India Start-ups IT Security & IT Act 2008
1. Information Risks, Managed
The contents of this document are property and confidential to ValueMentor Consulting and shall not be disclosed in whole or part at any time, to any third party without the prior written consent of ValueMentor Consulting LLP. © ValueMentor Consulting LLP. All rights reserved. Copyright in the whole and any part of this document belongs to ValueMentor Consulting LLP. This work may not be sold, transferred, adapted, copied and / or reproduced in whole or in part, in any manner or form, or in any media, without the prior consent of ValueMentor Consulting LLP.
IT Security & IT Act 2008
Binoy Koonammavu, Principal Consultant | CISSP, CISA, CISM, CRISC, SBCI, CCSK
Email: binoy@valuementor.com | Ph: +91-974 5767 944
2. Agenda
© ValueMentor Consulting LLP
• Introduction
• Typical Start-up Scenario
• Tips for changing the security scenario
• Some clauses of IT Act 2000 (IT AA 2008)
• Q & A
3. Shameless Advertising
• Binoy Koonammavu, that's me, works for ValueMentor Consulting LLP, a specialist information security company from Kochi
• 15 years in the field of IT, around 12 of them spent protecting data and complying with regulations
• Previously held roles such as
  – Practice Director, Information Security at UST Global
  – Manager, IT Security at Burgan Bank, Kuwait
• An honouree in the Sixth Annual Asia-Pacific Information Security Leadership Achievements (ISLA™) Program
• CISSP, CISM, CRISC, CISA, SBCI & CCSK, and has also held various vendor certifications
4. Typical Startup Scenario
5. Some Startups
• Happy developers working on the product
• Not worried about security standards or best practices
• Driven to deliver functionality
• Everybody loved the new product that fixed "that" gap
6. [image-only slide]
7. Challenges / Myths
• Secure software vs robust, usable & functional software
• Security is considered complex in the SDLC process
• Security is considered a non-functional requirement
• Hackers are targeting businesses, not software
• With Agile, development teams are required to deliver functional systems in less time
• Development team awareness of security is low and the skills are rare
8. What is often forgotten?
• Data protection
• Regulatory requirements, specifically non-financial regulations
• Data privacy
9. Data: let's think
• Data of your company
  – Intellectual property
  – Copyrights & trademarks
  – Source code
• Data of your customers
  – Personal data
  – Sensitive / confidential data
10. What do you need to do?
Protect your data
Protect your customers
11. What happens when your staff move on?
12. What happens when your staff move on?
• To your
  – Intellectual property
  – Source code
• Get non-disclosure agreements signed
13. What if you are hacked?
14. What if you are hacked?
15. [image-only slide]
16. [image-only slide]
17. Some more myths
• Security hinders usability
• Security is performance hungry
• Security is all about antivirus, firewalls, IPS etc.
• Security is all about encryption
• Security is for big companies
• It is easy to fix a vulnerability once identified
• Security is complex
18. Some tips: Data Security
19. There is no Silver Bullet
20. [image-only slide]
21. [image-only slide]
22. Design Software with Secure Features
23. The easiest way to break system security is often to circumvent it rather than defeat it
24. Know what you need to protect
• Identify your critical assets
  – Passwords
  – Health information
  – Bank account / card numbers
• Assess the risk
  – Assess threats to those assets
  – Determine the impact of loss / compromise of assets
• Define security requirements to prevent / delay the risks
• Design solutions to meet your security requirements
25. Manage Risks
• Not every system / module requires the same level of security. Assess the risks.
26. Some design considerations
Adapted from Saltzer & Schroeder, "The Protection of Information in Computer Systems"
27. Develop Software with Secure Features
"Security is just another attribute of software like usability, performance, reliability & scalability."
"The idea of incorporating security into the SDLC begins with evaluating the relative importance of this attribute and then going on to incorporating controls in line with that."
Tallah Mir, Sr. Program Manager, Microsoft
28. Develop Software with Security Features
• Convert the security design into secure code
  – Secure coding practices: https://www.securecoding.cert.org/confluence/display/seccode/
• Perform security code reviews
  – Manual
  – Automated
• Perform security tests (vulnerability assessments & penetration testing)
  – Blackbox
  – Whitebox
29. Top 10 Secure Coding Practices
1. Validate input
2. Heed compiler warnings
3. Architect and design for security policies
4. Keep it simple
5. Default deny
6. Adhere to the principle of least privilege
7. Sanitize data sent to other systems
8. Practice defense in depth
9. Use effective quality assurance techniques
10. Adopt a secure coding standard
Source: https://www.securecoding.cert.org/confluence/display/seccode/Top+10+Secure+Coding+Practices
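Four of the practices listed above (1 validate input, 5 default deny, 6 least privilege, 7 sanitize data sent to other systems) applied to the kind of account-lookup endpoint a start-up ships early, with the unsafe query kept beside the hardened one so the difference is visible. This is an added example and not code from the ValueMentor deck; the function names, the Role enum, the in-memory SQLite table and the sample usernames are assumptions constructed for illustration.

```python
import re
import sqlite3
from enum import Enum

# Practice 1: validate input against an allowlist of what a username may be,
# not a denylist of characters we happen to fear.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{2,31}$")


class Role(Enum):
    ANONYMOUS = "anonymous"
    SUPPORT = "support"
    ADMIN = "admin"


# Practice 5: default deny. The table lists what IS permitted; any role or
# action missing from it is refused without a special case.
ALLOWED_ACTIONS = {
    Role.SUPPORT: {"view_account"},
    Role.ADMIN: {"view_account", "close_account"},
}


def is_allowed(role, action):
    return action in ALLOWED_ACTIONS.get(role, set())


def validate_username(raw):
    if not isinstance(raw, str) or not USERNAME_RE.fullmatch(raw):
        raise ValueError("invalid username")
    return raw


def build_db():
    """Constructed sample data; a real service would use its own store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT PRIMARY KEY, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", [("alice", 100), ("bob", 250)])
    # Practice 6: least privilege. The request path only ever reads, so the
    # connection it uses is switched to read-only before any request is served.
    conn.execute("PRAGMA query_only = ON")
    return conn


def lookup_account_unsafe(conn, username):
    """Before: user text is concatenated into SQL, so the database receives it
    as part of the statement (practice 7 violated)."""
    return conn.execute(
        "SELECT username, balance FROM accounts WHERE username = '" + username + "'"
    ).fetchall()


def lookup_account(conn, role, raw_username):
    """After: authorisation first (5), validation second (1), and the value is
    passed as a bound parameter so SQLite never parses it as SQL (7)."""
    if not is_allowed(role, "view_account"):
        raise PermissionError("denied")
    username = validate_username(raw_username)
    return conn.execute(
        "SELECT username, balance FROM accounts WHERE username = ?", (username,)
    ).fetchall()


def handle_request(conn, role, raw_username):
    """Endpoint-style wrapper: every failure maps to a closed, generic result
    rather than leaking the reason or returning partial data."""
    try:
        return "ok", lookup_account(conn, role, raw_username)
    except PermissionError:
        return "forbidden", []
    except ValueError:
        return "bad_request", []


if __name__ == "__main__":
    db = build_db()
    print(handle_request(db, Role.SUPPORT, "alice"))
    print(handle_request(db, Role.SUPPORT, "x' OR '1'='1"))
    print(handle_request(db, Role.ANONYMOUS, "alice"))
```

The order inside lookup_account is deliberate: the authorisation check runs before any parsing, so an unauthenticated caller learns nothing about what input would have been accepted, and the parameterised query means validation is a second layer rather than the only thing standing between the caller and the database.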
30. Deploy Software with Secure Features
• Secure application, insecure host
• Develop and implement security baselines for
  – Operating systems
  – Application server
  – Web server
  – Database servers
  – Other computing devices
• Release management: how often you release code, and what process you will follow
31. Defense in Depth
Management Controls (policies, procedures, awareness & agreements): risk assessment and treatment, policies, process, NDAs, incident reporting, internal audits
Physical Security: electronic access controls, access cards, manned reception, locks, security guards, fire alarms and suppression systems
Technical Controls, by layer:
  – Perimeter: firewall, VPNs, NIPS
  – Internal Network: VLANs, NIPS, internet proxy server
  – Host: patch management, antivirus, authentication
  – Application: application hardening, ACLs, secure applications
  – Data: ACLs, encryption, backup
32. Some references
• OWASP Top 10
  – https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
• SANS Top 25
  – http://cwe.mitre.org/top25/
  – http://www.sans.org/top25-software-errors/
33. BUILD A CULTURE OF SOFTWARE SECURITY
34. IT (Amendment) Act 2008: Some sections of interest
35. Relevance of ITA 2008
• ITAA 2008 (Information Technology (Amendment) Act, 2008) focuses on covering the shortfalls of ITA 2000
• IT Act 2000 was focused on e-commerce, digital transactions and their legal validity
• IT Act 2008 focuses on information security and data privacy to a great extent
36. Direct responsibility
• The executives are directly responsible for cyber security
• The responsibility can be attributed to
  – The Head of IT / IT Manager
  – The CEO / Founders
  – under the following conditions:
    • No due diligence is practised when it comes to IT-related affairs
    • The IT Act requirements were neglected
    • The cyber security incident was a wilful act
• Information security is no longer just data security; it is law in India
37. The importance of "Due Diligence"
• Section 85: Offences by Companies
  – (1) Where a person committing a contravention of any of the provisions of this Act or of any rule, direction or order made thereunder is a Company,
    • every person who, at the time the contravention was committed, was in charge of, and was responsible to, the company for the conduct of business of the company as well as the company, shall be guilty of the contravention and shall be liable to be proceeded against and punished accordingly:
    • Provided that nothing contained in this sub-section shall render any such person liable to punishment if he proves that the contravention took place without his knowledge or that he exercised all due diligence to prevent such contravention
38. Why "Due Diligence"
• In a typical cyber crime, investigators will search for the origin of the incident, mostly by tracing the IP address of the computer involved
  – If the source of the cyber crime is an IP address controlled by your company, Sec 85 may become applicable to you
• How does your company become part of a cyber crime?
  – Malicious staff members
  – A hacked computer in your network which is used for performing a cyber crime on another company / computer
• In such cases, your company may become the primary accused
39. Why "Due Diligence"
• What happens in such a scenario? Let us review Sec 85 again
  – Who is responsible? (Sub-section (1) of 85)
    • Every person who, at the time the contravention was committed, was in charge of, and was responsible to, the company for the conduct of business of the company (Head of IT / CEO??)
    • As well as the company
    • Shall be guilty of the contravention and shall be liable to be proceeded against and punished accordingly;
  – Provided that nothing contained in this sub-section shall render any such person liable to punishment if he proves that the contravention took place without his knowledge or that he exercised all due diligence to prevent such contravention
40. 43A: Compensation for failure to protect data
• Where a body corporate,
• possessing, dealing or handling any sensitive personal data or information
• in a computer resource which it owns, controls or operates,
• is negligent in implementing and maintaining reasonable security practices and procedures
• and thereby causes wrongful loss or wrongful gain to any person,
• such body corporate shall be liable to pay damages by way of compensation to the person so affected
41. Sensitive personal data or information
• Sensitive personal data or information of a person means such personal information which consists of information relating to:
  – (i) password;
  – (ii) financial information such as bank account or credit card or debit card or other payment instrument details;
  – (iii) physical, physiological and mental health condition;
  – (iv) sexual orientation;
  – (v) medical records and history;
  – (vi) biometric information;
  – (vii) any detail relating to the above clauses as provided to a body corporate for providing service; and
  – (viii) any of the information received under the above clauses by a body corporate for processing, stored or processed under lawful contract or otherwise
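The definition above becomes a usable control only once the application can tell which of its fields fall under it. This added Python example (not code from the slides) tags a record with the SPDI clauses it touches and redacts those values before the record is written to a log, which is where SPDI most often leaks from an application that is otherwise secure. The field names, the mapping of each field to a clause, the Luhn-checked detection of card numbers inside free-text fields, and the sample record are all assumptions constructed for illustration.

```python
import re

# Which field carries which clause of the definition is an assumption for this
# example; a real schema would be annotated by the people who own the data.
SPDI_FIELDS = {
    "password": "i_password",
    "bank_account": "ii_financial",
    "card_number": "ii_financial",
    "health_condition": "iii_health",
    "sexual_orientation": "iv_sexual_orientation",
    "medical_history": "v_medical_records",
    "fingerprint_template": "vi_biometric",
}

# Card numbers also turn up inside free text (support notes, error messages).
# 13 to 19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits):
    """Luhn check digit validation; filters out order numbers and timestamps
    that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _looks_like_pan(match):
    return luhn_ok(re.sub(r"[ -]", "", match.group()))


def classify(record):
    """Return the set of SPDI clause labels a record touches."""
    cats = set()
    for key, value in record.items():
        if key in SPDI_FIELDS:
            cats.add(SPDI_FIELDS[key])
        elif isinstance(value, str):
            if any(_looks_like_pan(m) for m in CARD_RE.finditer(value)):
                cats.add("ii_financial")
    return cats


def redact_for_log(record):
    """Copy of the record safe to write to a log: SPDI fields are replaced
    wholesale, and Luhn-valid card numbers inside other strings are masked.
    Non-string values and non-SPDI strings pass through unchanged."""
    out = {}
    for key, value in record.items():
        if key in SPDI_FIELDS:
            out[key] = "[REDACTED]"
        elif isinstance(value, str):
            out[key] = CARD_RE.sub(
                lambda m: "[REDACTED-PAN]" if _looks_like_pan(m) else m.group(), value
            )
        else:
            out[key] = value
    return out


if __name__ == "__main__":
    # Constructed sample record, not real data.
    sample = {
        "user": "bob",
        "card_number": "4111111111111111",
        "note": "called about card 4111 1111 1111 1111, order 1234567890123",
        "ticket_id": 42,
    }
    print(classify(sample))
    print(redact_for_log(sample))
```

classify() is what a data inventory or a Section 43A gap review would run over each table and log source to find where SPDI actually lives; redact_for_log() is the runtime control that keeps it out of places the security programme never intended it to be.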
42. Need for policies
• Privacy policy
  – Should be made available to the person from whom the sensitive information is collected
  – Clear and easily accessible statements of its practices and policies
  – Type of personal or sensitive personal data or information collected
  – Purpose of collection and usage of such information
  – Disclosure of information, including sensitive personal data or information
  – Reasonable security practices and procedures
43. Reasonable Security Practices and Procedures
• A body corporate shall be considered to have complied with reasonable security practices and procedures if
  – they have implemented such security practices and standards, and
  – have a comprehensive documented information security programme, and
  – information security policies that contain managerial, technical, operational and physical security control measures that are commensurate with the information assets being protected and with the nature of the business
44. Reasonable Security Practices and Procedures
• In the event of an information security breach,
  – the body corporate shall be required to demonstrate, as and when called upon to do so by the agency mandated under the law,
  – that they have implemented security control measures as per their documented information security programme and information security policies.
• The international standard IS/ISO/IEC 27001 on "Information Technology - Security Techniques - Information Security Management System - Requirements" is one such standard
  – that can be considered towards reasonable security practices
45. What should we do now?
• Perform an ITAA 2008 risk analysis with a focus on
  – the company's level of compliance with the different provisions of ITAA 2008
  – current gaps in IT practices in relation to ITAA 2008
• Develop programmes to
  – implement "reasonable security practices"
  – practise "due diligence"
  – manage information security
46. Next steps
• The first step in information security is direction
  – Get your policies and procedures set up
• Next is awareness
  – Have your team undergo security awareness training on your policies & allowed practices
• Top management / founders
  – Invest in secure products and in the security of your systems & data
  – Build a top-down approach to an information security culture
  – Assign compliance responsibilities
  – Add the ITAA 2008 perspective to the IS audits
47. Q&A
48. THANK YOU
Binoy Koonammavu
ValueMentor Consulting LLP
binoy@valuementor.com
+91-974-5767-944