Australia Germany India Singapore UAE UK USA Building India the Destination for Secure Software: A Standards Driven Framework By Dr. Prem Chand Vice President Mahindra British Telecom 09 Sep 04


Page 1: Australia  Germany  India  Singapore  UAE  UK  USA  Building India the Destination…

Australia Germany India Singapore UAE UK USA

Building India the Destination for Secure Software: A Standards Driven Framework

By

Dr. Prem Chand

Vice President

Mahindra British Telecom

09 Sep 04

Page 2: Australia  Germany  India  Singapore  UAE  UK  USA  Building India the Destination…

Agenda

Industry Expectations of Industry

Developing Security Engineering Expertise

Security in Business Collaboration

Provider of the Security Services

Suggested National Initiatives

Page 3: Australia  Germany  India  Singapore  UAE  UK  USA  Building India the Destination…

Recent security incidents, homeland security reports and industry initiatives indicate an unprecedented demand for security in software

Secure software is no longer an option; it is a demand of every customer

India, through its strategic investments in quality, is recognized as a destination for the development of quality software

This leadership position will be lost if we do not make similar forays into security.

Somebody will answer this demand for secure software

WHO WILL THIS BE? USA, EUROPE, CHINA, RUSSIA, KOREA OR INDIA? CAN WE CREATE AND RIDE ANOTHER WAVE BY BUILDING INDIA THE DESTINATION FOR SECURE SOFTWARE?

Background

Page 4: Australia  Germany  India  Singapore  UAE  UK  USA  Building India the Destination…

Defense
• Facilities
• Command & Control Warfare
• Information Warfare
• Hardened Information Sites
• Force Formations
• Infrastructure Supporting Armed Forces

National Core Infrastructure Water Telecommunications Transport Governance Electric Power Space Ports

Economic, Social & Political
• Environment
• Crime / Law Enforcement
• Healthcare
• Safety/Protection
• Society / Culture
• Economy / Finance / Banking
• Political / Diplomatic
• Education
• Research, Design and Development

Major Commodities
• Energy
• Food
• Chemicals
• Raw materials
• Irreplaceable components
• Human Resource
• Mines

Industry
• Steel
• Military Hardware
• Heavy Engineering Machinery
• Electronics
• Computers
• Software
• Information (content, IPR)
• Consumer durables
• Insurance
• Automotive

Intangible Networks
• Perceptions
• Public confidence
• Entertainment
• Media
• Legal Framework
• Privacy
• Trust in Institutions

Target Security Market Foot Print For Software Industry

NETWORKED GLOBAL INFRASTRUCTURES

Page 5: Australia  Germany  India  Singapore  UAE  UK  USA  Building India the Destination…

Business Collaboration Security Secure Outsourcing Destination Secure ODC Operations Security Concerns of Large Business Operations

Provider of the Business Security Services Destination for Secure Software Development

Security Expectations of the Global Industry

Page 6: Australia  Germany  India  Singapore  UAE  UK  USA  Building India the Destination…

Security in Business Collaboration: Secure Outsourcing Destination & Secure ODC Operations

Page 7: Australia  Germany  India  Singapore  UAE  UK  USA  Building India the Destination…

Security of the Global Business Foot Print

Business Continuity

Do you have the resources to deal with the financial impact of emergency situations?

Have you identified potential business disruptions? What would a day of downtime cost you?

Infrastructure

Are you prepared to deal with security breaches?

Are you aware of potential liability for customer system disruptions?

Identification

Can you positively identify and control access to your facilities, systems and borders?

Can permissions be changed in real-time?

Collaboration

Are you able to securely exchange information with others?

Do you easily comply with industry standards?

Do you understand your liability for security breaches?

Privacy

Can you protect the confidential data of your employees or constituents?

Are you familiar with legislation that requires safeguarding of customers' personal data?

Page 8: Australia  Germany  India  Singapore  UAE  UK  USA  Building India the Destination…

Off-shoring/ ODC/ Developmental Concerns

Managed Security Service

Resources to deal with the impact of emergency situations.

