Please share your comments; critics make life meaningful!

Wednesday, July 27, 2011

Governance, Risk & Compliance - a clear picture from the Infosec perspective

Wikipedia defines GRC or Governance, Risk Management, and Compliance as the "umbrella term covering an organization's approach across these three areas. Being closely related concerns, governance, risk and compliance activities are increasingly being integrated and aligned to some extent in order to avoid conflicts, wasteful overlaps and gaps. While interpreted differently in various organizations, GRC typically encompasses activities such as corporate governance, enterprise risk management (ERM) and corporate compliance with applicable laws and regulations."

"Governance describes the overall management approach through which senior executives direct and control the entire organization, using a combination of management information and hierarchical management control structures. Governance activities ensure that critical management information reaching the executive team is sufficiently complete, accurate and timely to enable appropriate management decision making, and provide the control mechanisms to ensure that strategies, directions and instructions from management are carried out systematically and effectively.

Risk management is the set of processes through which management identifies, analyses, and where necessary responds appropriately to risks that might adversely affect realization of the organization's business objectives. The response to risks typically depends on their perceived gravity, and involves controlling, avoiding, accepting or transferring them to a third party. Whereas organizations routinely manage a wide range of risks (e.g. technological risks, commercial/financial risks, information security risks etc.), external legal and regulatory compliance risks are arguably the key issue in GRC.

Compliance means conforming with stated requirements. At an organizational level, it is achieved through management processes which identify the applicable requirements (defined for example in laws, regulations, contracts, strategies and policies), assess the state of compliance, assess the risks and potential costs of non-compliance against the projected expenses to achieve compliance, and hence prioritize, fund and initiate any corrective actions deemed necessary.

Widespread interest in GRC was sparked by the US Sarbanes-Oxley Act and the need for US listed companies to design and implement suitable governance controls for SOX compliance, but the focus of GRC has since shifted towards adding business value through improving operational decision making and strategic planning. It therefore has relevance beyond the SOX world."

Now, we all know that there can be as many Governance frameworks as organisations - after all, it is a management-driven approach and it would be hard to replicate it between two companies. And there is a plethora of international standards pointing towards Governance frameworks, although these are finite in number. Risk Management frameworks are also plentiful, and within each of them one could adopt one or more of several methodologies for a specific organisation, or for a part of the organisation, be it a business process, an installation or any other logical entity of the organisation. Compliance is about adherence to controls, which are nothing but technology/process/people based procedures, and these can be configured in any number of ways.

Thus, in normal times GRC is a huge challenge in itself. To that we now add technology complexity, outsourcing and mobility, as well as increasing regulatory stipulations and privacy concerns. The stage is thus set for a highly dynamic and complex environment with huge liability in case of non-compliance, while there is little comfort from easy or even simple alternatives for compliance.
On top of this, those responsible for GRC, who are often CISOs or CIOs, present this domain to their audiences in a far from simple manner; thus GRC becomes to enterprises what IT is to business - simply too much jargon or machine language. It does not provide any comfort to management or stakeholders when such a contentious subject is presented to them in such a complex manner. It is not for management or business to find meaning in the jargon-laden mumbo-jumbo that CISOs/CIOs use to address their audiences. It is rather for the latter to understand business needs on GRC from a 360 degree perspective and meet them by employing the right Governance and Risk methods, deploying the right mix of people, process and technology controls to achieve the desired business objectives. Certain aspects to bear in mind are:
1. Garnering management participation through a steering committee.
2. Ensuring creation of an asset and functionality inventory.
3. Defining and documenting the organisation's risk appetite and conducting a risk assessment (RA).
4. Mitigating risks and complying with policies using the inventoried assets and functionalities.
5. Innovating business-sensitive resolutions for uncovered areas.
Two aspects for key consideration are experience and perception. GRC is almost synonymous with Security, and to make it an enabler, the audience must experience the "wow" from it and also perceive it positively. Security should not be seen or heard; it should be felt. And the approach should focus on the strategic triad of Business focus, Revenue sensitivity and Cost consciousness. Ultimately, Security should get ingrained in every Product, every Project and every Process.
This can make a CISO the Chief Innovation Specialist Officer, instead of the Chief In-house Sadist Officer.

Monday, July 11, 2011

Enterprise Protection, Assurance and Continuity (EPAC) - A Holistic and Risk Based Data Security, Privacy, Disaster Recovery Framework

Every enterprise has a plethora of these functions with overlapping domains and interdependent responsibilities. Governed by different (and sometimes non-complementary, though not necessarily conflicting) international standards, each of these functions provides adequate ammunition to its practising professionals to conceive, plan and implement independent frameworks in their respective areas. Many a time these different frameworks are not aligned with each other and, more importantly, not aligned to business strategy and operational realities.

