
About Us
 

Avanzo is a Techno-Legal Security Solution provider, dealing with all aspects of cyber security in corporate organizations. We provide:

 

  • Consultancy in formulating SECURITY POLICIES for Corporates
  • Independently conduct cyber investigations for corporates
  • Training for MNCs, Govts and Police Departments
  • Conduct Cyber Legal Audit (IT Act) & IS Audit for Banks
  • Advice on Intellectual Property Rights (IPR) in cyber space
  • Advice on best practices in e-commerce
  • Draft contracts, agreements and disclaimers for the purpose of e-commerce
  • Provide Techno-Legal remedies for corporates, govt. houses & investigation depts.
  • Conduct Security Audit as per ISO 27001 and recommend for certification
  • Assist police in cyber crime investigation
  • Retrieve evidence acceptable in a court of law
  • Present the case before adjudicating officers (only in India)

 

 

Information Technology Act 2000

 

Digital technology and new communication systems have made dramatic changes in our lives. Business transactions are being made with the help of computers. The business community as well as individuals are increasingly using computers to create, transmit and store information in electronic form instead of traditional paper documents. People are aware of the advantages of this technology but are reluctant to conduct business or conclude business transactions in electronic form due to the lack of a legal framework. Keeping in view the urgent need to recognise and facilitate electronic commerce and electronic governance, this Act has come into being.

 

The term CYBER or CYBERSPACE signifies everything related to computers: the Internet, websites, data, e-mails, networks, software, data storage devices (such as hard disks, USB drives etc.) and even electronic devices such as cell phones, ATM machines etc.

The areas covered under Cyber Law or the “Law governing Cyber Space” include:

 

  1. Cyber Crime
  2. Electronic Commerce
  3. Intellectual Property Rights (IPR) in as much as it applies to cyber space.
  4. Data protection and privacy.

 

Section 43 – PENALTIES AND ADJUDICATION

 

Penalty for damage to computer, computer system, etc.

If any person, without permission of the owner or any other person who is in charge of a computer, computer system or computer network,

(a) accesses or secures access to such computer, computer system or computer network;

(b) downloads, copies or extracts any data, computer data base or information from such computer, computer system or computer network, including information or data held or stored in any removable storage medium;

(c) introduces or causes to be introduced any computer contaminant or computer virus into any computer, computer system or computer network;

(d) damages or causes to be damaged any computer, computer system or computer network, data, computer data base or any other programmes residing in such computer, computer system or computer network;

(e) disrupts or causes disruption of any computer, computer system or computer network;

(f) denies or causes the denial of access to any person authorized to access any computer, computer system or computer network by any means;

(g) provides any assistance to any person to facilitate access to a computer, computer system or computer network in contravention of the provisions of this Act, rules or regulations made thereunder;

(h) charges the services availed of by a person to the account of another person by tampering with or manipulating any computer, computer system or computer network;

he shall be liable to pay damages by way of compensation not exceeding one crore rupees to the person so affected.


Information Technology (Amendment) Act, 2008:

The Information Technology (Amendment) Act, 2008 has introduced several amendments into the Information Technology Act, 2000, summarised below:

 

1. The concept of electronic signature has been introduced. Henceforth the law will be technology neutral, as "electronic signature" is a generic term covering all technologies for digital authentication.

2. The upper limit of Rs.1 crore fixed for compensation for cases falling under section - 43 has been removed. The amended law does not put any upper limit for the compensation. The jurisdiction of adjudicating officers has been capped at Rs.5 crores. For compensation claims above that amount, the jurisdiction will lie with the relevant courts.

3. Two more issues have been covered under section 43, viz.:

(i) Destruction, deletion or alteration of information residing in a computer resource, as well as diminishing the value or utility of such information.

(ii) Stealing, concealing, destroying or altering, or causing any person to steal, conceal, destroy or alter, any computer source code used for a computer resource with an intention to cause damage.

4. A new section 43A has been introduced that makes a company dealing with or handling any sensitive personal data liable for negligence in implementing and maintaining reasonable security practices and procedures. This affects BPOs, call centres, banks, insurance companies, finance companies, PSUs and, in short, all individual and corporate entities handling such data.

5. The earlier provisions relating to hacking in section 66 have been substituted by a much wider scope.

6. Various new offences have been introduced in the Act, including:

a. sending offensive messages through a communication service, etc.;

b. dishonestly receiving a stolen computer resource or communication device;

c. identity theft;

d. cheating by personation using a computer resource;

e. violation of privacy;

f. cyber terrorism;

g. publishing or transmitting material containing a sexually explicit act;

h. publishing or transmitting material depicting children in a sexually explicit act;

i. disclosure of information in breach of a lawful contract.

