Has IT Amendment Act 2008 created a new audit domain?

IT Amendment Act 2008 may have created the need for a proper audit and compliance regime, and in the process created an opportunity for Indian infosec industry.

The Information Technology Amendment Act 2008 (ITAA 2008), which came into effect in October 2009, is a recent addition to the long list of compliances which Indian organizations need to adhere to. Several sections within the Act are likely to create the need for a proper audit and compliance regime. Let us find out how IT Amendment Act 2008 compliance and audit is slowly emerging as a new compliance domain in the information security industry.

According to Na Vijayashankar (Naavi), an independent cyber law consultant and founder of Ujvala Consultants, the IT Amendment Act 2008 is a comprehensive legislation which touches several aspects of the business of any organization which uses computers, hence many sections of the Act directly or indirectly affect the organization's compliance strategy. ITAA 2008 is more focused on two important areas: data protection and information preservation.

"Sections 43A, 72A, 79 and 67C clearly spell out the roles and responsibilities of the service provider in protecting data and preserving information. Companies providing IT services to their employees also come under the definition of service provider, and need to comply with the provisions of the IT Amendment Act 2008, hence we see a clear opportunity for IT Act audit and compliance," says D P Dubey, executive director, Paladion, a leading managed security service provider.

Unlike self-imposed quality offshoots such as an ISO27001 audit, the IT Amendment Act 2008 is statutory. According to Prashant Mali, the president of legal consulting firm Cyber Law Consulting, this Act, for the first time in India, defines what cyber security is, and also provides rights to the nodal agencies to demand information from corporates which are required to maintain this security. Naavi believes that every company which is desirous of being on the right side of corporate governance will need to conduct an IT Amendment Act 2008 audit to ensure that they have taken all reasonable steps needed to meet its requirements.

"Non-compliance with directions under 70B (which includes a requirement to provide information sought by the CERT-In ) can lead to imprisonment of one year, non-compliance with section 69B could result in a seven-year imprisonment, while most other non-compliance issues may result in a three-year imprisonment—besides the liability to pay damages. As a result, there is no alternative for companies except to make themselves compliant with the IT Amendment Act 2008," cautions Naavi. The top 3,000 Indian companies which are listed, and are bound by the Clause 49 declaration that the 'company is complying with all regulatory provisions,' gives an idea of how an ITAA 2008 compliance audit can be the next big opportunity for information security and techno-legal consultants.

Several IT security consultancy and techno-legal firms have started propagating IT Amendment Act 2008 audit and certification as a new offering in their compliance basket. Ujvala Consultants, Paladion, Mahindra Special Service Group and Prominds Consulting are some of the companies which can offer an ITAA 2008 compliance audit.

Dubey explains that Paladion's offering will be an IT Act due diligence audit. "Instead of a plain checklist audit, we will analyze the implications of the provisions of ITAA 2008 on the specific business through gap

It is not very explicit that if you have ISO 27001 you are IT Amendment Act compliant. However, the hassles will be less in the case of companies which have ISO 27001.

D P Dubey
Executive Director, Paladion

analysis, and then suggest appropriate controls to the stakeholders depending on the gaps. We will be using many tools and techniques, including checklists, for effectively conducting the audit."
Ujvala Consultants has adopted a framework of IT Amendment Act 2008 compliance developed by the Cyber Law College and recognized as IISF-309 (Indian Information Security Framework version 309). This framework has also crafted 23 controls and seven specific compliance clusters. "At present, Ujvala leverages its activities through some other ISO27001 auditors to reach out to the industry. The services include risk assessment, training and implementation assistance. As part of the implementation assistance we provide drafting/modification of the information security policy, as well as suggest technology in a few areas such as e-auditing and digital signature implementation," says Naavi.

Cyber Law Consulting is already offering an IT Amendment Act 2008 compliance audit which includes policies and processes such as security practices followed by organizations, recruitment and release processes for employees and directors, and data management processes. The firm also helps companies to draft security practices and create cyber security awareness training programs with reference to ITAA 2008.

Paladion believes that sectors such as BFSI are very proactive and are taking interest in this compliance, while others are expected to catch up soon. "In general, the awareness level needs to increase. Regulators such as RBI, SEBI and IRDA may also make it compulsory for their respective sectors," says Dubey.

Although the market is all set to offer ITAA 2008 compliance audits, is there an actual need for such services? Vicky Shah, principal consultant, cybercrimes.in, believes that there is no need to have a new audit or compliance kind of service exclusively for the IT Amendment Act 2008 because it gets covered when implementing ISMS27001. "I guess some organizations have identified this as a new business service offering, but I frankly don't see the prospects for the same. It is more of a gap analysis than a legal compliance audit service. An ISMS27001 takes care of these aspects."

Dubey disagrees. "The hassles will be less in the case of companies which have ISO27001. But it is not very explicit that if you have ISO27001 you are ITAA 2008 compliant. You will require to undertake an IT Amendment Act 2008 due diligence even if you have ISO27001." Mali seconds this view. "We are already offering this service as an 'ITAA 2008 compliance audit'—even to companies which are ISO27001 certified—for further legal compliance and fortification of security practices."

You can follow our Twitter feed at @SearchSecIN

Read more on IT technical skills