Identified potential business disruptions.

IPR Protection & Digital Rights Management

Tracking Code & Team Personnel, Digital Signing, Logical Separation & Physical Separation of Sensitive Data & Code

Project Level Security Management

Positive identification and controlled access to facilities, systems and borders.

Permissions and access rules can be changed in real-time.

Security Code Review

Review & Testing of Software at Source Code/Binary

Data Protection/Privacy

Can protect the confidential data of employees or constituents.

Familiar with legislation that requires safeguarding of customers' personal data.

ODC Secure Operations

Logical and physical separation of individual projects.

Page 9: Australia  Germany  India  Singapore  UAE  UK  USA  Building India the Destination…

Security of the Day to Day Business Operations

Security Operations

Patch Management, Malicious Code Management, Secure Builds, Configuration Management, Log Analysis

Vulnerability Assessment

Asset Classification, Penetration Testing, Network Security Review, Risk Assessment, Risk Treatment

Identification, Authentication, Access Control

Single Sign On Solutions, Smart Cards, Biometrics, Digital Certificates

SAP/CRM/Application Security Review & Audit

Role Based Controls Definition, SAP Hardening/Internal Controls Review, Assessment & Audit, BASIS Review, SAS 70 Controls Audit

Business Continuity Planning

Contingency Planning, Disaster Planning, Recovery Planning

Information Security Management System/ISO 17799

Risk Assessment, Security Policy Development, Security Improvement Plan Implementation, Security Training

Page 10: Australia  Germany  India  Singapore  UAE  UK  USA  Building India the Destination…

Access

Code

Secure Development Outsourcing - Risk Mitigation

Establish a centralized Security Program Office to manage secure development outsourcing and risk mitigation. This ensures that security policies and processes are created and implemented consistently across the entire environment and can be applied to all offshore partners.

Offshore Development Environment

Establish a trusted partner status

Rigorous BCP/DR

Onsite Production Environment

Throw a cordon around production systems

Code Security – Storage, transmission, development

Page 11: Australia  Germany  India  Singapore  UAE  UK  USA  Building India the Destination…

Robust IT Infrastructure

Comprehensive BCP

ERP controls and assurance for internal applications

Customer Facing Security Strategies

Content Monitoring System for e-mail security (CMS)

Code Access & Authorization System for Projects

Centralized Managed Security Service and Incident Response System

IPR Protection and Digital Rights Management System

Org. wide Single Sign-on

Additional Features

End to End Infrastructure Security

Page 12: Australia  Germany  India  Singapore  UAE  UK  USA  Building India the Destination…

Systems Availability

Support Security Compliance and Monitoring

Security Policy

Security Technology Management

Exploitation Management

Vulnerability Management

Attack Response

Leveraged Technology

Managed Vulnerabilities

Threat Updates

Attack Signature Updates

Training & Awareness

Firewalls

Intrusion Detection

Monitoring Systems

Host Scanners

Technology Configuration

Technology Trends

Technology Updates

Fault Reporting

Security Policy

Security Mission

Page 13: Australia  Germany  India  Singapore  UAE  UK  USA  Building India the Destination…

Securing Customer Data - Layers of Security

Base Infrastructure and Information security

Project teams

Secure physical access

Secure network access

Secure logical access

Customer information, design, code

Regular backups: onsite and offshore

Dedicated project servers with access control

Secure access to remote servers using authentication

Dedicated and redundant links/routes

Firewalls at all access points

Central monitoring for virus protection and intrusion detection

Security awareness training

NDA & IPR agreements

Secure data centers

Secure project environment

Secure development facility

Page 14: Australia  Germany  India  Singapore  UAE  UK  USA  Building India the Destination…

Project Specific BCP & DRP

BCP & DRP for a PROJECT

Ownership

Preparation & Testing

Review

Corporate Head

Project Manager

Corporate Head

Facilitators – MBT Security

Page 15: Australia  Germany  India  Singapore  UAE  UK  USA  Building India the Destination…

