Comments
on the consultative Paper on Making Rules under ITAA 2008
Issue 1:
(a) Should it be proposed that there
should be a set of practices to be followed by all?
(i) If so, should they be based on a
combination of ISO 27001 (or ISF), OECD Security Principles for design and
operations of ISMS as per the needs of an organization, based on
information assets and risk assessment; coupled with security assessments
based on CobIT?
(ii) If so, should an organization be
required to declare the standard it is following, apply the same with
vigour and create a mechanism for assessing security controls? It would
outline its size and type of business and create a written document stating
the standard and the controls selected by it and how they are deployed.
(Should it be a short document in the case of small organizations that
provide minimum services and collect minimum personal data?)
(b) Could this approach be construed
to constitute “reasonable security practices”? Will failure to implement
the same be construed to be negligence on the part of the organization?
(c) Should the rule categorize body
corporates into small, medium, large size and prescribe standards?
Comments/Suggestions:
There is no doubt that known security
standards such as ISO 27001 present an easy option for framing rules. It
must however be remembered that ITA 2000 under its schedule had proposed
security guidelines of its own, which constituted an indigenous security
standard under ITA 2000. Similarly, RBI had provided its own Information
Security guidelines to banks. The principles adopted there were not in
conflict with BS 7799 or other standards, but they still constituted an
indigenous standard.
However, standards such as ISO
27001 are commercial standards, where the user of the standard is expected
to pay money even to know what the standard says. Hence it is not ideal for
Indian cyber law to be made dependent on any standard over which an
external agency claims proprietary rights. Adoption of such standards
will create vested interests in the definition of standards and in the
procedures for audit and certification.
It is not necessary to introduce
such a dependency of Indian law on foreign standards.
On the other hand, this is an
opportunity for India to develop its own security standards.
Alternatively, it is an opportunity to prescribe a self-declared security
practice based on open standards. This would mean that the users themselves
define what standards they adopt for protecting their information assets
and make them public. The declaration would not be sufficient if it simply
says that “ISO 27001” is being followed; the detailed security procedures
should be declared as an open standard.
As an example of how this can be
achieved, I am enclosing a draft security prescription developed by me for
the Legal Process Outsourcing companies in India, named LIPS1008. (This was
developed as a guideline to LPOs in India by Naavi and the specifications
are considered open information available to the public.)
The principle adopted in
LIPS1008, and which is recommended under ITA 2008, is that the security
practice would be defined by the organization itself and disclosed for the
benefit of all stakeholders, including prospective customers. The audit
and certification process would ensure that what is declared in the policy
is actually followed. This principle is used in HIPAA, where the
organization is left to make its own declaration on implementing or not
implementing certain specifications.
The critical difference between
the suggested approach and other current practices is that there is no
secrecy about the information security policy being adopted by an
organization. Today the IS policy is considered an internal document of
an organization and its customers do not have adequate information about the
policies. HIPAA, by contrast, prescribes that the privacy policy has to be
publicized and reasonably distributed to the stakeholders. This principle
should be extended to ITA 2008.
Under this suggested approach,
every organization should develop an “Information Security Practice
Document” for the organization and publish it for public consumption. The
audit certificate should also be published, with whatever comments are made
by the auditors. The stakeholders are then free to decide on the reliability
of the security practices based on the declared policy as well as the
credibility of the auditors.
In the enclosed suggested
standard for Legal Process Outsourcing companies in India, it is also
proposed that the auditor may classify the security practice as Level I, II
or III, to make it easy for organizations to adopt a base level of security
at first and then gradually move up the value chain. This is also the
practice in quality certifications.
In the event the declared
security practice is below par, the organization is likely to lose its
credibility in the market place. There is therefore a market-based
self-correction mechanism. If an organization declares a higher security
level in its policy and fails to adopt the same, it would amount to a breach
of its own declared policy and constitute a criminal offence. The liability
for the offence would also extend to the management, both by Section 85 of
ITA 2000 and through the operation of Clause 49 of the listing regulations.
