“Failure to meet rules and guidelines set by compliance standards could mean fines, penalties and loss of trust.” Andrew Hodes

IT departments are not only to be entangled by the security risks these days but also have to comply with the various industry and federal regulations to keep sensitive customer data safe and to uphold the trust levels of the potential customers. With the ongoing notion of BYOD

(Bring Your Own Device) it’s an up keeping task for the organizations to comply to the industry and federal regulation standards. Its very vital for the organizations to tap these potential compliance vulnerabilities to function and deliver in alignment to the industry and federal regulations. Some of the biggest hiccups to the organizations to keep complaint are

1. Employees: Employees play a vital role in compliance .Adherence to industry and federal standards are purely employee oriented and controls to tap this leakage is very essential for an organization. To overcome this threat, it’s important to educate all employees on different ways information can be acquired through very low-tech methods and give them tools they can use.
2. Cloud Service Providers.To ensure that sensitive data is being properly protected in the cloud, choose a trusted service provider. Cloud services present significant benefits in of cost savings, scalability, flexibility, however, to ensure that your or your customer’s data is properly protected and in compliance with all relevant regulations, the vendor/service provider should meet the underlying regulatory requirements, whether the cloud is engineered to be HIPAA-ready or to comply with PCI or FISMA standards.
3. To avoid the potential theft of data from mobile workers, provide travel laptops to employees and create specific information security policies to protect the network from cyber penetration.
4. Third-Party Apps (S hadow IT).The biggest compliance-related issue facing CIOs today is shadow IT, a threat caused by the use of unseen third-party solutions including devices and apps, the flow of data and information in an unregulated unchecked manner causes a potential compliance threat to the stakeholders.  Educate end users; give CIOs the controlled power to constantly assess services for suitability; and deploy modern enterprise cloud solutions to solve overall compliance problems.

ASHUTOSH JOSHI
MBA (IT) 4th SEM

Often laws are defined in a manner that it lay down all the substantive rights of the citizens. But it is due to lack of awareness of beneficiaries that most of the time they fail to respect and realize rights, demand justice, accountability and effective remedies at all levels. Recently, after hearing batch of public interest litigation on ambit, Honorable Supreme Court finally quashed down section 66(A) which allowed arrests for “inconvenient, abusive, and annoying messages on any online media, including ones involving freedom of expression”. The government also admit that section 66(A) of the Information and Technology Act had certain “aberrations amounting to abuse”. It means from now on section 66(A) atleast doesn’t have any legal standing.

Indians would have rejoice this decision, but wait how many of us know, that by striking down section 66(A), the Supreme Court of India paved the path for other challenges in cyber space for citizens’. Until the issue of further amendments in IT Act, every citizen must be aware about his/her privacy and cyber laws which will be helpful to exercise their rights. There are certain sections and articles which must be understood by every Indians in cyber space. These are discussed below:

1. Article 19 of the Constitution of India states:
2. Article 19(1)(a): grants every citizens with the right to freedom of speech and expression.
3. Article 19(2): states, that nothing in sub-clause (a) of clause (1) shall affect the operation of any existing law, or prevent the State from making any law, in so far as such law imposes reasonable restrictions on the exercise of the right conferred by the said sub-clause in the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order, decency or morality or in relation to contempt of court, defamation or incitement to an offence.

Thus there is distinct contradiction between section 66(A) and article 19(2) of the Indian Constitution, which provides government to issue another amendment to exercise powers under Article 19(2).

Section 69(A) ” Power to block any content ” of Information Technology Act states:

Section 69(A) allows the Indian government the power to block/censor any website or internet service, without giving the creator or provider of the content a chance to defend the material or even to get it unblocked. Within this, any information generated, transmitted, received, stored or hosted on any computer resource, if found offending or annoying can be blocked for access by the public.

Section 79 “Punishment for platforms like YouTube, ISP, etc.” of Information Technology Act states:

The “intermediary” such as ISP, YouTube, Twitter, Facebook, etc. can be punished if they does not actively censor material that the government or any person complains about, without giving intermediary any chance to defend the content. This section provides a dangerous tool to disrupt the business of an intermediary by flooding it with baseless complains and notices.

