Controls for Digital Signature (e-Sign)
Cloud Network
&
eCommerce Application
Mufaddal Nullwala
SemV- MIM
15-I-131
2015-2018
General Management Controls within IT
Application controls are manual or automated control procedures that typically
operate at a detailed business process (cycle or transaction) level.
IT Process Controls
Signed Messages (flow reconstructed from the slide's diagram labels)
Sender: compute the hash of the message; sign the hash with the sender's private key; send message + signature through the Internet.
Receiver: split the received data into message and signature; use the sender's public key to check the signature and obtain the hash that was signed; compute the hash of the received message; COMPARE the two hashes. If they match, the signature is verified: the message came from the holder of the private key and was not altered in transit.
(The slide's "decrypt signature with public key" wording is the textbook RSA picture. For other signature schemes such as ECDSA, verification takes the hash and the signature as inputs and returns accept/reject rather than recovering the hash; the security property is the same.)
DIGITAL SIGNATURES
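The sender/receiver flow above, as an added example in Go (not part of the original presentation): the sender hashes the message with SHA-256 and signs the digest with an ECDSA P-256 private key; the receiver recomputes the digest and verifies the signature with the sender's public key. The sample payment message and both key pairs are constructed here; in practice the sender's public key would be taken from a Digital Signature Certificate issued by a licensed CA, and the example also shows what happens when the message is altered in transit or the receiver trusts the wrong key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignedMessage is what is "sent thru' Internet": the message plus the signature over its hash.
type SignedMessage struct {
	Message   []byte
	Signature []byte // ASN.1 DER-encoded ECDSA signature over SHA-256(Message)
}

// Sign is the sender side: hash the message, then sign the hash with the sender's private key.
func Sign(priv *ecdsa.PrivateKey, msg []byte) (SignedMessage, error) {
	digest := sha256.Sum256(msg)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return SignedMessage{}, err
	}
	return SignedMessage{Message: msg, Signature: sig}, nil
}

// Verify is the receiver side: recompute the hash of the received message and check the
// signature against it with the sender's public key. A change to a single byte of the
// message, or a signature made with another key, makes this return false.
func Verify(pub *ecdsa.PublicKey, sm SignedMessage) bool {
	digest := sha256.Sum256(sm.Message)
	return ecdsa.VerifyASN1(pub, digest[:], sm.Signature)
}

// Demo runs the exchange once and reports whether verification succeeds for the original
// message, for a message altered in transit, and for a signature checked with the wrong key.
func Demo() (original, tampered, wrongKey bool, err error) {
	sender, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	// Constructed sample payment instruction; any bytes would do.
	sm, err := Sign(sender, []byte("PAY 1000.00 INR to account 12345"))
	if err != nil {
		return false, false, false, err
	}
	original = Verify(&sender.PublicKey, sm)

	// An attacker on the path changes the amount but cannot re-sign without the private key.
	altered := sm
	altered.Message = []byte("PAY 9000.00 INR to account 12345")
	tampered = Verify(&sender.PublicKey, altered)

	// A receiver that trusts the wrong public key (e.g. an unverified certificate) also fails.
	other, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	wrongKey = Verify(&other.PublicKey, sm)
	return original, tampered, wrongKey, nil
}

func main() {
	original, tampered, wrongKey, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("original verified: %v, tampered verified: %v, wrong key verified: %v\n",
		original, tampered, wrongKey)
}
```

Note that the receiver's check is only as good as its binding of the public key to the sender; that binding is what the certificate classes and the CCA licensing regime described next are for.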
Information Technology (IT) Act, 2000
• The Information Technology Act 2000 facilitates acceptance of electronic records and Digital Signatures through a legal framework for establishing trust in e-Commerce and e-Governance.
• The Controller of Certifying Authorities (CCA) is appointed under Section 17 of the IT Act, 2000 to promote the use of Digital Signatures for e-Governance and e-Commerce.
– Functions of CCA
• Licensing Certifying Authorities (CAs) under Section 21 of the IT Act and exercising supervision over their activities.
• As the "Root" Authority, the CCA certifies the technologies and practices of all Certifying Authorities licensed to issue Digital Signature Certificates.
– Regulation of Certifying Authorities
• The CCA promotes the growth of e-Commerce and e-Governance through the wide use of electronic (digital) signatures.
• There are seven licensed Certifying Authorities issuing Digital Signature Certificates (DSC):
1. Sify
2. IDRBT
3. NIC
4. TCS (no longer licensed)
5. (n)Code Solutions
6. eMudhra
7. IAF
Classes of Certificates (assurance level, what the CA verifies, and where the class applies)
Class 0: Issued only for demonstration / test purposes. Applicability: demonstration / test use only.
Class 1: Issued to both business personnel and private individuals. Provides a basic level of assurance. Issued on soft tokens.
Class 2: The CA confirms the information given in the application; address proof and identity proof are required along with the application form. Applicability: environments where the risks and consequences of data compromise are moderate. Issued on hardware tokens.
Class 3: High-assurance certificates, primarily intended for e-commerce applications; issued to individuals only on their personal (physical) appearance before the Certifying Authority. Applicability: environments where threats to data are high or the consequences of failure of security services are high, including very high value transactions or high levels of fraud risk.
Digital Signature Enabled Applications
• Ministry of Corporate Affairs MCA21 for e-filing
• Income Tax e-filing
• Indian Railway Catering & Tourism Corporation (IRCTC)
• Director General of Foreign Trade (DGFT)
• Reserve Bank of India (SFMS & RTGS)
• Indian Farmers Fertiliser Cooperative Limited (IFFCO)
• Directorate General of Supplies & Disposals (DGS&D)
• Oil and Natural Gas Corporation (ONGC)
• Gas Authority of India Ltd (GAIL)
Enabling Digital Signatures on
Mobile phones
Hardware based
– Cryptographic SIM cards
Software based
– Through APPs incorporating cryptographic algorithms
Time Stamping Service
• The IT (CA) Regulations mandate provisioning of Time Stamping Services
by Certifying Authorities (CA) who issue Digital Signature Certificates(DSC)
under the Information Technology (IT) Act, 2000
• Digitally signed Time stamps are based on time derived from National time
source
• Time stamps can be verified to establish the time when a document or
transaction was created.
Time Stamping
Time Stamping Service - Benefits
• Accurate time in conformance with Government Guidelines
• Digitally signed time stamps – verifiable in future
• Assured Integrity
• Electronic Notary
• Fraud detection
• Time Stamped content is protected from public exposure, because the service signs a hash of the content rather than the content itself
• The only legally acceptable time stamping service
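How a signed time stamp of the kind described above can be issued and later verified, as an added example in Go (not part of the original presentation). The TSA key pair, the fixed clock and the sample document are constructed stand-ins: a CA-operated service signs with its certified key, takes its time from the national time source and uses a standard token format, whereas the token layout used here (SHA-256 digest followed by big-endian Unix seconds) is an assumption for illustration. The example shows the point behind "protected from public exposure": only the digest is sent to the service, and a later verifier can still tie the token to the exact document.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// TimeStampToken is what the service returns: the digest it was asked to stamp, the time it
// attached, and its signature over both. The document itself is never sent to the service.
type TimeStampToken struct {
	Digest    [32]byte
	Time      time.Time
	Signature []byte // Ed25519 signature over Digest || big-endian Unix seconds (assumed layout)
}

// signedBytes is the exact byte string the signature covers.
func (t TimeStampToken) signedBytes() []byte {
	buf := make([]byte, 40)
	copy(buf[:32], t.Digest[:])
	binary.BigEndian.PutUint64(buf[32:], uint64(t.Time.Unix()))
	return buf
}

// TSA stands in for a Certifying Authority's time stamping service.
type TSA struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey // published so relying parties can verify tokens years later
	now  func() time.Time  // a real service disciplines this clock to the national time source
}

func NewTSA(now func() time.Time) (*TSA, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &TSA{priv: priv, Pub: pub, now: now}, nil
}

// Stamp receives only the digest of the content and binds it to the current time.
func (s *TSA) Stamp(digest [32]byte) TimeStampToken {
	tok := TimeStampToken{Digest: digest, Time: s.now()}
	tok.Signature = ed25519.Sign(s.priv, tok.signedBytes())
	return tok
}

// VerifyTimeStamp is what a relying party runs later. It checks that the token was issued by
// the TSA and not altered, and that it was issued for exactly this document.
func VerifyTimeStamp(pub ed25519.PublicKey, doc []byte, tok TimeStampToken) (time.Time, error) {
	if !ed25519.Verify(pub, tok.signedBytes(), tok.Signature) {
		return time.Time{}, errors.New("token signature invalid: not issued by this TSA, or altered")
	}
	if d := sha256.Sum256(doc); !bytes.Equal(d[:], tok.Digest[:]) {
		return time.Time{}, errors.New("document does not match the digest that was time-stamped")
	}
	return tok.Time, nil
}

// Demo stamps a constructed document at a fixed clock time and returns the attested Unix time,
// whether the original document verifies, and whether an edited copy verifies.
func Demo() (stamped int64, originalOK, alteredOK bool, err error) {
	fixedClock := func() time.Time { return time.Unix(1500000000, 0).UTC() } // constructed clock
	tsa, err := NewTSA(fixedClock)
	if err != nil {
		return 0, false, false, err
	}
	doc := []byte("Purchase order PO-42: 10 units at 1500.00 INR") // constructed sample document
	tok := tsa.Stamp(sha256.Sum256(doc))                         // only the digest leaves the requester

	at, err := VerifyTimeStamp(tsa.Pub, doc, tok)
	originalOK = err == nil
	_, err = VerifyTimeStamp(tsa.Pub, []byte("Purchase order PO-42: 10 units at 150.00 INR"), tok)
	alteredOK = err == nil
	return at.Unix(), originalOK, alteredOK, nil
}

func main() {
	stamped, originalOK, alteredOK, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("stamped at %v; original verifies: %v; altered verifies: %v\n",
		time.Unix(stamped, 0).UTC(), originalOK, alteredOK)
}
```

The token is only as trustworthy as the TSA's key and clock, which is why the regulations place the service with licensed CAs and tie it to the national time source.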
Challenges in scaling up usage of
electronic Signatures
• Personal digital signature requires person’s identity verification and
issuance of USB dongle having private key, secured with a password/pin.
• Current scheme of physical verification, document based identity validation,
and issuance of physical dongles does not scale to a billion people.
• The major cost of a DSC is found to be the verification cost. Certifying Authorities engage Registration Authorities to carry out the verification of credentials prior to issuance of the certificate.
• Physical USB Dongle compliant to mandated standards also adds to the
cost.
• Relying on the DSC applicant's information already available on the public
database is an alternate to Manual verification. UIDAI provides one such
alternative.
eSign
• Aadhaar id is mandatory for availing eSign Service.
• The Unique Identification Authority of India (UIDAI) has been established
with the mandate of providing a Unique Identification Number (Aadhaar
Number) to all residents.
• During enrolment, the following data is collected:
– Demographic details such as the name of the resident, address, date of birth, and gender.
– Biometric details such as fingerprints, iris scans, and photograph; and
– Optional contact fields such as the mobile number and email address.
• eSign facilitates electronic signing of a document by an Aadhaar holder using an online service.
• The electronic signature is created after authenticating the signer through the Aadhaar eKYC service.
• eSign is an integrated service that issues a Digital Signature Certificate and signs the requested data, after authenticating the Aadhaar holder.
eSign - Benefits
Cloud security controls
• Cloud computing security or, more simply, cloud security refers to a
broad set of policies, technologies, and controls deployed to protect data,
applications, and the associated infrastructure of cloud computing. It is a
sub-domain of computer security, network security, and, more broadly,
information security.
• Cloud security architecture is effective only if the correct defensive
implementations are in place. An efficient cloud security architecture should
recognize the issues that will arise with security management.
• The security management addresses these issues with security controls.
These controls are put in place to safeguard any weaknesses in the system
and reduce the effect of an attack.
• While there are many types of controls behind a cloud security architecture,
they can usually be found in one of the following categories:
Deterrent controls :
These controls are intended to reduce attacks on a cloud system.
Much like a warning sign on a fence or a property, deterrent controls typically
reduce the threat level by informing potential attackers that there will be
adverse consequences for them if they proceed.
Preventive controls :
Preventive controls strengthen the system against incidents, generally
by reducing if not actually eliminating vulnerabilities. Strong authentication of
cloud users, for instance, makes it less likely that unauthorized users can
access cloud systems, and more likely that cloud users are positively identified.
Detective controls :
Detective controls are intended to detect and react appropriately to any incidents that occur. In the event of an attack, a detective control signals the preventive or corrective controls to address the issue. System and network security monitoring, including intrusion detection and prevention arrangements, is typically employed to detect attacks on cloud systems and the supporting communications infrastructure.
Corrective controls :
Corrective controls reduce the consequences of an incident, normally
by limiting the damage. They come into effect during or after an incident.
Restoring system backups in order to rebuild a compromised system is an
example of a corrective control.
7 Must-Have Security Controls for Any Cloud Environment
• Security Architecture
• Identity and Access Management
• Data Protection
• Governance
• Risk Management
• Compliance
• Availability
Cloud Security Alliance (CSA)
• World’s leading organization dedicated to defining and raising
awareness of best practices to help ensure a secure cloud
computing environment.
• CSA’s comprehensive research program works in
collaboration with industry, higher education and
government on a global basis.
• CSA’s activities, knowledge and extensive network
benefit the entire community impacted by cloud.
eCommerce Application
An e-commerce application carries out a commercial transaction between two entities (customer and supplier), using the Internet as the technological platform for the information and communication channel between them. Three guarantees are required of that channel:
• Authentication - assurance of the identity of the legal entity (one or several) with whom we are dealing
• Integrity - assurance that the content of the communication between the two parties is not modified
• Confidentiality - assurance that no unauthorized party, whether intentionally or not, gains access to the content of the communication.
Application Controls
In the audit sense used here, application controls are the manual or automated controls built into or around a specific business application to ensure that the transactions it processes are complete, accurate, valid and authorized, and that the data it holds and exchanges with other applications stays private and intact. The specific control functions vary with the business purpose of the application. (The same term is also used for endpoint "application control", i.e. allow-listing which executables may run on a host; that is a different control and is not what is meant on this page.)
• Completeness checks – controls ensure records processing from initiation to
completion
• Validity checks – controls ensure only valid data is input or processed
• Identification – controls ensure unique, irrefutable identification of all users
• Authentication – controls provide an application system authentication
mechanism
• Authorization – controls ensure access to the application system by approved
business users only
• Input controls – controls ensure the integrity of data fed into the application system from upstream sources
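The checks listed above applied to an incoming order feed, as an added example in Go (not part of the original presentation). The Order and Batch structures, the field names, the allowed currencies, the approver list and the approval threshold are assumptions for this example, and the sample batch is constructed. The batch-level record count and hash total are classic input controls: the upstream system declares them with the feed, and the receiving application refuses the feed when they do not reconcile; the per-record checks cover the completeness, validity and authorization controls.

```go
package main

import "fmt"

// Order is one transaction record as received from an upstream feed (field names assumed).
type Order struct {
	ID         string
	Customer   string
	SKU        string
	Qty        int
	Amount     int64 // in paise: integer arithmetic keeps control totals exact
	Currency   string
	ApprovedBy string // user who approved the order, if any
}

// Batch is the feed plus the control totals the sender computed over it.
type Batch struct {
	Orders      []Order
	RecordCount int   // sender-declared number of records
	HashTotal   int64 // sender-declared sum of Amount over all records
}

// Finding names the control that failed and the record concerned (empty OrderID = batch level).
type Finding struct {
	Control string // "input", "completeness", "validity" or "authorization"
	OrderID string
	Reason  string
}

// Assumed reference data; a real application would read these from configuration or a master table.
var allowedCurrencies = map[string]bool{"INR": true, "USD": true}
var authorizedApprovers = map[string]bool{"finance.lead": true}

const approvalThreshold int64 = 5_000_000 // 50,000.00 INR in paise

// ApplyControls runs the input, completeness, validity and authorization checks over a batch
// and returns every failure; the caller rejects or quarantines the batch if any are present.
func ApplyControls(b Batch) []Finding {
	var out []Finding
	fail := func(control, id, reason string) { out = append(out, Finding{control, id, reason}) }

	// Input controls: what was received must reconcile with what the upstream system declared.
	if len(b.Orders) != b.RecordCount {
		fail("input", "", fmt.Sprintf("record count %d does not match declared %d", len(b.Orders), b.RecordCount))
	}
	var sum int64
	seen := map[string]bool{}
	for _, o := range b.Orders {
		sum += o.Amount
		// Completeness: every mandatory field must be present.
		if o.ID == "" || o.Customer == "" || o.SKU == "" || o.Currency == "" {
			fail("completeness", o.ID, "mandatory field missing")
		}
		// Validity: only well-formed, non-duplicate records are processed.
		if seen[o.ID] {
			fail("validity", o.ID, "duplicate order id")
		}
		seen[o.ID] = true
		if o.Qty <= 0 {
			fail("validity", o.ID, fmt.Sprintf("quantity %d is not positive", o.Qty))
		}
		if o.Amount <= 0 {
			fail("validity", o.ID, "amount is not positive")
		}
		if !allowedCurrencies[o.Currency] {
			fail("validity", o.ID, "currency "+o.Currency+" not allowed")
		}
		// Authorization: high-value orders need an approver from the authorized list.
		if o.Amount > approvalThreshold && !authorizedApprovers[o.ApprovedBy] {
			fail("authorization", o.ID, "amount above threshold without authorized approver")
		}
	}
	if sum != b.HashTotal {
		fail("input", "", fmt.Sprintf("hash total %d does not match declared %d", sum, b.HashTotal))
	}
	return out
}

// SampleBatch is a constructed feed with one clean record and several control failures;
// the sender declared five records but only four arrived, while the hash total still matches.
func SampleBatch() Batch {
	return Batch{
		Orders: []Order{
			{"O-1001", "C-7", "SKU-A", 2, 150000, "INR", ""},
			{"O-1002", "C-8", "SKU-B", 0, 99900, "INR", ""},            // invalid quantity
			{"O-1003", "C-9", "SKU-C", 1, 7500000, "INR", "sales.rep"}, // needs finance approval
			{"O-1004", "", "SKU-D", 1, 20000, "EUR", ""},               // missing customer, bad currency
		},
		RecordCount: 5,
		HashTotal:   7769900,
	}
}

func main() {
	for _, f := range ApplyControls(SampleBatch()) {
		fmt.Printf("%-14s %-7s %s\n", f.Control, f.OrderID, f.Reason)
	}
}
```

Each finding carries the name of the control that produced it, so the same output can feed the application's own rejection logic and the auditor's test of that control.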
Benefits of Application Controls
• Reliability
– Reduces likelihood of errors due to manual intervention
• Benchmarking
– Reliance on IT general controls can lead to concluding the application
controls are effective year to year without re-testing
• Time and cost savings
– Typically application controls take less time to test and only require
testing once as long as the IT general controls are effective
Types of Application Controls
• Inherent controls are delivered with the application and do not need to
be added to it
• Configurable controls are automated controls to be defined at the time
of system/application configuration
• Security controls are generally user access, segregation of duties
controls, roles and process rules
• Reporting controls are those that rely on standard or ad-hoc reports
from the application
• Workflow controls are used to notify application users that a transaction or process is awaiting their action
Application (Internal) Control Model
• An internal control system is the set of rules, policies and procedures (control mechanisms) involved in the management of business risk.
• A control mechanism helps an operational process reach its aim without necessarily being part of the process.
• Control can be an excellent tool for achieving organizational aims. However, its implementation should be supported by a coherent and consistent framework.
• Because an electronic commercial transaction cuts across both the intra-organizational and the inter-organizational environment, the internal control system cannot be confined to the organization's own boundary: it applies to intra-organizational control and to inter-organizational control alike.
• Intra-organizational control, which traditional commercial transactions treated on its own, is therefore extended to include the inter-organizational controls that traditional transactions also considered separately.
Organizations adopting electronic commerce strategies should take two main principles of internal control into consideration: the types of controls that apply in the e-commerce sphere of action, and whether the organization has a specific framework available to help it implement an adequate internal control system.
One of the primary aims of implementing a risk-based internal control system that deals with intra-organizational and inter-organizational controls in a holistic fashion is the overall management of audit risk, according to its three components:
• Inherent risk – the risk that an error exists which is material on its own or when combined with other errors; inherent risk exists regardless of any audit, because of the nature of the business.
• Control risk – the risk that a material error is not prevented, or not detected in time, by the internal control system, given the organization's risk appetite and its defined risk management criteria.
• Detection risk – the risk that the information systems auditor uses inadequate test procedures and therefore concludes that no material errors exist when they do.
The framework released by COSO (Committee of Sponsoring Organizations of the Treadway Commission) entitled "Enterprise Risk Management Framework" establishes the following sequence of events for enterprise risk management in the control environment:
1. Defining the organization's aims
2. Risk evaluation (identify it, measure it, prioritize it)
3. Risk management (control it, avoid it, share it)
The COSO ERM framework divides organizational aims into four categories:
1. Strategic aims, aligned with and supporting the entity's mission
2. Operational aims, related to the effective and efficient use of the entity's resources
3. Reporting aims, related to every organization's need to report its performance internally and externally
4. Compliance aims, related to compliance with applicable laws and regulations
The COSO ERM Framework defines enterprise risk management as a process, effected by an entity's board of directors, management and other personnel, designed to identify potential events that may affect the entity and to manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
The eight sub-processes that constitute it are (COSO 2003):
1. Internal Environment – Management sets a philosophy regarding risk and
establishes a risk appetite.
2. Objective Setting – Objectives must exist before management can identify
events potentially affecting their achievement.
3. Event Identification – Potential events that might have an impact on the entity
must be identified.
4. Risk Assessment – Identified risks are analyzed in order to form a basis for
determining how they should be managed.
5. Risk Response – Management selects an approach or set of actions to align assessed risks with the entity's risk appetite.
6. Control Activities – Policies and procedures are established and executed to help ensure that the risk responses management selected are effectively carried out.
7. Information and communication – Relevant information is identified,
captured and communicated in a form and timeframe that enable people to
carry out their responsibilities.
8. Monitoring – The entire enterprise risk management process must be
monitored, and modifications made as necessary.
REAL-TIME E-COMMERCE AUDITING
Real-time auditing of electronic commercial transactions should be backed by a strong theoretical component that allows it to be conceptualized from an epistemological point of view, which in turn makes it easier to design an adequate organizational and technological architecture. As mentioned above, this theoretical component rests mainly on the fusion of intra-organizational and inter-organizational controls, supported by a coherent and consistent framework that allows business risk to be managed from a holistic perspective.

More Related Content

PDF
IRJET- Enhance Smart Cities Security by Mitigating IoT Vulnerabilities
PPT
Policies and Law in IT
PDF
Emerging Trends in Information Security and Privacy
PPT
Critical Security And Compliance Issues In Internet Banking
PDF
NEC Public Safety | Digital Identity for Banks
PPTX
Kristina Tanasichuk: Presentation of GTSC/InfraGard Cyber Survey
PPTX
Cyber security cgi moving forward
PPTX
Automotive Hacking
IRJET- Enhance Smart Cities Security by Mitigating IoT Vulnerabilities
Policies and Law in IT
Emerging Trends in Information Security and Privacy
Critical Security And Compliance Issues In Internet Banking
NEC Public Safety | Digital Identity for Banks
Kristina Tanasichuk: Presentation of GTSC/InfraGard Cyber Survey
Cyber security cgi moving forward
Automotive Hacking

What's hot (20)

DOCX
ResearchProjectComplete
PDF
India Start-ups IT Security & IT Act 2008
PDF
Internet of Things (IoT) Security Measures Insights from Patents
PPTX
Smart surveillance
DOC
Certifying authorities rules 2000
PDF
SierraVMI Virtual Mobile Infrastructure (VMI). Android-based VDI.
PDF
Your organization is at risk! Upgrade your IT security & IT governance now.
PDF
Design of a gsm based biometric access control system
PDF
5 steps-to-mobile-risk-management-whitepaper-golden-gekko
 
PPTX
Growing trend of finding2013-11 Growing Trend of Finding Regulatory and Tort ...
PDF
Technology & Life Science Practice, FailSafe Overview
PPTX
IT act 2000
PPTX
it act 2000
PPTX
Objectives of the it act.docx
PPTX
Robert Nichols: Cybersecurity for Government Contractors
PDF
Tech stocks to buy - Top small cap tech stocks
PPT
Information technology-act 2000- an overview-sethassociatesppt
PPTX
Information Technology Act 2000
PDF
IRJET- Phishing Attack based on Visual Cryptography
PPTX
IT Act 2000
ResearchProjectComplete
India Start-ups IT Security & IT Act 2008
Internet of Things (IoT) Security Measures Insights from Patents
Smart surveillance
Certifying authorities rules 2000
SierraVMI Virtual Mobile Infrastructure (VMI). Android-based VDI.
Your organization is at risk! Upgrade your IT security & IT governance now.
Design of a gsm based biometric access control system
5 steps-to-mobile-risk-management-whitepaper-golden-gekko
 
Growing trend of finding2013-11 Growing Trend of Finding Regulatory and Tort ...
Technology & Life Science Practice, FailSafe Overview
IT act 2000
it act 2000
Objectives of the it act.docx
Robert Nichols: Cybersecurity for Government Contractors
Tech stocks to buy - Top small cap tech stocks
Information technology-act 2000- an overview-sethassociatesppt
Information Technology Act 2000
IRJET- Phishing Attack based on Visual Cryptography
IT Act 2000
Ad

Similar to Controls for Digital Signature (e-Sign) Cloud Network & eCommerce Application (20)

PPSX
Digital signatures
PDF
Security Terms and Concepts in Cloud Computing
PDF
[PDF Download] CCSK Certificate of Cloud Security Knowledge All-in-One Exam G...
PDF
Cheatsheet for your cloud project
PPTX
KEC CCS 362 KEC CCS 362 KEC CCS 362 KEC CCS 362
PDF
Contribution of DSC in e-Governance .docx (1).pdf
PDF
CCSK Certificate of Cloud Security Knowledge All-in-One Exam Guide Graham Tho...
PDF
Cloud Security vs. Traditional IT Security
PPTX
Digital signatures
PPT
Digital signature
PDF
Introduction to CSA Australia 2013 by David Ross
PDF
Compliance in Public Cloud & CSA Framework
PDF
CSA Introduction 2013 David Ross
PPTX
Introduction to the CSA Cloud Controls Matrix
PDF
Rob kloots auditoutsourcedit
PDF
CCSK, cloud security framework, Indonesia
PPT
open house electronic environment IT Act
PDF
Assessing the Security of Cloud SaaS Solutions
PDF
Trust based Mechanism for Secure Cloud Computing Environment: A Survey
PDF
EuroCACS 2016 There are giants in the sky
Digital signatures
Security Terms and Concepts in Cloud Computing
[PDF Download] CCSK Certificate of Cloud Security Knowledge All-in-One Exam G...
Cheatsheet for your cloud project
KEC CCS 362 KEC CCS 362 KEC CCS 362 KEC CCS 362
Contribution of DSC in e-Governance .docx (1).pdf
CCSK Certificate of Cloud Security Knowledge All-in-One Exam Guide Graham Tho...
Cloud Security vs. Traditional IT Security
Digital signatures
Digital signature
Introduction to CSA Australia 2013 by David Ross
Compliance in Public Cloud & CSA Framework
CSA Introduction 2013 David Ross
Introduction to the CSA Cloud Controls Matrix
Rob kloots auditoutsourcedit
CCSK, cloud security framework, Indonesia
open house electronic environment IT Act
Assessing the Security of Cloud SaaS Solutions
Trust based Mechanism for Secure Cloud Computing Environment: A Survey
EuroCACS 2016 There are giants in the sky
Ad

More from Mufaddal Nullwala (20)

PPTX
Guide to Networking in Canada for Newcomers
PPTX
Canada for Newcomers - Economy and Employment
PPTX
Winters in Toronto - Self help guide for New Immigrants (PR's, Open Work Perm...
PPTX
ORGANISATIONAL MANAGEMENT - BOOK REVIEW - COMMUNICATING WITH EMPLOYEES IMPROV...
PPTX
FINANCIAL ANALYSIS - BOOK REVIEW - FAULT LINES - HOW HIDDEN FRACTURES STILL T...
PPTX
Environmental Management - Energy Audit & Features
PPTX
LEADERSHIP IN ORGANISATION (Organisational Leadership)
PPTX
Marketing Management - Product Differentiation
PPTX
Blockchain Technology
PPTX
Robotic Process Automation (RPA)
PPTX
SCM || CRM || Intrasoft - Case Study
PPTX
Business Ethics - Metaphysics of Morals by Immanuel Kant
PPTX
PRINCIPLES OF MANAGEMENT - PLANNING
PDF
Indian Economy & Startups generating Business & Jobs
PPTX
Marketing Management - Brand Building (eg.of Big Bazaar, WestSide, Globus)
PPTX
R Tribha - Business Plan for Waste Utiliszation
PPTX
International Labor Organisation - Labor Law
PPTX
Organizational Change Management
PPTX
Change Management - Principles of Management
PPT
Knowledge Management Solution
Guide to Networking in Canada for Newcomers
Canada for Newcomers - Economy and Employment
Winters in Toronto - Self help guide for New Immigrants (PR's, Open Work Perm...
ORGANISATIONAL MANAGEMENT - BOOK REVIEW - COMMUNICATING WITH EMPLOYEES IMPROV...
FINANCIAL ANALYSIS - BOOK REVIEW - FAULT LINES - HOW HIDDEN FRACTURES STILL T...
Environmental Management - Energy Audit & Features
LEADERSHIP IN ORGANISATION (Organisational Leadership)
Marketing Management - Product Differentiation
Blockchain Technology
Robotic Process Automation (RPA)
SCM || CRM || Intrasoft - Case Study
Business Ethics - Metaphysics of Morals by Immanuel Kant
PRINCIPLES OF MANAGEMENT - PLANNING
Indian Economy & Startups generating Business & Jobs
Marketing Management - Brand Building (eg.of Big Bazaar, WestSide, Globus)
R Tribha - Business Plan for Waste Utiliszation
International Labor Organisation - Labor Law
Organizational Change Management
Change Management - Principles of Management
Knowledge Management Solution

Recently uploaded (20)

PDF
Claude Code: Everyone is a 10x Developer - A Comprehensive AI-Powered CLI Tool
PDF
top salesforce developer skills in 2025.pdf
PPTX
Agentic AI : A Practical Guide. Undersating, Implementing and Scaling Autono...
PDF
T3DD25 TYPO3 Content Blocks - Deep Dive by André Kraus
PDF
EN-Survey-Report-SAP-LeanIX-EA-Insights-2025.pdf
PPTX
Oracle E-Business Suite: A Comprehensive Guide for Modern Enterprises
PPTX
Odoo POS Development Services by CandidRoot Solutions
PDF
2025 Textile ERP Trends: SAP, Odoo & Oracle
PDF
Why TechBuilder is the Future of Pickup and Delivery App Development (1).pdf
PDF
Addressing The Cult of Project Management Tools-Why Disconnected Work is Hold...
PPTX
Essential Infomation Tech presentation.pptx
PDF
Adobe Illustrator 28.6 Crack My Vision of Vector Design
PDF
Internet Downloader Manager (IDM) Crack 6.42 Build 42 Updates Latest 2025
PDF
SAP S4 Hana Brochure 3 (PTS SYSTEMS AND SOLUTIONS)
PPTX
Lecture 3: Operating Systems Introduction to Computer Hardware Systems
PDF
Odoo Companies in India – Driving Business Transformation.pdf
PDF
Understanding Forklifts - TECH EHS Solution
PDF
System and Network Administration Chapter 2
PDF
Audit Checklist Design Aligning with ISO, IATF, and Industry Standards — Omne...
PDF
How to Choose the Right IT Partner for Your Business in Malaysia
Claude Code: Everyone is a 10x Developer - A Comprehensive AI-Powered CLI Tool
top salesforce developer skills in 2025.pdf
Agentic AI : A Practical Guide. Undersating, Implementing and Scaling Autono...
T3DD25 TYPO3 Content Blocks - Deep Dive by André Kraus
EN-Survey-Report-SAP-LeanIX-EA-Insights-2025.pdf
Oracle E-Business Suite: A Comprehensive Guide for Modern Enterprises
Odoo POS Development Services by CandidRoot Solutions
2025 Textile ERP Trends: SAP, Odoo & Oracle
Why TechBuilder is the Future of Pickup and Delivery App Development (1).pdf
Addressing The Cult of Project Management Tools-Why Disconnected Work is Hold...
Essential Infomation Tech presentation.pptx
Adobe Illustrator 28.6 Crack My Vision of Vector Design
Internet Downloader Manager (IDM) Crack 6.42 Build 42 Updates Latest 2025
SAP S4 Hana Brochure 3 (PTS SYSTEMS AND SOLUTIONS)
Lecture 3: Operating Systems Introduction to Computer Hardware Systems
Odoo Companies in India – Driving Business Transformation.pdf
Understanding Forklifts - TECH EHS Solution
System and Network Administration Chapter 2
Audit Checklist Design Aligning with ISO, IATF, and Industry Standards — Omne...
How to Choose the Right IT Partner for Your Business in Malaysia

Controls for Digital Signature (e-Sign) Cloud Network & eCommerce Application

  • 1. Controls for Digital Signature (e-Sign) Cloud Network & eCommerce Application Mufaddal Nullwala SemV- MIM 15-I-131 2015-2018
  • 2. General Management Controls within IT Application controls are manual or automated control procedures that typically operate at a detailed business process (cycle or transaction) level.
  • 4. Signed Messages Message + Signature Hash Decrypt Signature With Sender’s Public Key SIGN hash With Sender’s Private key Message + signature COMPARE Calculated Hash Message Sender Receiver Hash Sent thru’ Internet if OK Signatures verified DIGITAL SIGNATURES
  • 5. Information Technology (IT) Act, 2000 • The Information Technology Act 2000 facilitates acceptance of electronic records and Digital Signatures through a legal framework for establishing trust in e-Commerce and e-Governance. • Controller of Certifying Authorities (CCA) appointed under Section 17 of the IT Act, 2000 to promote the use of Digital Signatures for e-Governance & e-Commerce. – Functions of CCA  Licensing Certifying Authorities (CAs) under section 21 of the IT Act and exercising supervision over their activities.  Controller of Certifying Authorities as the “Root” Authority certifies the technologies and practices of all the Certifying Authorities licensed to issue Digital Signature Certificates – Regulation of Certifying Authorities  CCA promotes the growth of E-Commerce and E-Governance through the wide use of Electronic (Digital) signatures
  • 6.  There are seven licensed Certifying Authorities issuing Digital signature Certificates (DSC) 1. Sify 2. IDRBT 3. NIC 4. TCS ( Not now) 5. (n)Code Solutions 6. eMudhra 7. IAF Assuranc e Level Assurance Applicability Class 0 This certificate shall be issued only for demonstration / test purposes This is to be used only for demonstration / test purposes. Class 1 This certificates shall be issued for both business personnel & private individuals use. This provides a basic level of assurance, These are given on soft tokens. Class 2 This certificates will confirm that the information in the application. Address proof and Identity Proof are required along with the application form. This level is relevant to environments where risks and consequences of data compromise are moderate. These are issued on hardware tokens. Class 3 As these are high assurance certificates, primarily intended for ecommerce applications, they shall be issued to individuals only on their personal (physical) appearance before the Certifying Authorities. This level is relevant to environments where threats to data are high or the consequences of the failure of security services are high. This may include very high value transactions or high levels of fraud risk. Classes of Certificates
  • 7. Digital Signature Enabled Applications • Ministry of Corporate Affairs MCA21 for e-filing • Income Tax e-filing • Indian Railway Catering & Tourism Corporation (IRCTC) • Director General of Foreign Trade (DGFT) • Reserve Bank of India (SFMS & RTGS) • Indian Farmers Fertiliser Cooperative Limited (IFFCO) • Directorate General of Supplies & Disposals (DGS&D) • Oil and Natural Gas Corporation (ONGC) • Gas Authority of India Ltd (GAIL)
  • 8. Enabling Digital Signatures on Mobile phones Hardware based – Cryptographic SIM cards Software based – Through APPs incorporating cryptographic algorithms Time Stamping Service • The IT (CA) Regulations mandate provisioning of Time Stamping Services by Certifying Authorities (CA) who issue Digital Signature Certificates(DSC) under the Information Technology (IT) Act, 2000 • Digitally signed Time stamps are based on time derived from National time source • Time stamps can be verified to establish the time when a document or transaction was created.
  • 10. Time Stamping Service - Benefits • Accurate time in conformance with Government Guidelines • Digitally signed time stamps – verifiable in future • Assured Integrity • Electronic Notary • Fraud detection • Time Stamped content is protected from public exposure • The only legally acceptable time stamping service
  • 11. Challenges in scaling up usage of electronic Signatures • Personal digital signature requires person’s identity verification and issuance of USB dongle having private key, secured with a password/pin. • Current scheme of physical verification, document based identity validation, and issuance of physical dongles does not scale to a billion people. • The major cost of the DSC is found to be the verification cost. Certifying Authorities engage Registration Authorities to carry out the verification of verification of credentials prior to issuance of certificate. • Physical USB Dongle compliant to mandated standards also adds to the cost. • Relying on the DSC applicant's information already available on the public database is an alternate to Manual verification. UIDAI provides one such alternative.
  • 12. eSign • Aadhaar id is mandatory for availing eSign Service. • The Unique Identification Authority of India (UIDAI) has been established with the mandate of providing a Unique Identification Number (Aadhaar Number) to all residents. • During enrolment, the following data is collected: – Demographic details such as the name of the resident, address, date of birth, and gender. – Biometric details such as the fingerprints, iris scans, and photograph; and – Optional fields for communication of such as the mobile number and email address. • eSign facilitates electronically signing a document by an Aadhaar holder using an Online Service. • Electronic Signature is created using authentication of consumer through Aadhaar eKyc service. • eSign is an integrated service that facilitates issuing a Digital Signature Certificate and performing Signing of requested data by authenticating Aadhaar holder.
  • 14. Cloud security controls • Cloud computing security or, more simply, cloud security refers to a broad set of policies, technologies, and controls deployed to protect data, applications, and the associated infrastructure of cloud computing. It is a sub-domain of computer security, network security, and, more broadly, information security. • Cloud security architecture is effective only if the correct defensive implementations are in place. An efficient cloud security architecture should recognize the issues that will arise with security management. • The security management addresses these issues with security controls. These controls are put in place to safeguard any weaknesses in the system and reduce the effect of an attack.
  • 15. While there are many types of controls behind a cloud security architecture, they can usually be found in one of the following categories:
    • Deterrent controls: These controls are intended to reduce attacks on a cloud system. Much like a warning sign on a fence or a property, deterrent controls typically reduce the threat level by informing potential attackers that there will be adverse consequences for them if they proceed.
    • Preventive controls: Preventive controls strengthen the system against incidents, generally by reducing if not actually eliminating vulnerabilities. Strong authentication of cloud users, for instance, makes it less likely that unauthorized users can access cloud systems, and more likely that cloud users are positively identified.
  • 16.
    • Detective controls: Detective controls are intended to detect and react appropriately to any incidents that occur. In the event of an attack, a detective control will signal the preventive or corrective controls to address the issue.[8] System and network security monitoring, including intrusion detection and prevention arrangements, are typically employed to detect attacks on cloud systems and the supporting communications infrastructure.
    • Corrective controls: Corrective controls reduce the consequences of an incident, normally by limiting the damage. They come into effect during or after an incident. Restoring system backups in order to rebuild a compromised system is an example of a corrective control.
  • 17. 7 Must-Have Security Controls for Any Cloud Environment
    • Security Architecture
    • Identity and Access Management
    • Data Protection
    • Governance
    • Risk Management
    • Compliance
    • Availability
  • 18. Cloud Security Alliance (CSA)
    • The world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment.
    • CSA’s comprehensive research program works in collaboration with industry, higher education and government on a global basis.
    • CSA’s activities, knowledge and extensive network benefit the entire community impacted by cloud.
  • 19. eCommerce Application
    An e-commerce application consists of rendering an effective commercial transaction, one that links two entities (customer and supplier), using the Internet as the technological platform to establish the information and communication channel between those two entities.
     Authentication - guarantee of the legal entity, singular or plural, with whom we are working
     Integrity - guarantee that the contents of the communication between both parties are not modified
     Confidentiality - guarantee that no one who is not authorized, whether intentionally or not, has access to the contents of the communication.
  • 20. Application Controls
    Application control is a security practice that blocks or restricts unauthorized applications from executing in ways that put data at risk. The control functions vary based on the business purpose of the specific application, but the main objective is to help ensure the privacy and security of data used by and transmitted between applications.
    • Completeness checks – controls ensure records are processed from initiation to completion
    • Validity checks – controls ensure only valid data is input or processed
    • Identification – controls ensure unique, irrefutable identification of all users
    • Authentication – controls provide an application system authentication mechanism
    • Authorization – controls ensure access to the application system by approved business users only
    • Input controls – controls ensure the integrity of data feeding into the application system from upstream sources
  • 21. Benefits of Application Controls
    • Reliability – Reduces the likelihood of errors due to manual intervention
    • Benchmarking – Reliance on IT general controls can lead to concluding that the application controls are effective year to year without re-testing
    • Time and cost savings – Typically application controls take less time to test and only require testing once as long as the IT general controls are effective
  • 22. Types of Application Controls
    • Inherent controls are delivered with the application and do not need to be added to it
    • Configurable controls are automated controls to be defined at the time of system/application configuration
    • Security controls are generally user access, segregation of duties controls, roles and process rules
    • Reporting controls are those that rely on standard or ad-hoc reports from the application
    • Workflow controls are used to notify application users that a transaction or process is awaiting their action
  • 23. Application (Internal) Control Model
    • The term internal control system commonly designates the set of rules, policies and procedures (control mechanisms) involved in the management of business risk.
    • A control mechanism helps an operational process reach its aim without necessarily being part of the process.
    • Control can be an excellent tool for achieving organizational aims. However, its implementation should be supported by a coherent and consistent framework.
  • 24.
    • The unified nature of electronic commercial transactions, which span both the intra-organizational and the inter-organizational environment, means that the internal control system is not restricted to either one. Thus, it applies not only to intra-organizational control but also to inter-organizational control.
    • Intra-organizational control, which was dealt with separately in traditional commercial transactions, is extended to include the inter-organizational controls that were also considered separately in traditional transactions.
  • 25. Should organizations think of adopting electronic commerce strategies, two main principles of internal control should be taken into consideration: the type of controls in the e-commerce sphere of action, and whether those organizations have a specific framework available to help them implement an adequate internal control system.
    One of the primary aims of implementing risk-based internal control systems, dealing with the intra-organizational and inter-organizational controls in a holistic fashion, is the global management of audit risk, according to three of its components:
    • Inherent risk – the risk of an existing error that is material on its own, or important when combined with other errors; inherent risk exists, even when an audit is done, due to the nature of the business
    • Control risk – the risk that a material error exists which is not prevented or quickly detected by the internal control system, according to the organization’s risk appetite and the defined risk management criteria.
    • Detection risk – the risk that the information systems auditor uses inadequate test procedures and thus concludes that no material errors exist.
  • 26. The framework released by COSO (Committee of Sponsoring Organizations of the Treadway Commission), entitled “Enterprise Risk Management Framework”, establishes a sequence of events for enterprise risk management in a control environment, consisting of:
    1. Defining the organization's aims
    2. Risk evaluation (identify it, measure it, prioritize it)
    3. Risk management (control it, avoid it, share it)
    The COSO ERM framework divides the organizational aims into four categories:
    1. Strategic aims, aligned with and supported by the entity’s mission
    2. Operational aims, related to the effective and efficient usage of the entity’s resources
    3. Reporting aims, related to every organization’s need to report its performance internally and externally
    4. Conformity aims, related to conformity with applicable laws and regulations
  • 27. The COSO ERM Framework defines enterprise risk management as a process, effected by an entity’s board of directors, management and other personnel, that manages risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives. The eight sub-processes that constitute it are (COSO 2003):
    1. Internal Environment – Management sets a philosophy regarding risk and establishes a risk appetite.
    2. Objective Setting – Objectives must exist before management can identify events potentially affecting their achievement.
    3. Event Identification – Potential events that might have an impact on the entity must be identified.
    4. Risk Assessment – Identified risks are analyzed in order to form a basis for determining how they should be managed.
    5. Risk Response – Management selects an approach or set of actions to align assessed risks with the entity’s risk appetite.
  • 28.
    6. Control Activities – Policies and procedures are established and executed to help ensure that the risk responses management selected are effectively carried out.
    7. Information and Communication – Relevant information is identified, captured and communicated in a form and timeframe that enable people to carry out their responsibilities.
    8. Monitoring – The entire enterprise risk management process must be monitored, and modifications made as necessary.
    REAL-TIME E-COMMERCE AUDITING
    Real-time auditing of electronic commercial transactions should be backed by a strong theoretical component, which will enable its conceptualization from an epistemological point of view, thus making the design of an adequate organizational and technological architecture easier. As we have previously mentioned, this theoretical component is mainly based on the fusion of intra-organizational controls and inter-organizational controls, supported by a coherent and consistent framework, which will allow one to manage business risk from a holistic perspective.

Editor's Notes

  • #22: Reliability - Application controls are more reliable than manual controls when evaluating the potential for control errors due to human intervention. Once an application control is established, and there is little change to the application, database, or supporting technology, the organization can rely on the application control until a change occurs.
    Benchmarking - If IT general controls that are used to monitor program changes, access to programs, and computer operations are effective and continue to be tested on a regular basis, the auditor can conclude that the application control is effective without having to repeat the previous year's control test. This is especially true if the auditor verifies that the application control has not changed since the auditor last tested the application control. Benchmarking is particularly effective when companies use pre-packaged software that doesn't allow for any source code development or modification. In cases like these, the company needs to consider more than just the code change. An application control within a complex application, such as SAP or Oracle Financials, can be changed, disabled, or enabled easily without any code change.
    Time and Cost - Application controls typically take less time to test than manual controls. This is because sample sizes for manual controls are tied to the frequency with which the controls are performed (i.e., daily, weekly, monthly, quarterly, or annually), while the sample size of the application controls often does not depend on the frequency of the control's performance (i.e., application controls are either operating effectively or not). In addition, application controls are typically tested one time as long as the ITGCs are effective. As a result, all of these factors can potentially accumulate to a significant savings in the number of hours required to test an application control versus a manual control.