As a result, most of these important support functions often do not reach a position of direct business relevance. Thus, they fail to get the mindshare of business leadership and consequently never reach strategic relevance. In effect they never reach their ultimate destination of business enablement and remain relegated to a compulsion mandated by regulatory compliance for the enterprise.

However, in the rapidly transforming business landscape of ICT-defined global markets, the reality is that these support functions, which comprise the entire risk universe of an enterprise, can contribute directly to the business objectives of most organisations, play the role of business differentiators and thus be of strategic relevance.

Thus, there is scope in many enterprises to re-examine the construct, structure, role and functioning of all these support functions with a view to working out a holistic, business-aligned and uniquely positioned Enterprise Protection, Assurance and Continuity (EPAC) framework which provides integrated and Risk Based Data Security, Privacy and Disaster Recovery assurance to the organisation. As a result of this exercise, besides business enablement, there is substantial scope for cost savings for enterprises in the form of eliminating the manning of overlapping domains, outsourcing of non-core functions (those not contributing to business enablement) and an overall reduction of headcount owing to integration.

Hence, it would be worthwhile to undertake an in-depth examination of the enterprise framework of support functions and provide a holistic picture to executive management comprising a current status snapshot, gap areas, scope of re-work towards an integrated and business-enabled function, and a suggested detailed implementation roadmap with milestones and deliverables. Also important would be handholding throughout the implementation and helping the enterprise reach business-specified integration targets, with periodic reporting through suitable metrics and dashboards.

Emergence of Information Security & the role of CISO

In the last decade or so, Information Security has emerged from within the IT function as an important element with business critical and even strategic ramifications. The emerging direct business relevance of IS has created a leadership role which has come to be known as the CISO. International standards, IT frameworks and several regulations have also sanctified the criticality of IS and thus made the role of CISO even more relevant and legitimate.


In India, IS compliance had been almost non-existent prior to the 1990s. With the opening of Indian markets and the development of intimate global market connections, IS first found its place in the BFSI sector and then in the IT/ITES sectors. Business and operational needs for security drove the next wave of IS-isation in India, which saw home-grown sectors like Telecom, Pharma, Manufacturing, Retail etc. create IS teams, primarily to protect IP and safeguard operations.

The current drive of IS is mostly powered by regulations/laws, as the Indian Govt is carving out several laws/regulations with IS intent and content in its march to join the big league of powerful nations. However, all along IS has not been treated as a core business need; rather as a reactive measure to meet business realities (such as IT/ITES companies providing assurance to their international customers), in response to high-impact incidents (loss of a business plan etc.) or to comply with a law/regulation. While IS think-tanks like ISACA and ISC2 forecast the emergence of IS as a strategic function and the move of the CISO into the Corporate Boardroom, the scene in India is a little different, with a lack of clear management understanding of the business value of IS and its strategic impact. There are also numerous other related/relevant functions (such as Risk Management, BCP, Privacy, Physical Security, Intellectual Property etc.), some with different international standards of their own, which are vying for management attention and organisational acceptance.

The contributing factors to this situation are:
1. Lack of a Security conscious and compliant culture in India.
2. Low levels of legal/regulatory enforcement.
3. Varying Security requirements and postures across different industry sectors.

In light of the above, it may be worthwhile to deliberate on the nuances of the CISO's role in an Indian enterprise and suggest measures to bring it on par with global standards and provide higher business value. It is also recommended to study industry/sector specific security requirements and suggest a sectoral security model as a best practice for adoption by Indian enterprises Pan-India.

Thursday, May 26, 2011

Idea of a Nation & its impact on its Armies

The Armies (by which I mean Army, Navy, AF, SF, Seals et al.) are mediocrely paid everywhere, just as any other govt dept, with perks differing from country to country based on the influence of the Armies in that specific country - from accommodation with piped gas etc. to management of PSUs (in Pakistan) to regularly manning public offices (in US/Europe). But there's a lot of difference in the role Armies play in different countries and I will try to group them into three categories:


1. Cat 1: Armies in many countries play a legitimate role in national security which is an oxymoron of sorts - you create/maintain big & potent armies so that you avoid wars, thus never having to use the Armies. Thus they generally get a bad deal due to nil or insignificant/marginal representation in polity. Owing to this, such armies remain in the fringes of governance and suffer from diminishing value in protocol & perks; offset to some extent only by the occasional war or other high profile internal development. India falls in this category, so do most defensive democracies.

