<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>CIO Research Center</title>
	<atom:link href="http://cioresearchcenter.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://cioresearchcenter.com</link>
	<description>Research, Analytics and Advisory Services</description>
	<lastBuildDate>Mon, 14 Nov 2011 06:35:11 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>CIO Survey on Enterprise Mobility: Survey Report</title>
		<link>http://cioresearchcenter.com/2011/11/cio-survey-on-enterprise-mobility-survey-report/</link>
		<comments>http://cioresearchcenter.com/2011/11/cio-survey-on-enterprise-mobility-survey-report/#comments</comments>
		<pubDate>Mon, 14 Nov 2011 06:35:11 +0000</pubDate>
		<dc:creator>tapangarg</dc:creator>
				<category><![CDATA[Reports]]></category>
		<category><![CDATA[CIO]]></category>
		<category><![CDATA[Enterprise Mobility]]></category>
		<category><![CDATA[Research Center]]></category>
		<category><![CDATA[Survey Report]]></category>

		<guid isPermaLink="false">http://cioresearchcenter.com/?p=646</guid>
		<description><![CDATA[Read the CIO Research Center’s survey report on Enterprise Mobility. Disclosures (as per our full disclosure policy): This research initiative is supported by RIM. Download the report by clicking here : Summary of findings An overwhelming majority (94%) of CIOs believe that enterprise mobility will be an important part of their organization’s IT strategy within the next one [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Read the CIO Research Center’s survey report on Enterprise Mobility.</strong><br />
Disclosures (as per our <a href="http://cioresearchcenter.com/2010/10/cio-research-center/">full disclosure policy</a>): This research initiative is supported by <strong>RIM</strong>.</p>
<p>Download the report by clicking here : <a class="downloadlink" href="http://cioresearchcenter.com/wordpress/wp-content/plugins/download-monitor/download.php?id=4" title=" downloaded 980 times" >CIO Survey on Enterprise Mobility (980)</a></p>
<div>
<p><strong>Summary of findings</strong></p>
<ul>
<li>An overwhelming majority (94%) of CIOs believe that enterprise mobility will be an important part of their organization’s IT strategy within the next one year.</li>
<li>Almost 70% of the respondents believe that enterprise mobility solutions play an essential role in their organization.</li>
<li>Only 1% of the CIO respondents believe that mobility solutions are not required.</li>
<li>Almost half of the respondents are either already using some solutions in this area or have deployments in progress.</li>
<li>BlackBerry Enterprise Server is currently the dominant mobility platform in use.</li>
<li>Android seems to be picking up some momentum.</li>
<li>Almost half of the respondent organizations provide only limited support for some employee-owned devices in the Bring Your Own (BYO) model.</li>
<li>Improved employee productivity is the most important driver for adoption.</li>
<li>Security and compliance is the most important adoption challenge.</li>
<li>Most organizations are already using mobility solutions around email and calendaring applications.</li>
<li>Business Intelligence (dashboard) related applications are high on the CIO wish-list for the near future.</li>
<li>The cost of the handheld devices does not feature among the most important parameters for the selection of mobility solutions.</li>
<li>Security, as well as ease of deployment and use, are the more important criteria in solution evaluation.</li>
<li>Tablets are predicted to have an important role for accessing data on the move.</li>
<li>Telecom carriers are the preferred channel through which organizations source mobility solutions.</li>
<li>CIOs prefer to utilize the services of Systems Integrators (SIs) and Value Added Resellers (VARs) for mobility application support.</li>
</ul>
</div>
]]></content:encoded>
			<wfw:commentRss>http://cioresearchcenter.com/2011/11/cio-survey-on-enterprise-mobility-survey-report/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>Read the entire third issue of the Security Practices Knowledge Circle</title>
		<link>http://cioresearchcenter.com/2011/09/read-the-entire-third-issue-of-the-security-practices-knowledge-circle/</link>
		<comments>http://cioresearchcenter.com/2011/09/read-the-entire-third-issue-of-the-security-practices-knowledge-circle/#comments</comments>
		<pubDate>Sun, 11 Sep 2011 10:43:16 +0000</pubDate>
		<dc:creator>tapangarg</dc:creator>
				<category><![CDATA[Knowledge Circles]]></category>
		<category><![CDATA[Security Practices Knowledge Circle]]></category>
		<category><![CDATA[Shobitha Hariharan]]></category>
		<category><![CDATA[TRITON]]></category>

		<guid isPermaLink="false">http://cioresearchcenter.com/?p=625</guid>
		<description><![CDATA[Hello! As always, we are back with insightful stories in the field of security. We hope you’ll be able to glean takeaways from Evalueserve’s foray into watertight security for the enterprise. Websense gives us a peek into TRITON and its unified security approach while Shobitha Hariharan elucidates regulatory security compliance. And if you’re still looking for more, do sign up for the [...]]]></description>
			<content:encoded><![CDATA[<p><a class="post_image_link" href="http://cioresearchcenter.com/2011/09/read-the-entire-third-issue-of-the-security-practices-knowledge-circle/" title="Permanent link to Read the entire third issue of the Security Practices Knowledge Circle"><img class="post_image alignnone" src="http://cioresearchcenter.com/wordpress/wp-content/uploads/2011/09/spkc3cover-e1315738245475.png" width="200" height="283" alt="Post image for Read the entire third issue of the Security Practices Knowledge Circle" /></a>
</p><p>Hello! As always, we are back with insightful stories in the field of security. We hope you’ll be able to glean takeaways from Evalueserve’s foray into watertight security for the enterprise. Websense gives us a peek into TRITON and its unified security approach, while Shobitha Hariharan elucidates regulatory security compliance. And if you’re still looking for more, do sign up for the interesting workshops offered by Websense. All in this issue!</p>
<p>We look forward to your views. Keep writing in!</p>
]]></content:encoded>
			<wfw:commentRss>http://cioresearchcenter.com/2011/09/read-the-entire-third-issue-of-the-security-practices-knowledge-circle/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Fortifying the enterprise &#8211; Sachin Jain, Evalueserve</title>
		<link>http://cioresearchcenter.com/2011/09/fortifying-the-enterprise/</link>
		<comments>http://cioresearchcenter.com/2011/09/fortifying-the-enterprise/#comments</comments>
		<pubDate>Sat, 10 Sep 2011 13:46:09 +0000</pubDate>
		<dc:creator>amarinder</dc:creator>
				<category><![CDATA[Knowledge Circles]]></category>
		<category><![CDATA[Security Practices Knowledge Circle]]></category>
		<category><![CDATA[CIO]]></category>
		<category><![CDATA[DLP]]></category>
