DSCI NEWS. Inside Our Mission PUBLIC ADVOCACY OUTREACH PROGRAMS THOUGHT LEADERSHIP CAPACITY BUILDING CONNECT WITH DSCI. e be. o n

Transcription

1 JULY - SEPTEMBER 2011 Vol. 2 No. 3 DSCI NEWS Q U A R T E R LY N E W S L E T T E R O F D ATA S E C U R I T Y C O U N C I L O F I N D I A DATA SECURITY COUNCIL OF INDIA A Initiative Our Vision Information Security Summit December 6-7, New Delhi 2011 Harness data protection as a lever for economic development of India through global integration of practices and standards conforming to various legal regimes. Inside Our Mission To create trustworthiness of Indian companies as global sourcing service providers, and to assure clients worldwide that India is a secure destination for outsourcing where privacy and protection of customer data are enshrined in the global best practices followed by the industry. Editorial Board Rahul Jain Senior Consultant, DSCI Kartik Korpal Asst. Manager Marketing & Communications, DSCI Contact Us PUBLIC ADVOCACY OUTREACH PROGRAMS THOUGHT LEADERSHIP CAPACITY BUILDING CONNECT WITH DSCI Our Objectives Public Advocacy on Data Protection and Cyber Security Capacity Building on Security and Privacy Thought Leadership through Best Practices Independent Oversight for Assurance & Dispute resolution through ADR towards Self-Regulation Cyber Crime Speedier Trial through training of Law Enforcement Agencies and Judiciary DATA SECURITY COUNCIL OF INDIA Niryat Bhawan, 3rd Floor, Rao Tula Ram Marg New Delhi , India Phone: , Fax: info@dsci.in, Website: Facebook: C DS I Co rp Linkedin: Twitter: o ra te M e be m rsh Visit: taxonomypage/105 ip is o pe n Designed by Swati Communications Tel: ,

2 Public Advocacy DSCI takes a proactive role for policy enablement that affects ICT - Strong Engagement & Enactment through the Government. DSCI expresses relief over clarification on Rules notified u/s 43A of ITAA, 2008 IT industry has welcomed clari fication issued by the Ministry of Communications & Information Technology on the Rules notified under Section 43A of the IT (Amendment) Act, The clarification was issued vide a press note on 24 th August. ( Expressing relief over the clarification, Dr. Kamlesh Bajaj, CEO, DSCI said: The interpretation requiring companies to take written consent from individuals about the use of sensitive personal information they collect and process was a matter of concern for outsourcing organizations in India and abroad as well as service provider industry in India. It was perceived to impose additional burden on the industry and thereby adversely impacting outsourcing to India. I hope the clarification puts to rest ambiguous interpretations of these Rules. Ever since the notification of these Rules, DSCI has been conveying the concerns of the industry to the Ministry, requesting it to clarify its intent behind such Rules. The clarification clearly points out that personal data processed by service providers for outsourcing companies, whether located in India or abroad, does not attract provisions of some of these Rules since privacy principles are to be followed by the outsourcing company and not the service provider. The clarification adds: These Rules are regarding sensitive personal data or information and are applicable to the body corporate or any person located within India. Any such body corporate, providing services relating to collection, storage, dealing or handling of sen- 2

3 sitive personal data or information under contractual obligation with any legal entity located within or outside India, is not subject to the requirement of Rules 5 & 6. The above clarification implies that outsourcing organizations abroad are not required to comply with these Rules and hence are not required to adjust their existing data collection practices. Instead, these organizations are governed by the data protection legislations in their respective countries and the service providers in India, in turn, are governed by the contracts signed between them and the outsourcing organizations. This is true for outsourcers in India also. However, the service providers in India are required to follow reasonable security practices for protecting sensitive personal information processed by them, failing which they are liable to pay compensation to the person so affected. Clarification on Rules notified u/s 43A of ITAA, 2008 Service Providers are exempt from Rules 5 & 6, i.e., Requirements on Consent, Choice, Access & Correction, Retention, Discrepancies & Grievances, and Disclosure as these are the legal obligations of the outsourcing organizations which have direct relationship with the end customers, unlike service providers who are acting on behalf of such organizations. Providers of information are natural persons (individuals) who provide their sensitive personal information to a body corporate and not the outsourcing organizations in the context of outsourcing as was being interpreted by some of the law firms and attorneys. Consent under Rule 5(1) includes consent given by any mode of electronic communication and is not restricted to consent provided through letter or fax or . Refer: Further, with announcement of the notification, DSCI engaged with industry to address specific queries on security and privacy. Please visit response%20to%20members %20queries%20on%20Section%2043A.pdf for the set specific queries. DSCI presented the developments and the said notification to the CEOs of the leading BPO organizations in the country, at the CEO s Closed Group Meeting in the NASSCOM BPO Summit 2011, New Delhi. The members reflected positively on the notification and appreciated the role of DSCI in bringing it about. Planning Commission forms Privacy Group With the initiation of National programmes like Unique Identification number, NATGRID among others, most of which will be implemented through ICT platforms, concerns have been expressed on the possible invasion of citizen s privacy. Right to privacy bill is under discussion. In order to understand these concerns and identify interventions for effectively addressing these issues, Panning Commission has set up Pri- vacy Group, under the chairmanship of Justice AP Shah, Former Chief Justice of Delhi High Court and organized a meeting with all the stakeholders. As an active proponent of the privacy issues, DSCI was invited to the session to brief the members on Data Privacy & Security. The meeting was held on 30th September 2011 and Justice AP Shah, Former Chief Justice of Delhi High Court provide the key note speech while Dr. Shri Ashwani Kumar, Minister of State for Planning, S&T and Earth Sciences presided over the meeting. Each member presented their views and perspectives on privacy. During his presentation titled Evolution of Privacy in India, Dr. Kamlesh Bajaj explained how the Indian economy was facing new challenges with 3

