it act for icai bangalore25-jan 2012

Information Technology Act - CA perspective. CA A. Rafeq, FCA, CISA, CIA, CGEIT, Managing Director, Wincer Infotech Limited. Bangalore, 25th Jan. 2012

Upload: rafeq-abdul

Post on 06-Apr-2018


8/3/2019 IT Act for ICAI Bangalore25-Jan 2012

http://slidepdf.com/reader/full/it-act-for-icai-bangalore25-jan-2012 1/80

Information Technology Act - CA perspective

CA A. Rafeq, FCA, CISA, CIA, CGEIT

Managing Director, Wincer Infotech Limited

Bangalore, 25th Jan. 2012

Agenda

1. Need for Chartered Accountants to embrace IT

2. Overview of IT Act 2000 and IT Act 2008

3. Impact of IT Act on Government, Enterprises and Individuals – some case studies

4. Impact and opportunities for Chartered Accountants – IT Act

1. Need for Chartered Accountants to embrace IT

Technology: key enabler of business change

• Value does not come miraculously from technology

• Technology only provides a capability

• Value is only realized when this capability is applied and managed as part of comprehensive program of business change.

• Evolved from automation through information to transformation, extent and complexity of business change has grown dramatically, and includes:

 – Business strategy

 – Business processes

 – How people work

 – Organizational structure and

 – Technology

Industrial revolution to Knowledge revolution

• Industrial revolution to the Knowledge revolution – Pervasive IT

• Role of IT in the evolving knowledge society is comparable to that of the railroad during the Industrial Revolution.

• Amount of private and enterprise data stored on computers is doubling every 12 to 18 months.

• Mobile computing gives users the freedom to roam, with access to data and services at any time and in any place.

• IT is becoming a primary driver of business growth and is expected to make a greater contribution to success of enterprises.

• Investment in IT is being made as it impacts business performance.

• Technology continues to be the one key driver of business growth worldwide, with IT spends continuing to see an annual rise for the foreseeable future – TCS Annual Report 2010-2011.

Future of IT

• A Dutch start-up, Sparked, is using wireless sensors on cattle so that when one is sick or pregnant, it sends a message to the farmer.

• Each cow transmits 200 MB of data per year.

• We can monitor ourselves this way too.

• Using a wireless cardiac monitor your physician can check for health risks.

• And this is just the beginning of embedded IT.

Information and IT: BI, Big Data and Data Analytics

Cloud computing

Global Scenario:

• Cloud services revenue to touch $149 billion in 2014. $55 billion forecasted worldwide revenue from public IT cloud services alone.

• Cloud services cost less than traditional outsourced services, with savings ranging from 20% to 50% depending on the type of service offered.

• 30%: the rate at which cloud computing will grow in 2011, or more than 5 times the rate of IT industry as a whole.

• 2.3 million jobs (the net new jobs created by cloud on a cumulative basis over the period 2010 to 2015).

• The impact of cloud computing will be very high on the nearly $60 billion outsourcing sector, whose mantra is cost savings. This sector has little choice but to include cloud computing as part of their service portfolio.

Cloud computing

Indian Scenario:

• India is ahead of US in cloud adoption. Top cloud users today are Brazil (27%), Germany (27%), India (26%), US (23%).

• Cloud computing market in India is expected to cross USD 1.08 billion by 2015, from USD 110 million in 2010.

• Of the projected $4.5-billion total cloud computing market in India by 2015, private cloud will account for $3.5 billion.

• It will generate about 100,000 additional jobs and save about 50 percent of cost of IT operations for Indian enterprises.

• India's No. 3 outsourcing firm looks at cloud computing as a "game changer". It is building data centers in India and is implementing private clouds in partnership with other IT firms.

• The cloud has the potential to transform business ecosystems that are relatively under-penetrated by IT due to high capital requirements, such as government, healthcare and education.

• CC allows us to deliver standard end-to-end processes as a service to customers using new operating models - TCS

Impact of IT for CA in future

• CAs with solid IT skills are needed to design, integrate, and implement advanced software systems, as well as serve as consultants to link hardware/software solutions with sound business plans.

• Technology will continue to challenge and reshape our lifestyles, work patterns, educational experiences, and communication styles and techniques. Technology will rewrite the "rules of business," leaving those far behind who will not harness it and effectively integrate it.

• Many of the traditional, essential skills of CAs are being replaced by new technologies that are increasing in number and being rapidly developed, often from unexpected sources.

Innovation - key to success

There's plenty of evidence that if you don't find dramatically new ways of doing business, you're not going to be in business

IT – The road ahead for CAs

• The core competencies of a CA are a unique combination of knowledge and skills in various aspects of accounting, assurance, information systems, governance, management, risk, controls, regulatory compliances, business processes, human relations, technology and related areas relevant for enterprises of all types and oriented towards the objective of providing value and deliverables as per requirement of clients/users.

• Global studies have shown that the traditional core competencies of CAs need to be enhanced with increased understanding of technology systems and there is urgent need to develop the ability to process and integrate information among various areas of business practice.

• CA firms have to become IT savvy so as to deploy the optimum level of IT within their firm and also to have the required working knowledge of IT to audit/consult for their clients.

IT – The road ahead for CAs

• Interested in providing IT implementation and consulting services

• Get good understanding of technologies, tools, processes, and trends… and REGULATIONS.

• CA firms have to consider IT not merely as an office asset to be procured for use by staff as an office automation tool but as a critical infrastructure which has a strategic long-term impact on their service delivery capabilities.

Example of GRC risk


IT Governance Principle

• "Information Technology is critical to the success of an enterprise, Information Technology is an issue which cannot be relegated solely to management or IT Specialists, but must instead receive the focussed attention of both".

The key questions?

Corporate Governance

• How do suppliers of finance get managers to return some of the profits to them?

• How do suppliers of finance make sure that managers do not steal the capital they supply or invest in bad projects?

• How do suppliers of finance control managers?

IT Governance

• How do board and executive management get their CIO and IT organisation to return some business value to them?

• How do board and executive management make sure that their CIO and IT organisation do not steal the capital they supply or invest in bad IT projects?

• How do board and executive management control their CIO and IT organisation?

2. Overview of IT Act 2000 and IT Act 2008

Objectives of the IT Act 2000

• Provide legal recognition for transactions carried out by means of electronic data interchange, and other means of electronic communication, commonly referred to as "electronic commerce"

• Facilitate electronic filing of documents with Government agencies and E-Payments - E-Governance

• Amend the Indian Penal Code, Indian Evidence Act, 1872, the Banker's Books Evidence Act, 1891, Reserve Bank of India Act, 1934

• Establish Certifying Authorities for Digital Signature

• Recognize Digital Signature

• Impose tough penalties on Cyber crimes

• Set up Appellate authorities

• Schedule II provides for Guidelines for Implementation and management of IT Security

Extent of application

• Extends to whole of India and also applies to any offence or contravention thereunder committed outside India by any person {section 1 (2)} read with Section 75 - Act applies to offence or contravention committed outside India by any person irrespective of his nationality, if such act involves a computer, computer system or network located in India

Act is NOT applicable to…

(a) a negotiable instrument (other than a cheque) as defined in section 13 of the Negotiable Instruments Act, 1881;

(b) a power-of-attorney as defined in section 1A of the Powers-of-Attorney Act, 1882;

(c) a trust as defined in section 3 of the Indian Trusts Act, 1882;

(d) a will as defined in clause (h) of section 2 of the Indian Succession Act, 1925 including any other testamentary disposition

(e) any contract for the sale or conveyance of immovable property or any interest in such property;

(f) any such class of documents or transactions as may be notified by the Central Government

IT Act 2000

• Enacted on 17th May 2000 - India is 12th nation in the world to adopt cyber laws

• IT Act is based on Model law on e-commerce adopted by UNCITRAL

• IT Act was amended by IT Amendment Act, 2008

• When the Information Technology Act, 2000 was introduced – it was the first information technology legislation introduced in India!

• And Information Technology (Amendment) Act 2008 (Effective from October 27, 2009) - could be a Game Changer!

• ITA Rules, 2011

Objectives of IT Act 2008

• Casts responsibility on body corporate to protect sensitive personal information (Sec. 43A)

• Recognizes and punishes offences by companies and individual (employee) actions (Sec. 43, 66 to 66F, 67..):

 – Sending offensive messages using electronic medium or using body corporate's IT for unacceptable purposes

 – Dishonestly stolen computer resource

 – Unauthorized Access to computer resources

 – Identity theft/Cheating by personating using computer

 – Violation of privacy

 – Cyber terrorism/Offences using computer

 – Publishing or transmitting obscene material

• Provides for Extensive powers for Police & Statutory Authorities

What IT Act 2008 amendment aims for

• Paradigm shift in data protection and privacy regime in India:

 – Establishing a self regulation framework

 – Maintenance of reasonable security practices and procedures

 – Articulating "sensitive personal data or information"

 – Adjudication related to data protection and privacy [civil liabilities]

 – Providing criminal prosecution vis-à-vis data protection and privacy

Rules to IT Act 2008

• Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011.

• Information Technology (Intermediaries guidelines) Rules, 2011

• Information Technology (Electronic Service Delivery) Rules, 2011

Definitions (section 2)

• "computer" means electronic, magnetic, optical or other high-speed data processing device or system which performs logical, arithmetic and memory functions by manipulations of electronic, magnetic or optical impulses, and includes all input, output, processing, storage, computer software or communication facilities which are connected or related to the computer in a computer system or computer network;

• "computer network" means the inter-connection of one or more computers through-

 – (i) the use of satellite, microwave, terrestrial line or other communication media; and

 – (ii) terminals or a complex consisting of two or more interconnected computers whether or not the interconnection is continuously maintained;

Definitions (section 2)

• "electronic record" means data, record or data generated, image or sound stored, received or sent in an electronic form or micro film or computer generated micro fiche;

• "secure system" means computer hardware, software, and procedure that-

 (a) are reasonably secure from unauthorized access and misuse;

 (b) provide a reasonable level of reliability and correct operation;

 (c) are reasonably suited to performing the intended function; and

 (d) adhere to generally accepted security procedures

• "security procedure" means the security procedure prescribed by the Central Government under the IT Act, 2000.

• secure electronic record – where any security procedure has been applied to an electronic record at a specific point of time, then such record shall be deemed to be a secure electronic record from such point of time to the time of verification

Definitions

• Information includes

 – Data, text, images, sound, voice, codes, computer programmes, software and databases or micro film or computer generated micro fiche

• Electronic form

 – With reference to information means

 – Any information generated, sent, received or stored

 – in media, magnetic, optical, computer memory, microfilm, computer generated micro fiche or similar device

Definition

• Digital signature

 – Authentication of any electronic record by a subscriber

 – by means of an electronic method or procedure

 – in accordance with the provisions of section 3

• Affixing digital signature

 – Adoption of any methodology or procedure by a person for purpose of authenticating an electronic record by means of a digital signature

• Intermediary

 – With respect to any particular electronic message means

 – Any person who on behalf of another person receives, stores or transmits that message or provides any service with respect to that message

Electronic Governance

Legal recognition of electronic records (Sec. 4)

• Where any law provides that information or any other matter shall be in writing or in the typewritten or printed form then

• Notwithstanding anything contained in any law,

• Such requirement shall be deemed to have been satisfied if such information or matter is:

 » Rendered or made available in an electronic form and

 » Accessible so as to be usable for a subsequent reference

Recognition for E-Governance

• Provides for following in electronic form (Sec. 6):

• Filing of any form, application or any other document with any office, authority, body or agency owned or controlled by the appropriate Government in a particular manner:

 » The issue or grant of any licence, permit, sanction or approval by whatever name called in a particular manner

 » The receipt or payment of money in a particular manner

 » As prescribed by the appropriate Government

A digital signature

• Created using software.

• Unique and dynamically created by the software.

• Used for identifying and authenticating a user for transactions in the digital world similar to identifying and authenticating users through physical signatures in the physical world.

• Issued by the Certificate Authority and is valid for the period it is allotted.

• Anyone can confirm whether the digital certificate is valid by confirming with the Certificate Authority who has issued it.

Electronic Signature substituted by digital signature in IT Act 2008

• Subscriber may authenticate any electronic record by

• Such electronic signature or electronic authentication technique that is:

 – Considered reliable and specified in second schedule

• Technique shall be considered reliable if:

 – Signature creation data is unique to and under the control of the authenticator

 – Alterations are detectable

 – E.g. PIN, digitised fingerprint or image, retina scan

Impact of Digital Signature

"As enterprises increasingly use digital signature technologies to support e-commerce, legal issues such as non-repudiation, online contracts and protection of intellectual property will become more common"

"Business managers, Auditors and lawyers need to understand some of the underlying technology as they grapple with the legal implications"

Secure digital signature - S.15

• If by application of a security procedure agreed to by the parties concerned, it can be verified that a digital signature, at the time it was affixed, was:

(a) unique to the subscriber affixing it;

(b) capable of identifying such subscriber;

(c) created in a manner or using a means under the exclusive control of the subscriber and is linked to the electronic record to which it relates in such a manner that if the electronic record was altered the digital signature would be invalidated,

then such digital signature shall be deemed to be a secure digital signature
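
The three conditions above, shown as an added example that is not part of the original slides: a signature that verifies only against the subscriber's public key and stops verifying when the record is altered. It uses a Lamport one-time hash-based signature only because that runs on the Python standard library; it is not the scheme prescribed under the Act or used by licensed Certifying Authorities, and the sample records and function names are constructed for illustration.

```python
import hashlib
import secrets

BITS = 256  # one secret pair per bit of the SHA-256 digest of the record


def generate_keypair():
    """Create a key pair that may sign exactly ONE record.

    private_key: 256 pairs of random secrets, kept under the subscriber's
                 exclusive control (condition (c)).
    public_key:  the SHA-256 hash of every secret; safe to publish, and it
                 identifies the subscriber to a verifier (conditions (a), (b)).
    """
    private_key = [(secrets.token_bytes(32), secrets.token_bytes(32))
                   for _ in range(BITS)]
    public_key = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest())
                  for a, b in private_key]
    return private_key, public_key


def _digest_bits(record: bytes):
    """Return the 256 bits of SHA-256(record), most significant bit first."""
    digest = hashlib.sha256(record).digest()
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(BITS)]


def sign(private_key, record: bytes):
    """Reveal, for each digest bit, the secret selected by that bit.

    The signature is therefore bound to the record's content. Signing a
    second record with the same key would reveal more secrets and allow
    forgery, so a fresh key pair is needed for every record.
    """
    return [private_key[i][bit] for i, bit in enumerate(_digest_bits(record))]


def verify(public_key, record: bytes, signature) -> bool:
    """Check every revealed secret against the published hash for that bit."""
    if len(signature) != BITS:
        return False
    ok = True
    for i, bit in enumerate(_digest_bits(record)):
        revealed = hashlib.sha256(signature[i]).digest()
        ok &= secrets.compare_digest(revealed, public_key[i][bit])
    return ok


def demo():
    # Constructed sample records: the second differs only in the amount.
    record = b"Invoice 1042: pay INR 50,000 to Vendor A"
    altered = b"Invoice 1042: pay INR 90,000 to Vendor A"

    subscriber_private, subscriber_public = generate_keypair()
    _, other_public = generate_keypair()  # a different subscriber's key

    signature = sign(subscriber_private, record)
    return {
        "original_record": verify(subscriber_public, record, signature),
        "altered_record": verify(subscriber_public, altered, signature),
        "other_subscriber_key": verify(other_public, record, signature),
    }


if __name__ == "__main__":
    for case, valid in demo().items():
        print(f"{case}: {'valid' if valid else 'INVALID'}")
```
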


Public Key Infrastructure

• Allow parties to have free access to the signer's public key

• This assures that the public key corresponds to the signer's private key

 – Trust between parties as if they know one another

• Parties with no trading partner agreements, operating on open networks, need to have highest level of trust in one another

Certificate based Key Management

• Operated by trusted third party – CA

• Provides Trading Partners Certificates

• Notarises the relationship between a public key and its owner

[Diagram: CA, User A, User B]

The licensing process

• Examining the application and accompanying documents as provided in sections 21 to 24 of the IT Act, and all the Rules and Regulations thereunder;

• Approving the Certification Practice Statement (CPS);

• Auditing the physical and technical infrastructure of the applicants through a panel of auditors maintained by the CCA.

Audit Process

• Adequacy of security policies and implementation thereof;

• Existence of adequate physical security;

• Evaluation of functionalities in technology as it supports CA operations;

• CA's services administration processes and procedures;

• Compliance to relevant CPS as approved and provided by the Controller;

• Adequacy of contracts/agreements for all outsourced CA operations;

• Adherence to Information Technology Act 2000, the rules and regulations thereunder, and guidelines issued by the Controller from time-to-time.

PKI Hierarchy

[Diagram: CCA at the top, three CAs beneath it, then Subscribers and a Relying Party; also shown: Directory of Certificates, CRLs]

Section 12 - Acknowledgement of Receipt

• If Originator has not specified particular method - Any communication automated or otherwise or conduct to indicate the receipt

• If specified that the receipt is necessary - Then unless acknowledgement has been received Electronic Record shall be deemed to have been never sent

• Where ack. not received within time specified or within reasonable time the originator may give notice to treat the Electronic record as though never sent

Section 13 - Dispatch of Electronic record

• Unless otherwise agreed dispatch occurs when ER enters resource outside the control of originator

• If addressee has a designated computer resource, receipt occurs at time ER enters the designated computer; if electronic record is sent to a computer resource of addressee that is not designated, receipt occurs when ER is retrieved by addressee

• If no Computer Resource designated - when ER enters Computer Resource of Addressee.

• Shall be deemed to be dispatched and received where originator has their principal place of business otherwise at his usual place of residence

Civil Wrongs under IT Act

Chapter IX of IT Act, Section 43

• Whoever without permission of owner of the computer:

 – Secures access (mere U/A access)

   • Not necessarily through a network

 – Downloads, copies, extracts any data

 – Introduces or causes to be introduced any viruses or contaminant

 – Damages or causes to be damaged any computer resource

   • Destroy, alter, delete, add, modify or rearrange

   • Change the format of a file

 – Disrupts or causes disruption of any computer resource

   • Preventing normal continuance of computer

Key Provisions of the IT Act for corporates – Sec. 43A

• The responsibility for protection of stakeholder information by body corporate primarily arises from the provisions of Section 43A of the Information Technology Act, 2008, which provides as follows:

• "Where a body corporate, possessing, dealing or handling any sensitive personal data or information

• in a computer resource which it owns, controls or operates,

• is negligent in implementing and maintaining reasonable security practices and procedures and

• thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation, to the person so affected".

TYPES OF CYBER CRIMES

• Cyber terrorism

• Cyber pornography

• Defamation

• Cyber stalking (section 509 IPC)

• Sale of illegal articles - narcotics, weapons, wildlife

• Online gambling

• Intellectual Property crimes - software piracy, copyright infringement, trademarks violations, theft of computer source code

• Email spoofing

• Forgery

• Phishing

• Credit card frauds

Crime against property

Crime against Government

Crime against persons

Provision affecting body corporates

Section 85:

• "Where a person committing a contravention of any of the provisions of this Act or of any rule, direction or order made thereunder is a Company,

• every person who, at the time the contravention was committed,

• was in charge of, and was responsible to, the company for the conduct of business of the company as well as the company, shall be guilty of the contravention and shall be liable to be proceeded against and punished accordingly"

3. Impact on Government, Enterprises and Individuals – some case studies

Impact of IT Act

Overall Impact

• Recognition of Electronic Records

• Electronic filing of records

• Legal recognition for digital signature

Specific Impact

• How digital signatures could be used within the company?

• How digital signatures could be used for business operations with customers and suppliers

• How digital signatures could be used for new business avenues?

• How will it impact the way your company is maintaining its record and conducting business operations?

Security implications – different dimensions

GOVERNMENT: Regulations and Policies, Lawful interception

ENTERPRISES: Contractual, Risk management, Compliance, IT Security Strategy

NETIZEN: Data Privacy, Safe Browsing

Section 43A

• "body corporate" means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities

• "reasonable security practices and procedures" means security practices and procedures designed to protect such information from unauthorised access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties or as may be specified in any law for the time being in force and in the absence of such agreement or any law, such reasonable security practices and procedures, as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.

• "Sensitive personal data or information" means such personal information as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.

Why Cyber law Compliance is a burning Issue?

• Has given a Security orientation to Cyber law in India

• Cyber Security is no longer a Technical Issue

• It is a legal prescription under ITA 2008

Every Corporate Entity should therefore

• Implement a structured plan of action to ensure that it is not liable under ITA 2008 through a Cyber Law Compliance programme

Seven basic compliance requirements

• Designate a Cyber Law Compliance officer

• Initiate training of employees on Cyber Law Compliance

• Introduce sanction procedures in HR policy for non compliance

• Use authentication procedures suggested in law

• Maintain data retention as suggested under Section 67C

• Identify and initiate safeguard requirements indicated under Sections 69 and 69A, 69B, 43A

• Initiate global standards of data privacy on collection, retention, access, deletion etc

Categories of Cybercrimes

Offences - sections 65 to 74 categorized as offences against:

Property

• Tampering with computer source documents

• Hacking

Person

• Obscenity

• Cyber trespass

• Confidentiality and privacy

Sovereignty/government/Authority

• Interception of information affecting sovereignty

• Unauthorized access to protected systems

• Noncompliance with Orders of Certifying Authority

• Misrepresentation for obtaining Digital Signature

• Digital Signature for fraudulent or unlawful purpose

• Publishing Digital false in particulars

Cyber Terrorism is defined in Section 66F

• Whoever threatens the unity, integrity, security or sovereignty of India or strikes terror in people by:

1. Denying access to a computer resource; or

2. Accessing a computer resource without authority; or

3. Introducing any computer contaminant and causing death or destruction of property; or

Penetrates restricted computer resources or information affecting sovereignty, integrity, friendly relations with foreign states, public order, decency, contempt of court, defamation or to the advantage of a foreign state or group of persons.

• It is punishable with imprisonment up to life.

Forgery

Andhra Pradesh Tax Case

• To explain the Rs. 22 crore recovered from the house of the owner of a plastic firm by the sleuths of the vigilance department, the accused submitted 6000 vouchers to legitimize the amount recovered. Careful scrutiny of the vouchers and the contents of his computers revealed that all of them were made after the raids were conducted.

• All vouchers were fake computerized vouchers.

Cyber stalking

• Ritu Kohli (first lady to register the cyber stalking case) is a victim of cyber-stalking.

• A friend of her husband gave her phone number and name on a chat site for immoral purposes.

• A computer expert, Kohli was able to trace the culprit. Now, the latter is being tried for "outraging the modesty of a woman", under Section 509 of IPC.

Cyber defamation

• SMC Pneumatics (India) Pvt. Ltd. v. Jogesh Kwatra: India’s first case of cyber defamation was reported when a company’s employee (defendant) started sending derogatory, defamatory and obscene e-mails about its Managing Director.

• The e-mails were anonymous and frequent, and were sent to many of their business associates to tarnish the image and goodwill of the plaintiff company.

• The plaintiff was able to identify the defendant with the help of a private computer expert and moved the Delhi High Court.

• The court granted an ad-interim injunction and restrained the employee from sending, publishing and transmitting e-mails which are defamatory or derogatory to the plaintiffs.

Online gambling: virtual casinos, cases of money laundering

• Cyber lotto case: In Andhra Pradesh, one Kola Mohan created a website and an email address on the Internet with the address '[email protected]', which showed his own name as the beneficiary of 12.5 million pounds in the Euro lottery.

• After getting confirmation with the email address, a Telugu newspaper published this as news.

• He gathered huge sums from the public as well as from some banks. The fraud came to light only when a cheque amounting to Rs 1.73 million discounted by him with Andhra Bank got dishonored.

Case Study - BPO Data Theft

• The recently reported case of a Bank Fraud in Pune, in which some ex-employees of the BPO arm of MPhasis Ltd, Msource, defrauded US customers of Citi Bank to the tune of Rs 1.5 crores, has raised concerns of many kinds, including the role of "Data Protection".

• The crime was obviously committed using "Unauthorized Access" to the "Electronic Account Space" of the customers. It is therefore firmly within the domain of "Cyber Crimes".

BPO data theft - Case Study (contd.)

• The BPO is liable for lack of security that enabled the commission of the fraud as well as because of the vicarious responsibility for the ex-employees' involvement. The process of getting the PIN number was during the tenure of the persons as "Employees" and hence the organization is responsible for the crime.

• Some of the persons who have assisted others in the commission of the crime, even though they may not be directly involved as beneficiaries, will also be liable under Section 43 of ITA-2000.

• Under Section 79 and Section 85 of ITA-2000, vicarious responsibilities are indicated both for the BPO and the Bank on the grounds of "Lack of Due Diligence".

• At the same time, if the crime is investigated in India under ITA-2000, then the fact that the Bank was not using digital signatures for authenticating the customer instructions is a matter which would amount to gross negligence on the part of the Bank.

Case Study - Case of Extortion of Money Through Internet

• The complainant received a threatening email and demanded protection from an unknown person claiming to be a member of the Halala Gang, Dubai. Police registered a case u/s. 384/506/511 IPC.

• The sender of the email used the email IDs [email protected] & [email protected] and signed as Chengez Babar.

• Both the email accounts were tracked, details collected from ISPs & locations were identified.

• The cyber cafes from which the emails had been sent were monitored and the accused person was nabbed red-handed.

Email spoofing:

• Pranab Mitra, former executive of Gujarat Ambuja Cement, posed as a woman, Rita Basu, and created a fake e-mail ID through which he contacted one V.R. Ninawe, an Abu Dhabi businessman.

• After a long cyber relationship and emotional messages, Mitra sent an e-mail that ‘‘she would commit suicide’’ if Ninawe ended the relationship. He also gave him ‘‘another friend Ruchira Sengupta’s’’ e-mail ID, which was in fact his second bogus address.

• When Ninawe mailed the other ID, he was shocked to learn that Mitra had died and that the police were searching for Ninawe. Mitra extorted a few lakh rupees as advocate fees etc. Mitra even sent e-mails as high court and police officials to extort more money. Ninawe finally came down to Mumbai to lodge a police case.

Bankrupt Complainant approaches Police

• The complainant realizes having been cheated and approaches the Police.

• Total amount obtained by the perpetrator = Rs 1.25 crore.

• The I.P. addresses embedded in all e-mails received by the complainant reveal the origin to be either

 – Ambuja Cement Company or

 – A residential address at Nerul.

• A bank account at Chembur

• Police swing into action and raid the addresses.

• Two laptops recovered at the said place contain most of the e-mail communication made under the various identities such as Ruchira, Advocate Mitra, New York Police, Kolkata Police etc.

• Man assuming all these identities was identified as P M, employee of Gujarat Ambuja

4. Impact and opportunities for Chartered Accountants

Chartered Accountants

Traditional areas:

• Internal Auditing

• Filing of returns

• Compliance

• MIS

New Areas:

• Electronic filing of documents

• Web based business

• Web Assurance policies

• eEnabling business operations

eCommerce Concepts and impact

• eCommerce refers to the use of technology to enhance the processing of commercial transactions between a company, its customers and its business partners.

• eCommerce has vast potential to change the way business is conducted.

• eCommerce transactions over the Internet include

 – Formation of Contracts

 – Delivery of Information and Services

 – Delivery of Content

• Traditional sources of competitive advantage will be supplanted, power and control will shift from suppliers to customers, global markets will become accessible to all comers and the traditional role of middlemen will be undermined

eCommerce Issues

1. Web merchants may be bogus

2. Customers may be fictitious

3. Electronic documents on the Web may not be authentic

4. Trading partners may deny they were a party to the transaction

5. Transactions may be intercepted, tampered with or replayed

6. Digital signatures and electronic records may not be recognized as evidence in courts of law

7. Transactions may be hard to substantiate, causing problems of accounting recognition.

8. Audit trails may be lacking or easily tampered with

Minimum Security Requirement for eCommerce

NON REPUDIATION

AUTHENTICATION

CONFIDENTIALITY

INTEGRITY

[Figure: a paper letter (Ref, Sub, "Sir, This is with your Ref vide ...") signed "Vikram"]

Replace letterhead & signature on original document: ?

Replace envelope: ?

The Answer

Encryption 

Cryptographic digital signature 

NON REPUDIATION

AUTHENTICATION

CONFIDENTIALITY

INTEGRITY

Replaces letterhead & signature on original document

Replaces envelope
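
How a digital signature answers issues 4 and 5 of the eCommerce Issues list (denial, tampering, replay), shown as an added example that is not part of the original slides. The Ed25519 key pair, the order fields and the nonce scheme are assumptions made for illustration; replay rejection comes from the verifier tracking nonces, and confidentiality (encryption) is not shown.

```javascript
const crypto = require('crypto');

// Constructed demo key pair (assumption); in practice the public key would
// come from a certificate issued by a Certifying Authority.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');

// Serialize fields in a fixed order so signer and verifier process identical bytes.
function canonical(order) {
  return Buffer.from(JSON.stringify([order.id, order.buyer, order.amount, order.nonce]));
}

// The signer attaches a signature only the private-key holder can produce,
// which is what supports authentication and non-repudiation.
function signOrder(order, key) {
  return { order, signature: crypto.sign(null, canonical(order), key).toString('base64') };
}

// The verifier checks the signature first (integrity, origin), then the nonce (replay).
function makeVerifier(signerPublicKey) {
  const seen = new Set(); // nonces already accepted
  return function verify(msg) {
    const sig = Buffer.from(msg.signature, 'base64');
    if (!crypto.verify(null, canonical(msg.order), signerPublicKey, sig)) {
      return 'rejected: signature invalid';
    }
    if (seen.has(msg.order.nonce)) return 'rejected: replayed';
    seen.add(msg.order.nonce);
    return 'accepted';
  };
}

// Constructed sample order, then three failure cases against the same verifier.
function demo() {
  const verify = makeVerifier(publicKey);
  const msg = signOrder({ id: 'PO-1001', buyer: 'Buyer A', amount: 25000,
                          nonce: crypto.randomBytes(16).toString('hex') }, privateKey);
  const tampered = { order: { ...msg.order, amount: 250000 }, signature: msg.signature };
  const other = crypto.generateKeyPairSync('ed25519');
  const forged = signOrder({ ...msg.order, nonce: 'n2' }, other.privateKey);
  return {
    genuine: verify(msg),       // first delivery of a correctly signed order
    replay: verify(msg),        // same signed order presented again
    tampered: verify(tampered), // amount altered after signing
    forged: verify(forged),     // signed with a key that is not the signer's
  };
}

console.log(demo());
```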

Digital Certificates in eCommerce

• Verification of customer, merchant, bank ..

 – Non-repudiation

 – Time stamping

 – Authentication

 – Legal evidence

• Secure E-Mail

 – Receipt of contracts

 – Receipt of purchase orders

 – Receipt of other important electronic documents

Impact on traditional areas

Key Issues impacting CAs

Authenticity

How do we implement a system that ensures that transactions are genuine and authorized?

Reliability

How do we rely on the information, which does not have physical documents?

Accessibility

How do we gain access to and authenticate this information, which is in digital form?

Control Objectives for eCommerce

Business and Control objectives do NOT change e.g.

• Goods sold are as per customer order

• Delivered to correct customer

• Payment is correct and made to correct supplier

• Transactions are correctly recorded, etc

However, monitoring tools and techniques used need to be changed

Sample checklist for evaluation

Section 43A

(a) Are various components of “sensitive personal data or information” vis-à-vis users/customers defined by the enterprise?

(b) Does the enterprise have a security policy?

Is the security policy documented?

Section 67C

Does the enterprise have an electronic record preservation and retention policy?

Section 69B

Has the enterprise adopted/established appropriate policy, procedures and safeguards for monitoring and collecting traffic data or information?

Are these documented?

Sample checklist for evaluation

Section 70B

Does the enterprise have appropriate documented procedure to comply withthe requests of CERT-IN regarding cyber security incidents?

Section 72A

(a) Does the enterprise have an adequate privacy policy?

(b) Has the enterprise provided for an opt-in/opt-out clause in the privacy policy?

General

1. Has the enterprise appointed a designated officer/nodal officer/computer-in-charge to comply with the directions of the competent authority/agency under various provisions of the Act?

2. Are details of such designated officer/nodal officer readily available online (at your website)?

Key Concepts to Take Away

Implications of IT Act 2000

 – More pervasive as we move on

 – Definite role to play

 – Are we ready and equipped?

 – Do we have the vision and long term focus?

 – Certificate Authorities, Digital Signatures will be key enablers of eCommerce

• eCommerce offers exciting avenues

 All challenges are opportunities

IT is one such continuing challenge