		<category><![CDATA[FTP]]></category>
		<category><![CDATA[India]]></category>
		<category><![CDATA[ISO]]></category>
		<category><![CDATA[Knowledge Process Outsourcing]]></category>
		<category><![CDATA[KPO]]></category>
		<category><![CDATA[Sachin Jain]]></category>
		<category><![CDATA[Smiles Sachin]]></category>
		<category><![CDATA[Websense Data Loss Prevention]]></category>

		<guid isPermaLink="false">http://cioresearchcenter.com/?p=571</guid>
		<description><![CDATA[“A single instance of a data leak can impact our entire company,” says Sachin Jain, CIO at Evalueserve – a leading Knowledge Process Outsourcing (KPO) enterprise. As a KPO, the company is privy to sensitive information from clients across sectors. This makes data security paramount. However, Sachin and his team have transformed this challenge into a [...]]]></description>
			<content:encoded><![CDATA[<p><a class="post_image_link" href="http://cioresearchcenter.com/2011/09/fortifying-the-enterprise/" title="Permanent link to Fortifying the enterprise &#8211; Sachin Jain, Evalueserve"><img class="post_image alignnone" src="http://cioresearchcenter.com/wordpress/wp-content/uploads/2011/09/Sachin-Jain-e1315738364494.png" width="300" height="319" alt="Post image for Fortifying the enterprise &#8211; Sachin Jain, Evalueserve" /></a>
</p><p><em><br />
“A single instance of a data leak can impact our entire company,” says Sachin Jain, CIO at Evalueserve – a leading Knowledge Process Outsourcing (KPO) enterprise. As a KPO, the company is privy to sensitive information from clients across sectors. This makes data security paramount. However, Sachin and his team have transformed this challenge into a key strength – clients are impressed with Evalueserve’s stringent information security processes. Read on to know how they made it happen.</em></p>
<p><strong>Chinks in the security armour</strong></p>
<p>Evalueserve began their fledgling operations in Gurgaon, India, in 2000; today, they are a team of more than 2400 people across locations. Data security has always been vital given the nature of their business – associates access sensitive client information and conduct custom research. “We even help our clients draft and file patents,” says Sachin, explaining why it is critical to keep the data, residing in their network, absolutely safe.</p>
<p>The company has always been aware of the responsibility such information brings; even during their early years, they had measures to safeguard it. “We had a basic set up with a firewall. But we realized the importance of stricter information security – from compliance as well as business perspectives. We formed a core team to manage enterprise security,” he says. They began by creating policies and structures that evolved with their business. Grappling with different challenges, they adopted a step-by-step approach to fix gaps through which data could be leaked. This resulted in certifications and streamlined data sharing processes.</p>
<p>However, as technology evolved, so did the business need. Using the latest technology solutions as business enablers meant greater complexity to manage. The company needed a more robust solution to ensure that email access, inadvertent data leakage, instances of employees sharing official information through personal mail IDs, etc., did not pose risks.</p>
<p><a href="http://cioresearchcenter.com/wordpress/wp-content/uploads/2011/09/Evalueserve.png"><img class="alignnone size-full wp-image-588" title="Evalueserve" src="http://cioresearchcenter.com/wordpress/wp-content/uploads/2011/09/Evalueserve.png" alt="" width="446" height="342" /></a></p>
<p><strong>Strengthening the links</strong></p>
<p>This is where the Websense Data Loss Prevention (DLP) solution fit in. Implemented at the enterprise level, it covered Evalueserve’s network and also its data endpoints. So, data on laptops, phones, and other mobile agents was secured against leaks and thefts. It also allowed blocking whole categories of websites rather than the more tedious blocking of individual sites. Moreover, data on mobile devices was protected from hard-to-detect malware. Tailored workflows for different business units meant each unit could define its critical information and spot policy violations relevant to its operations.</p>
<p>The solution’s features ticked the other right boxes too: simple architecture, low hardware requirement, and easy integration with existing infrastructure. It also offered the requisite flexibility and came with a centralized console to simplify management and reporting.</p>
<p>ACPL, a Platinum partner of Websense and a leading information security solutions company, was able to successfully demonstrate, through a Proof of Concept (POC), the value of the Websense DLP solution in terms of data leakage protection, compliance support, policy enforcement and cost savings.</p>
<p>Of course, the rollout encountered user resistance, but that faded once employees saw the benefits. To make change management easier, the enterprise also focused on knowledge sharing. “We have e-learning modules, quiz tests, posters, screen savers etc., to introduce and reinforce the security policies.” The company culture ensures that anyone who joins the team is educated about the security policies and complies with them. Sachin also knows that the trick lies in keeping things simple. “It’s on the roadmap: simplifying the Websense security solution we use as much as possible, so that we don’t build complexity into it,” he says.</p>
<p><strong>Safety becomes the norm</strong></p>
<p>How long did the implementation take? It began with data classification where Evalueserve’s different business units had to organize data into different categories based on its sensitivity and use – from confidential to what could be in the public domain. After this, they identified keywords and sources through which data could be leaked (email, FTP, etc.). Soon, policies were aligned to strengthen the initiative. The phased implementation approach will soon see completion; but the early results have already started trickling in. These include:</p>
<ul>
<li>Instances of breaches and data security violations have decreased.</li>
<li>Employees are more sensitive to data security policies and manage critical information better.</li>
<li>Gaps in business processes (such as data leakage through personal IDs) have been fixed.</li>
</ul>
<div>
<p>“The key challenge was to properly classify the data, and the Evalueserve team had a good understanding of what was important to them. The POC showed security breaches and identified broken processes; this made Evalueserve confident of the DLP solution,” said Sukhpal Singh Sandhu, Head – Information Assurance, ACPL Systems. “ACPL has good experience of deploying large and complex DLP solutions; they had the required expertise to handle a project of this magnitude, and we are extremely happy with ACPL’s support in successfully rolling out the project,” says Sachin Jain.</p>
</div>
