<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Ace Services</title>
	<atom:link href="http://www.aceservices.co.in/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.aceservices.co.in</link>
	<description>Risk Management</description>
	<lastBuildDate>Fri, 25 Nov 2011 07:37:35 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.5</generator>
		<item>
		<title>The Need for better Corporate Accountability through Business Continuity Management</title>
		<link>http://www.aceservices.co.in/bcm/the-need-for-better-corporate-accountability-through-business-continuity-management-2/</link>
		<comments>http://www.aceservices.co.in/bcm/the-need-for-better-corporate-accountability-through-business-continuity-management-2/#comments</comments>
		<pubDate>Mon, 21 Mar 2011 20:05:28 +0000</pubDate>
		<dc:creator>Rakesh Pande</dc:creator>
				<category><![CDATA[Business Continuity Management]]></category>
		<category><![CDATA[Corporate Governance]]></category>

		<guid isPermaLink="false">http://www.aceservices.co.in/?p=78</guid>
		<description><![CDATA[In the recent past, India has witnessed some significant judicial rulings that are related to disasters. The most infamous amongst these has to be the ‘Bhopal gas tragedy’. Without any doubt, it comes across as a case of ‘pure disgrace’ on ‘Corporate Accountability’. In the case pertaining to the female employee in Bangalore, who was [...]]]></description>
			<content:encoded><![CDATA[<p>In the recent past, India has witnessed some significant judicial rulings that are related to disasters. The most infamous amongst these has to be the ‘Bhopal gas tragedy’. Without any doubt, it comes across as a case of ‘pure disgrace’ on ‘Corporate Accountability’. In the case pertaining to the female employee in Bangalore, who was raped and killed by the transport driver of her company, the Supreme Court allowed the prosecution of the Managing Director under the Shops &#038; Establishment Act. Furthermore, in yet another ill-famed case of the ‘Uphar Cinema hall fire tragedy’, the High Court/Supreme Court ruled that the compensation was to be paid by the owners of the cinema hall to the victims’ family. </p>
<p>On a closer examination of all these cases, the following important issues emerge:</p>
<p>•	Except for the case related to the prosecution of the Managing Director under the Shops &#038; Establishment Act, the other two cases are pure “REACTIONS” to the problem at hand. In other words, they amount to a justification along the lines of, “if you get shot or hurt, someone will be liable to pay you compensation”. The delay in obtaining justice or the degree of compensation is a completely different issue, beyond the scope of the topic under discussion. </p>
<p>•	Even though the terms pertaining to employee safety under the Shops &#038; Establishment Act point towards “PRO-ACTIVE” safety measures, the important aspect is that the Shops &#038; Establishment Act is a state-specific subject. In other words, we have different Shops &#038; Establishment Acts for different states in India, leading to different levels of pro-activeness, or to the absence of such safety measures altogether. Last, but not least, legal experts say that even if the Managing Director is indeed convicted in the case, he will only have to pay a sum of one thousand rupees. We are therefore waiting for another “Bhopal Gas Tragedy” to occur, and then to be debated on various TV channels, before even slightly more rigorous and thorough measures are taken.</p>
<p>The Indian industry therefore has the (near) freedom to be quite careless and not be held accountable for its mistakes.</p>
<p>In the United States of America, the Securities &#038; Exchange Commission (SEC) instructions make it mandatory for business entities, stock brokers/advisors, exchanges and any other entities involved in the stock market, to comply with a minimum level of Business Continuity/Disaster Management capability in order to protect the interests of their investors.</p>
<p>In India, the Securities and Exchange Board of India (SEBI), an entity equivalent to the SEC in USA, is mandated to protect the interest of investors in securities and to promote the development of, and to regulate, the securities market, in accordance with section 11(1) of Securities and Exchange Board of India Act, 1992.  </p>
<p>Now, let us look at the ground reality. In India, if a firm or a company (by whatever name one can call such entities) burns itself down, or meets with a disaster situation which leads to massive destruction of its resources (including people) due to the lack of adequate Disaster Management (DR) or Business Continuity Management (BCM) capability, the management of such entities cannot be held liable towards the lack of such a DR or BCM capability. </p>
<p>Though SEBI has issued various circulars and guidelines for Exchanges, Mutual Funds &#038; UTI and depositories (NSDL and CDSL) to have adequate BCM/DR capability, no such circular or guidelines exist for the business entities listed on these very stock exchanges to have BCM/DR capability. In other words, the investors’ true interest, which actually lies in the well-being of the firm in which the investment has been made, is not being upheld. Instead, the focus of SEBI so far has been on the other entities connected with the securities market, viz. the stock exchanges, mutual funds, securities market infrastructure, etc. </p>
