Inside

M me b eet rsar ho ippr iso C o I peC nSD Visit: http://www.dsci.in/taxonomypage/105

Designed by Swati Communications Tel: +91-11-41659877, +91-9213132174

2

10PUBLIC ADVOCACY

9OUTREACH PROGRAMS

5THOUGHT LEADERSHIP

8CAPACITY BUILDING

DSCI NEWS DSCI NEWS Q U A R T E R LY N E W S L E T T E R O F D ATA S E C U R I T Y C O U N C I L O F I N D I A

October - December 2011 Vol. 2 No. 4

Facebook: http://www.facebook.com/dsci.connect

Linkedin: http://www.linkedin.com/company/data-security-council-of-india

Twitter: http://twitter.com/dsci_connect

Our Vision

Our Mission

Our Objectives

Harness data protection as a lever for economic development of India through global integration of practices and standards conforming to various legal regimes.

To create trustworthiness of Indian companies as global sourcing service providers, and to assure clients worldwide that India is a secure destination for outsourcing where privacy and protection of customer data are enshrined in the global best practices followed by the industry.

n Public Advocacy on Data Protection and Cyber Security

n Capacity Building on Security and Privacy

n Thought Leadership through Best Practices

n Independent Oversight for Assurance & Dispute resolution through ADR towards Self-Regulation

n Cyber Crime Speedier Trialthrough training of Law Enforcement Agencies and Judiciary

Contact Us

DATA SECURITY COUNCIL OF INDIA Niryat Bhawan, 3rd Floor, Rao Tula Ram MargNew Delhi – 110057, IndiaPhone: +91-11-26155070, Fax: +91-11-26155071Email: info@dsci.in, Website: www.dsci.in

Editorial Board

Kartik KorpalAM – Marketing & Communications, DSCI

Rahul JainSenior Consultant, DSCI

DATA SECURITY COUNCIL OF INDIA A Initiative

2011

Delhi

2

The Ministry of Communicationsand Information Technologyhas formulated drafts of three

interdependent and synergistic poli-cies for IT, Telecom and Electronics -“Triad of Policies to Drive a NationalAgenda for ICTE”. Based upon thefeedback received from the industry,DSCI submitted following suggestionsto the Ministry with regard to thesepolicies.

The draft policies lay strong focuson indigenous developments ofproducts and services for meetinglocal market needs. However, thesuccess of ICTE depends on howthe products and servicesdeveloped are accepted in aglobalized environment. Thoughit is necessary to focus onindigenous development ofproducts and services, care shouldalso be taken for their

conformance to global quality andsecurity standards. Additionally,the success of any productdepends upon its capability tocapture market share. Hence, it issuggested that the policies shouldequally focus on the global marketrequirements, besides localrequirements.

Cloud computing has maturedfrom a buzzword to a dynamicinfrastructure used today byseveral organizations. This hashuge significance to the growthof Indian industry. So, it isimportant that the policiesprovide various imperatives (apartfrom the cost-effective servicedelivery) to enable India as aleader in providing cloudcomputing services.

Mobile and other hand-held

Public AdvocacyDSCI takes a proactive role for “policy enablement” that affects ICT -

Strong Engagement & Enactment through the Government.

DSCI submitssuggestions to DIT on draft

National Policies on IT,Telecom & Electronics, 2011

3

devices have revolutionized theway we communicate, transactand operate in a desk-lessenvironment. We have seentremendous growth of the MobileApplications and OperatingPlatforms providing value-addedservices to customers. The draftpolicy on Telecom has notprovided any roadmap for thegrowth of this sector. Nor does itsay how it can revolutionize theoverall ICTE adoption in thecountry. Security of such MobileApplications and Platforms isequally important, and the policymeasures should cover them.

Security is one of the importantdrivers for the overall growth ofICTE. Given that most of the criticalinfrastructure makes use of ICTE,cyber security has to depend onICTE. DSCI appreciates the focusof the Ministry on this area,however, it believes that followingaspects should also be considered:

- Special focus should be givenon R&D in security, consideringthe enormous growth ofadvance persistent threats thatmight target criticalinfrastructure. The focusshould not only ensure earlydetection of these threats butalso their proactive mitigation.