<p>Clients have also been impressed with Evalueserve’s commitment to data security and the security framework being followed. “In one of the instances, one of our clients had asked for an hour’s slot to review our security policies and controls. When they saw the controls we have in place in addition to the ISO 27001 certificate, we wrapped up the talks in just 5 minutes!” smiles Sachin. Evalueserve’s commitment to information security and data protection has resulted in more business and greater approval through client audits, which Evalueserve is open to at any point in time.</p>
<p>What were the other stepping stones to this successful solution? Apart from classifying and identifying information, the team is managing false positives. The fine-tuning is still underway and will eliminate instances that seem deceptively similar to data breaches.</p>
<p><img class="size-full wp-image-601 alignnone" title="Websense Advantage for Evalueserve" src="http://cioresearchcenter.com/wordpress/wp-content/uploads/2011/09/Websense-Advantage-for-Evalueserve1.png" alt="" width="331" height="357" /></p>
<p><strong>Creating the winning combination</strong></p>
<p>Reflecting on the entire process, Sachin discusses the key lessons learnt. He stresses the need to get adequate representation from all business groups for such initiatives. “You cannot drive it alone,” he points out. “Understand the nature of your business; try the solutions available and then take a decision. It is important to identify the kind of solution and tools which are relevant to your business and do not compromise the organization’s productivity or efficiency. Strike the right balance between being nimble and fast, and staying protected and safe.”</p>
]]></content:encoded>
			<wfw:commentRss>http://cioresearchcenter.com/2011/09/fortifying-the-enterprise/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Websense TRITON™ – making seamless data security a reality</title>
		<link>http://cioresearchcenter.com/2011/09/websense-tritontm-%e2%80%93-making-seamless-data-security-a-reality/</link>
		<comments>http://cioresearchcenter.com/2011/09/websense-tritontm-%e2%80%93-making-seamless-data-security-a-reality/#comments</comments>
		<pubDate>Sat, 10 Sep 2011 13:52:52 +0000</pubDate>
		<dc:creator>amarinder</dc:creator>
				<category><![CDATA[Knowledge Circles]]></category>
		<category><![CDATA[Security Practices Knowledge Circle]]></category>
		<category><![CDATA[ACE]]></category>
		<category><![CDATA[DLP]]></category>
		<category><![CDATA[SSL]]></category>
		<category><![CDATA[TCO]]></category>
		<category><![CDATA[TRITON]]></category>
		<category><![CDATA[TRITONTM]]></category>
		<category><![CDATA[Websense Advanced Classification Engine]]></category>
		<category><![CDATA[Websense Data Security Suite]]></category>
		<category><![CDATA[Websense Global Technical Support]]></category>
		<category><![CDATA[Websense Web]]></category>

		<guid isPermaLink="false">http://cioresearchcenter.com/?p=574</guid>
		<description><![CDATA[Today’s organizations need a unified content security solution: among many other challenges, fast-evolving malware, blended threats, internally initiated data leakage, and an increasingly borderless enterprise have rendered traditional point product approaches less effective while driving up costs and complexity. The Websense TRITON™ solution is designed to slash content security Total Cost of Ownership (TCO) while [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: left;"><em>Today’s organizations need a unified content security solution: among many other challenges, fast-evolving malware, blended threats, internally initiated data leakage, and an increasingly borderless enterprise have rendered traditional point product approaches less effective while driving up costs and complexity.</em></p>
<p>The Websense TRITON™ solution is designed to slash content security Total Cost of Ownership (TCO) while enabling organizations to safely leverage new communication, collaboration, and social web tools like Facebook and Twitter. Organizations achieve the lowest TCO through its unified content security, which consolidates web security, email security, and data loss prevention (DLP) into a highly flexible and scalable unified architecture; a unified platform of on-premise and Security-as-a-Service (SaaS) deployments; unified content analysis with the real-time threat intelligence provided by the Websense Advanced Classification Engine (ACE); and a unified management infrastructure.</p>
<p>The TRITON solution provides unrivaled visibility into an organization’s computing environment and application traffic. Unified policy management that spans on-premise and Cloud-based deployment options further ensures that remote office and mobile workers receive the same high-quality protection consistent with their headquarters-based colleagues.</p>
<p style="text-align: center;"><a href="http://cioresearchcenter.com/wordpress/wp-content/uploads/2011/09/Data-Security.png"><img class="aligncenter size-full wp-image-591" title="Data Security" src="http://cioresearchcenter.com/wordpress/wp-content/uploads/2011/09/Data-Security.png" alt="" width="507" height="150" /></a></p>
<p>Its leading features and unique capabilities include:</p>
<ul>
<li>Market-leading web and email security technologies. Flexible user authentication, application control, antivirus, real-time security scanning, URL filtering, advanced reputation analysis, SSL inspection, real-time updates, and integral Web DLP are all leveraged to protect against malware, improve employee productivity, and help prevent data loss while enabling safe use of dynamic Web 2.0 resources. Likewise, comprehensive protection is provided for email with a cocktail of antispam, antivirus, reputation analysis, and integral email DLP capabilities.</li>
<li>Enterprise-class DLP. Leading DLP technology is designed to identify, monitor, and protect confidential data. By leveraging the unified content analysis of the TRITON solution, Websense Data Security Suite accurately prevents data loss, secures business processes, and helps organizations manage compliance and risk. Both internally and externally initiated data loss scenarios are addressed.</li>
<li>Websense Advanced Classification Engine (ACE). An advanced composite content classification engine, ACE brings individual analytic services together to deliver truly unified content analysis. ACE is the “fusion” of all the different market-leading web, security, and DLP analytics Websense has to offer.</li>
<li>Websense ThreatSeeker® Network. Composed of a dedicated team of cutting-edge security researchers, a collection of more than 50 million monitoring systems that parse over one billion pieces of content daily, and numerous automated analysis routines, the ThreatSeeker Network provides ACE with real-time intelligence about newly discovered threats.</li>
<li>Websense TruHybrid™ deployment. The TRITON solution supports both on-premise deployment via Websense V-Series™ appliances and Cloud-based deployment.</li>
