ITA 2008 mandates that body corporates handling sensitive personal data follow "Reasonable Security Practices" (RSP) under Section 43A, failing which they are liable to pay compensation to any person who suffers a loss. Similarly, under Section 79, "Intermediaries" are required to exercise "Due Diligence". Though "Due Diligence" cannot be prescribed in advance and has to be decided case by case, where a standard security practice exists it can serve as a starting point for benchmarking what due diligence requires. ITA 2008 is additionally expected to prescribe certain data retention norms under Section 67C, which should be considered part of the "Reasonable Security Practices".

The requirements of all three aspects above can be met by adopting a security framework on the lines given hereunder. This security framework, referred to as the Indian Information Security Framework (IISF-309), is built on the following principles.
a) The framework is flexible enough for users in different segments and of different operational sizes to adopt practices that are appropriate and affordable. It does not mandate any specific security standard such as ISO 27001 or any other.
b) It incorporates the best practices in current usage but makes fine changes as required by ITA 2008.
c) It gives value to "Disclosure" and "Accountability". Accordingly, it recommends that the organization publish a security policy and designate a "Compliance Officer".
d) It rests on a "Client Consent", which makes the framework contractually binding on the party who might later claim to be a victim, and hence meets the first of the three criteria suggested by Section 43A in Explanation (ii), quoted below.
(ii) "reasonable security practices and procedures" means security practices and procedures designed to protect such information from unauthorised access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties or as may be specified in any law for the time being in force and in the absence of such agreement or any law, such reasonable security practices and procedures, as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.
IISF-309 follows the same 21-point specification used by LIPS-1008. Since LIPS-1008 was developed for Legal Process Outsourcing firms, it naturally addresses the needs of other data processing agencies as well.

It is, however, possible to define different specifications for different segments, such as "Banking", "Share Broking", "Call Centers", "KPOs", Matrimonial/Job websites, e-commerce websites, etc. Even within a segment, different levels may be defined depending on the size of the organization. As new security threats and remedies become relevant, additional levels can be defined that harden the security further.

Ujvala Consultants Pvt Ltd offers to conduct CyLawCom audits based on the following standard and to provide Certification of compliance. Ujvala would also invite other auditors to adopt the standard and obtain Co-Certification with Ujvala.
Each specification below is numbered IISF 1 to IISF 21, followed by its description and the requirements at Level 1, Level 2 and Level 3. Where a higher level reads "Same as Level 1", the requirement does not change with level; otherwise each level adds to the requirements of the levels below it.
IISF 1: Client Consent
Level 1: A letter of consent shall be obtained (in a form acceptable under ITA 2008), on behalf of every data subject, from the data vendor outsourcing the data, as per the Privacy and Security Practice Statement, a copy of which must be made appropriately available on the website. Every version of the statement from the date of inception of the policy shall be archived, and the vendor shall be notified of any changes made subsequent to the date of consent, with an option to refuse the changes.
Level 2: Same as Level 1.
Level 3: Same as Level 1.

IISF 2: Employee Awareness
Level 1: Every employee of the organization shall be made aware of the information privacy and security policy of the organization as contained in the Privacy and Security Policy Statement (PSPS) and of other initiatives undertaken by the organization towards its implementation. The employees shall also be adequately trained in the use of any software or hardware devices used for the implementation of the policy. Every employee shall undertake a "Test of Awareness" at least once each year, with the performance documented in the employee's service records.
Level 2: Same as Level 1.
Level 3: Same as Level 1.

IISF 3: Employee Declaration
Level 1: Every employee shall sign, in duplicate, a declaration of ethics agreeing to abide by the requirements of the PSPS. One copy is kept along with the service records of the employee and the other is returned to the employee.
Level 2: Same as Level 1.
Level 3: Same as Level 1.

