Info. Technology Law
https://www.itlaw.in/rule-8-reasonable-security-practices-and-procedures/
Export date: Mon Oct 18 20:20:13 2021 / +0000 GMT

Rule 8: Reasonable Security Practices and Procedures


(1) A body corporate or a person on its behalf shall be considered to have complied with reasonable security practices and procedures, if they have implemented such security practices and standards and have a comprehensive documented information security programme and information security policies that contain managerial, technical, operational and physical security control measures that are commensurate with the information assets being protected with the nature of business. In the event of an information security breach, the body corporate or a person on its behalf shall be required to demonstrate, as and when called upon to do so by the agency mandated under the law, that they have implemented security control measures as per their documented information security programme and information security policies.

(2) The international Standard IS/ISO/IEC 27001 on "Information Technology - Security Techniques - Information Security Management System - Requirements" is one such standard referred to in sub-rule (1).

(3) Any industry association or an entity formed by such an association, whose members are self-regulating by following other than IS/ISO/IEC codes of best practices for data protection as per sub-rule(1), shall get its codes of best practices duly approved and notified by the Central Government for effective implementation.

(4) The body corporate or a person on its behalf who have implemented either IS/ISO/IEC 27001 standard or the codes of best practices for data protection as approved and notified under sub-rule (3) shall be deemed to have complied with reasonable security practices and procedures provided that such standard or the codes of best practices have been certified or audited on a regular basis by entities through independent auditor, duly approved by the Central Government. The audit of reasonable security practices and procedures shall be carried out by an auditor at least once a year or as and when the body corporate or a person on its behalf undertake significant upgradation of its process and computer resource.
Post date: 2014-11-13 11:46:59
Post date GMT: 2014-11-13 06:16:59

Post modified date: 2019-10-08 00:36:23
Post modified date GMT: 2019-10-07 19:06:23

Export date: Mon Oct 18 20:20:13 2021 / +0000 GMT
This page was exported from Info. Technology Law [ https://www.itlaw.in ]
Export of Post and Page has been powered by [ Universal Post Manager ] plugin from www.ProfProjects.com