Department of Information Technology, Ministry of Communications and Information Technology, Government of India
Overview and Scope
The aim of the project is to develop standardized and validated processes and methodologies for intranet, internet and extranet security, which will enable organizations to venture into e-business, e-governance, distance learning, etc., using web technology without compromising the confidentiality, integrity and availability of the resources of the organization and its customers / users, including customization guidelines to reduce time-to-market.
The scope of work includes the development of the following:
1. A Security Requirement Specification Language
2. Guidelines for formulation of Security Policies
3. Advisory system for Security Infrastructure Implementation
4. Security Validation Techniques
5. A Laboratory set-up for Testing Security of Web-based systems
The primary objective of the project was to develop the idea of a systematic design and management process for the information system security of web-based enterprises. The team has put forward the idea of a Security Engineering Life-cycle comprising the following phases:
This is required to ensure that enterprise security is survivable in the face of relatively frequent changes in the organization, the infrastructure, and the vulnerability and threat scenarios.
The project work resulted in the following theoretical developments:
1. Security Requirement Analysis Methodology
2. An XML-based Language to express the Requirement Specification
3. Security Risk Analysis Methodology
4. Identification of Baseline and Detailed Policies, Guidelines and Procedures
5. Methodology to generate infrastructure advisory
6. Methodology to generate the compliance test cases from the Requirement Specification
A major strength of the concepts developed is that all of them have been correlated with the ISO 17799 Standard on Best Practices for Information Security Management Systems.
The complexity and large volume of security-related data, even for medium-sized enterprises, led the team to develop a suite of tools for partial automation of the security design and management activities of enterprises, based on the concepts developed and on the ISO standard. The suite consists of the following tools:
1. A security requirement analysis tool
2. A security policy formulation tool
3. A security infrastructure advisory generation tool
4. An automatic test case generation and penetration testing tool
Publication
Conferences, Workshops, and Seminars:
1. Sengupta, A., GhoshDastidar, K., Roy, J., Barik, M.S., and Mazumdar, C., “ESRML: A Markup Language for Enterprise Security Requirement Specification”, in Proceedings of IEEE INDICON 2004, held at IIT Kharagpur, December 20-22, 2004.
Journals:
1. Sengupta, A., Mazumdar, C. and Barik, M.S., “e-Commerce security – A life cycle approach”, in Sadhana, Journal of the Indian Academy of Sciences, Bangalore, India, Vol. 30, Parts 2 & 3, April/June 2005, pp. 119-140. (http://www.ias.ac.in/sadhana/)
Contact Us
Prof. Chandan Mazumdar
Center for Distributed Computing, Department of Computer Science & Engineering, Jadavpur University, Kolkata - 700032, India
Tel: +91 33 24146209
Fax: +91 3 24133599
Email: chandan.mazumdar@gmail.com