<li>Websense TRITON Console. A comprehensive management solution, the TRITON Console unifies the configuration, monitoring, and reporting capabilities for Websense Web, email, and DLP technologies into a single, web-based interface.</li>
<li>Websense Global Technical Support. Top-quality support personnel with expertise spanning all lifecycle phases (e.g., plan, build, run) provide TRITON customers with technical assistance.</li>
</ul>
<p><strong>The strengths and benefits of a unified content security solution:</strong></p>
<ul>
<li>Security risks are reduced through a combination of proactive (i.e., limiting user exposure in the first place) and reactive mechanisms (i.e., threat/attack filtering).</li>
<li>Compliance posture is improved, particularly with regard to meeting standards of due care for information security and maintaining the privacy of sensitive information.</li>
<li>Proprietary information is protected against unwanted exposure.</li>
<li>Liability protection is provided as unwary users are shielded from offensive content.</li>
<li>User productivity is improved as spam and non-work-related activities are curtailed.</li>
<li>Bandwidth and other computing resources are conserved, as traffic and nonessential usage is curtailed.</li>
</ul>
<p><strong>For IT, the advantages of a unified content security solution are that it:</strong></p>
<ul>
<li>Provides significantly greater security effectiveness. CIOs gain greater visibility into how data, applications, and the computing infrastructure in general are being used; and the benefit of being able to prevent the latest generation of blended threats and sophisticated, targeted attacks.</li>
<li>Achieves greater coverage. A comprehensive and completely consistent set of content security capabilities is available for mobile and remote users as well.</li>
<li>Reduces infrastructure complexity and administrative workload. Considerably fewer devices need to be implemented, integrated, and maintained. It has a single, web-based console that is accessible from anywhere.</li>
</ul>
<p><strong>For business management, a unified content security solution:</strong></p>
<ul>
<li>Slashes TCO. The annualized TCO of Websense-hosted email security at a typical midsize company is less than one-third the cost of a comparable on-premise email security solution.</li>
<li>Enables innovation and growth without compromise. Organizations can fully leverage new communication, collaboration, and Web 2.0 tools.</li>
<li>Ensures compliance with regulatory requirements. Enterprise-class DLP and comprehensive content security coverage ensure superior threat prevention capabilities.</li>
</ul>
<p><strong>For users, a unified content security solution:</strong></p>
<ul>
<li>Enhances their computing experience. No matter where they are, users can be treated with the same, consistent set of policies.</li>
<li>Removes roadblocks to increased productivity. Users gain the freedom to find and take advantage of new sites, services, and tools.</li>
</ul>
<p>The Websense TRITON solution is the industry’s first and only solution that fully meets enterprises’ requirements by combining market-leading web, email, and data loss prevention security technologies into one unified architecture. The benefits of this approach are extensive and include comprehensive security coverage for today’s borderless enterprises.</p>
]]></content:encoded>
			<wfw:commentRss>http://cioresearchcenter.com/2011/09/websense-tritontm-%e2%80%93-making-seamless-data-security-a-reality/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Jaankari se jaagruti tak &#8211; from awareness to alertness</title>
		<link>http://cioresearchcenter.com/2011/09/jaankari-se-jaagruti-tak-from-awareness-to-alertness/</link>
		<comments>http://cioresearchcenter.com/2011/09/jaankari-se-jaagruti-tak-from-awareness-to-alertness/#comments</comments>
		<pubDate>Sat, 10 Sep 2011 13:54:43 +0000</pubDate>
		<dc:creator>amarinder</dc:creator>
				<category><![CDATA[Knowledge Circles]]></category>
		<category><![CDATA[Security Practices Knowledge Circle]]></category>
		<category><![CDATA[CCA]]></category>
		<category><![CDATA[CISO]]></category>
		<category><![CDATA[DNA]]></category>
		<category><![CDATA[Information Security]]></category>
		<category><![CDATA[ISO]]></category>
		<category><![CDATA[Shobitha Hariharan]]></category>
		<category><![CDATA[Shoppers Stop]]></category>

		<guid isPermaLink="false">http://cioresearchcenter.com/?p=575</guid>
		<description><![CDATA[An article by Shobitha Hariharan, CCA and CISO, Shoppers Stop Often, regulatory compliance fuels information security (info-sec) practices in organizations. In the absence of external pressures, the triggers could include – questions raised by internal/external auditors; client requirement; and quick fixes or inadequate, case-specific, one-time resolutions. These make it necessary to introduce global information security [...]]]></description>
			<content:encoded><![CDATA[<p><a class="post_image_link" href="http://cioresearchcenter.com/2011/09/jaankari-se-jaagruti-tak-from-awareness-to-alertness/" title="Permanent link to Jaankari se jaagruti tak &#8211; from awareness to alertness"><img class="post_image alignnone" src="http://cioresearchcenter.com/wordpress/wp-content/uploads/2011/09/Shobitha-Hariharan.png" width="121" height="142" alt="Post image for Jaankari se jaagruti tak &#8211; from awareness to alertness" /></a>
</p><p><strong><em>An article by Shobitha Hariharan, CCA and CISO, Shoppers Stop</em></strong></p>
<p>Often, regulatory compliance fuels information security (info-sec) practices in organizations. In the absence of external pressures, the triggers could include questions raised by internal or external auditors, client requirements, and quick fixes or inadequate, case-specific, one-time resolutions. These make it necessary to introduce global information security best practices into the organization.</p>
<p>Recently, a few enterprises faced info-sec breaches. The reputational and financial damage they suffered highlights the need to focus on information security as an essential part of business. There is a need to stitch together a security approach and policy, which can be applied across enterprise functions. For large organizations, a common baseline for all the different business verticals is a good starting point.</p>
<p>For a comprehensive info-sec implementation, people, process, and technology need to be aligned. People are the weakest link – not because they are unaware of data security requirements in general, but because of the gap between ‘<em>jaankari</em>’ [awareness] and ‘<em>jaagruti</em>’ [alertness]. An engaging and sustained awareness program helps them understand the need for appropriate security measures. However, this necessitates consistent effort over the long term.</p>
