Information Risks, Managed
The contents of this document are property and confidential to ValueMentor Consulting and shall not be disclosed in whole or part at any time, to any third party without the prior written consent of ValueMentor Consulting LLP.
© ValueMentor Consulting LLP. All rights reserved. Copyright in the whole and any part of this document belongs to ValueMentor Consulting LLP. This work may not be sold, transferred, adapted, copied and / or reproduced in whole or in part, in any manner or form, or in any media, without the prior consent of ValueMentor Consulting LLP.
IT Security & IT Act 2008
Binoy Koonammavu
Principal Consultant | CISSP, CISA, CISM, CRISC, SBCI, CCSK
Email: binoy@valuementor.com | Ph: +91-974 5767 944
© ValueMentor Consulting LLP Slide 2
Agenda
• Introduction
• Typical Start-up Scenario
• Tips for changing the security scenario
• Some clauses of IT Act 2000 (IT AA 2008)
• Q & A
Shameless Advertising
• Binoy Koonammavu, that’s me, works for ValueMentor Consulting LLP
– a specialist Information Security company from Kochi
• 15 years in the field of IT, around 12 of them spent protecting data and complying with regulations
• Previously held roles including
– Practice Director – Information Security at UST Global
– Manager – IT Security at Burgan Bank, Kuwait
• An Honouree in the Sixth Annual Asia-Pacific Information Security Leadership Achievements (ISLA™) Program
• CISSP, CISM, CRISC, CISA, SBCI & CCSK, and has also held various vendor certifications
Typical Startup Scenario
Some Startups
 Happy Developers
Working on the product
Not worried about the security standards or best practices
Driven to deliver functionality
Everybody loved the new product that fixed “that” gap
Challenges / Myths
• Secure software vs robust, usable & functional software
• Security is considered complex in the SDLC process
• Security is considered a non-functional requirement
• Hackers are targeting businesses, not software
• With Agile, development teams are required to develop functional systems in less time
• Development teams have little awareness of security, and the skills are rare
What is often forgotten?
• Data Protection
• Regulatory requirements
– Specifically, non-financial regulations
• Data privacy
Data... let’s think
• Data of your company
– Intellectual Property
– Copyrights & Trademarks
– Source code
• Data of your customers
– Personal Data
– Sensitive / Confidential data
What do you need to do?
Protect your data
Protect your customers
What Happens when your staff moves on?
© ValueMentor Consulting LLP Slide 12
What Happens when your staff move on?
• To your
– Intellectual Property
– Source code
• Get Non-Disclosure agreements signed
© ValueMentor Consulting LLP Slide 13
What if you are hacked?
Some more myths
• Security hinders usability
• Security is performance hungry
• Security is all about antivirus, firewalls, IPS etc…
• Security is all about encryption
• Security is for big companies
• It is easy to fix a vulnerability once identified
• Security is complex
Some tips – Data Security
There is no Silver Bullet
Design Software with Secure Features
The easiest way to break system security is often to circumvent it rather than defeat it
Know what you need to protect
 Identify your critical assets
 Passwords
 Health information
 Bank Account / Card numbers
 Assess the risk
 Assess threats to those assets
 Determine impact of loss/compromise of assets
 Define security requirements to prevent / delay the risks
 Design solutions to meet your security requirements
Manage Risks
• Not every system / module requires the same level of security. Assess the risks.
Some design considerations
Adapted from Saltzer & Schroeder, The Protection of Information in Computer Systems
Develop Software with Secure Features
“Security is just another attribute of
software like usability, performance,
reliability & scalability”
“The idea of incorporating security into the
SDLC begins with evaluating the relative
importance of this attribute and then going
on to incorporating controls in line with
that.”
Tallah Mir, Sr. Program Manager, Microsoft
Develop Software with Security Features
 Convert the security design into secure code
 Secure coding practices
 https://www.securecoding.cert.org/confluence/display/seccode/
 Perform security code reviews
 Manual
 Automated
 Perform security tests (Vulnerability Assessments & Penetration Testing)
 Blackbox
 Whitebox
Top 10 Secure Coding Practices
1. Validate input
2. Heed compiler warnings
3. Architect and design for security policies
4. Keep it simple
5. Default deny
6. Adhere to the principle of least privilege
7. Sanitize data sent to other systems
8. Practice defense in depth
9. Use effective quality assurance techniques
10. Adopt a secure coding standard
Source: https://www.securecoding.cert.org/confluence/display/seccode/Top+10+Secure+Coding+Practices
Deploy Software with Secure Features
• Secure application, insecure host
• Develop and implement security baselines for
– Operating Systems
– Application Server
– Web Server
– Database servers
– Other computing devices
• Release Management
– How often you release code, and what process you will follow
Defense in Depth
• Management Controls – Policies, Procedures, Awareness & Agreements
– Risk Assessment and Treatment, Policies, Process, NDA’s, Incident reporting, Internal Audits
• Physical Security
– Electronic Access controls, Access cards, Manned reception, Locks, Security Guards, Fire alarms and suppression systems
• Technical Controls (outermost to innermost layer)
– Perimeter: Firewall, VPN’s, NIPS
– Internal Network: VLAN’s, NIPS, Internet Proxy Server
– Host: Patch Management, Antivirus, Authentication
– Application: Application Hardening, ACL’s, Secure applications
– Data: ACL’s, Encryption, Backup
Some references
• OWASP Top 10
– https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
• SANS Top 25
– http://cwe.mitre.org/top25/
– http://www.sans.org/top25-software-errors/
BUILD A CULTURE OF SOFTWARE SECURITY
IT (amendment) Act 2008
Some sections of interest
Relevance of ITA 2008
• ITAA 2008 (Information Technology (Amendment) Act, 2008) focuses on covering the shortfalls of ITA 2000
• IT Act 2000 was focused on e-commerce, digital transactions and their legal validity
• IT Act 2008 focuses on information security and data privacy to a great extent
Direct responsibility
• The executives are directly responsible for cyber security
• The responsibility can be attributed to
– The Head of IT / IT Manager
– The CEO / Founders
– Under the following conditions
• No due diligence is practised when it comes to IT-related affairs
• The IT Act requirements were neglected
• A wilful act led to the cyber security incident
• Information security is no longer just data security; it is a legal requirement in India
The importance of “Due Diligence”
• Section 85: Offences by Companies
– (1) Where a person committing a contravention of any of the provisions of this Act or of any rule, direction or order made thereunder is a Company,
• every person who, at the time the contravention was committed, was in charge of, and was responsible to, the company for the conduct of business of the company as well as the company, shall be guilty of the contravention and shall be liable to be proceeded against and punished accordingly:
• Provided that nothing contained in this sub-section shall render any such person liable to punishment if he proves that the contravention took place without his knowledge or that he exercised all due diligence to prevent such contravention
Why “Due Diligence”
• In a typical cyber crime, investigators search for the origin of the incident, mostly by tracing the IP address of the computer involved
– If the source of the cyber crime is an IP address controlled by your company, Sec 85 may become applicable to you
• How does your company become part of a cyber crime?
– Malicious staff members
– A hacked computer in your network that is used to commit a cyber crime against another company / computer
• In such cases, your company may become the primary accused
Why “Due Diligence”
• What happens in such a scenario? Let us review Sec 85 again
– Who is responsible? (Sub-section (1) of 85)
• Every person who, at the time the contravention was committed, was in charge of, and was responsible to, the company for the conduct of business of the company (Head of IT / CEO??)
• As well as the company
• Shall be guilty of the contravention and shall be liable to be proceeded against and punished accordingly;
– Provided that nothing contained in this sub-section shall render any such person liable to punishment if he proves that the contravention took place without his knowledge or that he exercised all due diligence to prevent such contravention
43A - Compensation for failure to protect data
• Where a body corporate,
• possessing, dealing or handling any sensitive
personal data or information
• in a computer resource which it owns, controls or
operates,
• is negligent in implementing and maintaining
reasonable security practices and procedures
• and thereby causes wrongful loss or wrongful gain to
any person,
• such body corporate shall be liable to pay damages
by way of compensation to the person so affected
Sensitive personal data or information
• Sensitive personal data or information of a person means such personal information which consists of information relating to:
– (i) password;
– (ii) financial information such as bank account or credit card or debit card or other payment instrument details;
– (iii) physical, physiological and mental health condition;
– (iv) sexual orientation;
– (v) medical records and history;
– (vi) biometric information;
– (vii) any detail relating to the above clauses as provided to body corporate for providing service; and
– (viii) any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise
Need for policies
• Privacy policy
– Should be made available to the person from whom the
sensitive information is collected
– Clear and easily accessible statements of its practices and
policies;
– type of personal or sensitive personal data or information
collected
– purpose of collection and usage of such information
– disclosure of information including sensitive personal data
or information
– reasonable security practices and procedures
Reasonable Security Practices and Procedures
• A body corporate shall be considered to have complied with reasonable security practices and procedures if:
– they have implemented such security practices and standards, and
– have a comprehensive documented information security programme, and
– information security policies that contain managerial, technical, operational and physical security control measures that are commensurate with the information assets being protected and the nature of the business
Reasonable Security Practices and Procedures
• In the event of an information security breach,
– the body corporate shall be required to demonstrate, as and when called upon to do so by the agency mandated under the law,
– that they have implemented security control measures as per their documented information security programme and information security policies.
• The international standard IS/ISO/IEC 27001 on "Information Technology - Security Techniques - Information Security Management System - Requirements" is one such standard
– that can be considered towards reasonable security practices
What should we do now?
• Perform an ITAA 2008 risk analysis with a focus on
– The company’s level of compliance with the different provisions of ITAA 2008
– Current gaps in IT practices in relation to ITAA 2008
• Develop programmes to
– Implement “reasonable security practices”
– Practise “due diligence”
– Manage information security
Next steps
• The first step to information security is direction
– Get your policies and procedures set up
• Next is awareness
– Have your team undergo security awareness training on your policies & allowed practices
• Top Management / Founders
– Invest in secure products and in the security of your systems & data
– Build a top-down information security culture
– Assign compliance responsibilities
– Add the ITAA 2008 perspective to the IS audits
Q&A
THANK YOU
Binoy Koonammavu
ValueMentor Consulting LLP
binoy@valuementor.com
+91-974-5767-944
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 

India Start-ups IT Security & IT Act 2008

  • 1. Information Risks, Managed
    The contents of this document are property and confidential to ValueMentor Consulting and shall not be disclosed in whole or part at any time, to any third party without the prior written consent of ValueMentor Consulting LLP. © ValueMentor Consulting LLP. All rights reserved. Copyright in the whole and any part of this document belongs to ValueMentor Consulting LLP. This work may not be sold, transferred, adapted, copied and / or reproduced in whole or in part, in any manner or form, or in any media, without the prior consent of ValueMentor Consulting LLP.
    IT Security & IT Act 2008
    Binoy Koonammavu, Principal Consultant | CISSP, CISA, CISM, CRISC, SBCI, CCSK
    Email: binoy@valuementor.com | Ph: +91-974 5767 944
  • 2. Agenda
    • Introduction
    • Typical Start-up Scenario
    • Tips for changing the security scenario
    • Some clauses of IT Act 2000 (IT AA 2008)
    • Q & A
  • 3. Shameless Advertising
    • Binoy Koonammavu, that’s me, works for ValueMentor Consulting LLP
      – a specialist Information Security company from Kochi
    • 15 years in the field of IT, with around 12 years of it in protecting data and complying with regulations
    • Previously held roles like
      – Practice Director – Information Security at UST Global
      – Manager – IT Security at Burgan Bank, Kuwait
    • An Honouree in the Sixth Annual Asia-Pacific Information Security Leadership Achievements (ISLA™) Program
    • CISSP, CISM, CRISC, CISA, SBCI & CCSK, and has also held various vendor certifications
  • 4. Typical Startup Scenario
  • 5. Some Startups
    • Happy developers
    • Working on the product
    • Not worried about security standards or best practices
    • Driven to deliver functionality
    • Everybody loved the new product that fixed “that” gap
  • 7. Challenges / Myths
    • Secure software vs robust, usable & functional software
    • Security is considered complex in the SDLC process
    • Security is considered a non-functional requirement
    • Hackers are targeting businesses, not software
    • With Agile, development teams are required to develop functional systems in less time
    • Development team awareness of security is low & the skills are rare
  • 8. What is often forgotten?
    • Data protection
    • Regulatory requirements
      – Specifically, non-financial regulations
    • Data privacy
  • 9. Data... Let’s think
    • Data of your company
      – Intellectual property
      – Copyrights & trademarks
      – Source code
    • Data of your customers
      – Personal data
      – Sensitive / confidential data
  • 10. What do you need to do?
    • Protect your data
    • Protect your customers
  • 11. What happens when your staff move on?
  • 12. What happens when your staff move on?
    • To your
      – Intellectual property
      – Source code
    • Get Non-Disclosure Agreements signed
  • 13. What if you are hacked?
  • 14. What if you are hacked?
  • 17. Some more myths
    • Security hinders usability
    • Security is performance hungry
    • Security is all about antivirus, firewalls, IPS etc.
    • Security is all about encryption
    • Security is for big companies
    • It is easy to fix a vulnerability once identified
    • Security is complex
  • 18. Some tips – Data Security
  • 19. There is no Silver Bullet
  • 22. Design Software with Secure Features
  • 23. The easiest way to break system security is often to circumvent it rather than defeat it
  • 24. Know what you need to protect
    • Identify your critical assets
      – Passwords
      – Health information
      – Bank account / card numbers
    • Assess the risk
      – Assess threats to those assets
      – Determine impact of loss / compromise of assets
    • Define security requirements to prevent / delay the risks
    • Design solutions to meet your security requirements
  • 25. Manage Risks
    • Not every system / module requires the same level of security. Assess the risks
  • 26. Some design considerations
    Adapted from Saltzer & Schroeder, “The Protection of Information in Computer Systems”
  • 27. Develop Software with Secure Features
    “Security is just another attribute of software like usability, performance, reliability & scalability”
    “The idea of incorporating security into the SDLC begins with evaluating the relative importance of this attribute and then going on to incorporating controls in line with that.”
    Tallah Mir, Sr. Program Manager, Microsoft
  • 28. Develop Software with Security Features
    • Convert security design into secure code
      – Secure coding practices
      – https://www.securecoding.cert.org/confluence/display/seccode/
    • Perform security code reviews
      – Manual
      – Automated
    • Perform security tests (Vulnerability Assessments & Penetration Testing)
      – Blackbox
      – Whitebox
  • 29. Top 10 Secure Coding Practices
    1. Validate input
    2. Heed compiler warnings
    3. Architect and design for security policies
    4. Keep it simple
    5. Default deny
    6. Adhere to the principle of least privilege
    7. Sanitize data sent to other systems
    8. Practice defense in depth
    9. Use effective quality assurance techniques
    10. Adopt a secure coding standard
    Source: https://www.securecoding.cert.org/confluence/display/seccode/Top+10+Secure+Coding+Practices
  • 30. Deploy Software with Secure Features
    • Secure application, insecure host
    • Develop and implement security baselines for
      – Operating systems
      – Application server
      – Web server
      – Database servers
      – Other computing devices
    • Release management
      – How often you release code, what process you will follow
  • 31. Defense in Depth (layer diagram)
    • Physical Security: Electronic access controls, access cards, manned reception, locks, security guards, fire alarms and suppression systems
    • Technical Controls
      – Perimeter: Firewall, VPNs, NIPS
      – Internal Network: VLANs, NIPS, Internet proxy server
      – Host: Patch management, antivirus, authentication
      – Application: Application hardening, ACLs, secure applications
      – Data: ACLs, encryption, backup
    • Management Controls: Policies, procedures, awareness & agreements; risk assessment and treatment, policies, process, NDAs, incident reporting, internal audits
  • 32. Some references
    • OWASP Top 10
      – https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
    • SANS Top 25
      – http://cwe.mitre.org/top25/
      – http://www.sans.org/top25-software-errors/
  • 33. BUILD A CULTURE OF SOFTWARE SECURITY
  • 34. IT (Amendment) Act 2008 – Some sections of interest
  • 35. Relevance of ITA 2008
    • ITAA 2008 (Information Technology (Amendment) Act, 2008) focuses on covering the shortfalls of ITA 2000
    • IT Act 2000 was focused on e-commerce, digital transactions and their legal validity
    • IT Act 2008 focuses on information security and data privacy to a great extent
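Practices 1, 5, 7 and 8 from the list above (validate input, default deny, sanitize data sent to other systems, defense in depth) in working Python, as an added example that is not part of the original deck. The user table, the allow-list pattern and the function names are constructed for this example; the point it shows is that string-built SQL lets a data value change the query, while a parameterised query keeps the value as data, and an allow-list in front of it rejects anything not expected.

```python
import re
import sqlite3


def make_db():
    """Constructed sample data: a tiny in-memory user table (not from the deck)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


# Practice 1 and 5: an allow-list for the one shape of username we accept.
# Anything that does not match is denied; there is no deny-list to keep up to date.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{2,31}$")


def validate_username(value):
    """Return the value unchanged if it is on the allow-list, else raise."""
    if not isinstance(value, str) or not USERNAME_RE.fullmatch(value):
        raise ValueError("username rejected by allow-list")
    return value


def lookup_email_unsafe(conn, username):
    """The 'before' form: the value is pasted into the SQL text, so the database
    cannot tell where the query ends and the data begins."""
    query = "SELECT email FROM users WHERE username = '%s'" % username
    return [row[0] for row in conn.execute(query)]


def query_email(conn, username):
    """Practice 7: a parameterised query. The driver sends the value separately
    from the statement, so it is always treated as a literal, never as SQL."""
    rows = conn.execute("SELECT email FROM users WHERE username = ?", (username,))
    return [row[0] for row in rows]


def lookup_email_safe(conn, username):
    """Practice 8: both layers together. Validation rejects unexpected input early;
    parameterisation protects the database even if validation is bypassed."""
    return query_email(conn, validate_username(username))


if __name__ == "__main__":
    conn = make_db()
    probe = "x' OR 'a'='a"  # a value that breaks out of the string-built query
    print("unsafe :", lookup_email_unsafe(conn, probe))   # returns every row
    print("param  :", query_email(conn, probe))           # returns [] (literal match)
    try:
        lookup_email_safe(conn, probe)
    except ValueError as exc:
        print("safe   :", exc)                            # rejected before the query
    print("safe   :", lookup_email_safe(conn, "alice"))
```

Reviewing code for the unsafe pattern (any `%`, `+` or f-string that builds SQL from a variable) is the manual review step the deck's slide 28 asks for, and the parameterised form is what to replace it with.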
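A security baseline for a host is only useful if it is checked against the deployed configuration, so here is an added example (not from the deck or from ValueMentor) of a small baseline checker in Python. The configuration fragment is a constructed sample written in the style of an OpenSSH `sshd_config`, and the directives chosen for the baseline are an assumption for the example; the parser mirrors two real sshd rules, that keywords are case-insensitive and that the first occurrence of a keyword wins, because a checker that gets those wrong reports the wrong state.

```python
# Constructed configuration fragment in the style of an OpenSSH sshd_config.
# It is sample input for this example, not a real host's file.
SAMPLE_CONFIG = """\
# constructed sample
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# a later duplicate is ignored: sshd keeps the first value it reads
PermitRootLogin no
X11Forwarding no
"""

# Baseline to enforce: directive -> required value. The selection is an
# assumption for this example; take the values from your own documented baseline.
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
}


def parse_config(text):
    """Return {keyword_lowercase: first_value}.

    sshd keywords are case-insensitive and the first occurrence of a keyword is
    the one that takes effect, so the parser lower-cases keys and keeps the first
    value it sees. Only whole-line comments are stripped, as sshd does.
    """
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # keyword without a value: nothing to check
        key, value = parts[0].lower(), parts[1].strip()
        values.setdefault(key, value)  # first occurrence wins
    return values


def check_baseline(config_text, baseline=BASELINE):
    """Return a list of (directive, expected, actual) findings.

    A directive that is absent from the file is also a finding (actual=None):
    the baseline asks for an explicit value, and relying on the daemon's
    default is exactly the kind of gap a baseline review should surface.
    """
    cfg = parse_config(config_text)
    findings = []
    for directive, expected in baseline.items():
        actual = cfg.get(directive.lower())
        if actual is None or actual.lower() != expected.lower():
            findings.append((directive, expected, actual))
    return findings


if __name__ == "__main__":
    for directive, expected, actual in check_baseline(SAMPLE_CONFIG):
        state = "missing" if actual is None else f"is {actual!r}"
        print(f"FAIL {directive}: expected {expected!r}, {state}")
```

The same parse-then-compare shape works for the other baseline targets on the slide (web server, application server, database) once the parser is swapped for that product's config format; keeping the baseline as data rather than code is what lets the release process on the same slide re-run the check on every deployment.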
  • 36. Direct responsibility
    • The executives are directly responsible for cyber security
    • The responsibility can be attributed to
      – The Head of IT / IT Manager
      – The CEO / Founders
      – Under the following conditions
        • No due diligence is practised when it comes to IT-related affairs
        • The IT Act requirements were neglected
        • Wilful act leading to a cyber security incident
    • Information security is no longer only data security; it is a legal requirement in India.
  • 37. The importance of “Due Diligence”
    • Section 85: Offences by Companies
      – (1) Where a person committing a contravention of any of the provisions of this Act or of any rule, direction or order made there under is a Company,
        • every person who, at the time the contravention was committed, was in charge of, and was responsible to, the company for the conduct of business of the company as well as the company, shall be guilty of the contravention and shall be liable to be proceeded against and punished accordingly:
        • Provided that nothing contained in this sub-section shall render any such person liable to punishment if he proves that the contravention took place without his knowledge or that he exercised all due diligence to prevent such contravention
  • 38. Why “Due Diligence”
    • In a typical cyber crime, investigators will search for the origin of the incident, mostly by tracing the IP address of the computer involved
      – If the cyber crime source is an IP address controlled by your company, Sec 85 may become applicable to you
    • How does your company become part of a cyber crime?
      – Malicious staff members
      – A hacked computer in your network which is used for performing a cyber crime on another company / computer
    • In such cases, your company may become the primary accused
  • 39. Why “Due Diligence”
    • What happens in such a scenario? Let us review Sec 85 again
      – Who is responsible? (Sub-section (1) of Sec 85)
        • Every person who, at the time the contravention was committed, was in charge of, and was responsible to, the company for the conduct of business of the company (Head of IT / CEO??)
        • As well as the company
        • Shall be guilty of the contravention and shall be liable to be proceeded against and punished accordingly;
      – Provided that nothing contained in this sub-section shall render any such person liable to punishment if he proves that the contravention took place without his knowledge or that he exercised all due diligence to prevent such contravention
  • 40. 43A – Compensation for failure to protect data
    • Where a body corporate,
    • possessing, dealing or handling any sensitive personal data or information
    • in a computer resource which it owns, controls or operates,
    • is negligent in implementing and maintaining reasonable security practices and procedures
    • and thereby causes wrongful loss or wrongful gain to any person,
    • such body corporate shall be liable to pay damages by way of compensation to the person so affected
  • 41. Sensitive personal data or information
    • Sensitive personal data or information of a person means such personal information which consists of information relating to:
      – (i) password;
      – (ii) financial information such as bank account or credit card or debit card or other payment instrument details;
      – (iii) physical, physiological and mental health condition;
      – (iv) sexual orientation;
      – (v) medical records and history;
      – (vi) biometric information;
      – (vii) any detail relating to the above clauses as provided to body corporate for providing service; and
      – (viii) any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise
  • 42. Need for policies
    • Privacy policy
      – Should be made available to the person from whom the sensitive information is collected
      – Clear and easily accessible statements of its practices and policies
      – Type of personal or sensitive personal data or information collected
      – Purpose of collection and usage of such information
      – Disclosure of information including sensitive personal data or information
      – Reasonable security practices and procedures
  • 43. Reasonable Security Practices and Procedures
    • A body corporate shall be considered to have complied with reasonable security practices and procedures if
      – they have implemented such security practices and standards and
      – have a comprehensive documented information security programme and
      – information security policies that contain managerial, technical, operational and physical security control measures that are commensurate with the information assets being protected, with the nature of business
  • 44. Reasonable Security Practices and Procedures
    • In the event of an information security breach,
      – the body corporate shall be required to demonstrate, as and when called upon to do so by the agency mandated under the law,
      – that they have implemented security control measures as per their documented information security programme and information security policies.
    • The international standard IS/ISO/IEC 27001 on “Information Technology – Security Techniques – Information Security Management System – Requirements” is one such standard
      – that can be considered towards reasonable security practices
  • 45. What should we do now?
    • Perform an ITAA 2008 risk analysis with a focus on
      – Compliance level of the company with the different provisions of ITAA 2008
      – Current gaps in the IT practices in relation to ITAA 2008
    • Develop programmes to ensure
      – Implementation of “reasonable security practices”
      – Practice of “due diligence”
      – Management of information security
  • 46. Next steps
    • The first step to information security is direction
      – Get your policies and procedures set up
    • Next is awareness
      – Have your team undergo security awareness training on your policies & allowed practices
    • Top Management / Founders
      – Invest in secure products, security of your systems & data
      – Build a top-down approach to an information security culture
      – Assign compliance responsibilities
      – Add the ITAA 2008 perspective to the IS audits
  • 47. Q&A
  • 48. THANK YOU
    Binoy Koonammavu, ValueMentor Consulting LLP
    binoy@valuementor.com | +91-974-5767-944
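The gap analysis that slide 45 asks for starts from an inventory of where sensitive personal data lives, which is also the asset identification step on slide 24 (passwords, health information, bank account / card numbers). The following Python is an added example, not from the deck or from ValueMentor, of turning such an inventory into a list of gaps against the slide 41 categories and the slide 42 policy contents. The inventory, the field-name patterns used to recognise each category, and the controls treated as required (one-way hashing for passwords, encryption at rest for other categories, restricted access, a documented purpose of collection) are all assumptions for this example; the Act lists the categories, not these controls, so a real programme would take the control list from its own documented policy.

```python
import re
from dataclasses import dataclass


# Categories from Rule 3 as listed on slide 41. The field-name patterns used to
# recognise them are an assumption for this example, not part of the Act.
SPDI_PATTERNS = {
    "password":           re.compile(r"passw|pwd|pin\b", re.I),
    "financial":          re.compile(r"card|account|iban|upi|payment", re.I),
    "health_condition":   re.compile(r"health|condition|disab", re.I),
    "sexual_orientation": re.compile(r"orientation", re.I),
    "medical_records":    re.compile(r"medical|diagnos|prescription", re.I),
    "biometric":          re.compile(r"biometric|fingerprint|iris|face", re.I),
}


@dataclass
class DataField:
    """One stored field in a system, with the controls recorded for it."""
    system: str
    name: str
    encrypted_at_rest: bool = False
    hashed: bool = False              # one-way hash, relevant to passwords only
    access_restricted: bool = False   # limited to a need-to-know group
    purpose: str = ""                 # purpose of collection (slide 42)
    disclosed_to: tuple = ()          # third parties it is disclosed to (slide 42)


def classify(f):
    """Return the SPDI category a field falls into, or None if it is not SPDI."""
    for category, pattern in SPDI_PATTERNS.items():
        if pattern.search(f.name):
            return category
    return None


def gaps_for(f):
    """Return (system, field, category, gap) tuples for one field.

    Non-SPDI fields produce no findings. Passwords are checked for hashing;
    every other category is checked for encryption at rest. All SPDI fields
    need restricted access and a documented purpose, because the privacy
    policy on slide 42 has to state the purpose of collection.
    """
    category = classify(f)
    if category is None:
        return []
    gaps = []
    if category == "password":
        if not f.hashed:
            gaps.append("password stored without one-way hashing")
    elif not f.encrypted_at_rest:
        gaps.append(f"{category} data not encrypted at rest")
    if not f.access_restricted:
        gaps.append("access not restricted to a need-to-know group")
    if not f.purpose:
        gaps.append("no documented purpose of collection for the privacy policy")
    return [(f.system, f.name, category, g) for g in gaps]


def gap_report(inventory):
    """Run gaps_for over a whole inventory and return the combined findings."""
    report = []
    for f in inventory:
        report.extend(gaps_for(f))
    return report


# Constructed sample inventory for this example (not a real system).
SAMPLE_INVENTORY = [
    DataField("web-app", "email", purpose="account login"),
    DataField("web-app", "password_hash", hashed=True, access_restricted=True,
              purpose="authentication"),
    DataField("billing", "card_number", encrypted_at_rest=False,
              access_restricted=True, purpose="payments"),
    DataField("hr", "medical_certificate", encrypted_at_rest=True,
              access_restricted=False, purpose=""),
    DataField("support", "fingerprint_template", encrypted_at_rest=True,
              access_restricted=True, purpose="device unlock"),
]


if __name__ == "__main__":
    for system, name, category, gap in gap_report(SAMPLE_INVENTORY):
        print(f"{system}/{name} [{category}]: {gap}")
```

The output is the kind of evidence slide 44 says a body corporate must be able to produce after a breach: which fields are SPDI, which documented control applies to each, and where the implementation falls short of the documented programme.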