The
Information Technology Amendment Act 2008 (ITAA 2008), which came into effect in October 2009,
is a recent addition to the long list of compliances which Indian organizations need to adhere to.
Several sections within the Act are likely to create the need for a proper audit and compliance
regime. Let us find out how IT Amendment Act 2008 compliance and audit is slowly emerging as a new
compliance domain in the information security industry.
According to Na Vijayashankar (Naavi), an independent cyber law consultant and founder of Ujvala
Consultants, the IT Amendment Act 2008 is a comprehensive legislation
Requires Free Membership to View
which touches
several aspects of the business of any organization which uses computers, hence many sections of
the Act directly or indirectly affect the organization's compliance strategy. ITAA 2008 is more
focused on two important areas: data protection and information preservation."Sections 43A, 72A, 79 and 67C clearly spell out the roles and responsibilities of the service provider in protecting data and preserving information. Companies providing IT services to their employees also come under the definition of service provider, and need to comply with the provisions of the IT Amendment Act 2008, hence we see a clear opportunity for IT Act audit and compliance," says D P Dubey, executive director, Paladion, a leading managed security service provider.
Unlike self-imposed quality offshoots such as an ISO27001 audit, the IT Amendment Act 2008 is
statutory. According to Prashant Mali, the president of legal consulting firm Cyber Law Consulting,
this Act, for the first time in India, defines what cyber security is, and also provides rights to
the nodal agencies to demand information from corporates which are required to maintain this
security. Naavi believes that every company which is desirous of being on the right side of
corporate governance will need to conduct an IT Amendment Act 2008 audit to ensure that they have
taken all reasonable steps needed to meet its requirements.
"Non-compliance with directions under 70B (which includes a requirement to provide information
sought by the CERT-In ) can lead to imprisonment of one year, non-compliance with section 69B could
result in a seven-year imprisonment, while most other non-compliance issues may result in a
three-year imprisonment—besides the liability to pay damages. As a result, there is no alternative
for companies except to make themselves compliant with the IT Amendment Act 2008," cautions Naavi.
The top 3,000 Indian companies which are listed, and are bound by the Clause 49 declaration that
the 'company is complying with all regulatory provisions,' gives an idea of how an ITAA 2008
compliance audit can be the next big opportunity for information security and techno-legal
consultants.
Several IT security consultancy and techno-legal firms have started propagating IT Amendment Act
2008 audit and certification as a new offering in their compliance basket. Ujvala Consultants,
Paladion, Mahindra Special Service Group and Prominds Consulting are some of the companies which
can offer an ITAA 2008 compliance audit.
Dubey explains that Paladion's offering will be an IT Act due diligence audit. "Instead of a plain
checklist audit, we will analyze the implications of the provisions of ITAA 2008 on the specific business through gap
It is not very explicit that if you have ISO 27001 you are IT Amendment Act compliant. However, the hassles will be less in the case of companies which have ISO 27001.
D P Dubey
Executive Director, Paladion
analysis, and then suggest appropriate controls to the stakeholders depending on the gaps. We
will be using many tools and techniques, including checklists, for effectively conducting the
audit."
Ujvala Consultants has adopted a framework of IT Amendment Act 2008 compliance developed by the
Cyber Law College and recognized as IISF-309 (Indian Information Security Framework version 309).
This framework has also crafted 23 controls and seven specific compliance clusters. "At present,
Ujvala leverages its activities through some other ISO27001 auditors to reach out to the industry.
The services include risk assessment, training and implementation assistance. As part of the
implementation assistance we provide drafting/modification of the information security policy, as
well as suggest technology in a few areas such as e-auditing and digital signature implementation,"
says Naavi.
Cyber Law Consulting is already offering an IT Amendment Act 2008 compliance audit which includes
policies and processes such as security practices followed by organizations, recruitment and
release processes for employees and directors, and data management processes. The firm also helps
companies to draft security practices and create cyber security awareness training programs with
reference to ITAA 2008.
Paladion believes that sectors such as BFSI are very proactive and are taking interest in this
compliance, while others are expected to catch up soon. "In general, the awareness level needs to
increase. Regulators such as RBI, SEBI and IRDA may also make it compulsory for their respective
sectors," says Dubey.
Although the market is all set to offer ITAA 2008 compliance audits, is there an actual need for
such services? Vicky Shah, principal consultant, cybercrimes.in, believes that there is no need to
have a new audit or compliance kind of service exclusively for the IT Amendment Act 2008 because it
gets covered when implementing ISMS27001. "I guess some organizations have identified this as a new
business service offering, but I frankly don't see the prospects for the same. It is more of a gap
analysis than a legal compliance audit service. An ISMS27001 takes care of these aspects."
Dubey disagrees. "The hassles will be less in the case of companies which have ISO27001. But it is
not very explicit that if you have ISO27001 you are ITAA 2008 compliant. You will require to
undertake an IT Amendment Act 2008 due diligence even if you have ISO27001." Mali seconds this
view. "We are already offering this service as an 'ITAA 2008 compliance audit'—even to companies
which are ISO27001 certified—for further legal compliance and fortification of security
practices."
You can follow our Twitter feed at @SearchSecIN