Opinion


Storing Safe and Secure Information

By Vishal Gupta Sun, Mar 01, 2009

Vishal Gupta is CEO, Seclore Technology

It is impossible for any organization of a reasonable size to be in business and not collect and hold personal information, such as names, addresses, account numbers, about employees, customers, etc. It is therefore vital to acknowledge and act on the responsibility that this information comes with. Enterprises are slowly but surely awakening to this responsibility as the loss of this information could lead to monetary and reputation loss.

Here, I would like to stress the role of government and industry regulators in bringing forth a set of regulations and norms to ensure that enterprises value the information that people entrust to them. The objective of these measures would be to provide assurance that:

Information is revealed to those who have the right, i.e. Confidentiality

Information is consistent and no unauthorized change has occurred, i.e. Integrity

Information is available and usable, i.e. Availability

Information disputes can be resolved, i.e. Non-repudiation

At a high level, these measures could be classified under four categories. The first is the mandatory establishment of information security auditors as distinct from information security consulting companies. The Prime Minister has, on various occasions, said that India is a knowledge economy. If this is so, then knowledge needs to be treated like money. Just as financial transactions have to pass a financial auditor, information transactions should also pass through information security auditors. Most companies handling confidential information today have an internal or outsourced information security team. The external information systems auditor would perform a role similar to that of the financial auditor: monitoring activities and ensuring compliance by the internal information security team. This is a vital step to ensure separation of duties.

The second is the complete auditing of confidential information. Enterprises need to deal with customer information like they deal with money. They must keep track of what was deposited by the consumer and what happened to the information since the deposit. They must also, on request, be able to delete personal identity information that is not required by regulatory bodies.

This end-to-end visibility of data across the cycle of creation, distribution, usage, archival and deletion is the only mechanism by which enterprises can self-monitor their information handling processes.

The third is the enactment of disclosure norms. Many countries in the world are still deciding on what stand to take on data breach disclosure norms.

“If confidential data is lost by the enterprise, should it be mandatory to disclose this to the parties that could possibly be affected by the loss?”

The argument on one side is ‘No harm, no foul’, which means that as long as the data breach had no ‘damages’ attached to it, the company should not be penalized. Judgements in cases related to Wells Fargo and TJX are along these lines.

While the debate between enterprises facing data breaches and the possibly affected individuals will continue, the enactment of disclosure norms would be a significant preventive measure since enterprises are bound to be extra careful if the reputation risk is enhanced.

The fourth and final is the establishment of a centralized information security ombudsman with international reach. The establishment of localized cyber crime cells has helped by providing a place to lodge a ‘First Information Report’, but there is a need for a centralized information security ombudsman that can bring about industry-specific norms as well as coordinate with international security agencies in cases involving international cyber crime.

The present-day norms for preventing and handling data breaches in India leave much to be desired. It is now time for the government to step in and have industries incorporate information security governance into their overall corporate governance practices.
