Cyber Laws For CxO

Be Aware... Be Empowered

January 2010

Editor

 Naavi 

www.naavi.org


 Publisher

 Ujvala Consultants Pvt Ltd 

www.ujvala.com


 Contents

Editorial

Knowledge+

News Snippets

Interviews:

Dinesh Pillai,

Rajat Mohanty,

Messages

Questions and Answers

Disclosure



Interview of the Month-2

Rajat Mohanty is co-founder and CEO of Paladion, one of the prominent players in Information Security audit and implementation in India. An alumnus of IIT and IIM Kolkata, he brings a deeply analytical mind to solving business problems. He has set up a successful business around Information Security at Paladion. As part of Paladion, Rajat has worked with leading financial services firms across Asia, assisting in the development of security architecture and strategy. Rajat has over 15 years of experience in information risk management and technology operations.


Do you think the Information Technology Act has a relation to the functional responsibilities of a CxO?

The Information Technology Act, as amended in 2008, has several provisions that impact how enterprises create, use, share and retain electronic data, including protection of private data. A failure to meet these requirements can result in significant penalties, liability and damage to the organization's reputation.

From a regulatory perspective, top management is responsible for promoting a self-sustaining level of operations that minimizes impact to the business through breaches of laws. Top management therefore needs to take into account the amended IT Act, which has become effective recently.

In my view, the Information Technology Act impacts not just the IT department but several other business functions in today's enterprise. To take a few instances: it can impact various contractual relations created, explicitly or implicitly, in electronic format; it can impact the services offered to the end customer which are electronic in nature, like e-commerce, e-banking, e-auction and others; and it can also impact an organization for any wrongful use of information assets by its employees. As you can see, these relate to the functional activities of departments such as finance, delivery channels and human resources, apart from the IT and audit departments.

How does the Act impact the information security activities within a corporate?

The Information Technology Act requires organizations to apply the principle of due diligence for protecting sensitive electronic data. While it has not yet prescribed the nature of protection measures, it calls for establishing reasonable security practices in the organization.

It is usually difficult to quantify what level of security can be called reasonable for an organization, but adopting global standards of security and business continuity, such as ISO 27001 and BS 25999, will certainly help. However, organizations will need to carry out a detailed risk analysis of sensitive customer/personal data stored and managed by them and apply greater protection which can be demonstrated as being on par with similar technology or practices adopted by similar organizations worldwide.

As mentioned earlier, some of the activities around logging, monitoring, data retention and encryption will need to be aligned with the provisions of the Act. Also, end-user awareness training will need to incorporate sessions on IT Act awareness.

What are the steps you suggest for a company to comply with ITA 2008? 

As a first step, it is imperative that management interpret the applicability of the relevant provisions of the Act to their specific business functions and assess the level of compliance. A quick exercise to determine the gaps that exist in business processes and IT processes will not take more than 2-3 weeks in most organizations.

Based on the results of such a gap assessment, top management can thereafter direct the necessary resources for staying compliant with the Act and for building an appropriate culture of compliance.

Specifically, some of the actions that will be required for compliance will revolve around:

- Identification of personally sensitive data within the enterprise that needs to be protected
- Setting up a reasonable level of security based on the size and complexity of each organization
- Use of encryption and electronic signature systems
- Personal data acquisition and retention strategies
- Logging and monitoring of access and usage of personal data
- Policies on acceptable usage of information assets
- Contractual liabilities established with customers and partners

How can Information Security practitioners incorporate Legal Compliance under ITA 2008 into IS audits?

Organizations that are ISO 27001 certified need to demonstrate compliance with relevant regulatory requirements. In the Indian context, the IT Act will definitely become relevant for consideration under ISO 27001 certification. Therefore, the periodic audits carried out for maintenance and improvement of the ISMS under the standard will need to incorporate checks drawn from the provisions of the IT Act.

Some of the checks can be:

- Whether organizations periodically carry out identification and risk assessment of sensitive private data
- Whether data retention schemes are in place and in compliance with regulatory requirements
- Whether authentication schemes are in compliance with the Act, especially for contractual arrangements
- Whether a system exists for adequate monitoring and collection of data pertaining to cyber incidents and computer misuse
- Whether end users are appropriately informed about their responsibilities for the protection of electronic data
