Certified Data Protection Professional Course to be accelerated

The course on Certified Data Protection Professional (CDPP), conducted through virtual classes by Naavi, was planned to run over 6 weeks with one session each on Saturdays and Sundays starting from April 4th.

In view of the lock down conditions in the country, with most professionals working from home, it has been decided to complete the course of 12 sessions over 3 weeks instead of 6 weeks, by conducting two sessions per day on Saturdays and Sundays on April 4, 5, 11, 12, 18 and 19th.

The sessions will be conducted between 11 to 12.30 AM and 3.00 to 4.30 PM on these days.

This program will be called Module-I which is about the Indian laws regarding data protection. This is the foundation module for all Data Protection Professionals. In the coming days, FDPPI will be conducting additional modules such as Module G (Global laws including GDPR), Module T (Technology for Data Protection), Module A (Data Audit) and Module B (Behavioural skills for DPOs).

FDPPI welcomes professionals interested in entering the Data Protection domain to make use of this opportunity to upgrade their skills and knowledge, and to be ready before companies start looking for professionals with the right attitude, knowledge and skills to take over the responsibility as DPOs.

Naavi


Work From Home Undertaking

In continuation of the discussions on Work From Home requirements, and in keeping with the spirit of CLCC (Cyber Law Compliance Center), we are adding a draft Employee undertaking that is recommended to be taken for Work From Home implementations.

Suggestions are welcome. FDPPI is also working on refining the undertaking as may be required.

The Undertaking suggested is as follows:

Quote

Employee Undertaking for Work From Home provided to ………. (The Company)

I, …………………………………………., working as ………………………………………….. at ……………………………………… hereby undertake as follows.

Whereas

– a pandemic situation has arisen with the outbreak of the COVID 19 virus,

– the Government of India has placed certain restrictions on the movement of people in the general interest of public safety,

– the requirement to work from home has arisen out of a public safety requirement,

– the Company has proposed that I shall be allowed to continue to work from home without physically attending the office,

– I, as an employee of the Company, am responsible for the conduct of my activities in complete support of the information security requirements that are adopted by the Company, both as part of the legal compliance requirements as well as the industry best practices,

In consideration of the Company agreeing to permit me to work from home and continuing to pay my emoluments as if I were working from the premises of the Company as I was hitherto doing,

I voluntarily agree and confirm that I am in receipt of a copy of the “Work From Home Rules 2020” (WFH rules), a copy of which is enclosed as Schedule I, and that I have understood and hereby agree to faithfully follow the instructions contained therein.

In compliance with the WFH rules, during the period this undertaking is in force, I agree that

    1. I shall perform my company work only using the designated computer systems as recommended by the Company, particulars of which are available under Schedule II,
    2. I agree to treat the designated system/s mentioned in Schedule II as belonging to the Company, whether the hardware was purchased by the Company or by myself, and they will be considered as the extended computer network of the Company,
    3. The designated systems would be used in a physical environment which would be considered as the “Extended Office Space” of the company.
    4. The Company may monitor my activities on the system as part of the information security requirements of the Company
    5. The Company may audit my physical and computer facilities as it may find it necessary.
    6. I will personally undertake the responsibilities of maintaining the physical, logical and data security measures in respect of the use of the designated systems that will be required to meet the obligations of the company to its customers and the regulatory authorities.
    7. I will personally undertake that I shall not use any unlicensed software on the device for carrying on any activities of the Company.
    8. I shall at all times be available for communication through e-mail: …….. and mobile number…………….. and authorize the company to contact me.
    9. In the event that I need any clarifications on any of the above, I shall get in touch with the designated coordinator of the Company at e-mail:………………………………….,
    10. In the event that I contravene any part of this undertaking, I shall be liable for necessary disciplinary actions as per the policy of the company.

This undertaking shall be operative immediately and until it is cancelled by the Company and acknowledged through e-mail or otherwise.

Signed by:

On:

Witness:

Enclosures:

Schedule I: Work from home procedure 2020

Schedule II: Details of designated systems for use of the employee

Unquote


Security in a Work From Home situation

The current crisis created by the Corona virus and the lock down has forced most companies to permit their IT workers to work from home. This has simultaneously created issues in meeting the security requirements related to the operations and in the policy corrections that need to be made. The two are interrelated.

Some of the large companies had already enabled BYOD on their network. Some of them might have also moved to Zero Trust Architecture linking access to device identity and user identity possibly with multi factor authentication. Such companies have allowed the registered devices (Laptops or Desktops) to be carried home so that they can log on to the corporate network as securely as they were otherwise doing except that they will be coming through a public internet access instead of an internal network.

However, there is a need to ensure that the working environment within the house is as secure as it can be as per the physical security policies that the organization is currently adopting. There is no physical guard to prevent entry of unauthorised persons into the work room, there is no guarantee that the worker has not allowed his friends to look over his shoulder at what he is doing, and there is no guarantee that his network has not been compromised in some manner.

Some of these issues have to be controlled by making the employee responsible for the physical security as if he were the guard himself. An undertaking to this effect has to be taken along with the awareness training that is required to make the individual realize that the company is today an “Aggregation of Each of its Employees”, and that each work unit represents the employee and his working computer along with its surroundings.

Every employee should be asked to take a video of the surroundings under which he works and register it with the company.

The Company may declare that the surroundings under which the person works will be the “Work place” and “Belongs to the Company”. The work space therefore becomes the extended work space of the organization and the employee continues to work within the “Premises”. The only difference is that the “Premises” has dis-integrated and moved to different locations.

In a way the “Virtualization” concept gets re-defined by virtualization of the work space surrounding the virtual data space.

If possible, the Company should incorporate this in the Work From Home (WFH) Policy.

The Company should also declare in the WFH policy that, until further notice, the employee would be the IS manager for his work environment and would be personally responsible for any data breach arising out of his negligence.

In order to enable the individual to understand his IS role, an immediate training of the broad requirements of the employee in his extended role should be provided.

If the working person and work place are secured from intrusion, then the device security can be handled through appropriate software that creates secure connectivity and also enables the centralized IS team to audit each device remotely, to ensure that the individual has not altered the configuration that has been set by the company.
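The two controls described in this post, access tied to a registered device identity plus user authentication (the Zero Trust arrangement mentioned earlier) and a remote audit that confirms the employee has not changed the company-set configuration, can be combined into one access gate. The following is an added example, not code from the original post or from any product the post refers to; the baseline keys, device ids, fingerprint attributes and settings are all constructed for illustration.

```python
"""Device posture audit feeding a zero-trust access decision (added example)."""
from __future__ import annotations

import hashlib
import hmac
import json
from dataclasses import dataclass


# Hypothetical configuration baseline the IS team sets on every designated device.
# Keys and values are constructed for this example, not taken from any real policy.
BASELINE = {
    "disk_encryption": True,
    "host_firewall": True,
    "endpoint_agent": "running",
    "auto_update": True,
    "os_build": 19041,  # treated as a minimum; every other key must match exactly
}


def device_fingerprint(hardware: dict) -> str:
    """Derive a stable identity for a device from attributes recorded at registration.

    The attributes are serialised canonically (sorted keys, no whitespace) so the
    same hardware always yields the same digest, which the central registry stores.
    """
    canonical = json.dumps(hardware, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


# Constructed registry: devices the company registered before they were taken home.
REGISTERED_DEVICES = {
    "LT-0042": device_fingerprint({"serial": "SN-EXAMPLE-1", "tpm_ek": "EK-EXAMPLE-1"}),
}


@dataclass(frozen=True)
class PostureReport:
    """What the remote agent sends back: who the device claims to be and its settings."""
    device_id: str
    fingerprint: str
    settings: dict


def audit_posture(report: PostureReport, baseline: dict = BASELINE) -> list[str]:
    """Compare reported settings with the baseline and list every deviation."""
    findings = []
    for key, expected in baseline.items():
        actual = report.settings.get(key)
        if key == "os_build":
            if actual is None or actual < expected:
                findings.append(f"{key}: expected at least {expected}, got {actual!r}")
        elif actual != expected:
            findings.append(f"{key}: expected {expected!r}, got {actual!r}")
    return findings


def access_decision(report: PostureReport, user_mfa_verified: bool,
                    registry: dict = REGISTERED_DEVICES) -> tuple[bool, list[str]]:
    """Zero-trust style gate: registered device AND user MFA AND clean posture, else deny.

    Returns (allowed, reasons); reasons is empty only when access is allowed.
    """
    reasons = []
    expected_fp = registry.get(report.device_id)
    if expected_fp is None:
        reasons.append("device not registered")
    elif not hmac.compare_digest(expected_fp, report.fingerprint):
        reasons.append("device fingerprint does not match registry")
    if not user_mfa_verified:
        reasons.append("user has not completed multi-factor authentication")
    reasons.extend(audit_posture(report))
    return (not reasons, reasons)


# Constructed sample reports.
COMPLIANT = PostureReport(
    device_id="LT-0042",
    fingerprint=REGISTERED_DEVICES["LT-0042"],
    settings={"disk_encryption": True, "host_firewall": True,
              "endpoint_agent": "running", "auto_update": True, "os_build": 19042},
)

# Same registered laptop, but the firewall was switched off and the agent stopped.
DRIFTED = PostureReport(
    device_id="LT-0042",
    fingerprint=REGISTERED_DEVICES["LT-0042"],
    settings={"disk_encryption": True, "host_firewall": False,
              "endpoint_agent": "stopped", "auto_update": True, "os_build": 19042},
)

# A personal machine that was never registered with the company.
UNKNOWN = PostureReport(device_id="HOME-PC", fingerprint="0" * 64, settings=COMPLIANT.settings)


if __name__ == "__main__":
    for name, rep, mfa in [("compliant", COMPLIANT, True), ("drifted", DRIFTED, True),
                           ("no-mfa", COMPLIANT, False), ("unknown", UNKNOWN, True)]:
        allowed, reasons = access_decision(rep, mfa)
        print(f"{name}: {'ALLOW' if allowed else 'DENY'} {reasons}")
```

The decision deliberately collects every reason for denial rather than stopping at the first, so the IS team sees the full picture of a drifted device in the audit log, and the fingerprint comparison uses a constant-time check so the registry lookup does not leak which bytes matched.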

If the devices used are enabled with audio and video capabilities, the security agent should be enabled for auditing the environment by randomly taking a snap of the employee and listening to sounds captured by the device to ensure that no third party is shoulder surfing.

Yes..this is spying on the employee… not permitted under Privacy considerations…but essential in the extraordinary circumstances in which we are now functioning.

Comments?….

Naavi


Meeting the COVID Crisis

The crisis created by the Corona virus in corporate circles has put the BCP processes in these organizations to the test, and it appears that most companies have not been able to come through with any degree of success.

So far, companies thought that BCP issues will arise only when there is a fire or flood but they were unprepared for the situation that has developed now.

Some organizations have resolved the issue by resorting to Work From Home (WFH) which is good enough for certain types of operations. But wherever there is a security concern of the WFH facility causing a compromise, the companies are stuck in their own policy constraints.

In order to meet the current situation, the policies had to be tweaked to pack the Desktops of most of the employees to be taken home so that any security which was tagged to the device identity could be used along with the operator identity.

Had the system of homomorphic encryption been tested and installed earlier, perhaps some companies could have made use of that environment so that data security could be protected when data is processed remotely. Otherwise the virtualized environments are the best approximations.

Some organizations could have hardened the security to prevent exfiltration of data which may be confidential. But as in all such cases, the possibility of shoulder surfing in the home environment always exists and hence the data security is not perfect. In such cases the distributed model of information security responsibility envisaged under the PDPSI (Personal Data Protection Standard of India) could come in handy.

While technology people may be able to find some workable solutions, what may pose hurdles in implementation could be the need for policy changes to be approved both internally and by their customers, releasing them from the indemnity obligations which are likely to be there in the contracts.

Internally there has to be a special “WFH Data Security Policy” which takes care of imposing responsibilities on the employee not only for the functional aspects of his/her work but also for the data security. A remote audit mechanism* may also have to be designed.

As regards contracts with customers, the government notifications issued for WFH may be considered as the basis on which the Force Majeure clause can be invoked. Under this provision, the contractual obligations can be modified to a reasonable extent. It may be better if a “Disaster Policy” document is drawn up as part of the “Legitimate Interest Policy” of the organization. But a notice may have to be issued to the clients to avoid complications. A notice applicable to data subjects should also be displayed on the websites so that dilution of compliance can be justified as a temporary measure.

Draft policies for some of the above purposes may be drafted by industry leaders for the benefit of all companies.

Naavi

*(One such remote audit program had been structured by the undersigned for HIPAA compliance by home based Medical transcription workers several years ago, when the Privacy and Security issues were not as grave as they are now.)


Request the Parliamentary committee on Personal Data Protection Bill to use Virtual Meetings

With the entire world being disrupted by the outbreak of COVID 19, there is a diversion of Government attention to the immediate task of fighting the menace of the Virus. Since the Virus seems to have threatened even the Parliament members, it would not be surprising if the Government takes steps to curtail the Parliament session and defer some of the activities.

It was expected that the Joint Parliamentary Committee was to hold its consultations during the next two months and prepare the bill for final passing into an Act. One can expect that this activity might be delayed unless the JPC adopts a “Virtual Meeting” mode as the entire industry is doing.

If the JPC takes this step, it would be a path breaking decision in the history of the Indian legislative system.

I would urge the JPC to take this bold step so that passing of the PDPA does not get delayed on account of the Corona Virus. The Indian Corporate world already has access to the virtual meetings and it is time for the legislature also to move in this direction.

The proceedings can be recorded and even certified under Section 65B of the Indian Evidence Act, as suggested at www.odrglobal.in, where a working model for such remote meetings has been presented.

What we need is an effective virtual conferencing platform, supported by identity verification system which can use the digital signature or e-Sign and a recording of the proceedings. The MeitY and NIC are more than capable of making such arrangements immediately.

What may be required is to include such “Virtual Meeting with identification of participants and Section 65B certified recording of the proceedings” as acceptable procedure for such meetings under the Parliamentary procedures/guidelines.

I request the Chairperson of the JPC Mrs Meenakshi Lekhi to take up the matter with the Government and the Speaker to initiate this progressive method of meeting which can come to use not only now with the Corona issue in the background but also in future for speeding up similar proceedings.

Indian law permits such meetings…What is required is for the Parliamentarians to show the will to defeat Corona with the power of the Internet…

The Chairperson of JPC could go down in history as a reformer who initiated this change in the Indian Parliamentary system… if…this becomes a reality.

…Who knows…this could be the forerunner for the Virtual parliamentary attendance in future…

Naavi

Also Read: Karnataka High Court introduces video conferencing.

Will COAI and IAMAI rise to mitigating the Covid 19 risk?

Organizations like COAI and IAMAI are associations of business organizations with the basic objective of working towards the benefit of the industry which their members represent.

In the current context, the Corona threat has quarantined the entire population at home, and the entire activity of connecting to the internet has shifted from dedicated broadband cables and satellite connections to personal WiFi connections and mobile internet service.

It is obvious that the bandwidth in this segment will choke and also create security issues.

At this time, the IAMAI and COAI have to come up with their own contribution on how to increase the bandwidth and ensure security and convenience. They should increase the usage limits and also reduce the marginal cost.

Corporates who may have surplus bandwidths should think of sharing their bandwidth with public WiFi hot spots with security of which they are familiar.

I hope these organizations try to fulfill these responsibilities.

The DOT has to ensure that this widening of the personal internet bandwidth and data packages happens immediately.

Recently, IAMAI pursued a Supreme Court case just to facilitate money laundering through Bitcoin exchanges, and COAI has raised objections to a data collection exercise that the DOT is undertaking to verify the call drop problems. Instead of wasting their energies on such anti-Government activities, these associations should focus more on the positive contribution they can make to society at this hour of crisis.

Naavi
