• Save
SecureIT 2014 - ICT for Infrastructure Security... -  Sailesh K Tiwari, Director, Computerisation & Information System, Railway Board, Ministry of Railways
Upcoming SlideShare
Loading in...5
×
 

SecureIT 2014 - ICT for Infrastructure Security... - Sailesh K Tiwari, Director, Computerisation & Information System, Railway Board, Ministry of Railways

on

  • 1,233 views

SecureIT 2014 - ICT for Infrastructure Security... - Sailesh K Tiwari, Director, Computerisation & Information System, Railway Board, Ministry of Railways

SecureIT 2014 - ICT for Infrastructure Security... - Sailesh K Tiwari, Director, Computerisation & Information System, Railway Board, Ministry of Railways

Statistics

Views

Total Views
1,233
Views on SlideShare
1,164
Embed Views
69

Actions

Likes
1
Downloads
0
Comments
0

2 Embeds 69

http://secureit.eletsonline.com 68
http://www.slideee.com 1

Accessibility

Categories

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment
  • ForMalicious software:-Our policy forbids the use of pirated software.Antivirus software is in use in major installations.All the Critical servers are periodically updated with Virus / worm definition.Regarding Firewall/IPS/IDS:-Signatures/rules of Firewall/IPS/IDS are periodically tested and unnecessary ports and services are closed.

SecureIT 2014 - ICT for Infrastructure Security... -  Sailesh K Tiwari, Director, Computerisation & Information System, Railway Board, Ministry of Railways SecureIT 2014 - ICT for Infrastructure Security... - Sailesh K Tiwari, Director, Computerisation & Information System, Railway Board, Ministry of Railways Presentation Transcript

