SME Security Risk and Compliance

Our Excellent Opportunity

Senior Manager - Security Risk & Compliance is responsible for ensuring that the company's processes and systems are monitored and evaluated to meet compliance requirements. Some of the responsibilities include:

• Regulatory Intelligence - Monitor and analyse regulatory policies, notifications, and guidelines.
• Compliance - Developing and implementing policies and procedures that ensure compliance with regulatory and ethical standards.
• Risk management - Identifying and mitigating compliance risks and supporting annual risk assessments.
• Advisory - Providing guidance to business teams on regulatory compliances.
• Audits - Conducting compliance reviews and audits and performing due diligence screening on third-party engagements.
• Decision-making - Overseeing key decision points to ensure appropriate decisions are made.
• Program management - Work internally with key stakeholders to drive compliance program covering impact assessment of regulatory requirements and identify risks.

Security Compliance landscape

The security landscape is dynamically evolving from a regulatory perspective. Since security is a cross-cutting issue, India has a complex inter-ministerial and inter-departmental institutional framework, with several ministries, departments and agencies performing key functions.

India's cyber security compliance requirements include:

• Communication Security Certification Scheme (ComSec) notified in 2020 follows Indian Telecom Security Assurance Requirements (ITSAR) and mandates testing in designated Telecom Security Test Labs (TSTL) accredited by National Centre for Communication Security (NCCS).
• Telecom Cybersecurity Rules These rules expand the scope of data collection, increase the responsibilities of telecom entities, and introduce new roles and reporting requirements. They also emphasize a proactive approach to cybersecurity, with a focus on continuous monitoring, rapid response, and coordination between the government and telecom entities.
• Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, rules), established the Computer Emergency Response Team (CERT-In) and put in place obligations on intermediaries and service providers to report cybersecurity incidents to the CERT-In.
• Directions on information security practices, procedure, prevention, response and reporting of cyber incidents for a safe and trusted internet, issued in 2022 by the CERT-In, add to and modify existing cybersecurity incident reporting obligations under the 2013 rules.
• Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI rules) require companies that process, collect, store or transfer sensitive personal data or information to implement reasonable security practices and procedures.
• The Information Technology (Guidelines for Intermediaries and Digital Media Ethics Code Rules, 2021) require intermediaries to implement reasonable security practices and procedures to secure their computer resources and information, maintaining safe harbour protections. Intermediaries are also mandated to report cybersecurity incidents to the CERT-In.
• Information Technology (Information Security Practices and Procedures for Protected System) Rules, 2018, oblige companies that have protected systems – as defined under the IT Act – to put in place specific information security measures.
• Data localization - Mandatory data localization is a key provision of the 2024 Cyber Security Regulations in India.
• Incident reporting and response- All entities are required to report cybersecurity incidents to the Computer Emergency Response Team (CERT-In) within six hours of becoming aware of them.
• Cyber security audits and compliance- Cyber security audits and compliance are key provisions of the 2024 Cyber Security Regulations in India.
• National Critical Information Infrastructure Protection Centre (NCIIPC)- The NCIIPC was launched by the Indian government in 2014 and is under the Prime Minister's Office (PMO).