This approach of self-declaration
of security practice will obviate the need to categorize corporates into
small, medium etc., since security requirements need not necessarily depend
on the size of the organization, whether defined in terms of turnover or
manpower.
Issue 2:
Should personal information be defined as information relating to an
identified or identifiable natural person?
(An identifiable person is one who
can be identified directly or indirectly in particular by reference to an
identification number or to one or more factors specific to his physical,
physiological, mental, economic, cultural or social identity.)
Should sensitive personal information be defined
to include data such as that pertaining to racial or ethnic origins
political or religious beliefs or health or sex life?
Comments/Suggestions :
In the absence of a detailed Privacy
Protection Act, we need to provide a comprehensive definition of what is
“Sensitive Personal Information”. While the objective is to protect
individual privacy, it should be ensured that criminals do not take
advantage of the protection to hide and launch criminal activities. There
is also the issue of whether the protection of privacy is restricted to a
living person or extends to a dead person, at least for a certain length of
time.
In defining personal information, the
critical aspects are “Health” and “Financial”. “Religious” and “Political
affiliations” are factors used in the UK Data Protection Act. Information on
legal matters pertaining to a person, educational details, salary and
employment particulars etc. are also sensitive information. Contact
information such as mobile number and street address, and personal identity
details such as bank account number, PAN card number, passport number etc.,
are also sensitive. In the Internet arena, IP address, “WhoIs”
information and personal e-mail may also be considered “sensitive
information”. The list is therefore open-ended and can be covered only by
an inclusive definition. It may also be a matter of personal choice that
some information is considered sensitive by some persons and not by others.
Obviously, any information that is not
identifiable to an individual is considered “de-identified information”
and is to be excluded from the need for protection. However, certain
information becomes identifiable in the hands of certain persons and
remains de-identified in the hands of others. For example, an IP address in
the hands of an ISP is identifiable but not in the hands of other members of
the public. Hence, on a blog, the IP address of the person posting the
information is not sensitive personal information. Similarly, the e-mail
service provider need not hide the IP address of the sender in the header
information, since it is not independently identifiable information in the
hands of the recipient.
It is also possible to define “Sensitive
Personal Information” under two categories, namely what the rules define
and what the individual prefers to treat as sensitive.
We therefore need to define “Sensitive
Personal Information” as:
“In the absence of any agreement
to the contrary, Sensitive Personal Information related to an individual
means any information which in the hands of the receiver is capable of
being used to identify the individual, with or without any collateral
information that the receiver may possess, and has the potential to be used
to cause wrongful harm to such a person”.
Explanation: Sensitive Personal
Information includes, as the context may determine, the name, street
address, telephone number, mobile number, PAN card number, passport number,
educational details, parental details, e-mail address, IP address, IMEI
number, and political or religious affiliations.
This definition implies that any service
provider who obtains information from an individual may have to, at the time
of obtaining the information, provide an option to the individual to mark
any or all of the information as “Sensitive Personal Information” not to be
parted with unless a specific authorization is provided.
The exceptions to this rule have to be the
requirements of law enforcement, public interest and national interest.
The above definition restricts the coverage
to natural living persons only. There does not appear to be an adequate
case to extend the definition to dead persons or to persons other than
natural persons.
Issue 3:
Should an Intermediary be required to store
traffic data that identifies a subscriber or a user relating to a
transaction or communication conducted by him, for a period of 6 months
following the time of transaction, in a secure way and make it available to
authorized persons within a reasonable time?
-If so what should constitute a reasonable time?
- Should the content be required to be stored?
-If so then the question of the format and
duration need to be addressed.
Comments/Suggestions :
There is no second thought that traffic data
needs to be stored. At the same time, the period of 6 months as suggested is
not adequate. The absolute minimum is one year and the desirable period is
around 3 years.
Content need not be stored since it becomes
subject matter of confidentiality disputes and also leads to arguments of
unmanageable storage requirements.
