
Suggested Information Security Framework under ITA 2008

Naavi


Under Section 43A, ITA 2008 mandates that body corporates handling sensitive personal data follow "Reasonable Security Practices" (RSP), failing which they are liable to pay compensation to any person who suffers a loss.

Similarly, under Section 79, "Intermediaries" are required to exercise "Due Diligence". Though due diligence cannot be prescribed and has to be decided case by case, where a standard security practice exists it can serve as a starting point for benchmarking what due diligence requires.

ITA 2008 is additionally expected to prescribe certain data retention norms under Section 67C, which should be treated as part of the "Reasonable Security Practices".

The requirements of all three aspects can be met by adopting a security framework on the lines given hereunder. This framework, referred to as the Indian Information Security Framework (IISF-309), is built on the following principles.

a) The framework is flexible enough for users in different segments and of different operational sizes to adopt practices that are appropriate and affordable. It does not mandate any specific security standard such as ISO 27001.

b) It incorporates the best practices in current use, with the adjustments required by ITA 2008.

c) It gives value to "Disclosure" and "Accountability". Accordingly, it recommends that the organization announce a security policy and designate a "Compliance Officer".

d) It relies on a "Client Consent", which makes the framework legally binding on the prospective victim and hence meets the first of the three criteria suggested by Section 43A, Explanation (ii), quoted below.

(ii) "reasonable security practices and procedures" means security practices and procedures designed to protect such information from unauthorised access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties or as may be specified in any law for the time being in force and in the absence of such agreement or any law, such reasonable security practices and procedures, as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.

IISF-309 follows the same 21-step specification used by LIPS-1008. Since LIPS-1008 was developed for Legal Process Outsourcing firms, it naturally addresses the needs of other data processing agencies as well.

It is, however, possible to define different specifications for different segments such as "Banking", "Share Broking", "Call Centers", "KPOs", matrimonial/job websites, e-commerce websites, etc. Even within a segment, different levels may be defined depending on the size of the organization. As new security threats and remedies become relevant, additional levels can be defined to harden the security further.

Ujvala Consultants Pvt Ltd offers to conduct CyLawCom audits based on the following standard and to provide certification of compliance. Ujvala also invites other auditors to adopt the standard and obtain co-certification with Ujvala.

 

Specifications of IISF-309

Each of the 21 specifications is stated at three levels. Level 1 is the baseline; Level 2 and Level 3 add requirements on top of the lower levels, except where marked "Same as Level 1" or "Same as Level 2".

IISF 1: Client Consent

Level 1: A letter of consent shall be obtained (in a form acceptable under ITA 2008), on behalf of every data subject, from the data vendor to outsource the data as per the Privacy and Security Policy Statement, a copy of which must be made appropriately available on the website. Every version of the statement from the date of inception of the policy shall be archived, and the vendor shall be notified of any changes made after the date of consent, with an option for the vendor to refuse the changes.
Level 2: Same as Level 1
Level 3: Same as Level 1

IISF 2: Employee Awareness

Level 1: Every employee of the organization shall be made aware of the information privacy and security policy of the organization as contained in the Privacy and Security Policy Statement (PSPS), and of other initiatives undertaken by the organization towards its implementation. Employees shall also be adequately trained in the use of any software or hardware devices used for implementing the policy. Every employee shall undertake a "Test of Awareness" at least once each year, and the performance shall be documented in the employee's service records.
Level 2: Same as Level 1
Level 3: Same as Level 1

IISF 3: Employee Declaration

Level 1: Every employee shall sign a declaration of ethics, in duplicate, agreeing to abide by the requirements of the PSPS. One copy is kept with the employee's service records and the other is returned to the employee.
Level 2: Same as Level 1
Level 3: Same as Level 1

IISF 4: Assigned Responsibility

Level 1: Responsibility for privacy and information security compliance shall be allocated to an official who shall provide compliance reports and certificates to the management every month. The official may hold other responsibilities in addition.
Level 2: Same as Level 1
Level 3: Same as Level 1

IISF 5: Employee Background Check

Level 1: Every employee's background is verified against the documentary evidence submitted with the employment application.
Level 2: In addition to Level 1, the background is verified with the "Referees" indicated in the application, with their written acknowledgements duly verified for correctness.
Level 3: In addition to Levels 1 and 2, the HR manager shall provide a declaration to the management that background verification has been completed as required.

IISF 6: Information Classification

Level 1: Information handled by the organization shall be classified appropriately on the basis of its sensitivity. The classification tag shall enable the assignment of designated employees for access on a need-to-know basis and the management of access privileges.
Level 2: Same as Level 1
Level 3: Same as Level 1

IISF 7: Employee Cyber Usage Policy

Level 1: Employees are bound by an ethical declaration and subject to self-imposed discipline as defined in the security policy documents.
Level 2: In addition to Level 1, employee activities on the Internet are fully monitored and the logs archived for both real-time and post-event audit. Any violation is recorded and sanctions invoked.
Level 3: In addition to Levels 1 and 2, employees are allowed to use the Internet only to the extent of a pre-defined business purpose, and a suitable firewall controlling access is used.

IISF 8: Media Usage Policy

Level 1: Employees are bound by an ethical declaration and subject to self-imposed discipline as defined in the security policy documents.
Level 2: In addition to Level 1, restrictions are imposed on the use of external media and laptops to reasonably prevent unauthorized copying of data.
Level 3: In addition to Levels 1 and 2, employees have access to data only through a remote-access environment from thin clients, and no data can be permanently stored on local machines except under specific authorization and in a secure manner.

