Why are standards gaining relevance? The key drivers for security and privacy in the industry have always been business, market and regulatory needs. Today, every enterprise – public or private – is well aware of the consequences for its business, brand and market share of not protecting its critical information assets, including consumer personal information. In addition, regulations – omnibus laws such as those in European countries, or sector-specific regulations that indirectly address data privacy and security, such as the Banking Regulations Act and CICRA in India and HIPAA and GLBA in the United States – help bring accountability to organizations and provide grievance redressal mechanisms to consumers in the event of a breach. But regulations do not specify how organizations need to meet security and privacy needs, nor are they intended to! Moreover, with emerging technologies and business process innovations such as IoT, Big Data and Smart Cities, and the corresponding growth of the threat landscape, it is difficult for regulations to keep pace. It is here that standards play a key role in bridging the gap between regulations and industry practices.
In what areas do we have the opportunity to contribute? JTC 1/SC 27 of ISO has five Working Groups (WGs), which prepare the content of the standards, process comments received from around the world, and ultimately finalize the work for submission as a draft international standard. The nature of the standards that come under the purview of each WG is highlighted below:
- WG1 – Information security management systems
- WG2 – Cryptography and security mechanisms
- WG3 – Security evaluation, testing and specification
- WG4 – Security controls and services
- WG5 – Identity management and privacy technologies
Some of the upcoming projects on standards cover interesting areas such as data de-identification, encryption algorithms, cloud security, IoT and application security.
Why should we participate? As a leading player in IT in the global arena, we have tremendous potential, and a real stake, in influencing standards development in the interest of Indian industry, and in playing the role of leader rather than follower. In the field of security and privacy there are also regional, demographic and cultural factors that influence each country’s inputs to standards development, and some of them may be unfavorable for us. Examples of such aspects are data localization, encryption and public disclosure of data processing, where there are divergent views between countries. Moreover, the present emphasis by the Indian government on augmenting the Indian cyber security industry makes it all the more important to significantly increase our presence in this international forum. DSCI is playing a key role in driving this along with BIS, and their effort in connecting with industry on this initiative over the last few years has resulted in a very good beginning, but we have a long way to go, and each of us has a role to play in making a difference.
Where are we today? ISO being the leading international standards body, its standards are widely adopted by industry globally, including by Indian organizations. While adoption of ISO standards has been widespread in India, often driven as a requirement by clients from various parts of the world, our participation in standards development fora is minimal – in fact, in the ISO/IEC JTC 1/SC 27 committee on IT Security techniques, our participation started only relatively recently and we are far from making a significant impact. I myself attended the last ISO SC27 conference in Kuching, and as I witnessed the standards development process, I was perturbed to see only three of us from India whereas the participation from several other nations was in large numbers – that too when India’s status in ISO is ‘participating country’ rather than ‘observer country’. Remote participation does not help, since the inputs of those members who do not attend but send comments by email are not considered. Whether we like it or not, the process requires members to be physically present, and to support and articulate to the committee during the meeting why their views are important and should be considered. Also, since there are multiple parallel sessions of the various working groups at any time, attending in small numbers does not help much.
How can we increase participation? Those of us from industry, academia and R&D associated with IT security and privacy who can make time for this initiative should come forward, volunteer and join this committee by becoming a member of BIS’ LITD 17, the mirror committee of the ISO SC 27 committee. Having said that, getting support from organizations to sponsor an employee’s participation is easier said than done, given the resource crunch and the common question we all face from senior management and the company board: “What is the RoI it will bring for us in the next few quarters?”. The industry needs to take a long-term view and consider the indirect benefits that will accrue from such participation, and our role is to articulate that to our management. Needless to say, one needs to choose those areas among the five working groups of SC 27 that are likely to be of maximum interest for one’s organization, and also for Indian interests as decided during BIS meetings. In the long run, it will not only benefit India but also the organizations we represent and ourselves, in building domain knowledge! It is the choice we have to make: do we create standards that help Indian industry grow, or follow those created by other nations?