VOL. 3, NO.

7, July 2012 ISSN 2079-8407

Journal of Emerging Trends in Computing and Information Sciences
©2009-2012 CIS Journal. All rights reserved.

http://www.cisjournal.org

Information Security Framework for E-Government Implementation in Nepal

1
Pranita Upadhyaya, 2 Subarna Shakya, 3 Manish Pokharel
1, 3
Department of Computer Science & Engineering/Kathmandu University, Kavre, Nepal.
2
Department of E&C and Computer, Pulchowk Campus/Institute of Engineering /Tribhuvan University, Pulchowk, Lalitpur, Nepal.
1
[email protected], 2 [email protected], 3 [email protected],

ABSTRACT
E-government security is considered one of the crucial factors for achieving an advanced stage of e-government. As the
number of e-government services introduced to the user increases, a higher level of e-government security is required. Since
Nepal is an underdeveloped country whose development can be rapid through proper E-Government implementation.
Presently, it is in infancy stage. One of the major failure factors identified at this stage is the improper security consideration.
This paper contributes in proposing a cost effective security framework for underdeveloped country - Nepal. This paper also
contributes to the e-government literature by establishing a comparative and suggestive framework for understanding,
clarification and investigation of the security issues involved in improving e-government security in technologically-
underdeveloped countries. It first presents a review of existing global issues of e-government security in the public sector. The
paper then identifies the e-government security issues within the context of developing country - Nepal. Three cases are taken
into consideration. To identify optimal solution; categorized and suggested according to their maturity levels. This is an issue
which has not yet been widely addressed in the open literature.

Keywords: E-Government, E-Services, Security, IRD, SCN, NIBL

1. INTRODUCTION
In the rapidly growing world of ICT, various public Government to Citizen (G2C) have been categorized and
sector organizations including e-government have focused discussed namely
their efforts towards digitalizing their services to their
customers or citizens through the Internet so that users can a. Application layer security
easily use the available services from any place and at any b. Network layer security
time considering the fact that they are convenient to them c. Data security
through WWW browsers

[1],[2]. Such digitizing of information is known as a. Application Layer Security

e-services .However, a major concern over trust, protection
and safety of such information demands a high level of According to Manish Mehta et al.[2}, The
security within e-government organizations. In this context, following issues are needed to be managed at this layer:
the role of e-government, trust and information security Authentication , Data Integrity, Trust , User Anonymity and
activities is to ensure confidentiality, availability, integrity, Security Dependencies,
authentication and non repudiation of information in
addition to providing more comprehensive understanding of The security features described above are at the
user acceptance of such electronic service. service level (application level). Other Security features may
be needed at lower layers in the TCP/IP suite [2],[3].
2. TECHNICAL SECURITY
REQUIREMENTS FOR E-SERVICES b. Network Layer Security

There exists a set of ‘core’ security features that TCP/IP can be made secure with the help of
may be required by an e-service application. Some of these cryptographic methods and protocols that have been
security features are described below. developed for securing communications on the Internet.
These protocols include SSL and TLS for web traffic, PGP
Dealing with e-Government in a comprehensive for email, IPsec for the network layer security, MIME to
view is a big challenge and quite a complex task. With the expand the capacity of e-mail, S/MIME to enhance security
aid of different layers, modular extensions of whole systems in MIME data, Message Authentication Code to encrypt a
and the operability between different applications can be message and Firewalls for control of access between
granted [10]. Several generic models are already available networks, Circuit-level gateways, Application-level
that address distinct issues of a complex system on different gateways[3],[4][9].
levels. Three different levels of security of e-services or

1074
 VOL. 3, NO. 7, July 2012 ISSN 2079-8407
Journal of Emerging Trends in Computing and Information Sciences
©2009-2012 CIS Journal. All rights reserved.