Section 84(B)”Punishment for abetment of offences” and Section 84(C) “Punishment for attempt to commit offences” of Information Technology Act states:

This gives the powers to police officers of the rank of an Inspector to arrest any person without a warrant in case of any instigation or attempt of committing any offense under IT Act. There is no defined objective guidelines, which could help police officer in arresting any person in a public place who is about to commit a cyber crime.

Section 118(D)”Punishment for causing annoyance by sending mails” of Kerala Police Act states:

Like section 66(A), it is illegal to cause annoyance to anyone in an “indecent manner” by sending messages or mails by any means. This was meant to be a safeguard against stalkers and spammers, but unfortunately becomes a way of suppressing certain kinds of speech as “online illegal speech” is not defined under this act.

Section 43(A) “Compensation for failure to protect data” and Section 72(A) “Punishment for disclosure of information in breach of lawful contract” of Information Technology Act states:

These sections provide the concept of data privacy and its protection. Section 43(A) helps in getting compensations from any corporate body for the negligence in implementing or maintaining reasonable security practices and procedures by complying with the best standards like ISO 27001, etc. for safeguarding the sensitive personal data or information (SPDI). Here SPDI includes:

1. Passwords
2. Financial information such as bank account or credit card or debit card or other payment instrument details
3. Biometric information
4. Deoxyribonucleic acid data
5. Sexual preferences and practices
6. Medical history and health
7. Political affiliation
8. Commission, or alleged commission, of any offence and
9. Ethnicity, religion, race or caste

Further section 72(A) also deals with personal sensitive information and provides punishment for disclosure of information without the information provider’s consent or in breach of lawful contract. Both of these sections are at a nascent stage which needs to be stringent.

Apart from urgent amendments in IT Act, a special attention must be paid to the data privacy rights in India which is an essential part of civil liberties protection in cyberspace. A right to privacy bill, 2014 is in draft phase, which will help individuals to protect against misuse of data by government or private agencies. Until then each one of us must be careful while accessing, downloading or uploading different contents and stuffs on internet.

Akansha Pandey
MS- Cyber Law Information Security
IIITA

A new trends has emerged on the lines of BOYD called “Bring Your Own Cloud” or BYOC, which allows workers to utilize public or private third-party cloud services to complete their job tasks.

What is “Bring Your Own Cloud”?

In BYOC, workgroups or individual employees of the organization uses low cost, fast and efficient public or private third-party cloud services to get the work done. An organization might encourage its employees to use public or third-party cloud services in order to reduce capital and operational costs related to IT. This is prevalent in large organization that can’t spare resources or people to keep with changes in IT.

What are the advantages of BYOC?

1. Less utilization of the organization’s resources.
2. Less expensive
3. Faster and efficient
4. Agile and easy access

What are the disadvantages of BYOC?

BYOC is also referred to as “shadow IT” due its pervasiveness. The implications of BYOC are as follows:

1) Lack or loss of overall control: The organization doesn’t know who’s using what, and so, it has no control on the data access, its management and resource planning.

2) Inconsistency of System: With disparate systems in use, inconsistencies creeps into the IT environment.

3) Increase Risk of Data loss: with the use of third-party cloud services there is always a threat of data loss.

4) Greater risk of errors: This is due to non IT-professionals managing the infrastructure.

What are the controls or best practices for BYOC?

To mitigate the possible risks, the following could be consider as best practices or controls to be incorporated in the organization’s IT process.

1) The employees should be encouraged to use a single cloud storage for any work related activity and no personal data should be stored in that particular storage.

2) Use version-control sign-out process to ensure that multiple copies don’t exist and there is a record of everyone who has a personal copy.

3) Programs like word processor, spreadsheet, presentation-programs etc. should be standardized on a file format which is widely supported, and employees should be encouraged to only use the prescribed format.

4) Detailed BYOD policies wrapped up with BYOC policies should be adopted by the organizations.

5) Collaboration should be supported by sharing access to an organization-controlled cloud storage service and apps having same source.

Conclusion:

For today’s organizations it is wiser to accept that employees will rely on the tools they know best, and to accommodate employee choices and apply governance practices that offer an adequate level of protection.

 RAHUL KUMAR
MBA (IT) 4^th SEM

Source: Deccan Chronicle and Intellectual Property & Information Technology Laws Division

Varun Kumar
IIIT Allahabad