Department of Information Technology,
Ministry of Communications and Information Technology,
Government of India
Overview and Scope
Aim of the project is to develop standardized and validated processes
and methodologies for intranet, internet and extranet security, which
will enable Organizations to venture into E-businesses, E-governance,
Distance Learning, etc., using Web-technology without compromising
Confidentiality, Integrity and Availability of the resources of the
Organization and its customers / users, including customization
guidelines to reduce time-to-market.
The scope of work includes the development of the following:
1. A Security Requirement Specification Language
2. Guidelines for formulation of Security Policies
3. Advisory system for Security Infrastructure Implementation
4. Security Validation Techniques
5. A Laboratory set-up for Testing Security of Web-based systems
The primary objective of the project was to develop the idea of
systematic design and management process of Information System Security
of Web-based Enterprises. The team has put forward the idea of the
Security Engineering Life-cycle comprising of the following phases:
1. Security Requirement Analysis phase.
2. Security Policy formulation phase.
3. Security Infrastructure Advisory phase.
4. Security Infrastructure selection, installation & configuration
5. Security Testing phase.
This is required to ensure that enterprise security is survivable in the
face of relatively frequent changes in the organization, the
infrastructure, vulnerability and threat scenarios.
The project work resulted into the following theoretical developments:
1. Security Requirement Analysis Methodology.
2. An XML-based Language to express the Requirement Specification.
3. Security Risk Analysis Methodology.
4. Identification of Baseline and Detailed Policies, Guidelines and
5. Methodology to generate infrastructure advisory.
6. Methodology to generate the compliance test cases from the
A major strength of the concepts developed is that all the concepts have
been correlated with the ISO 17799 Standard on Best Practices for
Information Security Management System.
The complexity and large volume of the security related data for even
medium sized enterprises led the team to develop a suite of tools, which
has been developed for partial automation of the security design and
management activities of Enterprises, based on the concepts developed
and the ISO Standard. The suite consists of the following tools:
1. A security requirement analysis tool.
2. A security policy formulation tool.
3. A security infrastructure advisory generation tool.
4. An automatic test case generation and penetration testing tool.