http://www.cisjournal.org
c. Data Security and monitor security investment, management and
organizational audit[12];
Application-level gateways are notable for
analyzing entire messages rather than individual packets of Here, we applied the models proposed by Geoffrey
data when the data are being sent. Karokola et al.[6] and identified (with the help of various
questioners) the gaps between the present scenario and the
Some data is also confidential; not only do you not required security framework.
want to lose it, you don't want others to even view it without
authorization. Exposure of your social security number, However, they are identified for global scenario,
credit card, and bank account information could subject you for developing/underdeveloped countries extra features like
to identity theft. Company documents may contain trade security culture, security and privacy legislation,
secrets, personal information about employees or clients, or management commitment, management style, senior
the organization's financial records. Some ways to protect management and user awareness, skills and training,
your all-important user data from loss and/or unauthorized management change and information security infrastructure
access are required , this is done by Data Security which are also to be taken care off[7].
means protecting a database from destructive forces and the
unwanted actions of unauthorized users[5],[8]. It 3. RESEARCH METHODOLOGY
incorporates the following measures: Back up early and
often, Use file-level and share-level security, Password- The research methodology used in this study is
protect documents, Use EFS encryption, Use disk based on qualitative and quantitative methods. The process
encryption, make use of a public key infrastructure, Hide was divided into two phases. Phase one was to conduct a
data with steganography, Protect data in transit with IP desk review in the area of e-government, e-government
security, Secure wireless transmissions and user rights development models, and security documentations. The
management to retain control. second phase employs a research survey where
The above mentioned security measures are identified for an questionnaires and in depth interviews were conducted. This
ideal case i.e. for fully matured system. However, applying it phase was later complemented with documentation reviews
all at the preliminary stage may be quite costly affair. Since, from the studied settings such as e-government strategies,
Nepal is an underdeveloped country where quality and cost and ICT security policies. Three cases were taken. Analysis
both needs to be managed hand in hand. Optimal security were grouped based on layers discussed above. The
requirements in every case needs to be identified i.e. before Contacted groups were at the strategic level, tactical level
applying security measures we need to identify which level and operational level. All interviewees were in one way or
are we presently in and then propose a solution. In light of other responsible for delivery of e-government services to
the above, there are several models called “e-Government the public.*Grading is based on the set of questionnaires
Maturity Models (eGMMs)” developed by the international asked during Case Study. Multiple questions for each
organizations, consulting firms, academia, and individual category were prepared. Those fulfilling all the criteria –
researchers with the purpose of guiding and benchmarking Grade 5, with majority of the criteria –Grade 4., fulfilling
stage-wise e-government systems implementation and half of the criteria – Grade 3.,with partial criteria – Grade -2
service delivery. A maturity stage in eGMM reflects the and with minimal criteria – Grade -1.
level of e-government maturity; degree of technology
complexity; degree of systems sophistication; and the level 4. NEPAL’S SCENARIO
of interaction with users. Also, it offers governments the
abilities to measure the progress of e-government Various organizations have been using e-services
implementation [11]. Thus, in this paper we have taken with some preliminary security measures. Here we have
three different cases for study and have tried to identify chosen the better few for our case study.
different levels of e-services based on e-Government
maturity models (eGMM), Since, eGMM only provides a. Inland Revenue Department (IRD):
quantitative measure[6], on the basis of it, information
security Maturity Model(ISMM) are identified which Inland Revenue Department (IRD) of Government of
outlines qualitative measure . There are a number of Nepal is currently responsible for the administration of Value
Information Security Maturity Models (ISMMs) developed Added Tax, Income Tax, and Excise Duty. Likewise, the IRD
by the international organizations, consulting firms, is also responsible for monitoring non-tax revenue of the
academia, and individual researchers with main foci on government. Service is their motto and goal is to optimizing
offering security services to the organizations. ISMMs the inland revenue through fair, efficient and effective tax
proposes a structured collection of security elements needed system. Maximizing voluntary tax compliance and providing
at different levels that help organizations to easily identify taxpayer friendly services are their standing objectives. They
and understand existing security gaps; monitor the progress provide services through 51 field offices
of security implementation, practices, policies and quality;

1075
 VOL. 3, NO. 7, July 2012 ISSN 2079-8407
Journal of Emerging Trends in Computing and Information Sciences
©2009-2012 CIS Journal. All rights reserved.

http://www.cisjournal.org
Types of e-services providing are E-PAN, E-TDS,
E-Returns & E-SMS. According to e-government maturity
models presented by Geoffrey Karokola, et al[6] ; it is at
maturity level 2 –Interaction: Refer Table-1

Table 1: *eGMM Level 2 Interaction

S.No Requirements Available

1 Government provides enhanced Yes
interactive websites with more
capabilities.

2 Websites are used as tools for Yes

interaction between government and Fig 1: ISMM Grading1
citizens
3 Available Yes b. Supreme Court of Nepal (SCN):
services include search engines
4 Documents downloading, filling forms Yes The Constitution provides three tiers of Court
online, chart rooms, and emails. which include the Supreme Court of the Kingdom of Nepal,
*eGMM- e-government maturity model the Court of Appeal and the District Courts. Supreme Court
is the Apex Court. There is no distinction between Criminal
Identified Critical Levels of Information Security and Civil court except some basic procedures.
Maturity Model (ISMM) at this stage are:
Type of e-services presently being provided are old
letter management system, appeal court case management
Table 2: ISMM Level 2 Defined system, district court case management system, Legal
information center, suggestions & complains through email
S.No. Requirements Ava *Grading at Chief Justice Office and availability of digital archive.
ilabl (out 0f 5)
e According to e-government maturity models
1 Organizations with Yes 1 (eGMM) presented by Geoffrey Karokola, et al [6], it is at
normal information maturity level 2 – Interaction (Refer Table 1 & 2 ) .
security targets (IST) in a
normal security risk c. Nepal Investment Bank Limited:
environment.
2 Process metrics used Yes 1 Nepal Investment Bank Ltd. (NIBL), previously
3 Security policies Yes 1 Nepal Indosuez Bank Ltd., was established in 1986 as a joint
including awareness, venture between Nepalese and French partners.
visions, and strategies
are reviewed and Types of e-services being provided are: Third party
updated. transfer, Utility payment, Self transfer, Statement view and
4 Security risk reduction Yes 1 internet banking. It is categorized in Maturity Stage 3 –
mechanism to be used Transaction (Refer Table 3 & 4).
from technical and non-
technical security threats Table 3: eGMM Model 3 Transaction

