Inside
PUBLIC ADVOCACY
OUTREACH PROGRAMS
THOUGHT LEADERSHIP
CAPACITY BUILDING
NEW INITIATIVES
DSCI Corporate Membership is open. Visit: http://www.dsci.in/taxonomypage/105
Designed by Swati Communications Tel: +91-11-41659877, +91-9213132174
DSCI NEWS: QUARTERLY NEWSLETTER OF DATA SECURITY COUNCIL OF INDIA
APRIL - JUNE 2011 Vol. 2 No. 2
Facebook: http://www.facebook.com/dsci.connect
Linkedin: http://www.linkedin.com/company/data-security-council-of-india
Twitter: http://twitter.com/dsci_connect
Our Vision
Harness data protection as a lever for economic development of India through global integration of practices and standards conforming to various legal regimes.
Our Mission
To create trustworthiness of Indian companies as global sourcing service providers, and to assure clients worldwide that India is a secure destination for outsourcing where privacy and protection of customer data are enshrined in the global best practices followed by the industry.
Our Objectives
- Public Advocacy on Data Protection and Cyber Security
- Capacity Building on Security and Privacy
- Thought Leadership through Best Practices
- Independent Oversight for Assurance & Dispute resolution through ADR towards Self-Regulation
- Cyber Crime Speedier Trial through training of Law Enforcement Agencies and Judiciary
Contact Us
DATA SECURITY COUNCIL OF INDIA, Niryat Bhawan, 3rd Floor, Rao Tula Ram Marg, New Delhi – 110057, India. Phone: +91-11-26155070, Fax: +91-11-26155071. Email: [email protected], Website: www.dsci.in
Editorial Board
Rahul Jain, Senior Consultant, DSCI
Kartik Korpal, Asst. Manager – Marketing & Communications, DSCI
DATA SECURITY COUNCIL OF INDIA A Initiative
Public Advocacy
DSCI takes a proactive role for “policy enablement” that affects ICT - Strong Engagement & Enactment through the Government.
Notified Rules (Sec 43A, 79 – Intermediaries & Cybercafes), IT (Amendment) Act, 2008
DSCI, after consulting the industry, had provided comments on the draft Rules for sections 43A and 79 of the IT (Amendment) Act, 2008 and many of DSCI suggestions were incorporated in the final set of Rules.
The Rules were notified on 11th April’11 and since then, there have been a lot of concerns and issues in the interpretation of the Rules especially with respect to their applicability and impact on outsourcing, both in India and abroad. DSCI consulted the industry on the matter and consolidated industry’s concerns for getting clarification from the Government. It had several rounds of discussions with the Government on the possible interpretation and the need for issuing a guidance note for the industry. The Government has agreed to issue a clarification on the applicability of these Rules, which is expected to exclude the overseas client organizations from the purview of these Rules. The clarification is expected to be issued in coming weeks. Readers may please refer to the link below for further details:
Refer: http://articles.timesofindia.indiatimes.com/2011-06-30/india-business/29720919_1_dsci-data-security-council-kamlesh-bajaj
Public consultation - Discussion Draft Document on National Cyber Security Policy
Department of Information Technology (DIT), Ministry of Communications & IT, had prepared a draft discussion document on ‘National Cyber Security Policy’ for public consultation in order to facilitate creation of secure computing environment and enable adequate trust & confidence in electronic transactions and also to guide stakeholders’ actions for protection of cyber space.
DSCI consulted its members on the draft discussion document and submitted a final set of comments to the DIT. The role of private industry, as carrier of a majority of traffic and increasingly owning critical infrastructure, was articulated by DSCI as one of the important points in its recommendation. DSCI also advocated industry-to-industry coordination and public-private partnership in promoting cyber security in the country.
Meeting of the High Level Group on the RBI Report on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds
Dr. Kamlesh Bajaj, CEO, DSCI is a member of RBI Group on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds. In its recent meeting, the Group recommended collaborative efforts by IBA, IDRBT and DSCI for exploring detailed service provider assessment and monitoring frameworks and best practices from a banking context. The Group suggested creating customized indigenous certification courses to certify specific knowledge and skill sets in IT/information security areas. Further, the Chairman of the group suggested that given the scope and scale of the task of the Group, there is a need to look at the opportunities from strategic and operational perspectives to form a Strategic Group comprising the CEOs of IDRBT, IBA, IIBF and DSCI under the Chairmanship of the Chairman, High Power Committee.
