
Data Security Compliance with the Information
and Cyber Security Guidelines 2023

Thales can help organizations in the Indian Insurance Industry protect information assets and comply with the guidelines with a Data-centric Security approach.

Information and Cyber Security (ICS) Guidelines 2023


The digitalization initiated by the Indian government in 2017 and the remote working arrangements during COVID-19 marked a change in the manner of data handling and processing by the Indian insurance industry. With the evolving cybersecurity landscape, the Insurance Regulatory and Development Authority of India (IRDAI) introduced the Information and Cyber Security (ICS) Guidelines 2023 on April 24, 2023, which superseded the 2017 Guidelines.

As one of the leaders in data security, Thales enables organizations in the insurance industry to comply with ICS Guidelines in 6 security domain policies by recommending the appropriate data security and identity management technologies.


Regulation Overview

The primary emphasis of the Information and Cyber Security (ICS) Guidelines 2023 is on a data-centric security approach – securing the data itself rather than just the network or system it is stored in. The ICS Guidelines 2023 also mandates Regulated Entities (RE) to adopt a risk-based approach, take necessary measures to secure data management, and mitigate cyber threats against loss, misuse, or leak of sensitive customer information in any form.

Which companies are subject to ICS Guidelines?
ICS Guidelines 2023 applies to all insurance intermediaries, including brokers, foreign reinsurance businesses (FRBs), corporate agents, web aggregators, third-party administrators (TPAs), insurance marketing firms (IMFs), insurance repositories, insurance self-network platforms (ISNPs), corporate surveyors, motor insurance service providers (MISPs), common service centers (CSCs), and the Insurance Information Bureau of India (IIB) (collectively with insurers, the “Regulated Entities”).

Thales helps organizations in the Indian insurance industry comply with Information and Cyber Security Guidelines 2023 by addressing 6 security domain policies.

Security Domain Policies

Thales Solutions

2.1 Data Classification


3.3 Data Classification Process:

CipherTrust Data Discovery and Classification identifies structured and unstructured sensitive data on-premises and in the cloud. Built-in templates enable rapid identification of regulated data, highlight security risks, and help uncover compliance gaps.

Data Security Fabric monitors data from a unified viewpoint for auditing across diverse on-premises and cloud platforms, providing oversight for relational databases, NoSQL databases, mainframes, big data platforms, and data warehouses. Detailed structured and unstructured data activity is captured automatically, making it easier to fulfill audit requests.

3.4.1.2 & 3.4.2.2 Storage Requirements

3.4.1.3 & 3.4.2.3 Transfer Requirements

CipherTrust Transparent Encryption delivers data-at-rest encryption with centralized key management and privileged user access control. It provides a complete separation of roles, where only authorized users and processes can view unencrypted data.

CipherTrust Tokenization with dynamic data masking permits the pseudonymization of sensitive information in databases while maintaining the ability to analyze aggregate data without exposing sensitive data during the analysis or in reports.

CipherTrust Enterprise Key Management streamlines and strengthens key management in cloud and enterprise environments over a diverse set of use cases. In addition, encrypted information can be effectively deleted by destroying encryption keys.

2.2 Asset Management


3.1 Information Asset Profiling

3.2.2.1 Asset Labeling

3.2.2.2 Asset Inventory and Documentation

CipherTrust Data Discovery and Classification identifies structured and unstructured sensitive data on-premises and in the cloud. Built-in templates enable rapid identification of regulated data, highlight security risks, and help uncover compliance gaps.

3.2.2.3 Authorization Inventory

3.2.3 Asset Use

CipherTrust Secrets Management is a state-of-the-art secrets management solution, which protects and automates access to secrets across DevOps tools and cloud workloads including secrets, credentials, certificates, API keys, and tokens. Combining secrets management with key management is like having a fortified vault for all your valuable assets in one place for inventory control.

3.2.6 Asset Disposal

CipherTrust Enterprise Key Management ensures secure asset disposal. Leveraging FIPS 140-2-compliant virtual or hardware appliances, Thales key management tools and solutions deliver high security to sensitive environments and centralize key management for home-grown encryption, as well as third-party applications.

2.3 Access control


3.3 User-ID Creation and Maintenance

3.5 Privileged User Accounts

Thales OneWelcome identity and access management solutions limit the access of internal and external users based on their roles and context. Backed by strong authentication (MFA), granular access policies and fine-grained authorization policies help ensure the right user is granted access to the right resource at the right time. This minimizes the risk of unauthorized access.

SafeNet Trusted Access (STA) is a cloud-based access management solution that makes it easy to manage access to both cloud services and enterprise applications with an integrated platform combining single sign-on, multi-factor authentication (MFA) and scenario-based access policies. It provides a single pane view of access events across your app estate to ensure that the right user has access to the right application at the right level of trust.

2.16 Monitoring, Logging and Assessment


3.3 Information systems logging and monitoring

CipherTrust Transparent Encryption Ransomware Protection (CTE-RWP) continuously monitors processes for abnormal activity and alerts or blocks malicious activity. It monitors active processes to identify activities such as excessive data access, exfiltration, unauthorized encryption, or malicious impersonation of a user, and alerts/blocks when such an activity is detected.

2.12 Cryptographic Controls


3.1 Use of Cryptographic Controls

CipherTrust Secrets Management is a state-of-the-art secrets management solution, which protects and automates access to secrets across DevOps tools and cloud workloads, including secrets, credentials, certificates, API keys, and tokens. This ensures that all static or reusable authentication information is encrypted during storage and while in use.

3.2 Key Management

CipherTrust Manager enables organizations to centrally manage encryption keys, provide granular access control and configure security policies. CipherTrust Manager is the central management point for the CipherTrust Data Security Platform and manages key lifecycle tasks, provides role-based access control to keys and policies, supports robust auditing and reporting, and offers developer-friendly REST API.

Thales Luna Hardware Security Modules (HSMs) protect cryptographic keys and provide a FIPS 140-3 Level 3 hardened, tamper-resistant environment for secure cryptographic processing, key generation and protection, encryption, and more. Luna HSMs are available on-premises, in the cloud as-a-service, and across hybrid environments.

2.19 Cloud Security


3.4.7 Encryption

CipherTrust Enterprise Key Management simplifies and strengthens key management in cloud and enterprise environments. It also delivers high security to sensitive environments, centralizes key management for home-grown encryption and third-party applications, and supports KMIP.

CipherTrust Cloud Key Management allows organizations to separate the keys from the data stored in the cloud, preventing unauthorized data access by the Cloud Service Provider. By using Hold-Your-Own-Key (HYOK) technology, organizations retain full control and ownership of their data by controlling encryption key access.
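Two of the data-protection ideas on this page, effective deletion by destroying encryption keys (section 2.1 above) and keeping keys with the data owner rather than in the cloud store (HYOK, this section), can be shown together in a small worked example. The code below is added here and is not Thales code nor a Thales API: the key manager, the "cloud store" dictionary, the sample record and the HMAC-based toy stream cipher are all constructed for illustration (a production system would use an AEAD such as AES-GCM and an external KMS or HSM). The cloud store only ever holds ciphertext plus a key id; the owner's key manager holds the data-encryption key; destroying that key leaves the stored blob in place but unreadable.

```python
import hashlib
import hmac
import os
import secrets


class CustomerKeyManager:
    """Toy stand-in for a key manager held by the data owner, outside the
    cloud store (an assumption made for this example, not a Thales API).
    Holds one data-encryption key (DEK) per key id."""

    def __init__(self):
        self._keys = {}

    def create_key(self):
        kid = "dek-" + secrets.token_hex(8)
        self._keys[kid] = secrets.token_bytes(32)
        return kid

    def get_key(self, kid):
        # Raises KeyError once the key has been destroyed.
        return self._keys[kid]

    def destroy_key(self, kid):
        # Crypto-shredding: without the DEK every ciphertext under it is unrecoverable.
        self._keys.pop(kid)


def _keystream(key, nonce, length):
    """PRF-in-counter-mode keystream built from HMAC-SHA256 (a toy stream
    cipher so the example runs with the standard library only)."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def encrypt_record(km, kid, plaintext):
    """Returns nonce || ciphertext || tag (encrypt-then-MAC, tag key derived from the DEK)."""
    key = km.get_key(kid)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_record(km, kid, blob):
    """Verifies the tag, then decrypts. Raises KeyError if the DEK was shredded."""
    key = km.get_key(kid)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext tampered or wrong key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def hyok_demo():
    """Store -> read -> shred. Returns (provider_sees_plaintext,
    owner_can_read, readable_after_shred)."""
    km = CustomerKeyManager()   # lives with the data owner (HYOK)
    cloud_store = {}            # what the provider holds: ciphertext and key id only
    kid = km.create_key()
    record = b"policy-no 12345; PAN XXXXX1234X"  # constructed sample record
    cloud_store["customer-42"] = {"kid": kid, "blob": encrypt_record(km, kid, record)}

    entry = cloud_store["customer-42"]
    provider_sees_plaintext = record in entry["blob"]
    owner_can_read = decrypt_record(km, entry["kid"], entry["blob"]) == record

    km.destroy_key(kid)  # retention expired: shred the key, leave the blob in place
    try:
        decrypt_record(km, entry["kid"], entry["blob"])
        readable_after_shred = True
    except KeyError:
        readable_after_shred = False
    return provider_sees_plaintext, owner_can_read, readable_after_shred


if __name__ == "__main__":
    print(hyok_demo())  # expected (False, True, False)
```

The point of keeping the tag check is that a shredded or rotated key fails closed: a reader with the wrong key gets an error rather than garbage that might be mistaken for data. Deleting the blob from the store is still good hygiene, but the compliance guarantee comes from the key being gone, which is why key-destruction events belong in the audit log alongside data deletions.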

3.4.8 Application Security

CipherTrust Data Security Platform provides multiple capabilities for application security. Among them:


Recommended Resources

Data Security Compliance with the Information and Cyber Security Guidelines 2023 for Indian Insurance Industry - Compliance Brief

What are the Information and Cyber Security Guidelines 2023? The digitalization initiated by the Indian government in 2017 and the remote working arrangements during COVID-19 marked a change in the manner of data handling and processing by the Indian insurance industry. The...

Data Security Compliance and Regulations - eBook


This ebook shows how Thales data security solutions enable you to meet global compliance and data privacy requirements including - GDPR, Schrems II, PCI-DSS and data breach notification laws.

The Key Pillars for Protecting Sensitive Data in Any Organization - White Paper


Traditionally organizations have focused IT security primarily on perimeter defense, building walls to block external threats from entering the network. However, with today’s proliferation of data, evolving global and regional privacy regulations, growth of cloud adoption, and...

Other key data protection and security regulations

GDPR

Regulation
Active Now

Perhaps the most comprehensive data privacy standard to date, GDPR affects any organization that processes the personal data of EU citizens - regardless of where the organization is headquartered.

PCI DSS

Mandate
Active Now

Any organization that plays a role in processing credit and debit card payments must comply with the strict PCI DSS compliance requirements for the processing, storage and transmission of account data.

Data Breach Notification Laws

Regulation
Active Now

Data breach notification requirements following loss of personal information have been enacted by nations around the globe. They vary by jurisdiction but almost universally include a “safe harbor” clause.