User Provisioning & Deprovisioning

Authentication - Use of Secure ID tokens

Confidentiality agreement by MBT-Project team

Secure logon procedures

Project Data Classification & secure handling

Secure Areas: Separate Controlled Environment

Desktop & Laptop Security

Network Security

Protection of system test data

Business Continuity Planning

Compliance

Secure Project Environment

Page 16: Australia  Germany  India  Singapore  UAE  UK  USA  Building India the Destination…

BS 7799 Based ISMS Implementation & Certification

Implementation of the ISMS framework according to BS 7799

Security Policies, Procedures, Guidance, Controls, Compliance and Monitoring are as per the BS 7799/ISO 17799 standard.

Certification Plan

Certification Audit every quarter

Page 17: Australia  Germany  India  Singapore  UAE  UK  USA  Building India the Destination…

Provider of the Security Services: Develop/Adapt Standards Based Security Services Framework Across Software Industry

Page 18: Australia  Germany  India  Singapore  UAE  UK  USA  Building India the Destination…

Security Framework Standards for IT Infrastructure

Legal & Regulatory Environment (Banking Act, Evidence Act, Electronic Transactions Act, Computer Misuse Act)

Availability

Accountability

Non-Repudiation

Integrity

Confidentiality

Authorization

Authentication

Processes & Methods

Security Services

Architecture & Mechanism

Best Practices (Security Organisation, Physical Security, Personnel Security, Operational Security)

Security Policy (Business & Organisation Rules)

Security Infrastructure

Network Security

Security Techniques

Security APIs

Security Tokens

Risk Assessment

Security Monitoring & Incident Management

Business Continuity & DRP

Security Assurance & Accreditation

Page 19: Australia  Germany  India  Singapore  UAE  UK  USA  Building India the Destination…

Shared Data

Assurance / Billing / Fulfillment

EXTENDED SECURITY FRAMEWORK

Software System

Message Based Security CIA

• Centralized & Policy Driven - Authentication - Privileges - User Data

OSS B2B G/W Internal Enterprise Mgmt, CORP, ERP

IP NW PSTN Wireless

Router Switches Servers

Backbone N/W

Data center, Exchange Building, Offices

Application Security

Network Security

Physical Security

SECURITY MGMT & OPS

Information

Business Process

Network

Physical Infrastructure

Security Architecture for Secure Operations

Application

Page 20: Australia  Germany  India  Singapore  UAE  UK  USA  Building India the Destination…

Access Control

• I & A
• Authorisation
• Decision
• Empowerment

• Assigning
• Binding
• Representing

• Communicating & Authenticating
• User to host
• Peer to Peer
• Third Party

Confidentiality
• Security Enabled Appl.
• Secure Peripherals
• Operating Systems
• Secure FTP
• Security Protocols (IPSec, SSL)

• Location of data
• Type of data
• Amount/Parts of data
• Value of data

• Data Protection
• Data Separation
• Traffic Flow
• Frequency Hopping

Availability
• H/W Resources
• Software Resources

• Quality of Service
• Throughput

• Protection from Attack
• Protection from unauthorised use
• Resistance to routine failure

Integrity

• Single Data Unit• Stream of Data

Mapping Security Needs of Software Elements

• With proof of origin• With proof of delivery• Auditing Services

Non-Repudiation

Enhanced Telecom

Operations

Shared Info / Data Model

Contracts / Interfaces

Technology Neutral Architecture

Compliance

Software System Core Elements

Page 21: Australia  Germany  India  Singapore  UAE  UK  USA  Building India the Destination…