Trans-border Data Flow: EU DPD and restricted market access to Indian IT and BPO companies
DSCI has been closely working with Department of Commerce, Government of India since October 2010. It submitted a paper on the restrictions imposed by EU on transfer of data from EU to third country, to be raised in the agenda of ongoing trade negotiations between EU and India for Free Trade Agreement. The paper highlights the following three options for enabling data transfer between EU and India:
i) IT (Amendment) Act 2008 (ITAA 2008), and Rules under it make a case for initiating a process of incorporating India in the adequacy list
ii) Establish a Safe harbor mechanism for India based on ITAA 2008 and the notified Rules under the Act
iii) Establish a Safe harbor mechanism for IT and BPO companies based on DSCI’s Self-Regulatory Organization mechanism
Further to submission of this paper, a meeting has been planned with EU technical expert team to discuss the above points with DSCI and DIT. Department of Commerce will anchor the meeting.
DSCI on international platforms
Roundtable meeting with American Chamber of Commerce to the EU
Hill & Knowlton Inc. set up a Roundtable Conference for DSCI with American Chambers of Commerce (AmCham) for working together in dealing with EU on the changes in the data protection directive. The Roundtable Conference was held in Brussels and was organized by Digital Economy Committee of Chambers, represented by Industry leaders from US companies, and US government officials. DSCI was represented by Mr. Vinayak Godse, Director-Data Protection, and he presented his views on: (i) Evolution of legal ecosystem for cyber security and policy in India (ii) Key cyber security issues (iii) Trans border data flows and security and privacy in global sourcing environment (iv) DSCI, its contribution, program and activities and (v) DSCI submission to ongoing revision to EU DPD and a need of harmonization of global privacy practices.
Meetings with EU Officials
The visit to Brussels was utilized to meet the following EU officials who are involved with the ongoing revision of EU Data Protection Directive.
1. European Data Protection Supervisor
2. Head of Unit, DG Justice C3, European Commission
Meeting with Embassy of India to Belgium, Luxembourg and the European Union
Meeting with Advisor (Information and Engineering) on proposed revision of EU DPD and review the stand of EU with respect to India from the perspective of data protection.
These meetings opened up many formal and informal channels for DSCI to engage with EU and other stakeholders in the European market to establish trustworthiness of Indian companies.
CEO and Director-Data Protection, DSCI visited United States with the following objectives.
a) Interacted with client organizations to discuss the issue of cross-border security and privacy issues, apprise them about NASSCOM and DSCI initiatives. DSCI met with the senior officials of GE Corporate, Citibank and American Express
b) Interaction with law firm specializing in Privacy Legislations - Hunton & Williams. Roundtable with Fulbright & Jaworski, which included DIT too.
c) Roundtable Conference with US India Business Council (USIBC)
d) Attend the RISE Conference on Biometrics Ethics and Privacy
e) Interaction with National Security Council (NSC), US Trade Representative (USTR), and Heritage Foundation
f) Interaction with Carnegie Mellon University on Cloud Services Measurement Initiative Consortium (CSMIC) for Service Measurement Index. DSCI is a member of the Consortium.
Outcome
The visit provided opportunities for DSCI to understand the global environment of data protection and gain recognition as a key player in data security and privacy. In particular, it helped establish the following:
i) Awareness of leading organizations such as GE, Citi and American Express about DSCI initiatives and content (DSF & DPF)
ii) Feedback on NASSCOM & DSCI initiatives
iii) The need for bringing International Association of Privacy Professionals (IAPP) certification to India
iv) Direct interaction with senior official of Office of Technology and Electronic Commerce, from Department of Commerce.
v) Roundtable with USIBC, attended by the companies like JPMorgan Chase, Wells Fargo, Oracle, Google, Facebook, etc, highlighted the concerns of US companies on the Rules notified under the IT (Amendment) Act, 2008. The members were also keen to understand the progress of privacy regulation initiative undertaken by the Government of India
vi) Exchange of ideas with Director Cyber Security, National Security Council.
