Towards an ungraded information security policy for Indian railways

Abstract

Information Security is for sure, one of the most critical element in any information system and its management. Indian Railway has so far not adopted a very robust and comprehensive information security policy all across the country. Railway has created a dedicated organization called CRIS (Centre of Railway Information System), which mostly looks after Passenger Reservation System (PRS), Freight Operation Information System (FOIS), e-tendering/e-procurement related issues etc. etc. On top tier, Indian Railway has an IT Directorate at railway board level, which mainly looks after the policy issues. One of the major objective of carrying out this research is to analyze the different kind of vulnerabilities and attacks that can be mounted upon railways information assets and find out ways and means for its e-security, and also come up with a comprehensive frame work policy, technically and administratively suitable for Indian Railways. In this research, an effort has been made towards incorporating the best practices prevalent all over the world, related with data, network and web application securities. This policy includes how to deal with different type of attacks on network, data and web applications, and how to secure information/data flow. Special emphasis has been given on legal aspects arising out of adoption of electronic transactions (both data/message and monetary transaction), contract formulation and electronic archiving. Indian Railway doesn t have a well defined policy for establishing a full fledged etender/e-procurement cell at all its zonal and divisional level, which can take care of compliances issues related with ISO 17799 standards, impart in house training, increase awareness within and outside the organization (for more industrial participation) and can also conduct audit. IR also doesn t have any definite policy for digital archiving, well planned e-tender box opening strategy and payment gateway integration policy with different banks and revenue department. In this thesis, an attempt has been made towards addressing these issues.