<p>The reference point for security implementation is usually a suitable ISO standard or a more stringent set of controls. While these standards provide a list of ‘good to haves’, the rigidity of enforcement and the ‘must haves’ are industry-specific.</p>
<p>Regulatory compulsion and the need to get and remain certified are business continuity requirements and mandate all recommended controls. Therefore, it is vital to take a hard look at the business goals and the existing business processes before undertaking the actual implementation. Further, streamlining the critical processes across a few locations and teams helps define the ‘scope’ for applying the controls. This contains the flow of critical information, and facilitates concise documentation and review practices that are essential for evidencing the existence of periodic checks and balances.</p>
<p>Security standards typically specify threshold levels for certification. Smaller companies, where certification may not be mandatory, need to diligently carry out periodic self-assessments and take remediation measures where required. Moreover, in the absence of external pressures, organizations may tilt more towards bringing about discipline and efficiencies in business processes and ensuring a high level of awareness of info-sec policies.</p>
<p><strong>Key learnings from my experience</strong></p>
<p><strong><a href="http://cioresearchcenter.com/wordpress/wp-content/uploads/2011/09/Lock.png"><img class="alignright size-full wp-image-594" title="Lock" src="http://cioresearchcenter.com/wordpress/wp-content/uploads/2011/09/Lock.png" alt="" width="296" height="222" /></a>Engage expert consultants.</strong> At the outset, the right kind of assistance is crucial. A consultant who brings in domain expertise and best practices, and blends them with the organizational culture, is essential for the success of the initiative. The Information Security leader is but a project coordinator across business verticals and functions. Of course, the security officer continues to drive the security program as part of the internal team.</p>
<p><strong>Engage with business users and application owners at the ground level. </strong>The implementations on the ground help the organization’s DNA imbibe info-sec best practices. Wherever possible, information security should be built into business processes. Making efforts to understand and appreciate the business users’ work encourages consultative interaction and keeps the security team informed. This in turn can infuse acceptable practices into the process.</p>
<p><strong>Compliance versus risk reduction.</strong> The information security function is regarded as the ‘enforcer’ who tells people what they ‘can’t’ do and is often viewed as an ‘auditor’ who is out of sync with the mundane requirements of running a business. It is important to communicate to business users and technology teams alike, and explain that adhering to globally-accepted norms is less about compliance and more about reduction of avoidable risk. Collaboration between business users, the functional leads, and the technology team, enables user-friendly business processes that are less person dependent. Technology thus becomes the enabler of a well-integrated environment.<strong> </strong></p>
<p><strong>Insecurity.</strong> Coordination between the technology and business operations teams, mediated by functional experts who are fully aligned to info-sec practices, helps bring down feelings of irritation and insecurity. Regular open dialogues and participation in business processes eliminate unnecessary restrictions under the guise of security best practices; this goes a long way in creating a better working environment for employees. Elucidating the value/benefit of the risk mitigation steps helps drive this home.</p>
<p>As in any business process reengineering exercise, information gathering is an extremely crucial step here, which leads to informed decision-making. Also, intuitively, one needs to know when to hold fast and when to let go, and have the conviction to see the program through. Winning friends and influencing people helps in building better collaborative relationships.</p>
<p><strong>Communicate…engage…communicate is the mantra!</strong></p>
]]></content:encoded>
			<wfw:commentRss>http://cioresearchcenter.com/2011/09/jaankari-se-jaagruti-tak-from-awareness-to-alertness/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Websense Security Workshop: Advanced Persistent Threats (APTs)</title>
		<link>http://cioresearchcenter.com/2011/09/websense-security-workshop-advanced-persistent-threats-apts/</link>
		<comments>http://cioresearchcenter.com/2011/09/websense-security-workshop-advanced-persistent-threats-apts/#comments</comments>
		<pubDate>Sun, 11 Sep 2011 06:02:08 +0000</pubDate>
		<dc:creator>amarinder</dc:creator>
				<category><![CDATA[Knowledge Circles]]></category>
		<category><![CDATA[Security Practices Knowledge Circle]]></category>
		<category><![CDATA[APT]]></category>
		<category><![CDATA[Dates Bangalore]]></category>
		<category><![CDATA[Manish Bansal]]></category>
		<category><![CDATA[Register Email]]></category>
		<category><![CDATA[RSA]]></category>
		<category><![CDATA[Security Workshop]]></category>

		<guid isPermaLink="false">http://cioresearchcenter.com/?p=610</guid>
<description><![CDATA[Today’s APTs target confidential data and proprietary corporate information. From Aurora and Stuxnet to RSA and Sony, APTs are becoming increasingly frequent and affect corporations across the globe. Security breaches affect not just users, but also companies who then have to deal with damaged reputation and financial loss. Websense’s Security Workshop on APTs is designed [...]]]></description>
			<content:encoded><![CDATA[<p>Today’s APTs target confidential data and proprietary corporate information. From Aurora and Stuxnet to RSA and Sony, APTs are becoming increasingly frequent and affect corporations across the globe. Security breaches affect not just users, but also companies who then have to deal with damaged reputation and financial loss.</p>
<p>Websense’s Security Workshop on APTs is designed to help you better understand how to address these threats within your own environment. Participants learn about:</p>
<ul>
<li>What is an APT?</li>
<li>What makes APTs different from traditional attacks?</li>
<li>What are some examples of APTs and how are they different from blended threats?</li>
<li>How does Websense address both APTs and blended threats?</li>
</ul>
<p><strong>Dates:</strong> <em>Bangalore – 15<sup>th</sup> September, 2011</em></p>
<p><em>Chennai – 16<sup>th</sup> September, 2011</em></p>
<p><strong>Register:</strong> <em>Email your contact details to Manish Bansal at mbansal@websense.com for more details.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://cioresearchcenter.com/2011/09/websense-security-workshop-advanced-persistent-threats-apts/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Websense presents Cloud-based SaaS solutions</title>
