India Start-ups IT Security & IT Act 2008

Information Risks,
Managed
The contents of this document are property and confidential to ValueMentor Consulting and shall not be disclosed in whole or part at any
time, to any third party without the prior written consent of ValueMentor Consulting LLP.
© ValueMentor Consulting LLP. All rights reserved. Copyright in the whole and any part of this document belongs to ValueMentor Consulting
LLP. This work may not be sold, transferred, adapted, copied and / or reproduced in whole or in part, in any manner or form, on in any media,
without the prior consent of ValueMentor Consulting LLP.
IT Security & IT Act 2008
Binoy Koonammavu
Principal Consultant | CISSP, CISA, CISM, CRISC, SBCI, CCSK
Email: binoy@valuementor.com | Ph: +91-974 5767 944

© ValueMentor Consulting LLP Slide 2
Agenda
• Introduction
• Typical Start-up Scenario
• Tips for changing the security scenario
• Some clauses of IT Act 2000 (IT AA 2008)
• Q & A

Shameless Advertising
• Binoy Koonammavu, that’s me, works for ValueMentor
Consulting LLP
– a specialist Information Security Company from Kochi
• 15 years in the field of IT with around 12 years of it in
protecting data and complying with regulations
• Previously held roles like
– Practice Director – Information Security at UST Global
– Manager – IT Security at Burgan bank, Kuwait
• An Honouree in the Sixth Annual Asia-Pacific Information
Security Leadership Achievements (ISLATM) Program
• CISSP, CISM, CRISC, CISA, SBCI & CCSK and also held
various vendor certification

Typical Startup Scenario

Some Startups
 Happy Developers
Working on the product
Not worried about the security standards or best practices
Driven to deliver functionality
Everybody loved the new product that fixed “that” gap

Challenges / Myths
• Secure software vs robust, usable & functional
software
• Security is considered as complex in the SDLC
process
• Security is considered as non-functional requirement
• Hackers are targeting businesses, not software
• With Agile, the development teams are required to
develop functional systems in less time
• Development team awareness on security is less &
the skills are rare.

What is that often forgotten?
• Data Protection
• Regulatory requirements
– Specifically, non-financial regulations
• Data privacy

Data.. Lets think
• Data of your company
– Intellectual Property
– Copyrights & Trademarks
– Source code
• Data of your customers
– Personal Data
– Sensitive / Confidential data

What is that you need to do?
Protect your data
Protect your customers

What Happens when your staff moves on?

What Happens when your staff move on?
• To your
– Intellectual Property
– Source code
• Get Non-Disclosure agreements signed

What if you are hacked?

Some more myths
• Security hinders usability
• Security is performance hungry
• Security is all about antivirus, firewalls, IPS etc…
• Security is all about encryption
• Security is for big companies
• It is easy to fix a vulnerability once identified
• Security is complex

Some tips – Data Security

There is no Silver Bullet

Design Software with Secure Features

The easiest way to break system security is often to
circumvent it rather than defeat it

Know what you need to protect
 Identify your critical assets
 Passwords
 Health information
 Bank Account / Card numbers
 Assess the risk
 Assess threats to those assets
 Determine impact of loss/compromise of assets
 Define security requirements to prevent / delay the
risks
 Design solutions to meet your security requirements

Manage Risks
• Not every system / module requires same level of
security. Assess the risks

Some design considerations
Adapted from the Saltzer & Schroeder Protection of Information in Computer Systems

Develop Software with Secure Features
“Security is just another attribute of
software like usability, performance,
reliability & scalability”
“The idea of incorporating security into the
SDLC begins with evaluating the relative
importance of this attribute and then going
on to incorporating controls in line with
that.”
Tallah Mir, Sr. Program Manager , Microsoft

Develop Software with Security Features
 Convert security design in secure code
 Secure coding practices
 https://www.securecoding.cert.org/confluence/display/se
ccode/
 Perform Security code reviews
 Manual
 Automated
 Perform Security tests (Vulnerability Assessments &
Penetration Testing)
 Blackbox
 Whitebox

Top 10 Secure Coding Practices
1. Validate input
2. Heed compiler warnings
3. Architect and design for security policies
4. Keep it simple
5. Default deny
6. Adhere to the principle of least privilege
7. Sanitize data sent to other systems
8. Practice defense in depth
9. Use effective quality assurance techniques
10. Adopt a secure coding standard
Source:
https://www.securecoding.cert.org/confluence/display/seccode/Top+10+Sec
ure+Coding+Practices

Deploy Software with Secure Features
• Secure application, insecure host
• Develop and Implement Security baselines for
– Operating Systems
– Application Server
– Web Server
– Database servers
– Other computing devices
• Release Management
– How often you release code, what process you will follow.

