India Start-ups IT Security & IT Act 2008

Uploaded by valuementor-consulting, posted on 13-Apr-2017 (Category: Technology)

TRANSCRIPT

Page 1: India Start-ups IT Security & IT Act 2008

Information Risks, Managed

The contents of this document are property and confidential to ValueMentor Consulting and shall not be disclosed in whole or part at any time, to any third party without the prior written consent of ValueMentor Consulting LLP. © ValueMentor Consulting LLP. All rights reserved. Copyright in the whole and any part of this document belongs to ValueMentor Consulting LLP. This work may not be sold, transferred, adapted, copied and / or reproduced in whole or in part, in any manner or form, on in any media, without the prior consent of ValueMentor Consulting LLP.

IT Security & IT Act 2008

Binoy Koonammavu Principal Consultant | CISSP, CISA, CISM, CRISC, SBCI, CCSK Email: [email protected] | Ph: +91-974 5767 944

Slide 2

Agenda

• Introduction
• Typical Start-up Scenario
• Tips for changing the security scenario
• Some clauses of IT Act 2000 (IT AA 2008)
• Q & A

Slide 3

Shameless Advertising

• Binoy Koonammavu, that’s me, works for ValueMentor Consulting LLP, a specialist Information Security company from Kochi

• 15 years in the field of IT, with around 12 years of it spent protecting data and complying with regulations

• Previously held roles include:
– Practice Director, Information Security at UST Global
– Manager, IT Security at Burgan Bank, Kuwait

• An Honouree in the Sixth Annual Asia-Pacific Information Security Leadership Achievements (ISLA™) Program

• CISSP, CISM, CRISC, CISA, SBCI & CCSK, and also holds various vendor certifications

Slide 4

Typical Startup Scenario

Slide 5

Some Startups

• Happy developers working on the product
• Not worried about security standards or best practices
• Driven to deliver functionality
• Everybody loved the new product that fixed “that” gap

Slide 6

Slide 7

Challenges / Myths

• Secure software vs robust, usable & functional software
• Security is considered complex within the SDLC process
• Security is considered a non-functional requirement
• Hackers are targeting businesses, not software
• With Agile, development teams are required to deliver functional systems in less time
• Development team awareness of security is low, and the skills are rare

Slide 8

What is often forgotten?

• Data protection
• Regulatory requirements
– Specifically, non-financial regulations
• Data privacy

Slide 9

Data... Let’s think

• Data of your company
– Intellectual property
– Copyrights & trademarks
– Source code

• Data of your customers
– Personal data
– Sensitive / confidential data

Slide 10

What do you need to do?

• Protect your data
• Protect your customers

Slide 11

What happens when your staff move on?

Slide 12

What happens when your staff move on?

• What happens to your
– Intellectual property
– Source code

• Get Non-Disclosure Agreements signed

Slide 13

What if you are hacked?

Slide 14

What if you are hacked?

Slide 15

Slide 16

Slide 17

Some more myths

• Security hinders usability
• Security is performance hungry
• Security is all about antivirus, firewalls, IPS etc.
• Security is all about encryption
• Security is for big companies
• It is easy to fix a vulnerability once identified
• Security is complex

Slide 18

Some tips – Data Security

Slide 19

There is no Silver Bullet

Slide 20

Slide 21

Slide 22

Design Software with Secure Features

Slide 23

The easiest way to break system security is often to circumvent it rather than defeat it

Slide 24

Know what you need to protect

• Identify your critical assets
– Passwords
– Health information
– Bank account / card numbers

• Assess the risk
– Assess threats to those assets
– Determine the impact of loss / compromise of those assets

• Define security requirements to prevent / delay the risks

• Design solutions to meet your security requirements

Slide 25

Manage Risks

• Not every system / module requires the same level of security. Assess the risks and size the controls accordingly.

Slide 26

Some design considerations

Adapted from Saltzer & Schroeder, “The Protection of Information in Computer Systems”

Slide 27

Develop Software with Secure Features

“Security is just another attribute of software like usability, performance, reliability & scalability.”

“The idea of incorporating security into the SDLC begins with evaluating the relative importance of this attribute and then going on to incorporating controls in line with that.”

Tallah Mir, Sr. Program Manager, Microsoft

Slide 28

Develop Software with Security Features

• Convert the security design into secure code
– Secure coding practices: https://www.securecoding.cert.org/confluence/display/seccode/

• Perform security code reviews
– Manual
– Automated

• Perform security tests (Vulnerability Assessments & Penetration Testing)
– Blackbox
– Whitebox

Slide 29

Top 10 Secure Coding Practices

1. Validate input
2. Heed compiler warnings
3. Architect and design for security policies
4. Keep it simple
5. Default deny
6. Adhere to the principle of least privilege
7. Sanitize data sent to other systems
8. Practice defense in depth
9. Use effective quality assurance techniques
10. Adopt a secure coding standard

Source: https://www.securecoding.cert.org/confluence/display/seccode/Top+10+Secure+Coding+Practices
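The following is an added example, not code from the deck or from ValueMentor, showing how four of the practices above (validate input, default deny, least privilege, sanitize data sent to other systems) look in a small account-lookup function. The account-id format, the role table, the table schema and the sample rows are all constructed for illustration.

```python
"""Added example: CERT Top 10 practices 1, 5, 6 and 7 applied to a small
account-lookup service.  All names, formats and data are constructed."""
import html
import re
import sqlite3

# --- 1. Validate input: an allow-list of the exact shape we expect ----------
# Constructed format: two uppercase letters followed by six digits, e.g. IN123456.
ACCOUNT_ID_RE = re.compile(r"[A-Z]{2}\d{6}")


def validate_account_id(value: str) -> str:
    """Accept only a string that fully matches the expected format; reject all else."""
    if not isinstance(value, str) or ACCOUNT_ID_RE.fullmatch(value) is None:
        raise ValueError("invalid account id")
    return value


# --- 5. Default deny and 6. Least privilege ---------------------------------
# Explicit permission table (constructed roles).  Anything not listed here,
# including roles nobody defined, is denied.
PERMISSIONS = {
    "support": {"account:read"},
    "finance": {"account:read", "account:update_balance"},
}


def is_allowed(role: str, action: str) -> bool:
    """Unknown roles and unlisted actions fall through to False (default deny)."""
    return action in PERMISSIONS.get(role, set())


# --- 7. Sanitize data sent to other systems ----------------------------------
def open_demo_db() -> sqlite3.Connection:
    """In-memory table with constructed sample rows, so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (id TEXT PRIMARY KEY, owner TEXT, balance INTEGER)"
    )
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [("IN123456", "Asha", 1500), ("IN654321", "Ravi", 200)],
    )
    return conn


def lookup_balance(conn: sqlite3.Connection, role: str, account_id: str):
    """Authorise first, validate second, then hand the value to the database
    as a bound parameter rather than as part of the query text."""
    if not is_allowed(role, "account:read"):
        raise PermissionError("denied")
    account_id = validate_account_id(account_id)
    row = conn.execute(
        "SELECT balance FROM accounts WHERE id = ?", (account_id,)
    ).fetchone()
    return None if row is None else row[0]


def render_owner(owner: str) -> str:
    """The HTML renderer is another 'other system': escape before sending."""
    return html.escape(owner, quote=True)


if __name__ == "__main__":
    db = open_demo_db()
    print(lookup_balance(db, "support", "IN123456"))   # 1500
    print(render_owner("<b>Asha</b>"))                 # &lt;b&gt;Asha&lt;/b&gt;
```

The order inside `lookup_balance` is deliberate: the authorisation check runs before any input is parsed, so an unauthorised caller learns nothing about the validator, and the validator runs before the database call, so only values of the expected shape ever reach the query (and even those go in as bound parameters, not string fragments).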

Slide 30

Deploy Software with Secure Features

• Secure application, insecure host

• Develop and implement security baselines for
– Operating systems
– Application servers
– Web servers
– Database servers
– Other computing devices

• Release management: how often you release code, and what process you will follow

Slide 31

Defense in Depth

• Management controls
– Policies, procedures, awareness & agreements
– Risk assessment and treatment, policies, process, NDAs, incident reporting, internal audits

• Physical security
– Electronic access controls, access cards, manned reception, locks, security guards, fire alarms and suppression systems

• Technical controls
– Perimeter: firewall, VPNs, NIPS
– Internal network: VLANs, NIPS, Internet proxy server
– Host: patch management, antivirus, authentication
– Application: application hardening, ACLs, secure applications
– Data: ACLs, encryption, backup

Slide 32

Some references

• OWASP Top 10
– https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

• SANS Top 25
– http://cwe.mitre.org/top25/
– http://www.sans.org/top25-software-errors/

Slide 33

BUILD A CULTURE OF SOFTWARE SECURITY

Slide 34

IT (amendment) Act 2008

Some sections of interest

Slide 35

Relevance of ITA 2008

• ITAA 2008 (Information Technology (Amendment) Act, 2008) focuses on covering the shortfalls of ITA 2000

• IT Act 2000 was focused on e-commerce, digital transactions and their legal validity

• IT Act 2008 focuses on information security and data privacy to a great extent

Slide 36

Direct responsibility

• The executives are directly responsible for cyber security

• The responsibility can be attributed to
– The Head of IT / IT Manager
– The CEO / Founders

• Under the following conditions
– No due diligence is practiced when it comes to IT-related affairs
– The IT Act requirements are neglected
– A wilful act leads to a cyber security incident

• Information security is no longer just data security; it is a legal obligation in India.

Slide 37

The importance of “Due Diligence”

• Section 85: Offences by Companies

– (1) Where a person committing a contravention of any of the provisions of this Act or of any rule, direction or order made thereunder is a company, every person who, at the time the contravention was committed, was in charge of, and was responsible to, the company for the conduct of business of the company, as well as the company, shall be guilty of the contravention and shall be liable to be proceeded against and punished accordingly:

– Provided that nothing contained in this sub-section shall render any such person liable to punishment if he proves that the contravention took place without his knowledge or that he exercised all due diligence to prevent such contravention.

Slide 38

Why “Due Diligence”

• In a typical cyber crime, investigators will search for the origin of the incident, mostly by tracing the IP address of the computer involved
– If the source of the cyber crime is an IP address controlled by your company, Sec 85 may become applicable to you

• How does your company become part of a cyber crime?
– Malicious staff members
– A compromised computer in your network that is used to carry out a cyber crime against another company / computer

• In such cases, your company may become the primary accused

Slide 39

Why “Due Diligence”

• What happens in such a scenario? Let us review Sec 85 again
– Who is responsible? (Sub-section (1) of 85)

• Every person who, at the time the contravention was committed, was in charge of, and was responsible to, the company for the conduct of business of the company (Head of IT / CEO??)

• As well as the company

• Shall be guilty of the contravention and shall be liable to be proceeded against and punished accordingly;
– Provided that nothing contained in this sub-section shall render any such person liable to punishment if he proves that the contravention took place without his knowledge or that he exercised all due diligence to prevent such contravention

Slide 40

43A - Compensation for failure to protect data

• Where a body corporate,
• possessing, dealing or handling any sensitive personal data or information
• in a computer resource which it owns, controls or operates,
• is negligent in implementing and maintaining reasonable security practices and procedures
• and thereby causes wrongful loss or wrongful gain to any person,
• such body corporate shall be liable to pay damages by way of compensation to the person so affected

Slide 41

Sensitive personal data or information

• Sensitive personal data or information of a person means such personal information which consists of information relating to:
– (i) password;
– (ii) financial information such as bank account or credit card or debit card or other payment instrument details;
– (iii) physical, physiological and mental health condition;
– (iv) sexual orientation;
– (v) medical records and history;
– (vi) biometric information;
– (vii) any detail relating to the above clauses as provided to the body corporate for providing service; and
– (viii) any of the information received under the above clauses by the body corporate for processing, stored or processed under lawful contract or otherwise

Slide 42

Need for policies

• Privacy policy
– Should be made available to the person from whom the sensitive information is collected
– Clear and easily accessible statements of its practices and policies, covering:
– the type of personal or sensitive personal data or information collected
– the purpose of collection and usage of such information
– disclosure of information, including sensitive personal data or information
– reasonable security practices and procedures

Slide 43

Reasonable Security Practices and Procedures

• A body corporate shall be considered to have complied with reasonable security practices and procedures if:
– they have implemented such security practices and standards, and
– have a comprehensive documented information security programme, and
– information security policies that contain managerial, technical, operational and physical security control measures that are commensurate with the information assets being protected and with the nature of the business

Slide 44

Reasonable Security Practices and Procedures

• In the event of an information security breach,
– the body corporate shall be required to demonstrate, as and when called upon to do so by the agency mandated under the law,
– that they have implemented security control measures as per their documented information security programme and information security policies.

• The international standard IS/ISO/IEC 27001 on "Information Technology - Security Techniques - Information Security Management System - Requirements" is one such standard
– that can be considered towards reasonable security practices

Slide 45

What should we do now?

• Perform an ITAA 2008 risk analysis with a focus on
– The company’s level of compliance with the different provisions of ITAA 2008
– Current gaps in IT practices in relation to ITAA 2008

• Develop programs to ensure
– Implementation of “Reasonable security practices”
– Practice of “Due Diligence”
– Management of information security

Slide 46

Next steps

• The first step to information security is direction
– Get your policies and procedures set up

• Next is awareness
– Have your team undergo security awareness training on your policies & allowed practices

• Top management / founders
– Invest in secure products and in the security of your systems & data
– Build a top-down approach to an information security culture
– Assign compliance responsibilities
– Add the ITAA 2008 perspective to the IS audits

Slide 47

Q&A

Slide 48

THANK YOU

Binoy Koonammavu ValueMentor Consulting LLP [email protected] +91-974-5767-944