IISF 4: Assigned Responsibility
Level 1: Responsibility for privacy and information security compliance shall be allocated to an official who shall provide monthly compliance reports and certificates to the management. The official may additionally hold any other responsibility.
Level 2: Same as Level 1.
Level 3: Same as Level 1.
IISF 5: Employee Background Check
Level 1: Every employee's background is verified against the documentary evidence submitted with the application at the time of employment.
Level 2: In addition to the Level 1 requirements, the background is verified with reference to the "Referees" named in the application, with written acknowledgements from the referees duly verified for correctness.
Level 3: In addition to the Level 1 and Level 2 requirements, the HR manager shall provide a declaration to the management that the background verification has been completed as required.

IISF 6: Information Classification
Level 1: Information handled by the organization shall be classified appropriately on the basis of its sensitivity. The classification tag shall enable assignment of designated employees for access on a need-to-know basis and management of access privileges.
Level 2: Same as Level 1.
Level 3: Same as Level 1.

IISF 7: Employee Cyber Usage Policy
Level 1: The employees will be bound by an ethical declaration and subject to a self-imposed discipline as defined in the security policy documents.
Level 2: In addition to the Level 1 requirements, employee activities on the Internet would be fully monitored and the logs archived for both real-time and post-event audit. Any violations will be suitably recorded and sanctions invoked.
Level 3: In addition to the Level 1 and Level 2 requirements, employees will be allowed to use the Internet only to the extent of a pre-defined business purpose, and a suitable firewall controlling access will be used.
IISF 8: Media Usage Policy
Level 1: The employees will be bound by an ethical declaration and subject to a self-imposed discipline as defined in the security policy documents.
Level 2: In addition to the Level 1 requirements, restrictions would be imposed on the use of external media and laptops to reasonably prevent unauthorized copying of data.
Level 3: In addition to the Level 1 and Level 2 requirements, employees will have access to data only through a remote access environment from thin clients, and no data would be permanently storable on the local machines except under specific authorization and in a secure manner.

IISF 9: Sanction Policy
Level 1: Appropriate sanctions will be imposed for violations of any of the security policies, the sanctions being commensurate with the nature of the violation.
Level 2: In addition to the Level 1 requirements, suitable clauses would be introduced in the employee contracts and in the NDAs to be signed by the employees.
Level 3: In addition to the Level 1 and Level 2 requirements, NDAs are obtained both at the time of employment and at the time each major assignment is handled.

IISF 10: Privacy and Security Practice Statement
Level 1: The organization will develop a detailed Privacy and Security Policy Statement (the PSPS), which would be approved by the Board and signed by the CEO and CTO. The statement would be adequately communicated to all the employees as well as to the clients and business associates of the organization. A copy should be made available through the website of the company. The organization may develop different versions of the statement for public and internal use as the management finds necessary.
Level 2: Same as Level 1.
Level 3: Same as Level 1.
IISF 11: Physical Security
Level 1: The organization shall have appropriate policies and procedures to ensure that only authorized persons have access to the working area containing IT assets, including the wireless perimeter. Appropriate documentation would be maintained for any guest access provided.
Level 2: In addition to the Level 1 requirements, the access points shall be monitored by appropriate electronic access monitoring devices.
Level 3: In addition to the Level 1 and Level 2 requirements, the entry and exit of authorized persons to the work area would be linked to attendance records, and any anomalies recorded as a security breach incident.

IISF 12: Logical Access Security
Level 1: Policies and procedures shall be implemented to ensure that access to any IT device is made available only with appropriate access authentication, such as passwords. Appropriate measures shall be initiated to ensure that a strong password policy is maintained across the organization.
Level 2: Same as Level 1.
Level 3: Same as Level 1.

IISF 13: Information Storage Security
Level 1: Policies and procedures shall be adopted to ensure that information under storage is accessible only by authorized persons on a "need-to-know" basis.
Level 2: In addition to the Level 1 requirements, information under storage is kept in encrypted form.
Level 3: In addition to the Level 1 and Level 2 requirements, access shall be backed by data integrity controls, audit trail monitoring and archival.