vii) Discussions on DSCI Frameworks with Director - US-CERT, on the Service Measurement Index for Cloud Computing with Carnegie Mellon University
Project RISE – International Conference on Biometrics and Security
Centre for Policy on Emerging Technology, a member of RISE consortium, hosted ‘International Conference on Biometrics and Security’ in Washington DC. CEO, DSCI made a presentation on ‘Standardization of Data Protection Policies: an important agenda of globalization’, while Director, Data Protection presented on ‘Socio-economic impact of UID project in India’. This conference provided an opportunity to DSCI to interact with key industry leaders, academia and the Government officials. These include EU Data Protection Commissioner, Chief Privacy Officer of DHS, Department of Commerce, and White Office of Science and Technology.
DSCI meeting with Standing Committee 7 India Mirror Committee
A team of 16 members of Standing Committee (SC) 7 India Mirror Committee (IMC) team led by Dr. Gargi Keeni, Vice President – Quality Consulting, TCS and Co-Chair, participated in SC 7 Plenary at Paris. A Post-Plenary meeting for de-briefing and planning for the next steps / action agenda was held in Bangalore. The agenda of the meeting was to get the updates from the participants of the Paris Plenary and to discuss Indian approach and the role of NASSCOM. The objective of the post plenary meeting was as follows:
1. Share the inputs / learnings from the plenary
2. Revisit the position of India based on the above
3. Discuss what we would like to achieve by the interim in November 2011
DSCI was requested to represent India in SC 27 which is a standardization committee in Information Technology - security techniques.
NASSCOM has also taken a lead in developing a standard for ITeS/BPO sector through WG7 (Working Group). DSCI has also been asked to support this initiative specifically for the security and privacy piece.
Recommendations to World Information Technology Services Alliance Policy Action Review
CEO, DSCI is a member of the review group of World Information Technology Services Alliance. He presented his review on the section “Protecting Infrastructure and Information” of the draft paper on “World Information Technology Services Alliance’s Policy Actions to deliver the Promise of the Digital Age.”
Outreach Programs
DSCI organizes various conferences and seminars and participates in the events in India and abroad to draw focus on data security and privacy concerns and DSCI’s approach towards data protection.
2nd IBA-DSCI Banking Security Conference – Enhancing Trust in Electronic Banking
DSCI organized the 2nd IBA – DSCI Banking Security Conference focused on “Enhancing Trust in Electronic Banking”, with Indian Banks’ Association (IBA). The conference provided a platform for dialogue between the industry leaders, security managers, industry professionals, technology experts, and experts from the banking industry, to address the challenges faced by the banking industry such as cyber frauds and the converging roles of security and fraud management; privacy issues in financial transactions; security technologies in the banking industry; security in card transaction; and role of CISOs in the Banking industry.
The Conference was chaired by Shri R. Gandhi, Executive Director, Reserve Bank of India who encouraged the role of discussions and deliberations across all the stakeholders through such conferences and acknowledged IBA and DSCI’s efforts to transcend beyond technical realms, and emphasize the importance of gaining customers’ full loyalty, which lies at the core of any business success. He also highlighted the formulation of ‘Working Group on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds’ and role of DSCI as envisaged by the Working Group.
The Conference saw senior professionals from banking industry and associations in panel discussions on how security impacts the banking operations, identification of security threat vector pertaining to banking industry and the evolution of it, review of the security initiatives undertaken by the industry and evaluation of different approaches, trends and technologies that have been emerging to address the specific challenges.
3rd DSCI Best Practices Meet - Promoting Dialogue for Building an Ecosystem for Data Protection
DSCI organized its 3rd DSCI Best Practices Meet for Data Protection focused on ‘Promoting Dialogue for Building an Ecosystem for Data Protection’ in Bangalore. This year’s meet specifically focused on the regulatory environment – Rules under section 43A of the IT (Amendment) Act, 2008 and its implications on business and privacy ecosystem in India; the new landscape – the Cloud – and security and privacy as important challenges to the adoption of cloud computing; and the current trends in security practices being followed in specific disciplines like Threat & Vulnerability Management, Application Security and User Access & Privilege Management. DSCI presented its experience of taking the Security (DSF©) and Privacy Framework (DPF©) to the industry, and took a deep dive in some of the important security disciplines.