 

7. The method of blocking websites, etc. has been streamlined, and the powers and duties of the Indian Computer Emergency Response Team have been set out in the Act.

8. The power to investigate offences is now vested with officers not below the rank of Inspector of Police (earlier it was not below the rank of Deputy Superintendent of Police).

9. The post of Examiner of Electronic Evidence has been introduced to provide expert opinion on evidence in electronic form before any court or other authority.

10. Punishment for attempting to commit offences, and for abetment of offences, has been prescribed.


Compensation for failure to protect Data

 

Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected.

This section provides scope for introducing the definition of "Sensitive Personal Data or Information" (subject to notification), and also imposes a responsibility on data handlers to follow "Reasonable Security Practices". The victim of a breach of privacy is provided a remedy to claim compensation from the body corporate that has been negligent.

 

Explanation: for the purposes of this section:

  • Body corporate: means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities.
  • Reasonable security practices and procedures (# amended in April, 2011): means security practices and procedures designed to protect such information from unauthorized access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties or as may be specified in any law for the time being in force, and in the absence of such agreement or any law, such reasonable security practices and procedures as may be prescribed by the central government in consultation with such professional bodies or associations as it may deem fit.
  • Sensitive personal data or information: means such personal information as may be prescribed by the central government in consultation with such professional bodies or associations as it may deem fit.
  • Computer: means any electronic, magnetic, optical or other high speed data processing device or system which performs logical, arithmetic and memory functions by manipulation of electronic, magnetic or optical impulses, and includes all input, output, processing, storage, computer software or communication facilities which are connected or related to the computer in a computer system or computer network.

 

The need of the hour is to protect companies and their top management by adopting cyber security practices on a proactive basis; as the saying goes:

‘Prevention is better than cure’.

Further, all corporates dealing with data need to exercise due diligence, which is critical for limitation of liability. Due diligence should be properly documented.

There is a need to limit potential legal exposure, both civil and criminal, for companies and their top management, and to avoid the heavy penal provisions of the law.

 

============================================================

# Rule 7(4) of the Information Technology (Reasonable security practices and procedures and sensitive personal information) Rules, April 2011 states that

"The body corporate who has implemented either IS/ISO/IEC 27001 standard or the codes of best practices for data protection as approved under sub-rule (3) shall be deemed to have complied with reasonable security practices and procedures".

============================================================

 

 

AVANZO provides Consultancy in formulating SECURITY POLICY and the pre-requisites for the ISO/IEC 27001 Certification.

 

 

ISO/IEC 27001:2005 is an International Standard for Information Security Management Systems, and it has now been approved by the Indian Govt. as the best practice for data protection under the IT Act 2000, sub-rule (3). This standard helps organizations meet all their information-related regulatory compliance objectives and can help them prepare and position themselves for new and emerging regulations.

 

Information is the lifeblood of today's organization and, therefore, ensuring that information is simultaneously protected and available to those who need it, is essential to modern business operations. Information systems are not usually designed from the outset to be secure. Technical Security Measures and Checklists are limited in their ability to protect a complete information system. Management systems and procedural controls are essential components of any really secure information system and, to be effective, need careful planning and attention to detail.

 

ISO/IEC 27001 requires that management:

(1)     Systematically examine the organization's information security risks, taking account of the threats, vulnerabilities and impacts;

(2)     Design and implement a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable; and

(3)     Adopt an overarching management process to ensure that the information security controls continue to meet the organization's information security needs on an ongoing basis.

 

ISO/IEC 27001 provides the specification for an information security management system and it draws on the knowledge of a group of experienced information security practitioners in a wide range of significant organizations across more than 40 countries to set out best practice in information security. An ISO 27001-compliant system will provide a systematic approach to ensuring the availability, confidentiality and integrity of corporate information. The controls of ISO 27001 are based on identifying and combating the entire range of potential risks to the organization’s information assets.

 

 

AVANZO Services Summary:


AVANZO provides a full range of Information Security Management Services to companies, corporate entities, government agencies, institutions and regulated entities. These services include:

(1)     Information Security Assessments

(2)     Risk Assessments

(3)     Policies Development

(4)     Awareness & Education Programs

(5)     Security Metrics

(6)     ISO 27001 Registration Assistance

(7)     Research and educational programme

 

Please contact us for a full presentation of our services.

 

 

Information Security Assessment

 

Our core service is to assist our clients in developing defensible Information Security Programs that address legal and commercial requirements and are structured according to an international standard. Our assessment is a four-step process that results in an Information Security Plan:

  1. Program coverage and effectiveness are measured against ISO standards 27001 and 17799. Legal & commercial requirements help determine the criticality of controls.
  2. Opportunities for improvement are identified & grouped into project recommendations.
  3. Project recommendations are prioritized in terms of increasing coverage and effectiveness, and addressing critical controls.
  4. Projects are reviewed with management, and comprise the Information Security Plan, the implementation of which increases Program coverage and effectiveness.