2. Cat 2: In a handful of countries, their Armies, besides fulfilling their national security role, go beyond the oxymoronic context to use their defensive capabilities in an offensive manner (the best defense is offence, right!) and wage or participate in wars in other countries' backyards; thereby getting involved in polity and in effect getting a much better deal. America leads this bandwagon, which was till WW-II being led by the UK. And you can very well guess that most offensive democracies fall in this category.

3. Cat 3: Then there are a lot of non-democratic countries where Armies are the central player in polity and have the last or lasting say in most matters of national importance. Obviously, since they make the rules, these folks tend to make the rules quite favourable to themselves; thus they enjoy a pretty good deal in all aspects. They even get a chance to participate in the wars waged by the Cat 2 guys in other countries' (mostly Cat 1 or 3) backyards. And you guessed it right, our westerly neighbours belong here. And so does the other in the North/East.

But the issue is not which category a country's armies belong to. The bigger issue is how they landed there and what is in store for them in the future. And for each country this is intricately connected to the idea of that country. Thus, what matters more than Pakistan is the idea of it, and the idea of India is more important than India itself. Founded on the stark and unstable principles of monotheism, and carved out without natural defensibility, Pakistan needs its Armies to be involved in polity by design. And founded on the values of non-violent co-existence guided by the all-accepting Indian culture, there is almost no place for Armies in the Indian polity and civil supremacy rules. Going by how these prevalent ideas of Pakistan and India (and other countries in the world) are being shaped, it appears that the ideas of these categories of nation states are solidifying more and more; defensive democracies getting more defensive, offensive ones getting more offensive and non-democratic ones resorting to being more non-democratic.
Change, they say, is the new constant... but I would say, the more they change, the more they remain the same!

Monday, February 14, 2011

Mobile Malware: Is India Ready?

Q - Mobile Malware (MM) - How ready are Indian Enterprises to deal with them and why do you think so?


Ans - There is good awareness within the security community on delivery mechanisms of MM such as SMS, MMS, WAP push, GPRS, Mobile as Data Card etc. However, due to the large user base and in the absence of general user awareness on security, the instances of infections in India due to MM delivered on user handsets, and further communicated to user desktops/laptops and further to enterprise networks, is deemed to be very high.

However, enterprises do not perceive infections to be a major source of threat or a significant risk. This is because, on one hand, management understanding of the subject is feeble, and on the other hand, the security community does not distinguish between MM and other malware while trying to deal with them, primarily because they do not have the wherewithal to do so. For example, a notable telecom fraud called PRS Fraud (Premium Rate Service) saps established operators of substantial revenues, but operators have no inkling of what percentage of PRS frauds are caused by MM.

Moreover, there is no worthwhile research in industry or academia on MM or other related mobile security issues which could shed light on attacker patterns, preferred delivery channels, susceptible target groups, infection patterns and post-infection prognosis. The trend is likely to remain the same unless there is demonstrable RoI from investing in such security research and deploying such security platforms.

Friday, January 21, 2011

Comments on Security Clauses in IT Act Amendments 2008

Q1. Prior to the amendments the IT act was perceived as a toothless tiger against the cyber criminals. Post amendments does the IT act give you a legal shield to battle the menace of cyber crimes?

A. It would not be correct to say that the IT Act was like a toothless tiger before the amendments. It was quite comprehensive even before the amendments. Every legislation has to evolve with time. The evolution process is faster in case of technology related legislations as technological advancements tend to be rapid.

The amendments have rationalized some sections and expanded the scope of the act. For example, earlier Section 66 was a section which could be invoked against any crime that "Diminished the value of information residing inside a computer resource". This section has now been clarified with 10 subsections through an integration with Section 43. Sec 66A and 66F are new provisions that add new crimes to the act.

The only point of discussion regarding the dilution or otherwise is that most of the offences are now considered "Bailable". This however may be considered as an attempt to prevent misuse of the act against innocent persons rather than being treated as an attempt to make it easy for offenders to get bail.

Certain provisions in the amended Act will certainly make the fight easier. Allowing an Inspector to investigate crimes under the IT Act instead of a Deputy Superintendent of Police is one of those. In that sense, the amended Act is an improvement upon the original Act.

