Information Security comprises a set of guidelines and standards that organizations must follow to ensure the confidentiality, integrity, and availability of their information systems. These guidelines are critical for protecting sensitive information, whether in electronic or physical form, such as personal data, financial records, and intellectual property, from unauthorized access, misuse, and destruction.
Confidentiality pertains to the safeguarding of sensitive information from unauthorized disclosure. It is imperative that organizations ensure that only authorized individuals have access to sensitive information and that it is not shared with anyone who lacks the necessary clearance or permission.
Integrity refers to the accuracy and completeness of information. Therefore, organizations must ensure that the information they store and process is accurate, complete, and up-to-date, as this is essential for maintaining the trust and confidence of customers, employees, and other stakeholders.
Availability refers to the ability of authorized individuals to access information as needed. Therefore, organizations must ensure that their information systems are reliable, scalable, and secure, and that only authorized individuals can access them in a timely and efficient manner.
In India, the Ministry of Electronics and Information Security, through regulatory bodies such as CERT-In, prescribes the standards for information security. The Ministry of Corporate Affairs, through the Securities and Exchange Board of India, also plays an active role in formulating guidelines for disclosure requirements, with information security being a crucial factor.
Information Security, as specified under the Code of Conduct, encompasses various aspects, including:
1) Access Control: Organizations must establish suitable access controls to prevent unauthorized access to their information systems. These controls should include authentication, authorization, and access management mechanisms like passwords, biometrics, and access tokens.
2) Risk Management: Organizations must conduct regular risk assessments to identify, evaluate, and prioritize the risks to their information systems. They must also develop and implement strategies to mitigate these risks, such as implementing security controls, employee training, and conducting regular audits.
3) Data Protection: Organizations must put in place appropriate measures to protect sensitive data, including personal data, financial records, and intellectual property, from unauthorized access, misuse, and destruction. These measures should include encryption, data backup and recovery, and data disposal mechanisms.
4) Incident Response: Organizations must have a well-defined incident response plan to deal with information security incidents like cyber-attacks, data breaches, and malware infections. This plan should include procedures for detecting, analyzing, and responding to incidents, as well as communication and reporting mechanisms.
5) Compliance: Organizations must comply with all relevant laws, regulations, and standards related to information security, such as SEBI's Business Responsibility and Sustainable Reporting, which mandate disclosure requirements regarding information security, and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. Recently, CERT-In, under the aegis of MeitY, published guidelines to assist organizations in maintaining the desired level of information security. Organizations must regularly review and update their information security policies and practices to ensure their effectiveness and alignment with the changing threat landscape.
6) Third Parties: The information security plan included in the Code of Conduct must also specify the procedures and checklists in place when conveying sensitive information to third parties in the course of business. For example, the policy should mandate that the third party undergoes the required levels of risk assessment and disclosure requirement checks.
Case Studies on Information Security
1) Target Security Breach: In 2013, retail giant Target experienced a major security breach that exposed the personal and financial information of millions of customers. The breach was caused by hackers who gained access to the company's payment system through a third-party vendor that provided heating, ventilation, and air conditioning services to Target stores. By stealing the login credentials of the vendor's employees, the hackers were able to enter Target's network and install malware that collected the personal and financial information of customers who used their credit or debit cards to make purchases at Target stores. This breach had severe consequences for Target, with millions of customers being affected and the company facing substantial financial and reputational damage.
2) Marriott Data Security Breach: The Marriott hotel chain made headlines in 2018 when it disclosed a major data breach that compromised the personal and financial information of millions of its guests. The breach was traced back to the reservation system of Starwood, which Marriott had acquired in 2016. The attackers had managed to gain access to the reservation system and siphon off sensitive data of guests who had made reservations at Starwood hotels, all without detection for over four years. The stolen information included names, addresses, phone numbers, email addresses, passport numbers, payment card information, and other data, putting the affected guests at risk of identity theft and fraud.
3) JusPay Security Breach- In May 2021, JusPay, an Indian payment gateway company, announced that a data breach had potentially exposed the personal and financial information of its customers. The company stated that an unauthorized individual gained access to its systems and obtained sensitive data, including names, email addresses, phone numbers, and bank account details. According to JusPay, the data breach occurred on August 9, 2020, but the company only became aware of the incident on May 4, 2021, when it noticed suspicious activity on its systems. After conducting a thorough investigation, the company discovered that an attacker had accessed its systems using stolen employee credentials.
These case studies underscore the significance of having a robust and comprehensive Code of Conduct in place to prevent such incidents and safeguard sensitive information. The Code of Conduct should be regularly reviewed and updated to ensure that it remains relevant and effective in the face of evolving threats and technologies.
In conclusion, the Information Security segment of the Code of Conduct is pivotal in ensuring the confidentiality, integrity, and availability of sensitive information in organizations. Implementing a strong Code of Conduct, along with effective security measures, is critical to protect against potential threats and cyber-attacks. Recent cases in India highlight the imperative for organizations to prioritize information security and implement effective measures to safeguard their valuable data.
Authors: Kevin Davis and Tushar Baid, Research Associates, Law, Rainmaker Contributions and Directions: Akanksha Arora, AVP-Legal, Rainmaker
Disclaimer : No information contained in this website may be reproduced, transmitted, or copied (other than for the purposes of fair dealing, as defined in the Copyright Act, 1957) without the express written permission of Rainmaker Online Training Solutions Pvt. Ltd.