- Security should be consideredas a key component for designand deployment of standards,manufacturing of products,service delivery and for thegrowth of new channels such

as cloud and mobilecomputing.

- Government itself is a majorconsumer of ICTE which isevident from its recent policyinitiatives in e-governanceprojects, UIDAI, and otherprojects of nationalimportance. It is suggested thatthe Government should leadby example in ensuring thatthe security is considered inprocurement / RFP processes.

- Capacity building is animportant component toensure security of cyberspace.The policies may look toprovide directions on therequirement and mechanismfor building of adequatesecurity skill set in the country.

LEAs play a crucial role in nationalsecurity. The policies should alsoprovide direction for capacitybuilding for the LEAs to ensurethat privacy of data is notcompromised while providinglawful access to the investigationauthorities. There is a strong needfor development of encryptionand decryption capability for theLEAs and the necessary R&D forthe same.

In an open house discussion held re-cently on the draft Policy for IT, 2011,DSCI reiterated its suggestions men-tioned above. The open house wasjoined Mr. Shankar Aggarwal and Mr.N. Ravishankar, Additional Secretaries,DIT, besides many other senioroffcials.

DSCI team visitsBrussels to discuss DataProtection in EU & India

DSCI team, comprising of CEO, Dr.Kamlesh Bajaj and Sr. Consultant, Mr.Rahul Jain, visited Brussels in the firstweek of Dec’11 to discuss data pro-tection related developments in EU& India .

In a meeting with Mr. AlexanderAlvaro, Member of European Parlia-ment (MEP) - Committee on Civil Lib-erties, Justice and Home Affairs, Dr.Bajaj explained how DSCI was carry-ing out various activities to promotedata protection. He also explainedhow DSCI frameworks offered supe-rior alternative to ISO 27001 for meet-ing challenges of ever evolving cyberthreats. The two sides discussedemerging issues and developmentsin data protection with special refer-ence to global security standards, criti-cal infrastructure protection andCloud Computing.

In another meeting with Head of theEP Secretariat Delegation for Indiaand Advisor to MEP, Lena Kolarska-Bobinska, DSCI team requested thatthe Members of European Parliamentshould visit India to experience first-hand the progress made in data se-curity. Later, DSCI team met EuropeanData Protection Supervisor, Mr. PeterHustinx who shared his viewpoints onthe undergoing revision of EU DPD.

In the meeting with Directorate Gen-eral for Trade, European Commissionon trade negotiations, Mr IgnacioGarcia Bercero, DSCI team requested

4

that India should be declared as ‘ad-equate’ country for data protection.Dr. Bajaj explained how it could ben-efit businesses operating in both EUand India by allowing free flow of in-formation between the two regionswithout involving administrative bur-dens and costs. Mr. Bercero assuredto convey the views of DSCI in thisregard to the Commission’s Data Pro-tection Unit in DG Justice.

In the meeting with American Cham-ber of Commerce to the EU(Amcham), the two sides discussedthe need to establish EU-US-India dia-logue once the draft EU legislation(which is currently under revision)was officially published in late Janu-ary (2012). The two sides agreed towork together for harmonized and lib-eral regulation for data protection inEurope.

DSCI CEO addresses CyberSecurity Conference held inVietnam

In the Cyber Security Conference or-ganized by Council for Security Co-operation in the Asia Pacific (CSCAP)in November 2011 in Vietnam, DSCICEO made a presentation titled“Cyberspace – Global Commons ora National Asset.” In his presenta-tion, Dr. Kamlesh Bajaj traced the his-tory of global commons like air, wa-ter and sea for these to be of use tonations for the development and ben-efits.“ Governance of these commonshas taken a long time whilecyberspace is the latest among glo-bal commons which is entirely man-made and with the unique character-

istic that all that goes to make upcyberspace is privately owned by in-dividuals or organizations.” Said Dr.Bajaj.

