Legal Compliance Requirements in Information Security Audit
Information Security Audit practitioners in India have traditionally followed ISO 27001 as a guideline. The amendments to ITA 2000 have now thrown a challenge at these auditors and raised the question of whether such audits are complete without a special reference to ITA 2008 (Information Technology Act 2000 as amended by Information Technology Amendment
ITA 2008 has now defined what "Cyber Security" is and introduced the concept of "Reasonable Security Practice" for safeguarding sensitive personal information. It also speaks of the need for data retention and supply to regulatory authorities, as well as the assignment of compliance responsibilities to an official in an organization.
Do IS audit practitioners consider the provisions of ITA 2008 and its compliance before certifying an organization's security?
When a Chief Executive of an organization declares in the annual report that the "Company is complying with all regulatory requirements" as per SEBI's listing requirements under Clause 49, does he also mean that the Company has conducted an ITA 2008 gap analysis and implemented measures for
These are the questions that future IS auditors will need to answer.
The risk of non-compliance and a false audit certification is highest in the BFSI industry, and in banks in particular. Indian banks are reeling under the pressure of technology-related frauds, which can most often be attributed to the negligence of bank officials. This immediately invokes Section 85 of ITA 2008 and makes the organization and its executives liable. ISPs are in a similar dilemma and can be held vicariously liable for offences committed by their customers.
In order to discuss the implications of ITA 2008 for bankers in India, experts are congregating at ITC Windsor Manor, Bangalore on 25th October 2010 for a workshop. (Details available at
It is time for IS practitioners to consider whether they should take this opportunity to participate in the workshop and share their views with the experts.
October 16 2010