A Forrester Consulting Thought Leadership Paper Commissioned By EMC
The Data Storage Imperative: Backup, Recovery and
Archiving in India
April 2012
Forrester Consulting
The Data Storage Imperative: Backup, Recovery and Archiving in Asia Pacific
Page 1
Table Of Contents
Executive Summary (page 2)
India Policies and Regulations (page 2)
Data Storage Approaches Currently Vary Widely Across the Region (page 5)
Regulations Will Continue To Have a Major Impact on Data Storage Strategies and Approaches (page 7)
Key Recommendations (page 10)
Appendix A: Methodology and Respondent Profile (page 11)
Appendix B: A List of Regulations in India (page 14)
Appendix C: Data Storage, Backup and Archiving Regulations in India (page 15)
© 2012, Forrester Research, Inc. All rights reserved. Unauthorized reproduction is strictly prohibited. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change. Forrester®, Technographics®, Forrester Wave, RoleView, TechRadar, and Total Economic Impact are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective companies. For additional information, go to www.forrester.com.
About Forrester Consulting
Forrester Consulting provides independent and objective research-based consulting to help leaders succeed in their organizations. Ranging
in scope from a short strategy session to custom projects, Forrester’s Consulting services connect you directly with research analysts who
apply expert insight to your specific business challenges. For more information, visit www.forrester.com/consulting.
Executive Summary
Storing, accessing and leveraging business-critical data will remain a strategic imperative for organizations of all
sizes across Asia Pacific (AP). In fact, implementing and managing effective policies for data storage, backup and
recovery are now more critical than ever. Trends such as cloud computing, social technologies and mobility are
driving major changes in the amount of data being generated, types of data being stored (both structured and
unstructured), and regulations in areas like data sovereignty and residency.
In September 2011, EMC commissioned Forrester Consulting to evaluate data backup, recovery and archiving adoption trends and challenges across AP, and in particular to assess how organizations are storing data and the impact of regulations focused on data protection and recovery.
This document analyzes some of the key trends, perceptions and actions that IT organizations are undertaking as they seek to cost-effectively store data to support business requirements while also complying with rapidly changing regulations. To do so, Forrester surveyed 550 respondents across 11 countries in AP, including 50 in Australia and 30 in New Zealand, conducting in-depth interviews with a mix of senior IT and business decision-makers who have deep knowledge of their organizations' IT operations.
Key Findings
Forrester's study yielded several key findings:
India Has A Fast-Changing Regulatory Environment, in which compliance requirements related to data protection and security are becoming tighter. Organizations should formalize processes for ongoing analysis and monitoring of relevant laws and regulations, and decide on the most feasible approaches to data storage, backup and archiving that serve both business needs and compliance requirements.
Data Storage Approaches Currently Vary Widely. This will remain the case, as an effective information governance strategy must leverage a variety of tools, technologies and approaches based on the type of information being stored and the relevant policy requirements.
Regulations Will Continue To Have A Major Impact On Data Storage Strategies And Approaches. IT organizations must carefully consider all approaches to storing and accessing business-critical data and continually assess technology capabilities against changing laws and regulations.
India Policies and Regulations
India has exhaustive statutory law covering taxation, corporations, labor, consumer protection, investor protection, foreign currency exchange, anti-terrorism and industrial policy, among other areas. Under the country's economic liberalization policy, various reforms have been carried forward, and the authorities are trying to bring legislation up to date with fast technological advancement, just as other governments and international organizations are doing worldwide. The enactment of new personal data protection rules in 2011 has implications for all industries, including the security measures they must implement and the conditions under which data may be transferred to third parties. The authorities have appointed working groups to continually review existing legislation related to corporate governance, risk management, data protection and security, among other areas, which will likely result in further amendments to existing policies and guidelines.
Personal Data Protection Laws
In April 2011 India adopted new data protection rules designed to protect 'sensitive personal data and information', applicable to all industries. When collecting, storing and handling personal information, organizations are required to obtain written consent from individuals; publish clear and easily accessible privacy policy statements; implement reasonable security practices; and maintain comprehensively documented security policies.1
Organizations may adopt the International Standard IS/ISO/IEC 27001 or another security standard approved by the central government. Data breach notification is not mandatory, but when called upon by the authority after an information security breach, an organization must be able to demonstrate that it implemented the security control measures set out in its documented information security policies.2
Under the most recently amended Act, tougher penalties apply in the event of a data breach. Knowing and intentional disclosure of information without the consent of the person concerned, or in breach of a lawful contract, may be punished with imprisonment for a term of up to three years, a fine of up to INR 500,000, or both.3
SOX Compliance
The authority monitors the corporate governance of listed companies in India through Clause 49, which is incorporated in the listing agreement between the stock exchanges and listed companies.4 The Indian authority has tightened the governance rules by issuing amendments.5
Unless a company is publicly listed in the US or is a US SEC registrant, the Sarbanes-Oxley Act (SOX, 2002) is not compulsory. However, SOX is widely regarded as the global de facto governance standard, and its requirements are becoming de facto best practice, especially for companies seeking investment from the US.
Record Retention Requirement
Corporate and taxation law typically determine data retention schedules by type of record, such as financial/accounting records, corporate tax records and related documents. Financial records must be retained for at least eight years, while tax records must be kept for seven years. There is no regulatory requirement for retaining employee records in India.
Data Encryption Requirement
There is no centrally controlled encryption law in India, but there are guidelines for managing sensitive personal data or information (SPDI) and requirements for online trading:
- Passwords and stored highly sensitive information must be encrypted using internationally proven encryption techniques to prevent unauthorized disclosure and modification.6
- Electronic communication systems used for the transmission of sensitive information must be equipped with suitable security software and, if necessary, with an encryptor or encryption software.7
- Online trading brokers are required to use encryption technology for the security, reliability and confidentiality of data.8
The encryption requirements, data transfer restrictions and business continuity/disaster recovery (BC/DR) requirements in India are summarized below (Figure 1).
Figure 1
Encryption, Cross-Border Data Transfer, and BC/DR Requirement in India
Source: A commissioned study conducted by Forrester Consulting on behalf of EMC, April 2012
Cross-border Data Transfer
Under the new data protection rules, organizations may transfer personal data to a third party in India or
outside India if the third party affords the same level of data protection that is adhered to by the data privacy
rules in India; and the transfer is necessary for the performance of the lawful contract; or the information
provider has consented to such transfer.9
Business Continuity and Disaster Recovery
The Reserve Bank of India (RBI) has released business continuity planning (BCP) guidelines for the banking sector.10 The RBI specifies the technology aspects of BCP, including high availability and fault tolerance for mission-critical applications and services; RTO/RPO metrics that fit the criticality of each business process and function; auditing of the deployed architecture for mission-critical applications and services; periodic investigation of outages experienced; defined testing procedures; and regular BCP testing, at least annually, to keep the BCP up to date and effective.11
The RBI also suggests a near-site disaster recovery architecture to enable quick recovery and continuity of critical business operations.12 Furthermore, banks should submit an annual statement describing the RTOs set for critical systems, as well as a quarterly statement reporting major failures and the steps taken to avoid their recurrence.13
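The RTO/RPO metrics and the quarterly failure statement described above can be checked mechanically once backup jobs and outages are logged. The following is an added example, not code from the Forrester paper or from the RBI: given a constructed backup catalog, a constructed outage log and hypothetical per-system RPO/RTO targets (the system names are invented), it computes the achieved RPO of each outage (time from the last successful backup to the outage start) and the achieved RTO (downtime), treats a missing recovery point as an RPO breach rather than as unknown, and summarises one quarter's breaches.

```python
"""Check achieved RPO/RTO of recorded outages against per-system targets.

Added example for the RBI BCP section; not from the Forrester/EMC paper.
Targets, backup catalog and outage log are all constructed sample data and
the system names are hypothetical.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Hypothetical per-system targets: (RPO, RTO), as a bank's BCP would set them
# from its business impact analysis.
TARGETS = {
    "core-banking": (timedelta(minutes=15), timedelta(hours=2)),
    "payroll": (timedelta(hours=24), timedelta(hours=48)),
}

# Constructed backup catalog: (system, job completion time, job succeeded?).
# Failed jobs stay in the catalog but must never count as a recovery point.
BACKUP_CATALOG = [
    ("core-banking", datetime(2012, 1, 10, 9, 0), True),
    ("core-banking", datetime(2012, 1, 10, 9, 15), True),
    ("core-banking", datetime(2012, 1, 10, 9, 30), False),
    ("payroll", datetime(2012, 1, 9, 22, 0), True),
]

# Constructed outage log: (system, outage start, service restored).
OUTAGES = [
    ("core-banking", datetime(2012, 1, 10, 9, 40), datetime(2012, 1, 10, 10, 30)),
    ("payroll", datetime(2012, 1, 10, 20, 0), datetime(2012, 1, 10, 21, 0)),
]


@dataclass
class OutageAssessment:
    system: str
    achieved_rpo: Optional[timedelta]  # None: no successful backup precedes the outage
    achieved_rto: timedelta
    rpo_met: bool
    rto_met: bool


def last_good_backup(system, before, catalog):
    """Most recent successful backup completed at or before `before`, or None."""
    times = [t for s, t, ok in catalog if s == system and ok and t <= before]
    return max(times) if times else None


def assess_outage(system, start, restored, catalog=BACKUP_CATALOG, targets=TARGETS):
    """Achieved RPO = data-loss window back to the last good backup; achieved RTO = downtime."""
    rpo_target, rto_target = targets[system]
    last_ok = last_good_backup(system, start, catalog)
    achieved_rpo = (start - last_ok) if last_ok is not None else None
    achieved_rto = restored - start
    # No recovery point at all is the worst case, so it is reported as a breach.
    rpo_met = achieved_rpo is not None and achieved_rpo <= rpo_target
    return OutageAssessment(system, achieved_rpo, achieved_rto, rpo_met, achieved_rto <= rto_target)


def quarterly_report(quarter_start, quarter_end, outages=OUTAGES, catalog=BACKUP_CATALOG, targets=TARGETS):
    """Count the quarter's outages and list target breaches: the raw material for
    the quarterly failure statement the BCP guidelines ask banks to file."""
    results = [
        assess_outage(s, start, restored, catalog, targets)
        for s, start, restored in outages
        if quarter_start <= start < quarter_end
    ]
    return {
        "outages": len(results),
        "rpo_breaches": [r.system for r in results if not r.rpo_met],
        "rto_breaches": [r.system for r in results if not r.rto_met],
    }


if __name__ == "__main__":
    print(quarterly_report(datetime(2012, 1, 1), datetime(2012, 4, 1)))
```

With the sample data, the core-banking outage at 09:40 falls back on the 09:15 backup (the 09:30 job failed), so the achieved RPO is 25 minutes against a 15-minute target and is reported as a breach, while both outages are restored inside their RTO. The same structure extends to the annual RTO statement by emitting the `TARGETS` table alongside the per-quarter results.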
Data Storage Approaches Currently Vary Widely Across the Region
Daily backup of corporate data is the most common approach across AP, particularly in Japan (84% of respondents), New Zealand (80%) and Australia (78%). In contrast, only 35% of China respondents currently back up daily, far below the regional average. In fact, 28% of China respondents still back up their data weekly, by far the highest rate in the region, versus only 2% in Australia and no Japan respondents (see Figure 2).
One-third of Korean respondents support real-time backup, the highest in AP. Thailand (10%) and the Philippines (12%) lag, but so do the more mature IT markets of Japan (13%) and New Zealand (13%). Among organization types, very large organizations (10k+ employees) are twice as likely to support real-time backup as smaller organizations (<1k employees): 34% vs. 16%.
Figure 2
Frequency Of Data Backup Varies Widely Across Asia Pacific
Base: 550 decision-makers
Source: A commissioned study conducted by Forrester Consulting on behalf of EMC, April 2012
Chart data for Figure 2. Question asked: On average, how often do you backup corporate data that is considered most critical? Answer categories: Real-time, Daily, Weekly, Other. The Real-time and Daily shares by market are recoverable from the chart:
Market       Real-time  Daily
Total AP     19%        62%
Thailand     10%        64%
Philippines  12%        64%
China        13%        35%
Japan        13%        84%
ANZ          18%        79%
Singapore    18%        74%
Malaysia     24%        58%
Indonesia    24%        62%
India        27%        51%
Korea        33%        60%
The Weekly and Other shares cannot be reliably reassembled from the chart residue; the text cites 28% weekly backup for China, 2% for Australia and 0% for Japan.
Managing ever-increasing data volumes is the primary challenge AP organizations face with regard to backup/recovery/archiving (see Figure 3). India is the lone exception, where increasing data volumes are edged slightly by the challenge of improving the efficiency of backup operations.
Organizations across the region vary significantly in how closely they follow regulations specifying the number of years for which historical data must be stored (see Figure 11 in Appendix A). Australia has the highest percentage of respondents who eliminate stored data after the required number of years (40%), versus only 15% in China and 17% in Korea.
In contrast, 32% of respondents in both Malaysia and Indonesia currently store all historical data forever –
versus only 12% in Australia and no respondents in Japan.
Figure 3
Challenges To Backup, Recovery and Archiving Are Extensive
Base: 550 decision-makers
Source: A commissioned study conducted by Forrester Consulting on behalf of EMC, April 2012
Tape-based storage remains critical in key AP markets, including Korea, where respondents are most likely to
view tape-based storage as critical to their business, rating the importance of searching for data on tapes 8.4 out
of 10, with 1 being lowest and 10 being highest. China respondents also rank the importance of searching for
data on tapes highly at 6.7 out of 10, well above the regional average of 5.8. Finally, among verticals, BFSI rank
the importance of searching for data on tapes highest at 6.5 – versus only 5.1 for both public sector respondents
and IT service providers.
The reliability of tape-based storage is also a consideration, with Korean respondents rating reliability highest at
8.4 out of 10 – versus a regional average of 6.8 and a low of 5.8 in Japan. Among verticals, both BFSI (7.1) and
Manufacturing (7.0) rate tape reliability above the regional average.
Despite ongoing demand, concerns related to managing tapes also impact organizations’ strategies. Across the
region, maintaining tape drives/libraries to restore data on tapes is the primary concern. The only exception is
Korea, where organizations are most concerned over physically managing the large number of tapes in use.
Challenge                                          % of respondents
Managing ever-increasing data volume               22%
Improving efficiency of backup operation           16%
Increasing operational complexity                  13%
Lack of simplified management/automation tools     10%
Lack of internal skill/knowledge                    9%
Over-reliance on manual processes                   8%
Question asked: What are the challenges that you're currently facing with regards to backup/recovery/archiving? Please select up to three.
Regulations Will Continue To Have a Major Impact on Data Storage Strategies and Approaches
Awareness of regulatory requirements varies widely across the region. Surprisingly, Japan respondents rate their awareness particularly low, at 4.4 out of 10 (with 10 being highest), while Korea (8.5) and China (7.8) both score well above the regional average of 6.9. Among specific regulations, AP organizations are most familiar with the Private Information Protection Law (7.2 out of 10) and least familiar with the International Financial Reporting Standards (IFRS) at 5.6 and Sarbanes-Oxley (SOX) at 5.9.
Organizations in Indonesia and the Philippines are most likely to increase spending as a result of regulations. Across the region as a whole, regulations related to disaster recovery and business continuity are most likely to drive increased spending on backup, recovery and archiving. When considering all regulatory requirements, AP organizations are slightly more likely to retrieve data quarterly than monthly (see Figure 4).
Figure 4
The Frequency Of Data Retrieval Varies Widely
Base: 550 decision-makers
Source: A commissioned study conducted by Forrester Consulting on behalf of EMC, April 2012
Market        Monthly  Quarterly  Half yearly  Yearly  Others
Total AP      21%      22%        16%          17%     23%
Japan          2%      31%        16%          20%     31%
Thailand      12%      18%        14%          38%     18%
New Zealand   13%      20%        17%          23%     27%
Malaysia      14%      28%        16%          20%     22%
India         19%      30%        16%           6%     30%
Singapore     20%      16%        22%          32%     10%
Australia     24%      20%        16%          20%     20%
Philippines   24%      34%        16%          12%     14%
Indonesia     30%      18%        22%          22%      8%
China         49%      19%        12%           3%     17%
Question asked: Please indicate how often you have typically retrieved data for regulatory purpose over the past three years.
Disks and internally managed off-site locations are viewed as the two most appropriate mediums for storing corporate data in order to comply with legal and regulatory requirements (see Figure 5). Disks are viewed most favorably in mature IT markets like Australia, Japan, Korea, New Zealand and Singapore, while an internally managed off-site location is preferred in growth markets like China, India, Indonesia, Malaysia and the Philippines.
Figure 5
Organizations Continue To Leverage Multiple Data Storage Approaches
Base: 550 decision-makers
Source: A commissioned study conducted by Forrester Consulting on behalf of EMC, April 2012
Medium                                      Mean appropriateness (1 = least, 10 = most)
Disks                                       7.2
Off-site location - internally managed      7.1
Optical media                               6.5
WORM media                                  6.5
Tapes                                       6.4
Off-site location - managed by a 3rd party  6.2
Question asked: On a scale of 1 to 10, where 10 is most appropriate and 1 is least appropriate, how appropriate do you think each of the following is for storing corporate data in order to comply with legal/regulatory requirements?
Over the next 12 months, most organizations expect data volume growth of 10-29% or more, and the expected growth rate is likely to continue to accelerate over the next 2-3 years (see Figure 6). Organizations in Japan, India and Indonesia expect the largest data growth rates over the next 12 months, while Australia expects the lowest. Results vary slightly for the next 2-3 years, with Japan, Thailand and Indonesia expecting the largest growth rates and Singapore the lowest.
Figure 6
Data Storage/Backup Volume Will Continue To Grow And Accelerate
What average annual data growth rate do you expect for your data storage/backup requirements in the next 12 months, and over the next 2-3 years?
Base: 550 decision-makers
Source: A commissioned study conducted by Forrester Consulting on behalf of EMC, April 2012
Expected annual growth   Next 12 months   Next 2-3 years
50%+                     13%              32%
30-49%                   22%              31%
10-29%                   50%              25%
Less than 10%             9%               5%
Data volume and efficiency improvement are the key investment drivers for data backup and recovery in AP over the next 2-3 years (see Figure 7). China ranks 'security capabilities' highest, while Singapore weighs 'complying with regulations' as a primary driver. 'Disaster recovery' is the secondary focus after data volume in Australia and New Zealand. Japan and Korea rank 'utilization rate improvement' higher than other countries do. Indonesia is the only country that does not consider data volume the key driver, listing efficiency improvement and disaster recovery instead as the primary reasons for backup and recovery investment.
Figure 7
Data Backup, Recovery, And Archiving Investments Are Driven By Many Different Factors
Base: 550 decision-makers
Source: A commissioned study conducted by Forrester Consulting on behalf of EMC, April 2012
Driver                                                         % of respondents
Managing larger volumes of data                                16%
Improving the efficiency of storage/backup infrastructure      16%
Improving security capabilities                                13%
Improving DR readiness                                         13%
Complying with regulations                                      9%
Improving utilization rates of storage/backup infrastructure    9%
Infrastructure consolidation                                    9%
Question asked: Which of the following do you think are likely to drive investment for backup/recovery/archiving over the next 2-3 years? Please select up to three.
Key Recommendations
Monitor all relevant laws and regulations applicable to your industry. Given the high frequency of changes in
regulations across the region, organizations should optimally review all applicable policies and requirements
every 12 months across all countries in which the organization operates. This includes data privacy and
protection laws as well as regulations targeting business continuity and disaster recovery, among others.
Review backup and recovery tools, technologies and approaches regularly. To ensure adequate support for
data laws and regulations, organizations should analyze their storage, backup and archiving approaches every
12-18 months. This is essential for not only ensuring compliance but also for containing the cost of managing
growing data volumes and meeting service level expectations of the business.
Evaluate technology and approaches to reduce costs and improve management efficiencies. In addition to
reviewing core storage solutions in use, look to adopt a common platform for backup and archiving. At the
same time, evaluate data management solutions like data deduplication.
Analyze current internal policies for data storage and retention. Identify areas where data can be stored for
shorter periods of time to reduce ongoing operational expenditures. Simultaneously, apply the appropriate
information governance approach based on data requirements. For instance, by leveraging archiving for long
term data retention and backup for operational data.
Understand the impact of cloud computing and traditional outsourcing. An effective information governance
strategy must extend to support data stored off-premises. Whether the data resides in shared infrastructure or
dedicated infrastructure, organizations must ensure the data is stored and protected in a compliant manner.
Appendix A: Methodology and Respondent Profile
In this study, Forrester conducted telephone interviews with 550 organizations across verticals such as banking, financial services and insurance; manufacturing; public sector; telecom; and IT service providers in Australia, China, India, Indonesia, Japan, Korea, Malaysia, New Zealand, the Philippines, Singapore and Thailand, to evaluate their need to store, back up and archive data, their awareness of legal requirements, and their technology requirements and adoption status. Survey participants were IT and business decision-makers in managerial roles, mainly at large enterprises (more than 1,000 employees) with some SMBs (500 to 999 employees). The study began in October 2011 and was completed in March 2012.
Figure 8
Type Of Organization
Base: 550 enterprise IT and business decision-makers
Source: A commissioned study conducted by Forrester Consulting on behalf of EMC, April 2012
MNCs 37%
Local/Regional 41%
Public 22%
How would you describe your company?
Figure 9
Breakdown By Employee Size
Base: 550 enterprise IT and business decision-makers
Source: A commissioned study conducted by Forrester Consulting on behalf of EMC, April 2012
Employee size   % of respondents
10,000+         17%
5,000-9,999     14%
1,000-4,999     54%
500-999         15%
Question asked: How many people are there in your company?
Figure 12
Approaches To Storing Corporate Data
Base: 550 enterprise IT and business decision-makers
Source: A commissioned study conducted by Forrester Consulting on behalf of EMC, April 2012
Medium           % of respondents
Storage          94%
Paper            91%
Server           89%
Tape             85%
Online Storage   45%
Question asked: Which of the following is used to store corporate data? Please select all that apply.
Figure 10
Approaches To Managing Storage Operation
Base: 550 decision-makers
Source: A commissioned study conducted by Forrester Consulting on behalf of EMC, April 2012
% of respondents choosing 'All managed internally'
AP Average    72%
India         59%
Korea         60%
China         65%
Japan         71%
Indonesia     72%
Thailand      74%
Malaysia      74%
Singapore     80%
Philippines   82%
ANZ           83%
Question asked: Please select the one statement that best describes how your company manages storage environment.
Figure 11
Historical Data Retention and Elimination Practice
Base: 550 decision-makers
Source: A commissioned study conducted by Forrester Consulting on behalf of EMC, April 2012
Market        (1)   (2)   (3)   (4)
Total AP      41%   27%   23%    9%
Malaysia      20%   36%   32%   12%
Indonesia     28%   24%   32%   16%
India         29%   23%   31%   17%
Thailand      32%   34%   20%   14%
Philippines   38%   30%   28%    4%
Australia     44%   40%   12%    4%
Singapore     48%   30%   16%    6%
New Zealand   50%   23%   20%    7%
China         55%   15%   28%    3%
Korea         60%   17%   17%    7%
Japan         64%   33%    0%    2%
1. Store data for longer than the legally required no. of years
2. Eliminate after the required no. of years
3. Never eliminated historical data in the past
4. Other (no formal procedure in place, uncertain)
Question asked: Which of the following best describes how you manage historical corporate data?
Appendix B: A List of Regulations in India
The Companies Act 1956
The Securities Contracts (Regulation) Act 1956
The Income Tax Act 1961
The Information Technology Act (the IT Act) 2000
The Information Technology (Certifying Authorities) Rules 2000
The Information Technology (Amendment) Act 2008
The Clause 49 of the Listing Agreement
The Information Technology (reasonable security practices and procedures and sensitive personal data or information) Rules 2011
Appendix C: Data Storage, Backup and Archiving Regulations in India
Data privacy rules - The Information Technology (reasonable security practices and procedures and sensitive personal data or information) Rules 2011, or the Data Privacy Rules, apply to sensitive data of any individual collected, processed or stored by any entity in India. Prior to collecting sensitive data, the body corporate or the data processor must obtain prior written consent (by letter, fax or email) from the prospective provider regarding the purpose for which such data will be used (5 (1)); must provide a privacy policy for handling of or dealing in personal information (4 (1)); and must implement reasonable security practices and procedures (8 (1)). Sensitive data must not be collected unless it is for a lawful purpose and the collection is necessary for that purpose (5 (2)), and must not be retained for longer than is required for that purpose (5 (4)). Disclosure of sensitive personal data or information by the body corporate to any third party requires prior permission from the provider of such information (6 (1)).
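The retention rules on this page pull in two directions: the Record Retention Requirement section on page 3 sets statutory minimums (financial records eight years, tax records seven), while rule 5(4) above requires that sensitive personal data not be kept beyond its purpose. One way to operationalize both is a periodic review that classifies every archived record. The following is an added example, not code from the Forrester paper or from any regulator; the record classes, ids, legal-hold flag and sample dates are constructed, and the 'employee' class illustrates the paper's note that no regulatory period exists for such records (the example keeps them by default rather than guessing a period).

```python
"""Retention review: which archived records must be kept, may be deleted, or must be deleted.

Added example; not from the Forrester/EMC paper. Retention periods are the ones
the paper cites (financial 8 years, tax 7 years). Record set, record classes and
the legal-hold flag are constructed/hypothetical.
"""
from datetime import date

# Statutory minimum retention in years, per the paper's retention section.
RETENTION_YEARS = {"financial": 8, "tax": 7}


def add_years(d, years):
    """Same calendar date `years` later; 29 Feb rolls back to 28 Feb in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def classify(record, today):
    """Return KEEP, ELIGIBLE_FOR_DELETION or DELETE_REQUIRED for one record.

    record keys: id, kind ("financial", "tax", "spdi", ...), created (date),
    legal_hold (bool), purpose_ended (date or None, SPDI only).
    Precedence: a legal hold beats every schedule; SPDI is purpose-bound rather
    than schedule-bound; a class with no known period is never deleted automatically.
    """
    if record.get("legal_hold"):
        return "KEEP"
    kind = record["kind"]
    if kind == "spdi":
        ended = record.get("purpose_ended")
        # Rule 5(4): sensitive personal data must not outlive its purpose.
        return "DELETE_REQUIRED" if ended is not None and ended <= today else "KEEP"
    years = RETENTION_YEARS.get(kind)
    if years is None:
        return "KEEP"
    # Minimum retention satisfied: the business may now choose to eliminate the record.
    return "ELIGIBLE_FOR_DELETION" if add_years(record["created"], years) <= today else "KEEP"


def review(records, today):
    """Map record id -> decision for a whole archive."""
    return {r["id"]: classify(r, today) for r in records}


# Constructed sample archive.
SAMPLE_RECORDS = [
    {"id": "FIN-2006", "kind": "financial", "created": date(2006, 3, 31), "legal_hold": False},
    {"id": "TAX-2004", "kind": "tax", "created": date(2004, 6, 30), "legal_hold": False},
    {"id": "TAX-2003", "kind": "tax", "created": date(2003, 6, 30), "legal_hold": True},
    {"id": "SPDI-7", "kind": "spdi", "created": date(2011, 5, 1), "legal_hold": False,
     "purpose_ended": date(2012, 1, 15)},
    {"id": "SPDI-8", "kind": "spdi", "created": date(2011, 5, 1), "legal_hold": False,
     "purpose_ended": None},
    {"id": "HR-1", "kind": "employee", "created": date(2001, 1, 1), "legal_hold": False},
]

if __name__ == "__main__":
    for rid, decision in review(SAMPLE_RECORDS, date(2012, 4, 1)).items():
        print(rid, decision)
```

Run against the sample archive as of 1 April 2012, the 2004 tax record has passed its seven years and becomes eligible for elimination, the 2003 tax record stays because of the legal hold, the SPDI record whose purpose ended in January must be deleted, and the financial record is still inside its eight-year window. The three-way outcome matters in practice: the survey's 23% of respondents who never delete are conflating "eligible" with "required to keep", while deleting SPDI on the statutory schedule alone would miss the purpose-bound rule.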
Security measures – Under the Data Privacy Rules 2011, the body corporate and the Data Processor should
implement reasonable security practices and standards; have a comprehensively documented information
security program, and security policies. These must contain managerial, technical, operational and physical
security control measures that are commensurate with the information assets being protected and with the
nature of business (8 (1)). The International Standard IS/ISO/IEC 27001 on ‘Information Technology -
Security Techniques - Information Security Management System - Requirements’ is recognized as an
approved security practices standard that the body corporate or the Data Processor could implement to
comply with security measures (8 (2)). Any other security standard approved by the Central Government
may also be adopted in compliance with the security measures (8 (3)). Under the Information Technology
(Certifying Authorities) Rules 2000, organizations are encouraged to ensure the secure disposal of sensitive
information assets on all corrupted/damaged or affected media both internal (e.g. hard disk/optical disk)
and external (e.g. diskette, disk drive, tapes etc.) to the system, and preferably such
affected/corrupted/damaged media both internal and external to the system shall be destroyed (5.3
Sensitive Information Control (7)); removable electronic storage media must be removed from the computer
and properly secured at the end of the work session or workday (5.3 (4)); hard disks containing sensitive
information and data must be securely erased prior to giving the computer system to another internal or
external department or for maintenance (5.3 (6)).
Penalties - Under section 43A of the IT Act 2000, a body corporate that possesses, deals in or handles Sensitive Data in a computer resource is liable to pay compensation if it is negligent in implementing and maintaining reasonable security practices and procedures, and such negligence results in wrongful loss or wrongful gain to any person. Under section 72A of the IT Amendment Act 2008, a person providing services under a lawful contract may be liable to imprisonment for a term of up to 3 years, a fine of up to INR 500,000 (approximately US$100,000), or both, for disclosure of the personal information of any individual (a) with the intent to cause, or knowing that he is likely to cause, wrongful loss or wrongful gain; and (b) without the consent of such individual, or in breach of the lawful contract.
Encryption – The Government has laid down the IT Security Guidelines under the Information Technology (Certifying Authorities) Rules 2000, stating that highly sensitive information assets should be stored in an encrypted format to avoid compromise by unauthorized persons (5.3 Sensitive Information Security (1)), and that electronic communication systems used for the transmission of sensitive information, such as routers, switches, network devices and computers, must be equipped with suitable security software and, if necessary, with an encryptor or encryption software (5.3 (6)). The Securities and Exchange Board of India (SEBI) mandates the use of encryption technology for the security, reliability and confidentiality of data and prescribes 64-bit/128-bit encryption for standard network security. For securities trading over a mobile phone or the Wireless Application Protocol (WAP), SEBI recommends that transmission from the WAP gateway server to the Internet server be secured using Secure Sockets Layer (SSL), preferably with 128-bit encryption; the Reserve Bank of India (RBI) advises that banks should use at least 128-bit SSL for securing browser-to-web-server communications and encrypt sensitive data such as passwords in transit within the enterprise itself. These key lengths and protocol names are the regulators' guidance as it stood in 2012; before relying on them, check the current circulars, since minimum acceptable cipher strengths and protocol versions are revised over time.
Data Transfer - Under the Data Privacy Rules 2011, a body corporate or Data Processor (‘Transferor’) may
transfer Sensitive Data to a third party in India or outside India, provided: the third party affords the same
level of data protection that is adhered to by the Transferor under the Data Privacy Rules; and transfer is
necessary for the performance of the lawful contract between the Transferor and the Provider; or the
Provider has consented to such transfer (7 Transfer of Information).
Outsourcing in the Banking sector – Under the "Guidelines on Managing Risks and Code of Conduct in Outsourcing of Financial Services by banks 2006" (http://www.rbi.org.in/commonman/English/scripts/Notification.aspx?Id=40), banks do not require prior approval from the Reserve Bank of India (RBI) for outsourcing financial or other services if the service provider is located in India, but must notify the RBI of all financial services they plan to outsource. Outsourcing outside India requires the RBI's prior approval, which depends on factors including country risk, the bank's procedures for dealing with country risk issues, and appropriate contingency and exit strategies. Outsourcing arrangements should only be entered into with parties operating in jurisdictions that generally uphold confidentiality clauses and agreements.
Business Continuity in the Banking sector – Under the “Guidelines on Information security, Electronic
Banking, Technology risk management and Cyber frauds” issued by the RBI, banks should consider BCP
methodologies and international standards (BS 25999 by BSI) which follow the “Plan-Do-Check-Act
Principle” (2.1 BCP Methodology). The BCP methodology should include Business Impact Analysis (Phase 1),
Risk Assessment (Phase 2), Determining Choices and Business Continuity Strategy (Phase 3), and Developing
and Implementing BCP (Phase 4). Action plans and key steps in each phase are set out in the Guideline. Risk
Assessment in Phase 2 should include formulating Recovery Time Objectives (RTO) based on the Business
Impact Analysis in the previous phase, and identifying the Recovery Point Objective (RPO) for data loss for
each of the critical systems together with a strategy to deal with such data loss, which may also be
periodically fine-tuned by benchmarking against industry best practices. The Guideline suggests that the DR
planner(s) may determine the most suitable recovery strategy for each system and the RTO/RPO metrics that
fit the criticality of the business process and function within the available budget, and map them onto the
underlying IT infrastructure (8. Technology Aspect of BCP). Common strategies for data protection are
listed as: backups made to tape and sent off-site at regular intervals (preferably daily); backups made to
disk on-site and automatically copied to off-site disk, or made directly to off-site disk; replication of
data to an off-site location, which overcomes the need to restore the data (only the systems then need to be
restored or synced) and generally makes use of storage area network (SAN) technology; high availability
systems that keep both data and system replicated off-site, enabling continuous access to systems and data;
and local mirrors of systems/data and use of disk protection technology such as RAID.
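The Phase 2 step above asks a bank to fix an RPO and RTO per critical system and to benchmark them periodically. The following Python is an added illustration of that check, not code from the paper or the RBI guideline: it compares each system's stated RPO/RTO against its last verified backup and its measured restore time from a DR test, and maps an RPO to one of the protection strategies the guideline lists. All systems, targets, timestamps and the strategy thresholds are constructed assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class CriticalSystem:
    name: str
    rpo: timedelta               # maximum tolerable data loss (Phase 2 output)
    rto: timedelta               # maximum tolerable recovery time (Phase 2 output)
    last_good_backup: datetime   # newest verified backup or replica checkpoint
    measured_restore: timedelta  # restore time observed in the latest DR test

def assess(systems, now):
    """Return {name: [violations]}; an empty list means RPO and RTO are met."""
    report = {}
    for s in systems:
        issues = []
        # Data that would be lost if the system failed right now.
        exposure = now - s.last_good_backup
        if exposure > s.rpo:
            issues.append(f"RPO breach: {exposure} since last good backup > {s.rpo}")
        if s.measured_restore > s.rto:
            issues.append(f"RTO breach: measured restore {s.measured_restore} > {s.rto}")
        report[s.name] = issues
    return report

def suggest_strategy(rpo):
    """Pick among the data protection strategies listed in the RBI guideline.
    The thresholds are assumptions for illustration, not from the guideline."""
    if rpo <= timedelta(minutes=5):
        return "high availability: data and system replicated off-site"
    if rpo <= timedelta(hours=1):
        return "replication of data to an off-site location (SAN)"
    if rpo <= timedelta(hours=24):
        return "disk backup on-site, automatically copied to off-site disk"
    return "tape backup sent off-site at regular intervals"

# Constructed sample inventory with a fixed 'now' so the run is reproducible.
NOW = datetime(2012, 4, 2, 9, 0)
SYSTEMS = [
    CriticalSystem("core-banking", timedelta(minutes=15), timedelta(hours=4),
                   NOW - timedelta(minutes=5), timedelta(hours=2)),
    CriticalSystem("payments-gateway", timedelta(hours=1), timedelta(hours=2),
                   NOW - timedelta(minutes=30), timedelta(hours=3)),
    CriticalSystem("archive-store", timedelta(hours=24), timedelta(hours=48),
                   NOW - timedelta(hours=36), timedelta(hours=20)),
]

if __name__ == "__main__":
    report = assess(SYSTEMS, NOW)
    for s in SYSTEMS:
        print(s.name, "OK" if not report[s.name] else "; ".join(report[s.name]))
        print("  suggested:", suggest_strategy(s.rpo))
```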
1 India issued new privacy rules called the Information Technology (reasonable security practices and
procedures and sensitive personal data or information) Rules 2011. Organizations are required to notify
individuals when personal information is collected, make a privacy policy available, take steps to secure
personal information, obtain prior permission before disclosing personal information to a third party, and
transfer personal data only if necessary and only to another country that ensures the same level of data
protection as provided under the Rules. Source: “Ministry of Communications and Information Technology
(Department of Information Technology) Notification”, Government of India, Ministry of Communications and
Information Technology, 11 April 2011 (http://www.mit.gov.in/sites/upload_files/dit/files/GSR313E_10511(1).pdf)
2 See footnote 1 above.
3 The Ministry of Information Technology (MIT) amended the IT Act 2000 by adding more severe penalties for
data breach to curtail Internet usage for misuse and terrorist activities. Source: “The Information Technology
(Amendment) Bill 2008”, Government of India, MIT, Department of Electronics and Information Technology, 22
December 2008 (http://164.100.24.219/BillsTexts/LSBillTexts/PassedLoksabha/96-c%20of%202006.pdf)
4 The Securities & Exchange Board of India (SEBI) introduced Clause 49, applicable to all listed entities
having a paid up share capital of INR 3 crores and above or a net worth of INR 25 crores or more at any time in
the company’s history. This came into effect from 1 January 2006 to improve the corporate governance of
all listed companies. Source: SEBI, 29 March 2005 (http://www.sebi.gov.in/press/2005/200566.html)
5 The SEBI has issued amendments to the existing Clause 49, including mandating listed companies to disclose
the relationships between independent directors and not allowing a vacancy in an independent director’s
position to last longer than 180 days. Source: “Press Release: Changes to Clause 49 of the Listing Agreement”,
SEBI, 8 April 2008 (http://www.sebi.gov.in/Index.jsp?contentDisp=SubSection&sec_id=25&sub_sec_id=25)
6 The MIT has released guidance on key steps for organizations when managing personal information security
breaches. Source: “Information Technology (Certifying Authorities) Rules, 2000”, Department of Electronics and
Information Technology, MIT, Government of India, 17 October 2000
(http://www.mit.gov.in/sites/upload_files/dit/files/downloads/itact2000/act2000.pdf)
7 See footnote 6 above.
8 The SEBI mandates Internet trading system to have provision for security, reliability and confidentiality of data
through use of encryption and in line with the SEBI’s directives on standards for web interfaces and protocols.
Source: “Master Circular for Stock Exchanges”, SEBI, 31 March 2010
(http://www.sebi.gov.in/cms/sebi_data/commondocs/anncir2_p.pdf)
9 See footnote 1 above.
10 The Reserve Bank of India (RBI) advised banks to implement a BCP with a robust information risk
management system and to thoroughly test it at frequent intervals, as per the policy, to verify its full
capability against changing scenarios and assumptions, subject to annual review. A copy of the BCP approved
by the Board may be forwarded for perusal to the General Manager of the RBI. Source: “Operational Risk
Management - Business Continuity Planning”, RBI, 15 April 2005
(http://www.sebi.gov.in/cms/sebi_data/commondocs/anncir2_p.pdf)
11 The RBI has released comprehensive guidelines for technology risk management, IT governance, and BCP
applicable to the banking sector. Source: “Guidelines on Information security, Electronic Banking, Technology
risk management and cyber frauds”, RBI, Department of Banking Supervision, Central Office, 29 April 2011
(http://www.sebi.gov.in/cms/sebi_data/commondocs/anncir2_p.pdf)
12 See footnote 11 above.
13 The RBI notified banks to submit 1) an annual statement at the end of each financial year describing the
critical systems, their RTOs and the strategy to achieve them, and 2) a quarterly statement reporting major
failures of critical systems during the period, the customer segments/services impacted by the failures and
the steps taken to avoid such failures in future, starting from June 2005. Source: “Operational Risk
Management - Business Continuity Planning”, RBI, 15 April 2005
(http://www.sebi.gov.in/cms/sebi_data/commondocs/anncir2_p.pdf)