Relate Security Goals, Services & the Technology

Identification Authentication Authorization / Access Administer Audit

Technology

Goals

Services

Smart Cards

Card Readers

Biometrics

Tokens

User IDs

X.509 Certificates

PKI

DCE / Kerberos

X.509 Certificates

Firewalls

Remote Access

Cryptography

Security Domains

Access Control Administration

Certificate Authority

Sign-on

Audit Tools

Monitor/Filter

Network Integrity

Intrusion Detection

Virus Protection

Confidentiality

Access

Integrity

Non-Repudiation

Availability

Page 22: Australia  Germany  India  Singapore  UAE  UK  USA  Building India the Destination…

IT Environment

People Process Technology

Security Management Requirements

• Policy
• Certification & Accreditation
• Key Management
• Access control and management
• Readiness Assessment
• Security management
• Recovery & Reconstruction

• Policies & Procedures
• Security Administration
• Physical Security
• Personnel Security
• Monitoring
• Training/Awareness

• IA Architecture
• IA Criteria (Security, Interoperability with PKI)
• Evaluated Products
• Risk Assessment

Statutory Regulations, Technological Developments & Management Expectations

Secure Infrastructure & Network

Secure Data & Operations

Security Management

Support Infrastructure

IE Environment

Page 23: Australia  Germany  India  Singapore  UAE  UK  USA  Building India the Destination…

Initiation, Design / Develop, Test / Implement, Maintain, Dispose

ISO 15408/CC: Evaluate the products to EAL 2

ISO 17799: Build secure operations/Audits

NIST TR 13339: Build credible metrics

IATF v3.1: Build robust risk model

ISO 13335 (FRITSA): IT Assurance

ISO 21827/SSE-CMM: Enable security throughout the life cycle and ensure that it is applied across products. Appraisal at SSE-CMM Level 3

Complementary

SDLC

SSE-CMM and CC & ISO 17799

Standards Based Security & Assurance Framework

Page 24: Australia  Germany  India  Singapore  UAE  UK  USA  Building India the Destination…

Supporting Standards

Architecture & Framework for Security Management
• ISO 10181: OSI Security Framework
• ISO TR 13335: IT Security Management
• ISO 17799: Code of Practice & Specification for ISMS
• SS 493: IT Security Framework
• SSEM/DoD: System Security Engineering Mode
• ISO 21827: Security Maturity Model

Development & Implementation Technologies/Mechanisms
• Application Protocols: SSL, S-HTTP
• Authentication: Kerberos, RADIUS, SAML
• Cryptography: RSA, DSA, ECC, DES, AES, SHA-1
• Messaging: S/MIME, PEM, XMLDSIG, XMLENC
• Application Security: CORBA, WS
• Directory Authentication: ITU-T X.509

Page 25: Australia  Germany  India  Singapore  UAE  UK  USA  Building India the Destination…

Security - Adapt Standards ( Contd.)

Methodology Standards
• AS/NZS 4360: Risk Management
• OCTAVE: Critical Threat, Asset, and Vulnerability Evaluation
• OSTMM v2: Penetration Testing
• ISO 15408: Evaluation criteria for IT Security
• FIPS PUB 140-2: Cryptographic Modules
• SP 800-55: Security Metrics

Training & Competencies
• CISSP, SSCP
• CISA, CISM

Financial Services
• COBIT
• ANSI x.9

Page 26: Australia  Germany  India  Singapore  UAE  UK  USA  Building India the Destination…

Industry Leadership Goals

Enhance Software Security Across all Verticals

Meet all requirements for Unique, High Assurance Solutions

Promote Security Across all Business Verticals

Champion Information Security for the Software Industry

Forge Innovative Customer Driven Security

Forge PoC’s & CoE’s for Software Security across Industry

Page 27: Australia  Germany  India  Singapore  UAE  UK  USA  Building India the Destination…

Leadership & Technical Support Areas

Secure Operations

Awareness & Education

Clearing House

Certification & Accreditation

Product Evaluation

Security Engineering

Design Guidance

Architectural Definition

Requirement Assessment

Architectural Definition

Page 28: Australia  Germany  India  Singapore  UAE  UK  USA  Building India the Destination…