Information under this section should be
furnished, if called for by a designated authority, expeditiously and not
later than 48 hours. In the event such retrieval is not possible, a
suitable notice in reply has to be provided to the authority explaining the
reasons for which the delay is inevitable and indicating a reasonable time
frame within which the information will be furnished.
Failure to meet the obligation is in any case punishable under the Act itself.
Issue 4:
Should the guidelines u/s 79/2 prescribe that an
intermediary be required to declare its privacy policy, security policy,
and the operations policy and process with respect to handling of third
party content and expect its subscribers to read and agree with the same?
-Should the intermediary be required to give an
undertaking to cooperate with and work under the direction of officers
designated by the government under various sections of the IT Amendment Act
2008?
-Should it undertake to act within 24-72 hours of
receiving any orders for removing any offensive content?
-Should it be obliged to take any action on any
offensive content hosted by it on its infrastructure from any person other
than the designated government officers?
Comment/Suggestion:
It should be part of the “Due Diligence” obligations of an intermediary
that appropriate disclosures are made which are truthful and adequately
followed.
There is no need for a separate undertaking
to be given by an intermediary to cooperate with the enforcement
authorities. This is an obligation under the act.
Removal of “Offensive Content” is a
sensitive issue, since the power to take a final judgment on whether
content is fit for removal cannot be delegated without appropriate
evaluation from a judicial perspective.
If the intermediary refuses to act when
notified by an appropriate authority, he anyway takes on the liability for
the offence.
However, there needs to be a safeguard so that the
powers of blocking, interception etc. are not abused because of
political or other considerations. Hence it is necessary that a “Netizen
Protection Commission” or, in its absence, a “Netizen Protection Advisory
Board” be constituted as an agency which may consider any request for the
exercise of powers under the Act by Government agencies and the Police for
interception etc. and advise the intermediary suitably.
If such a body is constituted, notices
received from the public, if any, about offensive content may also be sent
to the same authority for directions. It can also take a view like an
ombudsman when the designated authority does not concur with the view of a
complainant and refuses to get the alleged offensive content removed.
Though the power of mandatory blocking or
removal of content should be exercised only after the designated Government
official issues the orders, an intermediary may, under its “Due Diligence”
obligations, be expected to act and suspend publication of any content if a
notice is received from any other person and the intermediary considers the
notice tenable in principle. The content may be restored or removed upon
suitable directions being received later from the designated agency.
For this purpose each intermediary may be
required to keep an internal mechanism to receive and act on such notices.
For example, if an intermediary receives a credible notice that content on,
say, a social networking site is against the national interest, the matter
has to be attended to expeditiously without waiting for formalities such as
getting directions from an appropriate authority.
Annexure
(Comments on the consultative Paper
on Making Rules under ITAA 2008)
P.S.: This is a suggested information security
framework for Legal Process Outsourcing companies in India prepared by
Naavi, which is indicative of the framework under which a reasonable
security standard may be developed under ITA 2008. The detailed action plan
is left to the discretion of the management.
Specifications of LIPS 1008
Number |
Description |
Level 1 |
Level 2 |
Level 3 |
LIPS 1 |
Client Consent |
A letter of consent to be obtained from every client
whose information is processed authorizing the organization to
outsource the data as per the Privacy and Security Practice Statement,
a copy of which must be made appropriately available to every client.
Every version of the statement from the date of inception of the Policy
shall be archived and the client is notified of any changes subsequent
to the date of consent with an option made available to the client to
refuse the changes. |
A letter of consent to be obtained from every client
whose information is processed authorizing the organization to
outsource the data as per the Privacy and Security Practice Statement,
a copy of which must be made appropriately available to every client.
Every version of the statement from the date of inception of the Policy
shall be archived and the client is notified of any changes subsequent
to the date of consent with an option made available to the client to
refuse the changes. |
A letter of consent to be obtained from every client
whose information is processed authorizing the organization to
outsource the data as per the Privacy and Security Practice Statement,
a copy of which must be made appropriately available to every client.