IISF 9: Sanction Policy

Level 1: Appropriate sanctions are imposed for violations of any of the security policies, commensurate with the nature of the violation.
Level 2: In addition to Level 1, suitable clauses are introduced in the employee contracts and NDAs signed by employees.
Level 3: In addition to Levels 1 and 2, NDAs are obtained both at the time of employment and at the time each major assignment is handled.

IISF 10: Privacy and Security Policy Statement

Level 1: The organization shall develop a detailed Privacy and Security Policy Statement, approved by the Board and signed by the CEO and CTO. The statement shall be adequately communicated to all employees as well as to the clients and business associates of the organization. A copy shall be made available through the company's website. The organization may develop different versions of the statement for public and internal use as the management finds necessary.
Level 2: Same as Level 1
Level 3: Same as Level 1

IISF 11: Physical Security

Level 1: The organization shall have appropriate policies and procedures to ensure that only authorized persons have access to the working area containing IT assets, including the wireless perimeter. Appropriate documentation shall be maintained for any guest access provided.
Level 2: In addition to Level 1, the access points shall be monitored by appropriate electronic access monitoring devices.
Level 3: In addition to Levels 1 and 2, the entry and exit of authorized persons to the work area shall be linked to attendance records, and any anomaly shall be recorded as a security breach incident.

IISF 12: Logical Access Security

Level 1: Policies and procedures shall be implemented to ensure that access to any IT device is made available only with appropriate access authentication, such as passwords. Appropriate measures shall be taken to ensure that a strong password policy is maintained across the organization.
Level 2: Same as Level 1
Level 3: Same as Level 1

IISF 13: Information Storage Security

Level 1: Policies and procedures shall be adopted to ensure that information under storage is accessible only by authorized persons on a "need-to-know" basis.
Level 2: In addition to Level 1, information under storage is kept in encrypted form.
Level 3: In addition to Levels 1 and 2, access shall be backed by data integrity controls, audit trail monitoring and archival.

IISF 14: Information Transmission Security

Level 1: Transmission of information into and out of the systems shall be monitored by a suitable firewall, and appropriate policies and procedures shall be implemented to ensure that viruses and other malicious code are filtered effectively.
Level 2: In addition to Level 1, an appropriate audit trail shall be maintained and archived for future reference if required. All confidential mail shall be appropriately encrypted.
Level 3: In addition to Levels 1 and 2, all outward mail likely to cause any liability to the organization shall be digitally signed by the sender.

IISF 15: Hardware/Software Policy

Level 1: Policies and procedures shall be put in place to ensure that any hardware or software used by the organization is certified by the supplier to be free from known security vulnerabilities.
Level 2: In addition to Level 1, policies and procedures shall be put in place to ensure that hardware and software used by the organization are tested by a third-party security auditor and certified to be free of known security vulnerabilities.
Level 3: In addition to Levels 1 and 2, policies and procedures shall be put in place to ensure that hardware and software used by the organization are backed by a source code audit certificate from a third party.

IISF 16: Web Presence Policy

Level 1: Policies and procedures shall be put in place to ensure that the domain name, hosting facilities and content used by the organization are adequately protected against malicious attacks, unauthorized alteration and IPR infringement. A suitable privacy policy and disclosure documents indicating the identity of the owner of the web content shall be provided on the organization's website.
Level 2: In addition to Level 1, the web content is monitored by the organization at periodic intervals and self-certified for data integrity.
Level 3: Same as Level 2

IISF 17: Grievance Redressal Policy

Level 1: The organization shall designate an official as "Security Grievance Resolution Officer" (SGRO), the single point of contact accountable for handling all disputes related to information security. The contact details of this person, including e-mail and physical address, shall be provided on the website.
Level 2: In addition to Level 1, the organization shall also designate an external person of repute as an "Ombudsman" to resolve disputes that cannot be resolved by the SGRO.
Level 3: In addition to Levels 1 and 2, the organization shall also set in place an arbitration mechanism to handle disputes not resolved by the Ombudsman.

IISF 18: BA Agreement Policy

Level 1: Policies and procedures shall be put in place to ensure that the information security responsibilities of the organization are also followed by any external agency that is given access to the protected information, through a suitable contractual arrangement with appropriate indemnity provisions.
Level 2: Same as Level 1
Level 3: Same as Level 1

IISF 19: DLP-OLR (Defensive Legal Protection / Offensive Legal Remedy) Policy

Level 1: Policies and procedures shall be put in place by the organization to maintain an incident monitoring system and an appropriate Disaster Recovery and Business Continuity Plan to meet any contingencies arising out of security breach incidents.
Level 2: In addition to Level 1, appropriate evidence archival systems shall be maintained to ensure the capability for "Defensive Legal Protection" against any liability claims that may arise against the organization.
Level 3: In addition to Levels 1 and 2, appropriate evidence archival systems shall be maintained to empower the organization to launch "Offensive Legal Remedy" procedures.

IISF 20: Policy Documentation

Level 1: The organization shall retain all policy documents related to information security for a minimum of 3 years, in print or electronic form. Data that is part of a security breach incident is kept indefinitely.
Level 2: Same as Level 1
Level 3: Same as Level 1

IISF 21: Management Certificate/Audit Policy

Level 1: The operational management shall submit a certificate of compliance with information security to the Board of Directors once a year, recording therein the observed shortcomings and how they are proposed to be remedied, with appropriate implementation schedules.
Level 2: In addition to Level 1, the Board of Directors shall incorporate a certificate of compliance with information security in the annual report to the shareholders of the company, recording therein the observed shortcomings and how they are proposed to be remedied, with appropriate implementation schedules.
Level 3: In addition to Levels 1 and 2, the certificate of compliance incorporated by the Board of Directors in the annual report to the shareholders shall record the shortcomings observed by an external auditor, the management's perceptions, and how the management proposes to meet the audit suggestions.


Naavi

March 21, 2009
