From the Editor’s Desk
Dear Reader,
Animesh Agrawal
Editor – “DoMination”
(Department of Management Studies, IIT-Roorkee.)
Department of Management Studies, IIT Roorkee
It should not have happened – The Mangalore Air-Crash
- Animesh Agrawal, DoMS, IIT-Roorkee
Disaster Management
- Animesh Agrawal, DoMS, IIT-Roorkee
ZTE- China v/s Indian Government over information security concern
- Animesh Agrawal, DoMS, IIT-Roorkee
Information Risk Management Practices In Indian Public Sector Banks
- Animesh Agrawal, DoMS, IIT-Roorkee
Medical Tourism & India
- Gaurab Biswas, DoMS, IIT-Roorkee
Qutopia - 5
- J. Arjun & Mayur Gurjar, DoMS, IIT-Roorkee
Hocus-Focus
Summer Internship @ doms.edu
It should not have happened – The Mangalore Air-Crash
- Animesh Agrawal
DoMS, IIT-Roorkee

We mourn the deaths of 'AI Flight IX-812' passengers on Saturday, 22nd May 2010. We express deep condolences to the families of the deceased and pray that their souls rest in peace. This won't happen until the guilty are identified and punished. We wish that God gives strength to their families, friends and the citizens of this country to fight for their justice.

The state-of-the-art Boeing 737-800, which was inducted on January 15, 2008 and piloted by British national of Serbian origin Capt Zlatko Glusica, had 166 passengers and a six-member crew on board the budget carrier, flight IX-812. The passengers included four infants. Glusica (55) had 10,000 hours of flying experience.

Flight IX-812 from Dubai to Mangalore crashed into the thick forested valley off the runway after slamming through the boundary wall. The runway at Mangalore airport is situated on a hillock, which in aviation parlance is known as a table top runway. Basically, the runway strip is built on flat land, but the areas at either end of the runway and along its sides slope downwards. In such cases pilots have to be extra careful during landing and take-off, as any error in judgment can lead to a major disaster.

It accused them of criminal negligence.

"The likelihood of this kind of crash was predicted. A series of public interest litigations were fought to stop the construction of this second runway because the design did not conform to the most basic national and international standards. The PILs also highlighted the fact that the airport does not conform to the minimum safeguards for emergency situations, particularly during landings and takeoffs, and could not have emergency approach roads within a kilometre on all sides as required," said an ESG statement released on Saturday, 22nd May 2010. "It is quite possible that many lives were lost as emergency rescue teams could not access the crash site due to the difficult terrain (a valley) for over an hour after the incident, even though it was close to the airport," the ESG said.

Various groups like the Vimana Nildana Vistharana Virodhi Samithi (Local Communities Alliance Against Airport Expansion), Bajpe and Environment Support Group have been opposing the expansion of the Mangalore airport since the late 1990s. They had held demonstrations stating that the site chosen for expansion at Bajpe was surrounded by deep valleys on three sides of the runway and did not provide for emergency landing areas as required.
Disaster Management
- Animesh Agrawal
DoMS, IIT-Roorkee

Though it is not possible to completely avoid disasters, the suffering can be minimized by creating proper awareness of likely disasters and their impact and by developing a suitable warning system. Disaster preparedness and management of disasters can be best aided through the application of information technology tools. Changing trends have opened up a large number of scientific and technological resources and skills to reduce disaster risk.

Disaster management systems have been under discussion for a long time. Disaster Recovery, on one hand, is the system that comes into play when the business under consideration undergoes catastrophic or close to catastrophic circumstances. Such circumstances have the potential to cause damage that could prove fatal for an organization, an industry or possibly an entire society.

A disaster management system calls for action before the catastrophe has occurred. That is, precautionary measures are kept in place to help combat such events.

It can be debated whether such systems have enough business utility to be worth getting involved in. A statistician would say the events such systems address have a very low probability of occurrence. Such arguments may call into question systems that are used so infrequently. So one may ask: should they really invest in such systems?

