Naavi.org

On November 7, 2023, Reserve Bank of India has made a major announcement related to Information Security Governance applicable to all Regulated entities (RE) . These guidelines will henceforth be considered as “Reasonable Security Practice” requirements and “Due Diligence” for all the entities covered under the notification for the purpose of ITA 2000 as well as DPDPA 2023.

This “Master Direction on Information Technology Governance, Risk, Controls and Assurance Practices” will replace all earlier guidelines issued since 2002 including the GGWG guidelines of April 29, 2011 and the Cyber Security Framework of 2017.

The directions titled Reserve Bank of India (Information Security Governance, Risk, Controls and Assurance Practices) Directions 2023, will be effective from 1st April 2024.

These directions will be applicable to all Banking Companies, Corresponding New Banks, SBI, NBFCs, Credit Information Companies, Exim Bank, NABARD, National Bank for Financing Infrastructure and Development, NHB and SIDBI,

The directions are not applicable to Local Area Banks, NBFC Core Investment Companies.

The guidelines consist of the following 7 chapters.

Chapter I: Preliminary

Chapter II: IT Governance

Chapter III: IT Infrastructure & Services Management

Chapter IV: IT and Information Security Risk Management

Chapter V: Business Continuity Plan (BCP) and Disaster Recovery Management

Chapter VI: Information Systems (IS) Audit

Chapter VII: Repeal and Other provisions

The IT Governance Framework under Chapter II indicates five key focus areas namely

a) Strategic alignment

b) Risk Management

c) Resource Management

d) Performance Management and

e) Business Continuity/Disaster Recovery Management.

Under the guidelines, the REs shall put in place a robust, comprehensive and accountable framework of Governance specifying the responsibilities of the Board of Directors, Board level committee and Senior Management.

Under the guidelines, the REs shall appoint a sufficiently senior technically competent and experienced official in IT related aspects as head of IT function who will be responsible for

(i) Ensuring that the execution of IT projects/ initiatives is aligned with the RE’s IT Policy and IT Strategy;
(ii) Ensuring that there is an effective organisational structure to support IT functions in the RE; and
(iii) Putting in place an effective disaster recovery setup and business continuity strategy/ plan.

Under Chapter III on IT Infrastructure and Services Management, one of the guidelines indicated is that REs shall avoid using outdated and unsupported hardware or software and shall monitor software’s end of support date and AMC dates on an ongoing basis. This could mean that there would be an immediate refreshing of hardware and software facilities in all REs.

In third party arrangements for outsourcing, REs shall apply the RBI outsourcing directions 2023 and further put in place measures to assess and mitigate risks, including compliance of all applicable legal, regulatory requirements and standards to protect customer data.

While adopting new or emerging technologies, REs need to align the strategies with the risk appetite of the organization.

It is also specifically indicated that REs shall obtain the source codes of all critical applications from the vendors and put in place a source code escrow arrangement. REs shall also obtain a certificate or a written confirmation from the application developer or vendor stating that the application is free of known vulnerabilities, malware, and any covert channels in the code. Such a certificate or a written confirmation shall also be obtained whenever material changes to the code, including upgrades, occur. Any new IT application proposed to be introduced as a business product shall be subjected to product approval and quality assurance process.

The REs shall put in place a system for collecting and monitoring audit trails of all critical applications.

The guidelines suggest use of cryptographic controls which are internationally accepted and not deprecated and adopt a straight through processing when data is transferred from one process to another.

The access control is expected to be on a need basis and personnel with elevated access shall be based on multifactor authentication and closely supervised.

Chapter IV covers the IT and Information Security Risk Management. The guidelines require an appropriate policy that shall be reviewed at least once a year and a Cybersecurity Policy and Crisis Management Plan (CCMP) .

A senior level executive (preferably General manager level) shall be designated as the CISO who shall not have direct reporting relationship with the head of IT functions and shall not be given any business targets.

The guidelines recognize the need to report incidents to CERT-IN but no mention has been made on Data Protection Board under DPDPA 2023. This indicates that these guidelines have been developed before DPDPA 2023 was passed and hence DPDPA 2023 compliance need to be built over this Information Security guidelines.