Every version of the statement from the date of inception of the Policy
shall be archived and the client is notified of any changes subsequent
to the date of consent with an option made available to the client to
refuse the changes. |
LIPS 2 |
Employee Awareness |
Every Employee of the Organization shall be made aware
of the information privacy and security policy of the organization as
contained in the Privacy and Security Policy Statement (PSPS) and other
initiatives undertaken by the Organization towards its implementation.
The employees shall also be adequately trained in the use of any
software or hardware devices used for the implementation of the policy.
Every employee shall undertake a “Test of Awareness” at least once each
year and the performance documented in the employee service records. |
Every Employee of the Organization shall be made aware
of the information privacy and security policy of the organization as
contained in the Privacy and Security Policy Statement (PSPS) and other
initiatives undertaken by the Organization towards its implementation.
The employees shall also be adequately trained in the use of any
software or hardware devices used for the implementation of the policy.
Every employee shall undertake a “Test of Awareness” at least once each
year and the performance documented in the employee service records. |
Every Employee of the Organization shall be made aware
of the information privacy and security policy of the organization as
contained in the Privacy and Security Policy Statement (PSPS) and other
initiatives undertaken by the Organization towards its implementation.
The employees shall also be adequately trained in the use of any
software or hardware devices used for the implementation of the policy.
Every employee shall undertake a “Test of Awareness” at least once each
year and the performance documented in the employee service records. |
LIPS 3 |
Employee Declaration |
Every Employee shall sign a declaration of Ethics in
duplicate agreeing to abide by the requirements as required under the
PSPS a copy of which is kept along with the service records of the
employee. One copy is returned to the employee. |
Every Employee shall sign a declaration of Ethics in
duplicate agreeing to abide by the requirements as required under the
PSPS a copy of which is kept along with the service records of the
employee. One copy is returned to the employee. |
Every Employee shall sign a declaration of Ethics in
duplicate agreeing to abide by the requirements as required under the
PSPS a copy of which is kept along with the service records of the
employee. One copy is returned to the employee. |
LIPS 4 |
Assigned Responsibility |
The responsibility for Privacy and Information security
compliance shall be allocated to an official who shall provide
periodical compliance reports and certificates to the management every
month. The official may be holding any other responsibility
additionally |
The responsibility for Privacy and Information security
compliance shall be allocated to an official who shall provide
periodical compliance reports and certificates to the management every
month. The official may be holding any other responsibility
additionally |
The responsibility for Privacy and Information security
compliance shall be allocated to an official who shall provide
periodical compliance reports and certificates to the management every
month. The official may be holding any other responsibility
additionally |
LIPS 5 |
Employee Background Check |
Every employee’s background is verified with reference
to the documentary evidences submitted during the time of his
employment in the application.
|
Every employee’s background is verified with reference
to the documentary evidences submitted during the time of his
employment and with reference to the “Referees” indicated in the
application with written with reference to the “Referees” indicated
acknowledgements duly verified for correctness.
|
Every employee’s background is verified with reference
to the documentary evidences submitted during the time of his
employment and with reference to the “Referees” indicated in the
application with written acknowledgements duly verified and supported
by independent agency. The H R manager shall provide a declaration to
the management that the background verification has been completed as
required |
LIPS 6 |
Information Classification |
Information handled by the organization shall be
classified appropriately on the basis of its sensitivity. The
classification tag shall enable assignment of designated employee force
for access on a need to know basis and management of access privileges |
Information handled by the organization shall be
classified appropriately on the basis of its sensitivity. The
classification tag shall enable assignment of designated employee force
for access on a need to know basis and management of access privileges |
Information handled by the organization shall be
classified appropriately on the basis of its sensitivity. The
classification tag shall enable assignment of designated employee force
for access on a need to know basis and management of access privileges |
LIPS 7 |
Employee Cyber Usage Policy |
The employees will be bound by an ethical declaration
and subject to a self impose discipline as defined in the security
policy documents. |
The employees will be bound by an ethical declaration
and subject to a self impose discipline as defined in the security
policy documents. Additionally, the employee activities on the Internet
would be fully monitored and logs archived for both real time and post
event audit. Any violations will be suitably recorded and sanctions
invoked.
