Insecure information

Updated: Nov 30 2006, 05:30am hrs
Despite the hue and cry over incidents involving data theft at call centres, theres little to suggest that Indian companies have become more conscious of the security hazards. Not a single Indian company figures on the membership list of the Information Security Forum, an international not-for-profit organisation involved with the development of practical research in and best practices for information security. Indian companies have often been found wanting when it comes to creating an established environment that nurtures organisation-wide information security measures. They will have to move beyond just tactical information security policies and weave their overall, longer-term strategic business and organisational objectives around a robust information security environment. Information security has become vitally important now, especially with American and EU pressure stemming from the regulatory requirements of Sarbanes-Oxley, Gramm-Leach-Bliley and HIPAA. New regulations from the SEC and other agencies have created a need for several internal controls for application development, change control and maintenance. These controls have now been extended offshore and are already being monitored. In India, the stakes have never been higher, especially in the financial services and banking domain, the mobile telephony and Internet space, and even the by-now mature, but still booming, technology services industry itself.

The consensus has for long now been that the best safeguard may be to enact a law on data protection, like Britains Data Protection Act, 1998. There is no such law in India yet and, realistically speaking, even if the law did exist, enforcing standards in short order on mass volumes of new employees is going to be tough. The IT Act 2000 has provisions to protect data that comes from overseas, but to say that its comprehensive enough would be a fallacy. The amendments and security measures that were proposed this October, especially in the aftermath of a spurt in e-commerce frauds on auction sites, information leaks at call centres, phishing and other multimedia offences, are likely a step in the right direction and well-intentioned. But unless India provides enabling factors, including a nurturing information security environment, the growth momentum on its projected trajectory could well be tested.