the e-government magazine for asia & the middle east
volume 3 | issue 5 | May 2007
ISSN 0973-161X
Rs 75
www.egovonline.net
SUBSCRIBER COPY NOT FOR SALE

Network and Information Security in Government
Perspectives on Protecting Network and Information Assets from Leading Industry Players
About Protection from Security Breaches and Hacking
Efficient, Cost-effective Approach to Security Operations
New Approach to Protecting Customer Data and Intellectual Property Assets

country focus: nepal
making a move towards digital nepal

industry perspective
citizen data hub
towards trust, security and privacy in voting

regional focus: karnataka
“khajane” - the online treasury computerisation project

EVENT DIARY
exploring new vistas in IT
Cover Features
About Protection from Security Breaches and Hacking
Les Howarth
Efficient, Cost-effective Approach to Security Operations
Amol Bhandarkar and Ram Gopal Gandhekar
Building Trusted Environment
Interview: Vishal Dhupar, Managing Director, Symantec India
Strong Operational Foundation
Interview: William Bill Boni, Corporate Vice President, Motorola
New Approach to Protecting Customer Data and Intellectual Property Assets
Kartik Shahani
Protecting Network and Information Assets
Interview: Sajan Paul, Chief Technology Officer, Nortel

industry perspective
Citizen Data Hub
Interview: SPS Grover, Vice President - Sales, Oracle India
Towards Trust, Security and Privacy in Voting
Interview: Raymond Teo, Director of Sales for the Asia Pacific Region, Scytl

commentary
ICT in Government
Malathi Subramanian and Anupama Saxena
Web Firewalls and End-to-end Identity Infrastructure
Satyam B.

country focus: Nepal
Making a Move Towards Digital Nepal
Chola Pratapa Singh Chhetri

regional focus: karnataka
“Khajane” - The Online Treasury Computerisation Project
M. Prabhakara and K. T. Vijaya Krishna Kumar

EVENT DIARY
Exploring New Vistas in IT

NEWS REVIEW
World News

REGULAR FEATURES
What’s On
Editorial Guidelines

egov is a monthly magazine providing a much needed platform to the voices of various stakeholders in the arena of e-Government, apart from being a repository of valuable information and meaningful discussion on issues of e-governance in general, and e-Government in particular -- both to the specialist and the generalist. Contributions to egov magazine should be in the form of articles, case studies, book reviews, event reports and news related to e-Government projects and initiatives, which are of immense value for practitioners, professionals, corporates and academicians. We would like the contributors to follow these guidelines while submitting their material for publication.

Articles / case studies should not exceed 2500 words. For book reviews and event reports, the word limit is 800.
An abstract of the article/case study not exceeding 200 words should be submitted along with the article/case study.
All articles / case studies should provide proper references.
Authors should state in writing that the work is new and has not been published in any form so far.
Book reviews should include details of the book like the title, name of the author(s), publisher, year of publication, price and number of pages, and should be sent with the cover photograph of the book in JPEG/TIFF (resolution 300 dpi).
Book reviews of books on e-Governance related themes, published from year 2002 onwards, are preferable. In case of a website, provide the URL.
The manuscripts should be typed in a standard printable font (Times New Roman 12 font size, titles in bold) and submitted either through mail or post.
Relevant figures of adequate quality (300 dpi) should be submitted in JPEG/TIFF format.
A brief bio-data and passport size photograph(s) of the author(s) must be enclosed.
All contributions are subject to approval by the publisher.

Please send in your papers/articles/comments to: The Editor, egov, G-4, Sector 39, NOIDA (UP) 201 301, India. tel: +91 120 2502180-87, fax: +91 120 2500060, email: info@egovonline.net
Editorial Calendar 2007
Month | solution focus | application focus
APRIL | meta data and data standards | e-procurement
MAY | national id | network and information security
JUNE | rfid & smart card | passport & visa
JULY | localisation and language technology | land records
AUGUST | e-forms and document management | income tax/commercial taxes
SEPTEMBER | interoperability and open standards | central excise
OCTOBER | wireless | municipalities
NOVEMBER | e-governance architecture | courts
DECEMBER | mobility | police
president: Dr. M P Narayanan
editor-in-chief: Ravi Gupta
sr. editor: G Kalyan Kumar
sr. sub editor: Prachi Shirur
marketing: Gautam Navin, mob: +91 9818125257, email: gautam@csdms.in; Debabrata Ray, mob: +91 9899650692, email: debabrata@elets.in
designed by: Bishwajeet Kumar Singh
web: Zia Salahuddin
circulation: Lipika Dutta (+91 9871481708), Manoj Kumar (+91 9210816901)
editorial correspondence: eGov, G-4 Sector 39, NOIDA 201301, India. tel: +91 120 2502181-85, fax: +91 120 2500060, email: info@egovonline.net
printed by: Yashi Media Works Pvt Ltd, New Delhi, India

egov does not necessarily subscribe to the views expressed in this publication. All views expressed in the magazine are those of the contributors. egov is not responsible or accountable for any loss incurred, directly or indirectly, as a result of the information provided.
EDITORIAL
Two Ways of Raising Competitiveness

The e-Government initiatives are really perking up the competitiveness of the enterprises in the commercial and industrial sector. No better example will illustrate this than the new initiative of the Ministry of Company Affairs, which has announced its intention to reduce the processing time for incorporation and liquidation of companies in India. It is learnt that the ministry is reportedly planning to put in place a system for allowing electronic filing of stamp duty. This will help in setting up a company in as little as three days. At present, under the MCA-21 governance system, companies can file almost any information electronically, barring stamp duties. About 20 states have reportedly agreed to e-Filing of stamp duties, with the rest expected to join soon. Incidentally, the World Bank report, Doing Business 2007, notes that it takes over 10 years and 14 processes to close a business in India. The new changes on the anvil may certainly add new energy to corporate governance and raise investor confidence.

However, the whole talk of effective e-Governance is infructuous if due attention is not paid to the aspect of network security or information security. Loss of trade secrets, loss of stakeholder goodwill, and regulatory penalties are stark realities before all enterprises that are too lax about protecting their data or investing in their networks. The damage to balance sheets, brands, and competitive advantage can be unthinkable and unpardonable if poor management of customer data and intellectual property assets is the reason for it. As a matter of fact, most security programmes till date concentrate on limiting unauthorised access. They mostly try to fend off external attacks with traditional data security measures including firewalls, intrusion prevention, and anti-spyware, and rely more on identity and access controls and, in some cases, data encryption to limit exposure of sensitive information.

A new approach to this issue is certainly called for, because the current protections are insufficient: there is no data loss coverage. With a whopping 46 per cent of the government of India’s revenues being spent on governance, closely followed by defence at 24 per cent, there is a good case for a state level initiative in addressing this issue. To deliver good governance with augmented security for the public domain, there must be better investments in the governance projects in public and private domains to safeguard security. This will bolster the efficacy in service delivery and indirectly strengthen the hands of the tech industry as well.

The current issue of the magazine has Network and Information Security as its major theme, and it will lead the readers through a slew of perspectives and learnings on cyber security. We hope these articles provide a good read to all concerned and alert them about protecting their data and raising the bar of competitiveness.
Ravi Gupta
Ravi.Gupta@csdms.in

egov is published in collaboration with Elets Technomedia Pvt. Ltd. (www.elets.in)
© Centre for Science, Development and Media Studies 2007
www.csdms.in
commentary

ICT in Government
Technology and Change in Culture can Deliver Good Governance

In India, the push for public reforms has brought in its wake the pervasive harnessing of ICT to achieve declared administrative and social goals. It is expected that the use of ICT in governance would not only improve the delivery of public services but also bring into the public domain the issues that have so far been shrouded in secrecy, mitigating corruption in public life. It would also help in improving the systemic deficiencies that allowed the wanton elements, both within the government and outside, to selfishly use them for narrow objectives.

Malathi Subramanian & Anupama Saxena
The term ‘Governance’ may be described as the process by which society steers itself towards its collective goals. The beginning of the 21st century has been so dominated by Information Technology (IT) that in a lighter vein it could be said that the letter “e” is likely to precede almost every word. Perhaps, existence itself would now become e-Existence. It is, therefore, not surprising that everybody is talking about e-Governance. In order to define it we could say that ‘e-Governance’ or ‘Electronic Governance’ or ‘Digital Governance’ is the effective use of IT to improve the system of governance that is in place, and thus provide better services to the citizens.

In India, the push for public reforms has brought in its wake the pervasive harnessing of ICT to achieve declared administrative and social goals. The implementation of e-Governance began with the National Informatics Centre’s (NIC) efforts to connect all the district headquarters through computers in the 1980s. This has typically included connectivity, networking, technology upgradation, selective delivery systems for information and services, and an array of software solutions. According to the National Association of Software and Service Companies (Nasscom), an apex industry association of software and service companies in India, the e-Governance market in India is witnessing year-on-year growth. The e-Governance market grew by 18% during 2002-03, and is the fastest growing vertical in the domestic IT markets.

However, the pertinent question remains whether technologies could be the answer to all our governance problems. Undoubtedly, technology by itself, in isolation from the social and cultural specificities, cannot bring in any meaningful and substantive changes in governance or administration. There is a need to reform the administrative mindset and the entire administrative culture to exploit the true potential of ICTs in reference to the governance processes in India. There is a need to examine some of the aspects of administrative culture that need to be transformed to suit and support the phenomenon of e-Governance.

e-Governance transition requisites
In India, concern about reforming administration is not something new. In 1964, Jawaharlal Nehru was asked at a private meeting with some friends what he considered to be his greatest failure as India’s first prime minister. He replied, “I could not change the administration; it is still colonial administration.” The efforts to reform have come a long way since then, and the latest in the series is the Right to Information Act that has recently been implemented, which is aimed at a more open, citizen friendly and responsive government. But the impact of these efforts is still not satisfactory. It is widely perceived, both by the political leaders and by the people, that it is extremely difficult to change the mindset of the bureaucracy to bring in effective governance reforms.

The beginning of the 21st century has been dominated by ICT with immense potential for the coming decades. The ICT revolution has enabled governments towards the achievement of various goals of social equity to deliver a range of services to citizens – from ration cards, motor license and land records to health, education and municipal services – in a manner that is timely, efficient, economical, equitable, transparent and corruption free. The application of ICT to government processes, e-Governance in short, is expected to have a profound impact on the efficiency, responsiveness and accountability of the government, and thereby on the quality of life and productivity of citizens, and ultimately on the economic output, growth and development of the country as a whole. The experiences all over the world have shown that ICT can help in narrowing the gap between the citizen and the government, thus bringing the government closer to their citizens and ultimately empowering them.

However, the full potential of ICT has not been successfully exploited so far. It is estimated that approximately 35% of e-Governance projects in developing countries are total failures; approximately 50% are partial failures; and only 15% can be seen as fully successful. India, as such, is no exception to this. A close analysis of the e-Governance projects in India shows that the primary reason for the deficiencies in e-Governance projects has been that they are over-reliant on technology as the driving force for success while the internal processes and dynamics remain unaltered. So far the thrust has been on using e-Governance only as a tool that can replace or reduce the engagement of more manpower, enabling machines to take on the work. The focus has been on the electronic mode rather than on basic governance that has to reach the common Indian. There is, therefore, a need for sincere effort towards an emphasis on governance rather than only on adoption of the electronic mode in e-Governance initiatives.

It has been realised increasingly that merely the availability of ICTs or the automation of the government processes and services through ICT is not enough. The successful deployment of ICTs towards transitioning to the web-based government or e-Government in India requires more than ICTs; it requires a change in the entire administrative culture as well as the mindset underlying it – the mindset of those who are in administration as well as those who are administered. Given the colonial legacy of public administration structures and processes in a society which still has feudalistic features, coupled with the top down administrative approach and attitude, information is still considered as power in the hands of those who administer and not as an entitlement of citizens. Any move towards transparency of government structures and processes is thus viewed with apprehension, and therefore any measure that aims at changing the status quo of this power structure is resisted. Therefore, e-Governance, which has a capacity to bridge administrative distances with its immense potential for information dissemination and its wide access, is one such measure which may be accepted technologically but viewed with apprehension where it means transparency in governance structures and processes. Added to this is the administrative arrogance and egotism sometimes found especially among the senior administrators who are not well adapted to the technological revolution and suffer from the false ego of knowing everything; the worst case being where they assume that anything they do not know is worthless. This attitude is often a major hurdle in the implementation of the e-Governance projects.

Deep-rooted corruption in the administrative system is one of the biggest hurdles in successful deployment of ICT in governance. A majority of those in authoritative positions in administrative departments are averse to the transparent and participative working that is associated with all applications of ICT in governance. The real challenge in the Indian context thus lies in the transformation of the nature and character of government, and consequently the governmental processes. Although ICTs themselves are a major tangible lever of change (they change attitudes, work pace, even whole work culture in a way that earlier levers could not), there is still a need for non-technology reforms prior to the use of ICTs in government. In the absence of such reform the potential of IT is not actualised. The areas where attention is needed range from infrastructural arrangements to arrangements for adequate budget, technical expertise, political will etc. Among them the most important, but rather neglected, factor in the Indian context has been the slow response to the cyber culture by all stakeholders in general and particularly by those who formulate and implement public policies. Transition to e-Governance in India, more than anything else, needs cultural reorientation or a change in the mindset of the bureaucracy. In fact there has been a hidden resistance to the whole process of changing the government to e-Governance.
Change is always resisted and this resistance, among other things, is coming from the culture of the government organisations. The digital visionary Nicholas Negroponte has perceptively commented that when it comes to development, culture is more important than infrastructure. The problem of a feudal mindset of the officers at the top level of the decision-making structure is also associated with another issue related to the not-so-successful application of ICT in governance in India. It has been observed that most of the e-Governance projects have faced setbacks because of lesser public participation, which also becomes the cause of discontent for the political leadership, who always measure/evaluate any government initiative by the amount of public response spread over a very short duration. If the response is not satisfactory it is assumed to be a failure, and there is a tendency to roll it back or put it on a back burner. The experiences in India have shown that where political leaders perceive that they stand to gain from e-Governance and support it, it moves on despite other obstacles.

Citizens, who are at the receiving end of e-Governance initiatives, form a very important part of the whole exercise. Most of the e-Governance initiatives have not been able to generate public momentum because of the hesitation, unwillingness or unpreparedness of the common people to accept the new phenomenon and its new dimensions. Technology has always been considered by common people in India as an alien mechanism involving expertise. Mostly people are hesitant and apprehensive about experimenting with new initiatives or newer means of functioning. There may of course be other reasons for the lack of people’s participation. Surprisingly, so far there has been no benchmarking of e-Government initiatives to measure their benefits or success rate.

For a successful transition to e-Governance that would benefit all sectors in the society, the equity dimensions of the problem also need to be addressed and innovative measures taken. The whole approach to administration would also need to be changed from an authoritative top down model to a more easily accessible, participatory, democratic, transparent and accountable system than what exists presently. This would further require a whole change in the existing character and approach of administration in India from ‘administration of’ to one of ‘administration for’, which is more service oriented and ‘user friendly’. e-Governance has the potential to ensure that every citizen has an equal right to be a part of the decision-making process which affects him/her directly or indirectly, and to influence the process in a manner which may best improve the condition and quality of lives. e-Governance has the potential to ensure that citizens are no longer passive consumers of services offered to them, by allowing them to play a more proactive role in deciding the kind of services they want and the structures which could best provide them those services.

To achieve this, the following measures may be fruitful: survey of actual needs of the people from the ground level; awareness campaigns; continuous assessment of the existing Government websites, analysed for various aspects like the availability of a website, the quality of the website (design, functionality, navigation), the richness of the information displayed and its relevance for the society at large (be it businesses, other government organizations, NGOs, education sector, individuals etc.), the quality and timeliness of the information displayed (frequency of updating) and the e-service delivery etc.; and exploring the maximum possibilities of two-way communication between the government and the citizens.

The yawning gap between the policy statements and the actual achievements and gains from the use of ICT should be a matter of concern. At present it is a situation where hype overshadows reality. To quote Paul Appleby, “We are good at talking but when it comes to implementation we are ‘action shy’. We do not walk our talk.” And, in the case of e-Governance, mere technology adoptive actions are not enough. Actions have to be initiated in a mission mode with reforms encoded therein. Electronic governance has to be viewed as a political administrative process dealing with reform of governance towards good governance eventually. And governance reform is a slow process requiring engagement with governance institutions and bringing about both attitudinal and constitutional changes.

Conclusion

In sum, it could be stated that the basic work culture and framework of the government and public administration in India at present is not conducive to e-Governance. Within the milieu described above, the potential for ICT in e-Governance initiatives to make a significant difference in actual administration on the ground level may be limited. However, this should not be the rationale for inaction. One must recognise that uncertainties come with every new measure, and ICTs have the potential to act as a relatively concrete lever to unprecedented change. We have to bear in mind that technocratic responses in themselves are not a solution but only a tool. A holistic solution would be able to deploy the tool with feasibility and sustainability. Hence in this framework, there is a need to bring the objective of achieving e-Governance to the forefront, beyond mere computerisation of stand alone back office operations, and to focus on the idea of change at a more fundamental level: how the government is required to and should work in the new electronic mode, the cultural mould in which it has to be rooted, and the new set of responsibilities which it entails. Culture here is essentially the congealed mindset and the way of doing things that flow from it. So if we really want to use the potential of ICT for better government services and good governance in the long run, the pertinent question is how to bring about the cultural change.
Malathi Subramanian [msdrcdu@gmail.com] is Lecturer, Daulat Ram College, Delhi University, India.
Anupama Saxena [anupama66@rediffmail.com] is Head, Department of Political Science & In charge Director, Women’s Studies and Development Centre, Guru Ghasidas University, Bilaspur, Chhattisgarh, India.
regional focus: karnataka

“Khajane” - The Online Treasury Computerisation Project
The Comprehensive G2G Project of Karnataka

“Khajane” is a major e-Governance initiative of the state government of Karnataka, India. It is the first project of its kind in the country where the entire array of Treasury activities has been computerised. This is the only project where, from the time of approval of the State Budget to the point of rendering accounts to the government, the entire activity can be tracked in the system. By automating procedures and internal controls, it has strengthened the financial controls, promoted accountability and resulted in huge expenditure and efficiency gains.

M. Prabhakara and K.T. VijayaKrishnaKumar

Website: http://www.karnataka.com/govt/khajane.shtml
Started: 8th January 2001
Current Status: computerises all the 216 treasury offices in Karnataka and is connected to a central server at the State Secretariat through VSAT (Very Small Aperture Terminal)

Context of the Innovation and Conception of the Project

The Khajane project has been implemented mainly to eliminate systemic deficiencies in the manual Treasury system and for the efficient management of State finances. There are 216 Treasuries functioning across the State; of them 31 are District level Treasuries and 185 are Sub Treasuries at Taluk and Sub Taluk levels (administrative units below districts). The Treasuries in the State disburse salaries to about 700,000 Government and Grant-in-aid employees, and service 430,000 Service Pensioners and 1.5 million Social Security Pensioners. 21,000 Drawing Officers from 228 Departments draw money for implementation of 2117 schemes from the Treasuries in the State. The Treasuries handle about INR 36,000 Crore of Receipts and INR 46,000 Crore of Payments annually. In addition to State Government transactions, the Treasuries also handle the Zilla Panchayat / Taluk Panchayat (Rural Local Bodies) transactions amounting to INR 8135 Crore.

In the manual Treasury system, due to the ever increasing volume of transactions, certain systemic deficiencies had crept in. This was mainly due to gaps in the information on budget release, funds already utilised, the balance available etc. While the information was maintained at the District level, expenditure happened at multiple points, i.e. in all sub treasuries in the district. This resulted in overdrawal and fraudulent drawal of funds in a few cases. Misclassifications and non-reconciliation of expenditure, and delays in submission of accounts and in settling the claims, were some of the deficiencies. Officials in treasuries had to look into multiple registers to validate a single bill. The compiled and classified expenditure and revenue details used to reach the government at least 60 days after the actual transaction.

A Committee headed by the Secretary, Finance Department (FD) studied the working of Treasuries and, in consultation with software and networking experts from Indian Institute of Science, Indian Institute of Management and M/s Software Technology Parks of India, Bangalore, suggested comprehensive computerisation of all the treasury activities and networking of all the treasuries in the State to eliminate the above deficiencies. The stakeholders of this basically G2G project are the finance department, other departments of the government, the Accountant General, Service Pensioners, Social Security Pensioners and Grant-in-aid Institutions. They were taken into confidence before drawing up the blueprint for the Project.

A Tripartite agreement for the implementation of the project, between the state government, the service provider, M/s. CMC Ltd., and the network provider, M/s. STPI, Bangalore, was signed on 8th January 2001. The software developed was deployed, after initial trials and testing, in five pilot sites between May and October 2002. A parallel run was carried out for about 6 months. The roll out was complete and all the 215 treasuries went online from 1st November 2002.

Application Software:
The software has been made modular and highly user friendly. The development of each module was supervised by a separate treasury team. The modular nature of the application software has helped the department in adding many new features to the project without disturbing or restructuring the existing basic software. The application software caters to the needs of the department, covering all varieties of transactions handled by the treasuries. These modules are: i) Receipts; ii) Payments; iii) Deposits; iv) Stamps and Strong Room; v) Pensions; vi) Social Security Pensions; vii) Accounts; viii) Returns; ix) House Keeping; and x) Master Maintenance.

[Figure: The Main Menu of the application]

Objectives:

The main objectives of the project were to:
• Network all the Treasuries for easy access and better control.
• Monitor all the transactions through the central server, online.
• Eliminate all systemic deficiencies.
• Introduce effective budget monitoring and ways and means control through the system.
• Automate generation of monthly accounts.
• Set up a Comprehensive Financial Management Information System (FMIS) for better management of state finances and contribute to meaningful review of progress of various schemes.

Salient Features of the Innovation
Networking: All the 216 treasuries in the state are connected by a V-SAT Network and all bill transactions are monitored through the central server. Master files common to all the treasuries are updated from the central server only. All the government revenue and payment details are updated online centrally. The government has access to the real time data regarding expenditure. Online data processing: bills presented to treasury are processed and passed for payment online. Various master files facilitate proper validations of the Graphic Presentation of Networking
12
claims ensuring adherence to the provisions of the financial code. The process encompasses related activities like cheque printing, delivery and accounting. The data captured at the time of bill entry is used for system validation of the bill, as well as for finalisation of accounts and various reports. Automated Account Generation: Data captured at the point of bill passing is used for all further processes like cheque printing, issuing and capturing payment details of cheque, reconciliation, accounting and preparation of Management Information System (MIS) reports eliminating many duplicate processes. Comprehensive Expenditure Reports: Various reports as per the needs of the Drawing and Disbursing Officers (DDOs), Controlling Officers (COs), Chief Controlling Officers (CCOs), Financial Department, Departmental Secretaries in the government are generated. Starting from providing individual DDOwise, billwise details to major headwise, schemewise, sectorwise details, a wide variety of regular and exceptional reports are generated in the system. Online Bill Clearance In The New System: In the computerised system, the role of the treasury officials is limited only to entering the details of the bills into the system. The validations of the bill against the budget availability, requirements regarding the provisions of financial code, treasury code, and manual of contingent expenditure will be validated by the system itself. The system checks for the validations and the genuineness of the drawing officer, the authority for him to draw the money for the scheme, whether it is within the financial powers. The budget availability will be validated by the system itself. The discretionary powers of the treasury officer have been brought to the bare minimum like only examining, whether certain annexures have been enclosed and certificates given by the drawing officers. If the system raises an objection, the treasury officer has no discretion to over look it. 
With these system validations in place, compliance with and strict adherence to the provisions of the various codes is ensured.

Budget Control: System-controlled budget monitoring is an important feature of this project. The budget releases by the Head of Department (CCO) to COs are uploaded to the central server at the treasury network management centre after due verification by the system. They are transferred immediately to the COs across the state in the district servers. A similar budget distribution by the COs at district level to their implementing officers (DDOs) is uploaded at the district treasuries and, again after system validation, is passed to the taluk server immediately. This budget distribution is released with full particulars up to the last item of expenditure. By the time the treasury officer captures the details of the bill into the system, the system already has the information regarding the funds released for this particular scheme/DDO. If the fund is available, the bill will be cleared; otherwise the system raises an objection. This has eliminated the overdrawal of funds and misclassification.

Ways & Means of Control: The Finance Department can operate ways and means control directly on the central server after taking cognisance of the cash availability and outstanding liability for the day. The system will restrict the clearance of bills across the state to the financial limits set by the finance department. This helps the government in better cash management and prevention of overdrawals.

[Figure: Graphic Presentation of Bill Movement in the Treasury]

Online Fund Transfer: In the manual system, the funds released to urban local bodies used to take a minimum of 4-6 weeks to reach the urban local bodies across the State, and there were several stages of passing of orders and bill processing at state, district and taluk level. In the new system, the Secretary, Urban Development, presents a bill at Bangalore and gives a list of urban local bodies and the amount to be transferred. The bill is cleared in Bangalore and the same day the money is transferred to the urban local bodies' accounts in treasuries across the State, eliminating all the intermediary steps and delays. This online fund transfer facility is also extended to the deposits of the Deputy Commissioners. This facility could be extended to all the deposit accounts which are held in the treasuries.

Monitoring of NDC Bills: Non-payable Detailed Contingent (NDC) bills are the final settlement bills for funds drawn as advances to meet the emergent payments by the implementing officers. In the manual system, there was no way of tracking the pending NDC bills, as controlling officers were sending the NDC bills directly to the Accountant General (AG). A large number of cases of non-submission of NDC bills were observed by the AG. Now the government has implemented the procedure and the NDC bills are being routed through the treasuries. A new provision has been made in the “KHAJANE” software so that the system tracks the pending NDC bills and does not allow the next AC bill to be cleared if the NDC bill for the previous AC bill is not cleared within 30 days. The DDOs now have no option but to submit the NDC bill within 30 days if they want to draw the next AC bill.
Social Security Pension Payment: The state disburses about 15.7 lakh social security pensions every month across the state: old age pensions (5.1 lakh), physically handicapped pensions (3.9 lakh) and destitute widow pensions (6.7 lakh). Each pension is Rs.200 per month. With computerisation of treasuries, the printing of these voluminous money orders has been decentralised up to sub-treasury level, and they are disbursed to pensioners during the first week of every month, at their doorsteps.
Transparency in Treasury Transaction: To enhance the transparency in treasury transactions, the FIFO (First-In-First-Out) system has been introduced in all the treasuries. The system decides the seniority of the bill as soon as the bill is entered and clears it on a FIFO basis. An Interactive Voice Response System has been introduced so that the DDOs can find out the status of a bill in the treasuries by a mere phone call.

Man Power Savings: The implementation of the project has resulted in huge manpower savings because of automated classification and compilation of accounts at the treasury level. About 200 posts in the department of treasury have been abolished and about 300 staff members have been redeployed in the A.G.’s Office. This has resulted in a saving to the government of about Rs.10 crores per annum. Though not quantifiable, the elimination of overdrawals, prevention of frauds and drastic reduction in misclassifications have resulted in saving quite huge amounts.

Financial Management Information System: The details captured at the time of bill entry itself are utilised for preparation of classified accounts and also to generate various financial MIS reports. These reports are used by the finance department for management of state finances, and by the departments and the government for reviewing the progress of implementation of schemes. Some of the reports that are sent to FD online are the reserve bank deposit statement giving the details of cash received and cash disbursed for the day, the number of cheques issued by the treasuries, the number of bills presented, and the number of bills pending in the treasury. This helps in better management of the State finances. The finance department is in a better position to monitor the ways & means position.

The following reports are generated on the 2nd / 3rd of every succeeding month and shared with the secretaries/heads of the departments. Tax and non-tax receipts of major departments, with daywise and districtwise details, are also provided to the departments. Major headwise expenditure, schemewise expenditure, object codewise expenditure, and ministrywise / departmentwise / schemewise expenditure reports for the review of plan schemes of Karnataka development programmes are generated. The fund balances of zilla panchayats and taluk panchayats. Reports on budget provisions, fund releases and expenditure incurred on the district sector plan are also made available. The treasuries also provide the details of bills drawn from the treasuries by the individual DDOs before the 5th, in a soft copy. This is to facilitate the reconciliation process. Major tax collecting departments are given daily collection reports so that they can take corrective steps and strengthen their recovery mechanism wherever shortfalls are noticed.

Dynamic reallocation of funds to needy areas has been facilitated by the online real-time expenditure details available in the central server. Nowadays all requests to the finance department for additionalities and re-appropriation are regularly referred to the central database. In many cases it has been seen that the head of the department is under the impression that, on allocation of funds to his subordinate offices, the expenditure is incurred by them, but in reality a lot of funds are found unutilised with DDOs. This has eliminated the futile exercise of providing additional funds and later on treating them as savings, as the department would not be in a position to utilise these funds.

Lessons Learnt
An elaborate study of the existing system and its deficiencies by a committee headed by the Secretary, (r) finance department, helped the department in determining the exact direction and objectives that had to be achieved by computerising the departmental processes. The objectives were clearly spelt out in this report and the project is based on these recommendations.

Systematic reengineering was undertaken by standardising the formats and the procedures, eliminating all redundant processes. The large variety of bill formats used in the manual system was rationalised for the computer environment, and the number was finally brought down to nine standard bill formats. Redundant procedures like entering the bill details in multiple registers were eliminated. The number of Drawing Officers was brought down to around 21,000 from 40,000.

Motivating the staff and keeping them informed and involved has been a major boost. Their feedback was also considered before finalising the application software. User friendliness of the software, simplification of processes and elimination of the drudgery of preparing and tallying the accounts have helped the easy acceptance of the system by the employees. The attraction of a simplified accounting procedure, which required no separate effort on preparation and tallying of accounts, was one of the main points that caught the imagination of the staff members.

The number of service providers for implementation of the project was limited to just two: a service provider to develop the application software, supply hardware, bought-out software (O/S and database), UPS and LAN, and also to provide training and maintenance; and a network provider to provide the wide area network using V-SAT technology. This has helped in smoother coordination. This was due to the lessons learnt by the department in its previous endeavour of district treasury computerisation, where the multiplicity of vendors involved (hardware provider, O/S providers, UPS supplier and application software developer) and the lack of co-operation and co-ordination between them caused great hardship in the implementation.

The pilot testing of the application software was carried out at 5 sites, which covered all types of treasuries: district treasury, sub treasury, banking treasury and non-banking treasury (which existed at that time). The trial run covered all varieties of treasury transactions at full scale and was carried on for a sufficiently long period, which enabled the department to fine-tune the application, to modify it and make it more user friendly, and to fix a number of bugs.

The progress of the project was very closely monitored by the two committees; the steering committees headed by the Secretary, FD, and experts from IISc., IIM and other stakeholders met once a month and took decisions on policies and major technical, software and implementation related issues. Such regular and close monitoring led to timely completion of the project, as all the decisions required were taken in the committees after due deliberations.

Nearly 2000 staff members were trained to handle the software, and even trainers' training was provided before roll-out. A core team of 25 officers was trained thoroughly by the M/s. CMC team on using the application software, preparation of accounts, system administration etc. At least one experienced officer from each district was included in this core team. They acted as nodal officers for training at the districts. About 1400 staff members were trained on the basics of computerisation, mainly data entry, and 600 officials on use of the application software. About 75 officials were given system administrator training, and they were also used as trainers at the district level. Refresher courses are held regularly, and whenever any important modifications or additional modules are introduced, trainings on operating these modules are conducted to keep the knowledge base updated. Periodic trainings are conducted for officials who are newly recruited and those who have come back from deputation to other departments.

Conclusion

The project is designed to cater not only to the needs of the department but also to the needs of the other line departments. It is an integral part of the budget system reform, hence designed not only to meet the present requirements but also to support any needs that are likely to arise later. As a management tool it provides information required for decision making from the Drawing Officer’s level to the highest level. Though basically anchored in the government accounting system, it is designed to generate varieties of custom reports for internal and external use, apart from the regular accounting reports. The essence of the system lies in its capacity to accumulate, process and provide information to all the parties concerned on a real-time basis, most accurately and speedily. Through system validations and internal controls, it has strengthened the financial controls and accountability. Undoubtedly the project has ushered in an unprecedented kind of financial discipline, which augurs well for the financial management of public funds. The full potential of the project, in the form of the huge volume of high-quality data generated, can be used better for monitoring, reviewing, planning, auditing and studying the trends and patterns of revenue receipts and expenditure etc.

M. Prabhakara (prabhakara_m@rediffmail.com) is Director of Treasuries in Karnataka, Bangalore, India. Presently in charge of the project as Director of Treasuries working under the Finance Department of the state government, he has been actively involved in the project since 2001.

K.T. VijayaKrishnaKumar (kukalvijay@yahoo.co.in), Deputy Director of Treasuries in Karnataka, Bangalore, India, is in charge of the Treasury Network Management Centre and has been a part of the project right from inception.
regional focus: Nepal
Making a Move Towards Digital Nepal

This article unveils the present e-Governance initiatives in the country of Nepal. It explores all the efforts and technology resources that have been utilised so far to provide government services digitally. It also describes the recently launched e-Governance Master Plan, the road ahead, the mission to be achieved, and the role being played and to be played by the private sector and the civil society to make dreams come true.

Chola Pratapa Singh Chhetri

E-governance is the interaction between government and citizens by use of electronic technology that uplifts the quality of government services, making the government more democratic. It redefines the relationship between Government and Government, Government and Citizens, Government and Business, and Government and Civil Servants.

STAGES OF E-GOVERNANCE
To fully appreciate the status of e-Governance both nationally and internationally, it is important to consider the growth stages of the typical implementation of e-Governance initiatives. These growth stages can act as a yardstick or benchmark to determine who is lagging behind in the digital race. Important lessons could also be learned from other initiatives. Though people disagree about how deeply e-Governance has penetrated into government agencies, just about everybody agrees it is evolving in stages. The Gartner Group (2000) identified the following five stages:
• Presence: This is just a step up from paper based administration and inaccessible databases. Government agencies at the presence stage operate non-interactive web sites that contain basic organisational charts and background information about them.
• Transmission: After a government agency has a presence on the web, it makes its site a channel for communication with its customers and suppliers. This can include enabling information searches.
• Transactions: An agency’s web site ceases to be a static page when an e-Commerce component is added, enabling citizens and businesses to conduct online transactions such as registering for permits or paying fines.
• Transformation: As the agency adds infrastructure to conduct online transactions, it should transform internal processes rather than just automate them. Effective automation involves reengineering those processes using e-Government’s many constituent technologies. Transformation also grows out of web portals, which enable seamless service delivery from one spot, regardless of how many agencies are involved.
• Shock: Shock is the result of the restructuring of national, provincial and local governments using the transformative power of electronic government. For example, when portals reveal the true number of agencies and programs involved in delivering the same or similar services, combination and extinction are likely to follow.

Website: http://www.nepalgov.gov.np
Started: Nepal began IT initiatives during 1970
First IT policy promulgated: Year 2000
Current Status: e-Government Master Plan prepared to provide e-Government model for Nepal government.
E-GOVERNANCE INITIATIVES IN NEPAL
Though Nepal began the move towards Information Technology during the 1970s, Nepal is just in the first (Information) phase of e-Governance. It has been limited to the existence of websites of many central government authorities and the download of some forms. It is challenging but not insurmountable to bring the country to the transformation phase of e-Governance. Projects that have been successful in other parts of the world, for instance Computerised Administration of Registration Department (CARD), can be suitably adapted and implemented here. While the benefits of e-Government are growing, there remains a need for a better understanding and assessment of the impact and role of e-Government. Because of the tremendous resources required in implementing e-Government, sharing of knowledge and experience will help Nepal to reduce costs and avoid mistakes.

The International Data Corp study (August 21, 2003, IDC) reveals that the annual spending by Asia-Pacific governments on the electronic delivery of services is projected to reach $1.48 billion in 2007 A.D. Asian governments are increasing e-Government investments because they feel a pressure to compete with other governments, and they have seen past investments provide real benefits. Importantly, e-Government initiatives can also be a determining factor when foreign investors look for investment within Asia. The leading “e-Governments” in this region are Australia, Singapore and Hong Kong.

Nepal Government Portal
The official website of the government of Nepal is http://www.nepalgov.gov.np. It has been developed as a gateway to all the government bodies and agencies, including diplomatic missions and development partners, with pertinent links. This is a bilingual website—users can switch between two languages, viz. English and Nepali. It contains various links—Nepal Government directory, development, business, travel, economy and finance, art, culture and society, education, etc. The portal is governed by the National Information Technology Center (www.nitc.gov.np), a government body under the Ministry of Environment, Science and Technology, Nepal.

Government Agencies have their Websites

The Nepal Government now has websites that provide the public with relevant government/ministerial information, and some allow download of publications, policies and plans.

e-Administration in Police: The official website of Nepal Police (www.nepalpolice.gov.np) contains information about the character certificate issued by the police to the public. Forms for the character certificate and other documents issued by the Nepal Police can be downloaded from this website. It is expected that very soon citizens will be able to apply online for such documents.
e-Administration in Army: The official website of the Nepal Army (www.rna.mil.np) contains information, news and press releases of the Nepal Army. It also contains updated information on vacancies, medals and flags, ranks and welfare activities.

Online Bidding: The Public Procurement Portal (www.bolpatra.com.np) is a bilingual site that contains free purchase advertisements for government, organisations, councils and other authorities. It also has catalogues of businessmen, contractors, industrialists and service providers. It has already been handed over to the government through the High Level Commission for Information Technology (HLCIT) on March 1, 2006.

IT Park: The establishment of the National IT Park (area 1.28 million sq.ft. or 12 hectares or 234 ropanies) in Banepa, Kavre (30 km east from Kathmandu) has been completed with an investment of over 210 million NPR.

IT City: The government of Nepal envisions the development of Banepa as the IT City of Nepal. An IT City Development Board has been formed, chaired by the Vice Chairman of HLCIT. Borders have so far been defined and an act has been formulated. The master plan is yet to be ready (as of March 2006).

Computerised System for Distribution of Citizenship Certificates: The government has commenced the distribution of citizenship certificates to the public by the use of computerised systems. This is currently under implementation in some local governing bodies like the District Administration Offices in the Myagdi and Kavre districts of Nepal. The government, however, plans to make it nationwide in the days to come. The advantage is that it is easy to get a duplicate (legal) copy in case of the loss of the original one (without the recommendation from the village development committee, because the database containing the record of previously distributed citizenship certificates will be in the DAO’s computer). It is managed by the Citizenship Management and Monitoring Committee coordinated by the District Administration Office at Myagdi, Nepal. The funds for this task were generated from the District Development Committee Office and Village Development Committees.

Distribution of Driving Licenses by Computerised System: All the tasks related to the issuance of driving licenses are being computerised by the government in the Bagmati Zonal Transport Management Office, Kathmandu. The advantages include ease of getting a duplicate copy in case of the loss of the original, faster renewal, and type addition or removal. Once the records are kept on computers, it is expected to spare the authorities and the public the difficulties of the traditional manual system, e.g. delay in service, wrong renewal dates, unclear driving license type, mistaken names, etc.

Computerisation of Account and Financial Information: With coordination from the HLCIT, Nepal, the Account Software will be made available to the government authority free of cost, and this software will be able to handle annual financial details, foreign resources details, deposits, expenses, etc.

Document Management System for Government Offices: For the effective management of documents in government offices, the government is launching a document management system. The memos, registration and dispatch, and record files will be computerised. By the use of computer networks, concerned officials will be able to view the memos, and dispatch and registration will be done through computers.

Community Information Centers: Around 200 Community Information Centers (CICs) have been established in various parts of the country by various development partners, with or without the involvement of the government.
The government envisions the establishment of 1500 CICs by the end of the tenth plan (2002-2007). A model CIC is developed at Dhulikhel, Nepal. Three people are employed in a Community Information Center named Community Corps Dhulikhel that began in April 2005. It has raised the attention of housewives. It has six computers, fax, phone and a printer. Internet access is provided free of cost by Asia Online. Various materials were donated by Information Technology Forum Nepal. It plans to train 100 people in basic computing.

www.chitwan.com: Hosted from Belgium, this website contains information on agriculture, tourism, sports and local events of Chitwan, a beautiful district of Nepal that lies south of the Chure mountain range and is famous for its biodiversity and agricultural productivity.

Business Incubation Centers: Business Incubation Centers are set up in Nepal at Tripureshwor and Banepa with grants from InfoDev and the World Bank.

Localisation: Local language computing and localisation initiatives have commenced. A few examples include:
• Development of Windows XP with Nepali Language Interface Pack
• Development of Nepalinux—Linux in Nepali language

Awareness and Capacity Building: Various workshops and trainings are being organised to create awareness regarding e-Governance with the help of various donors and agencies like the Asian Development Bank Institute, the Colombo Plan Staff College for Technical Education, Korea IT Promotion Agency, Korea Agency for Digital Opportunity and Promotion (KADO), United Nation University/International Institute of Software Technology, Macao, etc.

LEGISLATURE, POLICIES AND PLANS
Though not ample, quite a few policies and plans have been implemented to regulate the ICT sector in Nepal, viz.:
• IT policy 2000
• Telecommunication policy 2004
• Electronic Transaction Act 2004
• Electronic Transaction Act 2006
• Biotechnology Policy, 2006

IT Policy 2000: This was the first IT Policy in the country. It was promulgated with the vision “To place Nepal on the Global Map of Information Technology within the next five years”, and with the following objectives:
• To make information technology accessible to the general public and increase employment through this means.
• To build a knowledge-based society.
• To establish knowledge-based industries.

IT Policy 2004: Considering the dynamism of the IT sector and continuous socioeconomic change, this policy was drafted with a new vision: “By the year 2015, Nepal will have transformed itself into a knowledge-based society by becoming fully capable of harnessing information and communication technologies and through this means, achieving the goals of good governance, poverty reduction and social and economic development”.

Electronic Transaction Act 2004, Nepal (Accepted as the First Cyber Law of Nepal): The Electronic Transaction Act (ETA) was enacted to make legal provisions for the authentication and regulation of the recognition, validity, integrity and reliability of the creation, production, processing, storage, communication and dissemination of electronic records, by making transactions carried out by means of electronic data interchange and other means of electronic communication reliable and secure, and to make provisions for controlling unauthorised use of, or illegal changes to, any electronic record.

Provisions in the ETA 2004
The ETA made the following provisions for the first time in the history of Nepal:
• Provisions relating to Electronic Record and Digital Signature
• Provision relating to Attribution, Acknowledgement and Dispatch of Electronic Records
• Provisions relating to Controller and Certifying Authority
• Provisions relating to Digital Signature and Certificates
• Functions, Duties and Rights of Subscriber
• Electronic Record and Government use of Digital Signature
• Provisions relating to Network Service Providers
• Offence relating to Computer
• Provisions relating to Cyber Tribunal
• Provisions relating to Cyber Regulations Appellate Tribunal

Biotechnology Policy, 2063 (2006 A.D.): The policy envisions increasing production and productivity by means of research and development of biotechnology as well as transfer of technology, and improving the living standard of Nepali people. It is a potential milestone towards the development of ICT in the country and the advancement towards e-Nepal. Some of its provisions include: scholarships for master's and Ph.D. studies in science and technology shall be made available in biotechnology and bioinformatics; promotion of entrepreneurship in the related field; and establishment of bio-villages.

e-Governance Master Plan

The e-Governance Master Plan was prepared by the e-Government master plan project as per the MoU between Korea IT Industry Promotion Agency (KIPA) and Nepal’s HLCIT (High Level Commission for Information Technology). Each of the two countries created its own Task Force Team (TFT) to jointly carry out the project. The Nepali team provides support in identifying the ICT status of Nepal and takes charge of seeking cooperation from the Nepali government and the people. The Korean team analyses the advanced countries’ cases and technical trends based on its study of the ICT status and, by doing so, provides the technologies required by Nepal to establish the e-Government. It is believed that through this e-Government master plan, and based on studies of successful and failed cases of leading countries, the TFT is able to generate the most adequate e-Government model for the Nepali government and help it jump up to a higher level of e-Government.

Vision and Mission: The e-Government vision is ‘The Value Networking Nepal’ through
• Citizen-centered service,
• Transparent service,
• Networked government, and
• Knowledge based society

The e-Government mission statement is: “By realising a transparent government and providing value added quality services through ICT, improve the quality of life for all the people without any discrimination among regions or races and realise socio-economic development.”

Future Image: e-Nepal

[Figure: Future image (Source: E-Governance Master Plan 2006 Nepal)]

The future image of Nepal’s e-Government, when the defined vision and mission for e-Government are achieved, is a government that provides administrative services to its people through various channels and, by doing so, improves the convenience of the people; a government that provides integrated and transparent administrative services for companies so that companies can have greater competitiveness; and, within the government, links all the agencies and departments through a network to enhance efficiency in the process. Through this, the Nepali government would realise a knowledge-based society.

Goals and Strategies

Detailed goals in establishing the e-Government in Nepal are defined as the following:
• G2C: Provide customer-tailored services
• G2B: Provide transparent and prompt services
• G2G: Networked and knowledge based government
• Infrastructure: Favourable ICT infrastructure and legal framework
Expected Benefits by 2011

• On-line processing of administrative procedure
• Knowledge based government
• Real time, no-visit administration of service
• Continuous service oriented process reform and systematic informatisation
• Drastic reduction of paper work
• Online processing of international trading, logistics and enterprise undertaking/operating service
RECOMMENDATIONS
It is usually tough for human beings to remember the web URLs of many government organisations. Government websites will be of little or no use if citizens are not able to locate them. Therefore, a One Stop Government Portal will prove beneficial in the long run. The portal will act as a gateway for retrieving government information. Hence development of such a portal, to provide necessary links to other authorities and bodies, is essential.

What needs to be done by the government?

• A certain percentage of the budget needs to be allocated for ICT development.
• Encourage bilateral and multilateral as well as national and international investments and assistance.
• Encourage private sector participation.
• Provide connectivity choices and widen and improve the highway that leads to the IT Park.
• Involve an autonomous body for the administration and management of the IT Park and IT City.
• Encourage and provide research and development opportunities for scholars, researchers and scientists in the field of information technology and computer science.
• Introduce and encourage student exchange programmes with foreign countries to make students familiar with the recent developments in other countries.
• Establish and promote research and Ph.D. grants to students and scholars in the field of Information Technology.
• Monitor and evaluate the implementation of the policies and plans formulated by the government.
CONCLUSION
e-Governance solutions are complex and expensive solutions that would need to be built brick by brick over a period of time, involving multiple solution providers. The early life of e-Governance initiatives has already seen a shift in understanding, from the view that increasing access to services by putting them on the web was all that was needed, to a more sophisticated notion of a transformed public realm. ICTs of course only enable this transformation, they do not create it and hence the social and political norms in any area will determine the outcome of the `e-Governance’ systems. Nepal is now starting to see change in governmental institutions: a greater emphasis on `partnership working,’ both with citizens, businesses and third sector organisations; decentralisation and changes in working processes; more knowledge intensive and personalised services and in some cases, greater openness and transparency of political processes. All of these trends have a long way to go and many could be stopped in their tracks, by issues of uneven access to technology or content which alienates or patronises users. We need to develop far more sophisticated systems for capturing and measuring the impact of e-Governance, so that we can judge its success in other than just crude, `availability’ terms. And we need to be able to judge the real impact on citizens, not just changes in production or distribution of public services. Above all, e-Governance needs to be seen as part of governance, not as an add-on. Decisions about technology - from use of open source to the treatment of personal data - are more and more in the political realm and this is to be welcomed. Because only when we can drop the `e’ and return to talking about governance, can e-Governance be said to have succeeded.
Chola Pratapa Singh Chhetri (cpsingh44@yahoo.com) is currently assisting the government of Nepal in its use of information and communication technologies.
PWD Delhi Tunes Itself to Information Age

The Public Works Department (PWD, http://www.pwd.delhigovt.nic.in), Delhi executes an annual work load of approx INR 1000 crore. Its various works, viz. construction of Hospitals/Courts/Colleges/Schools/Jails/Fire Stations etc. and Road Infrastructure such as Flyovers/Bridges/Pedestrian Subways/Foot over Bridges, including road works of widening/strengthening/resurfacing/refurbishing etc., are now monitored through a ‘Web Based Works Information System’. Field officers executing these projects all over Delhi feed the information regarding the status of work, including visual information in the form of latest site photos, from their respective offices. Automatically compiled reports in different formats, such as ‘Brief Report’ (for a given group of works, e.g. Hospitals, Flyovers etc.), ‘Complete Status Report’, ‘Milestones Report’ and ‘Photo Gallery’ in respect of any given work, are seen by senior officers, bureaucrats and political masters for monitoring purposes. This system, by almost doing away with paper reports, has indeed brought PWD Delhi in tune with the times and the expectations thereof, especially with Delhi set to host the Commonwealth Games 2010.

S. Jethwani (sjethwani_11@hotmail.com), Director (Works), PWD Delhi
commentary
Web Firewalls and End-to-end Identity Infrastructure Requisite for e-Government Citizen Portals

The article examines the vulnerabilities of the growing number of web applications being deployed in e-Governance. It explains why a web firewall is essential to safeguard web applications, and provides insight into “end to end” security measures to ensure secure and controlled access to e-Governance applications and portals.

Satyam B.
As applications grow to enterprise scale, the architecture evolves from a simple ‘stand alone’ or ‘two-tier’ design to ‘three-tier’. Earlier user interface programmes were proprietary programmes using non-standard protocols, where very minimal logic/data was exposed to prying eyes. With the advent of the Internet, the front-end user interface is increasingly standardised to a browser using HTML. HTML is standards-based and available across any browser and connectivity, increasing the flexibility of connectivity. Yet it openly displays the ‘client source’ to anyone who can do a ‘view source’. The layout of different fields, field validations and some amount of business logic are typically embedded in the HTML pages. Sometimes, even database operations are exposed in these HTML pages. The URLs are another aspect: they allow the browser to call up different parts of the application. Clear text HTML pages and URLs pose the largest ‘application risk’ to the new generation of e-Governance applications/portals.

Typical ‘network security’ consists of 1) firewalls, 2) antivirus, 3) encryption and 4) IDS/IPS (Intrusion Detection/Prevention System). Though some parts of ‘web protection’ are built into firewalls (through deep packet inspection), the majority of the complexity is still not handled by any of these products. Also, traditional firewalls cannot look into the web traffic, since it is all encrypted. The data session can be decrypted only by two parties: the ‘web server’ (inside the corporate network) and the communicating ‘web browser’ (on the user’s machine). No other programme, machine or appliance can decrypt that encrypted data in the middle. Hence, traditional firewalls are handicapped in looking into web traffic.
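An added example, not part of the original article: because the field validations embedded in an HTML page run in the browser, where anyone can read and change them, a request can arrive with parameters the page itself would never have produced. The Python code below re-checks each request URL against an allow-list on the server side of the connection, the kind of filter a web firewall applies; the paths, parameter names and patterns are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed allow-list for a hypothetical citizen portal. Paths, field
# names and patterns are assumptions made for this example.
RULES = {
    "/portal/permit/status": {
        "app_no": {"pattern": r"[0-9]{1,10}", "required": True},
        "year":   {"pattern": r"20[0-9]{2}", "required": True},
        "lang":   {"pattern": r"en|hi", "required": False},
    },
    "/portal/grievance/view": {
        "ticket": {"pattern": r"[A-Z]{2}[0-9]{6}", "required": True},
    },
}
MAX_VALUE_LEN = 64


def check_request(url):
    """Return (allowed, reasons) for one request URL.

    Positive security model: anything not described in RULES is refused,
    so a parameter edited in the address bar, or a form field changed after
    'view source', fails here even if the page's own script accepted it.
    """
    parts = urlsplit(url)
    rules = RULES.get(parts.path)
    if rules is None:
        return False, ["unknown path: " + parts.path]

    reasons = []
    seen = set()
    # parse_qsl percent-decodes names and values, so the patterns are
    # applied to what the application would actually receive.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name not in rules:
            reasons.append("unexpected parameter: " + name)
            continue
        if name in seen:
            # Two copies of one field: different tiers may pick different ones.
            reasons.append("repeated parameter: " + name)
            continue
        seen.add(name)
        if len(value) > MAX_VALUE_LEN:
            reasons.append("value too long: " + name)
        elif not re.fullmatch(rules[name]["pattern"], value):
            reasons.append("bad value for: " + name)

    for name, rule in rules.items():
        if rule["required"] and name not in seen:
            reasons.append("missing parameter: " + name)
    return (not reasons), reasons


if __name__ == "__main__":
    # Constructed sample requests.
    for sample in (
        "/portal/permit/status?app_no=12345&year=2007",
        "/portal/permit/status?app_no=12345&year=2007&admin=1",
        "/portal/permit/status?app_no=1&app_no=2&year=2007",
        "/portal/permit/status?app_no=12%27",
        "/portal/admin/export",
    ):
        print(sample, "->", check_request(sample))
```

The filter only sees these URLs after the SSL session has been terminated, which is why it sits at the web server or at an intermediary that holds the server's key.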
Web Firewalls
Instead of enforcing “practices of secure coding” and deploying only “secure web applications”, companies are resorting to a ‘singular defense’ for their web servers, using “web firewalls” or a “port 80 firewall”. A web firewall acts as an intermediary between the user’s web browser and the web server by ‘decrypting’, ‘filtering hacking attempts’ and ‘encrypting’ the traffic. Although it is not that difficult for a web server to invoke SSL to encrypt, and to build in a few web security controls, such methods are not scalable beyond a few web applications or a few releases. Web firewalls are the only method currently available to ensure a ‘uniformly high standard’ of web security across all backend web servers and different releases and patches. Web firewalls can encrypt the traffic from the user’s browser, using a standard method such as SSL/AES, and take that responsibility off each backend web server. Similarly, web security controls are defined in the form of “web filters”, standard out of the box or configured to suit the complexities of a new application.

Problem with too many User Ids (Identity & Access Management)

Every application typically starts with a ‘user id’ to manage and control. As web applications are easy to develop, by different departments and for different functions, after a year of development a division may be left with tens to hundreds of web applications, each with its own set of user ids.

It is easy to see how difficult id management will be. The issues are:
• The same user may have different ids with different applications (so they are not easy to connect)
• It is difficult to add users into multiple related applications if they are not centralised
• More importantly, it is difficult to delete user ids. When not deleted in time, they leave ‘unauthorised access’ open, leading to a greater application risk.
• If Single Sign On is used, it is difficult to synchronise passwords across different id stores

This growing situation can be handled in the following phased manner:
1. Start off by recognising the need for a ‘centralised id’ system
2. Define a central id store and implement it using nationally accepted keys such as ‘PAN’ (in India) or ‘SSN’ (in US)
3. Start using Single Sign On, to automatically log into existing applications
4. For new applications, start pointing to the central id store, instead of defining a separate set

Define more Controlled User Roles and Permissions

Define user roles and permissions at the application level, using more granular policy controls based on the following:
1. Time of login
2. Device, its identity (shared or personal) and the security level (based on personal firewall, local anti-virus)
3. Network from which the user logs in (public shared network, government shared network, government authorised internal network)
4. Actual role of the user (end user, sophistication, from a government office, or a citizen service center)
5. Allow controlled login to different sets of applications, rather than to a network or sub network

Define End-to-End Security to Access Citizen Applications

End to end security to access web applications is considered as follows:
1. Identify the end device where the user is logging in from
2. Identify the security level of the end device
3. Identify the user network (shared, public, private)
4. Encrypt data, by default, from user device to the application server
5. Identify the user (from a centralised ID store)
6. Identify the applications that the user is eligible to access (based on time and other policy matters)
7. Deliver the applications that the user is eligible to access at the time
8. Apply Web Firewall to protect the backend web applications from any type of hacking attempts
9. Apply user session management across all web application access
10. Log the user out and clean up the session from the browser, without leaving any remains of key cookies or data files
11. Provide audit logs on the intermediary web firewall gateway, recording the user login, including the time, device, location and network
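An added example, not part of the original article, showing how the policy factors listed above (time of login, device, network and role) can decide which set of applications a login is given, and what the gateway writes to its audit log. The application names, roles, trust levels and login hours are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time

# Constructed catalogue: every application name, role and threshold below
# is an assumption made for this example.
NETWORK_TRUST = {"public": 0, "gov_shared": 1, "gov_internal": 2}


@dataclass(frozen=True)
class AppPolicy:
    roles: frozenset        # roles allowed to use the application
    min_network: str        # least trusted network it may be served to
    personal_device: bool   # True: refuse shared (kiosk) devices
    secured_device: bool    # True: needs personal firewall and anti-virus
    hours: tuple = (time(0, 0), time(23, 59, 59))  # permitted login window


POLICIES = {
    "birth_certificate_request": AppPolicy(
        frozenset({"citizen", "service_centre", "officer"}), "public", False, False),
    "land_record_update": AppPolicy(
        frozenset({"officer"}), "gov_shared", True, True, (time(9, 0), time(18, 0))),
    "treasury_payments": AppPolicy(
        frozenset({"officer"}), "gov_internal", True, True, (time(9, 0), time(18, 0))),
    "service_centre_counter": AppPolicy(
        frozenset({"service_centre"}), "gov_shared", False, True, (time(8, 0), time(20, 0))),
}


@dataclass(frozen=True)
class LoginContext:
    user_id: str            # key in the central id store
    role: str
    when: datetime
    device_id: str
    device_shared: bool
    firewall_on: bool
    antivirus_current: bool
    network: str
    location: str


def eligible_apps(ctx):
    """Decide per application, not per network or sub network."""
    if ctx.network not in NETWORK_TRUST:
        return []  # unidentified network: deliver nothing
    secured = ctx.firewall_on and ctx.antivirus_current
    allowed = []
    for name, policy in POLICIES.items():
        start, end = policy.hours
        if (ctx.role in policy.roles
                and NETWORK_TRUST[ctx.network] >= NETWORK_TRUST[policy.min_network]
                and not (policy.personal_device and ctx.device_shared)
                and (secured or not policy.secured_device)
                and start <= ctx.when.time() <= end):
            allowed.append(name)
    return sorted(allowed)


def audit_record(ctx, apps):
    """What the gateway logs for each login: time, device, location, network."""
    return {
        "user": ctx.user_id,
        "time": ctx.when.isoformat(),
        "device": ctx.device_id,
        "location": ctx.location,
        "network": ctx.network,
        "delivered": apps,
    }


if __name__ == "__main__":
    # Constructed login: an officer on a personal, secured device inside
    # the government internal network during office hours.
    ctx = LoginContext("ID-0001", "officer", datetime(2007, 5, 2, 10, 30),
                       "dev-17", False, True, True, "gov_internal", "district office")
    apps = eligible_apps(ctx)
    print(audit_record(ctx, apps))
```

The same officer logging in from a public network, or from a device whose anti-virus is out of date, is still identified from the central id store but is delivered only the applications whose policy tolerates that context.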
Satyam B. (satyambh@gmail.com) is a co-founder of NetSilica, an Application Access and Security software solutions company.
COVER FEATURE

About Protection from Security Breaches and Hacking
Public Sector Web-based Applications
http://www.citrix.com
Network firewalls and intrusion prevention systems by themselves do not offer sufficient protection for Web applications. However, a comprehensive application delivery infrastructure can help governments and public sector organisations address these application vulnerabilities. More than 180,000 organisations worldwide rely on Citrix to deliver any application to users anywhere with the best performance, highest security and lowest cost.

Les Howarth
In today’s electronic era, where speed and reliability are imperative, public sector organisations, and e-Governments in particular, have turned to providing convenient and easy-to-use web applications for their citizens, partners and government employees to execute day-to-day online transactions and interactions. Using Web pages as the user interface, these programs extend the reach of public sector organisations and provide a tunnel between the Internet and organisations’ backend databases, allowing them to be accessed from any computer connected to the Internet. However, as more applications become available over the Internet, hackers also gain greater opportunities to compromise entry points and seize control of sensitive national data sitting in backend systems. In fact, Gartner estimates that 75 percent of total attacks now occur on web applications. Due to the sensitive and confidential nature of information and data transmitted over public sector networks, securing access to web applications is becoming a high priority for government organisations today, and it is crucial that governments secure their web applications with a holistic application delivery infrastructure.
The stakes are becoming higher as public sector organisations migrate to an unbounded model where sensitive data can be delivered securely over even insecure networks and to untrusted systems, and the security threats that are pervasive in a dynamic world cannot be ignored.

The Growing Threat Landscape in a Dynamic World

International Data Corporation (IDC) predicts that government spending on Information Communication Technology (ICT) in the Asia Pacific region (excluding Japan) is expected to grow at a five-year compound annual growth rate (CAGR) of 8.7 percent to reach US$31.7 billion by 2010, up from US$22.7 billion this year (IDC, Asia/Pacific, Excluding Japan, Public Sector IT Spending 2006-2010 Forecast, May 2006). As web vulnerabilities become easier to exploit and attacks become increasingly difficult to detect with traditional security products, we can expect a significant portion of this spending to be channelled towards security, specifically around implementing a more in-depth and sophisticated security system within public sector organisations.

Protection in Depth

The key to keeping Web applications safe from attack is close examination of their numerous moving parts. This is exactly where network firewalls and Intrusion Prevention Systems (IPSs) come up short. Network firewalls, for example, are designed and deployed to provide basic access control by inspecting IP packets. They do not understand application languages like HTML and XML—and they do not understand HTTP sessions. Consequently, they cannot validate user inputs to an HTML application, or detect maliciously modified parameters in a URL request. This leaves the application vulnerable to a range of serious exploits.

An IPS, meanwhile, can detect and block attacks within the network. However, like network firewalls, IPSs have little or no understanding of application languages—they cannot stop session-based application-layer attacks or detect the injection of malicious code. On top of that, an IPS is known for generating false positives, so aside from leaving Web applications unprotected, it can also risk wasting valuable IT resources and frustrating application users. As application firewalls understand the language Web applications speak, they generate fewer false positives.

Therein lies another important issue to keep in mind: a lot of today’s Web application traffic is encrypted for security using the Secure Sockets Layer (SSL) standard. Neither network firewalls nor most intrusion prevention systems can decrypt SSL traffic for inspection. Consequently, they are powerless to stop or even detect encrypted exploits from entering the network and striking directly at Web applications.

In short, network firewalls and intrusion prevention systems by themselves do not offer sufficient protection for Web applications. However, a comprehensive application delivery infrastructure can help governments and public sector organisations address these application vulnerabilities.

A Strategic Starting Point for Secure Application Delivery Holds the Key
In order to effectively defend the network against external attacks and insider threats, CIOs and IT managers within public sector organisations need a solution that makes it possible to take advantage of a range of options for delivering integrated data security. This will ensure new e-Government applications and services can be launched successfully, guaranteeing information system security without delaying projects, and that the integration of security tools into the legacy infrastructure does not cause any drop in security or productivity.

With a vision of a world where anyone can work from anywhere, Citrix is committed to delivering the best access experience to public and private sector organisations, and to developing application security solutions that maximise the performance and security of web-enabled applications. This means matching any web application and user scenario by:

Keeping sensitive data confidential when serving millions of citizens online. Web applications provide direct access to some of the most sensitive and valuable data in any public sector organisation. Having an architected system to forward valid inter-governmental or citizen requests to servers and to block illegitimate requests via a single, unified device is crucial. This includes built-in defences against Denial of Service (DoS) attacks and preventing the theft of sensitive information that might be exchanged via a Web portal.

Recognising that users are the weakest link. As people become more tech savvy and the adoption and role of e-Government services in Asian countries continue to increase, the role of e-Governments will change from governments pushing services to citizens pulling services. As a result, strong authentication is essential. A centralised Enterprise Single Sign-On (ESSO) for multiple resources, such as that built into Citrix Presentation Server 4.5, reduces user exposure to multiple passwords and logins. This enhances security while reducing support costs, and also enforces password policy requirements.

This has been achieved by Zhejiang Communications Bureau. Responsible for all aspects of transportation policy and implementation throughout the Chinese province, the organisation implemented Citrix® Presentation Server so that its hundreds of officials who travel often can access and view documents from remote locations without the need to download them onto their notebook PCs. As all information transmitted between server and user over the wireless network is encrypted using SSL technology, this holistic application delivery infrastructure has enabled the Bureau to address network access issues and safeguard network and data security.

Conclusion
The nature of attacks has migrated beyond the “spray & pray” approach of general viruses and worms to highly targeted attacks against specific organisations, applications and sensitive data. By deploying a holistic application delivery infrastructure, public sector organisations can deploy technology that specifically secures critical resources and the sensitive information behind them from attack. This enables web applications to deliver the benefits envisioned by e-Governments across the Pacific.

Les Howarth is Director, Application Networking Group, for Citrix Systems in the Pacific. Howarth is responsible for driving and managing the overall growth of Citrix in the application delivery networking space, as well as strategic engagement with channel partners and customers in the region. Interested readers may contact Howarth through Regina Tan (regina.tan@citrix.com), Senior Manager, Corporate Communications – Pacific.
COVER FEATURE
Efficient, Cost-effective Approach to Security Operations
IBM Tivoli® Security Operations Manager
http://www.ibm.com
Security breaches can have serious, measurable consequences: lost revenue, downtime, damage to reputation, damage to IT assets, theft of proprietary or customer information, cleanup and restoration costs, and potential litigation costs. To reduce these risks, security organisations need the capability to quickly identify and react to attacks.

Amol Bhandarkar and Ram Gopal Gandhekar
Network Security, or Information Security as many would like to call it, has evolved over the years. With the evolution of the Internet and its supporting technologies, access to information has become just a click away. With this ease of access to information, its misuse has become a grave concern. Organisations, especially in the public sector, are facing the daunting task of providing simple, efficient access to some information while keeping other data away from the legitimate users as well as determined hackers. In addition to the issues mentioned above, organisations have a multitude of other security related issues which need to be addressed, including physical security, internal threats, privacy concerns and evolving legal requirements. If these concerns are not handled in the correct manner, organisations are put at severe risk, both legally and financially. Gone are the days when organisations would implement firewalls and feel safe. As security requirements grow, organisations need to be proactive rather than reactive. Not only are the threats frequent and severe, but the cost of potential attacks is also growing.

Need of Proactive Security Management

There are quite a few security point products that address different issues in building and maintaining secure infrastructure. Technologies like firewalls, intrusion detection/prevention systems, content management systems, strong authentication mechanisms, access control (Authorisation) systems etc. have been addressing the security concern in their own way. However, the problem with these security elements/devices is that they have their own paraphernalia, their own mechanism of collecting information and their own way of alerting security personnel to the possibility of security breaches. In addition, these security devices/elements generate a plethora of data on the information they have collected and processed, which we all call logs. Going through these logs of various devices is intricate, and doing so in real time is humanly impossible.

Multi Vendor, Multiple Domain Environments

Furthermore, as the infrastructure grows in size and complexity, it becomes more difficult to track the information and analyse it to make sense of it and get the complete security health of the organisation.
SIEM: Tackling the Security Threats in Proactive Manner

Security information and event management (SIEM) systems help users to gather, store, correlate and analyse security log data from many different information systems. This data may prove valuable for network security as part of an organisation’s immediate response to an attack, making it possible to see, for example, all the virtual private network connections that were active when a behind-the-firewall server came under attack. Or, in the case of an incident discovered after the fact, such as the theft of credit card numbers, the system could produce reports for police and regulators from the archived log data.
IBM provides IBM Tivoli® Security Operations Manager — a Security Information and Event Management (SIEM) platform designed to improve the effectiveness, efficiency and visibility of security operations and information risk management. Tivoli Security Operations Manager centralises and stores security data from the entire technology infrastructure so that one can:
• Automate log aggregation, correlation and analysis.
• Recognise, investigate and respond to incidents automatically.
• Streamline incident tracking and handling.
• Enable monitoring and enforcement of policy.
• Provide comprehensive reporting for compliance efforts.

Tivoli Security Operations Manager automates many repetitive, time-intensive activities required for effective security operations. The result is an efficient, cost-effective approach to security operations. Tivoli Security Operations Manager provides a platform from which organisations can automatically aggregate host logs, security events, asset data and vulnerability data. One can select how much data one wants the software to draw in — and from which sources — and Tivoli Security Operations Manager gathers the data using standard and native protocols such as Extensible Markup Language (XML), syslog, Simple Network Management Protocol (SNMP), Simple Mail Transfer Protocol (SMTP), CheckPoint OPSEC, Sourcefire eStreamer and many more. It can also use its own low-impact universal agent to collect information. Tivoli Security Operations Manager collects event and log data from hundreds of different devices today “out of the box.” Additionally, one can add support for custom devices and internal applications.

[Figure: SIEM functionality]

Improve Incident Detection by Correlating Across Devices

Drawing on information from across the infrastructure, Tivoli Security Operations Manager can help detect attacks, misuse and anomalous activity. The software analyses and prioritises event data using four complementary correlation techniques:
• Rule-based correlation — detects known attacks and policy violations.
• Vulnerability correlation — maps known attacks to known system vulnerabilities.
• Statistical correlation — identifies anomalies by performing advanced analysis of events and hosts.
• Susceptibility correlation — helps determine the likelihood of exposure for any given system.

Additionally, Tivoli Security Operations Manager can use one’s business priorities to weigh the importance of assets during the correlation process in order to prioritise security activities. When security analysts use the console, they see not an endless list of security events, but meaningful information that has been prioritised in alignment with one’s goals and policy.

[Figure: TSOM Dashboard]
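An added example, not part of the original article and not Tivoli Security Operations Manager code: a Python illustration of vulnerability correlation, asset weighting and the "which VPN connections were active during the attack" question described above. All hosts, signatures, vulnerability ids (placeholders, not real advisories), addresses and the doubling rule used for weighting are assumptions constructed for illustration.

```python
from datetime import datetime

# All data below is constructed for this example.
ASSET_WEIGHT = {"treasury-db": 10, "portal-web": 6, "print-srv": 1}
HOST_VULNS = {  # findings of the latest vulnerability scan, per host
    "treasury-db": {"VULN-0002"},
    "portal-web": {"VULN-0001", "VULN-0003"},
    "print-srv": {"VULN-0001"},
}
SIGNATURE_TO_VULN = {  # which weakness each attack signature exploits
    "sig-web-overflow": "VULN-0001",
    "sig-db-auth-bypass": "VULN-0004",
}
IDS_ALERTS = [  # (time, source ip, target host, signature)
    ("2007-05-02T10:15:00", "10.8.0.23", "portal-web", "sig-web-overflow"),
    ("2007-05-02T10:16:30", "10.8.0.23", "treasury-db", "sig-db-auth-bypass"),
    ("2007-05-02T10:17:10", "10.8.0.41", "print-srv", "sig-web-overflow"),
]
VPN_SESSIONS = [  # (user, assigned ip, login, logout or None if still open)
    ("officer17", "10.8.0.23", "2007-05-02T09:58:00", "2007-05-02T10:40:00"),
    ("clerk04", "10.8.0.41", "2007-05-02T08:00:00", "2007-05-02T09:30:00"),
    ("auditor2", "10.8.0.77", "2007-05-02T10:05:00", None),
]


def ts(text):
    return datetime.fromisoformat(text)


def vulnerability_correlate(alert):
    """True when the attack targets a weakness the scan found on that host."""
    _, _, host, signature = alert
    return SIGNATURE_TO_VULN.get(signature) in HOST_VULNS.get(host, set())


def priority(alert):
    """Asset weight, doubled when the target is known to be vulnerable."""
    weight = ASSET_WEIGHT.get(alert[2], 1)
    return weight * (2 if vulnerability_correlate(alert) else 1)


def active_vpn_sessions(at):
    """VPN sessions that were open at time `at`."""
    moment = ts(at)
    return [s for s in VPN_SESSIONS
            if ts(s[2]) <= moment and (s[3] is None or moment <= ts(s[3]))]


def triage():
    """Alerts ordered by priority, each tied to the VPN user behind its source."""
    rows = []
    for alert in IDS_ALERTS:
        when, source, host, signature = alert
        users = [s[0] for s in active_vpn_sessions(when) if s[1] == source]
        rows.append({
            "host": host,
            "signature": signature,
            "vulnerable": vulnerability_correlate(alert),
            "priority": priority(alert),
            "vpn_users": users,
        })
    return sorted(rows, key=lambda row: row["priority"], reverse=True)


if __name__ == "__main__":
    for row in triage():
        print(row)
```

The alert against the most valuable asset does not come out on top here, because the scan shows that host is not exposed to that attack, while the third alert has no VPN user attached because the session that last held its source address had already closed.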
Reduce Time to Mitigation through Integrated Incident Investigation and Response
To help drastically reduce the time it takes to handle attacks, misconfigurations and misuse, Tivoli Security Operations Manager tightly integrates its investigation and response tools. The software also facilitates the escalation and tracking process. Investigative features include the following:
• Integrated one-click investigation tools.
• Automated responses to block threats and close the loop.
• Geographic tracking of suspicious activity.
• Security-oriented ticketing system.

Improve Efficiency through Operational Integration
Tivoli Security Operations Manager addresses operational inefficiencies experienced by siloed IT organisations by facilitating the flow of incident management data between security, network and systems management operations teams. For example, Tivoli Security Operations Manager integrates closely with enterprise network and system management products — including event managers and dashboards, as well as IBM Tivoli Enterprise Console® — and IT help-desk ticketing systems. One can leverage these integrations to:
• Support business and service assurance requirements.
• Correlate security insights with information from the broader operations environment.
• Further facilitate incident remediation.

Tivoli Security Operations Manager also integrates with IBM Tivoli Identity Manager and IBM Tivoli Access Manager for e-Business to provide monitoring and oversight for customer’s identity and access policies — enforcing policies, and quickly detecting and addressing potential misuse attempts.

Deepen Understanding through Comprehensive Reporting
The on-the-fly data mining, historical reporting, self-auditing and tracking capabilities in Tivoli Security Operations Manager provide critical components for understanding security trends. What’s more, these reports help IT communicate relevant security information to other audiences, such as management and audit teams. Features include:
• Standard and customisable report templates.
• An automated report scheduler.
• HTML, PDF and XML exporting of all graphs and charts.
• Self-auditing and tracking of all security activities.

Tivoli Security Operations Manager draws on information stored in a security event database to deliver on demand historical reporting and trending.
Conclusion
Security breaches can have serious, measurable consequences: lost revenue, downtime, damage to reputation, damage to IT assets, theft of proprietary or customer information, cleanup and restoration costs, and potential litigation costs. To reduce these risks, security organisations need the capability to quickly identify and react to attacks. Tivoli Security Operations Manager provides a holistic view of an organisation’s security posture and the ability to drill down and investigate attacks quickly. As a result, it is a valuable tool in helping prevent intrusions and helping maximise the security of one’s business.

Amol Bhandarkar (amol.bhandarkar@in.ibm.com) is the Security Consultant for Tivoli Security, working with IBM Software Group, IBM India. In his current role Amol drives the Security Management portfolio across the country and provides technical sales and consulting support across India for the Tivoli family of security management products.
Ram Gopal Gandhekar (rgandhek@in.ibm.com) is the Software Speciality Sales Manager Automation Lead – India, Software Group - Tivoli IBM India Private Limited.
Information Security

Information security is the process of protecting data from unauthorized access, use, disclosure, destruction, modification, or disruption. The terms information security, computer security and information assurance are frequently used interchangeably. These fields are interrelated and share the common goals of protecting the confidentiality, integrity and availability of information; however, there are some subtle differences between them. These differences lie primarily in the approach to the subject, the methodologies used, and the areas of concentration. Information security is concerned with the confidentiality, integrity and availability of data regardless of the form the data may take: electronic, print, or other forms.

The ISO-17799:2005 Code of practice for information security management recommends the following be examined during a risk assessment: security policy, organization of information security, asset management, human resources security, physical and environmental security, communications and operations management, access control, information systems acquisition, development and maintenance, information security incident management, business continuity management, and regulatory compliance.

In broad terms the risk management process consists of:
1. Identification of assets and estimating their value. Include: people, buildings, hardware, software, data (electronic, print, other), supplies.
2. Conduct a threat assessment. Include: Acts of nature, acts of war, accidents, malicious acts originating from inside or outside the organization.
3. Conduct a vulnerability assessment, and for each vulnerability, calculate the probability that it will be exploited. Evaluate policies, procedures, standards, training, physical security, quality control, technical security.
4. Calculate the impact that each threat would have on each asset. Use qualitative analysis or quantitative analysis.
5. Identify, select and implement appropriate controls. Provide a proportional response. Consider productivity, cost effectiveness, and value of the asset.
6. Evaluate the effectiveness of the control measures. Ensure the controls provide the required cost effective protection without discernible loss of productivity.

Source: http://en.wikipedia.org/wiki/Information_security
news review
Denmark Tops in the WEF’s Global Information Technology Report 2006 - 07

Denmark ranks top for the first time in the World Economic Forum’s (WEF) Global Information Technology Report 2006 - 2007’s ‘Networked Readiness Index’. The study examines the preparedness of countries to use Information Communication Technology (ICT) effectively on three dimensions: the general business, regulatory and infrastructure environment for ICT; the readiness of three stakeholders (individuals, businesses and government) to use and benefit from ICT; and their actual usage of the latest ICT available. It measures the propensity of countries to leverage the opportunities offered by Information and Communication Technology (ICT) for development and increased competitiveness. The survey covered 122 economies worldwide and was published for the sixth consecutive year.

The result shows that Denmark ranks top for the first time, due to its strong regulatory framework, coupled with clear government leadership and vision in leveraging ICT for growth and promoting ICT penetration and usage. India and China slipped down to the 44th and 59th ranks respectively, due to weak infrastructure and a low level of individual ICT usage for India, and of individual and business readiness and usage for China. The Nordic countries have been in the top 10 list for the last 6 years due to their strong focus on education, which has enabled a culture of innovation, a business-friendly environment and readiness by the key national stakeholders to adopt the latest technologies.

Stage Set to Strengthen the IT Security in Key Infrastructure Sectors in India

As a measure to beef up Information Technology (IT) security in key infrastructure sectors, the Information Technology (IT) Ministry, Government of India has initiated the process to amend the IT Act 2000. The proposed amendment will necessitate having Chief Information Security Officers (CISOs) in both public and private key infrastructure sectors. The central and state government ministries and public organisations will have senior government officials such as the secretary as CISOs. In the private sector, the Administrator himself will serve as the CISO. These CISOs have to share data with the Computer Emergency Response Team-India (CERT-In) when deemed necessary. In turn, CERT-In will prescribe guidelines for the specific organisations to secure IT systems and provide actionable data to such organisations. It will alert the administrator to the presence of viruses and worms in the IT system of an organisation. The department has already sent out the template that would help them in creating the information which will be required by CERT-In.

UAE plans advancement in its ID Card Technology

UAE plans to add Iris technology as a second biometric identifier to the ID smart card issued to expatriate workers and citizens. Iris recognition is an attractive technology for identity authentication for several reasons. Like a snowflake, the iris - the externally visible colored ring around the pupil - of every human eye is absolutely unique. Of all the biometric technologies used for human authentication today, it is generally conceded that iris recognition is the most accurate.

The ID card was introduced two years back with fingerprints of the card holder. An estimated 80% of the country’s 5 million is made up of foreign workers. The card is being used to secure its borders, reduce identity theft and keep better track of the expatriates. It plans to run multiple applications on the same ID card: as a health card, as an e-Passport within the gulf region, as an ATM and e-Purse card and as authentication for e-Government services.
Indian Government signs MoU with Microsoft and McAfee to tighten cyber security
The Department of Information Technology (DIT), Government of India, has signed MoUs with Microsoft and McAfee to check the increasing threat from viruses and worms. According to the Computer Emergency Response Team - India (CERT-In), more than 400 Indian websites were attacked by hackers during December 2006 and a total of 5200 websites were defaced during 2006. The government is planning new strategies such as planting baits in cyberspace. These baits will attract unusual Internet traffic patterns, which will be analysed, and early warnings will then be issued to prevent damage. If the project is successful, it will help zero in on viruses and worms entering through different Internet Service Providers (ISPs) in critical sector organisations such as banks, railways and airports. The current initiative is part of DIT's bigger aim of building a country-level view of the security status of Net traffic. Even though an ISP-level view of the security status currently exists in the country, a country-level view will enable early monitoring of cyber crimes.
IRS failed to protect taxpayers' data
The Internal Revenue Service (IRS) has failed to protect taxpayers' data, which could have led to data theft or other financial fraud, said a US government report. According to the report, the IRS has not given adequate attention to protecting information in 52,000 laptops and other storage systems. Despite early warnings about the security problems in 2003 and February 2006, the IRS paid no heed to the issue. Nearly 500 IRS laptops were lost or stolen during that three-and-a-half-year period. Recently, the inspector general's staff tested 100 laptops used by IRS employees and found that 44 of them had unencrypted sensitive data, including taxpayer and employee personnel data. The new report also found similar security holes in the backup systems at IRS field and processing offices around the country. The report attributes the newly identified shortcomings at IRS offices “to a lack of emphasis by management.” The Privacy Rights Clearinghouse, a non-profit research and advocacy group, says more than 100 million records of U.S. residents have been exposed by security breaches since February 2005. Mark W. Everson, IRS Commissioner, said “protection of taxpayer data is a top priority” and the agency has “moved aggressively” to remedy security flaws from the second half of the last year.
COVER FEATURE
Building Trusted Environment Symantec Information Security http://www.symantec.com/
Please tell us about the security and storage solutions that Symantec offers, being the global leader in security technology and protecting information, to enterprises and the public sector?
The important thing to remember is comprehensive protection – end-to-end protection encompassing infrastructure, information and interaction. Symantec offers the following solutions for enterprises and public sector:
• A full spectrum of IT risk: security, availability, compliance and performance
• A full spectrum of users: consumers, SMBs, large enterprises
• A full spectrum of devices: handhelds, laptops/notebooks, desktops, servers, networks
• A full spectrum of Operating Systems: Windows, Linux, UNIX, Windows CE.
“Today’s threats tend to exploit vulnerabilities in client-side applications such as Web browsers, email clients, or other applications that require a degree of user interaction (word processing, presentation, and spreadsheet programs). In addition, the number of zero-day attacks continues to rise, leaving systems more susceptible to compromise,” informs Vishal Dhupar, Managing Director, Symantec India (Vishal_Dhupar@symantec.com), to egov magazine.
What are the top information security threats to the networks and data? What aspects of Internet infrastructure are most vulnerable to attack?
Attackers are moving away from large, multipurpose attacks on network perimeters towards smaller, more focused attacks on desktop computers. The new threat landscape will likely be dominated by emerging threats such as bot networks, customisable modular malicious code, and targeted attacks on Web applications and Web browsers. Instances of cybercrime and cyber fraud became widespread with more Indian enterprises conducting business online and with business critical information being made accessible online. Spyware and phishing emerged as two of the largest threats to corporate computing amongst the enterprises. Phishing emerged as the Internet’s biggest identity theft scam. Over the last one year, there has been a sharp increase in phishing attacks on Indian enterprises. Spyware has been used to launch corporate espionage, wherein unauthorised business-critical information has been acquired and sold to rivals. Using a single password for all applications on a network exposes an organisation to greater risk of spyware attacks.
Symantec brings out the Internet Security Threat Report, which provides a six-month update of Internet threat activity. It includes analysis of network-based attacks, a review of known vulnerabilities, and highlights of malicious code and phishing, spam and security risks. The 10th volume covers the six-month period from January 1, 2006 to June 30, 2006, and these are some of the interesting findings. Over the first six months of 2006, the Symantec Probe Network detected 157,477 unique phishing messages. This is an increase of 81% over the 86,906 unique phishing messages that were detected in the last half of 2005. Financial services was the most heavily phished sector. Spam made up 54% of all monitored email traffic, up from 50% in the last period. The most common type of spam detected in the first six months of 2006 was related to health services and products at 26%. Fifty-eight percent of all spam detected worldwide originated in the United States. Eight of the top ten reported security risks were adware programs.
The current Internet security threat environment continues to be populated by lower-profile, targeted attacks as cyber criminals identify new ways to steal information or provide remote access to user systems. The attacks propagate at a slower rate in order to avoid detection and increase the likelihood of successful compromise before security measures can be put in place. As technological solutions are proving to be increasingly more effective, attackers are reverting to older, non-technical means of compromise, such as social engineering, in order to launch successful attacks. Today’s threats tend to exploit vulnerabilities in client-side applications such as Web browsers, email clients, or other applications that require a degree of user interaction (word processing, presentation, and spreadsheet programs). In addition, the number of zero-day attacks continues to rise, leaving systems more susceptible to compromise.
Symantec has shifted its focus from security devices to protecting information. What are the solutions Symantec has to prevent data threats?
Cybercrimes often involve theft of personal or financial data, and threats targeting that kind of information are on the rise. In the last half of 2005, Symantec found that 80% of the top 50 reported threats could be used for data theft.
Unfortunately, it appears profit is the new motive for Internet threats, and the pride of one-upmanship, which used to inspire many cyberattacks, is giving way to calculated criminal intent. As cybercrime proliferates, the odds of becoming a victim also increase. Fortunately, there are plenty of things that a consumer can do and learn to reduce their risks. As far as solutions go, a program like Norton Internet Security automatically blocks hackers, viruses, spam, dangerous spyware, and it can even detect when stealthy programs try to transmit stolen data from the personal computer. Easily and automatically updatable, it’s also the best way to make sure you’re protected as new threats emerge.
In its recent report, Symantec has highlighted that home users are less likely to have established security measures in place; they are being increasingly targeted by attackers for identity theft, fraud and other financially motivated crimes. Is Symantec prepared to deal with this scenario?
Yes. The recent ISTR (Internet Security Threat Report) released by Symantec identified that home users are being increasingly targeted, accounting for 86% of all targeted attacks, for identity theft, fraud, or other financially motivated crime. As home users are less likely to have established security measures in place, they are ‘the weakest link in the security chain.’ Given the effect this has on the large and growing customer base for Symantec, we have tried to further understand how to better protect customers against these security concerns in years to come. As a category leader in security, it is Symantec’s agenda to educate and raise the level of awareness on security for consumers. Our Norton 2007 range of product portfolio provides the consumer a comprehensive security solution that combines antivirus, firewall, intrusion detection, and vulnerability management for maximum protection against malicious code and other threats. In addition, business is conducted over constantly changing connected value chains and success demands that you’re able to trust these connected value chains – Symantec is committed to helping build these trusted environments. Symantec provides the expertise, services, and products required to design, implement, and manage a trusted environment that enables the business.
The components of a trusted environment:
• Secure – The IT infrastructure is safe and protected. You can trust the information that you create, share, and use. And, you recognise who you interact with and know that you can trust them.
• Available – The IT infrastructure is highly available and resilient. The information is there when you need it. You can interact whenever, wherever, and however you want.
• High Performance – The IT infrastructure is scalable, flexible, and efficient, optimising your investment. The information flows freely, without interruption or loss. The interactions are easy, efficient, and fast.
• Compliant – The IT infrastructure is compliant with IT policies, regulations, and aligned with business requirements. Your information management is compliant and information can be discovered. Your interactions are compliant with IT policies and aligned with business requirements.
Only Symantec can provide true Comprehensive Protection – end-to-end protection encompassing an enterprise’s infrastructure, information and interactions.
The public at large has not much knowledge about security technology. How do you see the role of Symantec in creating the desired awareness?
Symantec is the leader in Consumer PC Security, with a history and commitment to the marketplace. Our competitive differentiators are our expertise, our customer base and brand, and our market reach/partnerships. Symantec protects more people from more online threats than anyone in the world and the Norton brand is the most trusted and recognized security brand in the world:
• Largest installed base of users with over 50 million active subscribers;
• Protecting over 370 million computers or email accounts
• Filters about 259% of world’s internet email
• Worldwide best sellers in NAV/NIS and NSW
Symantec, with its unmatched depth and breadth of security knowledge, has over 40,000 DeepSight Sensors across 180 countries; 4 SOCs and 8 Security Response Labs. The information gathered from this comprehensive source of information is incorporated into our product portfolio, making our Norton range of products better with every version. Symantec spent 15 percent of its total revenue on research and development in FY06. (Source: Symantec Investor Relations, 6/06). The endeavor at Symantec is to constantly stay ahead of the cyber criminals, ensuring our products and the information we send out to our consumers provide them the protection they need! Symantec effectively addresses its customers’ needs around:
• Infrastructure - IT evolution continues from ad hoc operations through standardization, virtualisation and eventually to service-based and policy-based operations
• Information - security threats are evolving from graffiti to bank robbery; confidential information and financial gain are today’s drivers; exponential data growth is driving changes in the way businesses assure the security and availability of information and systems
• Interactions - Just as attacks against businesses are becoming more financially driven, stealthy and insidious, so are the attacks against individual consumers, which negatively impacts their confidence in conducting online transactions.
What are some of your future plans?
We give consumers the freedom to work and play in the connected world, protected from fear, frustration, loss, and chaos. Our plan is to move past the protect-the-PC mentality and focus on the end-to-end process of protecting consumers’ activities and information as it’s created, transmitted and stored. Trust is the foundation of the online world and our latest product offerings will provide consumers with the freedom to enjoy their favourite online activities with the confidence that they are secure, and protected from the latest threats.
DATA SECURITY AND STORAGE MANAGEMENT SOLUTIONS FOR THE PUBLIC SECTOR
Many public sector organisations now operate online, making public and transactional services available to citizens and businesses over the internet. Public sector organisations also see a need to improve the mobility of staff, enable interoperability and collaboration with other public entities, and ensure the integrity and transparency of public administration. While battling with these challenges, those responsible for IT in the public sector face a shortfall of in-house resources, as well as complicated and sometimes conflicting legal and operational obligations. Providing new and improved services to a diverse range of citizens, public sector organisations have to work all the while within limited budgets. Meeting the challenges of serving the public and protecting vital resources, public sector organisations need a trusted partner with vast IT experience. As a worldwide leader in data security and storage management, Symantec provides the cost-effective solutions and expertise needed to protect infrastructure, information and interactions across numerous and complex IT systems. By delivering an integrated approach to information and systems management, Symantec helps organisations create a trusted IT environment; one that is free from security breaches, complies with regulations and is available and high performing at every level.
COVER FEATURE
Strong Operational Foundation Pre-requisite for Security
http://www.motorola.com
Interview with William Bill Boni (Bill.Boni@motorola.com), Corporate Vice President, Motorola
What is the vision and goal of Motorola’s security solutions for the public sector?
Current and next generation mobile technologies are enabling government agencies to realise many of the productivity improvements achieved in the private sector, resulting in reduced costs and greater responsiveness to constituent needs. However, greater utilisation of information technologies comes with increased security risks. Motorola’s global security services team helps public and private sector customers define, design and deploy cost effective strategies to address the security, regulatory compliance and operational risks inherent in communications technologies.
How important in your opinion is the whole issue of network and information security for the government?
In the digital era, access to information and the sharing of knowledge have created a new global currency that is transforming the fundamental economic, educational and social constructs of society, creating unprecedented opportunities for positive change. But with this potential for positive changes also exists the reality that criminal and terrorist organisations are using technology today to commit financial fraud, disrupt society and facilitate acts of terror. In this contest between positive and negative forces, governments must take a leadership role in network and information security to fulfill their most fundamental obligation of protecting the public they serve.
Tell us about Motorola’s network security services.
One of the common misperceptions about security is that weaknesses in the technical infrastructure can be addressed by adding more layers of technology. While new technologies are needed, the weakest links that are exploited today frequently exist within the realm of people, policy and process. Unlike many security companies that exist primarily to market security technologies, Motorola provides security services that help customers cost-effectively define, design and deploy holistic solutions that integrate people, policy, process and technology to mitigate the risks of current and next generation technologies.
What are your suggestions to the government officials planning and implementing the e-Government projects and programmes in terms of security risk management?
Government officials must understand that in the 21st century information risk management is a foundational expectation of citizens. Even systems and applications that are expected to be “protected” from attacks must be designed, built and tested to confirm they are secure against cyber attackers who may operate from anywhere in the world, including inside the sponsoring government’s networks. Too often projects are only evaluated on their ability to meet identified positive “use cases”. It’s especially important that e-Government projects which provide benefits (financial, informational, operational) to society must also be assessed with “abuse cases” that can reflect the criminal mindset and the tool kits of malicious attackers. It is also crucial to ensure that leadership of major programmes are accountable for effective security/risk management. Technology alone is not sufficient to ensure secure operations; it requires the proper mix of policy, process, people and technology. Information security leaders and staff must act both as champions for the necessary protections and monitor ongoing operations to ensure that protections are sustained and evolve for the entire lifecycle of the project/programme.
The developing countries also need to strike the right balance and spend as little as possible to get the highest level of security. What is your take on this?
Your question goes to the core of the role of IT risk management, which is to balance the investment of resources to achieve optimal reduction of risk. Absolute protection is impossible and all information assets cannot be protected equally. Developing countries must balance the benefits of investing in next generation technologies and infrastructure, with investments in security programs that are designed to address prioritised risks.
What future plans does Motorola have for increasing its Government IT market share in emerging markets, especially in India?
Emerging markets and India in particular are in a unique position to invest in infrastructure that surpasses the legacy networks in more developed nations. For example, Motorola’s enhanced IP-based TETRA communications solutions, Wi4 wireless broadband solutions, and IP-based solutions for telecommunications and network service providers are enabling both government and industry to reduce the cost of “everywhere anywhere access” to information, including voice, video and data. Motorola security services professionals work alongside our product and engineering teams to help ensure that the environments within which these new solutions are deployed leverage best practices for achieving defense in depth security. In today’s increasingly connected world, where the security of one network directly impacts other networks, building a strong operational foundation for security is essential to the benefits of new technology.
COVER FEATURE
New Approach to Protecting Customer Data and Intellectual Property Assets
http://www.mcafee.com
The life blood of every business and institution is its core information assets, such as financial documents, customer data, source codes, intellectual property and more. These pieces of data are potentially just a few mouse-clicks away from being distributed to inappropriate recipients and exposing the organisation to the risk of data loss. In order to minimize the risk of data loss, organisations must gain full control and retain absolute visibility of the data leaving the employees’ end-stations, including emails, instant messaging, printed documents, USB drives, floppy disks, etc.
Kartik Shahani
All IT security revolves around the fact that one critical asset is being protected: “data”. Regardless of whether data loss happens accidentally or as a result of malicious activity, the effect on the organisation can be severe: loss of trade secrets, loss of customer goodwill, and regulatory penalties. To stem the damage to balance sheets, brands, and competitive advantage, organisations must adopt a new approach to protecting customer data and intellectual property assets. The current protections are insufficient as there is no data loss coverage. Driven by industry regulations and internal governance policies, most security programs still concentrate on limiting unauthorised access. They fend off external attacks with traditional data security measures including firewalls, intrusion prevention, and anti-spyware. They rely heavily on identity and access controls and, in some cases, data encryption to limit exposure of sensitive information. But these approaches leave coverage gaps that enable an insider threat: inadvertent and deliberate loss by authorised users. Though there is a focus on “Intrusions” (external threats), there is less focus on “Extrusion” (internal threats).
The Insider Data Loss Problem
In a typical month, data loss incidents make mainstream news more often than violations of the Sarbanes-Oxley Act (SOX). While hacking gets justified attention, a great number of losses are due to authorised users inside the organisations. According to the 2006 CSI/FBI Computer Crime and Security Survey, a remarkable 68 percent of survey respondents had experienced tangible losses attributed to insiders. These losses tarnish reputations and brands, jeopardise competitive advantage, and require costly remediation. Consider 2006.
• One of the most high-profile of the incidents made public was in July last year when an employee of HSBC Electronic Data Processing Pvt. Ltd, a Bangalore-based captive back office outfit of HSBC Bank Plc, was arrested after he allegedly siphoned off nearly INR 20 million from the accounts of 20 bank customers in the United Kingdom (UK).
• Earlier in 2005, workers at the BPO services division of Mphasis BFL Ltd, which counted Citibank as one of its key clients, defrauded some of the US bank’s customers of nearly half a million dollars.
• In June the same year, an undercover reporter from the UK’s The Sun tabloid bought information of 1,000 UK bank account details from an Infinity e-Search employee in Gurgaon, India.
Some other examples around the world are:
• Industrial espionage charges were filed against a Chinese-Canadian engineer for theft of military training software
• The Republican National Committee inadvertently emailed a list of donors’ names, Social Security numbers (SSNs), and races to a New York Sun reporter
What do these losses have in common? Authorised users. Users already inside the organisation had a business need to view and handle sensitive information. Through uninformed misuse, errors in judgment, or malicious intent, their legitimate access to information led to losses that caused financial and legal liability, and public relations headaches. Are these losses new? In some cases, yes, as more business and government practices go online to support distributed, just-in-time operations. In other cases, they are simply visible now. Hence a body called the SRO (Self Regulation Organisation) has been proposed in India; it was designed by the trade body National Association of Software and Service Companies (NASSCOM) in September 2006 to identify and enforce a set of security and privacy standards that member companies will be expected to adhere to.
So Far, Not So Good
The traditional approach to data security emphasises “keeping the bad guys out” using firewalls, intrusion prevention, anti-spyware, and data encryption products. To control unauthorised information usage by insiders, many companies deploy identity management systems and use access control lists. These traditional security and access controls are helpful, but they do not fully protect companies from data loss. In February 2006, Gartner Content Monitoring and Filtering Research indicated that the market would likely evolve to the “successful blocking of all channels on the network and hosts from which data can be stolen. This would include host-based agents that can stop someone from downloading sensitive data—for example, through a Universal Serial Bus (USB) drive—and printing it and walking out the door.” (Paul E. Proctor and Rich Mogull, 23 February 2006)
What are some examples of data loss?
• Emailing of a confidential document to a competitor (or other unauthorised recipient)
• Printing of financial documents (and leaving in the printer tray)
• Copying customer record files to a USB drive (easily taken offsite)
• Sending an internal document via Hotmail
These simple everyday tasks have escalated data loss into the limelight with its tremendous impact and damage to organisations and consumers alike. So how does data loss occur and why is this becoming a mission critical issue for organisations?
The life blood of every business and institution is its core information assets, such as financial documents, customer data, source codes, intellectual property and more. These pieces of data are potentially just a few mouse-clicks away from being distributed to inappropriate recipients and exposing the organisation to the risk of data loss. In order to minimise the risk of data loss, organisations must gain full control and retain absolute visibility of the data leaving the employees’ end-stations, including emails, instant messaging, printed documents, USB drives, floppy disks, etc. In addition to accidental or malicious IT security policy breaches caused by end user actions, organisations need to protect their systems from targeted Trojans, file-sharing applications and worms that use employee credentials to access sensitive information and send it externally without the end user or organisation even being aware that it is happening. In today’s world, protecting the organisation against these risks is an absolute necessity, and in many cases, a properly installed security measure is mandated by regulations.
There are many data loss channels. To simplify, let’s group data loss channels into three groups:
• Physical - copying files from the desktop or laptop onto a storage device (USB, iPod, CD, DVD, and other removable storage, printer, fax)
• Network - sending sensitive data from the endpoint (LAN, WiFi, FTP, HTTP, HTTPS)
• Applications - email, webmail, Instant Messenger, screenscrape, P2P, Skype or malware (Trojan horses, spyware, worms, etc.)
A Data Loss Prevention solution must cover all of the above data loss channels. Anything less puts organisations at risk. It is clear that organisations need to protect their confidential data.
What has been their approach?
The traditional security approach has meant using access control, i.e. ensuring that information access is enabled for the authorised persons within the organisation and restricted to the types of information and resources that each person requires to do their job. However, that is not enough. Organisations need to think differently…
So, why is a paradigm shift needed?
Legitimate access to information does not grant the user the right to remove it from the enterprise (organisation).
Data loss usually happens unintentionally and usually by people authorised to access the data.
• Employees are authorised to access the data to complete their work assignments.
• However, that does not mean they are authorised to transfer the data as they please.
• Access control does not provide visibility or control over where or to whom the information can go next.
As you can see, access controls are not enough. Access controls cannot solve this problem. Organisations need Data Loss Prevention.
Universal protection prevents data loss for the user at work, at home, and on the road
• Network - LAN, WiFi, SMTP, FTP, HTTP, HTTPS
• Physical devices - USB, iPod, CD, DVD, etc.
• Applications - email, webmail, instant messaging, P2P
Content-aware protection prevents data loss even when data is modified, copied, pasted, compressed, or encrypted, with support for over 390 file types
• Modified, copied, pasted, compressed, zipped, or encrypted (for the use case when the file is encrypted on the host)
• Allow organisations to focus on monitoring only the scenarios in which a user attempts to send out sensitive data
Advanced forensics gather evidence on instantly blocked and monitored data loss events
• Sender, recipient, timestamp, and sensitive data evidence
• Details enable proper and prompt response
Summary
With data being the key asset at government agencies, legitimate access and control will play an important role, especially in the highly sensitive spaces of:
• Internal security
• Law and Judiciary
• Military and Paramilitary
• Homeland Security
• Internal Revenue
• Development (Scientific and ancillary)
There are McAfee solutions available for safeguarding data, termed DLP (Data Loss Prevention). As we realise from the above discussions, the fact is that neither traditional solutions nor access control is sufficient as a methodology for data protection. A new data loss prevention solution from McAfee® closes this gap. It combines host and network protections throughout the data usage lifecycle, from creation and manipulation to transfer and transmission. Organisations gain consistent, reliable data loss prevention across applications, network channels, and even physical devices. The McAfee Data Loss Prevention (DLP) solution makes it possible for organisations to enforce policies and monitor and report on improper usage, even when laptops are physically disconnected from the network. It helps inform users of proper policies while preventing losses. It also offers new visibility into actual data handling to help security managers appropriately direct investments in safeguards, training, and process improvement. Because this protection comes from McAfee, it complements and reinforces other network and host-based defenses. The McAfee DLP solution closes the authorised-user coverage gap and provides an easily managed element of any security risk management programme.
Kartik Shahani is the Regional Director, India, McAfee Inc, McAfee Pvt. Ltd. Kartik manages the operations for the country and has the responsibility of developing the market for the Indian Subcontinent in terms of the McAfee suite of security products/solutions.
COVER FEATURE
Protecting Network and Information Assets Nortel
http://www.nortel.com
“Nortel believes that any network that is built has to be optimised, trustworthy, and dependable. This means a lot in the networking world. Nortel solutions are focused around the four tenets - resiliency, performance, security and simplicity”, says Sajan Paul, Chief Technology Officer, Nortel (skpaul@nortel.com), to egov magazine.
What is the e-Government vision and goal of Nortel?
Nortel has been associated with mission critical solutions for government, federal and defense establishments. In North America, Nortel has an exclusive division only to address federal government requirements. In response to today’s radically escalating threat environment and the corresponding need for more capable, cost-effective security and business protection solutions, Nortel Government Solutions offers a holistic, mission-centric Information Assurance (IA) solution suite that delivers:
• Proven solutions used by the world’s most security-conscious organisations
• Lower cost of risk protection
• Solutions aligned with the strategic and operational business goals
• Widely accepted, standards-based PKI solutions for confidentiality, integrity and authentication across users, data and applications
• Systems and applications easily and rapidly integrated with existing IT infrastructure and business processes
• Systems engineering, policy development and management support for streamlined operations throughout a system’s entire lifecycle
• Reduced downtime and higher productivity
• Quicker, cost-effective disaster recovery
• Simplified certification and accreditation
• Stronger Rate on Investment (ROI)
Nortel believes that any network that is built has to be optimised, trustworthy and dependable. This means a lot in the networking world. Nortel solutions are focused around the four tenets: resiliency, performance, security and simplicity. Functionally, the network should invade to common man and make changes in the way business is done with citizens. Network and services should grow to a level that it should be indispensable in the life of common man and businesses.
Please tell us about the Nortel communications networking solutions to strengthen e-Government initiatives of the public sector.
Nortel plays in the following areas of e-Government solution:
a) Connectivity - Nortel has world class solution for optical, wired and wireless networks. Nortel optical solutions are the backbone of many mission critical, high bandwidth networks. WiMax solutions are also emerging in the 802.16e and 802.16d and Nortel is in the forefront of these developments and quite a few trials are underway worldwide. Multiservice routing is another key area that is used for low speed connectivity.
b) Security - Networks of small to big sizes are equally vulnerable from hacking, impersonation, denial of service, viruses and unauthorised access etc. Public network once commissioned will have thousands of secure transactions through the network. A well designed network should have a layered approach to the security and Nortel is pioneering in this area with its industry firewall, threat protection, end point security, VPN, secure network access. Nortel’s philosophy is to provide security at wirespeed. We have industry alignments with the best in class security solutions which will be part of the e-Government solutions.
c) Telephony, Video and application integration - Nortel, with its leading IP telephony solutions, is one of the few vendors who are engaged in an end to end telephony solution for our customers. Nortel succession series of scalable IP telephony system can scale to over 20,000 end points and works on leading protocols like SIP and H.323. Each IP phone may be used as a rich application delivery platform with the integration with application gateway. Government agencies can benefit from these secure applications delivered on the phone. There is a series of video phone and video terminals as part of the multimedia solutions.
d) Disaster Recovery and Business continuity plan - Nortel optical solution with the introduction of OM 5200 and BCS 3000 provides DR connectivity with secure replication and bandwidth efficient features.
Security is a concern, especially for the government for its data and information. What is your opinion regarding security as being built-in feature in e-Government systems from the beginning?
This is absolutely true, especially in government solutions. Since a lot of critical information is at stake, security has to be given utmost importance. Security should be an inherent feature rather than an after-thought. Security in the DNA is our philosophy.
China has deployed the Wide Area Network solutions from Nortel for its Taxation system to provide uninterrupted access to critical taxation management information and applications. Please tell us more about this initiative.
Nortel, in various countries, is engaged in building mission critical networks. Some of the largest public networks in India are built around Nortel technology. In China, Nortel provides high performance optical backbone, multiservice switching and security solution, IP telephony and video conferencing solutions. We are exploring WiMax based local access solutions in many countries where last mile access is the biggest challenge. We have been able to provide unprecedented uptime, by careful selection of solution and proper engineering. In Taiwan, we have deployed a city wide WiFi network using our secure wireless mesh technology. This provides seamless internet access to common man.
What is your plan for similar public sector partnerships in India?
Nortel works with public and private sector partners to help build advanced e-Government solutions. This alignment works very well in India and there are many skilled system integration partners engaged in this. Nortel is also looking at working directly through its services organisation to help deliver some of the egov solutions.
What are the main security threats for networks and what are some of the solutions offered by Nortel?
As mentioned earlier, security is always a layered approach. No single box can manage the ever increasing security threats. Government networks are targeted by unlawful persons and groups to bring down credibility and steal databases, medical records and many other important data. Nortel security solution covers i) perimeter security; ii) network security; iii) core security; and iv) multimedia security.
How has Nortel positioned its security solutions in view of other major market players in this sector?
Each network vendor has its strengths and weaknesses. We have partnered with industry leaders like Check Point, Sourcefire, Symantec and Microsoft for advanced security solutions and integrate them with network infrastructure. The key in providing high performance and reliable network is to use the best in breed solutions and adapt them to the network conditions. For example, Nortel accelerated firewall running the Check Point engine provides industry’s first accelerated firewall platform with over 7 Gbps of throughput.
What is your take on public-private partnership in implementing the e-Government programme in India?
Public-private partnership is the key to success in many countries like ours. This ensures a faster turn around, latest technology solutions and tremendous accountability
news review
World
Legislators to get Training in ICT Skills for Good Governance: Uganda
The Parliamentary Information and Communication Technology Committee, Uganda is working on a new strategy to enable legislators to use Information and Communication Technology (ICT). This will enable the legislators to acquire relevant development information from the developed markets. With the new ICT skills, the legislators will be in a position to get information from all over the world and will be informed better than ever before. This will result in skilled governance and development in their respective constituencies. Edward Kafufu Baliddawa, Chairperson, ICT Committee, said “At a meeting held in Rome, many of the legislators from around the globe recommended that ICT can be employed in Parliaments, especially in developing countries as a tool aimed at enhancing good governance and information dissemination to ease development.”
Malta ranked second in the WEF’s Global Information Technology Report 2006 - 2007
The World Economic Forum (WEF) has ranked the government of Malta as the second most successful government in the world promoting the use of Information and Communication Technologies (ICT). The government has an ambitious vision to become a world-leader in the technological stream which is the basis for tomorrow’s economy. Malta is in the worldwide top 10 rankings for the strong priority the government gives to ICTs, for the availability and efficiency of online services and for the per capita quantity of high-tech exports. It is also the world leader for high-speed monthly broadband subscriptions. Though initially the government received a discouraging reaction from the opposition, the Maltese business community had worked with the government and its global allies to provide the best technology at prices aimed at encouraging demand. Minister Austin Gutt said “We have realised our vision but this is no time to rest. Staying on top is as tough as getting there. Our new National ICT Strategy for the next three years will be even more ambitious than the two documents that mapped out our work of the last six years.”
Internet Access to Amazon Tribes
In an effort to protect the world’s biggest rain forest, the Amazon, the Brazilian government will provide free Internet access to the tribes. An agreement between the Forest People’s Network and the Ministers of Environment and Communication has been signed to provide Internet signal by satellite to 150 communities, most of them reachable only by riverboat. Francisco Costa of the Environment Ministry said the goal of the initiative is to “encourage those people to join the public powers in the environmental management of the country. The government intends to strengthen the Forest People’s Network, a digital web for monitoring, protection and education.” According to the ministry, city and state governments must first install telecentres and then the federal government will provide the satellite connection. A native Indian tribe has said there are currently a few telecentres on the outskirts of cities, and these new telecentres installed in the deep forest will allow them to access public officials easily so that they can alert them of illegal miners, loggers and ranchers. It would also strengthen indigenous culture by linking them and providing environmental education.
Taiwan gets High Rating in e-Government Service
Over the past twenty years, Taiwan’s government has achieved much in terms of providing people with prompt and efficient services through various administrative reform processes including the deployment of e-Government systems to provide up-to-date information on government policies and activities. Research, Development and Evaluation Commission (RDEC) under the Cabinet is the nodal agency to oversee the administrative efficiency and modernisation at all levels of government. RDEC in conjunction with National Science Council, Council for Economic Planning and Development, and Central Personnel Administration formed a task force to oversee administrative reform and modernisation, technological development, economic development and management of government personnel. The country’s achievements in providing e-Government services are admired by many countries. Most importantly, this is leading to saving of billions of dollars of taxpayers’ money each year. The government, based on its past experiences, plans to expand its e-Government services to enable everyone to pay electric, water and telephone bills, make tax payments, and record changes in property registration, etc.
Read daily e-Government news update at www.egovonline.net
Industry perspective
Citizen Data Hub
Integrating Government Processes
http://www.oracle.com
“Once you have the master data and the unique IDs are created, you can use it for any kind of application starting from any kind of rural development applications, civil supplies, passport, employment, over all national security projects and the implications are huge, even the ministry of finance, department of income tax everywhere it is required”, says SPS Grover, Vice-President - Sales, Oracle India (s.grover@oracle.com), in an interview with egov magazine.
What are the aims and objectives behind the citizen data hub?
The key objective is to integrate various government processes and the key entity for the government is its citizens. There are two ways of doing this. One is that you can have a quick enterprise resource planning solution for the government. This is an end-to-end solution, where everybody works on the same system so that citizens’ information gets transferred from one department to another. This is not practical and therefore one of the best ways for effective integration across various departments is to bring the permanent citizen data hub in one place, which can then be used by different entities across the country to provide a uniform service experience to the citizens. The data hub also needs to be secured to safeguard citizens’ data.
In which countries is this in operation currently?
Different countries have achieved this kind of an objective in a different way. Some countries have social security numbers, and they have used different technologies to achieve this objective. Citizen data hub or the product we brought out is based on our experience of working with some of the world’s large organisations bringing the metadata together, and this is applicable to both government organisations and enterprise customers. Our government entities are spread across multiple locations, so the task is to bring these entities together. So we thought of two products, one is the customer data hub, which caters to the enterprise customers, and the other is the citizen data hub for the government sector.
How does the citizen data hub function and what are its applications in the public sector?
It has the ability to create meta data depending on the data available, which may be required for the citizens and its various attributes. That means during the life cycle you can continue to add more attributes without having to change the complete schema and you can bring data in from various sources and duplicate it and create the master data and continue to populate it onto various systems. The Citizen Data Hub has a hub and spoke architecture, which means it can synchronize consistent customer data and processes across the enterprise. For example, if a change happens in one spoke, it is sent to the hub, which is then replicated across the different spokes. And if any spoke does not want any replication, it can check with the hub for the necessary data. Once you have the master data and the unique IDs are created, you can use it for any kind of application starting from any kind of rural development applications, civil supplies, passport, employment, overall national security projects etc. The implications are huge and can be used even by the Ministry of Finance, Department of Income Tax among others.
Please tell us something about how secure this solution is, especially for governments who need to keep the sensitive data secure?
What we provide is technology infrastructure. This means our technology can enable the collection of data, duplication of data, providing unique IDs and all those things in a secure environment. A lot of policies are associated with this, which are beyond the purview of technology deployment. As far as the protection of the data is concerned, all the security validations are built on the Oracle database and the data is only meant to be available to people on a need basis. Security is embedded in the whole infrastructure. Technology features that are necessary in managing this kind of sensitive data are in-built in our infrastructure environment.
What are the plans to work in partnership with Indian government in implementing National ID project through Data Hub solution of Oracle?
We are already working with the National Informatics Centre. I believe the necessary electoral data is being loaded into the system to initiate the process of removing duplication. Oracle is the technology provider and our involvement is to provide technology to users like Department of Information Technology, National Informatics Centre etc. Oracle provides robust and scalable technology to enable e-Government application deployments.
What future plans does Oracle have for increasing its Government IT market share in India?
Oracle India is active in the government segment and has partnered with the Indian government in various projects. Oracle is carrying out eGovernance projects in all 28 States in India and has more than 100 live government projects. The Government of Uttaranchal is using the Citizen Data Hub and we are providing solutions through our Government Centre of Excellence (CoE).
Are you also working on technology solutions that will have compatibility between the Central data and State data?
We are working with government agencies on different aspects of e-Government deployments at the Central and State levels. How the data is used and shared between the Centre and State can be answered best by the respective government
Sage Report of McAfee: For Security Executives
McAfee, Inc. has released its second issue of Sage, a semiannual security journal designed to update and inform technical personnel and security executives on cutting-edge topics that can help them make better informed security decisions. The new issue of Sage includes articles from McAfee researchers, managers and evangelists, on topics including cybercrime, Microsoft Windows Vista security, spyware, spam, cell phone security, data leakage and security risk management. Some of these are summarised below:
• The Future of Cybercrime: Cybercrime follows money. Today, the majority of cybercriminals target PC users, but we can expect more attackers to branch out to other areas of technology, such as voice over internet protocol and radio frequency identifications (RFID), as those technologies become more widely adopted.
• Securing Applications: Application security is a continual race and developers are struggling to keep up. As more information comes to light about the nature of computer software bugs and how they might be exploited, hackers can apply this information to their discovery process and find vulnerabilities previously considered secure.
• The Future of Security, Vista Edition: While Microsoft has taken steps to make the base of Microsoft Windows Vista more secure, the improvements both weaken third-party efforts to secure systems and don’t go far enough to do the job alone.
• Spyware Grows Up: Although programmers add some security measures during development, new spyware technology often far surpasses the best planning of even the most diligent engineers, opening new fronts of attacks. Spyware will follow us into new technologies, such as Bluetooth and RFID.
• Email Spam Plague Persists: McAfee expects to see very little increase in the percentage of spam volume over the next two years, but overall spam volume will increase as worldwide bandwidth grows. Image spam is the latest way for spam writers to dodge defenses.
• Online Crime Migrates to Mobile Phones: While current mobile phone service is generally considered safe, McAfee is seeing a rapid growth in mobile attacks with increasingly technical diversification.
• Closing the Data Leakage Tap: Data leakage is an emerging security concern and has an enormous impact on the reputation of a business. While drive encryption is the only preventative technology that’s reasonably mature, McAfee expects that basic data leakage prevention and disk encryption will be fairly ubiquitous in regulated enterprises within the next five years.
• Managing Risk: Security risk management is an important strategy issue for IT managers. Organisations that fail to select a risk management process, and resign themselves to reactive threat management, will find that the businesses they are chartered with protecting will sail on without them.
Sage is available for download through the McAfee Threat Center: http://www.mcafee.com/us/threat_center/default.asp.
eINDIA 2007
31 July - 03 August, Hotel Taj Palace, New Delhi
e-Agriculture 2007 is introduced as a new track in the country’s biggest ICT event, eINDIA2007. The event seeks to provide a national level platform to policy makers, corporate stakeholders, researchers, ICT professionals working in domain of agriculture and allied fields, and farmers. The conference is conceived as an opportunity of great importance in light of improving progress of our economy and still more important in context of our primary sector as it faces a host of challenges ahead. It will be instrumental in the development of an approach, to make best use of the contemporary breakthroughs in ICT, for an integrated development of the sector. With rapid structural changes happening in Agriculture, the focus is shifting from production to technological interventions, management of finance, capacity building, and marketing. Developing farm-level information systems to fulfill these needs is a major challenge, which calls for a paradigmatic shift in strategies.
Conference Key Topics
Policy paradigm in India
• Second green revolution
• ICT for well-informed decision-making in agriculture
• Who owns the productive lands and natural resources? Role of ICTs - land records, mapping, and conflict resolution, etc.
Agri-Marketing
• Agriculture marketing and ICT
• Accessing global markets through ICT
Agriculture Extension
• Transfer of technology - concept of knowledge systems (Local and Global)
• Development of ICT sector for agriculture and role of Public Private Partnership (PPP)
Agriculture Production
• Food security through ICT
• Precision farming - optimum use of available resources
Agri-Finance
• Agri-finance management with ICT
• Innovative Financial Products: Agriculture credit and insurance solutions with ICT
Agri-Education and Research
• Making ICTs usable & useful in context of Indian Agriculture
• Higher Education in agriculture - are they ICT ready?
Call for Papers
We invite you to participate actively in this event and send us relevant papers for presentation. Submit your abstracts online at www.eINDIA.net.in/eAgriculture/abstractonline.asp
Abstract submission: 25 May 2007
Abstract Acceptance: 6 June 2007
Full Paper Submission: 30 June 2007
Contact Details: Anaam Sharma, anaam@csdms.in or call at +91 9910597744
Centre for Science, Development and Media Studies (CSDMS), G-4, Sector - 39, Noida, Uttar Pradesh - 201301
Phones: +91-120-2502180-85 Fax: 91-120-2500060
www.eINDIA.net.in/eAgriculture
Industry perspective
Towards Trust, Security and Privacy in Voting Scytl e-Voting Solutions
http://www.scytl.com
“With the use of digital envelope, voter privacy is protected at all times. Every voter can individually verify that his/her vote has been properly counted by means of voting receipts. The voting receipt is designed in such a way that it does not allow coercion or vote-selling”, says Raymond Teo, Director of Sales for the Asia Pacific region, Scytl (raymond.teo@scytl.com), in an exclusive interview with egov magazine.
How is your company engaged in e-Government initiatives?
Scytl is a software company specialised in application-level cryptography and a worldwide leader in the development of secure e-Voting/e-Participation solutions. Scytl works closely with related Government agencies to provide e-Democracy solutions such as electronic voting and citizen consultation programmes.
Tell us something about your e-Voting solutions. In which countries have they been deployed?
Our company has developed Pnyx, a family of products that enable all kinds of electoral processes (elections, referendums, consultations, labour union elections, shareholders’ meetings, etc.) to be carried out by electronic means with the same level of trust, security and privacy that exist in conventional paper-based elections, and with the advantages that electronic systems can offer: accessibility, flexibility, cost and speed in the tallying of votes. With over 12 years of R&D experience in the field of electronic voting, Scytl has become a worldwide leader in the development of secure multi-channel e-Voting solutions with customers in Europe, Americas and Asia-Pacific that are leading references in the electronic voting industry. Our e-Voting solutions have been used in countries such as Spain, Switzerland, Finland, United Kingdom, Argentina, Mexico and Australia.
Based on the experiences from these countries, tell us briefly some of the success stories.
State of Victoria (Australia): Scytl, in partnership with HP, carried out the first e-Voting elections in the state of Victoria (Australia) during their parliamentary election in November 2006. In this election, blind and visually impaired voters could, for the first time, cast votes from electronic voting terminals with total privacy and without needing the assistance from third parties.
Canton of Neuchâtel (Switzerland): The Swiss Canton of Neuchâtel selected Scytl’s technology to enhance the security of its electronic voting system available at their e-Government portal (Guichet Sécurisé Unique). This platform is one of the only two permanent Internet voting platforms in the world for binding elections and consultations. The platform is used to carry from three to six citizen consultations and elections each year.
City of Madrid (Spain): In 2004, the City of Madrid chose Scytl’s secure multi-channel e-Voting platform to carry out ‘Madrid Participa’, one of largest eParticipation events in Europe. Over 136,000 citizens had the opportunity to vote on a number of political issues through a variety of voting channels ranging from polling stations equipped with electronic voting terminals to mobile devices. After this initial experience, the City of Madrid has continued using Scytl’s multi-channel e-Voting platform and, for example, it carried out 21 e-Consultations during 2006, involving nearly 3 million citizens.
The aim of the democratic nations is to ensure free and fair elections. How efficient and secure are the e-Voting solutions?
Scytl provides e-Voting solutions for all types of electoral processes with the same levels of trust, security and transparency that exist in conventional paper-based elections. Using split knowledge and asymmetric cryptography, the whole electoral process is controlled entirely by the Electoral Board and cannot be manipulated by system technicians. Digital signatures and other open cryptography protocols are used to ensure that only strongly authenticated voters are allowed to participate in the voting process. With the use of digital envelope, voter privacy is protected at all times. Every voter can individually verify that his/her vote has been properly counted by means of voting receipts. The voting receipt is designed in such a way that it does not allow coercion or vote-selling. The solution ensures full integrity of election results, preventing the modification and deletion of votes, and the addition of bogus votes, and secrecy of partial results is guaranteed.
Tell us about your penetration in the Asian market and what are some of your future plans for developing countries especially in South Asia and Africa.
The rapid increase in implementation of electronic voting in Western Europe and United States is closely watched by the rest of the world. Scytl’s e-Voting technology is designed to be highly secure and scalable to achieve economies of scale. With a flexible deployment and procurement model, the cost barrier of implementing e-Voting in developed countries is low. The important benefits provided by e-Voting at no additional cost to the government are likely to attract more deployment in South Asia and Africa. We opened an office in Singapore for the Asia-Pacific region a few months ago and we have already closed contracts in the Philippines and Australia.
How do you think private partners can add value to e-Government?
In recent years, there is a rise of “Public Private Partnership” (PPP) programme worldwide for e-Government projects. This clearly indicates that there is an interest in collaboration between government and private business at a deeper level. Private partners can definitely bring value to e-Government projects as they have important takeaways from other similar project experiences.
What do you think will be the big issues in e-Governance in the next five years?
There are many e-Governance initiatives that are on-going such as government-government, government-citizen services. However, many are silo services which are not interoperable. The next five years could see development in establishing a common identity and protocol for delivering e-Government services.
Protection from Spyware: Technical Notes by CPNI
The Centre for the Protection of National Infrastructure (CPNI, http://www.cpni.gov.uk/), United Kingdom (UK), provides integrated (combining information, personnel and physical) security advice to the businesses and organisations which make up the national infrastructure and are crucial to the continued delivery of essential services to the UK. It provides Technical Notes, which are designed to offer practical advice on dealing with topical issues and are aimed at information security professionals.
What is Spyware?
Spyware is malicious software: it does things which are not desired or authorised by the owner of the computer on which it is running, or by the custodian of the information on that computer. It enters a computer when the user clicks on some part of a web page they are looking at, or installs some apparently useful item of software without full understanding of its capabilities. Once a machine has spyware running on it, control of that machine and the information on it has effectively passed to the attacker.
How to Mitigate it?
Prepare: Preparation goes far beyond the purely technical. In order to maximise the benefit of any security measures it is essential to have the buy-in of all participants, from senior managers to temporary system users.
Detect: Early detection of a spyware infestation is highly desirable, both to highlight failures in the preceding Preparation stage, and to allow subsequent Containment and Eradication stages to be efficiently targeted.
Contain: Containment centres on both incident-specific efforts and networked system design measures which work together to limit the impact of a spyware infection. It includes measures to limit the ability of spyware to propagate, to download further functionality from the Internet, and to limit its access to sensitive information and/or its ability to modify configuration settings.
Eradicate: Eradication measures remove the malicious software. Eradication measures may be specific and ‘surgical’, appropriate when there is one specific infection for which an effective removal procedure is available; or they may be ‘broad-spectrum’, concentrating on returning the affected systems to a ‘known good’ state.
Recover: While eradication deals with the immediate removal of the spyware, recovery is a process over a less frantic timescale which aims to more precisely characterise the harm done to the organisation’s information assets by the infection. In the case of spyware, this includes an assessment of the probable information losses, and dealing with the consequences.
Follow-up: This final stage feeds back to the first stage of Prevention, to improve the robustness of the information system against similar threats in the future.
For detailed information read the report online at http://www.cpni.gov.uk/docs/re-20060601-00384.pdf
event diary
Exploring New Vistas in IT Conference Report
A two-day National Conference on “Emerging Technologies and Trends in IT” was organised by the Institute of Technology and Science (ITS), Ghaziabad on 6th & 7th April, 2007 at Jacaranda Hall, India Habitat Center, New Delhi. The objective of the conference was to bring together researchers and practitioners for sharing and exploring new vistas of research and developments in Information Technology (IT).
The inaugural session started with a brief overview of the conference by Prof Abhay Bansal, the Convener of the conference. In his welcome address, Prof. Shekhar Ghose, Director General, ITS said that the conference aims at providing an opportunity of retrospection and forecasting IT and its applications for growth and success of IT and mankind. He was of the view that IT has reduced distance between people and has helped provide knowledge to the deprived. Dr P V Indiresan, Padma Bhushan and Former Director, Indian Institute of Technology, Madras (Chennai, India) was the Chief Guest. In his inaugural address, he stressed the need for adventure of ideas and its experimentation. He stressed the need for innovative thinking to develop and open new vistas of technology applications. Dr Y S Rajan, Principal Advisor, Confederation of Indian Industries (CII), was the Guest of Honour and Keynote Speaker. In his deliberations, Dr Y S Rajan presented a brief history of technology development in India, the post-1991 scenario in IT and various social and economic challenges faced by India. He was of the opinion that IT may be helpful in reducing rural poverty by integrating villages with global markets.
The inaugural session was followed by the power panel discussion on “Impact of IT on Society”. K. Subramanian said that IT has removed the barriers that impede development. He stressed the need to create robust infrastructures for good health & hygiene, diffusion of old innovations and human skills. Md. Shahabuddin mentioned that the significant impact of the IT industry is that any one job in IT creates four new jobs in other supporting areas. S K Gupta said that IT might be useful to the common man through Database & Communication. Chetan Sharma stated that there is no sector where IT cannot be applied. IT may be very useful in solving social problems like poverty alleviation, employment generation and empowerment of the weaker sections of society.
The power panel discussion was followed by five different sessions, namely IT-Applications, Challenges & Remedies in Computer Networks, Solutions to Complex Problems using Algorithm, Data Base Technologies, and Trends in Software Engineering. The conference covering various new aspects in the field of IT and from different parts of the country. In the Valedictory Session, the Chief Guest K. K. Bhardwaj, Managing Director, Vidyatech Solutions Pvt. Ltd. called for Indians to be technopreneurs rather than technocrats. Finally, Dr V B Dhawan, Director-IT, ITS concluded the conference and proposed a vote of thanks.
whats on
8 - 10 May 2007 International Conference on Security of Information and Networks North Cyprus, Turkey
23 July 2007 The first International Workshop on Web Mining for E-commerce and E-services Tokyo, Japan
www.sinconf.org/
http://www-users.cs.york.ac.uk/~derrick/WMEE2007
9 - 12 May 2007 4th International Conference on Informatics in Control, Automation and Robotics Angers, France www.icinco.org/
3 - 5 August 2007 12 - 14 June 2007 Knowledge Process Outsourcing and Offshoring 2007 Raffles City Convention Centre, Singapore
15-17 May 2007 2nd Annual WiMAX Asia Shangri-la Hotel, Singapore
http://www.terrapinn.com/2007/kpo_SG
http://www.wimax-vision.com/newt/l/wimaxvision/asia
14 - 15 June 2007
26-30 May 2007 13th GCC eGovernments and eServices Forum Dubai, United Arab Emirates http://www.datamatixgroup.com/conferences/agenda.asp?id=306
30-1 May 2007
The Third Annual Government Health IT Conference and Exhibition Washington, DC, U.S.A. http://www.e-gov.com/EventOverview.aspx?Event=GHIT07&NoCache=633131329273813516
21 - 22 June 2007
European Forum on Electronic Signature 2007 Miedzyzdroje, Poland http://www.efpe.eu
29 - 31 May 2007 The Asia Pacific E-Gov Forum 2007 Kuala Lumpur, Malaysia
ECEG 2007: 7th European Conference on eGovernment The Hague, The Netherlands www.academic.conferences.org/eceg/eceg2007/eceg07home.htm
EEE ‘07 - The 2007 International Conference on e-Learning, e-Business, Enterprise Information Systems, and e-Government Nevada, USA www.world-academy-of-science.org/worldcomp07/ws/EEE07
8 - 11 July 2007 11th World Multi-Conference on Systemics, Cybernetics and Informatics Florida, USA www.mait.com/newsletters/news183-MAIT%20Events%20Guide%2023.pdf
7th International Conference on Web Engineering Como, Italy http://icwe.como.polimi.it/index.php?option=com_frontpage&Itemid=1
22 - 25 July 2007
www.icsoft.org/index.htm
Near Field Communications World Australia 2007 Sydney, Australia
Hotel Taj Palace, New Delhi , India www.eIndia.net.in
http://www.terrapinn.com/2007/nfc_au
3 - 7 September 2007 The International Conference of the EGOV Society Regensburg, Germany http://www.egov-society.org
18 - 19 September 2007 Global Biometrics Summit 2007 Brussels, Belgium
19 September 2007 World e-ID 2007 Sophia Antipolis, France www.strategiestm.com/conferences/we-id/07/index.htm
09 October 2007 eGovINTEROP’07 - eGovernment Interoperability Campus 2007 Paris, France http://www.egovinterop.net/SHWebClass.ASP?WCI=ShowDoc&DocID=2736&LangID=1
24 October 2007 http://www.echallenges.org/e2007/
09 November 2007 2nd Annual Data Protection Practical Compliance Conference Dublin, Ireland
27 - 29 November 2007 WIMAX Eastern Europe Eastern Europe
17 - 20 December 2007 4th International Conference on Distributed Computing and Internet Technology Bangalore, India http://www.kiit.org/icdcit2007
23 - 25 July 2007 2nd International Working Conference on Evaluation of Novel Approaches to Software Engineering Barcelona, Spain www.enase.org/index.htm
http://www.terrapinn.com/2007/gtw_nz
http://www.wimax-vision.com/newt/l/wimaxvision/
23 - 25 July 2007
31 July - 03 August 2007
Government Technology World New Zealand 2007 Wellington, New Zealand
http://www.pdp.ie/
2nd International Conference on Software and Data Technologies Barcelona, Spain
20 - 22 August 2007
Challenges e-2007 Conference and Exhibition The Hague, The Netherlands
16 - 20 July 2007
India's Premier ICT4D event
www.pes.edu/mcnc/icemc2/index.html
www.biometricssummit.com
25 - 28 June 2007
http://cto.int/index.php?dir=02&sd=12&id=165&back=index.php%3Fdir%3D02%26sd%3D10
2nd International Conference on Embedded Systems, Mobile Communication and Computing Bangalore, India
28 - 30 December 2007 Fifth International Conference on e-Governance Hyderabad, India http://www.iceg.net/2007
From now on, I'll connect... my own way
INDIA 2007
Discuss your stories at mServe India 2007 held along with eINDIA 2007 at Hotel Taj Palace from July 31 till August 3, 2007. Log on to www.eINDIA.net.in/mserve
INDIA 2007
31 July - 03 August, Hotel Taj Palace, New Delhi
Call for Papers

Introduction
The egov INDIA 2007 Conference Series being organised as part of eIndia event intends to assess the National eGovernance Plan (NeGP) implementation. The plan launched by the Ministry of Communications and Information Technology is a comprehensive programme designed to leverage the capabilities of ICT to promote good governance across the country. egov INDIA 2007 aims to discuss in detail about the progress on NeGP, success stories, failures, statewise progress and learning from the states which are far ahead in implementing the Mission Mode Projects (MMPs). The annual conference will bring together policymakers, practitioners, industry leaders and academicians from India, South Asia and beyond, to forge the path to good governance for citizens and businesses in India, ensuring exchange of information & knowledge.

Structure of the Conference & Key Topics
e-Government Implementation in key sectors in MMPs will be discussed and deliberated upon from 3 different angles: G2G, G2B and G2C. These sectors include:
• Citizen Centric Services
• Land Records
• Income tax/Commercial tax
• Passport department
• Municipal e-Government
• Postal department
• Police departments
• Registration services
• Transport
• Treasuries automation
• National ID Card
The implementation process, successes, failures, key issues and future plans will be discussed through panel discussions, workshops and presentations of case studies and best practices. The conference will also cover wide range of topics, such as:
• e-Democracy and Citizen Participation
• e-Government Design and Architecture Framework
• e-Procurement
• e-Administration
• Interoperability and Standards, Semantic and Technical Interoperability
• International and Regional Projects Case Studies and Best Practices
• Trust and Security: Provisions and Instruments
• Emerging Technologies in e-Government - Mobile and Wireless Technologies, RFID and Smart Cards
• And more...

Individuals working in central/state government departments, national/international government agencies, bi-lateral/multilateral organisations, research and academic institutes, development organisations and NGOs and IT/Telecom companies involved with e-Government and/or public sector ICT projects, technology development, policy research, implementation etc. are encouraged to submit abstracts of original papers for presentation in the conference. The abstract should summarise and indicate the key research/points to be further presented and discussed in the session. After evaluation of abstracts, selected authors would be asked to send full paper.

Submit your abstract at www.eINDIA.net.in/egov/abstractonline.asp

Important Dates:
Abstract Submission : 25 May 2007
Abstract Acceptance : 06 June 2007
Full Paper Submission : 30 June 2007

For more information contact: Prachi Shirur (Mob. +91-9312907675, email: prachi@csdms.in)

Contact Details
eINDIA 2007 Secretariat
Centre for Science, Development and Media Studies (CSDMS)
G-4, Sector 39, Noida, India - 201301
Tel. : +91-120-2502181- 87, Fax: +91-120-2500060
www.eINDIA.net.in/egov