Information Security is No Security if it is Not Techno Legal Security


Recognizing the need for concerted action from the industry on Information Security, Nasscom has launched a security forum led by MphasiS BFL CEO Jerry Rao to create awareness about data protection and security among Indian IT companies. One of the objectives of this forum would be to create awareness about data protection and security among Indian IT companies.

The Nasscom security forum aims to enhance the international competitiveness of the Indian IT industry. The forum will exchange reports with member companies on market trends, issues and challenges of the security market; create awareness on protecting sensitive information from unauthorised disclosure or intelligible interception; and help in formulating stringent legal frameworks to deal with data protection and intellectual property rights.

In this defining moment in the history of Information Security management in India, Naavi would like to place a few points for serious debate in the industry.

1. Is Information Security meaningful if it remains in the Technical Security domain and does not evolve into Techno Legal Security?

2. Can there be a development of Information Security Insurance if Information Security is not Techno Legal Security?

3. Will ISO/BS/CMM/Six Sigma continue to represent quality of an organization if Cyber Law Compliance is not ensured?

Naavi would like Nasscom to organize a seminar to discuss the above three themes and arrive at a proper structure for Information Security for the coming digital era.

Let me also elaborate a few points on why I strongly feel that there is a need for a change in the Security perspective.

Technical Security, which encompasses Firewalls and IDS and treats Disaster Recovery and BCP as its end objective, has a limitation. It can restore lost data but cannot compensate for the consequences of the loss of data, which may result in financial losses.

Any technical security person will admit that Technical Security is vulnerable and will be breached from time to time, either because the attack is led or assisted by an insider, the technology has bugs, the attacker is more sophisticated than the asset owner, or the security specialist is momentarily negligent.

In such an event the asset owner suffers losses and liabilities. While technical security measures such as Disaster Recovery can limit the damage and IDS captures vital evidence to trace the attacker, it is the follow-up legal measures that can either enable the asset owner to recover damages from the attacker or protect him from being sued for damages by his customers.

It is in this context that "Legal Security" is the second and very important line of defence.

The Information Insurance industry, when it becomes active, would also place enormous reliance on the legal remedies available to the victim, since after settlement of the claim it has to step into the shoes of the victim and continue efforts to recover the money lost through legal channels.

In the context of quality metrics that certify the long-term viability of a business and the desirability of working with a Company, standards such as ISO/BS/CMM/Six Sigma have been doing a good job. However, all of them suffer from a total lack of, or inadequate attention to, the fact that if a Company is not complying with Cyber Laws, it is continuously exposing itself to risks that can crystallise at some point into a liability and affect business continuity.

Naavi therefore is of the opinion that any Security initiative is incomplete without adequate coverage of measures that ensure that all known Cyber Law violations are plugged in a systematic manner.

In order to ensure this, Naavi proposes the CyLawCom programme, which ensures the creation of Techno Legal Awareness amongst the staff of a Company at all levels and the incorporation of a Cyber Law Compliance culture in the business processes and strategic thinking of an organization. This is achieved through a CyLawCom certification programme, with CyLawCom audits conducted by trained CyLawCom examiners.

Cyber Law College is dedicated to working towards the objective of developing CyLawCom examiners through a system of certification based on an examination. (Details available here)

Naavi

February 5, 2003

(Comments are Welcome)