Thanks to the government’s Digital India programme, there has been a significant increase in the number of e-governance projects across state-owned agencies. Most of these projects are executed either through the tender or the PPP mode. However, there is a pressing need to put in place a comprehensive information security strategy in order to protect sensitive data.
In sync with this essential requirement, government agencies have started to focus on building a security framework to protect data or information collected through e-governance projects, where a service provider or a PPP is involved. The focus is to create a strategic control within government departments to have sustainable security enforcement.
“Today the criticality of information security management has increased with technology intervention because the number of users and flow of data have substantially gone up,” says Rudramurthy KG, chief information security officer—Digital India, ministry of home affairs (MHA). Agreeing with this view, Golok Kumar Simli, head of technology, passport seva project, MEA, says that the concept of e-governance is made up of two interfaces—the citizen interface and the back-end interface. Both have to be secure enough to deliver services without any hassle. “I personally feel that the government departments are ready with the security of the back-end interface, but the major challenge is coming from the cyberspace,” he adds.
To fight the challenge, the government has taken a number of steps. MHA has recently issued a National Information Security Policy & Guidelines that could be taken as a reference by all the central ministries, state governments and PSUs for developing their own information security and control mechanisms. But beyond the guidelines, to frame a policy that really serves its purpose, government organisations must understand their requirements, processes and functions.
According to Rudramurthy, questions such as—what kind of user life-cycle government departments have, what type of user mix they have, what type of data they need, what is the life cycle of the data—must be asked. An ideal cyber security framework is also constrained by the fact that across the world the concept of security is changing. Security is moving beyond firewalls. The old rule that anything inside the firewall is good and anything outside is bad, and the idea of the network as a perimeter, are now diminishing. Now organisations are focusing on continuous monitoring of the cyber infrastructure for predicting things in advance.
Vijay Devnath, GM (infra & security) & chief information security officer, CRIS, says that organisations should try to adopt the COBIT framework, but security does not stop at having the right person and right solution in place.
In addition to a technology partner for e-governance projects, most government departments involve a consultant for project management. This increases the number of stakeholders and the risk of a data breach. That is why Rudramurthy of MHA says that the security measures should be part of the contract itself. The service provider must be completely checked prior to onboarding and must also be monitored on a continuous basis during the execution.
Simli of MEA says, “Government departments must understand that outsourcing a job to the service partners does not mean outsourcing responsibility.” He gives an example of the passport division that has set rules and regulations for issuing the passport.
Above all the challenges, the good news is that these days there is enhanced awareness about cyber security. Everybody is talking about it—political leaders, bureaucrats, RBI, SEBI,