Well, there is only one thing that can answer this: could you afford the losses if that so-called 'very low probability event' occurs? Some casual thinking would argue for keeping away from this, on the grounds that they don't have much to lose; the answer to which could be: "Can this trigger a chain reaction of losses?"

Making a decision on this will always be an ongoing fight between high optimism and pessimism. The answer lies within the proximity of a stakeholder (affected civilians, police, firemen, Non-Governmental Organizations (NGOs), etc.).
[Figure: Disaster Management Actors / Entities. Recoverable labels: Volunteer Entities; Associations Assisting Disaster Management; Public Awareness & Education, Exercise support]
[Figure: A Conceptual Flow of Information in DMIS. Recoverable labels: Disaster Management Community; Problem: Disaster Events & Phenomenology; Requirement; Data Exploitation; Product: Actionable Information; Delivery: Communicating & Disseminating Infrastructure; Actions: Measurable Outcomes]
The Government has formed the Emergency Management and Research Institute (EMRI). This group represents a public/private partnership and is aimed at improving the general response of communities to emergencies, in addition to those incidents which might be described as disasters. Some of the group's early efforts involve the provision of emergency management training for first responders (a first in India), the creation of a single emergency telephone number, and the establishment of standards for EMS staff, equipment and training.

It is hoped that this effort will provide a model for emulation by all of India; however, at the moment, it operates in the Indian states of Andhra Pradesh, Uttarakhand, Goa, Tamil Nadu, Rajasthan, Karnataka,

AI flight crash:
Helpline information was shared as Mangalore authorities set up telephone helplines to facilitate dissemination of information regarding the air crash. The helplines were set up in Delhi, Mangalore and Bangalore.
Air India announced the setting up of a control room at the airport following the AI aircraft crash at Mangalore.
Business Challenges
Companies increasingly need a competitive edge to maintain profitability and stay in
business; improved availability and outage avoidance become vital to their success. In
this environment, well-planned business continuity/disaster recovery solutions
become critical to an organization.
Watch out in our next edition for "Disaster Recovery Planning"
- Animesh Agrawal
DoMS, IIT-Roorkee
With the stated news snippet regarding ZTE-China v/s the Indian Government over information security concerns, alongside much publicized political showdowns and exchanges of statements ("controversy surrounding Union environment minister Jairam Ramesh's remark against the home ministry"), we find ourselves accountable to present before our readers
"Information Risk Management Practices In Indian Public Sector Banks"
- Animesh Agrawal
DoMS, IIT-Roorkee
In the current scenario of a competitive environment, it is vital to safeguard information against its malevolent use. Security awareness among customers, each employee and employer representatives is inevitably a necessity to be catered to. With the advent of technology, especially, comes the need for its cautious use to safeguard your assets. We focus here on Public Sector Banks in India.

Current IT Security Policy
For any organization that wants to protect itself from IT security related threats, the foremost thing is to look at the international standards used widely by organizations of the same nature in its country, or the standards developed by its country's standards institute, and then form its security policies along similar lines. With only basic guidelines from the regulator and no specific security standards specified by the Bureau of Indian Standards, the public sector banks in India mostly look to ISO 17799 and ISO 27001 as the standards to be used for forming their IT security policies. They have realized the immediate need to frame their IT security policies and have geared up by setting up an IT Security group as a separate organizational component. Most of the Public Sector Banks (PSBs) have done this very recently, not more than a year back.

Handling of misconduct: IT security policies state that failure to abide by the policies shall be treated as misconduct and will be dealt with suitably under the provisions of the bank officer employees conduct regulations 1976, Bank officer employees (Discipline and appeal regulations 1976), Bank service code, etc., and bipartite settlements; these basically take care of employees' behaviour, rules of conduct, and actions to be taken in cases of violation, frauds, disclosures and acts involving the bank's business. It is observed that sensitive technology related frauds, such as leaking electronic records and misuse of electronic media, are not mentioned at all, as these regulations were framed long before technology came into use in the banks. Hence the chances of employees involved in electronic data theft going scot-free in a court of law are very high. So an immediate amendment to the HR conduct regulations is needed.