4 greater application of information technology. Stressing the significance of privacy in governance, commercial transactions and various other critical areas, he said: We must secure privacy of our citizens, but at the same time we must ensure that stringent privacy regulations don t hinder trans-border data flows which have brought immense economic benefits to our country in the post-globalization era. Dr. Bajaj pushed for legal recognition to self-regulatory bodies saying global experiences suggest that self-regulatory mechanisms can enforce greater business discipline than bureaucratic authorities. Dr. Bajaj further informed the Group that he had earlier made following recommendations to the committee set up by Department of Personnel and Training on framing the privacy bill: 1. Have light weight regulations based on global privacy principles that value economic benefits of data flow and usage, while guaranteeing privacy to citizens 2. Avoid bureaucratic structures that could hinder business interests and lose the spirit during implementation such as creation of a Data Protection Authority - No single authority can ensure effective enforcement of regulations across different industry verticals in such a vast country. 3. Rely on self-regulation of businesses that promote practices, making the privacy program relevant to technology advancements 4. Provide legal recognition to the role of self-regulatory bodies, promoted by industry associations, in enforcing privacy codes in the interest of citizens rights 5. Create regulatory structure that provides right incentives for organizations to do privacy 6. Establish a mechanism, in the form of public private partnership, to resolve the disputes and grievances of citizens 7. Promote trans-border data flows 8. Differentiate between Online Privacy (B2C) and Privacy in B2B environments 9. Promote Privacy by Design 10. Create provisions for continuously enhancing end user education and awareness on Privacy. The Group, along with Dr. Bajaj, is likely to be converted into a regular committee, under the chairmanship of Justice A P Shah, to provide valuable and pragmatic inputs to the government in finalizing the Right to Privacy Bill. NASSCOM-DSCI forms Cyber Security Advisory Group India s current infrastructure development process is making greater use of IT applications and thus vulnerable to cyber attacks which may have serious implications for the nation and economy at large. Recent news items highlighting cyber attacks against organizations like IMF, Citigroup, Lockheed, CIA, CBI, NIA raise concerns on the security of the critical infrastructure. Cyber security is thus clearly linked to national security. While the government is taking proactive steps such as the formulation of cyber security policy, industry has to do its bit with a view to focus on the role of private sector, since more and more of critical infrastructure is in the private domain. With a view to help develop public-private-partnerships, and policies, NASSCOM along with DSCI constituted the Cyber Security Advisory Group. The Group will work towards Public private partnership in capacity building and policy recommendations on best practices for cyber security and assurance framework, awareness and education, cyber forensics, encryption, incident management, information sharing and analysis, assurance in ICT supply chain, Research and Development and global linkages for knowledge exchange. The group comprises leaders from the Government, Law Enforcement, Industry bodies industry verticals 4

