Chapter [7] Information Technology Regulatory Issues.


Transcript of Chapter [7] Information Technology Regulatory Issues.


Chapter [7]

Information Technology Regulatory Issues


History

• 1999 – The Information Technology Bill was prepared.
• May 2000 – The bill was passed by both houses of Parliament.
• August 2000 – It received the President's assent and came to be known as the “Information Technology Act, 2000”.
• December 2008 – The amended act was passed by Parliament and renamed the “Information Technology (Amendment) Act, 2008”.
• The act is based on the work of the United Nations Commission on International Trade Law (UNCITRAL), a body of the UN.


Objectives

• To grant legal recognition to transactions carried out by electronic means.
• To grant legal recognition to digital signatures for the authentication of information.
• To facilitate e-filing of documents with the Government.
• To facilitate e-storage of data by businesses.
• To facilitate and give legal recognition to electronic funds transfer (EFT).
• To give legal recognition to the keeping of books of accounts by bankers.
• To amend the IPC, the Indian Evidence Act, the Bankers' Books Evidence Act and the RBI Act.


ITAA 2008 composition

4 Schedules, 13 Chapters, 90 Sections and sub-sections


Chapter 1 : PRELIMINARY

Section 1 : Short title, Extent, Commencement and Application

Section 2 : Definitions


Section 2 : Definitions

(a) “Access” – with its grammatical variations and cognate expressions, means gaining entry into, instructing or communicating with the arithmetical, logical or memory function of a computer, computer system or computer network.

(b) “Addressee” – A person who is intended by the originator/sender to receive the electronic record.


(d) “Affixing electronic signature” – adopting any procedure, by a person, to authenticate an electronic record by means of an electronic signature.

(f) “Asymmetric crypto system” – a system of a key pair consisting of a private key for creating an electronic signature and a public key for verifying that electronic signature.

(i) “Computer” – any electronic, magnetic, optical or high-speed data processing device …… which performs arithmetical, logical or memory functions ….. by manipulation of electronic, magnetic or optical signals ….. and includes input, output, storage, processing and communication facilities ….. related to any computer, computer system or computer network.


(j) “Computer network” – means the interconnection of one or more computers, computer systems or communication devices through –

(i) the use of satellite, microwave, terrestrial line, wire, wireless or other communication media;
(ii) terminals or a complex consisting of two or more interconnected computers, whether or not the interconnection is continuously maintained.

(l) “Computer system” – means a device or collection of devices, including input/output support devices and excluding calculators which are not programmable and not capable of using external files, that is capable of performing logic, arithmetic, storage, retrieval, communication and other functions.


(na) “Cyber cafe” – means any facility from where access to the internet is offered by any person, in the ordinary course of business, to the general public.

(nb) “Cyber security” – means protecting information, equipment, devices, computers and computer resources from unauthorised access, use, disclosure, disruption, modification or destruction.

(w) “Intermediary” – means a person who, on behalf of another person, receives, stores or transmits an electronic message or provides any service with respect to that electronic record ….. and includes telecom service providers, network service providers (NSPs), internet service providers (ISPs), web-hosting service providers (WSPs), search engines, online payment sites, auction sites, marketplaces and cyber cafes.


(x) “Key pair” – means a private key and its mathematically related public key, which are so related that the public key can verify a digital signature created by the private key.

(za) “Originator” – means a person who sends, generates, stores or transmits any electronic record, or causes any electronic record to be sent, generated, stored or transmitted to any other person; it does not include an intermediary.


(ze) “Secure system” – means computer hardware and software that –

(i) are reasonably secure from unauthorised access and misuse;
(ii) provide a reasonable level of reliability of operation;
(iii) are reasonably suited to perform the intended functions; and
(iv) adhere to generally accepted security procedures.

(zh) “Verify” – means to determine whether –

(i) the initial electronic record was affixed with the digital signature; and
(ii) the initial electronic record is retained intact or has been altered.


Chapter – II

Digital Signature and

Electronic signature

Covers Section 3 only


The digital signature is created in two steps –

Step 1 ~ The electronic record is converted into a message digest using a mathematical function known as a “hash function”. This digitally freezes the electronic record: any later change to the record changes its digest, thus ensuring the integrity of the electronic record.

Step 2 ~ The identity of the person affixing the DS is authenticated by signing the message digest with that person's private key. The signature can be verified by anybody who has the corresponding public key.


Section 3 : Authentication of Electronic Record

1. Subject to the provisions of this section, any subscriber may authenticate an electronic record by affixing his digital signature.

2. The authentication is effected by the use of an asymmetric crypto system and a hash function.

3. Any person, by the use of the public key of the subscriber, can verify the electronic record.

4. The private key and the public key are unique to the subscriber.


Section 3A : Electronic Signature

1. A subscriber may authenticate any electronic record by an electronic technique which –
– is considered reliable, and
– may be specified in the Second Schedule.

2. An electronic authentication technique shall be considered reliable if –
– the signature creation data are within the context in which they are issued;
– the signature creation data were, at the time of signing, under the control of the signatory;
– any alteration to the electronic signature after affixing it is detectable;
– any alteration to the information after affixing the signature is detectable; and
– it fulfils such other conditions as may be prescribed.


3. The Central Government may prescribe the procedure for ascertaining whether an electronic signature is that of the person by whom it purports to have been affixed.

4. The Central Government may, by notification, omit any electronic signature technique from the Second Schedule.

5. Every such notification shall be laid before each House of Parliament.


Chapter – III

Electronic Governance

Covers 7 Sections : from 4 to 10


Section 4 : Legal recognition of electronic records

Where any law requires that information be in typewritten or printed form, that requirement shall be deemed to be satisfied if the information is –
• made available in an electronic form, and
• accessible so as to be usable subsequently.


Section 5: Legal recognition of Electronic signature

Where any law requires that information should be authenticated by affixing signature of any person then such requirement shall be satisfied if it is authenticated by means of electronic signature.


Section 6 : Use of electronic records and electronic signatures in Government

1. Where any law provides for –
• the filing of any form, application or other document with any Government department, body, agency or office;
• the issue or grant of any licence, permit, sanction or approval; or
• the receipt or payment in Government offices,

then all these may be done through electronic means.

2. The appropriate Government may prescribe –
• the manner and format of the electronic record, and
• the manner and format of the payment.


Section 6A : Delivery of services by service providers

1. The appropriate Government may authorise any service provider to set up, maintain and upgrade computerised facilities –
• to provide the prescribed services to the public;
• to collect, retain and appropriate service charges from the persons availing the services; and
• to collect, retain and appropriate service charges for any services not covered by the Act.

2. The appropriate Government may specify the scale of service charges to be collected by the service provider.


Section 7 : Retention of electronic records

1. Where any law provides that a document, record or information shall be retained for a specified period, that requirement shall be deemed to be satisfied if it is retained in electronic form, provided the following conditions are met –
– the information therein remains accessible so as to be usable;
– the information is retained in the original format; and
– the information is retained with the details that facilitate identification of the origin, destination, date and time of dispatch and receipt.


2. However, this section does not apply to any information which is automatically generated in the process of enabling an electronic record to be dispatched or received.

3. This section does not supersede any law that expressly provides for the retention of documents in the form of electronic records.

Section 7 A: Audit of document in E-form

Where any law has the provision for audit of documents, that provision shall also be applicable for audit of documents maintained in electronic form.


Section 8 : Publication of rules, regulation etc. in Electronic Gazette

• Where any law requires the publication of any rule, regulation, order, by-law or notification in the Official Gazette, that requirement shall be deemed to be satisfied if it is published in electronic form.

• If the Official Gazette is published in both forms, the date of publication shall be the date of publication of whichever form of the Official Gazette was published first.


Section 9 : Electronic form not to be a right

The provisions of sections 6, 7 and 8 shall not confer any right to insist that a document be accepted, issued, created or retained in electronic form.


Section 10 : Power of Central Government to make rules

In respect of digital signatures, the Central Government may prescribe –
• the type of digital signature;
• the manner and format in which the DS shall be affixed;
• the procedure to identify the person affixing the DS;
• controls to ensure the integrity, security and confidentiality of electronic records; and
• any other matter necessary to give legal effect to digital signatures.

Section 10A : Validity of e-contracts

Where, in contract formation, the communication, acceptance or revocation of proposals is expressed in electronic form, such a contract shall not be deemed unenforceable solely on the ground that electronic form was used for that purpose.


Chapter – V

Secure Electronic Record and Secure Digital Signature

Covers 3 Sections : from 14 to 16


Section 11 : Attribution of Electronic record

Section 14 : Secure Electronic Record

When any security procedure has been applied to an electronic record at a point of time, it shall be deemed to be a secure electronic record from that point of time to the time of verification.

Section 15 : Secure Electronic Signature

An ES shall be deemed to be a secure ES if –
• the signature creation data, at the time of affixing the signature, was under the control of the signatory; and
• the signature creation data was stored and affixed in the prescribed manner.



Section 16 : Security procedures and practices

The Central Government may prescribe the security procedures and practices for secure electronic records and secure electronic signatures. In doing so, the CG may take into account the following factors –
– the nature of the transaction;
– the technological capacity of both parties;
– the availability and cost of alternative procedures; and
– the volume of similar transactions entered into by other parties.


Chapter – IX

PENALTIES AND

ADJUDICATION

Covers 5 Sections : from 43 to 47


Section 43 : Penalty and Compensation

If any person, without the permission of the owner or person in charge of a computer, commits any of the following acts, he shall be liable to pay damages by way of compensation to the person so affected –
• securing access to the computer;
• downloading any data, database or information from such computer or storage medium;
• introducing any computer contaminant or virus into the computer;
• damaging any computer, network, data, database or program;
• disrupting any computer, system or network;
• denying access to any person authorised to access any computer, system or network;


• providing assistance to any person to access any computer in contravention of the provisions of the Act;
• charging the services availed of by a person to the account of another person by tampering with any computer;
• destroying, deleting or altering any information, or diminishing its value; and
• stealing, concealing, destroying or altering any computer source code, or causing any person to do so.

Compensation for failure to protect data

Where a body corporate stores or processes any sensitive personal information in a computer which it owns, controls or operates, is negligent in implementing security, and thereby causes wrongful loss or gain to any person, such body corporate shall be liable to pay damages by way of compensation to the affected person.


Section 44 : Penalty for failure to furnish information

If any person who is required to –
• furnish any document, return or report to the Controller or a CA fails to furnish it, he shall be liable to a penalty not exceeding Rs. 1,50,000/- for each such failure;
• file any document, report, book etc. within the time specified fails to do so, he shall be liable to a penalty not exceeding Rs. 5,000/- per day for as long as the failure continues;
• maintain books of account or records fails to maintain them, he shall be liable to a penalty not exceeding Rs. 10,000/- per day for as long as the failure continues.


Section 45: Residual Penalty

Whoever contravenes any rule or regulation of the act for which no penalty has been separately provided, shall be liable to pay compensation not exceeding Rs. 25,000/- to the affected person.


Chapter – XI

OFFENCES

Covers 14 Sections : from 65 to 78


Section 65 : Tampering with computer source documents

Imprisonment up to 3 years OR fine up to 2 lakh OR both.

Section 66 : Computer related offences

If any person does any act referred to in section 43, imprisonment up to 2 years OR fine up to 5 lakh OR both.

Section 66A : Sending offensive messages

Any person who sends –
• any information of an offensive or menacing character;
• any information known to be false but sent for the purpose of causing insult, annoyance, enmity, ill will etc.;


• any e-mail for the purpose of causing annoyance, or to deceive or mislead etc.

Imprisonment up to 3 yrs AND fine.

Section 66B : Receiving stolen computer resources

Whoever dishonestly retains any stolen computer resource … imprisonment up to 3 yrs OR fine up to 1 lakh OR both.

Section 66C : Identity theft

Whoever fraudulently makes use of the electronic signature, password, UID etc. of another person … imprisonment up to 3 yrs AND fine up to 1 lakh.


Section 66D : Cheating by personation

Imprisonment up to 3 yrs AND fine up to 1 lakh.

Section 66E : Violation of privacy

Whoever knowingly captures, publishes or transmits images of the private area of any person without his or her consent … imprisonment up to 3 yrs OR fine up to 2 lakh OR both.

Section 66F : Cyber terrorism

Whoever, with the intent to threaten the integrity, security or sovereignty of India or to strike terror in the public, does so by –
• denying or causing the denial of access to any person authorised to access a computer resource;


• attempting to penetrate a computer resource without authorisation;
• introducing any computer contaminant, thereby causing death or injury to any person;
• damaging or destroying property, causing disruption of services essential to the life of the community; or
• adversely affecting Critical Information Infrastructure;

or whoever knowingly penetrates a computer resource or database that is restricted for reasons of the sovereignty and integrity of India, friendly relations with foreign states … … commits cyber terrorism.

• Punishment: imprisonment for LIFE.


Section 67 : Publishing obscene material in electronic form

• Whoever publishes or transmits in electronic form any material which is lascivious shall be punished –
• First conviction – 3 yrs AND 5 lakh
• Subsequent conviction – 5 yrs AND 10 lakh

Section 67A : Publishing sexually explicit material

• First conviction – 5 yrs AND 10 lakh
• Subsequent conviction – 7 yrs AND 10 lakh
• Exception – material published in the interest of science, literature, art or learning, or which is used for religious purposes.


Section 67B : Publishing material depicting children in sexually explicit acts in electronic form

• First conviction – 5 yrs AND 10 lakh
• Subsequent conviction – 7 yrs AND 10 lakh
• Exception – material published in relation to science, literature, art or learning, or which is used for religious purposes.

Section 67C : Retention of information by intermediaries

• Intermediaries shall retain such information, for such duration and in such format, as prescribed by the CG.
• If they fail to do so – up to 3 yrs AND up to 2 lakh.


Section 68 : Power of Controller

• The Controller may direct a CA or its employees to take such measures, or cease carrying out such activities, as are necessary to ensure compliance with the provisions of the Act.
• If any person fails to comply – 2 yrs OR 1 lakh OR both.

Section 69 : Power to intercept, monitor or decrypt

Where the CG, an SG or any of their officers is of the opinion that it is necessary in the interest of the integrity, sovereignty or security of India, it may intercept, monitor or decrypt any information transmitted through any computer resource.

The procedure and safeguards for interception, monitoring and decryption shall be prescribed.


Any person in charge of the computer resource shall extend all facilities and technical assistance.

If they fail to do so – 7 yrs AND fine.

Section 69A : Power to block public access

Where the CG, an SG or any of their officers is of the opinion that it is necessary in the interest of the integrity, sovereignty or security of India, it may direct any agency to block public access to any information stored in any computer system.

• The procedure and safeguards for blocking shall be prescribed.


Any person in charge of the computer resource shall extend all facilities and technical assistance.

If they fail to do so – 7 yrs AND fine.

Section 69B : Power to authorise monitoring and collection of traffic data

• To enhance cyber security and to prevent intrusion or the spread of computer contaminants, the CG may authorise any agency of the Government to monitor and collect traffic data from any computer resource.
• The procedure and safeguards for such monitoring shall be prescribed.
• The person in charge shall provide technical assistance and extend all facilities.
• If they fail to comply with the direction – 3 yrs AND fine.


Section 70 : Protected System

The appropriate Government may, by notification in the Official Gazette, declare any computer resource which affects Critical Information Infrastructure (CII) to be a protected system.

CII means a computer resource the destruction of which may weaken national security, the economy, public health etc.

The appropriate Government may authorise persons to access a protected system.

Any other person who secures access, or attempts to secure access, to a protected system – 10 yrs AND fine.

The CG shall prescribe the information security practices and procedures for such protected systems.


Section 70A : National Nodal Agency

The CG may, by notification in the Official Gazette, designate any Government organisation as the national nodal agency in respect of CII. The agency shall be responsible for all measures, including R&D, relating to the protection of CII.

Section 70B : ICERT for incident response

• The CG may, by notification in the Official Gazette, appoint a Government agency to be called the Indian Computer Emergency Response Team (ICERT).
• ICERT is headed by a Director General and has such other officers and employees as may be prescribed.


• Functions of ICERT –
– collection, analysis and dissemination of information on cyber incidents;
– forecasts and alerts of cyber security incidents;
– emergency measures for handling cyber security incidents;
– coordination of cyber security incident response activities;
– issuing guidelines and advisories relating to information security practices and procedures, and to the prevention, reporting and response of cyber incidents; and
– such other functions relating to cyber security as may be prescribed.


• For carrying out its functions, the agency may call for information from, and give directions to, service providers, intermediaries, bodies corporate and any other person.
• If any such party fails to provide the information or to comply with the directions – up to 1 yr OR up to 1 lakh OR both.

Section 71 : Penalty for misrepresentation

Whoever makes any misrepresentation to, or conceals any fact from, the Controller or a CA in order to obtain a licence or DSC shall be punished – up to 2 yrs OR up to 1 lakh OR both.


Section 72 : Breach of confidentiality and privacy

• Any person who has secured access to an electronic record and, without the consent of the person concerned, discloses such information to any other person –
• up to 2 yrs OR up to 1 lakh OR both.

Section 72A : Breach of lawful contract

• Any person, including an intermediary, who under the terms of a contract has secured access to personal information of another person and, with the intent to cause wrongful loss or gain, without the consent of the person concerned, provides that information to any other person –
• up to 3 yrs OR 5 lakh OR both.


Section 73 : Publishing a false DSC

• A person who publishes a DSC with the knowledge that –
– the CA listed in the certificate has not issued it;
– the subscriber listed in the certificate has not accepted it; or
– the certificate has been suspended or revoked.
• Up to 2 yrs OR 1 lakh OR both.

Section 74 : Publication for fraudulent purpose

• Whoever knowingly creates, publishes or otherwise makes available an electronic signature certificate (ESC) for any fraudulent purpose –
• up to 2 yrs OR up to 1 lakh OR both.


Section 75 : Act to apply to offences committed outside India

• The Act applies to any offence where –
– the perpetrator is Indian, or
– the victim is Indian, or
– the server is Indian.

Section 76 : Confiscation

• Any computer, computer system, floppy, CD, tape or other accessory which has been or is being used in contravention of any provision of the Act shall be liable to confiscation.

• However, if the court is satisfied that the person in charge of such computer resources is not guilty, the court may, instead of ordering confiscation, make such other order against the person contravening the provisions of the Act as it may think fit.


Ensuring compliance with cyber laws

• Designate a Cyber Law Compliance Officer.
• Train employees regularly on cyber law compliance.
• Implement strict procedures in the HR policy for non-compliance.
• Implement the authentication procedures suggested in the law.
• Implement policies and procedures for data retention as prescribed.
• Initiate the safeguard requirements applicable under sections 43A, 69, 69A, 69B etc. of the cyber law.
• Implement applicable standards of data privacy on collection, retention, access, deletion etc.
• Implement a reporting mechanism for compliance.


Chapter – XII

INTERMEDIARIES NOT TO BE LIABLE IN

CERTAIN CASES

Covers only Section 79


Section 79 : Exemption from liability

An intermediary shall not be liable for any third-party communication if –
• its function is limited to providing access to a communication system;
• the intermediary does not –
– initiate the communication,
– select the receiver, or
– select or modify the information contained in the communication; and
• the intermediary observes due diligence and such guidelines as prescribed in discharging its duties.


An intermediary shall not be exempted from liability if –
• it conspired, aided or induced the unlawful act, whether by threats or otherwise; or
• upon receiving actual knowledge that information residing in a computer resource controlled by the intermediary is being used to commit an unlawful act, it fails to expeditiously remove or disable access to that material.


Chapter – XII-A

EXAMINER OF ELECTRONIC EVIDENCE

Covers section 79 A


Section 79 A: CG to notify Examiner of E. Evidence

The CG, for the purpose of providing expert opinion on evidence in electronic form before any court, may specify any department, agency, body of the Govt. as examiner of E. E.


Chapter – XIII

MISCELLANEOUS

Covers 11 sections : from 80 to 90


Section 80 : Power of police officer or other officer

• Any police officer not below the rank of Inspector, or any other officer of the Government, may enter any public place and search and arrest any person who is reasonably suspected of having committed a contravention under this Act.

• Where any person is arrested by an officer other than a police officer, that officer shall immediately send the arrested person before a magistrate or the officer in charge of the police station.


Section 81 : Act not to have overriding effect

The provisions of this Act shall not have an inconsistent effect with any other law for the time being in force.

Section 81A : E-cheques and truncated cheques

• The Act shall apply to e-cheques and truncated cheques, subject to such modifications as may be necessary for carrying out the purposes of the Negotiable Instruments Act, made in consultation with the RBI.

• Every such notification shall be laid before each House of Parliament for a total period of 30 days, in one or more sessions.


Section 82 : Officers to be public servants

The Chairman, Members, Controller, AC/DC and other officers are deemed to be public servants within the meaning of section 21 of the IPC.

Section 83 : CG's power to give directions

The CG may give directions to any SG regarding the provisions of the Act.

Section 84 : Protection of action taken in good faith

No suit, prosecution or other legal proceeding shall lie against the CG, an SG, the Controller, an AC/DC or any other person acting on their behalf for anything done in good faith or in pursuance of this Act.


Section 84A : Mode or method of encryption

The CG may, for the promotion of e-commerce or e-governance, prescribe the modes or methods of encryption.

Section 84B : Punishment for abetment

Whoever abets any offence shall be punished with the punishment provided for that offence under the Act.

Section 84C : Punishment for attempt to commit an offence

Imprisonment for up to one half of the longest term provided for that offence, or such fine as is provided for the offence, or both.


Section 85 : Offences by companies

• Where the person committing a contravention is a company, every person who was in charge of, and responsible for, the conduct of its business shall be deemed guilty and liable to be punished.

• However, if he proves that the contravention took place without his knowledge and that he exercised all due diligence to prevent it, he shall not be liable for punishment.


Authorities for System Controls & Audit

• IRDA
• RBI
• SEBI


Requirements of IRDA

System Audit

1. All insurers shall have their systems audited at least once in three years by a CA firm.
2. The current internal or concurrent auditor is not eligible for appointment.
3. The CA firm must have a minimum of 3–4 years' experience of system audit of banks or insurance companies.

Preliminaries

1. Location(s) from where investment activity is conducted.
2. IT applications used to manage the Insurer's investment portfolio.
3. Obtain the system details, including: servers, databases, network connectivity, firewalls etc.
4. Are systems and applications centralised or decentralised?
5. Previous audit reports and details of unresolved issues.
6. Internal circulars and guidelines of the Insurer.
7. Standard Operating Procedures (SOPs).
8. List of new products/funds introduced during the audit period, along with IRDA approvals.
9. Fund-wise lists of all investments classified as per IRDA guidelines.
10. IRDA correspondence files, circulars and notifications issued by IRDA.
11. IT Security Policy.
12. Business Continuity Plans.
13. Network Security Reports pertaining to IT assets.


System Controls

• There should be electronic transfer of data.
• All systems should be seamlessly integrated.
• An audit trail is required at every data entry point.
• The auditor should comment on the audit trail maintained in the system.
• The auditor should review the front-office, mid-office and back-office systems (FOS, MOS and BOS) and confirm that the system maintains an audit trail.
• The auditor shall also ascertain that the system has separate logins for each user.


Requirements of RBI

System Controls

• The duties of the system programmer/designer should not be assigned to persons operating the system.
• Contingency plans should be introduced and tested periodically.
• The EDP auditor should put such contingency plans to the test.
• Appropriate controls should be in place to protect the system from attacks by malicious elements.

Page 74: Chapter [7] Information Technology Regulatory Issues.

There should be a formal method of incorporating changes in standard software, and it should be approved by senior management.

The Board of Directors and senior management are responsible for ensuring that the system of internal controls operates effectively.

There should also be an annual review of the IS Audit Policy or Charter to ensure its continued relevance and effectiveness.

Banks are required to conduct a quality test of the bank's IS Audit at least once every three years.

Page 75: Chapter [7] Information Technology Regulatory Issues.

System Audit

Banks require a separate IS Audit function within the Internal Audit department, reporting to the Chief Audit Executive (CAE).

The IS Audit should be independent of the auditee. The audit policy or engagement letter should address the independence and accountability of the audit function.

Auditors should be appropriately qualified; professional certifications such as CISA or DISA, along with two or more years of IS Audit experience, are desirable.

IT governance, critical IT controls, critical business applications, regulatory reporting and risk management need to be audited at least once a year.

Page 76: Chapter [7] Information Technology Regulatory Issues.

IS Audits should also cover branches.

IS Auditors should test the controls on newly developed systems before implementing them in the live environment. A PIR (post-implementation review) of application controls should be carried out, along with a detailed audit of the SDLC process and a review of data migration from legacy systems to the new system.

IS Auditors should validate IT risks before launching a product or service.

Page 77: Chapter [7] Information Technology Regulatory Issues.

Requirements of SEBI

System Audit

Stock exchanges shall conduct an annual system audit by a reputed independent auditor.

Comments shall be submitted to SEBI within 1 month of completion of the audit.

The auditors can perform a maximum of 3 successive audits.

The audit schedule shall be submitted to SEBI at least 2 months in advance.

Page 78: Chapter [7] Information Technology Regulatory Issues.

The scope of the Audit may be extended by SEBI.

The Audit report should have specific non-compliance issues as well as comments for improvement.

The Auditee management provides their comment about the Non-Conformities. For each NC, specific time-bound (within 3 months) corrective action must be taken and reported to SEBI.

Page 79: Chapter [7] Information Technology Regulatory Issues.

Requirements of SEBI

System Control

Along with the audit report, stock exchanges are advised to submit a declaration certifying the security and integrity of their IT systems.

A proper audit trail of uploads, modifications and downloads of KYC data is to be maintained.
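The IRDA system-controls slide asks the auditor to confirm that the system keeps an audit trail at every data entry point and has separate logins for each user, and the SEBI requirement above asks for an audit trail of uploads, modifications and downloads of KYC data. The following Python example is added here to show what such a trail can look like and what an auditor can verify in it; it is not code from the original deck or from any regulator. It goes beyond the slides in one respect: entries are hash-chained, so deletion or rewriting of an earlier entry is detectable, not merely logged. The AuditTrail class, the user logins and the KYC record ids are all constructed for illustration.

```python
import hashlib
import json
from dataclasses import dataclass

GENESIS = "0" * 64  # prev_hash of the first entry in a trail


@dataclass
class AuditEntry:
    seq: int          # 1-based position in the trail; a gap means an entry was removed
    ts: str           # timestamp supplied by the application (constructed ISO 8601 values below)
    user: str         # login of the person who acted (one login per user, never shared)
    action: str       # "upload", "modify" or "download" of the data record
    record_id: str    # the record touched, e.g. a KYC record (constructed ids below)
    prev_hash: str    # entry_hash of the previous entry, chaining the trail
    entry_hash: str   # SHA-256 over this entry's fields plus prev_hash


def entry_digest(seq, ts, user, action, record_id, prev_hash):
    """SHA-256 over the canonical JSON encoding of one entry's fields."""
    payload = json.dumps(
        {"seq": seq, "ts": ts, "user": user, "action": action,
         "record_id": record_id, "prev_hash": prev_hash},
        sort_keys=True, separators=(",", ":"),
    ).encode()
    return hashlib.sha256(payload).hexdigest()


class AuditTrail:
    """Append-only trail; every data entry point calls record()."""

    def __init__(self):
        self._entries = []

    def record(self, ts, user, action, record_id):
        # Refuse anonymous entries: the trail is only useful if it names the acting login.
        if not user:
            raise ValueError("audit entries must carry the login of the acting user")
        prev_hash = self._entries[-1].entry_hash if self._entries else GENESIS
        seq = len(self._entries) + 1
        digest = entry_digest(seq, ts, user, action, record_id, prev_hash)
        self._entries.append(AuditEntry(seq, ts, user, action, record_id, prev_hash, digest))
        return digest

    def entries(self):
        return list(self._entries)


def verify_trail(entries):
    """Auditor's check over an exported trail. Returns (ok, list of findings)."""
    findings = []
    prev_hash = GENESIS
    for position, e in enumerate(entries, start=1):
        if e.seq != position:
            findings.append(f"entry {position}: sequence number is {e.seq}, expected {position}")
        if not e.user:
            findings.append(f"entry {position}: no user login recorded")
        if e.prev_hash != prev_hash:
            findings.append(f"entry {position}: chain link does not match previous entry")
        expected = entry_digest(e.seq, e.ts, e.user, e.action, e.record_id, e.prev_hash)
        if expected != e.entry_hash:
            findings.append(f"entry {position}: contents do not match stored hash")
        prev_hash = e.entry_hash
    return (not findings, findings)


def demo():
    """Constructed activity on one KYC record, then one entry rewritten after the fact."""
    trail = AuditTrail()
    trail.record("2024-01-10T09:00:00Z", "ops_user1", "upload", "KYC-0001")
    trail.record("2024-01-10T09:05:00Z", "ops_user2", "modify", "KYC-0001")
    trail.record("2024-01-10T09:10:00Z", "ops_user1", "download", "KYC-0001")
    ok_before, _ = verify_trail(trail.entries())

    tampered = trail.entries()
    tampered[1].user = "ops_user1"   # someone rewrites who made the modification
    ok_after, findings = verify_trail(tampered)
    return ok_before, ok_after, findings
```

verify_trail() is the check an auditor would run over an exported trail: it confirms that every entry names a login, that the sequence has no gaps, and that each entry still hashes to the value stored when it was written. Rewriting a field in one entry (as demo() does), or deleting an entry from the middle, produces a finding; the trail as recorded verifies clean.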

Page 80: Chapter [7] Information Technology Regulatory Issues.

Cyber Forensic

‘Cyber Forensic’ is an investigation method for gathering digital evidence to be produced in a court of law.

As electronic evidence can be created through the use of technology, cyber forensics emphasizes the use of special methods to scrutinize electronic evidence when it is presented in a court of law.

Page 81: Chapter [7] Information Technology Regulatory Issues.

Security Standards

The ever-increasing information risk requires organizations to implement information security so as to:

• Maintain information risk at an acceptable level.

• Ensure that services and systems are continuously available to users.

• Comply with the relevant laws and regulations, contractual requirements and internal policies.

• Achieve all of the above while keeping the cost of IT services and technology low.

Page 82: Chapter [7] Information Technology Regulatory Issues.

Considering the importance of security, the Government of India recently published the National Cyber Security Policy - 2013.

Major objectives of this policy are:

• To create a secure cyber system in the country and generate adequate trust and confidence in IT systems.

• To create a framework for the design of security policies and for compliance with global standards and best practices.

• To strengthen the Regulatory framework.

• To enhance and create National level mechanisms for obtaining strategic information regarding threats to ICT infrastructure.

Page 83: Chapter [7] Information Technology Regulatory Issues.

• To enhance the protection and resilience of the Nation’s CII by operating a 24*7 National Critical Information Infrastructure Protection Center (NCIIPC).

• To develop suitable indigenous security technologies.

• To improve visibility of the integrity of ICT products & services.

• To create a workforce of 500,000 professionals skilled in cyber security in the next 5 years through capacity building.

• To enable effective prevention, investigation and prosecution of cybercrime and enhancement of law enforcement capabilities.

• To create a culture of cyber security and privacy.

• To develop effective public private partnerships for enhancing the security of cyberspace.

• To enhance global cooperation by promoting shared understanding.

Page 84: Chapter [7] Information Technology Regulatory Issues.

ISO 27001 : ISMS

• Published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), it is the standard for information security management.

• It provides a systematic approach to managing CIA (confidentiality, integrity and availability).

Phases

Page 85: Chapter [7] Information Technology Regulatory Issues.

PLAN phase

• Determining the scope of the ISMS

• Writing the security policy

• Identifying the risk assessment methodology

• Identifying assets, vulnerabilities and threats

• Evaluating the size of risk

• Determining risk acceptance criteria

• Identifying risk mitigation options

• Selecting controls

• Obtaining management approval for implementation

• Writing the statement of applicability

Page 86: Chapter [7] Information Technology Regulatory Issues.

DO phase

• Writing an implementation plan describing who, how, when, what etc.

• Implementing the plan

• Measuring the effectiveness of controls

• Carrying out awareness and training programmes

• Managing ISMS operation and resources

• Implementing procedures for detecting security incidents

Page 87: Chapter [7] Information Technology Regulatory Issues.

CHECK phase

• Implementing procedures for removing violations of the standard

• Measuring effectiveness of controls

• Reviewing the risk assessment periodically

• Periodic internal audit

• Updating the security plan

• Keeping records of incidents

• Reporting to management

Page 88: Chapter [7] Information Technology Regulatory Issues.

ACT phase

• Implementing improvements in ISMS procedures

• Communicating improvements to all

• Evaluating the improvements

Page 89: Chapter [7] Information Technology Regulatory Issues.

Benefits - ISO 27001

Page 90: Chapter [7] Information Technology Regulatory Issues.

Why – ISO 27001

1. It is suitable for protecting critical and sensitive information.

2. It provides a holistic approach to secure information and compliance.

3. It demonstrates credibility, satisfaction and confidence with stakeholders, partners, citizens and customers.

4. It demonstrates security status according to internationally accepted criteria.

5. It creates market differentiation due to prestige, image and goodwill.

6. Once a company is certified, the certification is accepted globally.

Page 91: Chapter [7] Information Technology Regulatory Issues.

IT Infrastructure Library (ITIL)

ITIL is a set of best practices for IT service management aligned with the needs of the business.

ITIL provides procedures, tasks and checklists of services to be used by organizations to establish a minimum level of competency in their IT infrastructure.

Its latest version, ITIL v3, includes 5 core publications that cover the IT service management life cycle: Service Strategy (SS), Service Design (SD), Service Transition (ST), Service Operation (SO) and Service Improvement (SI).

Page 92: Chapter [7] Information Technology Regulatory Issues.

[1] Service Strategy

SS volume provides guidelines on leveraging service management capabilities to deliver value to customers.

SS volume provides guidelines on the development and implementation of service management strategy, policies and processes.

SS volume includes development of the market, information assets, the service catalog, setting objectives, and the performance expected by users.

Page 93: Chapter [7] Information Technology Regulatory Issues.

[2] Service Design

SD volume provides guidelines on translating plans and strategies into designs and specifications for execution.

SD volume provides guidelines on combining infrastructure, applications, systems and processes with suppliers and partners to present the service offering.

SD volume is not limited to new services but also includes improvement of existing services to increase value to the customer.

Page 94: Chapter [7] Information Technology Regulatory Issues.

[3] Service Transition

ST volume provides guidelines for transitioning new and improved services into operations.

ST volume provides guidance on managing the complexity of changes and preventing undesired consequences while permitting innovation.

Page 95: Chapter [7] Information Technology Regulatory Issues.

[4] Service Operations

SO volume provides guidance on the management of services through their day-to-day operations. It also provides guidelines on support functions such as shared facilities, utility computing, web services and m-commerce.

SO volume presents best practice in service operation to achieve efficiency, effectiveness and stability in the delivery of services.

It gives managers the knowledge to manage the availability of services, control demand, optimize capacity utilization, schedule operations and fix problems.

Page 96: Chapter [7] Information Technology Regulatory Issues.

[5] Service Improvement

SI volume provides guidance on measuring service performance and suggesting improvement.

It combines principles, practices and methods for change management, quality management, capability improvement to achieve significant improvement in service.

Page 97: Chapter [7] Information Technology Regulatory Issues.

SA-402

• SA-402 is the revised version of AAS-24, which relates to the audit of an entity using a service organization.

• SA-402 also deals with:

  o understanding of services,
  o internal controls,
  o Type I and Type II reports,
  o frauds,
  o non-compliance with law,
  o responding to assessed risk of material misstatement.

Page 98: Chapter [7] Information Technology Regulatory Issues.

Service auditor’s report

S. No.  Report contents                                                       Type I     Type II
1.      Service auditor’s opinion about control structure                     Included   Included
2.      Service organization’s description of controls                        Included   Included
3.      Description of service auditor’s tests of effectiveness of controls   Optional   Included
4.      Other information provided by the service organization                Optional   Optional

Page 99: Chapter [7] Information Technology Regulatory Issues.

• Benefits to the service organization:

  • Multiple audits are not required.
  • Improvement in operations.
  • More business opportunity.

• Benefits to the user organization:

  • Accessibility to valuable control information of the service organization.
  • Easy outsourcing decisions.