U  N  I  V  E  R  S  I  T  Y
Centre for Distributed Computing



Funded By

Department of Information Technology,
Ministry of Communications and Information Technology,
Government of India 

Overview and Scope

Aim of the project is to develop standardized and validated processes and methodologies for intranet, internet and extranet security, which will enable Organizations to venture into E-businesses, E-governance, Distance Learning, etc., using Web-technology without compromising Confidentiality, Integrity and Availability of the resources of the Organization and its customers / users, including customization guidelines to reduce time-to-market.

The scope of work includes the development of the following:

1. A Security Requirement Specification Language
2. Guidelines for formulation of Security Policies
3. Advisory system for Security Infrastructure Implementation
4. Security Validation Techniques
5. A Laboratory set-up for Testing Security of Web-based systems


The primary objective of the project was to develop the idea of systematic design and management process of Information System Security of Web-based Enterprises. The team has put forward the idea of the Security Engineering Life-cycle comprising of the following phases:
1. Security Requirement Analysis phase.
2. Security Policy formulation phase.
3. Security Infrastructure Advisory phase.
4. Security Infrastructure selection, installation & configuration phase.
5. Security Testing phase.

This is required to ensure that enterprise security is survivable in the face of relatively frequent changes in the organization, the infrastructure, vulnerability and threat scenarios.

The project work resulted into the following theoretical developments:

1. Security Requirement Analysis Methodology.
2. An XML-based Language to express the Requirement Specification.
3. Security Risk Analysis Methodology.
4. Identification of Baseline and Detailed Policies, Guidelines and Procedures.
5. Methodology to generate infrastructure advisory.
6. Methodology to generate the compliance test cases from the Requirement Specification.

A major strength of the concepts developed is that all the concepts have been correlated with the ISO 17799 Standard on Best Practices for Information Security Management System.
The complexity and large volume of the security related data for even medium sized enterprises led the team to develop a suite of tools, which has been developed for partial automation of the security design and management activities of Enterprises, based on the concepts developed and the ISO Standard. The suite consists of the following tools:

1. A security requirement analysis tool.
2. A security policy formulation tool.
3. A security infrastructure advisory generation tool.
4. An automatic test case generation and penetration testing tool.




CDC-JU © All Rights Reserved