Wednesday, April 8, 2009

Is Information Security really regulated in India?


Recently, Vishal Gupta had written an article about Information Security Regulations in India, and what steps need to be taken to make them effective. Here is an excerpt of the article:

Today, no business can run without information, be it names, addresses or account numbers of employees, customers and business partners. So enterprises should also bear the responsibility of keeping all this information. This, however, is not reflected in the frequent data breaches of recent times.

Government and industry regulators should bring forth a set of regulations and norms to ensure that enterprises value information that people entrust them with.


The purpose being:

1. Confidentiality: Information is only revealed to those who have the right
2. Integrity: No unauthorized change has occurred
3. Availability: Information is available and usable
4. Non-Repudiation: Information disputes can be resolved

Measures should be taken to ensure that the enterprises that handle personally identifiable data act responsibly. This could be classified as:

1. Mandatory establishment of information security auditors: The Prime Minister has said that India is a knowledge economy. So here, knowledge has to be treated like money. Just as financial transactions have to pass a financial auditor, information transactions should pass through information security auditors, who are different from the company's own IS team.

2. Complete auditing of confidential information: Enterprises need to deal with customer information the same way as they deal with money. It should be possible to:

• Keep track of the information deposit, i.e. opening an account
• Keep track of the events post deposit, i.e. various transactions
• Delete all information on request, i.e. closing the account

3. Enactment of disclosure norms: Most countries are still debating whether it should be mandatory to inform the people affected in a data breach. The argument is that as long as there is no damage done, the company should not be penalized. Judgments in cases related to Wells Fargo and TJX are along these lines. While this debate will continue for some time, the enactment of disclosure norms would be a significant preventive measure, since enterprises would be careful if their reputations were at risk.

4. Establishment of a centralized information security ombudsman with international reach: We need to have a centralized information security ombudsman which can affect industry-specific norms as well as coordinate with international security agencies in cases involving international cyber crime.

To conclude, the present norms in India leave much to be desired. See what Shojan Jacob, Advocate at Kerala High Court, has to say about this. It is time for the government to step in and have industries take information security more seriously.