The Meet also featured the release of the study on insider threat – ‘The Threat Within’ – developed by DSCI and Pricewaterhouse Coopers (PwC). The Study is based on a survey of service provider organisations and client organisations and highlights some interesting findings, reflecting the perspectives of both the service providers and clients.
The Meet was inaugurated by Mr. Krishnakumar Natrajan, CEO & MD, Mindtree. In his inaugural address, he drew the attention to the fact that Indian IT Solutions Providers are now performing core functions for their clients and how to create an environment of data protection to make an organization more global in its approach. He said, “Through Public Advocacy, Assessments and Frameworks, India will further enhance its status as a preferred provider of IT Services.”
Mr. Manoj Chugh, President - India SAARC, EMC Corporation presented the Theme Address and traced the evolution of practices deployed for data security and privacy. He outlined the changing threat landscape, persistence of attacks and emphasized the need for aligning security practices with the business objectives and organizational strategy.
The DSCI Best Practices Meet witnessed participation of over 200 senior level professionals from services providers as well as users community from industry verticals like IT/BPO, Banking, Telecom and Government entities. The panel discussions on the topics ranging from IT (Amendment) Act, 2008, data protection challenges in cloud computing, and on various disciplines of data security and privacy focused on the ways of addressing the challenges faced by the service providers and clients. The discussions offered a 360 degree view to build an efficient ecosystem for data protection in the country.
DSCI engagements with EastWest Institute
DSCI has been actively involved with EWI in ongoing efforts on data protection and to mobilize for international actions
EastWest Institute Second Worldwide Cybersecurity Summit
CEO, DSCI was invited to the 2nd Worldwide Cybersecurity Summit of EWI in London. This year’s Summit had the following objectives:
1. To mobilize new commitments by leading businesses and governments of Cyber 40 countries to address cross-border cyber security challenges.
2. To set in place new models for private sector leadership in addressing high priority vulnerabilities and threats associated with global Internet connectivity and ICT development.
3. To make advances on the most pressing issues in global management of critical information infrastructure with collaborative international breakthroughs.
Dr. Bajaj was a panelist in the session on the Breakthrough Group as part of the London Process which reviewed the recommendations of Seven Breakthrough Groups under the theme of building trust, rules of the road in terms of policies for cyber infrastructure, and operational risk management on the availability of underground sea cables and international priority communication in times of sabotage and catastrophe.
Mr. Som Mittal, President, NASSCOM, in his address invited the audience to participate in the Cybersecurity 2012 Summit scheduled to be held in Delhi.
NASSCOM - DSCI Roundtable with EastWest Institute on Worldwide Cybersecurity
DSCI organized a Roundtable meeting with EastWest Institute on Global Cyber security scenario. The Roundtable focused on the International cooperation required to secure cyberspace and highlighted that not only governments, but public-private partnerships across nations hold the key to securing global information infrastructure.
Dr. Gulshan Rai, Director General – CERT-In, DIT, presented his views on cyber security and underlined the importance of Public Private Partnership in all areas of cyber security, including Early Watch and Warning System which CERT-In was leading in the country.
The Roundtable featured presentation on “China-US Track-II on SPAM – Fighting SPAM to build Trust” - developed in public-private partnership by Mr. Karl Frederick Rauscher, Chief Technology Officer & Distinguished Fellow, EastWest Institute. It witnessed participation of thought leaders from across the industries and helped in exploring the avenues for collaboration and joint efforts for building an environment of data protection.
International Conference on “Safeguarding the Digital Economy”
The 4th International Conference on ‘Safeguarding the Digital Economy’ featured participation from Government, Law Enforcement Agencies and industry in panel discussions. Mr. Rahul Jain, Sr. Consultant, DSCI was a part of Panel on ‘Innovation Trends in Cyber Security’ and presented his views on the subject relating to the need for innovation in cyber security and the innovative mechanisms adopted / in discussion around the world.
Thought Leadership
DSCI regularly undertakes study and surveys to develop reports on the various facets of data security and privacy in India. These reports, jointly produced by various corporate entities including major consulting firms amongst others, highlight the current state and concern of data security and privacy.