|
: The employees will be bound by an ethical declaration
and subject to a self impose discipline as defined in the security
policy documents. Additionally, the employees will be allowed to use
Internet only to the extent of pre-defined business purpose and a
suitable firewall controlling access will be used. The activities will
be fully monitored and logs archived for both real time and post event
audit. Any violations will be suitably recorded and sanctions invoked. |
LIPS 8 |
Media Usage Policy |
The employees will be bound by an ethical declaration
and subject to a self impose discipline as defined in the security
policy documents |
The employees will be bound by an ethical declaration
and subject to a self impose discipline as defined in the security
policy documents. Additionally, restrictions would be imposed on the
use of external media and laptops to reasonably prevent unauthorized
copying of data. |
The employees will be bound by an ethical declaration
and subject to a self impose discipline as defined in the security
policy documents. Additionally, employees will have access to data only
through a remote access environment from thin clients and no data would
be permanently storable in the local machines except under specific
authorizations and in a secure manner |
LIPS 9 |
Sanction Policy |
Appropriate sanctions will be imposed for violations of
any of the security policies with the sanctions being commensurate with
the nature of violations. |
Appropriate sanctions will be imposed for violations of
any of the security policies with the sanctions being commensurate with
the nature of violations.
Additionally, suitable clauses would be introduced in
the employee contracts and NDAs to be signed by the employees. |
Appropriate sanctions will be imposed for violations of
any of the security policies with the sanctions being commensurate with
the nature of violations.
Additionally, suitable clauses would be introduced in
the employee contracts and NDAs to be signed by the employees and such
NDAs are obtained both at the time of employment and at the time each
major assignment is handled. |
LIPS 10 |
Privacy
and Security Practice Statement |
Organization will develop a detailed Privacy and
Security Policy Statement which would be approved by the Board and
signed by the CEO and CTO. The statement would be adequately
communicated to all the employees as well as the clients and business
associates of the organization. A copy should be made available through
the website of the Company. The organization may develop different
versions of the statement for the public and internal use as the
management may find it necessary. |
Organization will develop a detailed Privacy and
Security Policy Statement which would be approved by the Board and
signed by the CEO and CTO. The statement would be adequately
communicated to all the employees as well as the clients and business
associates of the organization. A copy should be made available through
the website of the Company. The organization may develop different
versions of the statement for the public and internal use as the
management may find it necessary. |
Organization will develop a detailed Privacy and
Security Policy Statement which would be approved by the Board and
signed by the CEO and CTO. The statement would be adequately
communicated to all the employees as well as the clients and business
associates of the organization. A copy should be made available through
the website of the Company. The organization may develop different
versions of the statement for the public and internal use as the
management may find it necessary. |
LIPS 11 |
Physical Security |
Organization shall have appropriate policies and
procedures to ensure that only authorized persons will have access to
the working area containing IT assets including the Wireless
perimeters. An appropriate documentation would be maintained for guest
access provided.
|
Organization shall have appropriate policies and
procedures to ensure that only authorized persons will have access to
the working area containing IT assets including the Wireless
perimeters. An appropriate documentation shall be maintained for guest
access provided. The access points shall be monitored by appropriate
electronic access monitoring devices.
|
Organization shall have appropriate policies and
procedures to ensure that only authorized persons will have access to
the working area containing IT assets including the Wireless
perimeters. An appropriate documentation shall be maintained for guest
access provided. The access points shall be monitored by appropriate
electronic access monitoring devices. The entry and exit of authorized
persons to the work area would be linked to the attendance and any
anomalies recorded as a security breach incident. |
LIPS 12 |
Logical Access Security |
Policies and Procedures shall be implemented for
ensuring that access to any IT device is made available only with
appropriate access authentication such as Passwords. Appropriate
measures shall be initiated for ensuring that a strong password policy
is maintained across the organization. |
Policies and Procedures shall be implemented for
ensuring that access to any IT device is made available only with
appropriate two factor access authentication such as Passwords along
with any other factor such as biometric or an external token.