DSCI has been nominated by the Min-istry of External Affairs to be a part ofthe Study Group of CSCAP to evalu-ate a need for joint efforts towardsincreasing cyber security in Asia Pa-cific countries and to prepare a memo-randum on cyber security for the re-gion. DSCI has contributed to the draftmemorandum for Asian Regional Fo-rum (ARF).

DSCI shares its views withDIT on Nationale-AuthenticationFramework

Department of Information Technol-ogy (DIT), Government of India hastaken up the initiative of formulatinga comprehensive framework on Elec-tronic Authentication to deliver gov-ernment services in a seamless andpaperless manner to the residents ofthe country through both internet andmobile platforms. In this regard, aDraft Consultation Paper on Nationale-Authentication Framework wasprepared by the National e-Gover-nance Division (NeGD) within DIT, forpublic consultation.

DSCI consolidated inputs from Secu-rity Vendor companies, its membersand shared its views on the Frame-work with the DIT. The highlights are:

Ensure that right Security Model isadoptedChoice of right strategic options

that could ensure security,manageability, scalability andaccountability is madeEnsure that e-Authentication ispart of overall design of end-to-end transaction security modelA comprehensive approach forfraud prevention needs to beadopted

DSCI attends final ProjectRISE conference

CEO, DSCI along with Sr. Consultant,attended the final RISE conference –‘Responsible Research and Innovationin Biometrics’ held on 1-2 Dec’11 inBrussels. This conference was aimedto pave the way for a future globalinitiative devoted to Responsible Re-search and Innovation in Biometrics.DSCI CEO made a presentation titled‘The Indian Unique Identificationproject: where we are, where we go’,highlighting the security and privacyrelated challenges faced by theproject.

For any Queries

relating Data

Security and

Privacy click

“Ask a Question”

on DSCI website

www.dsci.in

5

Thought LeadershipDSCI regularly undertakes study and surveys to develop reports on the various facets

of data security and privacy in India. These reports, jointly produced by

various corporate entities including major consulting firms amongst

others, highlight the current state and concern of

data security and privacy.

DSCI has recently joined hands withInternational Association ofOutsourcing Professionals (IAOP) asan Affiliate Association. The two sideswill work together to bring the latestinformation on data security, bestpractices, standards and thought lead-ership to outsourcing professionalsworldwide.

“Through strategic partnerships likeour latest one with DSCI, we continueto expand our network of global lead-ers in key areas that are important tooutsourcing,” said CEO, IAOP, DebiHamill. “We look forward to workingwith DSCI to continue to promote theimportance of data security in our(outsourcing) industry.”

“Data Protection continues to be akey enabler in outsourcing of IT ser-vices and business processes. WithDSCI focused on enhancing data pro-tection standards and practices andIAOP focused on promotingoutsourcing, there are obvious syn-ergies to collaborate. The DSCI-IAOPpartnership will help increase muchneeded awareness on data protectionamong the international outsourcing

community and address data protec-tion related concerns in outsourcing,”said Dr. Kamlesh Bajaj, CEO of DSCI.

IAOP, an organization engaged in set-ting up global standards inoutsourcing, has more than 110,000members and affiliates worldwide. Italso has affiliate relationships with TheBrazilian Association of InformationTechnology and CommunicationCompanies (Brasscom), ASTRA in Rus-sia, British Computer Society, Confed-eration of Indian Industries (CII) andother leading associations around theglobe.For more information, visit: http://www.iaop.org/Content/23/196/3309

DSCI join hands with IAOP topromote data protection among

outourcing professionals

DSCI joins Working Group 25of ISO/IEC JTC1 SC7

DSCI has formally joined the WorkingGroup 25 under the ISO/IEC JTC1 SC7,which is developing the proposed ISOStandard 30105 – a global standardwith an integrated approach tolifecycle processes for the ITeS-BPOsector. DSCI will contribute in devel-oping security related aspects of thisstandard.

6

National Task Force onCyber Security; Deputy NSAconsults CEO, DSCI

The government has constituted atask force to carry out a holistic re-view of national security and thecountry’s preparedness to face themyriad challenges. DSCI was invitedby National Task Force on Cyber Se-curity to give views on cyber securitycoordination and organization struc-ture in the country. CEO, DSCI wasalso consulted by the Dy NSA on or-ganizing cyber security, with an ap-propriate structure in the country.Such consultations will be on contin-ued basis.