This quarter saw release of following study report:
The Threat Within – A Study on Insider Threat
DSCI, in collaboration with PwC, conducted a study to understand the challenges and risks associated with insider threats and developed a Study Report - ‘The Threat Within’. The Study Report is based on a survey of service provider and client organisations and highlights some interesting findings, reflecting the perspectives of both the service providers and clients. The Study Report was released by Mr. Krishnakumar Natrajan, CEO & MD, Mindtree in the recently concluded Best Practices Meet in Bangalore.
The survey used a three-pronged approach i.e. industry survey and inputs, analysis of the insider theft cases and secondary research to understand the security environment of the Indian IT/BPO industry from an insider threat perspective and the perceptions of the organisations.
The Report seeks to provide a better understanding of the challenges and risks associated with insider threats and an enhanced ability to manage them for both the industry service providers and organisations in the Indian IT/BPO space. The magnitude of the impact of an attack from an insider is estimated to be at least ten times more than that of the total impact that an external attacker can cause, though the likelihood of the attack from insiders may be very low as compared to external threats.
Some of the other key findings of the DSCI–PwC survey:
- Behavioural motivation to break existing norms is the primary motive leading to insider threat as per 89% of the service provider organisations while 75% of client organisations believe personal financial gain to be the prime motive at service provider organisations.
- All client organisations have mandated their service providers to conduct employee background checks; but employee verification processes are not standardised as providers are subject to client-driven data.
- All service provider organisations believe current employees are primary source of insider incidents.
- More than 50% of the service provider organisations revealed that insiders who are not working in IT department and therefore not having privileged access have carried out insider incidents at their organisations.
- All client organisations and only 33% of service provider organisations believe that lack of education and awareness is a major barrier in addressing insider threats.
- More than half of the respondents believed that social engineering and ‘someone else’s computer account’ is used by insiders to commit a breach in service provider organisations.
- 89% of service provider organisations resolved the cases of insider incidents internally, without involving a legal agency. Only 22% service providers initiated legal action against perpetrators.
- Almost 67% service provider organisations and 75% of client organisations believed that unintentional exposure of private and sensitive information is still one of the major challenges faced by both service provider and client organisations.
Refer: http://www.dsci.in/node/781
Capacity Building
DSCI has been actively involved in developing and imparting training and capacity building for various government and corporate entities.
Cyber Labs
DSCI through its Cyber Labs program trains Law Enforcement Agencies on cyber crime investigation. In this quarter, 637 officers from Police & Department of Public Prosecution were trained on “Basics of Cyber Crime Investigation” from the labs at Mumbai, Pune, Thane, Bangalore, Haryana and Chennai.
243 personnel were trained in short courses conducted at Pune Cyber Lab. In addition to these trainings, a 5 day training program was conducted at CBI, Ghaziabad for police officers.
DSCI is working closely with the Government to ensure that the NASSCOM-DSCI Cyber Labs program is taken to a higher level in the form of Cyber Crime Investigation Program (CCIP) since cyber crimes are no longer confined to cities with high concentration of IT/BPO companies. A detailed project proposal for the same was prepared by DSCI and submitted to the Ministry of Home Affairs.
New Initiatives
With a view to engage and update stakeholders in an ever changing threat landscape, DSCI has been identifying and developing new and relevant initiatives to re-enforce its drive in promoting data protection.
Vendor Interface Meet
DSCI Vendor Interface Program (VIP) is an initiative which provides an opportunity to the security product and services vendors to showcase their products and services through DSCI. DSCI revived the program by organizing a Vendor Interface Meet in New Delhi, with an objective to understand how DSCI as an industry body can support the vendor community for their growth and outreach by creating a platform where ‘users of the technology’ and ‘providers of the technology’ can interface with each other.
The Meet featured over 20 professionals from leading Security Solutions providers and IT Services companies as they engaged in discussions over DSCI’s initiatives, the effectiveness of Frameworks, the IT (Amendment) Act 2008 and how the vendor community should associate with DSCI in conceptualizing their set of offerings and how to market them. The members shared their experience as providers of solutions and suggested ways to develop effective partnerships across stakeholders through DSCI programs.