<p>One can therefore safely conclude that the market regulator, SEBI, has a lot more to do in order to protect the interests of investors, by issuing directives to business entities listed on the stock market to have a reasonable level of BCM/DR capability, in line with the SEC regulations in the USA. </p>
<p>As a risk management professional, my objective has been to ensure that the basic principles of ‘due diligence’ are enforced in the corporate sector through a regulation, thereby extracting accountability.</p>
<p>Having stated my understanding on the subject, I must admit, I could be wrong in projecting my opinions due to a lack of adequate information. I therefore would like all the readers of this article to advise me on this subject, should my understanding be misguided or incorrect. </p>
<p>Hopefully, we can collectively make India a very proud and strong nation, which appreciates and applies the principles of Corporate Accountability in a just and fair manner.</p>
<p>By – Rakesh Pande,<br />
www.aceservices.co.in &#038; www.dri-india.org<br />
Dated 21 Mar 2011</p>
]]></content:encoded>
			<wfw:commentRss>http://www.aceservices.co.in/bcm/the-need-for-better-corporate-accountability-through-business-continuity-management-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Infosec lessons from WikiLeaks</title>
		<link>http://www.aceservices.co.in/information-risk-management/infosec-lessons-from-wikileaks/</link>
		<comments>http://www.aceservices.co.in/information-risk-management/infosec-lessons-from-wikileaks/#comments</comments>
		<pubDate>Fri, 18 Feb 2011 03:26:35 +0000</pubDate>
		<dc:creator>Rakesh Pande</dc:creator>
				<category><![CDATA[Information Risk Management]]></category>

		<guid isPermaLink="false">http://www.aceservices.co.in/?p=69</guid>
		<description><![CDATA[Ashok Menon examines the ramifications of the WikiLeaks episode for both the Indian government and corporates In the recent past, a number of articles in various tabloids and discussions on various TV channels have centered around WikiLeaks. High pitched discussion on cyber laws, privacy issues, control of the Internet, esoteric aspects of diplomacy etc. have [...]]]></description>
			<content:encoded><![CDATA[<p><em><strong>Ashok Menon</strong></em><em> examines the ramifications of the WikiLeaks episode for both the Indian government and corporates</em></p>
<p>In the recent past, a number of articles in various tabloids and discussions on various TV channels have centered around WikiLeaks. High-pitched discussions on cyber laws, privacy issues, control of the Internet, esoteric aspects of diplomacy etc. have been written about and debated at length. However, no clear conclusions have emerged in any of these areas. Technology in the past two decades has made it possible to transfer information in real time to specific points anywhere on the globe. The opinions and views of citizens in various countries, which were hitherto confined to closed environments and small pockets, have commenced spreading and have gained a wider reach. Consequently, it is not surprising to observe that, in many of the subjects discussed, the gap between the ‘generalist’ and the ‘specialist’ has narrowed. As a result, TV anchors and reporters, for example, have moved from being moderators of a discussion to individuals who take a predefined position. Vast information availability in near real time has enabled easy assessment, dissection and analysis. The impact of easy information availability, free interpretation and its effective dissemination has started affecting organizations, governments and society at large, often in an adverse manner. Only time will tell how the modern world will rise to the occasion and grapple with this problem.</p>
<p>The intent of this article is not to delve into any of the areas mentioned above but rather to address an altogether different dimension—that of Information Security. Those who had gone through the WikiLeaks site when it was active would have observed the neatness with which content was organized. It was clear that there was a structured database containing information, location and origin wise, with defined categories and classification. There is perhaps nothing fascinating about how the content was made available, because the primary business objective of the site&#8217;s creators was to provide easy navigation to average citizens across the globe for a defined number of documents. There are important questions though. Would Indian Embassies across countries, for example, have stored the cables exchanged with various parties, say for the last one year, in such an organized fashion? Do our Ministries have a clear line of sight to the document stores that they have? Would it be possible for various Directorates in the armed forces to put an exact number, say, on the number of ‘secret’ documents generated across their setup in the last one week?</p>