Defense in Depth
Electronic Access controls, Access cards,
Manned reception, Locks, Security Guards,
Fire alarms and suppression systems
ACL’s, Encryption, Backup
Application Hardening, ACL's, Secure
applications
Patch Management, Antivirus, Authentication
VLAN’s, NIPS, Internet Proxy Server
Firewall, VPN’s, NIPS
Management Controls
Policies, Procedures,
Awareness & Agreements
Physical Security
Technical Controls
Perimeter
Internal Network
Host
Application
Data
Risk Assessment and Treatment, Policies,
Process, NDA’s, Incident reporting, Internal
Audits

Some references
• OWASP Top 10
– https://www.owasp.org/index.php/Category:OWASP_Top_
Ten_Project
• SANS Top 25
– http://cwe.mitre.org/top25/
– http://www.sans.org/top25-software-errors/

BUILD A CULTURE OF SOFTWARE SECURITY

IT (amendment) Act 2008
Some sections of interest

Relevance of ITA 2008
• ITAA 2008 (Information Technology (Amendment) Act, 2008) focus on
covering the shortfalls of ITA 2000
• IT Act 2000 was focused on E-Commerce, Digital
transactions and its legal validity
• IT Act 2008 focuses on Information Security and data
privacy to a great extent

Direct responsibility
• The executives are directly responsible for Cyber
Security
• The responsibility can be attributed to
– The Head of IT / IT Manager
– The CEO / Founders
– Under the following conditions
• No Due Diligence is practiced when it comes to IT related affairs
• Neglected the IT Act requirements
• Willful act of Cyber security incident
• Information Security is no more Data Security, but a
law in India.

The importance of “Due Diligence”
• Section 85: Offences by Companies
– (1) Where a person committing a contravention of any of
the provisions of this Act or of any rule, direction or order
made there under is a Company,
• every person who, at the time the contravention was committed,
was in charge of, and was responsible to, the company for the
conduct of business of the company as well as the company, shall
be guilty of the contravention and shall be liable to be proceeded
against and punished accordingly:
• Provided that nothing contained in this sub-section shall render
any such person liable to punishment if he proves that the
contravention took place without his knowledge or that he
exercised all due diligence to prevent such contravention

Why “Due Diligence”
• In a typical cyber crime, investigators will search for
the origin of the incident. Mostly, by tracing the IP
Address of the computer involved
– If the cyber crime source is the IP Addresses controlled by
your company, Sec 85 may become applicable on you.
• How is that your company become part of a cyber
crime?
– Malicious staff members
– A hacked computer in your network which is used for
performing cyber crime on another company / computer
• In such cases, your company may become the
primary accused

Why “Due Diligence”
• What happens in such scenario? Let us review Sec 85
again
– Who is responsible? (Sub section (1) of 85)
• Every person who, at the time of contravention was
committed, was in charge of, and was responsible to, The
company for the conduct of business of the company (Head
of IT / CEO??)
• As well as the company
• Shall be guilty of the contravention and shall be liable to be
proceeded against and punished accordingly;
– Provided that nothing contained in this subsection shall render
any such person liable to punishment if he proves that the
contravention took place without his knowledge or that they
exercised all due diligence to prevent such contravention

43A - Compensation for failure to protect data
• Where a body corporate,
• possessing, dealing or handling any sensitive
personal data or information
• in a computer resource which it owns, controls or
operates,
• is negligent in implementing and maintaining
reasonable security practices and procedures
• and thereby causes wrongful loss or wrongful gain to
any person,
• such body corporate shall be liable to pay damages
by way of compensation to the person so affected

Sensitive personal data or information
• Sensitive personal data or information of a person means such
personal information which consists of information relating
to;—
– (i) password;
– (ii) financial information such as Bank account or credit card or debit
card or other payment instrument details ;
– (iii) physical, physiological and mental health condition;
– (iv) sexual orientation;
– (v) medical records and history;
– (vi) Biometric information;
– (vii) any detail relating to the above clauses as provided to body
corporate for providing service; and
– (viii) any of the information received under above clauses by body
corporate for processing, stored or processed under lawful contract or
otherwise

Need for policies
• Privacy policy
– Should be made available to the person from whom the
sensitive information is collected
– Clear and easily accessible statements of its practices and
policies;
– type of personal or sensitive personal data or information
collected
– purpose of collection and usage of such information
– disclosure of information including sensitive personal data
or information
– reasonable security practices and procedures

Reasonable Security Practices and Procedures
• A body corporate shall be considered to have
complied with reasonable security practices and
procedures, if ;
– they have implemented such security practices and
standards and
– have a comprehensive documented information security
programme and
– information security policies that contain managerial,
technical, operational and physical security control
measures that are commensurate with the information
assets being protected with the nature of business

Reasonable Security Practices and Procedures
• In the event of an information security breach,
– the body corporate shall be required to demonstrate, as
and when called upon to do so by the agency mandated
under the law,
– that they have implemented security control measures as
per their documented information security programme
and information security policies.
• The international Standard IS/ISO/IEC 27001 on "Information
Technology - Security Techniques - Information Security
Management System - Requirements" is one such standard
– That can be considered towards reasonable security practices

What should we do now?
• Perform an ITAA 2008 Risk Analysis with a focus on
– Compliance level of the company with the different
provisions of ITAA 2008
– Current gaps in the IT practices in relation with ITAA 2008
• Develop programs to ensure
– Implement “Reasonable security practices”
– Practice “Due Diligence”
– Management of Information Security

Next steps
• The first step to Information Security is direction
– Get your policies and procedures setup
• Next is awareness
– Get your team undergo security awareness about your
policies & allowed practices
• Top Management / Founders
– Invest in Secure products, security of your systems & data
– Build a top down approach on information security culture
– Assign compliance responsibilities
– Add ITAA2008 perspective to the IS Audits

Q&A

THANK YOU
Binoy Koonammavu
ValueMentor Consulting LLP
binoy@valuementor.com
+91-974-5767-944

India Start-ups IT Security & IT Act 2008

More Related Content

What's hot

Similar to India Start-ups IT Security & IT Act 2008

Recently uploaded

India Start-ups IT Security & IT Act 2008