Reasonable Security Practices under Information Technology (Amendment) Act, 2008

December 12, 2011, by

Organizations are required to take “reasonable security practices and procedures” to protect the personal data or information of their customers. With its recent clarification, the ICT Ministry has also settled the confusion that existed regarding the application of the Rules.

This post, in FAQ format, is an effort to throw light on the expression “reasonable security practices and procedures” referred to in the Information Technology (Amendment) Act 2008 and the Rules thereto.

1.    What is meant by ‘reasonable security practice and procedures’?

Rule 8 (1) provides the definition for reasonable security practices and procedures. It states as follows:

“A body corporate or a person on its behalf shall be considered to have complied with reasonable security practices and procedures, if they have implemented such security practices and standards and have a comprehensive documented information security programme and information security policies that contain managerial, technical, operational and physical security control measures that are commensurate with the information assets being protected with the nature of business.”

2.    What are the major standards and frameworks on information security?

There are many standards, frameworks and guidelines on information security. While some standards are very exhaustive, others are domain specific or targeted towards a particular industry sector. Organisations can choose from a wide variety of such standards, frameworks and guidelines. A compilation of the major standards and frameworks can be found here.

3.    What is ISO and does India have a stake in it?
The International Organization for Standardization (ISO) is the world’s largest developer and publisher of international standards. It is a network of the national standards institutes of 162 countries, one member per country, with a Central Secretariat in Geneva, Switzerland, that coordinates the system. India is a member of ISO and is represented by the Bureau of Indian Standards (BIS).

4.    What is ISO 27001 standard?
ISO 27001 is the widely recognized international standard for information security. This information security standard is not new to the country. According to the International Register of ISMS Accredited Certificates, India has the 2nd highest number of ISO 27001 certified organisations. The best known Information Security Management System (ISMS) is provided in this standard. It has a total of 133 controls spread across 11 domains.



5.    Why is ISO 27001 given preference over other standards?
ISO 27001 is preferred due to the following reasons:

1.    Certifiable: It is a certifiable standard. Organisations can market their certification to earn new customers. The certification indicates that an accredited, independent third-party auditor has assessed the processes and controls of the organization and confirms that they are operating in alignment with the comprehensive ISO 27001 certification standard.

2.    Exhaustive: The 11 domains with 133 controls are exhaustive enough to address the major risks to any organisation.

3.    Flexibility: The standard gives management a lot of flexibility in selecting and implementing the controls in the standard. There is no stringent way prescribed for implementing the controls. ISO 27002 provides guidance on implementing the controls of ISO 27001.

4.    Broad Applicability: It is a general standard that can be applied to any sector, while other standards have a specific target audience or purpose, e.g.:
BS 25999 - Standard for Business Continuity and Disaster Management
ISO 20000 - ISO standard for IT service management
PCI DSS - Information security standard for organizations that handle cardholder information

6.    Has India mandated ISO 27001 as the default security standard for the country?
Rule 8 (2) of the notification says:
“The international Standard IS/ISO/IEC 27001 on "Information Technology – Security Techniques – Information Security Management System – Requirements" is one such standard referred to in sub-rule (1).”

This means that organizations can choose and adopt standards and best practices other than ISO 27001.

However, Rule 8 (3) says that organizations using other standards “shall get its codes of best practices duly approved and notified by the Central Government for effective implementation.” The rules do not specify the authorities to be approached or the procedure to be followed in such cases. This ambiguity, along with the legal hassles and inordinate delay that can result, is why organizations are favouring the ISO 27001 standard.
The Reserve Bank of India (RBI) too has given organizations the freedom to select their own security standards/frameworks while implementing Information Security Management Systems (ISMS).  

In January 2011, RBI released the ‘Working Group report on information security, electronic banking, technology risk management, and cyber frauds’. Information security is addressed in chapter 2 of the report. The chapter also refers to other frameworks such as COBIT and ITIL, and states that “Banks may also additionally consider other reputed security frameworks and standards from well-known institutions like ISACA, DSCI, IDRBT etc.”

However, a strong emphasis is laid on implementing “ISO 27001 based Information Security Management System (ISMS) Best Practices for critical functions/processes”. Thus ISO 27001 has gradually gained acceptance as the de facto information security standard for the country.

A similar position exists in Japan, where ISO 27001 has tacitly become the National Information Security Standard.

Due to this, Japan today has the highest number of ISO 27001 certified organisations.

7.    By implementing ISO 27001 are we 100 % secure?
Organisations cannot claim to be 100% secure by implementing ISO 27001. No standard or framework can guarantee 100% security. Security is not about compliance with a particular standard or framework. A good post on the topic can be found here.

8.    By implementing ISO 27001 can the organisations free themselves from the legal liabilities?

Compliance with ISO 27001 by itself will not absolve the organization from liabilities.
Rule 8 (1) states that:
“In the event of an information security breach, the body corporate or a person on its behalf shall be required to demonstrate, as and when called upon to do so by the agency mandated under the law, that they have implemented security control measures as per their documented information security programme and information security policies.”

Therefore, organisations will have to prove that they have carried out their due diligence activities.

For example, under Rule 8 (4) of the notification:
The audit of reasonable security practices and procedures is to be carried out by an auditor at least once a year or as and when the body corporate or a person on its behalf undertakes significant upgradation of its process and computer resource.

9.    What is the liability that can arise for being negligent in implementing and maintaining reasonable security practice and procedures?

Section 43A of the Information Technology Act, 2008 speaks about the compensation to be paid for being negligent in implementing and maintaining reasonable information security practices and procedures. The section provides for damages to be paid by way of compensation to the person so affected.

It is important to note that there is no upper limit specified for the compensation that can be claimed by the affected party in such circumstances. Compensation claims up to Rs 5 crore are now handled by Adjudicating Officers, while claims above Rs 5 crore are handled by the relevant courts.

10.    Does India have its own Standard/framework?

India is keen on having a stringent framework for information security. However, a one-size-fits-all approach cannot be taken. The country needs a framework which is flexible enough to meet the requirements of different sectors of the economy.

The Data Security Council of India has released a framework for data security and privacy. These frameworks are currently under pilot implementation in some organizations in the country. It is hoped DSCI will release detailed toolkits for its implementation.

The Reserve Bank of India (RBI) has also released several guidelines relating to security in banks. Some of these guidelines can be applied to other sectors as well. The Working Group report on information security, electronic banking, technology risk management, and cyber frauds and the checklist to facilitate conduct of computer audit are the major ones among them.

S. Jacob is a lawyer and a cyber security enthusiast. He deals with technology laws focusing on cyber/information security regulations. He has experience advising clients on IT Governance, Risk Management, Security and Privacy Compliance. He also possesses a host of information security certifications. He blogs at