Dr. Harold D’costa
Advisor, Law Enforcement Agencies, Cyber Crime
21st-century organizations are set up with the latest infrastructure and techniques to make life easy and safe for the organization as well as its vendors and customers. Sophisticated SCM and ERP systems are now coupled to the Cloud, giving the best response and efficiency. Organizations today are spending a fortune on infrastructure to ensure that they can attract customers and assure them that they are in safe hands.
For over a decade, I have been watching organizations scale up their infrastructure and make the necessary upgrades to their software so as to be called an ideal company. With the advancement of technology, organizations have scaled up, but they have failed to check whether their guidelines are set according to the laws of the land, or have simply made it easy for themselves by declaring that the guidelines are, indeed, in line with government standards.
I remember that in late 2009, a 12-billion dollar company in Pune became a scapegoat for not following compliance and had to face the wrath of the law. The organization, one of the premier companies in its sector, had the best of infrastructure but lacked compliance. Although it had a compliance framework in place, that framework followed US norms, which are neither permissible nor applicable in the Indian scenario. The organization had a security policy in place, but it was never followed. It had its network and systems audited from time to time, but never followed the procedures. It had a proper code of ethics and best business practices in place, but never implemented them. It had a robust system and Internet usage policy, but never understood what that policy meant when it came to following it. The net result was that the organization, after spending more than Rs.2 crore, never realized that one day the law would catch it on the wrong foot.
In all this mess, an employee took advantage of the situation and used the organization’s system to create a fake and obscene profile of a girl and post it on Facebook, not realizing that he could be caught. On a complaint by the girl’s father, the system from which the obscene profile had been created was tracked. The police, after an in-depth investigation, knocked on the organization’s door and named the organization, its Vice-President and its Managing Director as accused. The charge framed against them was that they had never had security and cyber policies according to the Indian guidelines. The systems had been checked for vulnerabilities, but never tested against mock cases. As a net result, the organization was chargesheeted. Eventually, the employee who had posted the fake profile was caught, but that did not mean the liability of the organization was relaxed or taken off. For leaving the system open for the commission of the crime, an offence was registered against the organization.
From October 27, 2009, a special provision has been in force in the IT Act which says that failure to protect data, failure to implement proper security practices and failure to prevent unauthorized access to data are offences; the organization will be considered a co-accused, and compensation of up to Rs.5 crore has to be paid to the affected victim.
Cybercrime has now taken on a different dimension, and most modern crimes are carried out over mobile and computer networks. So that the organization does not become a scapegoat, the following guidelines have to be followed on a war-footing basis:
• Get the network, servers and systems scanned and checked for vulnerabilities
• Fix the vulnerabilities and, before the network goes live, have a mock test done
• Audit the network on a periodic basis, ideally every 3 months
• Get a non-disclosure agreement signed with the employees
• Create awareness among the employees and explain the importance of security to them
• Have robust information and cybersecurity policy guidelines in place
• Get the network and systems audited only through CERT-empanelled organizations
• Maintain a log sheet of each and every transaction done through the network
• Have a Disaster Recovery policy in place. Maintain a hot site to ensure that data is not lost
• Have a contingency plan and risk assessment in place, in case there is a fatal attack on the network
• Follow the laws of the land
• Ask vendors whether the hardware and software they supply are compliant with the law of the land prevailing in the country
• Monitor the network traffic and have a proper IDS in place
• Before investing in firewalls and UTM, ensure that the threats are actually monitored and filtered by them
All said and done, there is a golden chance for every vendor today to provide an array of services. One of them is consultancy and guidelines on effective monitoring and prevention of malware entering the network. Every vendor also needs to understand the legal implications: if they can provide these additional services, there is no doubt that customers will rely on vendors who give them the additional support needed to stay out of the clutches of the law.
Finally, organizations may have the best hardware, software and technology in place, but without securing those systems they may attract criminal liability, loss of image and loss of customers, and getting the business back is a herculean task in today’s modern world.