KSHRC Issues notice to IT Secretary Karnataka on Adjudication Issue

The undersigned has been pursuing a series of complaints with the Government of Karnataka on the denial of Adjudication facility in the state of Karnataka.

Such complaints have been sent in the past to the Chief Ministers as well as the Law Minister, the Chief Secretary etc. A copy of the last complaint made in this regard is available here.

Even this letter has not evoked any response from the Government.

In the meantime, by a letter dated 21/3/2013, I am informed that the Karnataka Human Rights Commission has taken note of the complaint and has issued a notice to the IT Secretary to send his reply by 30th May 2013. If nothing else, it will at least make the new IT Secretary read the complaint and understand the issue.

Netizens of Karnataka await positive developments regarding the same.

The undersigned has also submitted a “Charter of Demand” to some of the political parties seeking election in Karnataka, including Loksatta Party and BJP. The Charter also includes a demand for action for setting up a functional Adjudication system in Karnataka.

The Charter of demand includes the following.

1. Digital ID for all (like Aadhar number)
2. Internet access for all at affordable cost
3. Cyber Security policy for the State
4. Adjudication facility to be made functional
5. Netizen Rights Commission for the State
6. E Consumer Protection
7. Centralized Cyber Teaching up to X standard

More details are available at www.aifon.org.in

Attempts are being made to reach the Charter of demand to the candidates wherever the e-mail addresses are available. Readers may send the available email addresses of prominent candidates who are seeking election in Karnataka.


Mr Katju advocates Social Media Regulation

Mr Katju, the Chairperson of the Press Council of India, has become popular in recent days as a “Mercy Pleader” for Sanjay Dutt and other convicts. Though enjoying a Government appointment as a former Judge of the Supreme Court, his actions in recent days have been completely political.

Now Mr Katju seems to have turned his attention to the Social Media which has been critical of his politically motivated actions. It is reported (See report) that addressing a meeting in Hyderabad yesterday related to the Press Council enquiry, he has expressed an opinion that “Online censorship should not stop with amendments to ITA 2000 and checks and balances are necessary..”

Just as Mr Kapil Sibal advocated earlier, Mr Katju prefers a pre-publication censorship of social media content and says “There should be a process of filtering content which goes online.”

It is to be noted that when persons like Mr Katju join hands with politicians, danger lurks in the corner.

Naavi


UIDAI to use Digital Signatures to authenticate e aadhar

After a long time UIDAI has realized what was evident all along: that it had an option to issue digitally signed letters to confirm aadhar numbers electronically. UIDAI has now announced that e aadhar numbers will now be issued with digital signatures.

Amongst other things, this will enable a greater recognition of “Digital Signatures” as a means of authentication and ensure that other institutions such as Banks who have been resisting its use will now have weaker excuses.

More information

Naavi


Hong Kong set to become another Nigeria in Cyber Crimes

Cyber Crime observers are well aware of “Nigerian Frauds” where people from Nigeria cheat persons globally on false allurements. Exporters to Nigeria are aware from time immemorial that remittances from Nigeria are unreliable. Bankers refuse to finance exporters for exports to Nigeria.

Now it appears that Hong Kong is also becoming a country like Nigeria where criminals are opening bank accounts to commit frauds on the global netizens.

In one of the cases reported in India, an importer has been lured to transfer money due to the Chinese Company to an account in Hong Kong which happened to be a fraudulent account.

It is also reported that Hong Kong is trying to develop “Secret Banking” on the Swiss Banking model so that tax evaders and criminals in the world can now switch their Swiss Bank accounts to Hong Kong.

In view of the above, if any remittance is sent to a bank in Hong Kong, the remitter may find it very difficult to recover the money through normal legal course.

I therefore urge Reserve Bank of India to send an advisory to all Banks that any remittances to a Bank in Hong Kong should be subjected to a check on the authenticity of the recipient. The receiving Bank must give an undertaking that any customer recipient of a remittance from India is not a criminal and the remittance is not part of money laundering.

Naavi


Making managements realize the Risk situation

I refer to my earlier article on “Risk Appetite” where I had highlighted the fact that many managements are unaware of risks and hence keep on consuming the risks until one day it is too late to correct.

CISOs, by virtue of their exposure to threat environments, may try to keep their managements informed from time to time of the need to undertake “Risk Assessments” and initiate “Risk Mitigation” efforts. But often in organizations which have a low Information Security awareness, the CISO, even if such a designation exists, may not have adequate authority to reach out to the top management. In many organizations there will be only an IT Manager and no CISO. Only if the IT manager has adequate security exposure does he try to bring to the notice of the management the need for a risk assessment and initiate some action leading to Risk assessment.