Appropriate measures shall be initiated for ensuring that the policy is
complied with across the organization. |
Policies and Procedures shall be implemented for
ensuring that access to any IT device is made available only with
secured digital signatures which include hashing, asymmetric encryption
and use of a cryptographic token. Appropriate measures shall be
initiated for ensuring that the policy is complied with across the
organization. |
LIPS 13 |
Information Storage Security |
Policies and Procedures shall be appointed to ensure
that information under storage is accessible only by authorized persons
on a “Need to Know” basis.
|
Policies and Procedures shall be appointed to ensure
that information under storage is kept in encrypted form and accessible
only by authorized persons on a “Need to Know” basis.
|
Policies and Procedures shall be appointed to ensure
that information under storage is kept in encrypted form and accessible
only by authorized persons on a “Need to Know” basis. Access shall be
backed up by data integrity control, audit trail monitoring and
archival. |
LIPS 14 |
Information Transmission Security |
Transmission of Information into and out of the systems
would be monitored by a suitable Firewall and appropriate polices and
procedures shall be implemented to ensure that viruses and other
malicious codes are filtered effectively. |
Transmission of Information into and out of the systems
would be monitored by a suitable Firewall and appropriate polices and
procedures shall be implemented to ensure that viruses and other
malicious codes are filtered effectively. Appropriate audit trail would
be maintained and archived to ensure future reference if required. All
confidential mails shall be appropriately encrypted.
|
Transmission of Information into and out of the systems
would be monitored by a suitable Firewall and appropriate polices and
procedures shall be implemented to ensure that viruses and other
malicious codes are filtered effectively. Appropriate audit trail would
be maintained and archived to ensure future reference if required. All
confidential mails shall be appropriately encrypted. All outward mails
likely to cause any liability to the organization shall be digitally
signed by the sender. |
LIPS 15 |
Hardware/Software Policy |
Policies and Procedures shall be put in place to ensure
that any hardware or software or hardware used by the organization is
certified by the supplier to be free from known security
vulnerabilities. |
Policies and procedures shall be put in place to ensure
that Hardware and Software used by an organization shall be tested by a
third party security auditor and certified to be free of known security
vulnerabilities. |
Policies and Procedures shall be put in place to ensure
that Hardware and Software used by the organization is backed by a
source code audit certificate from a third party. |
LIPS 16 |
Web Presence Policy |
Policies and Procedures shall be put in place to ensure
that the domain name, hosting facilities and content used by the
organization is adequately protected against malicious attacks,
unauthorized alteration and IPR infringement. Suitable Privacy Policy
and Disclosure Documents indicating the identity of the owner of the
web content shall be provided on the website of the organization.
|
Policies and Procedures shall be put in place to ensure
that the domain name, hosting facilities and content used by the
organization is adequately protected against malicious attacks,
unauthorized alteration and IPR infringement. Suitable Privacy Policy
and Disclosure Documents indicating the identity of the owner of the
web content shall be provided on the website of the organization. The
web content is monitored by the organization at periodical intervals
and self certified for data integrity. |
: Policies and Procedures shall be put in place to
ensure that the domain name, hosting facilities and content used by the
organization is adequately protected against malicious attacks,
unauthorized alteration and IPR infringement. Suitable Privacy Policy
and Disclosure Documents indicating the identity of the owner of the
web content shall be provided on the website of the organization. The
web content is monitored by a security monitoring agency at periodical
intervals and certified for data integrity. |
LIPS 17 |
Grievance Redressal Policy |
The organization shall designate an official as
“Security Grievance Resolution Officer” (SGRO) to be the single point
contact person accountable for handling all disputes related to the
information security and contact details of such a person including
e-mail and physical address is provided on the website.
