Burning Needs
Retaining strategic control within government departments needs focused attention while delivering e-governance services
Friday, March 20, 2009

Retaining ownership and supervisory control over data, information and other critical assets always carries hidden challenges, especially when several agencies are involved, and more so when technology is used to protect those assets. On the one hand, ICT tools and application software have extended the reach of e-governance to a wider arena at speed; on the other hand, they have exposed new challenges in keeping complete control of the critical assets, including data and information.

True to my knowledge and experience, whenever we talk about process improvement and service delivery using a specific information infrastructure and application software, government departments necessarily join hands with private players, service providers or system integrators to accomplish a particular task or project. In the process, departments end up in a scenario where keeping control of their data and information infrastructure becomes complex.

Service Delivery
When it comes to service delivery to citizens, the expectation is a timely, transparent, secure and easily available delivery mode. In effect, a number of crucial actors come into play at the interface between citizens and government departments: the network service provider, the system integrator, the application software, OEMs, technology domain experts such as the application administrator, database administrator, network and security experts, back-up operators, the BCP drill team, the data center team, the DRC team and many more.

While the project passes through its various phases, from conceptualization to O&M, supervising and controlling these actors so as to retain ownership of the project without compromising the security and integrity of the data is a major challenge. To have an effective control mechanism over data and information in spite of the various actors playing their respective roles, government departments need in-depth exercises and methodologies, with their own personnel in place.

It is essential for departments to create an institutional mechanism in the form of a program management unit with a sufficient number of the functional and technology personnel the project requires. This must continue for the entire life-cycle of the project and be a continuous process. These multifaceted personnel help the department and its decision makers ensure that ownership of the data, information and critical assets remains with the department both de jure and de facto.

Retention of Controls
When departments need high-risk roles performed that are deeply technical in nature, such as application software, ICT infrastructure, data security, etc, they invariably opt to source the role by engaging domain experts. This leaves departments having to trust that the external resource (ER) will not abuse the power vested in the role. To reduce the risk that rests on this assumption about the integrity of the ER, departments should follow a policy of retention of controls.

This policy has the following elements:

  • Actions by all high-risk roles that can result in significant damage to department shall be limited to as few as possible, pre-planned where possible, and performed with explicit approval otherwise
  • The approval of such actions shall be by an appointed government officer. The officer may consult technical personnel (domain experts) if needed before approving such actions
  • Performance of any action by highly privileged roles shall require a secure authentication process to be completed, and the performance of such actions shall be audited by a secure audit mechanism
  • The authentication system will be such that the inputs required for authentication to succeed can be split among multiple people. For example, if password based authentication is used, the password shall be split into parts requiring multiple people to enter parts of the password
  • At least one among multiple people required for authentication shall be a government officer appointed for this purpose
  • The actual number of government officers and others required to complete an authentication scheme shall depend on the risk associated with the action. A separate list of high-risk roles and the number of people required to complete the authentication for each role shall be prepared and reviewed by the department
  • To provide against the eventuality of one of the authentication participants in a set being unavailable, the use of a key recovery mechanism or of alternate sets of authentication participants needs further consideration
  • In any case every successful and failed authentication attempt shall be audited automatically by the system. The audit logs shall be backed up on a periodic basis. The backup itself shall be secured by confidentiality, authenticity and integrity protection mechanisms and shall be under the control of a government officer who is not one of the authentication participants
  • The audit log shall be reviewed on a periodic basis by an appointed government officer
  • For further security, certain high-risk roles shall demand multi-factor authentication to be completed (eg, password + fingerprint)
  • Responsibility for the action performed after authentication shall rest with the person playing the technical role; accountability for the authentication itself shall rest with all the participants in the authentication

A few important points of data security are:

  • Encrypt confidential data through industry-standard encryption mechanisms
  • Digitally sign data using industry-standard digital signature mechanisms
  • Store cryptographic hashes of data created through industry-standard hashing mechanisms for protecting the integrity of data. Secure the hash itself through a digital signature
  • Securely store cryptographic material such as keys and certificates used in the above
  • Adopt a PKI scheme and obtain certificates, CRLs, etc from well-known certificate authorities
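The retention-of-controls policy above (split password, at least one government officer among the participants, every attempt audited, audit log under a separate officer's key) and the integrity item of the data-security list can be shown working together. The following is an added illustration written for this page, not code from the article or from any department's system. It assumes a role whose password is split by concatenation among named participants, a PBKDF2 hash of the reassembled password, and an append-only audit log whose entries are hash-chained and authenticated with an HMAC key held by an officer who is not an authentication participant (a keyed MAC stands in here for the digital signature the article calls for; a PKI signature would replace `hmac` without changing the structure). All names, parts and keys are constructed sample data.

```python
"""Multi-party approval gate for a high-risk administrative action (added example)."""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass

PBKDF2_ROUNDS = 100_000


@dataclass
class Participant:
    name: str
    is_officer: bool   # True for an appointed government officer
    part: str          # this person's share of the split password


@dataclass
class HighRiskRole:
    """A high-risk role and the number of password parts its risk level demands."""
    name: str
    required: int
    salt: bytes
    digest: bytes      # PBKDF2 hash of the full password; the parts are never stored

    @classmethod
    def create(cls, name, required, parts):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", "".join(parts).encode(), salt, PBKDF2_ROUNDS)
        return cls(name, required, salt, digest)

    def check(self, parts):
        """Reassemble the presented parts in order and compare in constant time."""
        cand = hashlib.pbkdf2_hmac("sha256", "".join(parts).encode(), self.salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(cand, self.digest)


class AuditLog:
    """Append-only log: each entry carries the SHA-256 of the previous entry body
    and an HMAC tag under a key the authentication participants do not hold."""
    GENESIS = "0" * 64

    def __init__(self, key: bytes):
        self._key = key
        self.entries = []
        self._prev = self.GENESIS

    def record(self, event: dict) -> None:
        body = json.dumps({**event, "prev": self._prev}, sort_keys=True)
        tag = hmac.new(self._key, body.encode(), "sha256").hexdigest()
        self.entries.append({"body": body, "tag": tag})
        self._prev = hashlib.sha256(body.encode()).hexdigest()

    def verify(self, key: bytes) -> bool:
        """Reviewer check: every tag must verify and the chain must be unbroken."""
        prev = self.GENESIS
        for e in self.entries:
            expect = hmac.new(key, e["body"].encode(), "sha256").hexdigest()
            if not hmac.compare_digest(expect, e["tag"]):
                return False
            if json.loads(e["body"])["prev"] != prev:
                return False
            prev = hashlib.sha256(e["body"].encode()).hexdigest()
        return True


def authorize(role, participants, action, log):
    """Grant the action only if enough parts are presented, at least one presenter
    is a government officer, and the reassembled password matches. Success and
    failure are both logged, as the policy requires."""
    ok = (len(participants) >= role.required
          and any(p.is_officer for p in participants)
          and role.check([p.part for p in participants]))
    log.record({"role": role.name, "action": action,
                "participants": [p.name for p in participants],
                "result": "success" if ok else "failure"})
    return ok


def demo():
    # Constructed sample data: one department officer and two service-provider staff.
    officer = Participant("dept-officer", True, "corr-")
    dba = Participant("sp-dba", False, "ect-h")
    ops = Participant("sp-ops", False, "orse")
    role = HighRiskRole.create("database administrator", 3, [officer.part, dba.part, ops.part])
    log_key = secrets.token_bytes(32)       # custody: an officer who is not a participant
    log = AuditLog(log_key)

    granted = authorize(role, [officer, dba, ops], "drop-index", log)
    # Three provider staff, no officer: refused even though a part is repeated.
    no_officer = authorize(role, [dba, ops, Participant("sp-dba2", False, "corr-")], "drop-index", log)
    wrong_part = authorize(role, [officer, dba, Participant("sp-ops", False, "oops")], "drop-index", log)
    intact = log.verify(log_key)
    # Tampering: someone rewrites the failed attempt as a success; the tag no longer verifies.
    log.entries[1]["body"] = log.entries[1]["body"].replace('"failure"', '"success"')
    return {"granted": granted, "no_officer": no_officer, "wrong_part": wrong_part,
            "log_intact": intact, "tamper_detected": not log.verify(log_key),
            "attempts_logged": len(log.entries)}


if __name__ == "__main__":
    print(demo())
```

The point a reviewing officer should take from this: the password parts are never stored, only a hash of the whole; a refusal is logged exactly like a grant; and because the log key is not in the hands of any participant, none of them can rewrite the record of what they did.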

It is important to note that in a scenario where system development has been outsourced to a PPP operator (service provider), strategic control does not mean control over every last line of code. Controlling code writing or dictating the finer aspects of design would only reduce the degrees of freedom available to the service provider in configuring its solution to meet the service level obligations under the contract. Hence, the department personnel engaged to exercise the strategic control role should comprehend the complexity of the service delivery process.

Golok Kumar Simli
The author is principal consultant technology, Passport Seva Project, MEA
maildqindia@cybermedia.co.in