DSCI signs MoU with AujasNetworks

DSCI is working towards establishingits Security Framework – DSF© - as aStandard for security practices in theorganizations, and is engaged withBureau of Indian Standards for recog-nizing it as a Standard. DSCI ispartnering with Systems Integrators,Consultants and Security VendorCompanies to help their clients adoptbest practices Frameworks for Secu-rity and Privacy. In this regard, DSCIrecently signed an MoU with AujasNetworks, which will help companiesimplement the DSF and DPF frame-works.

Speaking on the occasion, Mr. SrinivasRao, CEO Aujas said, “We are very ex-cited about our partnership with DSCI.We have been helping clients imple-ment Risk Management Frameworks

as part of our Risk Advisory practice.This partnership with DSCI adds a newdimension to our offerings and willadd considerable value to our clients.”

DSCI has also entered into an agree-ment with ACPL Systems Pvt. Ltd., fortraining its employees on DSCI Frame-works and work as a channel partnerfor Frameworks.

EastWest Institute partnerswith NASSCOM, DSCI forupcoming 3rd WorldwideCyber Security Summit

EastWest Institute has partnered withNASSCOM and DSCI for the 3rd World-wide Cyber Security Summit to takeplace in New Delhi on October 30-31, 2012. The launch of the Summitwas announced by Shri. Kapil Sibal,Hon’ble Minister of Communicationsand Information Technology, in a Spe-cial Industry Forum on “Cyber Secu-rity and Business: The Challenges andOpportunities”. A preliminary meet-ing with EWI officials was also held.DSCI will be a knowledge partner forthe Summit and will provide lead infollowing 2 tracks

Globally Distributed Processingand Data Storage BreakthroughGroup (Cloud Computing)

ICT Development Supply ChainIntegrity Breakthrough Group

The EastWest Institute’s WorldwideCyber Security Initiative (WCI) wasestablished in 2008 to bridgepolicymakers and law enforcement

officials from around the world withthe business and technical commu-nities to break the deadlock in inter-national cooperation in meetingcyber security challenges. CEO, DSCIis actively engaged with EWI’s CyberSecurity Initiatives.

CEO, DSCI authors article forFORCE magazine

CEO, DSCI was invited to share hisinsights on national cyber securityposture by FORCE – a leading nationalsecurity and defence magazine. Hiscontribution, in form of the articletitled ‘Virtual Force – Cyber spaceentails critical protection just likeland, air, sea and space’, was pub-lished by the Magazine in its October2011 issue. The article specifically fo-cuses on cyber security in Defenceforces.

For complete article, please visit: http://www.dsci.in/node/908

Following this, CEO, DSCI provided hisinputs on a cyber security report titled‘Virtual Attack, Real Threat,’ in the De-cember issue of the Magazine.

DIT Project on NextGeneration Firewall

As member of the Project Review andStudy Group for the project at TejpurUniversity, Mr. Vinayak Godse, Direc-tor – Data Protection, DSCI providedexpert guidance to the investigatorsfor incorporation in their develop-ment work.

7

DSCI Assessment Framework (DAF©) launched

Indian IT/BPO Service Providers are striving hard to ensure that security and privacy ofdata is well maintained. In this outsourcing ecosystem, many Clients have developed andapplied their own proprietary assessment frameworks for evaluating their Service Pro-viders. Service Providers, on the other hand, strain their resources to respond to diverseand varied client information requests. Such independent approach proves to be anineffective and costly affair, both for the Clients and the Service Providers.

Inconsistencies arising from the use of different assessment methodologies cause de-lays, resulting in inefficient use of time and resources. Unavailability of generally acceptedstandard for Service Provider assessments further aggravates the problem.