		<link>http://cioresearchcenter.com/2011/09/websense-presents-cloud-based-saas-solutions/</link>
		<comments>http://cioresearchcenter.com/2011/09/websense-presents-cloud-based-saas-solutions/#comments</comments>
		<pubDate>Sun, 11 Sep 2011 05:58:46 +0000</pubDate>
		<dc:creator>amarinder</dc:creator>
				<category><![CDATA[Knowledge Circles]]></category>
		<category><![CDATA[Security Practices Knowledge Circle]]></category>

		<guid isPermaLink="false">http://cioresearchcenter.com/?p=608</guid>
		<description><![CDATA[Websense recently launched Cloud-based Security-as-a-Service (SaaS) solutions for Indian companies, facilitating locally hosted security solutions necessary for data compliance. Websense Security-as-a-Service (SaaS) provides a fast and easy deployment path for the Websense Hosted Web Security and Websense Hosted Email Security products. SaaS shifts security inspection, enforcement, and management processes from the customer’s location to globally [...]]]></description>
			<content:encoded><![CDATA[<p></p><p>Websense recently launched Cloud-based Security-as-a-Service (SaaS) solutions for Indian companies, facilitating locally hosted security solutions necessary for data compliance.</p>
<p>Websense Security-as-a-Service (SaaS) provides a fast and easy deployment path for the Websense Hosted Web Security and Websense Hosted Email Security products. SaaS shifts security inspection, enforcement, and management processes from the customer’s location to globally available datacenters ‘in the Cloud’. With this, infrastructure, web, and email security services can be deployed across large and small offices located around the world in minutes.</p>
<p>The benefits of SaaS to Indian companies include:</p>
<ul>
<li>Sophisticated real-time security</li>
<li>No hardware or software to buy or maintain</li>
<li>Reduced bandwidth costs</li>
<li>Ease of scalability</li>
<li>Automatic spooling for email backup</li>
<li>Carrier-grade data center availability and security</li>
<li>Web and email security</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://cioresearchcenter.com/2011/09/websense-presents-cloud-based-saas-solutions/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Read the entire second issue of the Security Practices Knowledge Circle</title>
		<link>http://cioresearchcenter.com/2011/07/read-the-entire-second-issue-of-the-security-practices-knowledge-circle/</link>
		<comments>http://cioresearchcenter.com/2011/07/read-the-entire-second-issue-of-the-security-practices-knowledge-circle/#comments</comments>
		<pubDate>Thu, 28 Jul 2011 09:16:11 +0000</pubDate>
		<dc:creator>tapangarg</dc:creator>
				<category><![CDATA[Knowledge Circles]]></category>
		<category><![CDATA[Security Practices Knowledge Circle]]></category>
		<category><![CDATA[SPKC]]></category>

		<guid isPermaLink="false">http://cioresearchcenter.com/?p=557</guid>
		<description><![CDATA[It’s not everyday that an organization can claim to be a door-opener in their space or chosen initiative. But Nucleus Software, featured in our lead story in this issue of Security Practices Knowledge Circle (SPKC), can safely say that of their web and data security initiative. Nucleus partnered with Websense to find the right web [...]]]></description>
			<content:encoded><![CDATA[<p><a class="post_image_link" href="http://cioresearchcenter.com/2011/07/read-the-entire-second-issue-of-the-security-practices-knowledge-circle/" title="Permanent link to Read the entire second issue of the Security Practices Knowledge Circle"><img class="post_image alignnone" src="http://cioresearchcenter.com/wordpress/wp-content/uploads/2011/07/spkc2cover-211x300.jpg" width="211" height="300" alt="Post image for Read the entire second issue of the Security Practices Knowledge Circle" /></a>
</p>
<p>It’s not every day that an organization can claim to be a door-opener in their space or chosen initiative. But Nucleus Software, featured in our lead story in this issue of Security Practices Knowledge Circle (SPKC), can safely say that of their web and data security initiative. Nucleus partnered with Websense to find the right web and data security solution, which not only helped them keep their IP and data protected even with a mobile workforce but also opened up Internet access for business leverage. Interestingly, it also threw up a number of facets that the Nucleus ISO hadn’t tracked. But not before Websense also challenged itself to define and deliver a solution like never before. Learn more about that in this issue.</p>
<p>Taking a cue, other organizations are eager to protect their confidential data, and also look to allow free Internet access enterprise-wide, but only after ensuring protection from real-time web threats and malware for their employees. That is why our second story throws light on the types of security you should look at as you do this. We close with an interesting piece by Parag Deodhar of Bharti AXA General Insurance Company Limited. Parag throws light on the recently formalized IT Rules 2011 of the Government of India and explores areas of security that are impacted by these rules. Data capture, storage, transfer, and destruction all fall under the purview of these rules, and this story equips you to handle these sensitive areas in your organization.</p>
<p>As always, we continue to dig for stories that will add value to your role and enterprise. Look out for the next issue, as we announce workshops that will enlighten CIOs on security trends. Do write to us with feedback, suggestions, and initiatives that you would like us to cover.</p>
]]></content:encoded>
			<wfw:commentRss>http://cioresearchcenter.com/2011/07/read-the-entire-second-issue-of-the-security-practices-knowledge-circle/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
<title>Three must-haves to securing the social web</title>
		<link>http://cioresearchcenter.com/2011/07/three-must-haves-to-securing-the-social-web/</link>
		<comments>http://cioresearchcenter.com/2011/07/three-must-haves-to-securing-the-social-web/#comments</comments>
		<pubDate>Thu, 28 Jul 2011 08:23:46 +0000</pubDate>
		<dc:creator>amarinder</dc:creator>
				<category><![CDATA[Knowledge Circles]]></category>
		<category><![CDATA[Security Practices Knowledge Circle]]></category>
		<category><![CDATA[AXA]]></category>
		<category><![CDATA[Central Government]]></category>
		<category><![CDATA[DR]]></category>
		<category><![CDATA[General Insurance Company Limited]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[HTTP]]></category>
		<category><![CDATA[HTTPS]]></category>
		<category><![CDATA[India]]></category>
		<category><![CDATA[URL]]></category>
		<category><![CDATA[Vice President]]></category>

		<guid isPermaLink="false">http://cioresearchcenter.com/?p=516</guid>
		<description><![CDATA[The social web Social networking and Web 2.0 are all the rage. With Facebook, Twitter, Bebo, YouTube, Google, Yahoo, Flickr, LinkedIn, WordPress, and more, there are over a billion socially active people today — a number that continues to grow at an astounding rate. The social web has emerged as a valuable business tool for the modern enterprise, [...]]]></description>
