Information Technology (IT)
• The Information Technology Act 2000 facilitates acceptance of electronic records and
Digital Signatures through a legal framework for establishing trust in e-Commerce
• Controller of Certifying Authorities (CCA) appointed under Section 17 of the IT Act,
2000 to promote the use of Digital Signatures for e-Governance & e-Commerce.
– Functions of CCA
Licensing Certifying Authorities (CAs) under section 21 of the IT Act and exercising
supervision over their activities.
Controller of Certifying Authorities as the “Root” Authority certifies the technologies and
practices of all the Certifying Authorities licensed to issue Digital Signature Certificates
– Regulation of Certifying Authorities
CCA promotes the growth of E-Commerce and E-Governance through the wide use of
Electronic (Digital) signatures
There are seven licensed Certifying Authorities issuing Digital signature Certificates (DSC)
4. TCS ( Not now)
5. (n)Code Solutions
Class 0 This certificate shall be issued only for
demonstration / test purposes
This is to be used only for demonstration
/ test purposes.
Class 1 This certificates shall be issued for both
business personnel & private individuals use.
This provides a basic level of assurance,
These are given on soft tokens.
Class 2 This certificates will confirm that the
information in the application. Address proof
and Identity Proof are required along with the
This level is relevant to environments
where risks and consequences of data
compromise are moderate. These are
issued on hardware tokens.
Class 3 As these are high assurance certificates,
primarily intended for ecommerce
applications, they shall be issued to
individuals only on their personal (physical)
appearance before the Certifying Authorities.
This level is relevant to environments
where threats to data are high or the
consequences of the failure of security
services are high. This may include very
high value transactions or high levels of
Classes of Certificates
Digital Signature Enabled Applications
• Ministry of Corporate Affairs MCA21 for e-filing
• Income Tax e-filing
• Indian Railway Catering & Tourism Corporation (IRCTC)
• Director General of Foreign Trade (DGFT)
• Reserve Bank of India (SFMS & RTGS)
• Indian Farmers Fertiliser Cooperative Limited (IFFCO)
• Directorate General of Supplies & Disposals (DGS&D)
• Oil and Natural Gas Corporation (ONGC)
• Gas Authority of India Ltd (GAIL)
Enabling Digital Signatures on
– Cryptographic SIM cards
– Through APPs incorporating cryptographic algorithms
Time Stamping Service
• The IT (CA) Regulations mandate provisioning of Time Stamping Services
by Certifying Authorities (CA) who issue Digital Signature Certificates(DSC)
under the Information Technology (IT) Act, 2000
• Digitally signed Time stamps are based on time derived from National time
• Time stamps can be verified to establish the time when a document or
transaction was created.
Time Stamping Service - Benefits
• Accurate time in conformance with Government Guidelines
• Digitally signed time stamps – verifiable in future
• Assured Integrity
• Electronic Notary
• Fraud detection
• Time Stamped content is protected from public exposure
• The only legally acceptable time stamping service
Challenges in scaling up usage of
• Personal digital signature requires person’s identity verification and
issuance of USB dongle having private key, secured with a password/pin.
• Current scheme of physical verification, document based identity validation,
and issuance of physical dongles does not scale to a billion people.
• The major cost of the DSC is found to be the verification cost. Certifying
Authorities engage Registration Authorities to carry out the verification of
verification of credentials prior to issuance of certificate.
• Physical USB Dongle compliant to mandated standards also adds to the
• Relying on the DSC applicant's information already available on the public
database is an alternate to Manual verification. UIDAI provides one such
• Aadhaar id is mandatory for availing eSign Service.
• The Unique Identification Authority of India (UIDAI) has been established
with the mandate of providing a Unique Identification Number (Aadhaar
Number) to all residents.
• During enrolment, the following data is collected:
– Demographic details such as the name of the resident, address, date of birth, and gender.
– Biometric details such as the fingerprints, iris scans, and photograph; and
– Optional fields for communication of such as the mobile number and email address.
• eSign facilitates electronically signing a document by an Aadhaar holder
using an Online Service.
• Electronic Signature is created using authentication of consumer through
Aadhaar eKyc service.