In this context, when the need for Information Security is presented as a “Legal Compliance” mandate, the possibilities of the top managements understanding the implications are higher. If the Chairman is made aware that he may personally go to jail if adequate security is not in place, then only the Board of Directors will call for a presentation from the IT head on the need for creating an Information Security department and proceed further.

The path to Information Security implementation is therefore through the fear of legal consequences. This needs to be communicated to the top management through various means to kick off the IS process.

Even after this, before the top management can agree to an Information Security program, they need to be aware of the compliance requirements and consequences of non compliance. Hence building the “Awareness about Legal aspects of Information Security” often becomes the starting point for Information Security in an organization.

It is for this reason that the undersigned often recommends that the IT department may organize an “Awareness Workshop” for top management before even discussing the details of what the Risk assessment program is, how much it may cost, how long it may take and what benefits the organization may expect.

This “Information Security/Assurance Feasibility Workshop” is one of the services that the undersigned has proposed to help the CISOs break the barriers of communication.

I hope more and more companies will opt for such a workshop which is a low cost investment before they take the decision to proceed further.

Naavi


How Much is our Risk Appetite?

In Information Assurance/Security management we often feel that organizations are not as receptive as we the consultants feel they should be to emerging threats. For those of us who follow the incidence of Cyber Threats around the world, there appears to be a minefield of risks in everything we do. If we are recruiting a key employee, we worry if he is a mole from the competitor. If we receive an email, we suspect it to contain a virus. If somebody offers freebies, we think it must have some embedded risk. In fact we live in a state of constant fear.

On the other hand, when as consultants we approach a corporate which we think should jump at our offer of consultancy for risk assessment and mitigation, we are surprised at the cold reception we may receive. Some managements think that a consultant speaks of risk because of his own benefit and fail to see any counter benefit which the company may have. Sometimes this doubt stops the very consulting proposal itself and sometimes it goes beyond into assessment of the pricing of the consultancy service.

While the consultant feels that he is providing a high value service which should reasonably be priced at say Rs x, the corporate intending to buy the risk is not so sure about the value of the service and therefore rejects the offer or provides a counter offer which the consultant decides to pass up.

In the bargain the Company continues to bask in the feeling “All is Well” until disaster hits one day to consume the organization in full.

I was recently reading literature on research in psychology where a researcher was testing when a house fly will stop eating. He found that the food which the fly consumes passes through the gullet where there is a nerve which recognizes how much food has passed through. The desire to consume itself is triggered by another nerve in its legs so that when these sensors sense food it will start eating and when the gullet nerve indicates enough is enough, it will stop eating. The researcher continued his experiment by surgically removing the gullet nerve and found that the fly went on consuming food though it bloated the fly to a level where it could burst. This tendency is also found in ants who serve as store houses of food and keep bloating unmindful of the consequences.

Are Our Corporates bursting with risks?

This example is very relevant for the Indian Companies when we talk of Information Security risks or ITA 2008 compliance requirements. It appears that the corporates have no means of measuring how much of risk they are consuming and maintain an infinite risk appetite. In the field of financial investments the market is more mature and corporates have some measure of their risk appetite and a sense of how far they can go before they say “Enough is enough” and pull out their risky investments. Unfortunately in the field of “Information Risk” managements do not have the same understanding of the risk environment, the threats and vulnerabilities and therefore fail to take appropriate risk mitigation measures. Even those who have crossed this threshold for various reasons and instituted some kind of risk management measures may also fail to understand the efficacy of “Controls” and be satisfied with “Controls for the sake of audits” rather than “Controls for the sake of security”.

CISOs in every organization therefore have the biggest task of trying to get the attention of the top management to their field of work and often find it the more challenging aspect of their job. The problem with many CISOs is that they are good in their security related knowledge but are weak in public relations or communication capabilities.

I therefore suggest that CISOs should consider “Communication Skills” as part of their required skill sets and keep enhancing their skills through appropriate training on this facet of management from time to time. This could result in a better communication of risk to the top management and ensure that the risk appetite of an organization does not cross the limit of danger.

I invite CISOs to share their views on “What is the risk appetite of my organization?” and share what risk appetite measurement strategies they adopt in their organization.

Naavi