Test Security in Each Layer

ISO 17799, COBIT, ISO TR 13335

OSTMM v 2, ISO 21827, ISO 10181

ISO 15408

Secure System (Network, Operations & Management)

Secure Installation (Network, Infrastructure, Application S/w, Database)

S/w & H/w components

Systems

Installations

Components

Page 29: Australia  Germany  India  Singapore  UAE  UK  USA  Building India the Destination…

Electronic Transactions Systems Testing

Secure Document Management Services

Licensed Evaluation Facility (NGOSS Components)

Security Validation (Network, Operations)

Inter-operability Testing Common Criteria Testing

Basic Security Integration & Testing Framework

Security Policy & Business Process Integration

Product 1 Product 2 Service 1 Product x

Focus on Testing & Evaluation Framework

Page 30: Australia  Germany  India  Singapore  UAE  UK  USA  Building India the Destination…

Security Leadership Focus: Nasscom

Provide leadership in security products, and services necessary to enable software industry to protect sensitive information in information systems in consonance with laws and national security policies

Provide technical support to the software industry's efforts to incorporate information systems security into the software (Networks, Infrastructure, Interfaces, Operations, Management)

Page 31: Australia  Germany  India  Singapore  UAE  UK  USA  Building India the Destination…

Support customer’s risk management processes by providing information needed to make informed trade-offs between systems’ security, risk, cost, schedule, and mission requirements

Support certification and accreditation

Provide support for future efforts in security design guidance, inject security into early design phases of software and adapt commercial secure products

Security Leadership Focus: Contd…

Page 32: Australia  Germany  India  Singapore  UAE  UK  USA  Building India the Destination…

Promote Security Services Across the Software Industry

• System Security Assessments
• Information System Security Education, Training and Awareness
• Security Engineering and Consulting
• Product Evaluation
• Clearinghouse for Security Technical Information
• Security Infrastructure

Make recommendations regarding the technical and economic feasibility of security features which should be used (or are planned to be used) to mitigate, minimize or transfer risks in the software environment

Security Leadership Focus: Contd…

Page 33: Australia  Germany  India  Singapore  UAE  UK  USA  Building India the Destination…

Develop Comprehensive Security Services Portfolio

Typical Security Service Offerings

Enterprise Security Consulting

Security Technology Solutions

Security Engineering Practice

Application Security

ISMS

BCP

Secure Network Architecture

Managed Security Services

Secure Automation Solutions

Professional Services Organization

Digital Rights Management

Penetration Testing

Security Code Audit

SSE-CMM Consultancy

Enterprise Business Assurance Services

Page 34: Australia  Germany  India  Singapore  UAE  UK  USA  Building India the Destination…

Destination for Secure Software Development: Develop Standards Driven Security Engineering Framework

Page 35: Australia  Germany  India  Singapore  UAE  UK  USA  Building India the Destination…

Security Engineering Pervasiveness

Classic INFOSEC Techniques

Major System Solution Roles

Life Cycle Phases

Major Engineering Disciplines

Security Engineering

Enterprise Modeling

Systems Engineering

Software Engineering

Hardware Engineering

Test Engineering

Buyer/User

Accrediting Authority

Certifier

Evaluator

Developer

Acquisition

Development

Integration

Operation

Maintenance

COMPUSEC

COMSEC

INFOSEC

Information Security

OPSEC

Page 36: Australia  Germany  India  Singapore  UAE  UK  USA  Building India the Destination…

Design / Development Integration Deployment Operation

E.g. Product Evaluation Assurance, Development Assurance

E.g. Assessment, Certification Assurance, Testing Assurance

E.g. System Accreditation Assurance

E.g. Security Management Assurance

Lifecycle Approach to Security- Step

Page 37: Australia  Germany  India  Singapore  UAE  UK  USA  Building India the Destination…

Process

Deliverable (Product, System, or Service)

Environment (Personnel & Organization)

