The Ministry of Electronics and Information Technology (MEITY) vide notification dated 22nd May, 2018 has notified the Information Technology (Information Security Practices and Procedures for Protected System) Rules, 2018 (“Rules”) which shall come into force on the date of publication in the Official Gazette.
The Rules detail the responsibilities to be met by organisations which have a protected system. “Protected System” means any computer, computer system or computer network of any organisation notified under section 70 of the Act, in the Official Gazette by the appropriate Government.
Constitution of Information Security Steering Committee
The Rules mandate that an organisation having a Protected System shall constitute an Information Security Steering Committee (ISSC) whose chairman shall be the Chief Executive Officer/ Managing Director/ Secretary of the organisation (Rule 3 (1) (a)). The composition of the ISSC as mentioned in Rule 3 (1) (b) shall be as follows:
- IT Head or equivalent;
- Chief Information Security Officer (CISO);
- Financial Advisor or equivalent;
- Representative of National Critical Information Infrastructure Protection Centre (NCIIPC);
- Any other expert(s) to be nominated by the organisation.
The ISSC shall be the apex body and its responsibilities (as mentioned under Rule 3(2)) shall be as follows:
- All the information security policies of a Protected System have to be approved by the ISSC.
- Any significant change in the network configuration which has an impact on the Protected System shall be approved by ISSC.
- It is mandatory that each significant change in the application(s) of the Protected System shall be approved by ISSC.
- A mechanism has to be established which ensures timely communication of the cyber incident(s) related to Protected System to the ISSC.
- Protected System shall be validated for assessment after every 2 (two) years.
The Rules also lay down certain roles and responsibilities for the organisations having a Protected System (as mentioned under Rule 3(3)). Some of the key responsibilities are as follows:
- Nominate an officer as CISO whose roles and responsibilities shall be as per the latest Guidelines for Protection of Critical Information Infrastructure (“Guidelines”) and “Roles and Responsibilities of CISOs of Critical Sectors in India” released by the NCIIPC;
- Plan, establish, implement, operate, monitor, review, maintain and continually improve Information Security Management System (ISMS) of its system as per the latest Guidelines released by the NCIIPC or an industry accepted standard duly approved by the said NCIIPC;
- Ensure that the network architecture of Protected System shall be documented;
- The same shall be reviewed at least once a year, or whenever required, or according to the ISMS;
- Plan, develop, maintain and review the documents of inventory of hardware and software related to Protected System;
- Ensure that the vulnerability/threat/risk (V/T/R) analysis for the cyber security architecture of Protected System shall be carried out at least once a year. Further, the V/T/R analysis shall be initiated whenever there is significant change or upgrade in the system, by intimation of the same to ISSC;
- Plan, establish, implement, operate, monitor, review, and continually improve Cyber Crisis Management Plan (CCMP) in close coordination with NCIIPC;
- Ensure conduct of internal and external Information Security audits periodically.
- Establish a Cyber Security Operation Center (C-SOC) using such tools and technologies to implement preventive, detective and corrective controls to secure against advanced and emerging cyber threats.
- The records of unauthorised access, unusual and malicious activity, if any, shall be documented;
- Establish a Network Operation Center (NOC) using tools and techniques to manage, control and monitor the network(s) of Protected System.
- Plan, develop, maintain and review the process of taking regular backup of logs of networking devices, perimeter devices, etc. and services supporting “Protected System” and the logs shall be handled as per the ISMS as suggested.
The Rules also lay down responsibilities of the CISO towards NCIIPC (as mentioned under Rule 4). They are as follows:
- CISO shall maintain regular contact with the NCIIPC and will be responsible for implementing the security measures.
- CISO shall inform the NCIIPC, whenever there is any change, and incorporate the inputs/feedback suggested by the said NCIIPC, with regard to details of Critical Information Infrastructure (CII), details of ISSC, network architecture of the Protected System, etc.
- CISO shall establish a process, in consultation with the NCIIPC, for sharing of logs of “Protected System” with NCIIPC to help detect anomalies and generate threat intelligence on real time basis.
