India’s Personal Data Protection Bill (2022): Will this be the Game Changer?

The long-awaited Data Protection Act has finally been cleared by Parliament in Dec 2021 and will come into force for implementation soon. Along with the IT Act 2000 (and its 2008 amendments) and the changes to the Companies Act (2021), it will mandate that organizations pursue information security as a holistic approach. Organizations will therefore have to be ready to comply with these regulations, and financial and IT GRC audits will start evaluating the readiness of organizations from 2023 onwards.

These changes in the regulatory framework will have a significant impact on many organizations, irrespective of the sector in which they operate. They need to start their information security journey right away, without further delay. When I delivered my keynote to a large group of CIOs in a panel discussion on 19 May 2022, it was evident that many organizations are yet to start their journey to become compliant with these regulatory changes.

I suggest the following approach for organizations on their journey to become compliant with these regulations.

1. InfoSec is a risk-based approach: The executive management is responsible for planning the strategy, and the starting point must be a comprehensive risk assessment. Remember that information security controls are specific to your organization, and engaging experts for the risk assessment at this stage is essential. Only experts who have gone through multiple rounds of InfoSec implementation and have thorough knowledge of risk assessment methods should perform it. The outcome is the risk map of your organization.

2. Prepare the right dosage of InfoSec controls: The market is flooded with tools and technologies for protecting your organizational assets. The most important thing the executive management should do is identify the required dosage for your organization. Please remember that both over-dosage and under-dosage will kill you. The outcome of the risk assessment is used to prepare an investment roadmap for the next 3-5 years.

3. Set up an exclusive InfoSec organization: The information technology function cannot handle InfoSec as well. This is the foundation, and a clear SoD (segregation of duties) must be established at this stage. IT processes (from an ITIL perspective) must be handled by the IT role, and the security processes by the security leader. These regulatory changes mandate that your organization have a CISO, a CDPO (Data Privacy Officer) and a CTRO (Chief Trust Officer). SMEs certainly cannot afford to have this many roles, but this is the time that you must have a senior position who handles this role and reports directly to the Board.

4. Design and implement data classification standards: This must be the starting point, as not every piece of data generated and stored requires the same level of treatment. If this is not done well, the organization will pay a heavy price. Data must be classified at the point of origination, and every employee must be accountable for classifying the data they originate.

5. Build an effective information security framework: In my experience, this is the most ignored area across industries. Design policies, standards and procedures specific to your business processes. The references must always be to a very high level of standards, and the key differentiator for an organization is its business processes. Think of how many patents an organization could register from this exercise. This is a time-consuming activity and needs organization-wide participation.

6. Train your employees: Remember that InfoSec is a complicated domain and needs the most demanding skilled resources for implementation in today's context. The contribution of people to incidents has always been significant. The only way to reduce that contribution is TRAIN-TRAIN-TRAIN. Be prepared to change your culture; one cannot achieve greater things by doing the same activities the same way repeatedly. Innovation is the key, and though modern technology helps automate quite a few controls, at times you need to take tough decisions.

7. Set up a Security Operations Centre (SOC): This would by and large solve segregation of duties to a very large extent. It could be a game changer and establish a great capability in the organization to deliver InfoSec objectives. The only caution is right-sizing the technology and keeping the investment optimal. This SOC will be completely handled by your security leader.

8. Institutionalize information security audits: Performing InfoSec audits requires a different skill set. InfoSec audits let the executive management know the maturity of the processes and plan actions to drive a higher level of maturity. Train a group of cross-functional leaders who will perform these security audits under the security leader's guidance.

9. Set up InfoSec-specific Board meetings: Review the risk assessment outcome and the areas requiring mitigation. Decide what level of risk can be absorbed and plan the financial budgets accordingly. Management must set very high goals, not just get through the audits. Information security investments must be used to increase the overall capability of the organization, and one must convert the investment into a marketing advantage. InfoSec investment without complete alignment with the core business will be of very little use.

10. Prepare to spend an 18-24 month journey setting up a good base before picking up speed.

This approach will help organizations prepare to become compliant with the changing regulatory requirements in India.

When designing the security system, remember Shannon's maxim of security: “The enemy knows the system well”.

I would love to help SMEs successfully navigate this change!

Best Regards

Dr.R.Rajan

Muthukumaran Sankaranarayanan

Regional manager-IT,ITeS,Cybersecurity services-TUV SUD

2 years

Good one sir... it has an end-to-end solution.

Hari. S

CEO - Bootstrappers' Research Council (Startup Incubator)- SRM IST; 0-1-10 Growth Strategist, Crossing the Chasm Expert & Coach, Startup Navigation, Advocate for AI Innovation for Sustainability

2 years

Eye opener for all Infosec guys. Good inputs Rajan.