To overcome these issues and challenges, DSCI as an industry initiative seeks to establisha well-defined “Assessment Framework” in order to have a universal assessment approachthat can be used to assess different organizations in DSCI Assessment Framework – DAF.The guiding principle for developing DAF has been to add value to the organizationthrough the assessment by way of reviewing the strategy, processes, implementation,including technology solutions deployed – through rating arrived for each of the identi-fied criteria. The Framework emerged out of the findings from DSCI’s security surveys thatwere based on detailed questionnaires. DSCI also analyzed the responses of companiesto the elaborate questionnaires that were designed for the DSCI Excellence Awards. It wasinteresting to observe the emerging pattern, which provided clues to light-weight as-sessment. The assessment process would lend itself to self-assessment by organizations;with additional confirmation by a third party using a little more inputs. This can act as aquick guide to confirm the security posture.

The detailed assessment process has been developed for some of the areas that com-prise the DSF©. In this, DSCI benefited from consultations with industry – the companiesthat came forward to test the framework in the pilot projects; the consulting firms thathave partnered with it. The guiding principle has been to add value to the organizationthrough the assessment by way of reviewing the strategy, processes, implementationincluding technology solutions deployed – through rating arrived for each of the identi-fied criteria.

DSCI invites you to refer the DAF© at http://www.dsci.in/sites/default/files/DSCI%20Assessment%20Framework.pdf

As always, DSCI requests you to review it critically and give your constructive suggestionsto make it more useful to organizations.

8

Capacity BuildingDSCI has been actively involved in developing and imparting

training and capacity building for various government and

corporate entities.

Ministry of Home Affairs has decidedto launch a scheme to assist and helpthe State Governments in buildingadequate capacity and technical ex-pertise for handling the cyber-crimeby institutionalizing a pan India net-work of Cyber Crime Police Stations(CCPS) and Cyber Crime Investigationand Forensic Training Facilities(CCIFTF).

MHA, with the support of DSCI, con-ducted a workshop on 15th Novem-ber for all the stakeholders, includingall law enforcement agencies of Cen-tre and State / UT Governments sothat valuable inputs could be ob-tained before the scheme is finalizedfor launching at the national level.Close to 100 officials attended theworkshop.

MHA has also decided to create aNational Centre of Excellence (CoE)for Cyber Forensics to act as a Na-tional Resource Centre for providingadvance training, investigations sup-port, technical know-how and under-taking research and development in

MHA holds Workshopwith DSCI on Cyber CrimeInvestigation Programme

the area of Cyber-Crimes. Besides,MHA is mulling to launch a nationalcapacity building program to provideLEAs international exposure to newtechnology changes in cyber crimeinvestigating mechanisms.

Apart from this, MHA has suggestedDSCI to establish a core team of fo-rensic experts for providing regularsupport to CCIP.

DSCI publishes TrainingMaterial for Cyber CrimeInvestigators

DSCI has recently published TrainingMaterial for Cyber Crime Investiga-tors. The standardized content hasbeen developed for Level 1 Trainingof LEAs, to be used at DSCI CyberLabs.

Continuing its efforts towards build-ing technical infrastructure for cybercrime investigation, DSCI has com-pleted the up gradation of its PuneCyber Lab.

Personnel trained in 5 day course 1043Personnel trained in Short Term Course 820Guest lecturers 311LEA Support 41Industry Support 3

Cyber Lab Training Program Updatefor Oct.-Dec. 2011

Outreach ProgramsDSCI organizes various conferences and seminars and participates in

the events in India and abroad to draw focus on data security

and privacy concerns and DSCI’s approach towards

data protection.

NASSCOM-DSCIAnnual Information

Security Summit 2011

9

1010

11

CEO, DSCI presents talk on‘Security for the Cloud’ atCloudSEC 2011

CEO, DSCI was invited to present atalk on ‘Security for the Cloud’ at theCloudSEC 2011 Conference orga-nized by Trend Micro Systems. He dis-cussed the challenges faced by theIndian cloud service providers andusers of such services, based on a sur-vey carried out by DSCI. The specificissues raised by the Survey were pre-sented to the audience. These in-cluded the following:

For Service Providers- Meeting multiple regulatory

requirements due to multipleclients spread acrossdifferent geographies

- Meeting multiple contractualrequirements including auditrequirements of differentusers

