Mais conteúdo relacionado

Apresentações para você(20)

Similar a Controls for Digital Signature (e-Sign) Cloud Network & eCommerce Application(20)


Mais de Mufaddal Nullwala(20)


Controls for Digital Signature (e-Sign) Cloud Network & eCommerce Application

  1. Controls for Digital Signature (e-Sign) Cloud Network & eCommerce Application Mufaddal Nullwala SemV- MIM 15-I-131 2015-2018
  2. General Management Controls within IT Application controls are manual or automated control procedures that typically operate at a detailed business process (cycle or transaction) level.
  3. IT Process Controls
  4. Signed Messages Message + Signature Hash Decrypt Signature With Sender’s Public Key SIGN hash With Sender’s Private key Message + signature COMPARE Calculated Hash Message Sender Receiver Hash Sent thru’ Internet if OK Signatures verified DIGITAL SIGNATURES
  5. Information Technology (IT) Act, 2000 • The Information Technology Act 2000 facilitates acceptance of electronic records and Digital Signatures through a legal framework for establishing trust in e-Commerce and e-Governance. • Controller of Certifying Authorities (CCA) appointed under Section 17 of the IT Act, 2000 to promote the use of Digital Signatures for e-Governance & e-Commerce. – Functions of CCA  Licensing Certifying Authorities (CAs) under section 21 of the IT Act and exercising supervision over their activities.  Controller of Certifying Authorities as the “Root” Authority certifies the technologies and practices of all the Certifying Authorities licensed to issue Digital Signature Certificates – Regulation of Certifying Authorities  CCA promotes the growth of E-Commerce and E-Governance through the wide use of Electronic (Digital) signatures
  6.  There are seven licensed Certifying Authorities issuing Digital signature Certificates (DSC) 1. Sify 2. IDRBT 3. NIC 4. TCS ( Not now) 5. (n)Code Solutions 6. eMudhra 7. IAF Assuranc e Level Assurance Applicability Class 0 This certificate shall be issued only for demonstration / test purposes This is to be used only for demonstration / test purposes. Class 1 This certificates shall be issued for both business personnel & private individuals use. This provides a basic level of assurance, These are given on soft tokens. Class 2 This certificates will confirm that the information in the application. Address proof and Identity Proof are required along with the application form. This level is relevant to environments where risks and consequences of data compromise are moderate. These are issued on hardware tokens. Class 3 As these are high assurance certificates, primarily intended for ecommerce applications, they shall be issued to individuals only on their personal (physical) appearance before the Certifying Authorities. This level is relevant to environments where threats to data are high or the consequences of the failure of security services are high. This may include very high value transactions or high levels of fraud risk. Classes of Certificates
  7. Digital Signature Enabled Applications • Ministry of Corporate Affairs MCA21 for e-filing • Income Tax e-filing • Indian Railway Catering & Tourism Corporation (IRCTC) • Director General of Foreign Trade (DGFT) • Reserve Bank of India (SFMS & RTGS) • Indian Farmers Fertiliser Cooperative Limited (IFFCO) • Directorate General of Supplies & Disposals (DGS&D) • Oil and Natural Gas Corporation (ONGC) • Gas Authority of India Ltd (GAIL)
  8. Enabling Digital Signatures on Mobile phones Hardware based – Cryptographic SIM cards Software based – Through APPs incorporating cryptographic algorithms Time Stamping Service • The IT (CA) Regulations mandate provisioning of Time Stamping Services by Certifying Authorities (CA) who issue Digital Signature Certificates(DSC) under the Information Technology (IT) Act, 2000 • Digitally signed Time stamps are based on time derived from National time source • Time stamps can be verified to establish the time when a document or transaction was created.
  9. Time Stamping
  10. Time Stamping Service - Benefits • Accurate time in conformance with Government Guidelines • Digitally signed time stamps – verifiable in future • Assured Integrity • Electronic Notary • Fraud detection • Time Stamped content is protected from public exposure • The only legally acceptable time stamping service
  11. Challenges in scaling up usage of electronic Signatures • Personal digital signature requires person’s identity verification and issuance of USB dongle having private key, secured with a password/pin. • Current scheme of physical verification, document based identity validation, and issuance of physical dongles does not scale to a billion people. • The major cost of the DSC is found to be the verification cost. Certifying Authorities engage Registration Authorities to carry out the verification of verification of credentials prior to issuance of certificate. • Physical USB Dongle compliant to mandated standards also adds to the cost. • Relying on the DSC applicant's information already available on the public database is an alternate to Manual verification. UIDAI provides one such alternative.
  12. eSign • Aadhaar id is mandatory for availing eSign Service. • The Unique Identification Authority of India (UIDAI) has been established with the mandate of providing a Unique Identification Number (Aadhaar Number) to all residents. • During enrolment, the following data is collected: – Demographic details such as the name of the resident, address, date of birth, and gender. – Biometric details such as the fingerprints, iris scans, and photograph; and – Optional fields for communication of such as the mobile number and email address. • eSign facilitates electronically signing a document by an Aadhaar holder using an Online Service. • Electronic Signature is created using authentication of consumer through Aadhaar eKyc service. • eSign is an integrated service that facilitates issuing a Digital Signature Certificate and performing Signing of requested data by authenticating Aadhaar holder.
  13. eSign - Benefits