Planning Preparedness
The IT security group in some PSU banks has a Chief Information Security Officer (CISO). This has taken place quite recently, with few exceptions. The IT Security group has 2 to 6 members, with a couple of Chief Information Security Auditor (CISA) experts and the remainder IT professionals. Many of the PSU banks don't have their CISO as CISA auditors.

Some PSU banks have temporarily formed different specialized area groups to formulate the IT security policies for areas such as network security, internet banking security, backup and recovery, email, etc. Some other PSU banks use outside consultants to review their policies, whereas the rest do neither of these, as they are in the initial stages of policy formation.

The governing board of every bank needs to fully support the endeavor of the IT security policy making process.
Implementation and fallouts (General Observations):
Implementation of these policies calls for a detailed plan, and these banks are yet to formulate a detailed methodology for their implementation.
Some banks have made their data center infrastructure ISO 27001 compliant; a few are planning for it.
Data are already classified to a certain extent.
CBS / IT vendors / third party software related risks, specifically during data migration.
Rigorous work on data ownership issues is required due to imprecisely defined mechanisms for defining ownership. The data ownership framed before CBS is not appropriate, as there is a paradigm shift from "branch banking" to "bank banking OR branch-free banking", so all the data are visible to all branches.
Banks use role based access controls, which are implemented within the parameters of DBMS access control mechanisms, whereas a combination of process and role based mechanisms is more apt.

Data leaks: vulnerabilities in the current IT security set up
Banks are exposed to security risks from within the bank and also from external entities. Data leaks could occur within the bank, which includes branch level, offsite backup related, corporate office / RO level and CBS related risks, alongside external forces, which span network and internet related threats, vendor related risks, self service channels and credit card / debit card related frauds.

Banks' Security Status: Branches have security policies, but they are lacking in terms of infallible implementation, inspection and compliance. Occurrences where security lapses are noticed are:
• Employees carrying any storage media without any authentication
• No audit trail of backups taken by the Database Administrators (DBAs) at the branch (applicable to non CBS systems)
• Camera enabled phones
• Paper reports being carried out without any manual log entries
• Password sharing
• Revealing account details without authenticating the enquirer

In case of electronic data, proper encryption should be used to avoid theft in transit. Not many of the PSU banks strictly follow the encryption mechanism. There is no periodic audit on the same.

There is no elaborate documentation on the vulnerabilities to which they are exposed, and no risk mitigation plans are available.

With the banks taking care of network related threats by using IDS, firewalls and VPN, the major concern is internet related issues. The Public Sector Banks (PSBs) have already become victims of phishing, and some have taken corrective measures by educating their customers through postings on their web sites and emails about phishing. Pharming is another form of online fraud which the banks have to take care of, as none of the banks have so far reported pharming related frauds.

General security measures as an answer to the above could be:
• During hiring: background checks, agreements, awareness induction training
• Security technology systems awareness, usage and responsiveness
• Logging of activities of each system
• Physical checks on entry / exit, use of fax or other means of information flow
• Regular monitoring and inspection
• Security theft drills (like fire drills)

Though the bankers are not technologists, their awareness of security related risks is very much evident from their preparedness in framing their IT security policies. As many Public Sector Banks (PSBs) are yet to implement them, the above recommendations can greatly help them in successfully carrying out this endeavor. Lastly, the Public Sector Banks (PSBs) should not only implement their security policies, but also follow them in full spirit, monitor them, stay updated on security related risks and keep revisiting their information security management practices whenever needed.
Medical Tourism & India
- Gaurab Biswas
DoMS, IIT-Roorkee

Medical tourism can be broadly defined as the provision of 'cost effective' private medical care in collaboration with the tourism industry for patients needing surgical and other forms of specialized treatment. This process is being facilitated by the corporate sector involved in medical care as well as the tourism industry, both private and public.