- Huge initial capitalexpenditure/investment

For Cloud Users- Challenges in meeting

Compliance requirements- Legal and Contractual issues- Data segregation and

Protection

DSCI CEO addresses USIBCAnnual Legal ServicesConference

US India Business Council organizedits 3rd Annual Legal Services Confer-ence titled “Maximizing Value in theIndo-US Regulatory Thicket”. CEO,

DSCI was invited to be a panel mem-ber on discussion ”Data Privacyand Security: Rules of the Roadfor the Indo-U.S. Virtual High-way”. Dr. Bajaj provided his insightson how the IT (Amendment) Act,2008, Rules u/s 43A has establisheda sound legal framework for dataprotection in the country. He alsohighlighted that the concerns dueto varied interpretations of the Ruleswere also addressed by the activeengagement of NASSCOM and DSCIwith the government which were re-flected in the subsequent clarifica-tions issued by the government.

DSCI participates in CIIconference on CloudComputing in Chennai

CII organized a conference on‘Cloud Computing’ in Chennai re-cently. Director, DSCI, Mr. VinayakGodse was invited to participate inthe panel discussion on ‘Security andPrivacy Challenges in Cloud Com-puting’. Privacy issues with respectto Cloud were a key focus of inter-action. Director, DSCI presented acomprehensive perspective on se-curity and privacy from User Group,Solutions Providers and Governmentaspects.

DSCI-ACPL Roundtable on“Changing Security andPrivacy Landscape in theCountry”

DSCI has partnered with ACPL Sys-tems Pvt. Ltd. for taking forward the

implementation of Security and Pri-vacy Frameworks. To apprise the in-dustry of the features of Frameworksand also offer a platform for discus-sion, a roundtable on “Changing Se-curity and Privacy Landscape inthe Country” was organized atGurgaon (Haryana) which was at-tended by over 25 delegates frommiddle to senior management. Themeeting featured a presentation onDSCI Frameworks by Director, DSCI,Mr. Vinayak Godse. DSCI CEO, Dr.Kamlesh Bajaj spoke on the changingregulatory landscape for security andprivacy in the country, while CEO,ACPL pushed for the need to havepartnerships for improving securityand privacy culture.

CIO Gujarat organizes paneldiscussion on ‘IT Security’ atAhmedabad

CIO Gujarat organized a panel discus-sion on ‘IT Security’ at Ahmedabadon December 12, 2011. The eventwas supported by NASSCOM. Direc-tor-Data Protection, DSCI, Mr. VinayakGodse was invited to chair the ses-sion. The session primarily discussedon the security challenges emanat-ing from transforming IT infrastruc-ture, the increasing adoption of cloudcomputing and mobility. It also tookreview of issues related to cyber se-curity and their relevance to nationalsecurity. Representatives of RelianceTech services, Dhirubhai Ambani In-stitute of Information and Communi-cation Technology (DA-IICT), ElitecoreTechnologies, ISRO and (n) Code So-lutions participated in the discussion.

1212

SiliconIndia’s SECURITYConference 2011

Addressing Security Conference 2011organized by SiliconIndia, DSCI SeniorConsultant, Mr. Rahul Jain said anation’s cyberspace is part of the glo-bal cyberspace and cannot be iso-lated to define its boundaries unlikethe physical world which is limitedby geographical boundaries – land,sea, air and space –with Cyberspace

emerging as the fifth domain whichis ever expanding. “In today’s infor-mation age, Internet is the engine forglobal economic growth and thecyber security initiatives of any coun-try should not impede it, instead theseinitiatives should create enablers forgrowth of the Internet and other tech-nology innovations. Cyber Securitywarrants an information age responserequiring coordination among gov-ernments, ministries, departments,

private sector, LEAs, etc. through awell tested federated managementstructure.” He added.

British Telecom organizesSecurity Workshop

British Telecom organized a SecurityWorkshop for its suppliers. During theWorkshop, DSCI team apprised theparticipants of DSCI Frameworks –DSF© and DPF© - along with Assess-ment Framework – DAF©.