U  N  I  V  E  R  S  I  T  Y
Centre for Distributed Computing




Development of Web-Service based Security Management Framework for Critical Sector Information Infrastructure Protection 

Funded By

Department of Information Technology,
Ministry of Communications and Information Technology, Government of India


A critical infrastructure (CI) is an infrastructure or asset the incapacitation or destruction of which would have a debilitating impact on the national security and the economic and social welfare of a nation. It has been established that key sectors of modern society, including those vital to national security and to the essential functioning of industrialized economies, rely on a spectrum of highly interdependent national and international software-based control systems for their smooth, reliable, and continuous operation. This critical information infrastructure (CII) underpins many elements of the CI, as many information and communication technologies (ICT) have become all-embracing, connecting other infrastructure systems and making them interrelated and interdependent. Not only are information systems exposed to failures, they are also potentially attractive targets for malicious attacks.

  In India, many efforts in the field of critical information infrastructure protection (CIIP) were triggered by the governments’ goal of making the country a leading knowledge-driven global economy by boosting IT and e-business. All critical infrastructures are increasingly dependent on the information infrastructure for a variety of information management, communications, and control functions. This dependence has a strong national security component, since information infrastructure enables both economic vitality and military and civilian government operations.

  At present, however, open, pressing, but unanswered questions abound in the field of CIIP. As a result, there is huge research gap to be filled. Aim of the project is to develop a robust and survivable Critical Sector Information Infrastructure Protection and Management Framework. The framework and the theory behind it will be used to develop a set of metrics for measuring Critical Sector Information Infrastructure Protection capability and performance. This will help in Management decision-making and provide assurance of RoI. Based on the above framework and the metrics, WISSDOM has been enhanced with a number of components, for the protection and management of Critical Sector Information Infrastructure.

 WISSDOM2 (Web enabled Information System Security Design and Operational Management Version 2), a tool suite for managing information security in an enterprise, has been developed by the Centre for Distributed Computing, Dept. of Computer Science & Engineering, Jadavpur University, Kolkata. The following services have been developed as part of the tool suite:

        Organization Categorization and Baseline Controls Selection (based on ISO 27002)

        ISMS Scope definition and Corporate Policy formulation

        Control Gap Analysis

        Risk Management

        Controls Selection and Statement of Applicability (SoA) generation

        Generation of Protective Measures

        Information Security Policy Formulation

        Technical Vulnerability Analysis

        Information Security Metrics

        Internal Audit and Compliance


An organization is first categorized as low, medium, or high baseline. The categorization of organization is done based on the analysis of its financial, social, legal, and national impact. The analysis is done by means of a questionnaire. Then, baseline controls are selected considering ISO 27002 as per the categorization (low, medium, or high baseline) of organization. After this, the scope of implementation of Information Security Management System (ISMS) in the organization is identified. It includes exclusions, if any, along with proper justification. ISMS Corporate Policy is a set of high level statements describing the objectives, beliefs and goals of the organization as far as security is concerned.  ISMS policies define the overall security and risk control objectives that an organization endorses. Control Gap Analysis (CGA) is performed based on the controls of ISO 27001 and 27002. “Implementation reference” is provided by the organization for the already implemented controls. Then, risk management is done comprising of: identification of vulnerabilities, and threats, generation of Risk Analysis report, identification of controls, and generation of Risk Treatment Plan (RTP). The references of already implemented controls are available from control gap analysis. These references, along with the applicable controls suggested by risk analysis, are used to generate the Statement of Applicability (SoA). Then, protective measures, including infrastructure and security mechanisms, are generated based on the controls suggested in the Risk Analysis phase. Finally, the Security Policy manual, Procedures manual and Guidelines manual are generated.



CDC-JU © All Rights Reserved