Cyber Security - National Policy
From: shu
Published: January 16, 2010
Tags: domain, registering
Notes:
 
Slide 1: Structuring a National Strategy to secure Cyberspace: Solutions for India – Rodney D. Ryder
Slide 2: National Strategy to secure Cyberspace
Part 1 - The need for a national strategy
• Examining national objectives
• Structuring a policy
• Current law in India
Part 2 – Case Study: Data Privacy and National Compliance [Challenges and Strategies]
• Data Protection legislation around the world
• European Commission Directive and the UK Act
• Data Protection model: the United States
• Balancing Privacy and Security
Slide 3: The need for a national strategy - Opportunities for India
Slide 4: The need for a national strategy - to secure Cyberspace
• Technological advances in data storage and transmission
• Globalisation of communications: the internet
• Convergence and standardisation of technologies
• Increasing importance of data processing
• Speed and convenience
• Mobile access
• Personalised and tailored
• Data mining sophistication
• Loss of control
• Insecurity
• Lack of confidence
• Increased scepticism
• Low uptake of eCommerce
Slide 5: The Rise [and fall?] of Cyberspace
• <Cyberspace> as introduced by William Gibson [A place governed by its own laws] - “a consensual hallucination” [William Gibson, Neuromancer]
• A contradiction? Greek <kybernetes> means ‘steersman’ of a ship
• “Law and Borders”: the ‘independent’ theory of cyberspace law [David Post and David Johnson, Stanford Law Review]
• Benkler’s layers – the physical, the code and content [in communications theory]
• Lessig <Code and other laws of Cyberspace>
Slide 6: The Action Plan
• Securing “Indian” Cyberspace [regulations and the history of trade – towards pax mercatur]
• The basic premise: the machine or the medium
• Adaptability and Enforcement of Indian law – lessons from the American experience [Adobe Systems v. Dmitry Sklyarov]
• Systematic collaboration between vendors and customers to secure interoperable government and industry enterprise information systems
• Enhance collaboration between law enforcement and industry to prevent and prosecute cyber crimes
Slide 7: Cybercrime and [a] National Cyber Security Programme
• Understanding the role of the medium – incidental [blackmail, stalking]; content [obscene or sensitive material]; integrity [unauthorised access and/or modification]
• The criminal act – discovery [detection] and analysis
• The Cybercrime Manual – fostering preparedness
• Focussing on ‘relevant’ issues and appropriate classification of offences
• Cyber forensics and the collection of evidence
• Crisis management [internal and external]
Slide 8: Key Components of a Cyber Security Programme
• The Team [Member of the Board, Human Resources Manager, Chief Information Officer, Legal Counsel, E-Risk Management Consultant, Internet Security Expert, Cyberinsurance broker]
• Utilising and factoring security tools – Digital signatures are a ‘sign of our times’
• Understanding and evaluating risks [internal and external]
• Allocating roles and responsibilities - Structuring the audit process [examining use and abuse]
• Ten Tips – [i] Firewalls with secure passwords; [ii] correct installation and maintenance [the human angle]; [iii] encryption; [iv] assign network administrators a security role; [v] external consultants and auditors; [vi] periodic security audits; [vii] do not ignore ‘small company’ security needs; [viii] limit access to the computer room; [ix] educate employees about the dangers of social engineering; [x] educate employees on potential threats.
Slide 9: Structuring a Cyber Security Manual
• A training process for law enforcement
• The Basics: the “machine” and the “medium” – What is a Cybercrime?
• Develop programs that promote a culture of security within and across enterprises, including corporate governance, integration of physical and cyber security, and cyber ethics from school to the office
• Engage with industry, academia and government in both countries to foster research and development and collaborative education efforts in information security
Slide 10: Regulatory norms in ‘Indian’ cyberspace: a primer on the legal aspects of e-business
• Stake your territory: the applicable law
• Have the final say: the invitation to treat
• On your own terms
• Is it secure?
• The customer is always right!