- CISO shall also establish a process of sharing documented records of Cyber Security Operation Center (related to unauthorised access, unusual and malicious activity) of Protected System with NCIIPC to facilitate issue of guidelines, advisories and vulnerability, audit notes etc. relating to Protected System.
- CISO shall establish a process in consultation with NCIIPC, for timely communication of cyber incident(s) on Protected System to the said NCIIPC.
DRUG & CLINICAL TRIAL RULE 2018
The Ministry of Health and Family Welfare of Government of India has released draft Clinical Trial (CT) Rules 2018, which will come into force after its final publication in the Official Gazette. The new rules have been drafted after consultation with the Drugs Technical Advisory Board (DTAB).
Drug & Clinical Trial Rule 2018 will be applicable to all new drugs, investigational new drugs for human use, clinical trial, bioequivalence study, bioavailability study and Ethics Committee.
The Key Highlights of the Draft Clinical Trial Rules:
- Every clinical trial institution, organization, entity or any other such group which intends to conduct a CT or bioavailability study or bioequivalence study is required to have an Ethics Committee (EC) supervising the CT at all times. The role of the EC has been expanded and has been made vital to any CT or bioavailability study or bioequivalence study.
- An EC needs to obtain a registration from the Central Licensing Authority (CLA) and it must have a minimum of seven members from Medical Science, Scientific, Non-medical, Non-scientific, and layperson and a woman member constituted by an institution conducting CT.
- Form CT-02 is the relevant form under which an EC is granted a registration under the draft rules. The registration will be valid for a period of three years from the date of its issue unless suspended or cancelled by the Central Licensing Authority.
- Any person or institution intending to conduct a clinical trial of a new drug or investigational new drug shall procure a prior approval from the CLA. The permission to conduct a clinical trial is granted under rule 22 of the draft rules and as per the specifications of Form CT-06. Once the CLA approves and provides a license to conduct a CT, the same shall remain valid for a period of two years from the date of its issue, unless suspended or cancelled by the CLA.
- Where the scope of the CT is only to do academic trials, i.e. constraining the CT only to academic findings without human intervention, no permission is required from the CLA to conduct a CT for any drug in the following circumstances:
- The CT drug formulation is intended solely for academic research purposes,
- The CT has been approved by the EC,
- The observations of such CT are not required to be submitted to the CLA; and
- The observations of such CT are not used for promotional purposes.
- Where an EC is not available at the site of the CT, the CT can only be initiated after getting the protocol approved by the Institutional Ethics Committee of another trial site or an independent EC constituted under Rule 7, provided that the approving Ethics Committee shall in such case be responsible for the study at the trial site or the centre, as the case may be.
- Provided further that, the approving Ethics Committee and the clinical trial site or the bioavailability and bioequivalence centre, as the case may be, shall be located within the same city or within a radius of 50 km of the clinical trial site.
- In case of termination of any CT, the detailed reasons for such termination should be communicated to the CLA within thirty days of such termination.
- Any report of a serious adverse event occurring during the CT to a subject of the CT, after due analysis, should be forwarded to the CLA, the chairperson of the EC and the Institute where the CT has been conducted within fourteen days of its occurrence.
- In case of an injury during a CT to the subject of such trial, complete medical management and compensation should be provided by the firm and details of compensation provided in such cases shall be intimated to the CLA within thirty days of the receipt of recommendations made by EC.
- In case of a CT-related death or permanent disability of any subject during the trial, compensation shall be provided within thirty days of receipt of the order issued by the CLA. The details of compensation provided in such cases should be intimated to the CLA.
- A license has to be obtained by the institutions or organizations for manufacturing or importing new drugs or investigational new drugs or for the manufacture of unapproved active pharmaceutical ingredient for the development of any formulation, for a CT, bioavailability, bioequivalence study etc.
- The institutions or organizations have to also obtain a license to manufacture or import new drugs for sale or for distribution under the Rules.
- No CT can be conducted without procuring free consent from its participants or study subjects. The consent shall be freely given, informed and in written form. It is the duty of the investigator to provide detailed information to the participants both orally and by using an information sheet, in a language that is understandable by the respective participants.