The biggest change, however, is that ITA 2008 attempts to create a "Security Culture" in society with the creation of a "Security Management Infrastructure", by prescribing "Reasonable Security Practices" and expanding the concept of "Due Diligence" applicable to companies and Intermediaries, by assuming certain powers under Sections 69, 69A, 69B and 70B, as well as by imposing certain data retention obligations on companies. In the long run this would provide a better cyber crime prevention mechanism than the deterrent effect of punishments.

Q2. What are some concerns that have not been addressed by the recent amendments in the act?

Ans. The main cause of the lack of implementation of the regulations, or of faulty implementation of the law, is the lack of awareness about the law. The solution for a better regulatory regime lies in strengthening cyber law awareness amongst consumers. The law could have provided for incentivisation and obligations on creating a "Cyber Law Aware Cyber Society". In the future, too, "Lack of Awareness" will continue to reduce the effectiveness of the law.

Another deficiency which is apparent relates to data protection. Certain amended provisions do address data protection, but the treatment could have been more comprehensive, looking at the existing EU Directives on Data Protection. This would, however, be corrected with the 'Data Protection & Privacy' law which the government is currently contemplating.

Q3. What are some of the improvements that the amended act has brought about? Is there anything to thank for in the 2008 legislation?

Ans. Sections 43A, 72A and 67C are specific provisions that strengthen the Data Protection regime in India. This is a highly commendable aspect of the legislation.

Strengthening the organization of CERT-IN and enabling it to be a powerful regulator is another significant aspect.

One of the less recognized but more important changes is the revised structure of the Cyber Appellate Tribunal, which has increased the effectiveness of the supporting judicial system.

The increase in the amount of compensation that can be claimed through adjudication, from Rs 1 crore to Rs 5 crore, is another positive feature.

Introduction of the "Electronic Signature" has introduced new technical possibilities.

The amendments are an attempt to make the Act as technologically neutral as possible, which is a welcome step.

Also, there are new penal provisions addressing spam messages, trading in access codes and passwords, phishing attacks, identity thefts, unauthorized use of mobile phone cameras among others which have widened its scope.

The amended Act envisages appointment of experts for examining electronic evidence and delegates investigation to Inspectors.

All these are welcome improvements upon the earlier Act. Overall several good things have happened because of the amendments.

Q4. How closely should the IT and legal department work in order to build synergies? How can the IT- legal confluence help combat the scourge of cyber crime?

Ans. If the objective of law is to prevent occurrence of a crime, it has to address not only post offence punishment but also encourage proactive defense systems. Imposing legal obligations on information security practices is a step in this direction. This requires the IT and legal systems to work in close coordination.

Even at the post offence scenario, collection and presentation of evidence is an area where the IT and legal system should work in close coordination.

The amendments have attempted to bring such a synergy through the prescription of "Reasonable Securities" under Section 43A and due diligence under Sections 79 and 85.

To tackle cyber crimes, the need for the IT and legal departments to come together cannot be stressed enough. For any charge to be framed, evidence is important. In the case of cyber crimes, the IT department becomes responsible for collecting such evidence. Logically, no other department would have such technical proficiency.

The legal department will, thus, need the help of the IT department to legally assess a particular incident and take appropriate action.

Q5. The rate of reporting, prosecution and conviction in cases of cyber crime is abysmally low in India. In such a scenario, how much trust do you repose in the investigation mechanism of our law enforcement agencies?

Ans. If victims do not understand the remedies available under the law and do not seek those remedies, we cannot blame the investigating officers for not having prosecuted the offenders.

Everybody in the field including the Police, legal, judicial as well as the Information security community is in the learning phase and improvements can be expected over a period of time.

The enormous awareness of "Due Diligence" created by the recent verdict of the Adjudicator of Tamil Nadu against ICICI Bank in a Phishing Case, which has resulted in a spurt in reporting of Phishing losses, is an example of how better awareness leads to better implementation of laws.

As long as our criminal law functions upon the principle "let a thousand criminals go free but do not allow even one innocent man to go to jail", the rate of conviction will remain low.

Also, in many incidents the scene of crime would, due to ignorance, already have been disturbed before law enforcement agencies reach the scene.

This is especially true for corporate organizations, where they will typically try to retrieve and collect evidence before the law enforcement agencies enter the scene.

On many occasions, if the person collecting the evidence is not properly trained, such evidence is either lost or becomes inadmissible in a court. In such cases, conviction will naturally be difficult.

Capacity building to tackle such kind of criminal activity in a populous country such as ours will take time. We need to bear with them. With time things are sure to improve.