Cyber Security Compliance and Regulation in India
With developments in internet technology, cyber security has today become a global concern for both individual persons and companies. International bodies such as ISO and NIST have come up with regulations and compliance requirements to guide both public and private sector organizations into a world of data safety.
India has the second-largest internet user base in the world. The right to data privacy is recognised as part of the right to privacy under the Indian constitution. Cyber security, data breaches and incident response all fall under the Information Technology Act (ITA) of 2000, which defines cyber security as “protecting information, equipment, devices, computer, computer resource, communication device and information stored therein from unauthorized access, use, disclosure, disruption, modification or destruction”.
The Indian Computer Emergency Response Team (CERT-In) was established under the ITA as the national coordinating agency on matters of cybersecurity, with the following functions:
- Coordination of responses to cyber security incidents.
- Publication of recommendations, advisories and white papers on IT security practices and procedures.
- Collection, analysis and dissemination of information on cyber incidents.
- Forecasting of and alerts on cyber threats.
- Emergency measures for handling cybersecurity incidents.
CERT-In operates a 24-hour helpdesk for reporting cybersecurity incidents. All organizations handling sensitive personal data (SPD) are required to report any security breach to CERT-In as soon as it occurs.
The National Critical Information Infrastructure Protection Centre (NCIIPC) was set up to protect all critical information infrastructure.
There are sector-specific regulations and compliance requirements in India:
- Banking sector – the Reserve Bank of India (RBI) has put in place a Cyber Security and Information Technology Examination (CSITE) cell which monitors the implementation of cybersecurity frameworks by banks. It has recommended the implementation of industry standards such as PCI-DSS and PA-DSS, together with data encryption standards for payment processing, in order to prevent fraud. The RBI frequently audits banks’ security posture, compliance and preparedness against cyber threats, and non-compliant banks face heavy fines.
- Insurance sector – the insurance sector is regulated by the Insurance Regulatory and Development Authority (IRDA). It formulated the IRDA Cyber Security Policy, which requires insurance service providers to conduct an annual vulnerability assessment and penetration test to close any security gaps that might otherwise go unnoticed.
- Telecom sector – the Unified Access Service License (UASL) governs information security for telecom service providers and the third-party companies that work with them. The UASL requires telecom companies to conduct both external and internal audits of their networks at least once a year.
- Health sector – the Indian Medical Council Regulations (IMCR) 2002 require all medical service providers to protect the confidentiality of patient information. The Digital Information Security in Healthcare Act (DISHA) regulates how digital health information is managed. The Health Data Management Policy (HDM) was later introduced to ensure a consent-based data sharing environment.
- Securities – all market infrastructure institutions are required to set up a Cyber Security Operation Center (C-SOC), staffed by specialized security experts, to manage data security operations.