Understanding IT Security Policies

Uploaded by barsha2011

IT Security & Emerging applications in IAAD

Mandatory Training for AAOs to be empanelled for promotion as SAOs – Day 5 Session 2 (Common) Stream
Session Overview
 Digital certificates/ signatures
 Use of only secured departmental IT resources/ official e-mail IDs for office work
 Awareness of MEITY’s instructions on policies relating to use of IT in Government
 OIOS, e-office
 Role as custodian of third party data
Learning objective
To have an understanding of:
1. Concepts of the Information Technology Act, 2000, and digital signatures/ certificates as provided in the Act
2. GoI’s (MeitY’s) IT policy
3. IT Security Policy of IAAD
4. Emerging applications
 One IAAD One System (OIOS)
 e-Office
5. Role as custodian of third party data
References
 IT Act, 2000 on Digital certificates/ signatures
 IT Security Policy of IAAD
 MeitY’s instructions on use of IT in Government
Information Technology Act - 2000
Brief
 The IT Act provides a legal framework for electronic governance and e-commerce by giving legal recognition to electronic records and digital signatures.
 It also defines cyber crimes and prescribes penalties for them.
 The Act directed the formation of a Controller of Certifying Authorities to regulate the issuance of digital signatures.
 It also established a Cyber Appellate Tribunal to resolve disputes arising from this law.
Information Technology Act - 2000
History of IT Act
 The United Nations General Assembly adopted the Model Law on Electronic Commerce on 30th January 1997, known as the United Nations Commission on International Trade Law (UNCITRAL) Model Law on E-Commerce
 Enacted on 17th May 2000 – India is the 12th nation in the world to adopt cyber laws
 India passed the Information Technology Act, 2000 on 17th October 2000
 Amended in December 2008
 The amended Act is known as The Information Technology (Amendment) Act, 2008
IT Act 2000 - contents
The Information Technology Act, 2000 has 13 chapters, 94 sections and 4 schedules.
 The first 14 sections deal with legal aspects concerning digital signatures.
 Further sections deal with certifying authorities, who are licensed to issue digital signature certificates.
 Sections 43 to 47 provide for penalties and compensation.
 Sections 48 to 64 deal with Tribunals and appeals to the High Court.
 Sections 65 to 79 of the Act deal with offences.
 Sections 80 to 94 deal with the miscellaneous provisions of the Act.
IT Act - 2000
Effect on other enactments
The Act also amended various sections of the
1. Indian Penal Code, 1860,
2. Indian Evidence Act, 1872,
3. Banker's Book Evidence Act, 1891, and the
4. Reserve Bank of India Act, 1934
to make them compliant with new technologies.
Highlights of the IT (Amendment) Act, 2008
 It focuses on privacy issues.
 It focuses on Information Security.
 It came with surveillance provisions for cyber cases.
 The concept of Digital Signature was elaborated.
 It clarified reasonable security practices for corporate bodies.
 The role of intermediaries was given focus.
 It came with the Indian Computer Emergency Response Team (CERT-In).
 New facets of cyber crime were added.
IT Act - applicability
The IT Act is not applicable to -
 A negotiable instrument (other than a cheque) as defined in section 13 of the Negotiable Instruments Act, 1881;
 A power-of-attorney as defined in section 1A of the Powers-of-Attorney Act, 1882;
 A trust as defined in section 3 of the Indian Trusts Act, 1882;
 A will as defined in clause (h) of section 2 of the Indian Succession Act, 1925, including any other testamentary disposition;
 Any contract for the sale or conveyance of immovable property or any interest in such property;
 Any such class of documents or transactions as may be notified by the Central Government.
Digital Signatures
What are digital signatures?
 Digital signatures mean the authentication of any electronic record using an electronic method or procedure in accordance with the provisions of the Information Technology Act, 2000.
 A handwritten signature scanned and digitally attached to a document does not qualify as a Digital Signature.
 Further, digital signatures authenticate the source of messages such as an electronic mail or a contract in electronic form.
Features of digital signature
 The three important features of a digital signature are:
 Authentication – They authenticate the source of messages. Since the ownership of a digital certificate is bound to a specific user, the signature shows that the user sent it.
 Integrity – Sometimes, the sender and receiver of a message need an assurance that the message was not altered during transmission. A digital certificate provides this feature.
 Non-Repudiation – A sender cannot deny sending a message which has a digital signature.
Digital Signature – IT Act
 According to the Information Technology Act, 2000, digital signatures mean authentication of any electronic record by a subscriber by means of an electronic method or procedure in accordance with the provisions of section 3. Further, the IT Act, 2000 deals with digital signatures under Sections 2, 3, and 15.
Section 2(1)(p)
 According to Section 2(1)(p), digital signature means ‘authentication of any electronic record using an electronic method or procedure in accordance with the provisions of Section 3’.
 Further, authentication is a process for confirming the identity of a person or proving the integrity of information. Authenticating messages involves determining the source of the message and verifying that it has not been altered or modified in transit.
Digital Signatures – IT Act
Section 3
 Section 3 of the Information Technology Act, 2000 provides certain provisions for the authentication of electronic records. The provisions are:
 Subject to the provisions of this section, any subscriber can affix his digital signature and hence authenticate an electronic record.
 An asymmetric crypto system and hash function envelop and transform the initial electronic record into another record, which effects the authentication of the record.
 Also, any person in possession of the public key can verify the electronic record.
 Further, every subscriber has a private key and a public key which are unique to him and constitute a functioning key pair.
Digital Signatures – IT Act
Secure Digital Signature (Section 15)
Let’s say that two parties agree to apply a certain security procedure. If it is possible to verify that a digital signature affixed was:
 Unique to the subscriber affixing it,
 Capable of identifying the subscriber,
 Created in a manner under the exclusive control of the subscriber, and
 Linked to the electronic record in such a manner that a change in the record invalidates the digital signature,
then, if these conditions are satisfied, it is a secure digital signature.
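The mechanism behind the features, Section 3 and Section 15 slides above (hash the record, sign the digest with the subscriber's private key, verify with the public key alone, and let any change in the record or any other key pair invalidate the signature), as an added example written for this page and not taken from the training material or the Act; it uses only Go's standard library, and the sample inspection-report text and the two subscribers are constructed for illustration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Subscriber wraps the private/public key pair that Section 3 says is unique to each subscriber.
type Subscriber struct{ priv *rsa.PrivateKey }

// NewSubscriber generates a fresh 2048-bit RSA key pair (hypothetical helper; standard library only).
func NewSubscriber() (*Subscriber, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Subscriber{priv: priv}, nil
}

// PublicKey is all a verifier needs; the private key never leaves the subscriber.
func (s *Subscriber) PublicKey() *rsa.PublicKey { return &s.priv.PublicKey }

// Sign is the "hash function + asymmetric crypto system" step of Section 3:
// the record is hashed with SHA-256 and the digest is signed with the private key.
func (s *Subscriber) Sign(record []byte) ([]byte, error) {
	digest := sha256.Sum256(record)
	return rsa.SignPKCS1v15(rand.Reader, s.priv, crypto.SHA256, digest[:])
}

// Verify re-hashes the record and checks the signature with the public key only.
// It fails both when the record was altered and when the signature came from a
// different key pair, which is what the Section 15 conditions require.
func Verify(pub *rsa.PublicKey, record, sig []byte) bool {
	digest := sha256.Sum256(record)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// Outcome: Genuine = unaltered record with the signer's key; Tampered = record
// changed after signing; WrongSigner = checked against another officer's key.
type Outcome struct{ Genuine, Tampered, WrongSigner bool }

// Walkthrough signs a constructed sample record and runs the three verifications.
func Walkthrough() (Outcome, error) {
	signer, err := NewSubscriber()
	if err != nil {
		return Outcome{}, err
	}
	other, err := NewSubscriber()
	if err != nil {
		return Outcome{}, err
	}
	// Constructed sample record; the altered copy differs by a single digit.
	record := []byte("Inspection Report draft: 3 paras, money value Rs 12.50 lakh")
	altered := []byte("Inspection Report draft: 3 paras, money value Rs 2.50 lakh")
	sig, err := signer.Sign(record)
	if err != nil {
		return Outcome{}, err
	}
	return Outcome{
		Genuine:     Verify(signer.PublicKey(), record, sig),
		Tampered:    Verify(signer.PublicKey(), altered, sig),
		WrongSigner: Verify(other.PublicKey(), record, sig),
	}, nil
}
```

Walkthrough is the entry point; only the first verification succeeds, the altered record and the other officer's key both fail.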
Digital Signature vs Electronic Signature
Basis for comparison | Digital signature | Electronic signature
Basic | A digital signature can be visualised as an electronic "fingerprint" that is encrypted and identifies the person who actually signed it. | An electronic signature could be any symbol, image or process attached to the message or document that signifies the signer's identity and acts as consent to it.
Authentication mechanism | Certificate-based digital ID | Verifies the signer’s identity through email, phone, PIN, etc.
Used for | Securing a document | Verifying a document
Validation | Performed by trusted certificate authorities or trust service providers | No specific validation process
Security | Highly secure | Vulnerable to tampering
GoI security policy & MeitY guidelines

Reference: GOI – MeitY IT policies

GOI security policies
The Ministry of Electronics and Information Technology (MeitY) has framed policies for various areas of IT. A few of them are listed below:
 Policy on Use of IT Resources
 National Cyber Security Policy-2013
 Policy for .IN Internet Domain Registration
 Internet Domain Name-Policy Framework and Implementation
 Policy on Adoption of Open Source Software for GoI
 Email Policy
 National Policy on Software Products – 2019
 Framework & Guidelines for Use of Social Media for Government Organisations
GoI policies in guidelines
In brief:
 All government officials are expected to use only the official email ID provided by NIC for official communications. (Email policy)
 All software projects should strive to use free and open source software and open source APIs. (Open source software policy)
 All GoI Departments’ websites should be under gov.in and should follow the security policy and design guidelines. (Domain registration policy)
 Officials should not resort to social media to air their personal opinions or grievances. (Guidelines for Use of Social Media)
 All IT resources should be protected and passwords should be as per the password policy. (Policy on Use of IT Resources)

IAAD security policy & guidelines

(Reference: Information Systems Security Handbook for IAAD and CAG Guidelines on administration of email IDs)
Security policy - IAAD
 The security policy of IAAD is contained in the Information Systems Security Handbook for Indian Audit & Accounts Department. (Released 2003)
 The Security Handbook contains 3 parts
 Part I – Information Technology Security Policy
 Part II – Domain Specific Security Instructions
 Part III – Subsidiary security policies
 Part IV – Guidelines and methodologies
 Apart from these, detailed Guidelines on administration of email IDs and other circulars are periodically issued by the CAG Office. These are generally based on MeitY, CERT-In and NIC circulars on security issues.
IAAD security policy statement
It is the policy of the organisation to ensure that:
1. Assets will be classified as to the level of protection required
2. Information will be protected against unauthorised access
3. Confidentiality of information will be assured
4. Integrity of information will be maintained
5. Business requirements for the availability of information and information systems will be met
6. Personnel security requirements will be met
7. Physical, logical, and environmental security (including communications security) will be maintained
8. Legal, regulatory, and contractual requirements will be met
9. Systems development and maintenance will be performed using a life cycle methodology
10. Business continuity plans will be produced, maintained and tested
11. Information security awareness training will be provided to staff
12. All breaches of information systems security, actual or suspected, will be reported to, and promptly investigated by, the Information Security Officer
13. Violations of the Information Security Policy will result in penalties or sanctions.
Emerging Applications

One IAAD One System (OIOS)

Background
 Individual offices/ officers in the past have taken the initiative to develop systems to assist in the audit process (IR MAIN, AMS, OPTIMA - AG TN, IRPS - AG HP, BI Dashboard - AG Tripura, etc.).
 These systems served their intended limited purposes but, being localised, in-house efforts, could not scale up and also had other inherent drawbacks.
 In certain cases, audited organisations have gone to the extent of developing systems for us, like “OCAMP*” and “APMS#”.
 The audited organisation profile is changing, and for a better informed audit we need systems to assist us.
 The idea to channelise the scarce resources and develop one system that would assist all our audits came up in this background.

*OCAMP: Odisha Central Audit Management Portal
#APMS: Audit Process Management System
One IAAD One System (OIOS)
OIOS overview (diagram; components listed below):
 Audit Process Management System (APMS): Audited organisation Universe; Audit Planning and Design; Audit Execution and Documentation; Audit Reporting and Follow Up of Audit
 Audit Knowledge Management System (Audit KMS): Audited organisation Information/ Profile; Audit Guidance (Regulations, Standards, Guidelines, Manuals, Checklists); Structured Data (Fin. & Operational Data); Semi/ Un Structured Data (e.g. GOs/ OMs/ Reports); Repository; IFMS, VLC, PFMS
 CAG Website
 Admin Systems: HR; Training; Asset Inventory; Budget; Expenditure Monitoring
Audit Process Management System (APMS)
 Primary system of record (Single Source of Truth) for the entire chain of audit activities
 From audit planning and design through audit execution to issue and follow-up of Inspection Reports (IRs) to processing and finalisation of Audit Reports
 Activities through the IT system, not post facto recording
 Will ensure consistent, reliable data in a uniform format across all Audit Offices
 Dispense with numerous monthly/ quarterly returns – internal to Field Audit Office (FAO) and to CAG’s office
 Supports better and real-time monitoring of the audit process, especially audit execution
 Integration/ linkage with HR and Training systems
 Integrated with Audit KMS (Knowledge Management System)
Audit Process Management System (APMS)
 Workflow-based; primary system of record for all audit processes
 Not post facto data entry
 Maintaining the Audited organisation Universe (Apex Auditable Entities; Audit Units and Implementing Units)
 Online preparation of Audit Memos/ Requisitions
 Online preparation/ processing of Inspection Reports
 Uploading of supporting documentation
 Follow-up of IRs
 ATN/ATRs processing
 Covers all types of audit – Compliance, Performance, Financial audit
 RFP* to include requirement of local language support
 Interface with Audited organisation

*RFP: Request for Proposal
Audit KMS
 Audit Guidance
 Regulations; Auditing Standards
 Auditing Guidelines; Guidance Notes; Practice Guides
 Manuals (CAG’s Office and Field Office)
 Repository of audit checklists (by type of Audited organisation)
 For adapting and use, as appropriate, by different Field Audit Offices
 Audited organisation Information
 Will not be uniform; will vary across audit offices/ audit streams
 Unstructured information (e.g. GOs/ GRs; Budget papers; Annual/ longer term Plans; DPRs; Procurement Documentation; Evaluation Reports)
 Data marts – databases from audited organisations, e.g. All-India/ Central databases like NREGASOFT; U-DISE*
 Financial systems – State IFMS; VLC; Central PFMS
 Continuously growing/ updating; will need strong moderating (centrally and locally) to maintain documentation relevance

*U-DISE: Unified District Information System for Education
Audit KMS
Audit KMS components (diagram; elements listed below):
 MIS Dashboard; Document Management System; Content Forum; Wiki; Search Tool
 Technical Support: Business Rule Engine; Machine Learning; Import; Data Collection; Analysis; Sharing of results
 Audit process: Risk assessment; Field audit; Preparation of Draft IR; Quality Assurance (IR); Pursuance & Settlement; Certification of accounts (SoF, DP, DAN, ML, AR, Follow-up, Quality Assurance)
 Personnel: Job Allocation; Audit Team Composition; Leave; Tour; Training; Personnel Master
 Audit Universe; Audited organisation Interface; Communication; Signature; Organisational Structure; E-Authentication
Technology and Sourcing
 Web enabled
 Online and Offline features (for Field Audit parties)
 Comprehensive IT system across Audit Offices
 Common core structure and minimum required mandatory functionality
 Customise/ adapt other functionality (‘desirable’) across offices
 MIS with customisable dashboards and drill-down feature to the required level of detail
 Accessible from anywhere and across all types of devices
 Accessible to staff members on a need-to-know basis; bring empowerment and a sense of ownership
Main Modules
 01 – Organization
 02 – Personnel
 03 – Audited organisation Universe
 04 – Audit Planning
 05 – Audit Design
 06 – Audit Execution
 07 – Audit Reporting
 08 – Audit Follow-up
 09 – ITA/ Peer Review
 10 – KMS/ Data Repository
 11 – Business Intelligence
 12 – TGS* for ULBs and PRIs
 13 – Administration

Each Module will have sub-modules (not detailed here)

* TGS – Technical Guidance and Supervision
* ULB – Urban Local Bodies
* PRI – Panchayati Raj Institution
Phase I (Q1-Q2 2020)
 01 – Organization
 02 – Personnel
 Employee Master; Employee Profile; Posting/ Transfer
 03 – Audited organisation Universe
 04 – Audit Planning
 Annual Audit Plan
 05 – Audit Design
 Audit Design Matrix
 06 – Audit Execution and Reporting
 From Audit Requisition to issue of Inspection Report
 Plus Proof of Concepts (PoCs*)
*PoCs: an exercise to determine the feasibility of the idea or to verify that the idea will function as envisioned
ISSUES/ CHALLENGES
1. What are the major changes (before/ after) that OIOS introduces?
2. How do we ensure that the initial implementation puts OIOS on a path of no return?
Challenges
 Instilling confidence in the Project and overcoming the fatigue that will eventually result.
 Communicating effectively the empowerment this would bring and allaying fears of centralisation, rigidity and micro-management.
 Handholding and incentivising nearly 25000 employees to shift to a digital environment.
 Aggressive timeline.
 Government Process Re-engineering required.
Challenges
 Psychological barrier/ inertia of staff to shift to a new system
 Network connectivity of adequate speed for Field Audit Parties to upload Key Documents
 Capturing all supporting documentation digitally and the additional demand on time for the same
 Legacy data capture
 Skill gap of staff for using the IT system for vetting
 Continuity of Nodal officers
 Interfaces – cooperation from audited organisations
Other developments
 Agile Methodology for development.
 The practice of continuous iteration of development and testing throughout the software development lifecycle (SDLC), unlike a waterfall model
 Looking for an Application Programming Interface (API) based open and modular architecture
 Web APIs are specialised interfaces between a client and a server:
 if the client makes a request in a specific format, it will always get a response in a specific format
Emerging Applications

eOffice
Introduction to eOffice
 A Digital Workplace Solution in Government offices
 Establish a Single Product for reuse in the Government
 Initiated in 2009. Developed and implemented by National Informatics Centre (NIC)
 Based on the Central Secretariat Manual of e-Office Procedure (CSMeOP)
eOffice - benefits
 Enhance transparency
 Increase accountability
 Assure data security and data integrity
 Transform the government work culture and ethics
 Promote innovation by releasing staff energy and time from unproductive procedures
File Management System (eFile)
eFile is a workflow based system that replaces the existing manual handling of files with a more efficient electronic system. This includes diarisation of inward correspondence, creation of files, movement of correspondence and files, electronic noting and archival of records.

Receipts
• Diarization – Electronic / Email / Physical
• Acknowledgement Generation
• Receipt to Receipt and File Attachment
• VIP Letter Tracking
• Address Book
• Signing on remarks
• Legends on priority
• Advanced Search on metadata
• Receipt Status Monitoring System
• Closing of Receipts

Files
• File Creation – Electronic and Physical
• Notings (Green and Yellow Note)
• Correspondence
• Draft for Approval (DFA)
• Referencing
• Digital Signatures on Noting and DFA
• File to File and Receipt Attachment
• Linking of File
• Closing of File
• Advanced Search on metadata

Dispatch
• Templates Selection
• Digital Signatures
• Advanced Search on metadata
• Reminders and Follow-ups
• Dispatch sent through email and post

Reports
• MIS Reports
 File/Diary Register Report
 File/Diary Movement Report
 File/Diary Pendency Reports
 ….. many more
eFile Process
(Process diagram not reproduced)
Role as custodian of third party data

(Reference: CAG Office security handbook and guidelines on data analytics and big data management)
Ownership of data
 With rapid computerisation, most of the activities of auditable entities are being recorded electronically, in various IT systems
 This data is available to audit, in different forms and from different sources.
 The auditor should obtain a certificate stating that the data is complete and the same as in the IT system of the audited entity at the time of receiving the data.
 The ownership of the data sets remains that of the audited entity
 IA&AD holds this data only in a fiduciary capacity.
 HoDs are to assume the ownership of the data sets and exercise such controls on security and confidentiality of the data as envisaged for the data owner.
Data security as custodian of data
 In the case of electronic records, making multiple copies, modifying data, deleting, etc. are easier.
 Hence, the data provided by data sources must be kept in safe custody for reference.
 All analysis must be undertaken only on copies of the source data.
 Compliance with all rules, procedures and agreements regarding data security, confidentiality and use of data of the audited entity/ third party must be ensured by audit,
 within the overall framework of data protection and security prescribed by IA&AD from time to time.
 A complete and chronological record of all data shared between the data source owner and the auditor should be stored in an unaltered and secure manner.
Data security as custodian of data
 While handling data, limit to the bare necessity the number of personnel with access to the raw data
 Establish a trail of personnel who have accessed the data.
 Computers which are used for data analytics are not connected to the internet
 Data obtained from the audited entity should be handled with due diligence to avoid any kind of unauthorised disclosure
 The concerns and instructions of the owners of the data, if any, should be ascertained and kept in view.
 Field offices may obtain data sets whose ownership is not with auditable entities under their audit jurisdiction. Security of such data sets also needs to be ensured.
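A small custody register that applies the practices on the two data-security slides above (keep the data set as received and fingerprint it at receipt, analyse copies only, record a trail of who accessed it, and keep that record unaltered): an added example for this page, not code from the CAG handbook or guidelines; the Custody type, its field names, the officer labels and the sample data are constructed for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Custody holds one data set received from an audited entity: the copy as received
// (never analysed directly), its fingerprint taken at receipt, and a chained access trail.
type Custody struct {
	source     []byte
	SourceHash string   // SHA-256 recorded at receipt, alongside the completeness certificate
	Trail      []string // entries of the form "seq|officer|action|hash-of-previous-entry"
	head       string   // hash of the latest trail entry
}

func sha(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Receive takes the data set into custody and opens the access trail.
func Receive(data []byte, officer string) *Custody {
	c := &Custody{source: append([]byte(nil), data...)}
	c.SourceHash = sha(c.source)
	c.Record(officer, "received data set, sha256="+c.SourceHash)
	return c
}

// Record appends an entry that commits to the previous entry, so later edits or
// deletions in the trail are detectable. Officer and action must not contain '|'.
func (c *Custody) Record(officer, action string) {
	entry := fmt.Sprintf("%d|%s|%s|%s", len(c.Trail)+1, officer, action, c.head)
	c.Trail = append(c.Trail, entry)
	c.head = sha([]byte(entry))
}

// WorkingCopy is the only way to get at the data: it confirms the source still
// matches the receipt hash, logs who asked, and returns a separate copy for analysis.
func (c *Custody) WorkingCopy(officer string) ([]byte, error) {
	if sha(c.source) != c.SourceHash {
		return nil, errors.New("source data set no longer matches the hash recorded at receipt")
	}
	c.Record(officer, "working copy issued")
	return append([]byte(nil), c.source...), nil
}

// VerifyTrail recomputes the chain and reports whether the trail is complete and unaltered.
func (c *Custody) VerifyTrail() bool {
	prev := ""
	for i, e := range c.Trail {
		parts := strings.SplitN(e, "|", 4)
		if len(parts) != 4 || parts[0] != fmt.Sprint(i+1) || parts[3] != prev {
			return false
		}
		prev = sha([]byte(e))
	}
	return prev == c.head
}
```

Edits made to a working copy never reach the source, and any edit to or removal of a trail entry makes VerifyTrail return false.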
Thanks
