Information Technology Act - CA perspective

CA A. Rafeq, FCA, CISA, CIA, CGEIT, Managing Director, Wincer Infotech Limited

Bangalore, 25th Jan. 2012


1. Need for Chartered Accountants to embrace IT
2. Overview of IT Act 2000 and IT Act 2008
3. Impact of IT Act on Government, Enterprises and Individuals – some case studies
4. Impact and opportunities for Chartered Accountants – IT Act


1. Need for Chartered Accountants to embrace IT


Technology: key enabler of business change
• Value does not come miraculously from technology
• Technology only provides a capability
• Value is only realized when this capability is applied and managed as part of a comprehensive programme of business change
• As IT has evolved from automation through information to transformation, the extent and complexity of business change has grown dramatically, and includes:
– Business strategy
– Business processes
– How people work
– Organizational structure
– Technology


• Technology continues to be the one key driver of business growth worldwide, with IT spend continuing to see an annual rise for the foreseeable future – TCS Annual Report 2010-2011.
• Investment in IT is being made because it impacts business performance.

Industrial revolution to Knowledge revolution
• Industrial revolution to the Knowledge revolution – pervasive IT.
• The role of IT in the evolving knowledge society is comparable to that of the railroad during the Industrial Revolution.
• IT is becoming a primary driver of business growth and is expected to make a greater contribution to the success of enterprises.
• Mobile computing gives users the freedom to roam, with access to data and services at any time and in any place.
• The amount of private and enterprise data stored on computers is doubling every 12 to 18 months.

Future of IT
• A Dutch start-up, Sparked, is using wireless sensors on cattle so that when one is sick or pregnant, it sends a message to the farmer.
• Each cow transmits 200 MB of data per year.
• And this is just the beginning of embedded IT.
• We can monitor ourselves this way too: using a wireless cardiac monitor, your physician can check for health risks.



Information and IT: BI, Big Data and Data Analytics

Cloud computing – Global Scenario:
• Cloud services revenue to touch $149 billion in 2014; $55 billion forecast worldwide revenue from public IT cloud services alone.
• 30%: the rate at which cloud computing will grow in 2011, or more than 5 times the rate of the IT industry as a whole.
• 2.3 million jobs: the net new jobs created by cloud on a cumulative basis over the period 2010 to 2015.
• The impact of cloud computing will be very high on the nearly $60 billion outsourcing sector, whose mantra is cost savings. This sector has little choice but to include cloud computing as part of its service portfolio.
• Cloud services cost less than traditional outsourced services, with savings ranging from 20% to 50% depending on the type of service offered.

Cloud computing – Indian Scenario:
• India is ahead of the US in cloud adoption. Top cloud users today are Brazil (27%), Germany (27%), India (26%) and the US (23%).
• The cloud computing market in India is expected to cross USD 1.08 billion by 2015, from USD 110 million in 2010.
• Of the projected $4.5 billion total cloud computing market in India by 2015, private cloud will account for $3.5 billion.
• It will generate about 100,000 additional jobs and save about 50 percent of the cost of IT operations for Indian enterprises.
• India's No. 3 outsourcing firm looks at cloud computing as a "game changer". It is building data centers in India and is implementing private clouds in partnership with other IT firms.
• The cloud has the potential to transform business ecosystems that are relatively under-penetrated by IT due to high capital requirements, such as government, healthcare and education.
• "Cloud computing allows us to deliver standard end-to-end processes as a service to customers using new operating models" – TCS

Impact of IT for CAs in future
• CAs with solid IT skills are needed to design, integrate and implement advanced software systems, as well as to serve as consultants who link hardware/software solutions with sound business plans.
• Many of the traditional, essential skills of CAs are being replaced by new technologies that are increasing in number and being rapidly developed, often from unexpected sources.
• Technology will continue to challenge and reshape our lifestyles, educational experiences, work patterns, and communication styles and techniques. Technology will rewrite the "rules of business", leaving far behind those who will not harness it and integrate it effectively.

Innovation – key to success
There's plenty of evidence that if you don't find dramatically new ways of doing business, you're not going to be in business.

IT – The road ahead for CAs
• The core competencies of a CA are a unique combination of knowledge and skills in various aspects of accounting, assurance, management, information systems, business processes, controls, governance, risk, regulatory compliance, human relations, technology and related areas, relevant for enterprises of all types and oriented towards the objective of providing value and deliverables as per the requirements of clients/users.
• Global studies have shown that the traditional core competencies of CAs need to be enhanced with an increased understanding of technology systems, and that there is an urgent need to develop the ability to process and integrate information across various areas of business practice.
• CA firms have to become IT savvy so as to deploy the optimum level of IT within their firm and also to have the working knowledge of IT required to audit/consult for their clients.

IT – The road ahead for CAs (contd.)
• CA firms have to consider IT not merely as an office asset to be procured for use by staff as an office automation tool, but as a critical infrastructure which has a strategic long-term impact on their service delivery capabilities.
• Interested in providing IT implementation and consulting services? Get a good understanding of technologies, tools, processes and trends… and REGULATIONS.


Example of GRC risk

IT Governance Principle
• "Information Technology is critical to the success of an enterprise. Information Technology is an issue which cannot be relegated solely to management or IT specialists, but must instead receive the focussed attention of both."

The key questions?
Corporate Governance
• How do suppliers of finance get managers to return some of the profits to them?
• How do suppliers of finance make sure that managers do not steal the capital they supply or invest in bad projects?
• How do suppliers of finance control managers?
IT Governance
• How do board and executive management get their CIO and IT organisation to return some business value to them?
• How do board and executive management make sure that their CIO and IT organisation do not steal the capital they supply or invest in bad IT projects?
• How do board and executive management control their CIO and IT organisation?

2. Overview of IT Act 2000 and IT Act 2008

Objectives of the IT Act 2000
• Provide legal recognition for transactions carried out by means of electronic data interchange and other means of electronic communication, commonly referred to as "electronic commerce"
• Facilitate electronic filing of documents with Government agencies and e-payments – e-Governance
• Amend the Indian Penal Code, the Indian Evidence Act 1872, the Banker's Books Evidence Act 1891 and the Reserve Bank of India Act 1934
• Establish Certifying Authorities for Digital Signature
• Recognize Digital Signature
• Impose tough penalties on cyber crimes
• Set up Appellate authorities
• Schedule II provides Guidelines for Implementation and Management of IT Security

Extent of application
• Extends to the whole of India and also applies to any offence or contravention thereunder committed outside India by any person {section 1(2) read with section 75}.
• The Act applies to an offence or contravention committed outside India by any person, irrespective of nationality, if the act involves a computer, computer system or computer network located in India.

Act is NOT applicable to…
(a) a negotiable instrument (other than a cheque) as defined in section 13 of the Negotiable Instruments Act, 1881;
(b) a power-of-attorney as defined in section 1A of the Powers-of-Attorney Act, 1882;
(c) a trust as defined in section 3 of the Indian Trusts Act, 1882;
(d) a will as defined in clause (h) of section 2 of the Indian Succession Act, 1925, including any other testamentary disposition;
(e) any contract for the sale or conveyance of immovable property or any interest in such property;
(f) any such class of documents or transactions as may be notified by the Central Government.

IT Act 2000
• Enacted on 17th May 2000. India is the 12th nation in the world to adopt cyber laws.
• The IT Act is based on the Model Law on Electronic Commerce adopted by UNCITRAL.
• The IT Act was amended by the IT Amendment Act, 2008.
• When the Information Technology Act, 2000 was introduced, it was the first information technology legislation introduced in India! And the Information Technology (Amendment) Act 2008 (effective from October 27, 2009) could be a game changer!
• ITA Rules, 2011.

Objectives of IT Act 2008
• Casts responsibility on body corporates to protect sensitive personal information (Sec. 43A)
• Recognizes and punishes offences by companies and individual (employee) actions (Sec. 43, 66 to 66F, 67, …):
– Sending offensive messages using an electronic medium, or using the body corporate's IT for unacceptable purposes
– Dishonestly receiving stolen computer resource
– Unauthorized access to computer resources
– Identity theft / cheating by personation using a computer
– Violation of privacy
– Cyber terrorism / offences using a computer
– Publishing or transmitting obscene material
• Provides extensive powers for Police and Statutory Authorities

What the IT Act 2008 amendment aims for
• Paradigm shift in the data protection and privacy regime in India:
– Establishing a self-regulation framework
– Maintenance of reasonable security practices and procedures
– Articulating "sensitive personal data or information"
– Adjudication related to data protection and privacy [civil liabilities]
– Providing criminal prosecution vis-à-vis data protection and privacy

Rules to IT Act 2008
• Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011
• Information Technology (Intermediaries guidelines) Rules, 2011
• Information Technology (Electronic Service Delivery) Rules, 2011

Definitions (section 2)
• "computer" means any electronic, magnetic, optical or other high-speed data processing device or system which performs logical, arithmetic and memory functions by manipulations of electronic, magnetic or optical impulses, and includes all input, output, processing, storage, computer software or communication facilities which are connected or related to the computer in a computer system or computer network.
• "computer network" means the inter-connection of one or more computers through (i) the use of satellite, microwave, terrestrial line or other communication media; and (ii) terminals or a complex consisting of two or more interconnected computers, whether or not the interconnection is continuously maintained.

Definitions (section 2)
• "electronic record" means data, record or data generated, image or sound stored, received or sent in an electronic form, or micro film or computer generated micro fiche.
• "secure system" means computer hardware, software and procedure that (a) are reasonably secure from unauthorized access and misuse; (b) provide a reasonable level of reliability and correct operation; (c) are reasonably suited to performing the intended function; and (d) adhere to generally accepted security procedures.
• "security procedure" means the security procedure prescribed by the Central Government under the IT Act, 2000.
• secure electronic record: where any security procedure has been applied to an electronic record at a specific point of time, then such record shall be deemed to be a secure electronic record from such point of time to the time of verification.

Definitions
• "information" includes data, text, images, sound, voice, codes, computer programmes, software and databases, or micro film or computer generated micro fiche.
• "electronic form", with reference to information, means any information generated, sent, received or stored in media, magnetic, optical, computer memory, microfilm, computer generated micro fiche or similar device.

Definitions
• "digital signature" means authentication of any electronic record by a subscriber by means of an electronic method or procedure in accordance with the provisions of section 3.
• "affixing digital signature" means adoption of any methodology or procedure by a person for the purpose of authenticating an electronic record by means of a digital signature.
• "intermediary", with respect to any particular electronic message, means any person who on behalf of another person receives, stores or transmits that message or provides any service with respect to that message.

Electronic Governance
• Legal recognition of electronic records (Sec. 4)
• Where any law provides that information or any other matter shall be in writing or in the typewritten or printed form, then, notwithstanding anything contained in such law, the requirement shall be deemed to have been satisfied if such information or matter is:
» rendered or made available in an electronic form, and
» accessible so as to be usable for a subsequent reference

Recognition for E-Governance
• Provides for the following in electronic form (Sec. 6):
» Filing of any form, application or any other document with any office, authority, body or agency owned or controlled by the appropriate Government in a particular manner
» The issue or grant of any licence, permit, sanction or approval, by whatever name called, in a particular manner
» The receipt or payment of money in a particular manner
» As prescribed by the appropriate Government

A digital signature
• Created using software.
• Each signature is unique to the record signed and is created dynamically by the software.
• The signer's digital signature certificate is issued by the Certificate Authority and is valid for the period allotted.
• Used for identifying and authenticating a user for transactions in the digital world, similar to identifying and authenticating users through physical signatures in the physical world.
• Anyone can confirm whether the digital signature certificate is valid by checking with the Certificate Authority that issued it.

Electronic signature substituted for digital signature in IT Act 2008
• A subscriber may authenticate any electronic record by such electronic signature or electronic authentication technique as is considered reliable and specified in the Second Schedule
• A technique shall be considered reliable if:
– The signature creation data is unique to, and under the control of, the authenticator
– Alterations are detectable
– E.g. PIN, digitised fingerprint or image, retina scan

Impact of Digital Signature
• "As enterprises increasingly use digital signature technologies to support e-commerce, legal issues such as non-repudiation, online contracts and protection of intellectual property will become more common."
• "Business managers, auditors and lawyers need to understand some of the underlying technology as they grapple with the legal implications."

Secure digital signature – S. 15
• If, by application of a security procedure agreed to by the parties concerned, it can be verified that a digital signature, at the time it was affixed, was:
(a) unique to the subscriber affixing it;
(b) capable of identifying such subscriber;
(c) created in a manner or using a means under the exclusive control of the subscriber, and linked to the electronic record to which it relates in such a manner that if the electronic record was altered the digital signature would be invalidated,
then such digital signature shall be deemed to be a secure digital signature.

Public Key Infrastructure
• Allows parties to have free access to the signer's public key
• Assures that the public key corresponds to the signer's private key – trust between parties as if they know one another
• Parties with no trading partner agreements, operating on open networks, need to have the highest level of trust in one another

Certificate based Key Management
(Diagram: User A is certified by CA A and User B by CA B, with the two CAs linked.)
• Operated by a trusted third party – the CA
• Provides trading partners with certificates
• Notarises the relationship between a public key and its owner

The licensing process
• Examining the application and accompanying documents as provided in sections 21 to 24 of the IT Act, and all the Rules and Regulations thereunder.
• Approving the Certification Practice Statement (CPS).
• Auditing the physical and technical infrastructure of the applicants through a panel of auditors maintained by the CCA.

Audit Process
• Adequacy of security policies and implementation thereof.
• Existence of adequate physical security.
• Evaluation of functionalities in technology as it supports CA operations.
• CA's services administration processes and procedures.
• Compliance to the relevant CPS as approved and provided by the Controller.
• Adherence to the Information Technology Act 2000, the rules and regulations thereunder, and guidelines issued by the Controller from time to time.
• Adequacy of contracts/agreements for all outsourced CA operations.

PKI Hierarchy
(Diagram)
• CCA (root) – publishes a directory of certificates and CRLs
• CAs (several, each licensed and certified by the CCA) – each publishes its own directory of certificates and CRLs
• Subscribers – hold certificates issued by a CA
• Relying party – uses the directories of certificates and the CRLs to check a subscriber's certificate
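How the S. 15 criteria and the hierarchy above fit together is easiest to see in code. The following is an added example written for this page, not code from the presentation or from any Indian CA or the CCA: with Go's standard library it builds a three-level chain (a self-signed root standing in for the CCA, a CA certified by it, and a subscriber certified by the CA), signs a constructed electronic record with the subscriber's key, and then runs the relying party's checks. The names, serial numbers, the ECDSA P-256 key type and the record text are assumptions for illustration; the CRL lookup shown in the diagram is not part of this example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// check keeps the demo short: the only failures below are a broken RNG or a bad template.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// Party is one key holder in the hierarchy: the root (CCA), a licensed CA, or a subscriber.
type Party struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

// issue creates a key pair and certificate for name: self-signed when issuer is nil (the root), otherwise signed by the issuer, which notarises the link between the public key and its owner.
func issue(name string, serial int64, issuer *Party, isCA bool) *Party {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA { // a CA key certifies others and signs CRLs; it does not sign records
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	parent, signer := tmpl, key // self-signed unless an issuer vouches for the key
	if issuer != nil {
		parent, signer = issuer.Cert, issuer.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return &Party{Key: key, Cert: cert}
}

// Sign affixes a digital signature to an electronic record. Signing the SHA-256 digest links
// the signature to that exact record, so any alteration invalidates it (S. 15(c)).
func Sign(p *Party, record []byte) []byte {
	digest := sha256.Sum256(record)
	sig, err := ecdsa.SignASN1(rand.Reader, p.Key, digest[:])
	check(err)
	return sig
}

// VerifyRecord is the relying party's check: the subscriber certificate must chain to the
// trusted root through the CA, and the signature must verify over exactly the record presented.
func VerifyRecord(record, sig []byte, sub, ca, root *x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := sub.Verify(opts); err != nil { // also enforces validity period and CA flags
		return fmt.Errorf("certificate not trusted: %w", err)
	}
	pub, ok := sub.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return fmt.Errorf("unexpected key type %T", sub.PublicKey)
	}
	digest := sha256.Sum256(record)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return fmt.Errorf("signature does not match record: altered or forged")
	}
	return nil
}

// RunScenario builds CCA -> CA -> subscriber, signs a constructed record, and reports whether the genuine record verifies, an altered copy is rejected, and an untrusted signer is rejected.
func RunScenario() (genuineAccepted, tamperedRejected, impostorRejected bool) {
	cca := issue("CCA root", 1, nil, true)
	ca := issue("Licensed CA", 2, cca, true)
	sub := issue("Subscriber", 3, ca, false)
	impostor := issue("Subscriber", 3, nil, false) // same name and serial, but no licensed CA vouches for it
	record := []byte("Constructed e-record: pay Rs 1,00,000 to account 12345") // sample input, not from the slides
	sig, isig := Sign(sub, record), Sign(impostor, record)
	altered := bytes.Replace(record, []byte("1,00,000"), []byte("10,00,000"), 1)
	return VerifyRecord(record, sig, sub.Cert, ca.Cert, cca.Cert) == nil,
		VerifyRecord(altered, sig, sub.Cert, ca.Cert, cca.Cert) != nil,
		VerifyRecord(record, isig, impostor.Cert, ca.Cert, cca.Cert) != nil
}

func main() {
	fmt.Println(RunScenario())
}
```

`go run` prints `true true true`: the genuine record verifies, the copy with the amount changed after signing fails at the signature step (criterion (c)), and the self-signed "Subscriber" key fails at the chain step because nothing in the CCA hierarchy vouches for it, even though its name and serial number are identical. In production the relying party would additionally consult the CA's CRL before accepting the certificate.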

Section 12 – Acknowledgement of Receipt
• If the originator has not specified a particular method: any communication, automated or otherwise, or any conduct indicating receipt.
• If it is specified that an acknowledgement of receipt is necessary: then, unless the acknowledgement has been received, the electronic record shall be deemed never to have been sent.
• Where the acknowledgement is not received within the time specified, or within a reasonable time, the originator may give notice to treat the electronic record as though it had never been sent.

Section 13 – Dispatch of Electronic Record
• Unless otherwise agreed, dispatch occurs when the electronic record (ER) enters a computer resource outside the control of the originator.
• If the addressee has a designated computer resource: receipt occurs when the ER enters the designated computer resource; if the ER is sent to a computer resource of the addressee that is not the designated one, receipt occurs when the ER is retrieved by the addressee.
• If no computer resource has been designated, receipt occurs when the ER enters the computer resource of the addressee.
• The ER is deemed to be dispatched at the place where the originator has his place of business, and received at the place where the addressee has his place of business; failing a place of business, the usual place of residence.

Civil Wrongs under IT Act – Chapter IX, Section 43
• Whoever, without permission of the owner of the computer:
– Secures access (mere unauthorised access is enough)
– Downloads, copies or extracts any data
– Introduces or causes to be introduced any virus or contaminant
– Damages or causes to be damaged any computer resource
– Disrupts or causes disruption of any computer resource
– Prevents the normal continuance of a computer
– Destroys, deletes, alters, adds, modifies or rearranges data, or changes the format of a file
• Not necessarily through a network

Key Provisions of the IT Act for corporates – Sec. 43A
• The responsibility of a body corporate for protection of stakeholder information arises primarily from Section 43A of the Information Technology Act, 2008, which provides as follows:
• "Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected."

TYPES OF CYBER CRIMES
Classified as crimes against persons, crimes against property and crimes against Government. Examples:
• Cyber terrorism
• Cyber pornography
• Defamation
• Cyber stalking (section 509 IPC)
• Sale of illegal articles – narcotics, weapons, wildlife
• Online gambling
• Intellectual property crimes – software piracy, copyright infringement, trademark violations, theft of computer source code
• Email spoofing
• Forgery
• Phishing
• Credit card frauds

Provision affecting body corporates – Section 85:
• "Where a person committing a contravention of any of the provisions of this Act or of any rule, direction or order made thereunder is a company, every person who, at the time the contravention was committed, was in charge of, and was responsible to, the company for the conduct of business of the company, as well as the company, shall be guilty of the contravention and shall be liable to be proceeded against and punished accordingly."

3. Impact on Government, Enterprises and Individuals – some case studies

Impact of IT Act
Overall impact:
• Recognition of electronic records
• Electronic filing of records
• Legal recognition for digital signature
Specific impact:
• How could digital signatures be used within the company?
• How could digital signatures be used for business operations with customers and suppliers?
• How could digital signatures be used for new business avenues?
• How will it impact the way your company maintains its records and conducts business operations?

Security implications – different dimensions
GOVERNMENT: Regulations and policies, lawful interception
ENTERPRISES: Contractual, compliance, risk management, IT security strategy
NETIZEN: Data privacy, safe browsing

Section 43A
• "body corporate" means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities
• "reasonable security practices and procedures" means security practices and procedures designed to protect such information from unauthorised access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties or as may be specified in any law for the time being in force and, in the absence of such agreement or any law, such reasonable security practices and procedures as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.
• "sensitive personal data or information" means such personal information as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.

Why Cyber law Compliance is a burning issue?
• ITA 2008 has given a security orientation to cyber law in India
• Cyber security is no longer only a technical issue
• It is a legal prescription under ITA 2008
• Every corporate entity should therefore implement a structured plan of action, through a Cyber Law Compliance programme, to ensure that it is not liable under ITA 2008

Seven basic compliance requirements
• Designate a Cyber Law Compliance officer
• Initiate training of employees on Cyber Law Compliance
• Introduce sanction procedures in HR policy for non-compliance
• Use the authentication procedures suggested in law
• Maintain data retention as suggested under Section 67C
• Identify and initiate the safeguard requirements indicated under Sections 69, 69A, 69B and 43A
• Initiate global standards of data privacy on collection, retention, access, deletion etc.

Categories of Cybercrimes
Offences (sections 65 to 74), categorized as offences against:
Property
• Tampering with computer source documents
• Hacking
Person
• Obscenity
• Cyber trespass
• Confidentiality and privacy
Sovereignty/government/authority
• Interception of information affecting sovereignty
• Unauthorized access to protected systems
• Non-compliance with directions of the Controller
• Misrepresentation for obtaining a Digital Signature Certificate
• Digital Signature Certificate for fraudulent or unlawful purpose
• Publishing a Digital Signature Certificate false in particulars

Cyber Terrorism is defined in Section 66F
• Whoever threatens the unity, integrity, security or sovereignty of India, or strikes terror in the people, by:
1. Denying access to a computer resource, or
2. Accessing a computer resource without authority, or
3. Introducing any computer contaminant,
and thereby causes death or destruction of property; or
• Penetrates restricted computer resources or obtains information affecting sovereignty, integrity, security, friendly relations with foreign states, public order, decency, contempt of court or defamation, or to the advantage of a foreign state or group of persons.
• It is punishable with imprisonment up to life.

Forgery – Andhra Pradesh Tax Case
• In explanation of the Rs. 22 crore recovered from the house of the owner of a plastics firm by the sleuths of the vigilance department, the accused person submitted 6000 vouchers to legitimize the amount recovered.
• All vouchers were fake computerized vouchers: after careful scrutiny of the vouchers and the contents of his computers, it was revealed that all of them had been made after the raids were conducted.

Cyber stalking
• Ritu Kohli (the first lady to register a cyber stalking case) is a victim of cyber-stalking.
• A friend of her husband gave her phone number and name on a chat site for immoral purposes.
• A computer expert, Kohli was able to trace the culprit.
• Now the latter is being tried for "outraging the modesty of a woman" under Section 509 of IPC.

Cyber defamation
• SMC Pneumatics (India) Pvt. Ltd. v. Jogesh Kwatra: India's first case of cyber defamation was reported when a company's employee (defendant) started sending derogatory, defamatory and obscene e-mails about its Managing Director.
• The e-mails were anonymous and frequent, and were sent to many of the company's business associates to tarnish the image and goodwill of the plaintiff company.
• The plaintiff was able to identify the defendant with the help of a private computer expert and moved the Delhi High Court.
• The court granted an ad-interim injunction and restrained the employee from sending, publishing and transmitting e-mails which are defamatory or derogatory to the plaintiffs.

Cases of money laundering / Online gambling: virtual casinos
• Cyber lotto case: In Andhra Pradesh one Kola Mohan created a website and an email address on the Internet which showed his own name as beneficiary of 12.5 million pounds in a Euro lottery.
• After getting confirmation from the email address, a Telugu newspaper published this as news.
• He gathered huge sums from the public as well as from some banks.
• The fraud came to light only when a cheque amounting to Rs 1.73 million, discounted by him with Andhra Bank, got dishonoured.

Case Study – BPO Data Theft
• The recently reported case of a bank fraud in Pune, in which some ex-employees of MSource, the BPO arm of MPhasis Ltd, defrauded US customers of Citibank to the tune of Rs 1.5 crores, has raised concerns of many kinds, including the role of "Data Protection".
• The crime was obviously committed using "Unauthorized Access" to the "Electronic Account Space" of the customers. It is therefore firmly within the domain of "Cyber Crimes".

BPO data theft – Case Study (contd.)
• The BPO is liable for the lack of security that enabled the commission of the fraud, as well as because of its vicarious responsibility for the ex-employees' involvement: the PIN numbers were obtained during the tenure of the persons as "employees", and hence the organization is responsible for the crime.
• At the same time, if the crime is investigated in India under ITA-2000, then the fact that the Bank was not using digital signatures for authenticating the customer instructions is a matter which would amount to gross negligence on the part of the Bank.
• Some of the persons who assisted others in the commission of the crime, even though they may not be directly involved as beneficiaries, will also be liable under Section 43 of ITA-2000.
• Under Section 79 and Section 85 of ITA-2000, vicarious responsibilities are indicated both for the BPO and for the Bank on the grounds of "Lack of Due Diligence".

Case Study – Extortion of Money Through Internet
• The complainant received a threatening email demanding protection money from an unknown person claiming to be a member of the Halala Gang, Dubai. Police registered a case u/s 384/506/511 IPC.
• The sender of the email used the email ID xyz@yahoo… and signed as Chengez Babar.
• Both the email accounts were tracked, details were collected from ISPs and the locations were identified.
• The cyber cafés from which the emails had been sent were monitored and the accused person was nabbed red-handed.

Email spoofing:
• Pranab Mitra, a former executive of Gujarat Ambuja Cement, posed as a woman, Rita Basu, and created a fake e-mail ID through which he contacted one V. R. Ninawe, an Abu Dhabi businessman.
• After a long cyber relationship and emotional messages, Mitra sent an e-mail that "she would commit suicide" if Ninawe ended the relationship. He also gave him "another friend Ruchira Sengupta's" e-mail ID, which was in fact his second bogus address.
• When Ninawe mailed the other ID he was shocked to learn that "Rita" had died and that the police were searching for Ninawe.
• Mitra extorted a few lakh rupees as advocate fees etc. Mitra even sent e-mails as high court and police officials to extort more money.
• Ninawe finally came down to Mumbai to lodge a police case.

Bankrupt complainant approaches Police
• The complainant realizes he has been cheated and approaches the Police. Total amount obtained by the perpetrator: Rs 1.25 crore.
• The IP addresses embedded in all e-mails received by the complainant reveal the origin to be either Ambuja Cement Company or a residential address at Nerul; the money went to a bank account at Chembur.
• Police swing into action and raid the addresses.
• Two laptops recovered at the said place contain most of the e-mail communication made under the various identities such as Ruchira, Advocate Mitra, New York Police, Kolkata Police etc.
• The man assuming all these identities was identified as P. M., an employee of Gujarat Ambuja.

4. Impact and opportunities for Chartered Accountants

Chartered Accountants
Traditional areas:
• Internal auditing
• Filing of returns
• Compliance
• MIS
New areas:
• Electronic filing of documents
• Web based business
• Web assurance policies
• e-Enabling business operations

eCommerce – Concepts and impact
• eCommerce refers to the use of technology to enhance the processing of commercial transactions between a company, its customers and its business partners.
• eCommerce transactions over the Internet include:
– Formation of contracts
– Delivery of information and services
– Delivery of content
• eCommerce has vast potential to change the way business is conducted.
• Traditional sources of competitive advantage will be supplanted; power and control will shift from suppliers to customers; global markets will become accessible to all comers and the traditional role of middlemen will be undermined.

eCommerce Issues
1. Web merchants may be bogus
2. Customers may be fictitious
3. Electronic documents on the Web may not be authentic
4. Trading partners may deny they were a party to the transaction
5. Transactions may be intercepted, tampered with or replayed
6. Digital signatures and electronic records may not be recognized as evidence in courts of law
7. Transactions may be hard to substantiate, causing problems of accounting recognition
8. Audit trails may be lacking or easily tampered with

Minimum Security Requirement for eCommerce
(The slide shows a paper letter – Ref:, Sub:, "Sir, This is with reference to your Ref vide …", signed "Vikram" – and asks what replaces each physical safeguard.)
• The letterhead and signature on the original document give AUTHENTICATION, INTEGRITY and NON-REPUDIATION – replaced by ?
• The envelope gives CONFIDENTIALITY – replaced by ?

The Answer
• AUTHENTICATION, INTEGRITY, NON-REPUDIATION: the letterhead and signature on the original document are replaced by a cryptographic digital signature
• CONFIDENTIALITY: the envelope is replaced by encryption
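As an added example that is not part of the original slides, the following Go code shows the "envelope" half of the table above: the record is sealed with a one-time AES-256-GCM key and that key is wrapped for the recipient with RSA-OAEP, so only the intended recipient can open it and any change in transit is detected. The key sizes, the party names and the record text are assumptions made for illustration; the signature half of the table (authentication, integrity, non-repudiation) is the digital signature discussed earlier and is not repeated here.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// Envelope is what travels over the open network: the record sealed under a one-time
// AES-256-GCM key, plus that key wrapped with the recipient's RSA public key.
type Envelope struct {
	WrappedKey []byte // RSA-OAEP(recipient public key, AES key): only the recipient can unwrap it
	Nonce      []byte // 12-byte GCM nonce, fresh for every message
	Sealed     []byte // AES-GCM ciphertext followed by its 16-byte authentication tag
}

// Seal encrypts record so that only the holder of the private key matching recipient can
// read it. Hybrid scheme: the symmetric cipher handles the bulk, RSA only the 32-byte key.
func Seal(recipient *rsa.PublicKey, record []byte) (*Envelope, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Sealed: gcm.Seal(nil, nonce, record, nil)}, nil
}

// Open is the recipient side: unwrap the AES key with the private key, then decrypt.
// GCM's tag check makes any modification of the sealed bytes fail, so the envelope gives
// integrity of the ciphertext as well as confidentiality.
func Open(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap key (wrong recipient?): %w", err)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	plain, err := gcm.Open(nil, env.Nonce, env.Sealed, nil)
	if err != nil {
		return nil, fmt.Errorf("envelope damaged or tampered: %w", err)
	}
	return plain, nil
}

// Demo seals a constructed record for one recipient and reports whether the recipient could
// read it, whether a one-bit change in transit was detected, and whether a party holding a
// different key was refused.
func Demo() (readable, tamperDetected, wrongKeyRefused bool, err error) {
	recipient, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	eavesdropper, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	record := []byte("Constructed record: confidential bid of Rs 50,00,000") // sample input, not from the slides
	env, err := Seal(&recipient.PublicKey, record)
	if err != nil {
		return
	}
	got, openErr := Open(recipient, env)
	readable = openErr == nil && bytes.Equal(got, record)

	damaged := *env
	damaged.Sealed = append([]byte(nil), env.Sealed...)
	damaged.Sealed[0] ^= 0x01 // flip one bit of the ciphertext in transit
	_, openErr = Open(recipient, &damaged)
	tamperDetected = openErr != nil

	_, openErr = Open(eavesdropper, env)
	wrongKeyRefused = openErr != nil
	return
}

func main() {
	r, t, w, err := Demo()
	fmt.Println("readable:", r, "tamper detected:", t, "wrong key refused:", w, "err:", err)
}
```

Note what the envelope does not give: the recipient learns that the content was not altered after sealing, but not who sealed it, since anyone with the recipient's public key can produce a valid envelope. Non-repudiation still needs the sender's digital signature over the record, applied before sealing.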

Digital Certificates in eCommerce
• Verification of customer, merchant, bank
• Secure e-mail
• Receipt of purchase orders, contracts and other important electronic documents
• Non-repudiation
• Time stamping
• Authentication
• Legal evidence

Impact on traditional areas – key issues impacting CAs
Authenticity: How do we implement a system that ensures that transactions are genuine and authorized?
Reliability: How do we rely on information which does not have physical documents?
Accessibility: How do we gain access to, and authenticate, this information, which is in digital form?

Control Objectives for eCommerce
• Business and control objectives do NOT change, e.g.:
– Goods sold are as per customer order
– Delivered to the correct customer
– Payment is correct and made to the correct supplier
– Transactions are correctly recorded, etc.
• However, the monitoring tools and techniques used need to change

Sample checklist for evaluation
Section 43A: (a) Are the various components of "sensitive personal data or information" vis-à-vis users/customers defined by the enterprise? (b) Does the enterprise have a security policy? Is the security policy documented?
Section 67C: Does the enterprise have an electronic record preservation and retention policy?
Section 69B: Has the enterprise adopted/established appropriate policy, procedures and safeguards for monitoring and collecting traffic data or information? Are these documented?

Sample checklist for evaluation (contd.)
Section 70B: Does the enterprise have an appropriate documented procedure to comply with the requests of CERT-In regarding cyber security incidents?
Section 72A: (a) Does the enterprise have an adequate privacy policy? (b) Has the enterprise provided an opt-in/opt-out clause in the privacy policy?
General:
1. Has the enterprise appointed a designated officer/nodal officer/computer-in-charge to comply with the directions of the competent authority/agency under the various provisions of the Act?
2. Are the details of such designated officer/nodal officer readily available online (on your website)?

Key Concepts to Take Away
• Implications of IT Act 2000:
– More pervasive as we move on
– Definite role to play
– Are we ready and equipped?
– Do we have the vision and long term focus?
• Certificate Authorities and Digital Signatures will be key enablers of eCommerce
• eCommerce offers exciting avenues



All challenges are opportunities. IT is one such continuing challenge.