<content:encoded><![CDATA[<p><strong>The social web</strong><br />
Social networking and Web 2.0 are all the rage. With Facebook, Twitter, Bebo, YouTube, Google, Yahoo, Flickr, LinkedIn, WordPress, and more, there are over a billion socially active people today — a number that continues to grow at an astounding rate. The social web has emerged as a valuable business tool for the modern enterprise, touting rich applications with real-time interaction and user-generated content.</p>
<p>But along with its enormous popularity come significant risks. So in the race to maximize its potential, enterprises must take due care to protect the business. The following are three <strong>must-haves</strong> to securing the social web:</p>
<p><a href="http://cioresearchcenter.com/wordpress/wp-content/uploads/2011/07/Angry-Birds.png"><img class="alignnone size-full wp-image-564" title="Angry Birds" src="http://cioresearchcenter.com/wordpress/wp-content/uploads/2011/07/Angry-Birds.png" alt="" width="281" height="270" /></a></p>
<p><strong>Acceptable use policy control</strong></p>
<p>The URL is no longer sufficient for acceptable use policy controls. The web is the content the employee sees on the page. Facebook, for example, is a social networking site, but the content on any given page within it could be entertainment, gambling, pornography, or a security risk. So to provide acceptable use policy controls in today’s social web, you need technology that scans the content on the page (not just the URL) in real time, as the user accesses it, and can control access to discrete portions of content (not just the entire page), as well as applications (e.g., Farmville, MafiaWars) used within it. This is called real-time content classification and must be done at the Internet gateway for both HTTP and HTTPS protocols (since Facebook and many other sites support SSL). Only with real-time content classification can you get visibility and control to enforce acceptable use policy in the social web.</p>
<p><strong>Malware protection</strong></p>
<p>Attackers are now social too, which is why we’re seeing an increase in security threats on social networking sites, both old-style attacks being reborn in the social web medium and new, sophisticated threats that target vulnerabilities in the browser and gaps in antivirus solutions. The social web is built on a platform that is dynamic and script-based, and so too is the modern malware that lives within it. Like the real-time content classification used for acceptable use policy control, enterprises must be able to perform real-time security scanning for malware on the social web. This includes scanning all code on the page in real time, at the Internet gateway for both HTTP and HTTPS protocols, going beyond signature- and reputation-based scanning (since sites like Facebook, for example, are reputable) to decompile Flash, JavaScript, and the rest of the code on the page, on the fly, to inspect for both legacy and modern attacks. Only with real-time security scanning can you get protection from modern malware in the social web.</p>
<p><strong>Data loss prevention</strong></p>
<p>39 percent of malicious web attacks include data-stealing code. And one of the prime benefits of social networking is that users can share content. Of course, with all the malware out there and users’ ability to share content comes big risk. While your first instinct may be to block all posts to Facebook, this can erode the utility of the application. What’s more, how you identify data loss is critical to stopping it. Using basic keywords and regular expression-based detection can often lead to false positives and negatives, and may lack the necessary workflow and reporting; accurate data identification paired with contextually-aware controls for DLP addresses this. This approach allows you to, for example, prevent sensitive and regulated customer information from being uploaded to any social networking, personal email, or personal storage site, but lets that same data be posted to SalesForce.com, your CRM solution. With accurate data identification and contextually-aware controls (i.e., controls that tie together user, data, and destination policy objects) you can safely enable use of social networking and cloud-based applications simultaneously.</p>
]]></content:encoded>
			<wfw:commentRss>http://cioresearchcenter.com/2011/07/three-must-haves-to-securing-the-social-web/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Reasonable security for sensitive personal information</title>
		<link>http://cioresearchcenter.com/2011/07/reasonable-security-for-sensitive-personal-information/</link>
		<comments>http://cioresearchcenter.com/2011/07/reasonable-security-for-sensitive-personal-information/#comments</comments>
		<pubDate>Thu, 28 Jul 2011 08:17:14 +0000</pubDate>
		<dc:creator>amarinder</dc:creator>
				<category><![CDATA[Knowledge Circles]]></category>
		<category><![CDATA[Security Practices Knowledge Circle]]></category>
		<category><![CDATA[Amendment Act]]></category>
		<category><![CDATA[Central Government]]></category>
		<category><![CDATA[DR]]></category>
		<category><![CDATA[DSS]]></category>
		<category><![CDATA[EU]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[India]]></category>
		<category><![CDATA[ISO]]></category>
		<category><![CDATA[PCI]]></category>

		<guid isPermaLink="false">http://cioresearchcenter.com/?p=519</guid>
		<description><![CDATA[Parag Deodhar is Chief Risk Officer and Vice President – Process Excellence &#38; Program Management, Bharti AXA General Insurance Company Limited. In the information security (info-sec) realm, we generally get to hear the prefixes ‘total’, ‘comprehensive’, ‘best in class’, etc.  I had never heard the prefix ‘reasonable’ (in context of security) before it was mentioned [...]]]></description>
			<content:encoded><![CDATA[<p><a class="post_image_link" href="http://cioresearchcenter.com/2011/07/reasonable-security-for-sensitive-personal-information/" title="Permanent link to Reasonable security for sensitive personal information"><img class="post_image alignnone" src="http://cioresearchcenter.com/wordpress/wp-content/uploads/2011/07/Parag-Deodhar.png" width="218" height="262" alt="Post image for Reasonable security for sensitive personal information" /></a>
</p><p><em>Parag Deodhar is Chief Risk Officer and Vice President – Process Excellence &amp; Program Management, Bharti AXA General Insurance Company Limited.</em></p>
<p style="text-align: justify;">In the information security (info-sec) realm, we generally get to hear the prefixes ‘total’, ‘comprehensive’, ‘best in class’, etc. I had never heard the prefix ‘reasonable’ (in context of security) before it was mentioned in the IT (Amendment) Act 2008. Even then, it has only come up for debate amongst the info-sec professionals.</p>