Under Chapter V, the BCP and DR policy requirements are indicated and shall include the interconnected systems of vendors and partners. It is expected that REs shall achieve minimal RTO (Recovery Time Objective) as approved by the IT Security Committee and near zero RPO (Recovery Point Objective) for critical information systems.

Information Systems (IS) audit under Chapter VI indicate that there shall be an IS audit policy along with a governance mechanism.

An annexure along with Chapter VII ensures that multiple regulations of the earlier years are promptly repealed so that this guideline will become an unambiguous guideline applicable from 1st April 2024.

Information and Data Security professionals need to take note of this guideline not only for sectoral regulations but also as a general guideline on industry practices.

Naavi

Indian Data Protection Summit (IDPS), is FDPPI’s flagship annual event, which brings together experts and speakers from India and abroad to delve into various facets of data protection in India.  IDPS 2023, the fourth edition, is jointly organized with Manipal Law School, a constituent institute of Manipal Academy of Higher Education (MAHE), an Institution of Eminence Deemed to be University.

Theme: This year, IDPS 2023 is set to explore the profound impact of emerging technologies, including AI, Meta Verse, Blockchain, Quantum Computing, and Neuro Science, with a unique focus on privacy and data protection.

Event Highlights: Key note addresses, Panel Discussions, Industry Awards, paper presentation from academia and exhibition opportunity for organisations to showcase their products and services. The participation to the event is by delegate fee and invitations. The program will also be webcast and recordings made available for access post the event.

Date & Venue: Nov 24 & 25, MAHE Campus, Yelahanka, Bangalore

Participation Fee:

Physical Participation for two days – Rs 3,000

Virtual Participation for two days – Rs 1, 500

For Queries: Write to fdppi4privacy@gmail.com

We refer to the newspaper reports about the data leak at ICMR. It is stated that data of 81.5 crore citizens is up for sale in the dark web.

While there can be a separate discussion on the possible security failure at ICMR and how such data breaches will be handled in the post DPDPA 2023 scenario, I would like to bring to the discussion table an entirely different perspective.

When such data breaches occur and the victim is a Government body, all professionals end up blaming the Government. Media by their nature also blames the Government and probably Mr Modi for batting for digital India.

But has any body blamed the hackers who have made it a habit to attack Indian Government assets to display their hacking skills as if it is a fair game and no adverse consequences to follow?

Just as Lutiyan media, Left liberals and UN blames Israel without condemning the Hamas attack, media only blames the Government without condemning the hackers who steal data and post it in the DarkWeb as if it is their right to do so. Crime is not a right and we need the society to understand this.

According to the report in news 18 CERT IN has roped in multiple agencies of the Government and considering the breach as a sensitive data breach involving Aadhaar and Passport data.

I hope this report is true because in the past CERT IN or MeitY has not shown the necessary concern to address such data breaches. When a Government asset is breached, CERT IN feels shy thinking that it is guilty of lack of its own inability in enforcing information security within the Government bodies and would be inclined to underplay the incident.

The tendency of the Government/CERT IN/MeitY is similar to a corporate executive who tries to delay reporting of an incident because he is shamed by a data breach in his company and unable to go to his CEO immediately and say… Sorry, I made a mistake. Instead, he tries to resolve the issue first and in the process create more damage than what was necessary.

In the ICMR Case, it is evident that the scale of data breach and the nature of personal data and the intention of making it available on the Darkweb to any enemy of the country indicate that this incident reflects an unauthorized access and a Section 66F offence under ITA 2000.

If the Government is serious, they have to put the fear of God in the hackers who attempt at hacking Indian Government websites and data bases and steal the data.

I would have loved to read in the News18 report that ICMR is filing an FIR under Section 66F against unknown hacker who has placed the data for sale and in conspiracy with others who must have assisted him. Further investigations would reveal whether it was an information security gap or there was any insider involvement or whether it had any involvement of the supply chain system.

Government/ICMR need to announce an attractive reward for any information leading to the finding of the source of the ICMR hacking and some security expert may be able to find out the identity of the person who has posted the data for sale in the dark web.