Medical or Health tourism has become a common form of vacationing, and covers a broad spectrum of medical services. It mixes leisure, fun and relaxation together with wellness and healthcare.

The idea of the health holiday is to offer you an opportunity to get away from your daily routine and come into different, relaxing surroundings. Here you can enjoy being close to the beach and the mountains. At the same time you are able to receive an orientation that will help you improve your life in terms of your health and general well being. It is like a rejuvenation and cleanup process on all levels: physical, mental and emotional.

Many people from the developed world come to India for the rejuvenation promised by yoga and Ayurvedic massage, but few consider it a destination for hip replacement or brain surgery. However, a nice blend of top-class medical expertise at attractive prices is helping a growing number of Indian corporate hospitals lure foreign patients, including from developed nations such as the UK and the US.

As more and more patients from Europe, the US and other affluent nations with expensive healthcare amenities look for effective options, India is pitted against Thailand, Singapore and some other Asian countries, which have good hospitals, salubrious climate and tourist destinations.

While Thailand and Singapore, with their advanced medical facilities and built-in medical tourism options, have been drawing foreign patients of the order of a couple of lakhs per annum, the rapidly expanding Indian corporate hospital sector has been able to get a few thousands for treatment.

But things are going to change drastically in favour of India, especially in view of the high quality expertise of medical professionals, backed by the fast improving equipment and nursing facilities, and above all, the cost-effectiveness of the package.

Medical Tourism Statistics and Facts
In a global economy characterized by better access to information and lower transportation costs, North American consumers are discovering that they can get high-quality health care more cheaply and more quickly in some developing countries. Rising health care costs in the United States and longer waiting times in Canada are inducing patients to seek treatment overseas. The appeal of this phenomenon is driven by cost savings as high as 90%, depending on the procedure and the country in which it is performed, and virtually no wait times.

There are more than 45 million U.S. citizens without health insurance, and even more with health coverage that they consider inadequate. While U.S. consumers are concerned mainly with the exorbitant cost of care, Canadians are more troubled by wait times for certain treatments. Indeed, approximately 1 million Canadians claim to be experiencing difficulties in access to care.
Official statistics on medical tourism have not been collected, but an estimated 150,000 foreigners sought care in 2004 in India alone, and this number is growing at a rate of about 15% annually. Most of these patients are from the Middle East or Asia, but the proportion of U.S. citizens and Canadians is rising. Although providers offer a diverse range of services, the most common procedures are elective.

Why is India most suitable?
Indian corporate hospitals excel in cardiology and cardiothoracic surgery, joint replacement, orthopedic surgery, gastroenterology, ophthalmology, transplants and urology, to name a few.

The various facilities in India include full body pathology, comprehensive physical and gynecological examinations, dental checkup, eye checkup, diet consultation, audiometry, spirometry, stress & lifestyle management, gold standard DXA bone densitometry, body fat analysis, coronary risk markers, cancer risk markers, spiral CT scan and high strength MRI. Each test is carried out by professional M.D. physicians, and is comprehensive yet pain-free.

All medical investigations are conducted on the latest, technologically advanced diagnostic equipment. Stringent quality assurance exercises ensure reliable and high quality test results.

The Apollo Group, Escorts Hospitals in New Delhi and Jaslok Hospitals in Mumbai are, to name a few, established names even abroad. A list of corporate hospitals such as Global Hospitals, CARE and Dr L.V. Prasad Eye Hospitals in Hyderabad, and The Hindujas and NM Excellence in Mumbai, have also built capabilities and are handling a steadily increasing flow of foreign patients. India has much more expertise than, say, Thailand or Malaysia. The infrastructure in some of India's hospitals is also very good. What is more significant is that the costs are much less, almost one-third of those in other Asian countries.
Animesh Agrawal: ani85pdm@iitr.ernet.in, animeshagr@gmail.com, Mobile: 09368090764
Department of Management Studies, IIT Roorkee