Recommendation for Sri Lankan ICT Policy (Trust and Security)
TRANSCRIPT
We need trust & security because
• IT is an emerging industry in Sri Lanka
• Tackles different industries & markets
• Enables participation in the digital & financial space at the individual level
• Cradle to grave digital identity
• Data floating everywhere and still expanding
Responsibility ???
Recommendations
Formulate an information security policy for the Government, as well as public and private institutions which handle public records
A secure centralized, online storage system to store documents
Use of a two-step authentication process, using a one-time password (OTP) when performing online transactions
Recommendation 1
In a government department which delivers a very important service
An attack of ‘CME-24’ aka W32.BlackMal.E worm
CERT Case Study: “The Worm – Episode 1”
Recommendation 1
Forthcoming regulations to formulate an information security policy for government, public and private institutions which handle public records
The ISO 27002 code of practice for information security controls may be used in formulating the policy
Recommendation 2
A secure centralized, online storage system to store documents
User (accessible with Public Key)
  + File 1 – Private Key 1
  + File 2 – Private Key 2
  + File 3 – Private Key 3
  + File 4 – Private Key 4
Government Data (R)
Personal Data (R/W)
  + File 1 – Private Key 5
  + File 2 – Private Key 6
  + File 3 – Private Key 7
  + File 4 – Private Key 8
  + File 5 – Private Key 9
Institutions (accessible with Public Key)
Recommendation 2
All documents are watermarked
Government data is digitally signed (verifiable) and read only
Private keys are specific to clients and have expiry
An additional code or symbol is added when a client pulls the document corresponding to the given private key
Government has no direct access to the private folder
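One way to realise the "digitally signed (verifiable) and read only" government data with expiring keys from Recommendation 2, as an added Go example that is not part of the original presentation: it assumes Ed25519 signatures and a hypothetical SignedRecord envelope that binds the key id and the key's expiry to the document body, so verification fails both when the body is altered and once the signing key has expired.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// SignedRecord is a hypothetical envelope for a read-only government document; key id and expiry sit inside the signed bytes.
type SignedRecord struct {
	KeyID     string `json:"key_id"`
	NotAfter  int64  `json:"not_after"` // Unix time; the signing key is invalid after this
	Body      []byte `json:"body"`
	Signature []byte `json:"signature"`
}

// signedBytes returns the canonical encoding that is signed and later verified.
func signedBytes(r SignedRecord) []byte {
	r.Signature = nil
	b, _ := json.Marshal(r) // only basic field types, so marshalling cannot fail
	return b
}

// SignRecord signs body under a department key that expires at notAfter.
func SignRecord(priv ed25519.PrivateKey, keyID string, notAfter time.Time, body []byte) SignedRecord {
	r := SignedRecord{KeyID: keyID, NotAfter: notAfter.Unix(), Body: body}
	r.Signature = ed25519.Sign(priv, signedBytes(r))
	return r
}

// VerifyRecord checks the signature with the department's public key and rejects records whose key had expired at check time.
func VerifyRecord(pub ed25519.PublicKey, r SignedRecord, now time.Time) error {
	if !ed25519.Verify(pub, signedBytes(r), r.Signature) {
		return errors.New("signature invalid: document altered or wrong key")
	}
	if now.Unix() > r.NotAfter {
		return errors.New("signing key expired: record must be re-issued")
	}
	return nil
}

func main() {
	// Constructed fixed seed so the demo is reproducible; real keys come from an HSM or CSPRNG.
	priv := ed25519.NewKeyFromSeed([]byte("constructed-demo-seed-32-bytes!!"))
	pub := priv.Public().(ed25519.PublicKey)
	rec := SignRecord(priv, "dept-key-01", time.Now().Add(24*time.Hour), []byte("birth certificate 0001"))
	fmt.Println("verify:", VerifyRecord(pub, rec, time.Now())) // prints "verify: <nil>"
}
```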
Recommendation 3
Compulsory two-step authentication for online transactions
The CID has reported that banks holding NRFC accounts have suffered losses of over Rs. 1 Billion due to illegal withdrawals from fake email accounts.
Sunday Times, 28th June 2015
All banks registered under the Central Bank Monetary Control System should use a two-step authentication process when carrying out online transactions.
A Discussion
Do telecom operators expose CDR information to third parties for commercial purposes?