Design / Development

Integration Deployment Operation

Assurance Approach

Assurance Stages

Assurance Method C

Assurance Method A

Assurance Method B

Assurance Method D

Assurance Method E

Assurance Method F

Assurance Method G

Assurance Method H

Page 38: Australia  Germany  India  Singapore  UAE  UK  USA  Building India the Destination…

Applying Systems Security Engineering to NGOSS

“The systems security engineering process is the process of discovering stakeholders’, customers’ and users’ information protection needs and then designing and making information systems, with economy and elegance, so they can safely resist the forces to which they may be subjected.” [IATF 3.1]

System Engineering

Assess Effectiveness

Implement System

Develop Detailed Design

Design System Architecture

Define System Requirements

Discover Needs

Systems Security Engineering

Assess Information Protection Effectiveness

Implement System Security

Develop Detailed Security Design

Design System Security Architecture

Define System Security Requirements

Discover Information Protection Needs

Page 39: Australia  Germany  India  Singapore  UAE  UK  USA  Building India the Destination…

Methodology for Security Requirement Assessment

Information Management Model [IMM]

Revised IMM

Mission / Business Functions

Structured Analysis of Information

Applying Least Privilege Concept

Threat Analysis

Information Protection Policy [IPP]

Preparing Information Protection Policy (IPP (PP, ST))

Protection Need Elicitation

Page 40: Australia  Germany  India  Singapore  UAE  UK  USA  Building India the Destination…

Security Engineering: Process Maturity Dimension

Level 1: Performed Informally

Level 2: Planned & Tracked

Level 3: Well Defined

Level 4: Quantitatively Controlled

Level 5: Continuously Improving

SSE-CMM Based Process Maturity Levels

Environment’s Security Guidelines & Process Creation

Assurance

Assurance Processes

Security Model of the NGOSS

Risk Proc.

Organisation's Security Processes

Authentication

Engineering Processes

TMF can leverage SSE-CMM to

• Assist in defining the desired process maturity levels for the identified areas

• Work out the process improvement plans right from the design phase and put in place a process monitoring and control framework

• Help to evaluate service providers using SSAM appraisals

Classification of Process Areas

Page 41: Australia  Germany  India  Singapore  UAE  UK  USA  Building India the Destination…

Value Addition to SOFTWARE Program

SOFTWARE COMPONENTS

Adopting Security Engineering

Improved process maturity

Improved Risk Mitigation

Better Assurance Evidence

Facilitate Evaluation against Common Criteria

Page 42: Australia  Germany  India  Singapore  UAE  UK  USA  Building India the Destination…

Requirement Capture

Design / Development Delivery

Secure Software Development Lifecycle

Business Requirements

Functional Requirements

Coding Testing

Guiding Principles of Software Security

Secure Coding Practices

Security Tests w.r.t. CEM

Security Functional Requirements

Security Risk Management

Security Assurance Requirements

Security Risk Management

Page 43: Australia  Germany  India  Singapore  UAE  UK  USA  Building India the Destination…

Tool Driven Development Framework

Secure Software

Development Tools

User Inputs

Security Requirement Specifications

MS Visio

Development Environment

Secure Coding practices

Use Case Diagrams Implementing Security

Class Diagrams Implementing Security

Sequence Diagrams Implementing Security

Guidelines for Secure Coding Practices in .NET

Queries to the User

Assurance Guidelines

Generating a CM Plan

Assurance Guidelines

Secure Delivery

Operations

Life Cycle Support Guidelines

Design Phase (to be generated manually)

Development Phase

Delivery Phase

Requirement Capture Phase Visual Studio.NET

Practices to be followed for Assurance measures

Page 44: Australia  Germany  India  Singapore  UAE  UK  USA  Building India the Destination…

Software Security Framework Goals

• Build software security upfront; avoid bolting it on as an afterthought
• Build end-to-end security, collaboratively for all stakeholders
• Follow standards & industry best practices across the lifecycle
• Plug in legacy & be future proof; evolve a robust framework
• Allow global play with local solutions; universalization with least architecture and technology constraints.

