Information Security: Requirements For Regulatory Changes

It is today impossible for any organisation of a reasonable size to be in business and not collect and hold personally identifiable information i.e. names, addresses, account numbers – about employees, customers, business partners or patients. It is therefore becoming more and more important to acknowledge and act on the responsibility that this information comes with. Enterprises are slowly and surely awakening to this responsibility as loss of this information could lead to monetary and reputation loss.

In this article, I would like to stress on the role of government and industry regulators to bring forth a set of regulations and norms to ensure that enterprises value information that people entrust them with. The objective of these measures would be to provide assurance that:

1. Information is only revealed to those who have the right to access it i.e. Confidentiality
2. Information is consistent and no unauthorised change has occurred i.e. Integrity
3. Information is available and usable i.e. Availability &
4. Information disputes can be resolved i.e. Non-repudiation

The objective of these measures is to ensure that enterprises, specially the ones that handle personally-identifiable data, take enough steps to ensure the assurance listed above. At a higher level, they could be classified as:

1. Mandatory establishment of information security auditors as distinct from information security consulting companies: The prime minister has on various occasions said that India is a knowledge economy. If it is so, then knowledge needs to be treated like money i.e. just as financial transactions have to pass a financial auditor, information transactions should pass through information security auditors. Most companies handling confidential information today have an internal or outsourced information security team. The external information systems auditor would perform a role similar to that of a financial auditor i.e. monitor the activities and ensure compliance of the internal IS policies and team. This is a much required step to ensure separation of duties.

2. Complete auditing of confidential information: Enterprises need to deal with customer information like they deal with money i.e. it should be possible to

1. Keep a track of what was deposited by the consumer i.e. Opening an account
2. A track of what happened to the information since the deposit i.e. various transactions that have happened to the information
3. On request be able to delete personally-identifiable information, which is not required by the regulatory bodies i.e. Close the account

This end-to-end visibility of data in the cycle of creation-distribution-usage-archival-deletion is the only mechanism for enterprises to self monitor their information-handling processes.

3. Enactment of disclosure norms: Most countries in the world are still deciding on what stand to take on data breach disclosure norms. The issue can be summarised as follows:

“If confidential employee or customer data is lost by the enterprise, should it be mandated to disclose this to parties, which could possibly get affected by the loss??”

The argument on one side is of ‘No harm, no foul’, which means that as long as the data breach has no ‘damages’ attached to it, the company should not be penalised. Judgements in cases related to Wells Fargo and TJX are along these lines.

While the debate between enterprises facing data breaches and the possibly affected individuals will continue for some time, the enactment of disclosure norms would be a significant preventive measure as enterprises are bound to be additionally careful if the reputation risk is enhanced.

4. Establishment of a centralised information security ombudsman with international reach: The establishment of localised cybercrime cells ( http://www.cybercellmumbai.com/ ) has helped in providing a place to lodge a ‘First Information Report’, but there is a need to have a centralised, information security ombudsman, who can affect industry-specific norms as well as co-ordinate with international security agencies in cases involving international cybercrime.

The present norms for preventing and handling data breaches in India leave much to be desired. It is time for the government to step in and to have industries incorporate information security governance into the overall corporate governance practices.

_Gupta is director of Seclore Technology, India.
_