S.No Requirements Available

1 This is enhanced stage with more Present
sophisticated technologies.

2 Citizens(users) can conduct complete Yes

on-line transactions of values
3 Available services include taxes Yes
assessment and payment

1076
 VOL. 3, NO. 7, July 2012 ISSN 2079-8407
Journal of Emerging Trends in Computing and Information Sciences
©2009-2012 CIS Journal. All rights reserved.

http://www.cisjournal.org
Identified Critical Levels of Information Security Alfawaz et al in their paper [7]; initial indications are that,
Maturity Model (ISMM) at this stage are: Refer Table-4 although the technology itself is essentially the same
globally, environmental factors influence its application and,
Table 4: ISMM Level 3 Managed hence, impact on the resulting degrees of success of e-
government implementations. The environmental factors
Grading identified for e- government security for developing
S.No Requirements Available
(Out 0f 5) countries are security culture, security and privacy
Organizations with legislation, management commitment, management style,
normal information senior management and user awareness, skills and training,
1 security targets (IST) in Yes 2 management change and information security infrastructure.
a normal/high security This too should be included in our framework.
risk environment.
The research findings from the three institutions
2 Process metrics used Yes 2 revealed that Nepal has e-government implementation
Security policies strategy. The latter can be propagated to the ministries,
including awareness, departments and agencies.
3 visions, and strategies Yes 2 This paper contributes in proposing a cost effective
are reviewed and Information Security Framework for E-Government
updated. Implementation in Nepal (if adapted from the beginning).
High risk reduction
mechanism to be used 6. CONCLUSION
4 from technical and non- Yes 3
technical security The majority of ICT management standards and
threats best-practice guidelines have been developed by
technologically-leading countries. The management of e-
government security assurance is a relatively recent focus
with which even technologically-leading countries have
unresolved issues. For countries which are still developing
and underdeveloped technologically, e-government security
management has added issues. Looking at the existing global
scenario, in Nepal there exists E-Government system but at
early infancy stage. Here security should have been one of
the key factors during implementation and is much lagging
behind. In the absence of previous research of the sort, this
paper tries to bring out the existing scenario and projects the
tentative framework needed for future security measures and
at the same time being cost effective.

REFERENCES
Fig 2: ISMM Grading2
[1] Mini-track title: E-Government Trust and Information
Security Issues and Concerns Track: E-Government
5. DISCUSSION Mini-track Chair(s):Dr Ramzi et al.

As deduced from the tables, Nepal is lagging [2] Security in E-Services and Applications , Manish
behind even at the initial stage of E-Government ehta, Sachin Singh, Yugyung Lee
implementation as obtained from the basis of security
measures taken. Out of three cases, two are in the defined [3] Rhee, M. Y. (2003). Internet Security: Cryptographic
level and one is at the managed level. NIBL is now heavily Principles, Algorithms & Protocols.
enhancing its ICT infrastructure and resources to meet stage
three functional and operational requirements. However, [4] IJCSNS International Journal of Computer Science
they are still lagging behind from security management and Network 2008 Security, VOL.8 No.5, May 2008 ,
perspective. In short, security issues have been found Zhitian Zhou, Congyang Hu
neglected & may create various types of hazards.
[5] Information security policy British Colombia, version
Besides, Tables 2 & 4 depicts the global scenario. 2.1, March 2011, Office of the Government Chief
For developing countries, as suggested by Salahuddin

1077
 VOL. 3, NO. 7, July 2012 ISSN 2079-8407
Journal of Emerging Trends in Computing and Information Sciences
©2009-2012 CIS Journal. All rights reserved.

http://www.cisjournal.org
Information Officer Ministry of Labour, Citizens’ Engineering Institute, Qingdao Technological
Services and Open Government. University Qingdao 266520, P. R. China

[6] Secure e-Government Services: Towards A [10] E-Government: Aspects of Security on Different
Framework for Integrating IT Security Services into Layers ,Maria Wimmer et al, Institute of Applied
e-Government Maturity Models, Geoffrey Karokola, Computer Science, University of Linz, Austria
et al.
[11] Karokola, & L. Yngström, “Discussing e-Government
[7] E-government security in developing countries: A Maturity Models for the Developing World – Security
managerial conceptual framework; Salahuddin View”. Proceedings of the 8th ISSA 2009 conference
Alfawaz¹, Lauren May¹, Kavoos Mohanak² on Information Security,

[8] E-Government: Aspects of Security on Different [12] G. Karokola, S. Kowalski, & L. Yngström, “Towards
Layers Maria Wimmer et. al. Institute of Applied an Information Security Maturity Models for Secure
Computer Science, University of Linz, Austria e-Government Services: A Stakeholders View”.
Proceedings of the 5th HAISA2011 Conference,
[9] E-government Information Security: Challenges and London, UK,
Recommendations Wei Zhang, Computer

1078