<p style="text-align: justify;">‘Privacy’ is another term, which was very rarely used in the Indian context. True to the Indian fondness for ‘imported’ stuff, we were well-versed with laws like HIPAA, EU data protection, PCI-DSS. But we continue to lack indigenous data privacy legislation.</p>
<p style="text-align: justify;">On 11 April 2011, the Government of India brought about a sweeping change in one stroke – the IT (reasonable security practices and procedures and sensitive personal data or information) Rules 2011. This, in my view, has changed the rules of the game. But what does it mean for Indian organizations?</p>
<p style="text-align: justify;"><strong>Sensitive personal information</strong></p>
<p style="text-align: justify;">To begin with, organizations will need to understand what constitutes sensitive personal information and analyze the information being collected at various points from their prospective/current customers, partners, and suppliers. It may be at the point of acquiring the customer, when doing a promotional event (outsourced to a marketing company), or in a contest on the website. As per the rules, a password also constitutes sensitive personal information. So, if you require a customer or partner to create an account on your website with a user id and password, you are required to comply with these rules, even though you may not be taking any other personal information like financial details, debit/credit card/bank account numbers, health information, etc.</p>
<p style="text-align: justify;"><strong>Privacy policy</strong></p>
<p style="text-align: justify;">All organizations in India collecting, storing or transferring sensitive personal information will need to put in place a privacy policy and make it available publicly, i.e., on the company website.</p>
<p style="text-align: justify;"><strong>Information collection and retention</strong></p>
<p style="text-align: justify;">Organizations will also need to take explicit permission from the information owner regarding the purpose of usage, in writing, through a letter, fax or email. This could turn out to be a very challenging process. While organizations that get forms filled for account opening, proposal forms, etc. could include the consent in the form itself, it would be difficult to implement where forms are filled/information is collected online, e.g., online insurance policy issuance, hotel booking, visa applications, etc. The rules do not make it clear whether ticking the ‘I Accept’ box on the terms and conditions on the website will be good enough. If organizations choose to take this consent over email, will this electronic record be held valid only if digitally signed in accordance with the IT Act?</p>
<p style="text-align: justify;">Organizations will be required to educate the information owner on the purpose and intended recipients, as well as the agency that will retain the information. This means that if you have outsourced any of your data processing activities, you will need to disclose, at the time of collection, the names of the outsourced partners who will use this personal information.</p>
<p style="text-align: justify;">Organizations are also required to allow the information owners to review the information stored and correct it if any discrepancies are found. This will probably require an addition to the customer service window. A grievance officer will need to be appointed and details published on the website.</p>
<p style="text-align: justify;">The information owner can also withdraw this consent (in writing, of course) and the personal information will need to be taken off the records. In such cases, the organization reserves the right to stop providing the service to the information owner. I wonder if organizations will still need to keep the information in their records if required by law for a particular period. This seems to be a contradiction and will need some clarification.</p>
<p style="text-align: justify;"><strong>Data transfer</strong></p>
<p style="text-align: justify;">If organizations want to transfer sensitive personal information to any other organization, e.g., an outsourced data processing unit, call center or data center, then they need to ensure that such third parties have the same level of security as that maintained by the organization. It will be imperative for organizations to mandate the level of security and also ensure that the standards are met by the partners through regular audits.</p>
<p style="text-align: justify;"><strong>Data destruction</strong></p>
<p style="text-align: justify;">Organizations should not store data for a period longer than is required for providing the product/services unless required by law. Organizations will need to implement secure data deletion processes for all data, including backups stored on tapes, offsite locations, DR sites, not to forget the Cloud. They will also need to ensure that data is deleted securely from outsourced partners and their DR sites.</p>
<p style="text-align: justify;"><strong>Reasonable security</strong></p>
<p style="text-align: justify;">Organizations are required to document and implement reasonable security practices and processes covering managerial, technical, operational, and physical security measures, commensurate with the information to be protected. The rules also recommend ISO 27001 as a standard, which covers all these requirements. In case the organizations prefer to follow their own security measures, they need to get their measures approved by the Central Government.</p>
<p style="text-align: justify;">Organizations will also be required to get their security measures audited annually by an independent auditor approved by the Central Government. In the event of an information security breach, organizations must demonstrate that they had implemented reasonable security processes.</p>
<p style="text-align: justify;"><strong><a href="http://cioresearchcenter.com/wordpress/wp-content/uploads/2011/07/Privacy-Policy.png"><img class="alignnone size-full wp-image-523" title="Privacy Policy" src="http://cioresearchcenter.com/wordpress/wp-content/uploads/2011/07/Privacy-Policy.png" alt="" width="438" height="276" /></a> </strong></p>
<p style="text-align: justify;"><strong>Checker-board</strong></p>
<p style="text-align: justify;">Looking at the history of information security breaches in India, both published and unpublished, data privacy rules are definitely required. However, in my opinion these rules should be practical and ‘reasonable’ to implement. In their current form, some of these rules pose multiple challenges to implementation in true spirit. Again, what constitutes ‘reasonable’ security will remain a matter of interpretation, and I suspect it will be an area of major debate in the coming days.</p>
]]></content:encoded>
			<wfw:commentRss>http://cioresearchcenter.com/2011/07/reasonable-security-for-sensitive-personal-information/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