• eSign is an integrated service that facilitates issuing a Digital Signature
Certificate and performing Signing of requested data by authenticating
Cloud security controls
• Cloud computing security or, more simply, cloud security refers to a
broad set of policies, technologies, and controls deployed to protect data,
applications, and the associated infrastructure of cloud computing. It is a
sub-domain of computer security, network security, and, more broadly,
• Cloud security architecture is effective only if the correct defensive
implementations are in place. An efficient cloud security architecture should
recognize the issues that will arise with security management.
• The security management addresses these issues with security controls.
These controls are put in place to safeguard any weaknesses in the system
and reduce the effect of an attack.
• While there are many types of controls behind a cloud security architecture,
they can usually be found in one of the following categories:
Deterrent controls :
These controls are intended to reduce attacks on a cloud system.
Much like a warning sign on a fence or a property, deterrent controls typically
reduce the threat level by informing potential attackers that there will be
adverse consequences for them if they proceed.
Preventive controls :
Preventive controls strengthen the system against incidents, generally
by reducing if not actually eliminating vulnerabilities. Strong authentication of
cloud users, for instance, makes it less likely that unauthorized users can
access cloud systems, and more likely that cloud users are positively identified.
Detective controls :
Detective controls are intended to detect and react appropriately to
any incidents that occur. In the event of an attack, a detective control will signal
the preventative or corrective controls to address the issue. System and
network security monitoring, including intrusion detection and prevention
arrangements, are typically employed to detect attacks on cloud systems and
the supporting communications infrastructure.
Corrective controls :
Corrective controls reduce the consequences of an incident, normally
by limiting the damage. They come into effect during or after an incident.
Restoring system backups in order to rebuild a compromised system is an
example of a corrective control.
• Security Architecture
• Indentify and Access Management
• Data Protection
• Risk Management
7 Must-Have Security Controls
for Any Cloud Environment
Cloud Security Alliance (CSA)
• World’s leading organization dedicated to defining and raising
awareness of best practices to help ensure a secure cloud
• CSA’s comprehensive research program works in
collaboration with industry, higher education and
government on a global basis.
• CSA’s activities, knowledge and extensive network
benefit the entire community impacted by cloud.
e-commerce application consists of the act of rendering effective
commercial transaction, one that links two entities (customer and
supplier), using the Internet as a technological platform to establish the
information and communication channel between those two entities.
Authentication - guarantee of the legal entity, singular or plural, with
whom we are working
Integrity - guarantee that the contents of the communication between
both parts is not modified
Confidentiality - guarantee that no one, non-authorized, either
intentionally or not, has access to the contents of the communication.
Application control is a security practice that blocks or
restricts unauthorized applications from executing in
ways that put data at risk. The control functions vary
based on the business purpose of the specific
application, but the main objective is to help ensure the
privacy and security of data used by and transmitted
• Completeness checks – controls ensure records processing from initiation to
• Validity checks – controls ensure only valid data is input or processed
• Identification – controls ensure unique, irrefutable identification of all users
• Authentication – controls provide an application system authentication
• Authorization – controls ensure access to the application system by approved
business users only
• Input controls – controls ensure data integrity feeds into the application system
from upstream sources
Benefits of Application Controls
– Reduces likelihood of errors due to manual intervention
– Reliance on IT general controls can lead to concluding the application
controls are effective year to year without re-testing
• Time and cost savings
– Typically application controls take less time to test and only require
testing once as long as the IT general controls are effective
Types of Application Controls.
• Inherent controls are delivered with the application and do not need to
be added to it
• Configurable controls are automated controls to be defined at the time
of system/application configuration
• Security controls are generally user access, segregation of duties
controls, roles and process rules
• Reporting controls are those that rely on standard or ad-hoc reports
from the application
• Work flow controls are used to notify application users that a
transaction or process is awaiting their action
Application (Internal) Control Model
• It is commonly designated by internal control system the set of rules, policies
and procedures (control mechanisms), involved in the management of
• A control mechanism helps an operational process to reach its aim without
being, necessarily, part of the process.
• Control can be an excellent tool
to achieve organization aims.
However, its implementation
should be supported by a
coherent and consistent
• The single nature of electronic commercial transactions, transverse both to
the intra-organizational environment and the inter-organizational
environment, is responsible for the non-restriction of the internal control
system. Thus, it is applied not only to the intra-organizational control but
also to the inter-organizational control.
