Title: Country Report Security Practices in Bhutan CERT Best Practices September 2004
1Country ReportSecurity Practices in BhutanCERT
Best Practices - September 2004 -
- Karma Dhendup
- ICT Security Coordinator
- Department of Information Technology, Ministry
of Information and Communications
2About Bhutan
- Location Eastern Himalaya
- Population 600,000
- Land Area 46,500 square Km
- Economy Agriculture(90), Hydro Power and
Tourism
- Government Monarchy
- Religion Buddhism
- Development Philosophy GNH
3ICT status in Bhutan
- ICT development is still new in Bhutan.
Tele-density (fix line) Urban 15, rural 1
Electrification (via power grid) 20 30
About 8,000 10,000 computers1 in the country
Only one ISP in service, started in 1999 (2,600
dial-up subscribers, 30 leased lines2)
Internet Users appx. 0.73 VSAT OPGW3 just lau
nched in urban area 12 Internet Cafes, 15 IT Vend
ors, 18 IT Training Institutes
KEY FIGURES
Bhutan ICT Policy and Strategy (BIPS) endorsed
ICM Act drafted, awaiting to be passed
MoIC established in 2003, ICT Units are to be
established in all Ministries
RECENT GOVT ACTIONS
DIT/BT estimates as of September 2003, 2.
Druknet figure as of September 2003, 3. Optical
Power Ground Wire
4Security situation in Bhutan
- E-Security Practice is still at an infant stage
- No CERT established so far
- Security threats virus, SPAM, intrusions
- Security Working Group has just been formed by
DIT to address IT security issues (June, 2004)
5About Security WG
- Objective to solve common security problems
collectively in the government
- Scope Limited to government agencies (expand it
to the whole country in future)
- Members Network administrators in every
Ministrys ICT Unit
- Progress So far 5 meetings held, methodology
and activities are identified
6Methodology (1/5)
- Hold a meeting twice a month and share security
problems in individual organizations.
- Inform new threats and viruses that they have
encountered in recent days.
- Find solutions for the new threat and discuss
measures to prevent the similar threats for other
organizations.
- Discuss new techniques and methods that are
available in the Operating Systems that are used
in the organizations.
7Methodology (2/5)
- Compare firewall setups and the services each
organizations are using.
- Interview members about the kind of services they
are using and threats involved for each service.
- Identify the types of servers organizations use
(Windows server/Linux/Solaris) for the firewall.
- Evaluate the access lists in the routers and
server firewalls.
8Methodology (3/5)
- Draft a security policy
- Policy for the User
- Policy for the System Administrator
- Files and folders management policy
- Data management policy
- Firewall management policy
- Location and safety of server rooms
9Methodology (4/5)
- Prepare questionnaire and survey the security
measures.
- The operating systems that are used on desktops
- Databases used within the organization
- The kind of threats they encounter
- The kind of software that they use
10Methodology (5/5)
- Saving bandwidth from downloads and software
updates and threats,
- Set rules for the software updates
- Use common software within the organizations like
the Anti virus software corporate edition and
centrally monitor virus definition updates and
patches. - Set download rules and use network bandwidth
monitoring tools to monitor the bandwidth usage.
- Finally conduct a workshop for wider audience.
11Future prospective
- As ICT infrastructure comes up, security issue
becomes a growing concern
- Security coordination will be a continuous
effort
- Lack of security expertise is a challenge for
Bhutan
- CERT as our solution??
12- Thank you for your attention
- Your suggestions are welcomed
Tashi Delek!! kdhendup_at_dit.gov.bt