How to manage the security paradox?

CIOL Bureau

PUNE, INDIA: ‘Infinite security is possible but at a zero level of activity’ is how he defines security. He is a member of the Membership, Growth and Retention Committee at ISACA HQ and a member of the ISACA Growth Task Force (which concentrates on identifying country-specific needs in the areas of IT assurance, security and risk). As a member of ISACA, an independent, nonprofit, global association that engages in the development, adoption and use of globally accepted, industry-leading knowledge and practices for information systems, he is at a vantage point that gives a view of both dimensions of security in today’s chaotic and fast-track world. Sandeep Godbole, Member, ISACA India Task Force, takes some time out of a busy schedule amidst the flurry of organizing what ISACA calls the first-ever Virtual Seminar for IT professionals in India, titled “Emerging IT Issues: Managing Information Risk, Compliance and Security in India”.

He stresses some key points on security, risk and technology, and also answers questions about walking the tightrope strung between two poles — security and privacy.

What would you outline as the highlight area of the conference’s agenda this time?

The focus revolves around general and specific aspects of technology as well as specific points about the IT regulatory environment. Awareness needs to be heightened on many issues.

What are the major gaps, as you see?

For India, the important factor is that there is no legacy, so it is always a slippery, hesitant, risk-enveloped state. In April 2011, some path-breaking rules were notified under the IT Act. That ushered in a new dimension to data privacy. Europe has been at it for 11 to 15 years, with a legacy of much legislation. It brings in control and the ‘human consent’ element. Some changes take the typical time as always, but there are also major gaps in expectations at the corporate level. They should understand corporate information, employee information and the related security implications. There is no provision in the Act that differentiates between corporate data and employee data. As a first step, they should be made aware of areas of critical importance. I believe new legislation will come up in the future, but awareness needs to be driven.

What areas?

The rules have specified that there should be transparency in how a subject’s information is used or put in. Just because you have collected information does not imply that you can use it for any purpose other than the ones originally mentioned. This aspect has been brought into focus at a policy level. Since the IT Act is about computerized information, there are many issues that are not just technology issues but also policy issues, or issues about the intent of an organization.

That’s a dilemma. On one hand, organizations are swept up in the pressure of the Cloud wave or the Enterprise 2.0 and social networking brouhaha. On the other hand, we are talking policies and rules.

The dilemma is there for sure, but it is about how to leverage social media and still not eliminate risks associated with leakage of information or misrepresentation or malware. People are still evolving, but a general consensus in the corporate world is that we cannot ignore social media and yet must be cautious about acceptable usage. As to the Cloud, so many people used to talk about the concerns related to non-cloud environments, but now it is an environment of limited control. Incident management is what they expect to exist even once moved to someone else. Same for forensics.

So can a CIO kill two birds (or three birds here) with one stone while managing risk, compliance and security?

Even security is part of risk audit. I don’t see too much divergence in these areas. Both risk and compliance matter a lot in driving security. One more variable is the value one gets out of it. I believe that infinite security is possible but at a zero level of activity. So a balance is what one should strive for.

What would you advise them to do?

A lot of things are happening at the technology level. But there are a lot of non-technology aspects that need attention: risk, security and compliance. CIOs cannot be in silos; they should provide inputs and be change agents.

How do you assess another paradox, of privacy vis-à-vis all the new big government initiatives like the UID or NATGRID intelligence databases?

Yes, it is definitely a challenge. But we should understand that they are basic infrastructure projects at a country level. Absence of data and privacy are not part of the same continuum. Besides, rules have been set already. We need to have data. All we need to focus on is how to protect it also. As an individual, or at a citizen level, what I see is that when I entrust my data to a government mechanism, I should feel safe. That’s what the privacy watchdogs are possibly highlighting.