<p>The electronic document melee has, over a period of time, become a matter of concern for organizations of all shapes and sizes. If the facts are to be believed, the financial world alone accounts for 3 to 6% of the digital universe’s total volume (figures as of 2009). While this looks like a relatively small fraction, the truth is that, in absolute terms, it runs into exabytes (1 exabyte = a billion gigabytes). It may also be true that a major part of this volume relates to structured data. However, that does not preclude the possibility of a high-volume document store across enterprises. For those who have grown with technology over the last two to three decades, applications like WordStar, WordPerfect etc. will not be unfamiliar. It was a boon to have editors with that capability then, because it made the typewriter nearly defunct, though it is another matter altogether that only recent devices have started changing the conventional layout of the vintage Remington typewriter-style keyboard. Nevertheless, from then until now, the Peter Senge norm that ‘yesterday’s solutions are today’s problems’ has begun to take root in this area. It was natural that the complete dependency on these editors forced the industry to innovate. However, the offshoots of the approach taken have led to complexities in multiple areas: storage, retrieval, location of specific information, archival, compression, security &amp; protection, rights etc., to name some. The interesting part is that, unlike structured data that can be handled by databases, in this case the nature of the application and the strength it drew came from its decentralized format. Yet when the need to control readership and limit ‘views’ based on ‘author’, ‘owner’ etc. started to become a matter of concern, the subject of ‘enterprise (or information) rights management’ began to take shape. 
In both these spaces, document management and rights management, several large vendors have thrown their hats into the ring. However, the implementation of these solutions occurs at an enterprise level and, therefore, adoption by large organizations is relatively slow, for reasons that may not be solely IT related.</p>
<p>The question, therefore, is: if document management and rights management sit at two extremes, with one becoming a ‘facilitator’ and the other a ‘controller’, have we been able to contain the problems in this space? How many enterprises today have a clear line of sight to their document store? A study by Enterprise Strategy Group (ESG) in 2009 indicated that 51% of security professionals ‘feel’ that over half the data of their respective organization is ‘confidential’ in nature. There are good reasons to believe, though, that this figure has been derived more from a gut-feel reaction than from any empirical method. </p>
<p>Another aspect that any seasoned infosec professional can see is that the strength of information security in a set-up depends only up to a point on the IT security factor. In the people, process and technology dimensions, the importance of ‘people’ cannot be overstated. Technology has empowered each employee, which is both a boon and a bane. The paradoxical need for senior management within an enterprise to store confidential data embedded in electronic documents and to retain it for a defined period as per regulatory norms, together with the fact that such data may be inadvertently lying strewn about, increases the need for ownership to shift from IT to the individual creator of the document. So, for those organizations that are reluctant to go in for big-bang deployments in both the areas mentioned above, it would be far more comfortable to come up with low-end implementations that, on the one hand, sensitize each employee to the ‘data’ (read: document) that he or she is responsible for and, on the other, make him or her accountable for its categorization or classification, ensuring that the individual is aware of its importance and criticality. If this could be coupled with security management obtaining a clear metric on the overall document store, with essential metadata attached, including a nearly accurate estimate of the confidential documents held, then apart from enabling the planning of an effective Data Leakage Prevention (DLP) solution, it would also give a fairly accurate test of the effectiveness of the Information Classification control, A.7.2 of the ISO 27001 standard. Even beyond that would be the organization’s ability to have ‘enrolled’ the employee into its larger vision of security, something that is less fascinating for an IT security professional but is a critical need nonetheless. 
In government bodies where the networks are fragmented and where standalone systems still exist, the challenges assume greater significance in a WikiLeaks-like scenario, and it is time that those in authority factor this in as they plan to address the risk in this space. </p>
<p><em>The author is currently Director Technology &amp; Co-founder of Periculum Technology &amp; Consulting Services Pvt Ltd. He is a technology professional with over 24 years of experience in multiple areas of IT, who has served in both the Government and the Corporate Sector and holds three postgraduate degrees in Mathematics, Operations Research and Software Systems.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.aceservices.co.in/information-risk-management/infosec-lessons-from-wikileaks/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