• The intra-organizational control, when dealt with separately in the traditional
commercial transactions, is extended in order to include the inter-
organizational controls, which were taken in consideration separately in the
Should the organizations think of cleaving to electronic commerce
strategies, two main principles of internal control should be taken in consideration:
the type of controls in the e-commerce sphere of action and the availability of the
mentioned organizations on what regards having a specific framework which will
help them in the implementation of an adequate internal control system.
One of the primary aims of the implementation of risk based internal
control systems, dealing with the intra-organizational and inter-organizational
controls in a holistic fashion, is the global management of auditing risk, according
to three of its components:
• Inherent risk – the risk of an existing error, material or important when
combined with other errors; inherent risks exists, even though an auditing is
done, due to the business nature
• Control risk – the risk that there is a material risk, which is not prevented or
quickly detected by the internal control system, according to the organization’s
desire of risk and to the defined risk management criteria.
• Detection risk – the risk that the information systems auditor should use
inadequate test procedures and could, thus say that there are no existing
The framework released by the COSO (Committee of Sponsoring
Organizations of the Treadway Commission) entitled “Enterprise Risk
Management Framework” establishes a sequence of events for the enterprise
risk management in control environment Consists:
1. Defining the organizations aims
2. Risk evaluation (identify it, measure it, prioritize it)
3. Risk Management (control it, avoid it, share it)
The COSO ERM framework divides the organizational aims into four categories:
1. Strategic aims, aligned with and supported by the entity’s mission
2. Operational aims, related to the effective and efficient usage of the entity’s
3. Reporting aims, related to every organization’s needs of internally and
externally reporting their performance
4. Conformity aims, related to the conformity with laws and suitable regulations
The COSO ERM Framework defines the enterprise risk management as a
process, effected by an entity’s board of directors, management and other
personnel, and manage risks to be within its risk appetite,to provide reasonable
assurance regarding the achievement of entity objectives.
The eight sub-processes that constitute it are (COSO 2003):
1. Internal Environment – Management sets a philosophy regarding risk and
establishes a risk appetite.
2. Objective Setting – Objectives must exist before management can identify
events potentially affecting their achievement.
3. Event Identification – Potential events that might have an impact on the entity
must be identified.
4. Risk Assessment – Identified risks are analyzed in order to form a basis for
determining how they should be managed.
5. Risk Response – Management selects an approach or set of actions to align
assessed risks with the entity’s risk appetite,
6. Control Activities – Policies and procedures are established and executed to
help ensure that the risk responses management selected are effectively
7. Information and communication – Relevant information is identified,
captured and communicated in a form and timeframe that enable people to
carry out their responsibilities.
8. Monitoring – The entire enterprise risk management process must be
monitored, and modifications made as necessary.
REAL-TIME E-COMMERCE AUDITING
The electronic commercial transactions real-time auditing should be
backed up by a strong theoretical component, which will enable its
conceptualization from an epistemological point of view, making it thus easier
the design of an adequate organizational and technological architecture. As we
have previously mentioned this theoretic component is mainly based on the
fusion of intra-organizational controls and inter-organizational controls,
supported by a coherent and consistent framework, which will allow one to
manage the business risk in a holistic perspective.
Notas do Editor
Reliability - Application controls are more reliable than manual controls when evaluating the potential for control errors due to human intervention. Once an application control is established, and there is little change to the application, database, or supporting technology, the organization can rely on the application control until a change occurs.
Benchmarking - If IT general controls that are used to monitor program changes, access to programs, and computer operations are effective and continue to be tested on a regular basis, the auditor can conclude that the application control is effective without having to repeat the previous year's control test. This is especially true if the auditor verifies that the application control has not changed since the auditor last tested the application control. Benchmarking is particularly effective when companies use pre-packaged software that doesn't allow for any source code development or modification. In cases like these, the company needs to consider more than just the code change. An application control within a complex application, such as SAP or Oracle Financials, can be changed, disabled, or enabled easily without any code change.
Time and Cost - Application controls typically take less time to test than manual controls. This is because sample sizes for manual controls are tied to the frequency with which the controls are performed (i.e., daily, weekly, monthly, quarterly, or annually), while the sample size of the application controls often does not depend on the frequency of the control's performance (i.e., application controls are either operating effectively or not). In addition, application controls are typically tested one time as long as the ITGCs are effective. As a result, all of these factors can potentially accumulate to a significant savings in the number of hours required to test an application control versus a manual control.