  14. Cloud security controls • Cloud computing security or, more simply, cloud security refers to a broad set of policies, technologies, and controls deployed to protect data, applications, and the associated infrastructure of cloud computing. It is a sub-domain of computer security, network security, and, more broadly, information security. • Cloud security architecture is effective only if the correct defensive implementations are in place. An efficient cloud security architecture should recognize the issues that will arise with security management. • The security management addresses these issues with security controls. These controls are put in place to safeguard any weaknesses in the system and reduce the effect of an attack.
  15. • While there are many types of controls behind a cloud security architecture, they can usually be found in one of the following categories: Deterrent controls : These controls are intended to reduce attacks on a cloud system. Much like a warning sign on a fence or a property, deterrent controls typically reduce the threat level by informing potential attackers that there will be adverse consequences for them if they proceed. Preventive controls : Preventive controls strengthen the system against incidents, generally by reducing if not actually eliminating vulnerabilities. Strong authentication of cloud users, for instance, makes it less likely that unauthorized users can access cloud systems, and more likely that cloud users are positively identified.
  16. Detective controls : Detective controls are intended to detect and react appropriately to any incidents that occur. In the event of an attack, a detective control will signal the preventative or corrective controls to address the issue.[8] System and network security monitoring, including intrusion detection and prevention arrangements, are typically employed to detect attacks on cloud systems and the supporting communications infrastructure. Corrective controls : Corrective controls reduce the consequences of an incident, normally by limiting the damage. They come into effect during or after an incident. Restoring system backups in order to rebuild a compromised system is an example of a corrective control.
  17. • Security Architecture • Indentify and Access Management • Data Protection • Governance • Risk Management • Compliance • Availability 7 Must-Have Security Controls for Any Cloud Environment
  18. Cloud Security Alliance (CSA) • World’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. • CSA’s comprehensive research program works in collaboration with industry, higher education and government on a global basis. • CSA’s activities, knowledge and extensive network benefit the entire community impacted by cloud.
  19. eCommerce Application e-commerce application consists of the act of rendering effective commercial transaction, one that links two entities (customer and supplier), using the Internet as a technological platform to establish the information and communication channel between those two entities.  Authentication - guarantee of the legal entity, singular or plural, with whom we are working  Integrity - guarantee that the contents of the communication between both parts is not modified  Confidentiality - guarantee that no one, non-authorized, either intentionally or not, has access to the contents of the communication.
  20. Application Controls Application control is a security practice that blocks or restricts unauthorized applications from executing in ways that put data at risk. The control functions vary based on the business purpose of the specific application, but the main objective is to help ensure the privacy and security of data used by and transmitted between applications. • Completeness checks – controls ensure records processing from initiation to completion • Validity checks – controls ensure only valid data is input or processed • Identification – controls ensure unique, irrefutable identification of all users • Authentication – controls provide an application system authentication mechanism • Authorization – controls ensure access to the application system by approved business users only • Input controls – controls ensure data integrity feeds into the application system from upstream sources
  21. Benefits of Application Controls • Reliability – Reduces likelihood of errors due to manual intervention • Benchmarking – Reliance on IT general controls can lead to concluding the application controls are effective year to year without re-testing • Time and cost savings – Typically application controls take less time to test and only require testing once as long as the IT general controls are effective
  22. Types of Application Controls. • Inherent controls are delivered with the application and do not need to be added to it • Configurable controls are automated controls to be defined at the time of system/application configuration • Security controls are generally user access, segregation of duties controls, roles and process rules • Reporting controls are those that rely on standard or ad-hoc reports from the application • Work flow controls are used to notify application users that a transaction or process is awaiting their action
  23. Application (Internal) Control Model • It is commonly designated by internal control system the set of rules, policies and procedures (control mechanisms), involved in the management of business risk. • A control mechanism helps an operational process to reach its aim without being, necessarily, part of the process. • Control can be an excellent tool to achieve organization aims. However, its implementation should be supported by a coherent and consistent framework
  24. • The single nature of electronic commercial transactions, transverse both to the intra-organizational environment and the inter-organizational environment, is responsible for the non-restriction of the internal control system. Thus, it is applied not only to the intra-organizational control but also to the inter-organizational control. • The intra-organizational control, when dealt with separately in the traditional commercial transactions, is extended in order to include the inter- organizational controls, which were taken in consideration separately in the traditionally transactions.