5 such as IT/BPO, Bank, Telecom, Energy, Legal, etc. It is chaired by Chairman of NASSCOM Executive Council while CEO, DSCI is Member Secretary. CSCAP holds its first meeting in Malaysia The Council for Security Cooperation in the Asia Pacific (CSCAP) is a non-governmental (second track) process for dialogue on security issues in the Asia Pacific region. CSCAP provides an informal mechanism for scholars, officials and others in their private capacities to discuss political and security issues and challenges facing the region. The Council held its fi rst meeting in Malaysia with representation from member countries. From India, Along with DIT, DSCI was nominated by the Ministry of External Affairs, GoI, to be a part of the Study Group of the Council to promote joint efforts towards increasing cyber security in Asia Pacific countries and prepare a memorandum on cyber security for the region. EU representatives requested for Safe Harbour framework with India In a meeting organized by Ministry of commerce with EU officials, a group of Indian IT experts explained how Indian legislations were commensurate with EU adequacy standard for privacy protection and requested EU representatives to develop a Safe Harbour framework with India considering strong economic engagements between the two sides. The group, led by Dr. Gulshan Rai, DG, CERT-In, included DSCI CEO Dr. Kamlesh Bajaj and Director Mr. Vinayak Godse. Referring to various provisions of the IT (Amendment) Act 2008 and Rules notified under it, the group pointed out that Indian legal framework fixed strict accountabilities on body corporate to maintain privacy of personal data and stipulated stringent penalties in the event of failure to protect sensitive personal information. European Commission s Directive on Data Protection prohibits transfer of personal data to non-european Union countries that do not meet EU adequacy standard for privacy protection. Indian IT industry, especially the BPO sector is of the view that EU Directive acts as stumbling blocks to free movement of data to a third country as the cost of compliance is prohibitively high. A section of the industry further believes that such Directive works as non-tariff barriers and denies market access to them against the principles of free trade enunciated by the WTO. XII five-year plan on Information Technology sector: Cyber Security Government of India s Xll five-year plan on Information Technology Sector includes cyber security as an important agenda item. The Plan takes into account the specific topics related to the cyber security and explores the opportunity for public-private partnership in addressing these. DSCI provided thought leadership in the following 4 areas of the Plan, with suggestion for PPP opportunities: Security Policy Compliance & Assurance - Creation of National cyber security index - Development of Sectoral cyber security frameworks - Cyber security studies & surveys - Security audits, assessments, certifications, metrics, maturity Security Incident Early Warning & Response - National framework for responding to cyber threats - Botnet cleaning centers - Cyber forensics techniques, standards Capacity building & Security Training - Security education & skill building - Training & Awareness - Content Development, Labs, Certifications, Platforms Collaboration - International Engagement UN, Asia-Pacific, etc. - Information Sharing, events, workshops, seminars - Development of International Standards 5

6 Outreach Programs DSCI organizes various conferences and seminars and participates in the events in India and abroad to draw focus on data security and privacy concerns and DSCI s approach towards data protection. DSCI CEO addresses international conference on Internet at Sonipat Information & communication technologies are now invading the privacy of individuals firstly, through a centralized database, secondly, through profiling by co-relating multiple databases and thirdly, through social networking in which the data subject is data creator also - said Dr. Kamlesh Bajaj, CEO, DSCI at an international conference held in Sonipat. The conference, titled The Internet and a Changing World, was jointly organized by Jindal School of International Affairs, United Nations University (Tokyo), and the Campaign for a United Nations Parliamentary Assembly. Dr. Bajaj chaired the thematic panel on The Internet and Privacy. Outlining the evolution of the concept of privacy, Dr. Bajaj said: Privacy concerns in the context of technology dates back to 1890s when the printing press was used to invade the privacy of the influential people through magazines and newspapers. The concept of right to be let alone emerged as a consequence of this, and today, privacy is considered to be a part of Right to Liberty guaranteed under Article 21 of Indian Constitution. He also explained how surveillance technology was invading privacy of individuals and how the state should respond to protect national security by ensuring privacy. Dr. Bajaj responded to several questions from the audience ranging from the right to privacy, surveillance technology invading privacy and the State s enlarged role for protecting national security that seems to compromise individual privacy. Indo-French Technological Meet: DSCI Director speaks about privacy issues Ubifrance and the French Trade Commission in India jointly organized Indo-French Technology Meet 2011 from 19 th September to 1 st October across the three cities - New Delhi, Mumbai and Bengaluru. The Meet showcased French expertise and state-of-the-art technologies from France in five key sectors: secure payment and identification systems, green building, sustainable mobility, nuclear energy and aerospace. 6 DSCI Director Mr. Vinayak Godse spoke about security and privacy issues in ID projects with specific reference to smart card and bio-metrics technology in a closed door meeting with business leaders held on the sidelines of the Meet in New Delhi.

