Business Daily from THE HINDU group of publications, Monday, Sep 18, 2006
eWorld - Security
The Spotlight is on security
R.Ramamurthy
FOCUSSING ON a grave issue. - Vino John
Recent reports in the media about data leaks from the National Security Council Secretariat, New Delhi, are cause for concern. They highlight the need to reinforce information security measures, especially in sensitive areas of administration.
For instance, software that logs the precise time a USB drive is inserted into a computer and the time it is taken out, giving the ID of the computer and its user and a list of the files accessed, could be installed in such offices. It could cover all the computers used, with provision for sending a log report containing the details to a designated computer. This software could be installed in sensitive ministries/departments/organisations of the Government where vital information is stored.
Access control measures using radio frequency identification (RFID) technology could be put in place in rooms with computers carrying vital information. All details of entry of persons to such rooms and details of access to those computers could be logged, stored and monitored.
Presently, the Government works more on commercial standards such as BS 7799. Most of the commercial standards in vogue are very generic and lack some important factors; for instance, there is no clear definition of vulnerability assessment on securing infrastructure and data. Security audits too should be performed on all sensitive departments to make sure that IT security measures are strictly followed and that any violation is found out automatically and immediately. The Government should take steps to have its own stringent standards to safeguard its critical infrastructure.
Background checks
Likewise, threats such as data theft should be countered with regular background checks and by having separate security personnel in each department, armed with appropriate monitoring tools. Human 'ingenuity' will always continue to create new offences, as human behaviour is the biggest risk in security in all factors: physical, technical and mobile.
The Government should create awareness and devise safe practices to be followed through appropriate training. Higher authorities and people at management level should be made accountable for breaches. They should be asked to carry out appropriate risk management and analysis, guided by a well-drafted policy framework. Likewise, some basic groundwork has to be done at the employee level. Employees should be required to strictly abide by the security policy suggested and execute the stipulated processes and practices. It is also essential to have background checks of people handling sensitive data, irrespective of their level, on a continuous basis by different methods and agencies, so that any breaches can be immediately notified to the concerned authorities.
As new technology evolves, new threats too will surface. But banning technology is no solution. There are various other security means too, such as protection of files, protection of directories by passwords, disciplinary methods to keep confidentiality, access control systems, network security, router security, blocking the ports at Unix level, content filtering, perimeter security, URL filtering, etc. In fact, all these are already in place in most private companies, which have gone much ahead on security issues.
The Government can also introduce legislation, long overdue, addressing important issues such as definition of data, definition of data privacy, ownership of data, custodian of data, role of intermediaries, due diligence on the part of intermediaries, protection to the intermediaries and to what extent they can be held responsible, etc. In their anxiety to encourage the usage of IT, the authorities must guard against trivialising the importance and legal implications of the role of the intermediaries.
It should be remembered that the scope of the IT Act 2000, which was enacted keeping in mind electronic commerce transactions, does not address all the possible risks/crimes perpetrated in the IT/Internet areas.
(The author is Chairman, Cyber Society of India.)
Copyright © 2006, The Hindu Business Line. Republication or redissemination of the contents of this screen are expressly prohibited without the written consent of The Hindu Business Line