Blackberry Encryption and Threat to National Security
Information Security – What India Needs
VOIP and Risk of Data Privacy and Protection
Issue of Data Protection & Privacy in India
However, this time I have come back to write on this issue again post my interaction that I recently had with one of the Honorable Central Minister, who happened to point me towards the Indian IT Act 2000 & Indian IT Act Amendment 2008. When I highlighted the gaps in the issue, he directed me to write to him in this respect and in turn he would take it up with the Respective Minister to look into the issue. I was a bit lazy and a bit too tide up with the office routine and the actionable took a back seat from my end.
But a recent incident where I was interacting with few Information Security Managers / Officers of various organizations, I was shocked to note the remarks “All Data and Information in organization is Secured and Privacy and Protection is of Prime importance for all the Data and Information.” What Shocked me there was the Statement “ALL DATA” I was forced to think –
- How would ALL DATA and Information” be subject to Privacy and Protection?
- Why would one try to protect Data and Information that is inconsequential?
- What cost was the CISO trying to look at when making an statement about ALL Data?
Interesting conversation, as the discussion proceeded further on Private / Personal Data v/s Publicly available Data and replies were like, “Need to protect all data at any cost”. I was curious, so I raised the question on Access Control with them as well as Laptop Encryption trying to get a pointer on their thinking. Replies were like, we have strong Authentication Mechanism where each user has to have minimum 8 characters complex password and needs to change it every 42 days. “Every 42 Days?? Ain’t that Windows Default Setting??” I was expecting may be Two Factor or One Time password types, but plain password control, now that was somewhat shocking….. And on Laptop encryption, the reply was more shocking – “All our Executives are made aware of the Data and Information Security policy and they have to sign NDA, so we don’t think we need to invest in that type of Control”. Wow, what confidence and what trust on the Mobile Work Force. Interesting Conversation!!!!.
The Discussion led further to the base on which the controls are deployed and the answer was another interesting answer – “We have strict access authorization policy to have access to Information that is classified as per the organization’s Information Classification policy.” Interesting, as there was no mentioning of Data Classification as when probed on that side, the answer was “We Protect Information, Data Classification is not as important as Information Classification”. I was like “EXCUSE ME!!!! Data when processed provides you relevant information to make right decisions or pointers to right decision”, but I maintained a tight lipped approach as I was trying to know the thought process that represents the Industry reaction…..
Though this was a closed group discussion, I was forced to think of the state of affairs that prevails in India with respect to Data Privacy and Protection. The Country needs it very Badly as the Mobile Phone User Community is fed up of Pesky Calls, for the Mobile Companies or their agents somewhere sell Data to get that extra money. reminds me of one such case, when recently my bank people called me up for upgrade to my Credit Card and I said ok, within few hrs I got a call from another MNC Bank whom I never interacted asking me if I have any interest in another Credit Card that would be Free for Life Time and it would also help me avail a Loan of another 2 million Rupees without much documentation. Shocking ain’t it as the executive calling me up knew my Name, the organization I work with and few of my other Demographic Details that certainly are Classified as “Private Data”.
So What am I highlighting and What should we be targeting? I know the base and cases I highlighted have become too long that you might be loosing interest, But I thought they were required. What India needs is a Strong Drive from the Information Governance perspective. It is required for the Industry and Government both to make a unified move to get the Data Privacy and Protection Framework in Place along with a National Data Privacy and Protection Policy. Just like the Mobile Phone “National Do Not Disturb Database” there should be a National level database to register / de-register for Opt-in or Opt out for various Promotional Mails and calls.
If Industry can make use of the CIBIL sort of facility to its benefit, then Why Not put something that protects the Interest of the Customers?? Government for that matter needs to take a Proactive step forward and initiate this with no further delay