but now the governmental machinery too cannot do without spending on IT security. When governmental spends on all sectors of IT have arisen, it is understandable that the spend on security should also go up. The recent ruling under the IT rules Act 2011 that advises security heads to protect customer data and prevent it from leakage has really increased the pressure of the CISOs, who now must endeavour to tighten the security perimeters by deploying state of art technologies.
Serious to secure
Like most industry verticals, the chief information security officers at various government, central, state, semi-government or PSUs have strict priorities for securing their infrastructure and data combined with varied challenges.
Satya Voleti, IT security specialist, Civil Supplies department of Andhra Pradesh regards the securing of assets related to sensitive business information a priority. He has system in place to identify and protect sensitive and critical information assets. There is also the effort to create awareness about security related issues in management circles and amongst users. There is a constant challenge with regard to increasing spam, malware, internal and external threats and vulnerability and patch management related tools and in finding new ways to handle them, says Satya.
The core objective of Bharat Panchal, Chief Information Security Officer, National Payments Corporation of India (NPCI) is to consolidate and integrate the multiple systems with varying service levels into nation-wide uniform and standard business process for all retail payment systems. As per the RBI regulations, security is one of the important pillars of nations payments system. It gives confidence to stakeholders that the payment systems can be trusted and are reasonably protected from threats and vulnerabilities, confirms Panchal.
The challenge for Panchal is that even though he has the best technology in place, and the best brains working on making systems highly secure, the security is not foolproof because of the causal attitude of customers. At times customers carry their user name and password in the card jacket itself.
Dr Ingalagi, Chief Manager-MIS, Bangalore Metropolitan Transport Corporation, Government of Karnataka classifies his security priorities around hardware, software and data, which needs prevention from theft, fire, damage, misuse or abuse, or corruption from virus attack.
Securing the fence
NPCI has identified the myriad risks in payment systems. Efforts are on to use best of breed solutions from varied vendors and work out a robust security framework.
Despite not being very IT savvy, BMTC's Ingalagi has deployed the end-point solutions such as anti-virus and firewalls. He has also blocked certain sensitive website. There is a regime of constant vigil and periodic modifications on the security framework. User awareness and training the staff is of importance in IT security. Prevention of data leakage is key for us, informs Ingalagi.
Satya Voleti followed a systematic approach in securing the infrastructure by designating key people to take the onus of protecting critical and sensitive information assets. He prepared and distributed the user code of practices, while also implementing patch management and end-point security using best of breed solutions from Microsoft-WSUS, Nokia Check Point firewall, and Symantec anti-virus corporate edition.
While the security heads witnessed the benefits from the existing security standards, the aspiration to evolve best security practices became the priority.
Best way to secure
The process has been to implement secure IT policies and procedures. There is the system of standardization of software, hardware and network. Network vulnerability assessment tests, awareness session on IT security to all the business users including the senior management is also a must.
For instance, Satya's department spends about Rs 20 lakhs on an average on deploying security systems. The best practices according to her would be to identity, evaluate and recommend security solutions and technologies. Preparing RFPs and have best vendor negotiations would form a key practice.
Panchal is currently working on Data Loss Prevention for internal usage and re-enforces SOC with more technology and resources. With about 8 to 10% of the capital budget going into information security controls, we are also working on to integrate our network and security events / logs to a solution to get deeper knowledge on the security events or incidents, says Panchal.
BMTC has allocated Rs 1 crore towards addressing security issues and deploying relevant technologies and tools. The problems are localised and attended by the staff deployed, and in case of unsolved problems the agencies are contacted, says Ingalagi.
How secure is the future?
Governments spending on IT has soared, and it is being estimated that a significant chunk of this spending could to to the IT security. Springboard Research, the market research and advisory firm, estimated that the IT spend by India's public sector will be in the tune of $5.1 billion this year.
The report notes that defence and public safety and taxation and finance round up the list of top three segments. About two-thirds is controlled by the central government, with states and local governments accounting for 22% and 11% respectively.
Ingalgi plans to introduce common mobility card for the users at BMTC to ensure safety of transactions in compliance with international standards.
Catching up with cloud trend, Panchal has introduced cloud services like email management and is in the process of setting new data centre in which virtualisation is considered to be one of the important steps to be implemented to ensure optimisation of resources without any security related challenges.
NPCI is operating National Finance Switch (NFS) and Interbank Mobile Payments Services (IMPS) at present. We have already launched RuPay and AADHAR (UID) enabled card for people to transact in a secure manner. In times to come, these systems will play a bigger role in all aspects of online payments in the country, says Panchal. Satya is keen on deploying web-based applications around security going forward.