As a beginning, formalize framework outlines:
• Examine the work already done by industry
• Survey IT security standards and frameworks; map their applicability to software
• Establish the framework outlines
• Identify focus areas & prioritize actions

Deliverables
• Consistent, state of the practice and cost effective SOFTWARE SECURITY FRAMEWORK
• A basket full of guidelines, mandates, clearances, industry best practices, PoCs and a map to navigate across all software building blocks for “Cradle to Grave” support to all stakeholders in the Software Security

Page 45: Australia  Germany  India  Singapore  UAE  UK  USA  Building India the Destination…

Standards for Security & Assurance Framework

Use of the Security Engineering Processes of ISO 21827/SSE-CMM in conjunction with IATF 3.1 or its equivalent standard can assist in risk assessment/security requirement formulation, detailed design and implementation. This step can ensure that security is built into the software lifecycle.

An assurance framework built around ISO 15443/FRITSA, ISO 15408/Common Criteria and ISO 21827/SSE-CMM can ensure that security is implemented throughout the software lifecycle and can be applied to all products, services and components.

Both SSE-CMM and CC are complementary to each other. Thus, the appraisal of software components and products at SSE-CMM level 3 will facilitate the evaluation of products and services at EAL level 2 or above against CC.

The ISO 17799 based controls can ensure secure operations

NIST/ SP 800-55 can facilitate metrics for cost, ROI, effectiveness etc.

Page 46: Australia  Germany  India  Singapore  UAE  UK  USA  Building India the Destination…

Building blocks of Security & Assurance Framework

Security Framework: The Security Engineering Processes of ISO 21827/SSE-CMM can be used to define requirements. These requirements can be realized using IATF 3.1 or an equivalent methodology for building the Information Management Model/Risk Assessment/Information Protection Profile.

Assurance framework: ISO 21827/SSE-CMM, ISO 15443/FRITSA & ISO 15408/Common Criteria can be used to build assurance into the life cycle. This will guarantee that security is implemented throughout the software lifecycle and that it is applied to all components, products and services appropriately. Both SSE-CMM and CC are complementary to each other. Thus, the appraisal of NGOSS components and products at SSE-CMM level 3 will facilitate the evaluation of products and services of NGOSS at EAL level 2 or above against CC. The FRITSA will assist in

• Assessment of deliverables
• Assessment of products
• Assessment of environment
• Evaluation Assurance related to parts of design, development and operation
• Development Assurance related to development stages
• Testing Assurance related to tests at each stage of lifecycle

Secure Operations: The ISO 17799 based controls/ audits and SSE- CMM based process maturity will ensure secure operations

Page 47: Australia  Germany  India  Singapore  UAE  UK  USA  Building India the Destination…

Building Blocks of Security …Contd

Metrics: Until an ISO standard emerges, NIST/SP 800-55 can be used as a guideline to develop metrics for security cost overheads, ROI, effectiveness etc.

Consultancy Framework: A rich consultancy repository of know-how and industry best practices can be created to build a strategic view of software security as a life cycle activity. This initiative will help to create Security Certified Professionals in the consultancy space, a unique industry strength, to provide the following:

• Design Guidance
• Risk Management
• Security Engineering
• Product Evaluation
• Certification & Accreditation
• Clearing House Functions
• Awareness & Education
• Secure Operations

SSE-CMM WILL ACT AS A GLUE TO BIND ALL THE OTHER STANDARDS, GUIDELINES, BEST PRACTICES & SUPPORT MATERIAL

Page 48: Australia  Germany  India  Singapore  UAE  UK  USA  Building India the Destination…

Advantages of Composite Framework

A formal approach to security engineering using ISO standards & industry best practices will help industry build the security foundations into the software engineering framework upfront rather than addressing security piecemeal as an afterthought.

This framework would address software security at the level of processes, products, services, people, technology and environment for all the stakeholders. SSE-CMM processes will support creation of ST and PP, in turn helping in certifications.