• Privacy policy and data protection
• Protecting your brand: Domain names and trademarks in general
• The copyright ‘catch’
• Chat online [Bulletin Board/Service Provider Liability]
Slide 11: Data Privacy and the National Cyber Security Program - Data Privacy and Indian Law
Slide 12: Privacy concerns
A fundamental human right: the right of the individual to be let alone
• Information Privacy (data protection) - personal data
• Bodily privacy - invasive procedures - search, drug testing; genetic testing; etc
• Communications Privacy - mail, telephone, e-mail etc
• Territorial privacy - domestic privacy; CCTV; ID checks etc
• “Public” aspects - surveillance, police powers and national security
Slide 13: Growth of Importance of Privacy
Overview - major International and US regulations [timeline running from HUMAN RIGHTS to BUSINESS ISSUES]
• 1948 UN Universal Declaration of Human Rights
• 1970 US Fair Credit Reporting Act
• 1974 US Privacy Act
• 1976 International Covenant on Civil and Political Rights
• 1980 OECD Guidelines on Protection of Privacy
• 1980 US Privacy Protection Act
• 1994 US Communications Assistance to Law Enforcement Act
• 1995 European Commission Directive on Data Protection
• 1996 US Health Insurance Portability and Accountability Act
Slide 14: Privacy and Data Protection law in India
There is no general privacy or data protection law in India:
• Constitution Article 21 - Right to life and liberty, interpreted by the Supreme Court as including the “right to be let alone”
• International Covenant on Civil and Political Rights 1966, Article 17: No one shall be subject to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.
• Law of privacy (Tort Law) – Action for unlawful invasion of privacy
Slide 15: The [Indian] Information Technology Act, 2000
• Section 43 (a) - Penalty for unauthorised access to a computer system
• Section 43 (b) - Penalty for unauthorised downloading or copying of data without permission
• Section 72 - Offence of accessing any electronic record, book, register, correspondence, information, document or other material and, without the consent of the person concerned, disclosing such information to another person
Slide 16: Current law in India
• Public Financial Institutions Act of 1993 codifies confidentiality of bank transactions
• ISPs prohibited from violating privacy rights of subscribers by virtue of the licence to operate granted by the Department of Telecommunications
• A general data protection law in India? National Task Force on IT and Software Development 1998 submitted the “IT Action Plan” calling for a “National Policy on Information Security, Privacy and Data Protection Act for handling of computerised data”, but no Act introduced to date
Slide 17: Possible approaches to Data Protection - Data Protection Worldwide
Slide 18: Data Protection legislation worldwide [world map of countries classified as NONE, PENDING, IN PLACE, EU or ‘ADEQUATE’; United States marked (safe harbor)]
Slide 19: Industrialised Countries - Legislation timeline
• Norway: Personal Data Registers Act, in force 14 April 2000
• Finland: Personal Data Protection Act, in force 1 June 1999
• Sweden: Personal Data Act, in force 24 October 1998
• Denmark: Act on Processing of Personal Data, in force 1 July 2000
• Belgium: Data Protection Act, in force 1 Sep 2001
• Ireland: -
• Germany: Data Protection Act, in force 23 May 2001
• United Kingdom: Data Protection Act, in force 1 March 2000
• Austria: Data Protection Act, in force 1 January 2000
• Luxembourg
• Netherlands: Law on Protection of Personal Data, in force 1 Sep 2001
• Canada: PIP&ED Act, commenced 1 Jan 2001
• Mexico: eCommerce Act, in force 7 June 2000
• Italy: Data Protection Act, in force 8 May 1997
• United States (includes): CPP Act 1984; VPP Act 1988; COPP Act 1998, in force 21 April 2000; HIPA Act, in force 14 April 2001; GLB Act, in force 1 July 2001; ‘General’ Act under consideration
• Hong Kong: Personal Data (Privacy), in force 20 Dec 1996
• Australia: Privacy Act, in force 21 Dec 2001
• Spain: Data Protection Act, in force 13 January 2000
• France: -
• Taiwan: Computer Processed Data Protection, in force 11 August 1995
• New Zealand: Privacy Act, in force 1 July 1993
• Portugal: Personal Data Protection Act, in force 27 October 1998
• Greece: Protection [of] Processing, in force 10 April 1997
• Switzerland: Data Protection Act, in force 1 June 1999
• South Korea: eCommerce Act, in force January 1999
• Eastern Europe: Estonia (96), Poland (98), Slovak (98), Slovenia (99), Hungary (99), Czech (00), Latvia (00), Lithuania (00)
Slide 20: Possible approaches to Data Protection - Data Protection in Europe
Slide 21: European Data Protection Directive
• Directive 95/46/EC of the European Commission
• Now implemented in almost all Member States, e.g. UK: previously - UK Data Protection Act 1984; now - UK Data Protection Act 1998 (in force March 2000) (“DPA”)
Slide 22: UK DPA 1998 - The Eight Principles
1. Personal data must be processed fairly and lawfully.
2. Personal data must be collected and used only for notified purposes.
3. Personal data must be adequate, relevant and not excessive.
4. Personal data must be accurate and, where necessary, kept up-to-date.
5. Personal data must only be retained for as long as is necessary to carry out the purposes for which it is collected.
6. Personal data must be processed in accordance with the rights of data subjects as set out under the 1998 Act.
Slide 23: UK DPA 1998 - The Eight Principles
7. Appropriate technical and organisational measures must be in place to protect against unauthorised access, amendment or loss of personal data. There must be a contractual obligation, in writing, upon any data processor to comply with the relevant legislation and to ensure that such measures have been put in place.