- A written consent from the participants of the CT is mandatory as per the draft rules, and the same needs to be taken through an “Informed Consent Form”. The patient information sheet and the informed consent form must be approved by the ethics committee and shall be submitted to the CLA. In case any changes are to be made to the informed consent documents, the same have to be approved by the EC and subsequently submitted to the CLA.
- In case a participant fails to or is not able to provide his/her consent then a legal representative of the participant can provide the consent or the same may be obtained in presence of witnesses.
- Where a CT on paediatrics is being conducted and the participants are unable to provide written informed consent, the consent shall be obtained from the parent or legal guardian. Additionally, paediatric participants should agree to enrol in the CT.
- An audio-video recording of the informed consent process is mandatory in case of vulnerable subjects in a CT of a New Chemical Entity or New Molecular Entity. The recording, including the procedure of providing information to the subject and his understanding of such consent, shall be maintained by the investigator for record. In cases of anti-HIV and anti-leprosy drugs, only an audio recording of the informed consent process needs to be maintained.
- The quality assurance system shall be implemented to ensure that data are generated, documented and reported in compliance with the protocol and GCP guidelines. Proper implementation of the rules and regulations under the draft CT rules is the responsibility of the Sponsor of the respective CT.
- A status report needs to be submitted by the Sponsor to ensure that the CT is being conducted as per the prescribed rules and regulations.
- Where any serious adverse event occurs at the CT site, the sponsor shall submit a Serious Adverse Event (SAE) report to the CLA. It is the duty of the Sponsor to submit the SAE report after due analysis of the event and to make the necessary payment for medical management of the participants. The sponsor shall also provide financial compensation for the CT-related injury or death (if any).
- Post-trial access of the investigational drug shall be provided by the sponsor by providing a drug free of cost to the participants as per the directions of the CLA, and in special circumstances on the recommendations of the investigator and the EC upon taking a written consent of the patient.
MCA vide its notification dated 9 February 2018 has notified the “Companies (Registered Valuers and Valuation) Amendment Rules, 2018”, to amend Rule 11 on “Transitional Arrangement”, i.e. persons rendering valuation services.
According to the provisions of these rules, any person rendering valuation services under the said Act on the date of the commencement of the particular rules could continue to do so until 31 March 2018 without a certificate; with the new amendment, the time has been extended till 30 September 2018.
The MCA vide its notification dated 16 February 2018 has amended the Companies (Authorised to Register) Rules, 2014 and notified the Companies (Authorised to Register) Amendment Rules, 2018, substituting form no. URC-1 (Application by a Company for registration under Section 366, i.e. Conversion from firm into Company and LLP into Company).
The MCA vide its notification dated 16 February 2018 has amended the Companies (Management and Administration) Rules, 2014 and notified the Companies (Management and Administration) Amendment Rules, 2018, to substitute/ amend the prescribed forms MGT-6 (Return to the Registrar in respect of declaration under section 89 received by the Company) and MGT-15 (Form for filing report on Annual General Meeting).
The MCA vide its notification dated 16 February 2018 has notified the Companies (Audit and Auditors) Amendment Rules, 2018, to substitute/ amend the prescribed Forms ADT-1 (Notice to the Registrar by Company for appointment of Auditor) and ADT-2 (Application for removal of auditor(s) from his/ their office before expiry of term) in Annexure to the Companies (Audit and Auditors) Rules, 2014.
MCA vide its notification dated 27 February 2018 has amended the Companies (Accounts) Rules 2014 and notified the Companies (Accounts) Amendment Rules 2018.
The Companies (Accounts) Amendment Rules, 2018 (“Amendment Rule”) inserts a new proviso under Rule 10 of the Companies (Accounts) Rules 2014, which deals with the “Statement containing salient features of financial statements”. The proviso states that “The companies which are required to comply with companies (Indian Accounting Standards) Rules, 2015 shall forward their statement in form AOC-3A.”
The amendment also inserts a new form, i.e. form AOC-3A (Statement containing salient features of the financial statements pursuant to section 136 of the Companies Act 2013 and proviso to rule 10 of the Companies (Accounts) Rules 2014).