SSE-CMM Appraisals and CC Assurance Evaluations are both conducted using active investigations. The CC Assurance Classes have a corresponding Process Area or Base Practice in SSE-CMM. CC Assurance Evaluation evidence closely matches SSE-CMM Appraisal work products. The following complementary frameworks and methodologies will bring further completeness and comprehensiveness to the framework:

• Risk assessment using IATF 3.1
• Management of security operations and residual risks using ISO 17799
• Security metrics using SP 800-55
• Evaluation of NGOSS products using CC/ISO 15408

COMPOSITE FRAMEWORK WILL PROVIDE ANSWERS TO SOFTWARE SECURITY

Page 49: Australia  Germany  India  Singapore  UAE  UK  USA  Building India the Destination…

Recommended Framework Standards

ISO 21827 SSE-CMM for engineering security across NGOSS lifecycle

IATF v 3.1 to complement ISO 17799/ SSE-CMM for Risk Assessment/ Requirement Elicitation

ISO 15408/ Common Criteria to complement ISO 21827/ SSE-CMM for Product/ Service Assurance/ Certification

ISO 15443 (FRITSA) focus on IT assurance

ISO 17799 for building operational controls & audits

NIST SP 800-55 Guidelines for building metrics

Page 50: Australia  Germany  India  Singapore  UAE  UK  USA  Building India the Destination…

Way Forward

Security Framework

Assurance framework
• Assessment of deliverables
• Assessment of products
• Assessment of environment
• Evaluation Assurance related to parts of design, development and operation
• Development Assurance related to development stages
• Testing Assurance related to tests at each stage of lifecycle

Secure Operations Framework

Metrics

Consultancy Framework
• Design Guidance
• Risk Management
• Security Engineering
• Product Evaluation
• Certification & Accreditation
• Clearing House Functions
• Awareness & Education
• Secure Operations

Page 51: Australia  Germany  India  Singapore  UAE  UK  USA  Building India the Destination…

Suggested National Initiatives

Page 52: Australia  Germany  India  Singapore  UAE  UK  USA  Building India the Destination…

Suggested National Initiatives

Government

Invest liberally in manpower development. Involve universities, IITs / IIITs / IIMs / IISc and private industry to create security awareness, training, education and research initiatives.

Invest in development & promotion of sector-specific security pilot projects in 10 areas, viz. finance, banking, insurance, governance, transport, energy, defense etc.

Invest in the development of National Information Infrastructure Assurance Program through industry participation and strategic alliances with overseas partners.

Formalise the NII Security Policy Framework and institute compliance through governments at center & state levels.

Invest liberally in RD&D Initiatives in e-Security.

NIAP DEC 02

Page 53: Australia  Germany  India  Singapore  UAE  UK  USA  Building India the Destination…

Suggested National Initiatives……Contd

Industry

Fund industry to foster a world class Security Practice Framework until its acceptance by ICT end users reaches critical mass. Industry is reluctant to invest in the prevailing circumstances. Make monetary concessions to end users in certification programs.

Involve indigenous industry in large System Integration Partnerships in the ICT sectors through tie-ups at global level.

Promote Secure Managed Security Services & Secure Web Services out of India.

Align security with software business in sector specific verticals, viz. Telecom, business, banking, defence, insurance, governance etc.

Initiate and promote World Class Secure Software development as per ISO 15408/ ISO 21827/ ISO 17799

Build secure development sites for offshore work

Page 54: Australia  Germany  India  Singapore  UAE  UK  USA  Building India the Destination…

NASSCOM

Commission a consultant to provide global e-Security window to industry.

Nucleate an e-Security working group.

Promote BS 7799, ISO 15408, ISO 21827 initiatives.

Foster strategic alliances for brand building.

Project India as the destination for secure software development, security services and secure outsourcing

Suggested National Initiatives……Contd

Page 55: Australia  Germany  India  Singapore  UAE  UK  USA  Building India the Destination…

THANK YOU

Australia Germany India Singapore UAE UK USA