I donot think that hacking into Government data assets is different from Chinese intrusion into Ladakh or Pakistan intrusion into Kargil. The Government should not be soft to such activities and take such action which would deter them from trying such things once again.

It appears that many hackers are using Government assets as target practice for honing their hacking skills and we need to put an end to such a practice.

We often hesitate to use the available laws and this attitude needs to change.

I am stating this with my own personal experience of instances when Cyber Terrorism instances were brought to the attention of CERT In and MeitY and they failed to take it to a logical conclusion.

One was a case of Digilocker which was hacked and unauthorized access was gained to around 3 billion documents and the hacker boldly published his exploit on the web. When CERT In and Digilocker came to know if it, they did not lodge any FIR on the hacking irrespective of whether there was any vulnerability in the security or not.

Such softness create an impression that Indian enforcement system is not good enough to be feared by hackers.

Let us now wait and see if the MHA wakes up at least in the case of ICMR hacking and file a Section 66F complaint. Even in other cases, MHA should at least send notices and demand admitted hackers to show cause why a Cyber Terrorism complaint cannot be launched against them.

If MHA is watching this website as they should, they can respond with filing a Cyber Terrorism case in this instance and have a NIA-CBI investigation.

Naavi

ISO auditors have been one of the class of professionals who have been productively engaged in the audit and assessment services. ISO gives many opportunities for certification but one of the major activities has been ISO 27001. Now as the ISO 27001:2019 moves to ISO 27001: 2022, post 1st November, auditors have to gear up for the new framework. A few of these auditors had stepped into ISO 27701 and offering their services for GDPR compliance to Indian companies.

So far, we could tell a company that India does not have a data protection law and therefore go for GDPR compliance and implementation of ISO 27701 which along with ISO 27001 can be certified.

But the scenario has now changed. India has passed DPDPA 2023 which is applicable to collection of personal data in India. It will therefore be foolish to apply GDPR to Indian Personal Data and feel that compliance is achieved.

If so, how can an Indian Data Fiduciary go for compliance? particularly if it intends to get third party certified?

Enter DGPSI the Futuristic framework

Thanks to forward looking organizations like FDPPI, an unique framework for implementation of Compliance by Design, Certifiable third party audit and Maturity assessment is now available for organizations.

The framework is called DGPSI (Digital Governance and Protection Standard of India) and the system built under DGPSI guidance is the DGPMS or Digital Governance and Protection Management System.

So, DGPMS is now the organizational goal pushing aside ISMS and PIMS.

In this scenario, ISO auditors cannot depend on ISO 27001/ISO 27701 audit for their bread and butter. They need to find new avenues to leverage their years of experience.

DGPSI is the biggest disruptor in the IT audit domain. It brings three kinds of professionals namely the Business Managers, the CISOs and the DPOs into one platform and own the implementation.

Audit or implementation s no longer a proposal from CISO or DPO which the CFO or CMO shoots down. It is a proposal in which the CFO and CMO have equal interest along with CISO or DPO or even the CRO or CCO.

DGPSI directly addresses the compliance of DPDPA 2023 with about 35 controls.

At the same time it also picks up the 25 compliance requirements related to Privacy Risks identified by the Bureau of Indian Standards in their draft standard document released at the same time when DPDPA 2023 was passed by the Parliament and 33 controls required for ITA 2000 compliance.

The DGPSI additionally addresses the requirements of 93 controls of ISO 27001 and 49 controls of ISO 27701 which are suggested for application to Personal Data protection.

Thus, a Total of 200 non DPA controls are merged with 35 DPDPA specific controls and addressed through only 50 Model Implementation specification under DGPSI.

It is simpler but effectively includes the essence of the essence. More over the DTS component of assessment provides a maturity assessment of the organization’s compliance status also.

DGPSI is therefore likely to be the only choice of wise Business Managers in the industry.

Before organizations gear up to opt for DGPSI compliance, professionals need to transform themselves from their current expertise to DGPSI expertise and an opportunity is flying past you.

On October 28/29 and November 4 and 5, FDPPI/Naavi is conducting a 12 hour Virtual program to impart the necessary requirements of this DGPSI framework the best practices of the industry.

Visit www.fdppi.in and register yourself today .

Don’t miss the bus… board the C.DPO.DA band wagon today….

