Public Sector Lacks Security Policy
SCOPE's Dhingra: Security Awareness Lacking at Indian PSUs
Most Indian public sector units/enterprises, in which government, either central or state, has a majority ownership stake, do not have a standard information security policy or a mandate to prescribe one, says K L Dhingra, vice chairman of SCOPE, an apex body representing the CPSUs (Central Public Sector Units).
"Public sector [units] have been more into working on survival in a recession-prone economy, with little focus on a robust security framework for protecting critical data," Dhingra says. "However, the Modi government's 'Digital India' initiative has laid thrust on 'Make in India' and a public/private partnership model to leverage technology, prodding public sector [units] to think about data privacy and protection."
In this interview with Information Security Media Group (transcript below), Dhingra provides insights into the poor focus on information security among public sector units. He also discusses:
- Security changes being brought about within public sector units;
- The government's new sensitivity about sharing its data with private parties;
- The "Digital India" initiative with focus on "Make in India" and smart cities.
Dhingra is the chairman and managing director of Bengaluru-based ITI Ltd., a public sector telecom product manufacturing unit, and vice chairman of the Standing Conference of Public Enterprises, or SCOPE, which promotes excellence in organizations where public investment is involved, enabling them to be globally competitive. Before ITI, Dhingra was CMD at HUDCO.
PSUs Fall Short on Security
GEETHA NANDIKOTKUR: Are Indian PSUs mandated to follow IT security guidelines in protecting their data?
K L DHINGRA: Traditionally, Indian PSUs/enterprises do not have any government mandates to follow a standard IT security policy. Security is not a priority. This is because, from a macroeconomic view, PSUs have been investing their energies in finding ways for survival and revival, particularly when most top ones were almost declared sick. Thus, information security is still not a foundational component of the business strategy initiated by the senior management, the CEO and the board. A study by PWC says Indian firms have cut their cybersecurity spend by 17 percent, which could be true from a public sector standpoint, as I do not see any.
Interestingly, the government has issued mandates for all PSUs to have a CEO and a chief personal information officer under the Right to Information Act 2005, but no guidelines on having a chief information security officer. Each company follows its own security procedures for data protection and access. Cybersecurity awareness is lacking among most firms.
State of Data Protection
NANDIKOTKUR: Given the lackadaisical approach to security, what is the scenario around data protection and security of critical infrastructure?
DHINGRA: I must say there've been some positive strides toward this within the government. For instance, a Central Vigilance Commission case (with very confidential data) is currently stored in a data center run by a private party. The government finds it risky, and hence intends to encourage public sectors to store and protect data. About US $66.7 million has been sanctioned to ITI to establish a new data center in Bangalore. Most government data and banks will store data at this center, expected to be up and running in a few months. A disaster recovery center is also planned. Once up and running, a robust security framework will be put in place, though currently the organization follows a password and encryption-based security framework.
The Hygiene Factor
NANDIKOTKUR: With the Modi government's "Digital India" initiative, what kind of hygiene factors should PSUs have in place from an information security standpoint?
DHINGRA: The good news is that the number of PSUs growing in revenues has increased to 290 in 2014 from 234 in 2012-13; the government is giving sufficient impetus to their growth and providing subsidies. The percentage of loss-making enterprises has declined by 29 percent during the year, triggering government interest in driving the "Digital India" initiative via public and private partnership. There are three initiatives planned in this model: "Make in India," improving ease of doing business with sufficient subsidies and creating "smart cities."
A new entity, Bharat Broadband Network Ltd., has been created with the collaboration of the government telecom Bharat Sanchar Nigam Ltd, power grid and railtek industries, to implement the national optical fibre network project in all Indian villages. New banks have been created via PPP to refinance micro-finance institutions for inclusive growth.
As part of the "Make in India" plan, over US $377.3 million has been sanctioned to PSUs to manufacture telecom and IT products in India. The hygiene factor comes in with these initiatives to ensure data protection. DeitY says there's been a conscious effort from Central Bank to emphasize information security by providing frameworks and guidelines to public sector banks. Also, the IT (Amendment) Act, 2008 has laid the foundation for strengthening cybersecurity and data protection in India. This has implications for the existing regulatory landscape of the banking industry, especially with the introduction of section 43A that mandates body corporates to implement "reasonable security practices" for protecting "sensitive personal information." India's homeland security spend is now larger than the overall defence budget of many countries. This will have a cascading effect on various PSUs in understanding the importance of security. We at SCOPE will drive cybersecurity awareness campaigns among our member bodies who represent large PSUs.