The incidence of Covid and the forced need for Work From Home (WFH) as a part of an organizational culture is a disruptive change to our life style that all of us need to adopt and adapt.
As Covid appears to be peaking out, companies have reached a stage where they will have to re-assess their strategies on how to return to their earlier operational methods or retain the current norm as the “New Normal”.
In all ISMS concepts, we try to identify what is “Reasonable”, “Commensurate with the Risks” and “Best Industry Practices” based on which we chose options. The “New Normal” if accepted now makes it necessary for us to consider whether our current practices require a permanent change.
For example the WFH situation has made
a) BYOD as more the norm than an exception. Access devices are mostly the laptops of the individuals where the user has to also manage his personal banking transactions, e-commerce, gaming, personal communication, entertainment etc. unless it is possible for every body to maintain a separate laptop for office purpose.
b) Physical security as less relevant than before as the heavily guarded corporate premises with access controls at the gate, biometric attendance, electronic door locks have been replaced by the home offices where workers work from their bed room, with children falling over the laptops, friends, relatives and family members walking all over.
c) The monitoring of the worker with a centralized IS department has lost its meaning since even the CISO may be operating from his drawing room on his laptop
d) Security is therefore confined to network access security fortified by the integrity of the individual
e) Firewalls have to be liberal to accommodate access through public networks and monitoring of logs has become a bigger challenge as one has to watch a distributed work force.
f) The contractual agreements where the company had committed that the operations will be carried out in a given premises with audit access to the customer etc has lost meaning since hither to one building floor which housed 1000 workers has now spread out into 1000 different households in different towns and cities.
If we donot appreciate this change and be prepared to accept that all our principles of Information security require a complete overhaul, then we are cheating ourselves.
Hence rigid information security management systems based on international standards need to be flexible with appropriate work arounds.
In terms of Privacy, it is time for us to realize that “Privacy” as a right under Article 21 of the Indian constitution subject to “Reasonable Exemptions” under Article 19(2), needs to be revisited to set proper priorities between Article 21 and Article 19.
Perhaps we need to reverse the priorities between the two articles and recognize that Privacy is a right under the “Right to Security” that is indicated as Article 19(2) as a sub part of the Right to Freedom of Expression.
I am sure that some of the committed Privacy activists would swear by the Puttaswamy judgement and the last word on Privacy has been laid in stone.
However, we must appreciate that Puttaswamy judgment was a view in the Pre-Covid situation and may need a re-look in the Post-Covid situation. The need for such a question arose in the Aarogya Setu app where the debate was whether an individual’s right to privacy was higher than the right of another individual’s right to remain at a safe distance from the pandemic risk.
If Aarogya Setu is mandatory for Mr A because Mr B wants to know if it is safe to come near that person or having come near that person and later the person being adjudged covid +ve Mr B wants to be made aware of the risks, then the decision on what is correct or wrong depends on whether the Right to Security of B is as much or more valuable than the Right to Privacy of Mr A.
Similarly, in the Cyber Crime prevention scenario, insisting on Aadhaar as an ID for a certain service is violation of privacy or is a security measure also need to be re-assessed.
Some puritans may wonder, whether we can question the Constitution, disagree with what is written in the constitution and what the Supreme Court has interpreted. But it is necessary for us to also remember that our constitution has been amended more than 100 times. Many of these amendments have been against the basic concept of equality and justice to all because they were held inconsistent with the right to correct the past oppression of a section of the society.
Hence what the Constitution or the Supreme Court says today is only a temporary guideline and “Jurisprudence” is always under development and may change the concepts which we otherwise may consider as set in stone.
The ISMS practitioners and Data Protection professionals need to therefore have an open mind to recognize that the Post Covid information management is a new era and many of the principles which we thought as sacrosanct in the past may need to be amended.
Data protection professionals also therefore need to be flexible enough to adapt to the new norm and shed their dogmas.
As an example if ISO 27001 was the bible of Information Security practice so far, it need not be so in the coming days. May be PDPSI is the Bhagavadgita of Data Security and can be more relevant and effective as the ISMS guide in the Post Covid era.
(Comments and Criticisms welcome)