Naavi

FDPPI has been in the forefront of empowerment of Professionals and Organizations for Personal Data Protection in India.

During the five years since its inception, FDPPI has introduced India specific Certification Program for Data Protection Professionals and today if any person is aspiring to be a DPO or undertake the profession of a Data Auditor, the clear destination is FDPPI.

Similarly if any organization is looking for a framework for compliance of DPDPA and Indian Data Protection Regime, the clear and only choice is DGPSI or Data Governance and Protection Standard of India.

While FDPPI’s C.DPO.DA. Certification program is the preferred choice for professionals over every other certification program on the basis of content and DGPSI based audit and assessment is the only choice for organizations for Certification for DPDPA compliance, FDPPI would like to be an organization that takes along all organizations and professionals with similar objectives to come together as a “Federation of Data Protection Professionals” in India.

FDPPI therefore has introduced a “Cross Certification Program” to recognize the efforts and investments made by professionals in acquiring qualifications like CIPP or CDPSE Certification and provide them an exemption from part of the training of C.DPO.DA. Though these programs only focussed on GDPR and not on DPDPA, considering the general training they have received in Privacy, we would provide them a short cut to completion of C.DPO.DA.

Currently auditors certified as “Lead Auditors” of ISO 27001 or ISO 27701 or PCI DSS, undergo intense training in audit aspects but not necessarily in any law since these audits are purely technical in nature and not Techno Legal in nature. However, considering their exposure to the industry, Accredited ISO lead auditors will be provided an accelerated path to becoming C.DPO.DA. auditor.

This is an attempt to follow the principle of “Sab Ka Sath-Sab Ka Vishwas” .

The accelerated path to C.DPO.DA. works as under.

Currently C.DPO.DA consists of three parts namely Module I, Module G and Module A.

Module I covers DPDPA and ITA 2000 (DIA when available)

Module G covers GDPR, US Data Protection laws, Singapore/DIFC laws

Module A is sub divided into two parts namely the first part consisting of essence of Audit Principles, ISO 27001 and ISO 27701 and second part which consists of DGPSI framework.

In what is proposed, professionals with current active certifications from IAPP and ISACA can directly take up Module A (both Part 1 and part 2 required). The Accredited ISO auditors can directly take Part 2 of Module A.

All professionals need to take the online examination for C.DPO.DA and pass through in one or more attempts. They can opt to take the training if required at any point of time though video streaming.

The Cost of the these accelerated programs from 1st November will be as follows:

Module A: Both Part 1 and Part 2: Rs 24000/- Plus GST of 18%

Module A-Part 2 only: Rs 12000/- plus GST

Examination fee: Rs 10000/- for first attempt and Rs 5000/- for second and subsequent attempts (plus GST)

Next Program for Module A will commence on October 28,29 and November 3/4

Naavi

Commemorating of October 17 every year as the day on which Indian Digital Society was born since the legal recognition of electronic document was first provided in India through ITA 2000 which was notified on October 17, 2000, has been a practice of Naavi for last two decades.

Last year we had a great virtual event under FDPPI banner. This year we had Manipal Law School (MLS) also join in the activity. I was doubly happy since even KLE Society with which I had conducted many such events in the past also was present on the occasion,.

The event was titled as “Jago Regulators Jago” recognizing that the “Awareness” programs which we are conducting for several years now to say that “Public need to be aware of Cyber Risks”, need to be elevated to an awareness of the regulators.

By regulators in the context of Cyber Crimes, we include Police, the Adjudicators under ITA 2000, the MeitY, MHA and the CERT IN.

The event saw the participation of Dr Triveni Singh along with a battery of professionals from industry, academia. Several advocates also participated in the half day conference held at MLS campus, Yelahanka, Bengaluru and also webcast in real time. Mr Balu Swaminathan, President of Cyber Society of India, Chennai who was associated with Naavi on several Cyber Crime investigations in Chennai was a special guest on the occasion. Dr Gulshan Rai could not join due to urgent alternate commitments.

Some very good suggestions have come forth during the event which will be added to this first report of the event.

The video of the event is available below.

Some of the photographs marking the attention are here

Naavi