IT, security and compliance officers discuss the issues relating companies these days and what steps organizations can take to reduce potential regulatory compliance risks and security threats.

“Failure to meet rules and guidelines set by compliance standards could mean fines, penalties and loss of trust.” Andrew Hodes

IT departments are not only to be entangled by the security risks these days but also have to comply with the various industry and federal regulations to keep sensitive customer data safe and to uphold the trust levels of the potential customers. With the ongoing notion of BYOD

(Bring Your Own Device) it’s an up keeping task for the organizations to comply to the industry and federal regulation standards. Its very vital for the organizations to tap these potential compliance vulnerabilities to function and deliver in alignment to the industry and federal regulations. Some of the biggest hiccups to the organizations to keep complaint are

1. Employees: Employees play a vital role in compliance .Adherence to industry and federal standards are purely employee oriented and controls to tap this leakage is very essential for an organization. To overcome this threat, it’s important to educate all employees on different ways information can be acquired through very low-tech methods and give them tools they can use.
2. Cloud Service Providers.To ensure that sensitive data is being properly protected in the cloud, choose a trusted service provider. Cloud services present significant benefits in of cost savings, scalability, flexibility, however, to ensure that your or your customer’s data is properly protected and in compliance with all relevant regulations, the vendor/service provider should meet the underlying regulatory requirements, whether the cloud is engineered to be HIPAA-ready or to comply with PCI or FISMA standards.
3. To avoid the potential theft of data from mobile workers, provide travel laptops to employees and create specific information security policies to protect the network from cyber penetration.
4. Third-Party Apps (S hadow IT).The biggest compliance-related issue facing CIOs today is shadow IT, a threat caused by the use of unseen third-party solutions including devices and apps, the flow of data and information in an unregulated unchecked manner causes a potential compliance threat to the stakeholders.  Educate end users; give CIOs the controlled power to constantly assess services for suitability; and deploy modern enterprise cloud solutions to solve overall compliance problems.

ASHUTOSH JOSHI
MBA (IT) 4th SEM

With the vast expansion of Internet services and their necessities in the digital world, awareness about Internet regulation is must. The great majority of Internet users are not aware that they access a regulated version of World Wide Web where doing something to anything may result to a very dangerous transgression for the future. A lot of discussion and debate has taken place about privacy and IT act, whether with regard to freedom of speech, citizens’ rights, state surveillance or the Internet licensing stand. However, the most critical aspect that gives way to all these discussions and debates is, what should the citizens’ in India must know about Internet laws? How Internet users can make themselves more secure and safe by ensuring better protection of personal data?

Often laws are defined in a manner that it lay down all the substantive rights of the citizens. But it is due to lack of awareness of beneficiaries that most of the time they fail to respect and realize rights, demand justice, accountability and effective remedies at all levels. Recently, after hearing batch of public interest litigation on ambit, Honorable Supreme Court finally quashed down section 66(A) which allowed arrests for “inconvenient, abusive, and annoying messages on any online media, including ones involving freedom of expression”. The government also admit that section 66(A) of the Information and Technology Act had certain “aberrations amounting to abuse”. It means from now on section 66(A) atleast doesn’t have any legal standing.

Indians would have rejoice this decision, but wait how many of us know, that by striking down section 66(A), the Supreme Court of India paved the path for other challenges in cyber space for citizens’. Until the issue of further amendments in IT Act, every citizen must be aware about his/her privacy and cyber laws which will be helpful to exercise their rights. There are certain sections and articles which must be understood by every Indians in cyber space. These are discussed below:

1. Article 19 of the Constitution of India states:
2. Article 19(1)(a): grants every citizens with the right to freedom of speech and expression.
3. Article 19(2): states, that nothing in sub-clause (a) of clause (1) shall affect the operation of any existing law, or prevent the State from making any law, in so far as such law imposes reasonable restrictions on the exercise of the right conferred by the said sub-clause in the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order, decency or morality or in relation to contempt of court, defamation or incitement to an offence.

Thus there is distinct contradiction between section 66(A) and article 19(2) of the Indian Constitution, which provides government to issue another amendment to exercise powers under Article 19(2).

Section 69(A) ” Power to block any content ” of Information Technology Act states:

Section 69(A) allows the Indian government the power to block/censor any website or internet service, without giving the creator or provider of the content a chance to defend the material or even to get it unblocked. Within this, any information generated, transmitted, received, stored or hosted on any computer resource, if found offending or annoying can be blocked for access by the public.

Section 79 “Punishment for platforms like YouTube, ISP, etc.” of Information Technology Act states:

The “intermediary” such as ISP, YouTube, Twitter, Facebook, etc. can be punished if they does not actively censor material that the government or any person complains about, without giving intermediary any chance to defend the content. This section provides a dangerous tool to disrupt the business of an intermediary by flooding it with baseless complains and notices.

Section 84(B)”Punishment for abetment of offences” and Section 84(C) “Punishment for attempt to commit offences” of Information Technology Act states:

This gives the powers to police officers of the rank of an Inspector to arrest any person without a warrant in case of any instigation or attempt of committing any offense under IT Act. There is no defined objective guidelines, which could help police officer in arresting any person in a public place who is about to commit a cyber crime.

Section 118(D)”Punishment for causing annoyance by sending mails” of Kerala Police Act states:

Like section 66(A), it is illegal to cause annoyance to anyone in an “indecent manner” by sending messages or mails by any means. This was meant to be a safeguard against stalkers and spammers, but unfortunately becomes a way of suppressing certain kinds of speech as “online illegal speech” is not defined under this act.