  • Computerisation and Information Systems Railway Board, Ministry of Railways Government of India By Shailesh K Tiwari Director (electronics)
  • Internet revolution and E- Security  Internet revolution  Unprecedented growth , development and changes  Greater comfort  Hassle free life  Ore avenues of happiness ???  But it has also made our life vulnerable  Evolution of Technology focuseds on ease of use.  Leads us to increased Network environment and highly network dependent application.  As an Organisation one need to make sure the balance between Security- Functionality-Ease of Use.
  • Indian Railways Core Values View slide
  • Indian Railways  Core values of Indian Railways  Safety  Security  Punctuality View slide
  • E-Securing Indian Railways  Citizen’s security  Integrated Security System for passengers and Assets  IT systems security  Information Systems Security  Network Security
  • Electronic Security of People and Assets over Indian Railways
  • IR – Electronic Surveillance  Railway Protection Force  A dedicated security organisation –handles all physical security of people and assets  Similar to Police Organisation  In recent times Extensive Use of technology  RPF Control rooms  End to end computerisation  Fully networked.
  • IR – Electronic Surveillance  RPF help line  Centralised system at New Delhi  Similar to dial 100  All India roll out  Passengers can dial 1322  GPS and GIS integration to know exact location of aggrieved passengers planned  Support for Hindi/English and other languages
  • IR – Electronic Surveillance  Integrated security system  CCTV based Electronic Surveillance  IP based video cameras  Network Video recorder etc  Access control system  Under vehicle scanner  Personal and baggage screening system  Bomb detection and disposal system
  • Information Security over Indian Railways
  • INDIAN RAILWAYS- POLICY INITIATIVES ON E- SECURITY  CERT-RAIL  set up under C&IS Directorate in the Railway Board.  Functions :-  Monitors the progress of IT Security adoption measures in all units of Railways.  Guidance to CRIS’ IT Security group,  Ensures that the Baseline Security Policy is kept updated with the latest knowledge and disseminated to the individual units.  Interacts with Ministry of IT, Cert-In, and other IT Security related forums  Co-opt experts from industry and academia  Monitors overall IT Security environment
  • Classification of IT security needs-  System Types  Large centrally administered applications  PRS, FOIS, UTS  Batch-type Local applications  Payroll systems:  MIS applications,  Control Office application,  Workshop systems,  Zone / Production Unit systems and applications such as PRIME, AFRES  PCs, small servers, and other equipment, used for general information processing
  • Classification of IT security needs  Data Security  E-Tendering, Employee Records, Vigilance related data (Data Confidentiality)  PRS, Financial applications (Data integrity)  Control Charting, UTS (Data availability)  Program Security  IPR issues, Encryption algorithms (Program Confidentiality)  Inadvertent changes to program integrity can cause programs to fail (Program integrity)  Malicious changes may lead to fraud (Program integrity)  Restricted access: Licensing & Legal Requirements
  • Classification of IT security needs IT Asset type Examples IT Security procedures to be managed by 1 Centrally Administered Applications PRS, FOIS, UTS CRIS / C&IS Dte of Railway Board 2 Zone Based Applications PRIME, AFRES, MMIS CCA Dte of Railway Board / Zonal EDP Centres 3 Distributed Applications MIS applications MIS Dte of Railway Board 4 Production Unit Applications Systems in RCF, ICF, DLW CM-IT of the PU 5 Batch type applications Payroll EDP centres 6 General purpose IT equipment PCs, servers, placed in all offices Concerned departments
  • Indian Railways- cyber security Policy  Cyber Security policy component  People:-Security Training and awareness of Employee.  Process:-Process to detect, protect and respond to Security Threat/attack and Vulnerability.  Technology:-Technology required to assist people and strengthening of the Process to improve the Security.
  • INFORMATION SECURITY MANAGEMENT Confidentiality INFORMATION SECURITY Integrity Availability Authenticity Security Policy People Process Technology Regulatory Compliance Access Control Security Audit User Awareness Program Incident Response Firewall, IPS/IDS Encryption, PKI Antivirus
  • IT Security- People  Technical Manpower at CRIS  Ensures secuirty of all IT apploications.  Plan and deploy state of the art information security systems  Technical advice to Zonal Railways  Zonal/ divisional level  User awareness training program  Training of manpower in technical issues to tackle immediate crisis
  • IT Security-Process  Security Audit  Vulnerability Assessment and Penetration of critical apps - done by STQC, a division of the Ministry of IT and  recommendations/suggestions have been incorporated into the system.  Regulatory Compliance:- All the regulatory compliance related to Information Security, Digital Signature are followed. Some of them are  IT Act, 2000 and IT (Amendment) Act 2008  Best Practices ISO 27001  Cyber Security Guidelines for Government of India.  Guidelines for Indian Government Website.
  • IR IT Security-Technology  Security of any IT system is divided in following areas  Network Security:-  Major applications -hosted in CRIS Data Center.  Firewall, IPS/IDS, host-based firewall, network access control etc on the Perimeter.  A common secure Internet gateway is implemented for all the IR applications hosted by CRIS.  Host-based Firewalls and SIEM (Security Information and Event Management) Tools is under process. This will provide a higher level of layered security for all applications.
  • IR IT Security-Technology  Malicious software:-  Indian Railways policy forbids the use of pirated software.  Antivirus software is in use in major installations.  All the Critical servers are periodically updated with Virus / worm definition.  Firewall/IPS/IDS:-  Signatures/rules of Firewall/IPS/IDS are periodically tested and unnecessary ports and services are closed.
  • IT Network Architecture-Technology ….. Common Internet Gateway Internet L-3 Switch Firewall •Stateful Inspection of Packets •Access Control •Traffic Filtering •Authentication •Authorization •Security Policies/Rules Intrusion Prevention System (IPS) •Mitigate DoS/DDoS attacks •Blocks Virus/Spyware etc. •Deep Packet Inspection •Traffic Behaviour Analysis •Mitigation of Attacks by analysing traffic behavior
  • IR Security-Technology…..  Application Security  Vulnerability Assessment and Penetration Testing for FOIS,PRS,UTS applications had been done.  Recommendations of STQC have been implemented in all applications.  Security Testing of EPS application is also being done periodically for various modules.  Security audit periodically done
  • Future Road Map- for securing Government’s Information Systems  The security of Information systems of Government are a big challenge because its prone to attack from  hackers, freakers etc.  Anti national elements  Terrorists organisations  Unfriendly countries
  • Future Road Map- for securing Government’s Information Systems  Build a dedicated private IP VPN network for all Government apps (GOV-Net)  Move applications to cloud (Government Cloud ?)  Have only few POPs- may be 4-5 , connecting Gov-Net to internet.
  • Future Road Map- for securing Government’s Information Systems  Build robust security infrastructure at the POPs connecting to internet.  Additionally secure each of data centres.  Any access of apps through internet to be strictly monitored- may be access granted to devices of known MAC addresses