8. Personal information must not be transferred out of the European Economic Area ("EEA") unless the receiving country ensures "an adequate level of protection" for the rights and freedoms of the data subjects vis-à-vis the processing of personal data.
Slide 24: Transfers of Personal Data from Europe to India
The Eighth Principle: Personal information must not be transferred out of the European Economic Area ("EEA") unless the receiving country ensures "an adequate level of protection" for the rights and freedoms of the data subjects vis-à-vis the processing of personal data.
Slide 25: Alternative Grounds: “Seventh-Principle” type contract
Notwithstanding lack of country adequate status, a Data Controller can nevertheless conclude there is adequate protection in respect of a particular transfer if there is sufficient protection for individual data subjects, having regard to:
- nature of data being transferred;
- purposes for processing;
- security measures in place;
- individual rights to redress if things go wrong
Note - all of these could be covered in a Seventh-Principle type contract
Slide 26: Possible models for India - Data Protection in the USA
Slide 27: Data Protection in the United States
United States (Federal):
• Fair Credit Reporting Act 1970
• Privacy Act 1974
• Family Educational Rights and Privacy Act 1974
• Cable TV Privacy Act 1974
• Right to Financial Privacy Act 1978
• Privacy Protection Act 1980
• Cable Communications Policy Act 1984
• Electronic Communications Privacy Act 1986
• Video Privacy Protection Act 1988
• Employee Polygraph Protection Act 1988
• Telephone Consumer Protection Act 1991
• Driver’s Privacy Protection Act 1994
• Communications Assistance to Law Enforcement Act 1994
• Health Insurance Portability and Accountability Act 1996
• Children's Online Privacy Protection Act 1998
• Deceptive Mail Prevention and Enforcement Act 1999
• Financial Services Modernization Act 1999
• ‘General’ Act - under consideration?
Safe Harbor - in effect 2001
• Self certified compliance with ‘adequate’ principles
• Regulatory enforcement of trade practices legislation
Slide 28: US Safe Harbor - self regulation
• However, only 356 companies in the whole of the United States have current Safe Harbor registrations
• This raises questions as to the credibility of the safe harbor regime
• Safe Harbor also only addresses transfers of data from abroad, and does not offer comprehensive protection for US citizens
Slide 29: Balancing Privacy & Security - terrorism
• Antiterrorism Acts:
– USA <the Patriot Act> 26 October 2001
– Canada 16 October 2001
– India <Prevention of Terrorism Act>
• easier to use electronic surveillance
• continue and clarify the mandate of law enforcement to collect foreign communications
• requires individuals who have information related to terrorist groups to appear before a judge to provide that information
• extending DNA data bank to include terrorist crimes
• Issues
– enhanced investigative powers
– will governments enforce privacy laws? [US, Canada, UK, EU, Australia]
• Thoughts
– data protection enforcement is generally complaint based
– public continually stress privacy concerns
– good privacy is good business
– erosion of privacy is a win for terrorism
Slide 30: Possible approaches to Data Protection - The Best Solution?
Slide 31: Summary of possible Data Protection Models
• Comprehensive Laws governing collection, use and dissemination of personal data
• Sectoral laws - piecemeal rules for particular industries, types of information or technologies - piecemeal protection
• Self-regulation - e.g. Safe Harbor - mostly disappointing to date
• Technological solutions - physical and logical security, encryption, etc - must be combined with legislative protections
Slide 32: Rationales for a comprehensive Data Protection law
• To remedy past injustices (e.g. C. Europe, S. America, S. Africa)
• To create confidence and promote e-commerce, m-commerce, ITES and bioinformatics sectors
• To remove barriers to data transfers from Europe, by ensuring India is granted “adequate” status
• To ensure enforceability, through a central oversight agency
• Because effectiveness of self-regulation is limited
• Because State governments are already recognising the need and considering their own data protection legislation
Slide 33: Any questions?
Slide 34: Legal Services - Technology, Media and Communications. A National Strategy to secure Cyberspace: Solutions for India – Rodney D. Ryder +91-9811013560