  25. Should the organizations think of cleaving to electronic commerce strategies, two main principles of internal control should be taken in consideration: the type of controls in the e-commerce sphere of action and the availability of the mentioned organizations on what regards having a specific framework which will help them in the implementation of an adequate internal control system. One of the primary aims of the implementation of risk based internal control systems, dealing with the intra-organizational and inter-organizational controls in a holistic fashion, is the global management of auditing risk, according to three of its components: • Inherent risk – the risk of an existing error, material or important when combined with other errors; inherent risks exists, even though an auditing is done, due to the business nature • Control risk – the risk that there is a material risk, which is not prevented or quickly detected by the internal control system, according to the organization’s desire of risk and to the defined risk management criteria. • Detection risk – the risk that the information systems auditor should use inadequate test procedures and could, thus say that there are no existing material errors,
  26. The framework released by the COSO (Committee of Sponsoring Organizations of the Treadway Commission) entitled “Enterprise Risk Management Framework” establishes a sequence of events for the enterprise risk management in control environment Consists: 1. Defining the organizations aims 2. Risk evaluation (identify it, measure it, prioritize it) 3. Risk Management (control it, avoid it, share it) The COSO ERM framework divides the organizational aims into four categories: 1. Strategic aims, aligned with and supported by the entity’s mission 2. Operational aims, related to the effective and efficient usage of the entity’s resources 3. Reporting aims, related to every organization’s needs of internally and externally reporting their performance 4. Conformity aims, related to the conformity with laws and suitable regulations
  27. The COSO ERM Framework defines the enterprise risk management as a process, effected by an entity’s board of directors, management and other personnel, and manage risks to be within its risk appetite,to provide reasonable assurance regarding the achievement of entity objectives. The eight sub-processes that constitute it are (COSO 2003): 1. Internal Environment – Management sets a philosophy regarding risk and establishes a risk appetite. 2. Objective Setting – Objectives must exist before management can identify events potentially affecting their achievement. 3. Event Identification – Potential events that might have an impact on the entity must be identified. 4. Risk Assessment – Identified risks are analyzed in order to form a basis for determining how they should be managed. 5. Risk Response – Management selects an approach or set of actions to align assessed risks with the entity’s risk appetite,
  28. 6. Control Activities – Policies and procedures are established and executed to help ensure that the risk responses management selected are effectively carried out 7. Information and communication – Relevant information is identified, captured and communicated in a form and timeframe that enable people to carry out their responsibilities. 8. Monitoring – The entire enterprise risk management process must be monitored, and modifications made as necessary. REAL-TIME E-COMMERCE AUDITING The electronic commercial transactions real-time auditing should be backed up by a strong theoretical component, which will enable its conceptualization from an epistemological point of view, making it thus easier the design of an adequate organizational and technological architecture. As we have previously mentioned this theoretic component is mainly based on the fusion of intra-organizational controls and inter-organizational controls, supported by a coherent and consistent framework, which will allow one to manage the business risk in a holistic perspective.

Notas do Editor

  1. Reliability - Application controls are more reliable than manual controls when evaluating the potential for control errors due to human intervention. Once an application control is established, and there is little change to the application, database, or supporting technology, the organization can rely on the application control until a change occurs. Benchmarking - If IT general controls that are used to monitor program changes, access to programs, and computer operations are effective and continue to be tested on a regular basis, the auditor can conclude that the application control is effective without having to repeat the previous year's control test. This is especially true if the auditor verifies that the application control has not changed since the auditor last tested the application control. Benchmarking is particularly effective when companies use pre-packaged software that doesn't allow for any source code development or modification. In cases like these, the company needs to consider more than just the code change. An application control within a complex application, such as SAP or Oracle Financials, can be changed, disabled, or enabled easily without any code change. Time and Cost - Application controls typically take less time to test than manual controls. This is because sample sizes for manual controls are tied to the frequency with which the controls are performed (i.e., daily, weekly, monthly, quarterly, or annually), while the sample size of the application controls often does not depend on the frequency of the control's performance (i.e., application controls are either operating effectively or not). In addition, application controls are typically tested one time as long as the ITGCs are effective. As a result, all of these factors can potentially accumulate to a significant savings in the number of hours required to test an application control versus a manual control.