IISF 14: Information Transmission Security
Level 1: Transmission of information into and out of the systems would be monitored by a suitable firewall, and appropriate policies and procedures shall be implemented to ensure that viruses and other malicious code are filtered effectively.
Level 2: In addition to the Level 1 requirements, an appropriate audit trail would be maintained and archived for future reference if required. All confidential mails shall be appropriately encrypted.
Level 3: In addition to the Level 1 and Level 2 requirements, all outward mails likely to cause any liability to the organization shall be digitally signed by the sender.
IISF 15: Hardware/Software Policy
Level 1: Policies and procedures shall be put in place to ensure that any hardware or software used by the organization is certified by the supplier to be free from known security vulnerabilities.
Level 2: In addition to the Level 1 requirements, policies and procedures shall be put in place to ensure that hardware and software used by the organization are tested by a third-party security auditor and certified to be free of known security vulnerabilities.
Level 3: In addition to the Level 1 and Level 2 requirements, policies and procedures shall be put in place to ensure that hardware and software used by the organization are backed by a source code audit certificate from a third party.

IISF 16: Web Presence Policy
Level 1: Policies and procedures shall be put in place to ensure that the domain name, hosting facilities and content used by the organization are adequately protected against malicious attacks, unauthorized alteration and IPR infringement. A suitable privacy policy and disclosure documents indicating the identity of the owner of the web content shall be provided on the website of the organization.
Level 2: In addition to the Level 1 requirements, the web content is monitored by the organization at periodic intervals and self-certified for data integrity.
Level 3: Same as Level 2.

IISF 17: Grievance Redressal Policy
Level 1: The organization shall designate an official as "Security Grievance Resolution Officer" (SGRO) to be the single point of contact accountable for handling all disputes related to information security, and the contact details of this person, including e-mail and physical address, shall be provided on the website.
Level 2: In addition to the Level 1 requirements, the organization shall also designate an external person of repute as an "Ombudsman" to resolve disputes which cannot be resolved by the SGRO.
Level 3: In addition to the Level 1 and Level 2 requirements, the organization shall also set in place an arbitration mechanism to handle disputes which are not resolved by the Ombudsman.
IISF 18: BA Agreement Policy
Level 1: Policies and procedures shall be put in place to ensure that the information security responsibilities of the organization are also followed by any external agency (business associate) which is given access to the protected information, through a suitable contractual arrangement with appropriate indemnity provisions.
Level 2: Same as Level 1.
Level 3: Same as Level 1.

IISF 19: DLP-OLR (Defensive Legal Protection / Offensive Legal Remedy) Policy
Level 1: Policies and procedures shall be put in place by the organization to maintain an incident monitoring system and an appropriate Disaster Recovery and Business Continuity Plan to meet any contingencies arising out of security breach incidents.
Level 2: In addition to the Level 1 requirements, appropriate evidence archival systems shall be maintained to ensure the capability for "Defensive Legal Protection" against any liability claims that may arise against the organization.
Level 3: In addition to the Level 1 and Level 2 requirements, appropriate evidence archival systems shall be maintained to empower the organization to launch "Offensive Legal Remedy" procedures.

IISF 20: Policy Documentation
Level 1: The organization shall retain all policy documents related to information security for a minimum period of 3 years, either in print or in electronic form. Data which forms part of a security breach incident is kept indefinitely.
Level 2: Same as Level 1.
Level 3: Same as Level 1.

IISF 21: Management Certificate/Audit Policy
Level 1: The operational management shall submit a certificate of compliance of information security to the Board of Directors once a year, recording therein the observed shortcomings and how they are proposed to be remedied, with appropriate implementation schedules.
Level 2: In addition to the Level 1 requirements, the Board of Directors shall incorporate a certificate of compliance of information security in the annual report to the shareholders of the company, recording therein the observed shortcomings and how they are proposed to be remedied, with appropriate implementation schedules.
Level 3: In addition to the Level 1 and Level 2 requirements, the Board of Directors shall incorporate in the annual report to the shareholders of the company a certificate of compliance of information security recording therein the shortcomings observed by an external auditor, the management's perceptions, and how the management proposes to meet the audit suggestions.