|
The organization shall designate an official as “Security
Grievance Resolution Officer” (SGRO) to be the single point contact
person accountable for handling all disputes related to information
security, and the contact details of such a person, including e-mail
and physical address, shall be provided on the website. The
organization shall also designate an external person of repute as an
“Ombudsman” to resolve the disputes which cannot be resolved by the
SGRO. |
The organization shall designate an official as “Security
Grievance Resolution Officer” (SGRO) to be the single point contact
person accountable for handling all disputes related to information
security, and the contact details of such a person, including e-mail
and physical address, shall be provided on the website. The
organization shall also designate an external person of repute as an
“Ombudsman” to resolve the disputes which cannot be resolved by the
SGRO. The organization shall also set in place an arbitration
mechanism to handle disputes which are not resolved by the Ombudsman. |
LIPS 18 |
BA Agreement Policy |
Policies and Procedures shall be put in place to ensure
that the Information security responsibilities of an organization shall
also be followed by any external agency which is provided access to the
protected information by a suitable contractual arrangement with
appropriate indemnity provisions. |
Policies and Procedures shall be put in place to ensure
that the Information security responsibilities of an organization shall
also be followed by any external agency which is provided access to the
protected information by a suitable contractual arrangement with
appropriate indemnity provisions. |
Policies and Procedures shall be put in place to ensure
that the Information security responsibilities of an organization shall
also be followed by any external agency which is provided access to the
protected information by a suitable contractual arrangement with
appropriate indemnity provisions. |
LIPS 19 |
DLP-OLR Policy |
Policies and Procedures shall be put in place by the
Organization to maintain an incident monitoring system and an
appropriate Disaster Recovery and Business Continuity Plan to meet any
contingencies arising out of security breach incidents. |
Policies and Procedures shall be put in place by the
Organization to maintain an incident monitoring system and an
appropriate Disaster Recovery and Business Continuity Plan to meet any
contingencies arising out of security breach incidents. Appropriate
evidence archival systems shall be maintained to ensure capability for
“Defensive Legal Protection” against any liability claims that may
arise on the organization. |
Policies and Procedures shall be put in place by the
Organization to maintain an incident monitoring system and an
appropriate Disaster Recovery and Business Continuity Plan to meet any
contingencies arising out of security breach incidents. Appropriate
evidence archival systems shall be maintained to ensure capability for
“Defensive Legal Protection” against any liability claims that may
arise on the organization by virtue of any security breach, and also to
empower the organization to launch “Offensive Legal Remedy”
procedures. |
LIPS 20 |
Policy Documentation |
The organization shall retain all Policy documents
related to information security for a period of a minimum of 5 years
either in print or electronic form. |
The organization shall retain all Policy and other
compliance documents related to compliance of information security for
a period of a minimum of 5 years either in print or electronic form. |
The organization shall retain all Policy and other
compliance documents related to compliance of information security for
a period of a minimum of 5 years, both in print and electronic form. |
LIPS 21 |
Management Certificate/Audit Policy |
The operational management shall submit a certificate of
compliance of information security to the Board of Directors once a
year, recording therein the observed shortcomings and how they are
proposed to be remedied, with appropriate implementation schedules. |
The Board of Directors shall incorporate a certificate
of compliance of information security in the annual report to the
shareholders of the Company, recording therein the observed shortcomings
and how they are proposed to be remedied, with appropriate
implementation schedules. |
The Board of Directors shall incorporate a certificate
of compliance of information security in the annual report to the
shareholders of the Company, recording therein the shortcomings observed
by an external auditor, the management’s perceptions and how the
management proposes to meet the audit suggestions. |
Naavi
March 21, 2009