Section 43(A) “Compensation for failure to protect data” and Section 72(A) “Punishment for disclosure of information in breach of lawful contract” of Information Technology Act states:

These sections provide the concept of data privacy and its protection. Section 43(A) helps in getting compensations from any corporate body for the negligence in implementing or maintaining reasonable security practices and procedures by complying with the best standards like ISO 27001, etc. for safeguarding the sensitive personal data or information (SPDI). Here SPDI includes:

1. Passwords
2. Financial information such as bank account or credit card or debit card or other payment instrument details
3. Biometric information
4. Deoxyribonucleic acid data
5. Sexual preferences and practices
6. Medical history and health
7. Political affiliation
8. Commission, or alleged commission, of any offence and
9. Ethnicity, religion, race or caste

Further section 72(A) also deals with personal sensitive information and provides punishment for disclosure of information without the information provider’s consent or in breach of lawful contract. Both of these sections are at a nascent stage which needs to be stringent.

Apart from urgent amendments in IT Act, a special attention must be paid to the data privacy rights in India which is an essential part of civil liberties protection in cyberspace. A right to privacy bill, 2014 is in draft phase, which will help individuals to protect against misuse of data by government or private agencies. Until then each one of us must be careful while accessing, downloading or uploading different contents and stuffs on internet.

Akansha Pandey
MS- Cyber Law Information Security
IIITA

“Bring Your Own Device” (BYOD) has been popular for quite some time now. It is driven mainly by workers desire to use their own devices like phones, tablets, laptops etc. This practice has got its own benefits like flexibility, round the clock access to data, higher productivity and lesser dependency on central IT Hub. But, BOYD can easily cause disruptions to IT compliances and IT processes of an organization.

A new trends has emerged on the lines of BOYD called “Bring Your Own Cloud” or BYOC, which allows workers to utilize public or private third-party cloud services to complete their job tasks.

What is “Bring Your Own Cloud”?

In BYOC, workgroups or individual employees of the organization uses low cost, fast and efficient public or private third-party cloud services to get the work done. An organization might encourage its employees to use public or third-party cloud services in order to reduce capital and operational costs related to IT. This is prevalent in large organization that can’t spare resources or people to keep with changes in IT.

What are the advantages of BYOC?

1. Less utilization of the organization’s resources.
2. Less expensive
3. Faster and efficient
4. Agile and easy access

What are the disadvantages of BYOC?

BYOC is also referred to as “shadow IT” due its pervasiveness. The implications of BYOC are as follows:

1) Lack or loss of overall control: The organization doesn’t know who’s using what, and so, it has no control on the data access, its management and resource planning.

2) Inconsistency of System: With disparate systems in use, inconsistencies creeps into the IT environment.

3) Increase Risk of Data loss: with the use of third-party cloud services there is always a threat of data loss.

4) Greater risk of errors: This is due to non IT-professionals managing the infrastructure.

What are the controls or best practices for BYOC?

To mitigate the possible risks, the following could be consider as best practices or controls to be incorporated in the organization’s IT process.

1) The employees should be encouraged to use a single cloud storage for any work related activity and no personal data should be stored in that particular storage.

2) Use version-control sign-out process to ensure that multiple copies don’t exist and there is a record of everyone who has a personal copy.

3) Programs like word processor, spreadsheet, presentation-programs etc. should be standardized on a file format which is widely supported, and employees should be encouraged to only use the prescribed format.

4) Detailed BYOD policies wrapped up with BYOC policies should be adopted by the organizations.

5) Collaboration should be supported by sharing access to an organization-controlled cloud storage service and apps having same source.

Conclusion:

For today’s organizations it is wiser to accept that employees will rely on the tools they know best, and to accommodate employee choices and apply governance practices that offer an adequate level of protection.

 RAHUL KUMAR
MBA (IT) 4^th SEM

Smart phones have become a necessity of one’s life. Now a days more than a trend or symbol of aristocracy they have become a need. A customer wants a smart phone with a reasonable price and high end features. Most of the companies have emerged with brilliant marketing strategies but Chinese smartphones seems to be taking off in the Indian market because they are a great combination of off modern features and low price but then the question arises how does the Chinese smart phone companies like Xiaomi, Gionee and Oppo fare off so well in the Indian market even after having a security leakage issue. Although these companies seems to satisfy the customer in every aspect but they have a major security leakage issue.
According to report in a national daily Chinese smartphones are leaking some major information which are sent back to the the servers in China. The IAF has also alerted its people to avoid using these smartphones and an initial testing was also done by F-Secure on August 7, 2014 on a Redmi 1S, which had the issue of data automatically being transmitted while Xiaomi claims that their smartphones are safe and the Indian Air Force had issues a notice based on a two-month-old report by F-Secure.
Although after an update of the OS, they tested the handset again on August 14, to confirm that the issue is no longer present. The Note states that F-Secure, a security firm, carried out tests on the Redmi 1S, only to find that the phone was forwarding the carrier name, phone number, IMEI, address book records and SMS to the Chinese servers in Beijing. The report also mentioned about a user in Hong Kong, reporting that the Redmi Note automatically connected to a particular IP address hosted in China. The IP address belongs to the CNNIC, which is the administrative agency for Internet affairs operating under the Ministry of Information Industry of China.
Although there are laws against the leakage of privacy but the user must himself take care about the security of his data.
Some important sections have been substituted and inserted by the IT Amendment Act, 2008 in which Section 66E, Section 66B and Section 69B provide strict laws for information security.
However actions takes time to take place but the Chinese companies have firmly rooted in the Indian market and that is why they thriving it so well.
Although at user level there are lots of ways for to ensure the security of data. There are applications available for android and iOS to by the name OS monitor and viaProtect to provide the user information about the data being sent by different applications without his knowledge.
So, somehow we ourselves can put a step forward to avoid the insecurity of our data.

Source: Deccan Chronicle and Intellectual Property & Information Technology Laws Division

Varun Kumar
IIIT Allahabad