7 7

8 Thought Leadership DSCI regularly undertakes study and surveys to develop reports on the various facets of data security and privacy in India. These reports, jointly produced by various corporate entities including major consulting firms amongst others, highlight the current state and concern of data security and privacy. DSCI Excellence Awards

9 Hon ble Union Minister of State for Communications & IT, Mr. Sachin Pilot gave away the 1 st DSCI Excellence Awards at a ceremony held in Hotel Imperial in New Delhi on 22 July. Eight business enterprises were awarded for their excellence in adopting proactive and innovative data security measures. Two business leaders were honoured with Security Leader of the Year Award for their individual contributions towards data security. Mr. Pilot congratulated DSCI on bringing focus on data security practices and initiatives being undertaken by the industry and encouraged the role of an independent body focused on promoting a culture of data protection in India. He lauded the steps taken by the winning organizations and individuals in establishing safe practices in their organizations and also highlighted the initiatives being taken by the Government towards promoting data protection while emphasizing the role of public partnership in building trustworthiness of Indian companies. DSCI instituted DSCI Excellence Awards to annually honour organizations and individuals who have taken strategic, proactive and innovative security efforts to help their organization address real risks; elevate the role of security function and its contribution in the overall business ecosystem of an organization; and bring about awareness towards the need for information Security within organizations and society at large to harness security as a lever for economic growth. The organizations which were honoured with DSCI Excellence Awards are: Bharti Airtel Limited for Security in Telecom HDFC Bank Ltd. For Security in Bank Cognizant Technology Solutions for Security in IT Services Company (Large) IBM Daksh Business Process Services Pvt. Ltd. For Security in Global BPO Financial Technologies (India) Limited for Security in IT Services Company (SME) Hewlett Packard GBS, Global E-Business Operations Private Limited for Security in Captive BPO CSC for Raising Security Awareness For their individual contribution, DSCI honoured Mr. Felix Mohan, Global CISO, Bharti Airtel Limited and Mr. Raja Vijay Kumar Adapa, VP & Global Information Security Leader, Genpact with Security Leader of the Year Award. W I N N E R S The Awards ceremony was the culmination of a detailed evaluation process developed by DSCI, in consultation with Pricewaterhouse Coopers, with eminent experts from the industry serving on the Jury panel to decide the winners. The Jury comprised the following: Mr. Jerry Rao, Founder Mphasis and former Chairman, NASSCOM Dr. Ganesh Natarajan, CEO, Zensar Technology Dr. K. Ramakrishnan, CEO, Indian Bankers Association Dr. D.P.S. Seth, Former Chairman BSNL & Member TRAI DSCI is focussed on promoting data protection in the country while assuring the clients worldwide that India is a secure destination for outsourcing. While on one hand, DSCI promotes data security through its Frameworks DSF(C) and DPF(C), it has also decided to recognise organizations and individuals who have implemented strong, effective and resilient security programs and have shown high level of preparedness and dedication in increasing information security awareness, through DSCI Excellence Awards which have been instituted this year. This will boost the confidence of the industry and also inspire others to strengthen their security practices to match global standards. Bharti Airtel Limited HDFC Bank Ltd. Cognizant Technology Solutions IBM Daksh Business Process Services Pvt. Ltd. Financial Technologies (India) Limited Hewlett Packard GBS CSC 9 9

10 First draft of CSMIC released DSCI is a member of Cloud Services Measurement Initiative Consortium (CSMIC) led by Carnegie Mellon University (CMU), US. CSMIC aims to address the need for industrywide, globally accepted measures for calculating the benefits and risks of cloud-computing services. The major product of the consortium s efforts is the Service Measurement Index (SMI), a set of businessrelevant Key Performance Indicators (KPI s) that provide a standardized method for measuring and comparing a business service. Features of SMI and High Level Attributes of Service Measurement Index (SMI) have been finalized post public consultation. These include two important attributes suggested by DSCI - Security Capabilities and Threat & Vulnerability Management. The consortium will now develop metrics under each attribute. DSCI will contribute in development of Security & Privacy related metrics which will help businesses ascertain and compare capabilities of cloud service providers in the area of security and privacy. This, along with other parameters of the framework, will help businesses select the right cloud service provider. Members are advised to refer the current version of the framework at documents/10508/186d5f13-f40e-47adb9a6-4f246cf7e34f and share their observations with DSCI. Development of Security Framework for Banks CEO, DSCI is a member of Working Group on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds created by Reserve Bank of India. The Group aims at collaborative efforts by members for exploring detailed service provider assessment and monitoring frameworks and best practices from a banking context. RBI in its e-banking report had recommended development of Security Framework for the Banks. DSCI submitted the Proposal for Development of Security framework for banking industry to High Level Group. The HLG has in principle approved the proposal and would work with RBI & Indian Banks Association for funding the project. The framework will help in areas relating to IT Governance, Information security, IT operations, Information system audit, Cyber frauds, Business Continuity Planning, customer education and legal issues arising out of use of IT in Banking. DSCI Best Practices Frameworks DSCI Frameworks, DSF and DPF through their best practices help bring about dynamism into security and privacy to enable an organization respond to ever increasing threats enterprise wide. The Frameworks are endorsed by the industry and also by analyst firms like Gartner and Forrester, and have been recommended by RBI in its Electronic Banking Committee Report. With the Data Centric approach of the Frameworks, wherein consolidation of detailed assessment of the enterprise s security and risk management requirements are considered, DSCI is working towards establishing the Frameworks as a Standard for security practices in the organizations. DSF is expected to fulfill the requirements of Reasonable Security Practices under Rule 8 of Rules notified u/s 43A. DSCI is engaged with Bureau of Indian Standards for recognizing DSF as a Standard. White Paper on Types of Attacks With the ongoing digitization of the business world, our cyberspace is experiencing newer and newer threats. In order to understand and address them, DSCI has brought out a white paper providing comprehensive details on the nature and extent of these threats. Please visit files/type%20of%20attacks_dsci _White%20Paper_1.pdf and share with us your comments and suggestions to make it more informative. Members are invited to contribute to the growing repository of information and updates on DSCI Website, in form of articles, white papers etc.

