We are living in an age of technological revolution, and its impact on us is both positive and negative. For corporates, technology that is not managed well can have a disastrous impact across multiple facets: business operations and results, company management teams, individuals and third parties.
The Government of India recognizes this and has mandated Information Security practices by amending "The IT Act 2000" in 2008 to introduce a new section, 43A.
43A. Compensation for failure to protect data.
Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected.
Explanation. For the purposes of this section,
(i) "body corporate" means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities;
(ii) "reasonable security practices and procedures" means security practices and procedures designed to protect such information from unauthorized access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties or as may be specified in any law for the time being in force and in the absence of such agreement or any law, such reasonable security practices and procedures, as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit. [The IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011]
(iii) "Sensitive personal data or information" means such personal information as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit. [Ref.: Section 3 of the Rules mentioned in paragraph (ii) above.]
Further, to assess the adequacy of these reasonable security practices and procedures, an IT audit is required (as per CERT-In guidelines, which are mandated by the Ministry of Communication and IT). During the audit, the existing security policy and controls are reviewed for adequacy against standards such as ISO 27001 and COBIT.
Dr CBS Cyber Security Services LLP conducts IT Security Audit and Assurance engagements as per the requirements of CERT-In. We specialize in the various parameters of IT audits enumerated by CERT-In, including network mapping, vulnerability assessment and exploitation, penetration testing, review and assessment of security policies and controls against best practices, application security assessment, log review, incident response and forensic auditing, and malware/backdoor detection.