Risk Assessments

 

An effective Information Security Program bases its decisions about which controls to deploy on an analysis of the risks it faces. Risk Assessments, the processes used to identify and understand these risks, may vary in scope:

  1. Comprehensive - an examination of all types of risks throughout the enterprise, including those introduced by major changes in the environment;
  2. Application-Based - an assessment of risks in applications and on supporting infrastructure throughout the Development Life Cycle;
  3. Third Party - an evaluation of risks associated with using third parties;
  4. Vulnerability - the identification of technical (e.g. out-of-date patches) and non-technical (e.g. awareness) vulnerabilities using scans, penetration tests, etc.; and
  5. Ad Hoc - risk assessments performed on new technologies, acquisitions, etc.

Companies should base the selection and frequency of use of risk methodologies on the value of the information processed and stored. AVANZO can help you select and implement appropriate methodologies.

 

Security Policies

 

While security policies are often considered the foundation on which all of security is based, some companies struggle with levels of depth and keeping policies current, while others lack any statement of policy altogether.

Even with extensive technology-based controls, a firm cannot fully substantiate its Information Security Program without a current, comprehensive, and communicated set of policies. In our view, companies achieve this through a continuous process encompassing the following five elements:

  • drafting body;
  • framework;
  • approval body;
  • communication;
  • updates and exception handling.

We have the experience and approach to create a base set of policies for you, or to enhance your existing policies to fully address all your security requirements, including those established by legal, regulatory, and commercial entities.

 

Awareness & Training

 

In many organizations, the evening news is the only security education employees receive (typically about lost computer tapes or stolen laptops containing social security numbers).

However, with the number of social engineering techniques, such as "phishing" and "pharming," on the rise, organizations should actively and continuously educate their employees and contractors about security responsibilities, good security practices, and potential means of information theft. Sole reliance on the evening news and anti-virus protections is just not enough.

A comprehensive, annual, and fully implemented user awareness and training plan is the best means of coordinating this education, which is as much a part of an effective Information Security Program as are policies and technology. Drawing on a number of proven techniques, such as "top 10 lists," on-line training, bulletins, and web portals, we will help you construct a cost-effective user awareness and training plan.

 

 

Security Metrics

 

Security professionals often use metrics to substantiate value to the organization, justify requests for additional funding, or demonstrate meeting certain objectives, like completing projects on time or applying security patches in a timely manner.

While they have a plethora of data, many staff lack the time and expertise to present that data and apply appropriate benchmarks in ways that can be understood and accepted by audiences outside their organizations. We have the experience and methodologies to give meaning and "life" to your metrics program. We enhance a NIST-based approach to help our clients focus on elements that have been shown to be effective in organizations with successful metrics programs, including those supporting various ISO registrations.

 

ISO27001 Registration Assistance

 

To prepare you for ISO27001 registration, AVANZO offers the following services:

(1)   The classification of information;   

(2)   Risk Assessment;

(3)   Establishment of the Information Security Management System;

(4)   Creation of policies, Statements of Applicability and Controls, and other documentation required for registration;

(5)   A pre-assessment and gap closure; and

(6)   A pre-registration audit.

 

 

Support Systems: Research

 

Avanzo Academy for Information Security (AAIS)

AVANZO has recently launched an academy to support organizations in finding the right candidates with proper training in security management.

AAIS has introduced well-structured three-tier courses designed to support the industry in taking care of complete IT security systems, for positions such as Network System Administrators, Information Security Officers, IT Security Professionals and even Management Executives/CEOs.

The AAIS IT Professional Courses in Security are aimed at providing the most comprehensive knowledge in Network and IT Security, giving prospective candidates a broad platform to analyse security concerns, vulnerabilities and attacks, and to plan and implement the desired e-security solutions.

 

The Courses offered are:

(1) Diploma in Network & System Security;

(2) PG Diploma in IT Security; and

(3) Advanced Diploma in IT Security Management (correspondence course intended for Management Executives).

The examinations are conducted and certifications issued by the KITCO - ASSOCHAM CONSORTIUM.

 

Avanzo provides ample support to the students to get an insight into the investigations and policy procedures handled in-house. The course content has been developed by Avanzo against the backdrop of its vast and varied experience in cyber crime investigations and exposure to various lapses found in the course of implementation of policies. Securing vital resources and information in the network is the most challenging feat for system enterprises.