India Start-ups: IT Security & IT Act 2008
TRANSCRIPT
Information Risks, Managed
The contents of this document are property and confidential to ValueMentor Consulting and shall not be disclosed in whole or part at any time, to any third party without the prior written consent of ValueMentor Consulting LLP. © ValueMentor Consulting LLP. All rights reserved. Copyright in the whole and any part of this document belongs to ValueMentor Consulting LLP. This work may not be sold, transferred, adapted, copied and / or reproduced in whole or in part, in any manner or form, on in any media, without the prior consent of ValueMentor Consulting LLP.
IT Security & IT Act 2008
Binoy Koonammavu Principal Consultant | CISSP, CISA, CISM, CRISC, SBCI, CCSK Email: [email protected] | Ph: +91-974 5767 944
© ValueMentor Consulting LLP Slide 2
Agenda
• Introduction
• Typical Start-up Scenario
• Tips for changing the security scenario
• Some clauses of the IT Act 2000 (IT AA 2008)
• Q & A
Shameless Advertising
• Binoy Koonammavu, that's me, works for ValueMentor Consulting LLP – a specialist information security company from Kochi
• 15 years in the field of IT, around 12 of them in protecting data and complying with regulations
• Previously held roles like
– Practice Director – Information Security at UST Global
– Manager – IT Security at Burgan Bank, Kuwait
• An honouree in the Sixth Annual Asia-Pacific Information Security Leadership Achievements (ISLA™) Program
• CISSP, CISM, CRISC, CISA, SBCI & CCSK, and has also held various vendor certifications
Typical Startup Scenario
Some Startups
• Happy developers working on the product
• Not worried about security standards or best practices
• Driven to deliver functionality
• Everybody loved the new product that fixed "that" gap
Challenges / Myths
• Secure software vs robust, usable & functional software
• Security is considered complex in the SDLC process
• Security is considered a non-functional requirement
• "Hackers are targeting businesses, not software"
• With Agile, development teams are required to develop functional systems in less time
• Development team awareness of security is low & the skills are rare
What is often forgotten?
• Data protection
• Regulatory requirements
– Specifically, non-financial regulations
• Data privacy
Data: let's think
• Data of your company
– Intellectual property
– Copyrights & trademarks
– Source code
• Data of your customers
– Personal data
– Sensitive / confidential data
What do you need to do?
Protect your data
Protect your customers
What happens when your staff move on?
• What happens to your
– Intellectual property
– Source code
• Get non-disclosure agreements signed
What if you are hacked?
Some more myths
• Security hinders usability
• Security is performance hungry
• Security is all about antivirus, firewalls, IPS etc.
• Security is all about encryption
• Security is for big companies
• It is easy to fix a vulnerability once identified
• Security is complex
Some tips – Data Security
There is no Silver Bullet
Design Software with Secure Features
The easiest way to break system security is often to circumvent it rather than defeat it
Know what you need to protect
1. Identify your critical assets – passwords, health information, bank account / card numbers
2. Assess the risk – assess the threats to those assets; determine the impact of loss / compromise of those assets
3. Define security requirements to prevent / delay the risks
4. Design solutions to meet your security requirements
Manage Risks
• Not every system / module requires the same level of security. Assess the risks.
Some design considerations
Adapted from Saltzer & Schroeder, "The Protection of Information in Computer Systems"
Develop Software with Secure Features
"Security is just another attribute of software like usability, performance, reliability & scalability"
"The idea of incorporating security into the SDLC begins with evaluating the relative importance of this attribute and then going on to incorporating controls in line with that."
– Tallah Mir, Sr. Program Manager, Microsoft
Develop Software with Security Features
• Convert the security design into secure code
– Secure coding practices: https://www.securecoding.cert.org/confluence/display/seccode/
• Perform security code reviews
– Manual
– Automated
• Perform security tests (vulnerability assessments & penetration testing)
– Black box
– White box
Top 10 Secure Coding Practices
1. Validate input
2. Heed compiler warnings
3. Architect and design for security policies
4. Keep it simple
5. Default deny
6. Adhere to the principle of least privilege
7. Sanitize data sent to other systems
8. Practice defense in depth
9. Use effective quality assurance techniques
10. Adopt a secure coding standard
Source: https://www.securecoding.cert.org/confluence/display/seccode/Top+10+Secure+Coding+Practices
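Practices 1, 5, 7 and 8 from the list above, applied to a single customer lookup. This is an added example written for this page, not code from the deck or from ValueMentor; the customer table, its rows, the id format "C" plus four digits and the request values are all constructed for the demo. The vulnerable lookup builds SQL by concatenation; the hardened one validates against an allowlist, rejects everything else, and binds the value as a query parameter so that a validation bypass still cannot inject.

```python
"""Added example (not from the ValueMentor deck): three of the CERT Top 10
practices applied to one lookup -- validate input, default deny, and sanitize
data sent to another system (here SQLite) -- with the vulnerable version
beside the hardened one. Table, rows and request values are constructed."""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data, standing in for an /account?id=... endpoint."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (id TEXT PRIMARY KEY, email TEXT, card_last4 TEXT)")
    conn.executemany(
        "INSERT INTO customer VALUES (?, ?, ?)",
        [("C1001", "alice@example.com", "4242"),
         ("C1002", "bob@example.com", "1111"),
         ("C1003", "carol@example.com", "9999")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, customer_id: str) -> list:
    """Untrusted input concatenated into SQL: the attacker, not the developer,
    decides where the query's string literal ends (SQL injection, CWE-89)."""
    sql = f"SELECT id, email, card_last4 FROM customer WHERE id = '{customer_id}'"
    return conn.execute(sql).fetchall()


# Allowlist: the only shape a customer id may ever have (assumed format).
CUSTOMER_ID = re.compile(r"C[0-9]{4}")


def query_parameterized(conn: sqlite3.Connection, customer_id: str) -> list:
    """Practice 7, sanitize data sent to other systems: a bound parameter is
    passed outside the SQL grammar, so quotes in it cannot change the query."""
    sql = "SELECT id, email, card_last4 FROM customer WHERE id = ?"
    return conn.execute(sql, (customer_id,)).fetchall()


def lookup_hardened(conn: sqlite3.Connection, customer_id: str) -> list:
    """Practices 1 and 5, validate input with an allowlist and default deny:
    anything that does not match is rejected outright, never 'cleaned up'.
    Practice 8, defense in depth: the query is parameterized as well, so a
    validation bypass still cannot inject."""
    if not isinstance(customer_id, str) or not CUSTOMER_ID.fullmatch(customer_id):
        raise ValueError("rejected: customer id does not match the allowed format")
    return query_parameterized(conn, customer_id)


def demo() -> dict:
    """Run both lookups with a legitimate id and a classic injection string."""
    conn = make_db()
    payload = "' OR '1'='1"
    result = {
        "vuln_normal": len(lookup_vulnerable(conn, "C1001")),           # 1 row
        "vuln_injected": len(lookup_vulnerable(conn, payload)),         # every row leaks: 3
        "hard_normal": len(lookup_hardened(conn, "C1001")),             # 1 row
        "param_only_injected": len(query_parameterized(conn, payload)),  # 0 rows
    }
    try:
        lookup_hardened(conn, payload)
        result["hard_injected"] = "accepted"
    except ValueError:
        result["hard_injected"] = "rejected"
    return result


if __name__ == "__main__":
    print(demo())
```

The point of keeping both controls is practice 8: the allowlist stops junk at the edge and gives a clean error to log, while the bound parameter protects the database even on a code path where someone forgets to validate.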
Deploy Software with Secure Features
• A secure application on an insecure host is still insecure
• Develop and implement security baselines for
– Operating systems
– Application servers
– Web servers
– Database servers
– Other computing devices
• Release management – how often you release code, and what process you will follow
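A baseline is only useful if you can check a host against it. The following is an added example written for this page, not ValueMentor's material: a small checker for one host component, the OpenSSH server configuration. The directive names are real sshd_config keywords, but the required values are this example's assumed policy rather than any published standard, and both configuration samples are constructed. It parses the file the way sshd does for top-level directives (first occurrence of a keyword wins, "#" lines are comments) and reports every deviation, treating a missing directive as a finding because the compiled-in default may not match the baseline.

```python
"""Added example (not from the deck): a minimal baseline check for an OpenSSH
server config, in the spirit of "security baselines for operating systems".
Baseline values and both config samples are constructed for the demo."""

# Assumed baseline: real sshd_config keywords, values chosen for this example.
SSHD_BASELINE = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "permitemptypasswords": "no",
    "x11forwarding": "no",
    "maxauthtries": "4",
}


def parse_sshd_config(text: str) -> dict:
    """Return {lowercased keyword: value} for top-level directives.
    sshd applies the first occurrence of a keyword, so later duplicates are
    ignored; blank lines and lines starting with '#' are comments.
    Limitation: conditional 'Match' blocks are not modelled."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        settings.setdefault(key, value)
    return settings


def check_baseline(text: str, baseline: dict = SSHD_BASELINE) -> list:
    """Return a list of (keyword, expected, actual) deviations; [] means compliant.
    A keyword absent from the file is reported with actual=None: default deny,
    an unstated setting is not assumed to be the safe one."""
    settings = parse_sshd_config(text)
    deviations = []
    for key, expected in baseline.items():
        actual = settings.get(key)
        if actual is None or actual.lower() != expected.lower():
            deviations.append((key, expected, actual))
    return deviations


# Constructed sample: a default-ish config a start-up might ship with.
WEAK_CONFIG = """\
# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
MaxAuthTries 6
"""

# Constructed sample: the same host after the baseline is applied.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
MaxAuthTries 4
"""


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = check_baseline(cfg)
        print(f"{name}: {'compliant' if not findings else findings}")
```

Run the same idea over each baseline you define (web server, database, application server) and wire it into release management, so a deviation blocks the deployment rather than waiting for the next audit.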
Defense in Depth
Management controls (across all layers): policies, procedures, awareness & agreements; risk assessment and treatment, process, NDAs, incident reporting, internal audits
Technical controls, by layer:
• Physical security – electronic access controls, access cards, manned reception, locks, security guards, fire alarms and suppression systems
• Perimeter – firewall, VPNs, NIPS
• Internal network – VLANs, NIPS, Internet proxy server
• Host – patch management, antivirus, authentication
• Application – application hardening, ACLs, secure applications
• Data – ACLs, encryption, backup
Some references
• OWASP Top 10 – https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
• SANS Top 25
– http://cwe.mitre.org/top25/
– http://www.sans.org/top25-software-errors/
BUILD A CULTURE OF SOFTWARE SECURITY
IT (amendment) Act 2008
Some sections of interest
Relevance of ITA 2008
• ITAA 2008 (Information Technology (Amendment) Act, 2008) focuses on covering the shortfalls of ITA 2000
• The IT Act 2000 was focused on e-commerce, digital transactions and their legal validity
• The IT Act 2008 focuses on information security and data privacy to a great extent
Direct responsibility
• Executives are directly responsible for cyber security
• The responsibility can be attributed to
– The Head of IT / IT Manager
– The CEO / Founders
– under the following conditions:
• No due diligence is practised when it comes to IT-related affairs
• The IT Act requirements were neglected
• A wilful act led to the cyber security incident
• Information security is no longer only a data-security matter; it is a matter of law in India
The importance of "Due Diligence"
• Section 85: Offences by Companies
– (1) Where a person committing a contravention of any of the provisions of this Act or of any rule, direction or order made there under is a Company, every person who, at the time the contravention was committed, was in charge of, and was responsible to, the company for the conduct of business of the company as well as the company, shall be guilty of the contravention and shall be liable to be proceeded against and punished accordingly:
– Provided that nothing contained in this sub-section shall render any such person liable to punishment if he proves that the contravention took place without his knowledge or that he exercised all due diligence to prevent such contravention.
Why "Due Diligence"
• In a typical cyber crime, investigators will search for the origin of the incident, mostly by tracing the IP address of the computer involved
– If the source of the cyber crime is an IP address controlled by your company, Sec 85 may become applicable to you
• How does your company become part of a cyber crime?
– Malicious staff members
– A hacked computer in your network that is used to perform a cyber crime against another company / computer
• In such cases, your company may become the primary accused
Why "Due Diligence"
• What happens in such a scenario? Let us review Sec 85 again
– Who is responsible? (Sub-section (1) of 85)
• Every person who, at the time the contravention was committed, was in charge of, and was responsible to, the company for the conduct of business of the company (Head of IT / CEO??)
• As well as the company
• Shall be guilty of the contravention and shall be liable to be proceeded against and punished accordingly;
– Provided that nothing contained in this sub-section shall render any such person liable to punishment if he proves that the contravention took place without his knowledge or that he exercised all due diligence to prevent such contravention
43A - Compensation for failure to protect data
• Where a body corporate,
• possessing, dealing or handling any sensitive personal data or information
• in a computer resource which it owns, controls or operates,
• is negligent in implementing and maintaining reasonable security practices and procedures
• and thereby causes wrongful loss or wrongful gain to any person,
• such body corporate shall be liable to pay damages by way of compensation to the person so affected
Sensitive personal data or information
• Sensitive personal data or information of a person means such personal information which consists of information relating to:
– (i) password;
– (ii) financial information such as bank account or credit card or debit card or other payment instrument details;
– (iii) physical, physiological and mental health condition;
– (iv) sexual orientation;
– (v) medical records and history;
– (vi) biometric information;
– (vii) any detail relating to the above clauses as provided to body corporate for providing service; and
– (viii) any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise
Need for policies
• Privacy policy
– Should be made available to the person from whom the sensitive information is collected
– Clear and easily accessible statements of its practices and policies:
– type of personal or sensitive personal data or information collected
– purpose of collection and usage of such information
– disclosure of information, including sensitive personal data or information
– reasonable security practices and procedures
Reasonable Security Practices and Procedures
• A body corporate shall be considered to have complied with reasonable security practices and procedures if
– they have implemented such security practices and standards, and
– have a comprehensive documented information security programme, and
– information security policies that contain managerial, technical, operational and physical security control measures that are commensurate with the information assets being protected with the nature of business
Reasonable Security Practices and Procedures
• In the event of an information security breach,
– the body corporate shall be required to demonstrate, as and when called upon to do so by the agency mandated under the law,
– that they have implemented security control measures as per their documented information security programme and information security policies.
• The international standard IS/ISO/IEC 27001, "Information Technology - Security Techniques - Information Security Management System - Requirements", is one such standard
– that can be considered towards reasonable security practices
What should we do now?
• Perform an ITAA 2008 risk analysis with a focus on
– the compliance level of the company with the different provisions of ITAA 2008
– current gaps in IT practices in relation to ITAA 2008
• Develop programs to
– implement "reasonable security practices"
– practise "due diligence"
– manage information security
Next steps
• The first step in information security is direction
– Get your policies and procedures set up
• Next is awareness
– Have your team undergo security awareness training on your policies & allowed practices
• Top management / founders
– Invest in secure products and in the security of your systems & data
– Build a top-down information security culture
– Assign compliance responsibilities
– Add the ITAA 2008 perspective to the IS audits
Q&A
THANK YOU
Binoy Koonammavu ValueMentor Consulting LLP [email protected] +91-974-5767-944