Let's Build a Responsible Cyber Society




Legal Compliance Requirements in Information Security Audit in India


Information Security Audit Practitioners in India have been traditionally following ISO 27001 as a guideline.  The amendments to ITA 2000 has now thrown a challenge at these auditors and raised a question if such audits are complete without a special reference to ITA 2008 (Information Technology Act 2000 as amended by Information Technology Amendment Act 2008).

ITA 2008 has now defined what is "Cyber Security", introduced the concept of "Reasonable Security Practice" for safeguarding sensitive personal information. It has also spoken about the need for data retention and supply to regulatory authorities as well as assignment of compliance responsibilities to an official in an organization.

Do IS audit practitioners consider the provisions of ITA 2008 and its compliance before certifying an organization's security?

When a Chief executive of an organization declares in the annual report that the "Company is complying with all regulatory requirements" as per SEBI's listing requirements under Clause 49, does he also mean that the Company has conducted an ITA 2008 gap analysis and implemented measures for compliance?

These will be the questions that the future IS auditors need to answer.

The risk of non compliance and a false audit certification is highest in the BFSI industry and in Banks in particular. Indian Banks are reeling under the pressure of technology related frauds which can most often be attributed to the negligence of bank officials. This immediately invokes Section 85 of ITA 2008 and makes the organization and its executives liable. ISPs are also in a similar dilemma and can be held vicariously liable for offences committed by their customers.

In order to discuss the implications of ITA 2008 on Bankers in India, experts are congregating at ITC Windsor Manor, Bangalore on 25th October 2010 for a workshop. (Details available at http://www.workshop.cyberlawcollege.com).

It is time for IS practitioners to consider if they need to take this opportunity to participate in the workshop and share their views with the experts.


October 16 2010

Related Articles:


Comments are Welcome at naavi@vsnl.com