
WHAT IS INFORMATION SECURITY?

Information Security is a process that protects the information, intellectual property and resources generated or managed by an organisation. An Information Security Management System (ISMS) ensures stability and protection of information by preventing the occurrence and minimising the impact of security incidents.

WHAT IS ISO 27001?

ISO 27001:2013 is an international standard that specifies the requirements for an organisation's Information Security Management System. The primary aim of the Standard is to protect the information belonging to an organisation by establishing suitable procedures and implementing adequate security controls that preserve the confidentiality, integrity and availability of its information assets.

CURRENT LEGISLATIVE FRAMEWORK PERTAINING TO DATA PROTECTION:

Though provisions under the Information Technology Act, 2000 (“IT Act”) and the Indian Contract Act, 1872 touch upon the issue of data protection, India currently does not have any specific legislation that expressly governs data protection or privacy. The Information Technology Act, 2000 and the Rules framed thereunder provide for payment of compensation and/or imprisonment, as the case may be, for misuse or unlawful disclosure of personal data.

LIABILITY OF COMPANIES/ORGANISATIONS IN ENSURING DATA PROTECTION

Section 43A of the Information Technology Act, 2000 requires ‘body corporates’ to adhere to ‘Reasonable Security Practices & Procedures’ while handling sensitive personal data or information, so as to prevent wrongful loss or wrongful gain to any person. Non-compliance with this provision may render such body corporate liable to pay damages to the person affected by such negligence. The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 have accordingly been framed, under which adoption of the ISO 27001 Standard demonstrates compliance with the requirements under Section 43A of the IT Act.

WHAT IS SENSITIVE PERSONAL DATA & INFORMATION (SPDI)?

Under the IT Rules, 2011, SPDI includes:

  • password;
  • financial information such as bank account, credit card, debit card or other payment instrument details;
  • details pertaining to physical, physiological and mental health condition;
  • medical records and history;
  • biometric information.

WHAT ARE REASONABLE SECURITY PRACTICES & PROCEDURES:

A Body Corporate is considered to have adhered to reasonable security practices and procedures if it has implemented any of the following:

  • A comprehensive and documented Information Security Program/Policy
  • IS/ISO/IEC 27001
  • Annual independent audit of the Information System infrastructure

The IT Act and the Rules further impose the following obligations:

  • While collecting SPDI, an organisation is required to seek the express written consent of the provider of the information, specifying the purpose for which the SPDI may be used.
  • According to Section 85 of the IT Act, in the event of contravention of any provision of the IT Act by a Company, every person responsible for or in charge of the Company at the time of such contravention shall be considered liable, provided that if such person proves that the contravention took place without his knowledge or that he exercised all due diligence to avoid the same, he shall not be held liable under this Act.
  • According to the IT Rules, disclosure of SPDI to a third party requires the prior written approval of the provider of such information.
  • Before transferring sensitive/personal information to any third party, organisations must ensure that such party also implements the data security practices prescribed under the Rules.

SIGNIFICANCE OF INFORMATION SECURITY MANAGEMENT IN ORGANISATIONS:

The IT Act and its Rules being relatively new, data protection law in India is still in the process of being interpreted and implemented. In the absence of established jurisprudence on the subject, it is imperative for organisations across industrial verticals to tread carefully while monitoring and safeguarding confidential data. Every organisation, irrespective of its industry, must revisit its existing business processes to identify the various points at which data is received, stored or handled, so as to ensure appropriate information security and compliance as specified in the Rules. Designing and implementing suitable policies and procedures is necessary to enable the organisation to do so.

IMPORTANCE OF ISO 27001 FOR A LAW FIRM

Law firms receive confidential information from numerous clients on a day-to-day basis. As most matters are confidential in nature, both the law and today's clientele increasingly demand that the confidentiality of data remain uncompromised. Information today exists in both physical and electronic form. Though most of the information held by a law firm is exchanged electronically, that alone does not ensure the safety of all of its data. For instance, how do you protect the integrity of information contained in hard copy? Or how do you safeguard your data from unauthorised access at all times?

The ISO 27001 standard covers information in both physical and electronic form. Contrary to popular opinion, ISO 27001 does not cater only to IT-specific organisations. The data handled by all departments of an organisation (Legal, HR, Administration, Finance and, of course, IT) requires adequate security measures.

IMPLEMENTATION OF ISO 27001 BY ABHAY NEVAGI & ASSOCIATES:

Since the functioning of a law firm is primarily centred on data, we at Abhay Nevagi & Associates (ANA) place the utmost importance on the privacy of client data. Moreover, it is essential for us as an organisation to practise what we preach. With a massive amount of confidential client data coming into our offices and computer systems every day, in physical as well as electronic form, now seemed as good a time as any to acquire this international certification for information security, making ANA one of the few law firms in India to attain this certification.

Certification Process

Getting certified under ISO 27001 requires an organisation to undergo an extensive two-stage audit as well as regular recertification to ensure that the controls remain correctly implemented.

To acquire this certification, ANA underwent a thorough procedure:

  • Obtain Management Buy-in
  • Apply a Project Management Framework
  • Perform Gap Analysis
  • Define Scope
  • Publish an ISMS Policy
  • Perform Risk Assessment
  • Develop a Risk Treatment Plan
  • Publish a Statement of Applicability
  • Implement Controls and Procedures
  • Operate, Monitor and Measure the ISMS
  • Perform an Internal Audit
  • Certification
Implementation of Security Management Protocols included:

  • the use of SIEM (security information and event management) systems to track log data
  • installation of physical access controls around vulnerable appliances
  • the ongoing education and training of the team in the proper usage of network resources
  • the latest revisions of the standard stress organisational risk assessment and also include new guidelines for working in cloud-based environments

SIGNIFICANCE OF ISO CERTIFICATION FOR ABHAY NEVAGI AND ASSOCIATES:

This certification is a mark of ANA’s commitment towards adopting internationally accepted best practices aimed at improving its business performance and ensuring the utmost degree of data security and confidentiality for its clients. Not only has this facilitated our processes to be more streamlined but also validated our motto to provide quality services to our Clients, which is and will always be our core belief.