"The Department of Information Technology
(DIT) has taken a number of initiatives to bring the
subject of information security (IS) to the forefront,"
said Mr. Brijesh Kumar, Secretary, Department of Information
Technology.
Mr Kumar was addressing the Indo-US Cyber Security Forum's
seminar on Information Security Management and
Standards jointly organized by the Standardization,
Testing and Quality Certification (STQC) Directorate,
Government of India, and Confederation of Indian Industry
(CII) today. CII is the private sector partner of the
Forum.
According to Mr Kumar, one of the major initiatives
taken in this direction was to establish a robust framework
of Information Security assurance in the country, steered
by the STQC directorate and CERT-India, set up by DIT.
"There is an urgent need to develop information
security policy directives, guidelines, standards, certification
and accreditation mechanisms in tune with global practices
that are appropriate for our country," said Mr
Kumar. The government would take suitable measures to
promote the use of IT at all levels while protecting
the public against its intentional misuse.
India and the US had set up the Indo-US Cyber Security Forum
to exchange views on cyber security, develop cooperative
mechanisms and suggest new ideas, he added. One
of the successful programmes had been the collaboration
between the National Institute of Standards and Technology
(NIST), USA, and STQC in the area of IS Assurance,
said Mr Kumar.
He said the two sides had worked out a joint action
plan that included the development and review of guidelines
and standards on security controls, auditing, certification
and accreditation as well as organizing seminars to
raise awareness and disseminate information.
Mr Kumar added that IT security was critical as IT was
being increasingly used in e-governance, ITES and businesses.
The software and services sector had grown at 32 percent
over the past five years to achieve a turnover of $22.7
billion with exports of $17.2 billion in 2004-05. The
government had also proposed a massive National E-Governance
plan.
Mr Kumar mentioned that the government was following
up the recommendations of the Inter-Ministerial Working
Groups set up to examine IS-related issues. These were
education and research, critical infrastructure protection,
cyber laws and cyber forensics, encryption policy and
assurance framework. "The Encryption Policy and
Implementation Plan has been developed and projects
for the development of cyber forensic tool kits and
the establishment of a National Centre for Cyber Forensics
are being initiated," he added.
DIT had already set up a Security Laboratory at the
National Informatics Centre and the Computer Emergency
Response Team (CERT-IN), said Mr. Kumar. There was also
a plan to develop a Cyber Security Assurance Framework
recommended by the Inter-Ministerial working group.
This would comprise the necessary infrastructure to
provide IS-related services and mechanisms to ensure
the implementation of security practices in the government
and industry with sound legal backing.
He said DIT had launched other initiatives including
training and awareness programmes in Information Security
comprising six-week short term courses, two-semester
diploma courses and inclusion of the subject of Information
Security in the formal education system at the bachelor's
and master's levels. DIT had also taken action to amend
the IT Act 2000 to ensure security for e-society.
In his Special Address, Ron Ross, National Institute
of Standards and Technology (NIST), USA, said information
systems had become increasingly complex and networked.
"Complexity is a major concern when addressing
IS-related issues," he added.
Dr. Ross said systems must be assessed to establish
priorities based on their importance to the agency's
mission. There was a continuum of criticality and sensitivity
of systems to achieving the mission and objectives that
determined the IS measures. "It is this philosophy
that has guided the work of NIST in support of the US
Federal Information Security Management Act 2002; FISMA
is designed for bringing in standards and best practices
in Federal Agencies," he added.
Dr. Ross said, "As India and US continue to increase
trade and commerce, it is important to understand the
security measures being applied to outsourced business
activities."
In his welcome address, Dr. S L Sarnot, Director General,
STQC, said several working groups had been established
under the Indo-US Cyber Security Forum to deal with
legal cooperation and law enforcement, R&D, critical
information infrastructure, watch and warning, defence
cooperation and standards, and software assurance. NIST
and STQC had developed a Joint Action Plan for collaboration
in the development of standards and guidelines on security
controls, certification and accreditation and creation
of awareness and information dissemination on standards
and guidelines.
He said STQC has piloted the need for IS by introducing
the IS Management System certification based on BS7799.
DIT was working to create a framework and guidelines
to implement security in critical government and private
infrastructure.
Proposing the vote of thanks, Mr. Arvind Gupta, Joint Secretary,
National Security Council Secretariat, gave details of
activities under the Indo-US Cyber Security Forum and said
that similar seminars have been held and that more are being
planned in partnership with CII and will be conducted
in other areas concerning information security.