11 Capacity Building DSCI has been actively involved in developing and imparting training and capacity building for various government and corporate entities. DSCI opens another Cyber Lab at Kolkata West Bengal Minister for Information Technology, Shri. Partha Chatterjee, inaugurated the 8 th Cyber Lab of DSCI at Lalbazar in Kolkata on 10 August. DSCI Cyber Labs, established at the locations of cyber crime cells in the country, have so far trained over 9,000 police officers. The training seeks to enable law enforcement officials to track down and bring cyber criminals to justice with the help of computer forensic tools. DSCI Cyber Labs DSCI Training Programs on Cyber Crimes DSCI organized a Level 3 Advanced Training Program on cyber crime for police officers at Central Bureau of Investigation Academy in Ghaziabad. The five-day training course covered advanced concepts in cyber crime investigation and cyber forensics. The training was attended by over 30 police officers from National Investigation Agency, Myanmar Police, Nepal Police and other state police of India. The experience of running Cyber Labs and these programs helped DSCI formulate Standard Operating Procedures for cyber crime investigation in Cyber Crime Investigation Manual. The Manual was released early this year by the then Union Home Secretary, Shri, G K Pillai and has been distributed to all the police stations across the Country. DSCI is now in process of developing Cyber Crime Training Material. Cyber Crime Investigation Program DSCI is working closely with the Ministry of Home Affairs on the Cyber Crime Investigation Program (CCIP) on a country wide basis since cyber crimes are no longer confined to cities that are important to the IT/ BPO companies. This proposal has been approved in principle and the MHA and the Home Secretary will inaugurate the DSCI Workshop on CCIP for state DGPs, likely to be held in next quarter. 11

12 Connect with DSCI DSCI understands the value of engaging security and privacy professionals across the globe in its efforts to promote data protection in the country and organizations, and provides with multiple options and channels to connect with stakeholders. DSCI Chapter Fraternity is now 1200 member strong and DSCI Corporate Members are now over 605. Collectively, DSCI Members represent over 500 companies across all major verticals including IT/BPO, Bank, Telecom, Energy, Manufacturing, etc. DSCI welcomes all the new members and looks forward to collective efforts towards increasing awareness on data security. This quarter saw Chapters organizing meetings on Measuring Effectiveness Infosec Controls, IT Privacy law viz. 43A, DDOS Attack and Resolution from Experience and Social Networking & Controls towards Information Security & Privacy. The members actively contribute to the Knowledge Corner on DSCI website. Pl visit taxonomypage/226. DSCI members can also connect with us, and more than 300 members, through the following social media platforms. 1. DSCI Website: incorporates interactive Web 2.0 features. DSCI content is forthcoming and the site offers easy browsing of DSCI consultation papers, policy papers and reports. It provides means for sharing the content with social networking sites, interactive updates on DSCI events and has details on the programs for different target groups. It provides emergency services contact and gives an opportunity for security skill registry (an individual can register their security skills with DSCI) and many such features. Register your skills with DSCI at 2. Social Media: DSCI provides updates, notification, event details on the social media sites in an endeavor to connect with security and privacy professionals, industry, international bodies, etc. Follow us on... Facebook: connect Twitter: LinkedIn : 3. RSS Feed: Subscribe RSS feed for update on DSCI position papers, consultation papers and study and survey reports at DSCI homepage at Papers/Reports tab or dsci.in/rss.xml DSCI members are invited to avail Members Discount at the NASS- COM-DSCI Annual Information Security Summit