CyLawCom Audit for Hotels

CyLawCom Audit is an audit of the business processes of an entity with the objective of identifying the Cyber Law related risks of the business. The audit is normally followed by recommendations on the actions to be taken to bring the Cyber Law Compliance level up to an acceptable level.

CyLawCom audit is typically undertaken in two phases. The “CyLawCom Risk Audit” phase is the phase in which the risks are identified and a “Risk Assessment Report” is made available to the management of the organization.

The “CyLawCom Compliance Audit” is the phase in which the organization’s “Cyber Law Risk Compliance Measures”, taken on the basis of an earlier “Risk Audit”, are evaluated and a “Compliance Certificate” is issued by the audit agency to a “CyLawCom Certifying Agency”.

The CyLawCom Audit process has been developed by Cyber Law College and is undertaken through professionals trained in “Techno Legal Cyber Security Aspects”, referred to as “CyLawCom Examiners”. Cyber Law College enrolls qualified professionals as “Provisional CyLawCom Examiners”, to whom the necessary training is administered to undertake such audits. Additionally, “Certified CyLawCom Examiners” are being developed through a competitive qualification examination.


The presence of laws that cover the use or misuse of electronic documents poses a management challenge of a special nature to the hotel industry.

Large Hotels take pride in providing easy Internet access both through wired networks as well as WiFi services. In the process they also assume the risks of "Vicarious Liability" arising out of the misuse of the facility by any customer. The fact that International travellers who are not conversant with the Indian laws are frequently the Internet users in a Hotel network creates an additional problem of legal and cultural differences that lead to contraventions arising out of mistake and ignorance.

Additionally, Hotels use Computer networks to manage their business just like other business houses and are therefore exposed to all the network related risks. They are themselves E-Business centers accepting Credit Card payments online for various services rendered.

It can therefore be said that the Hotel Industry is exposed to Cyber Law related risks somewhat more than a company in another line of business. In fact a Hotel is as much prone to such risks as a Cyber Cafe.

Terrorist related crimes are also likely to take place through Hotel networks, since terrorists may be guests of the Hotel. Organized criminals always try to use borrowed networks for information exchange, since they can later vanish without trace. Hotels are therefore exposed to greater risks than other establishments.

Last year, in a case reported from Chennai, a Hotel was involved in the filming of the private moments of a celebrity, which later found its way onto the Internet. In such a case the Hotel would be the prime accused for the crime.

In another incident, a small hotel in Andhra Pradesh found that its manager was indulging in a fraud whereby he was systematically manipulating the room allotments in the system, collecting more from the customers and accounting for less to the management. Though the management came to know of the fraud through circumstantial good fortune, it was unable to take appropriate action against the fraudster since the system was not geared to meet the evidentiary standards required for such convictions.

The process of "CyLawCom-Hotel" addresses the Risk Mitigation Requirements of the industry, both the risks posed by the guests and the evidentiary requirements arising from in-house frauds, as an “IT Process Security” issue.

It addresses the issue by:

a) Providing a reasonable level of technical security to protect the data from loss, supported by an effective Disaster Recovery and Business Continuity Plan

b) Providing a reasonable level of "Due Diligence" in respect of Computer use by all users, including the guests and internal staff.

c) Creating a Cyber Evidence Capture System (CECS) that ensures that every critical piece of electronic document is accounted for against its author and tracked for all modifications, in a manner which the prevailing laws (ITA-2000 in India) recognize as judicially non-repudiable.

While IT Security standards such as ISO 27001 (the replacement of BS 7799) are used as guidelines for providing the “Technical Security” for the IT system, the CECS takes security to the “Techno Legal Security Level” under the guidelines pioneered by Cyber Law College, promoted by Naavi.
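To make the CECS requirement above concrete (every critical record attributed to its author and every modification tracked in a tamper-evident way), here is an added example of an append-only, hash-chained change log for room-allotment records. It is illustrative code written for this page, not Cyber Law College's CECS or any product code; the field names, the sample records and the integrity key are constructed, and the key is a placeholder. Each entry carries the author, the before/after state and an HMAC that also covers the previous entry's HMAC, so that a later rewrite of an entry, such as the under-accounting fraud described earlier, breaks the chain and is detected on verification.

```python
"""Added example: tamper-evident, author-attributed change log for room
allotment records (constructed for illustration; not the page's own code).

Limits: an HMAC with a shared key only proves integrity against someone
without the key. Judicial non-repudiation under ITA-2000 would additionally
need per-author digital signatures and a trusted time source, which this
sketch does not provide.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Placeholder key: in practice kept outside the application (e.g. in an HSM)
# so that an application user or administrator cannot re-MAC a rewritten log.
LOG_KEY = b"placeholder-log-integrity-key"
GENESIS = "0" * 64  # prev_hash of the first entry


@dataclass
class Entry:
    seq: int          # position in the log; detects deletion and reordering
    author: str       # who made the change (constructed user ids below)
    ts: str           # constructed timestamp; use a trusted clock in practice
    record_id: str    # e.g. a room or booking identifier
    before: dict      # state of the record before the change
    after: dict       # state of the record after the change
    prev_hash: str    # MAC of the previous entry (chain link)
    mac: str = ""     # HMAC-SHA256 over all fields above


def canonical(entry: Entry) -> bytes:
    """Deterministic serialization of every field except the MAC itself."""
    payload = {k: v for k, v in entry.__dict__.items() if k != "mac"}
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def compute_mac(entry: Entry, key: bytes = LOG_KEY) -> str:
    return hmac.new(key, canonical(entry), hashlib.sha256).hexdigest()


class EvidenceLog:
    """Append-only log; each entry's MAC covers its content and the previous MAC."""

    def __init__(self) -> None:
        self.entries: List[Entry] = []

    def append(self, author: str, ts: str, record_id: str,
               before: dict, after: dict) -> Entry:
        prev = self.entries[-1].mac if self.entries else GENESIS
        entry = Entry(len(self.entries), author, ts, record_id, before, after, prev)
        entry.mac = compute_mac(entry)
        self.entries.append(entry)
        return entry

    def verify(self, key: bytes = LOG_KEY) -> Tuple[bool, Optional[int]]:
        """Return (ok, seq of first bad entry). Catches edits, deletions, reordering."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if entry.seq != i or entry.prev_hash != prev:
                return False, i
            if not hmac.compare_digest(entry.mac, compute_mac(entry, key)):
                return False, i
            prev = entry.mac
        return True, None

    def history(self, record_id: str) -> List[Entry]:
        """All attributed changes to one record, in order."""
        return [e for e in self.entries if e.record_id == record_id]


def build_sample_log() -> EvidenceLog:
    """Constructed sample: front desk books a room, a manager then lowers the rate."""
    log = EvidenceLog()
    log.append("frontdesk01", "2005-08-01T10:00:00", "room-204",
               {}, {"guest": "A. Guest", "rate": 4500})
    log.append("manager07", "2005-08-01T18:30:00", "room-204",
               {"guest": "A. Guest", "rate": 4500},
               {"guest": "A. Guest", "rate": 3000})
    return log


def tamper_and_detect() -> Optional[int]:
    """Simulate an after-the-fact rewrite of the rate; return the flagged seq."""
    log = build_sample_log()
    log.entries[1].after["rate"] = 4500   # attempt to hide the under-accounting
    ok, bad = log.verify()
    return None if ok else bad


if __name__ == "__main__":
    sample = build_sample_log()
    print("intact log verifies:", sample.verify())
    print("tampered entry flagged at seq:", tamper_and_detect())
    for e in sample.history("room-204"):
        print(e.seq, e.author, e.ts, e.before, "->", e.after)
```

Because each MAC includes the previous one, an auditor who periodically records the latest MAC (for example in a signed daily closing report) can later prove that everything up to that point is unchanged; the `history()` view is what gives the management the per-author trail the Andhra Pradesh case lacked.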

Scope of CyLawCom-Hotel

CyLawCom-Hotel is the product which combines ISO 27001 compatible IT Security, the "Cyber Crime Prevention Precautions" (CCPP) envisaged under ITA-2000 and the CECS developed by Cyber Law College, a division of Ujvala Consultants Pvt Ltd. The product is being structured for the first time in India.

The "Cyber Crime Prevention Precaution" (CCPP) component includes:

a) Creating Awareness of Cyber Laws amongst the users

b) Generating Alerts and Disclaimers necessary to reduce the organizational risk factor

c) Use of appropriate system based processes aimed at preventing the occurrence of known violations of law.

The CECS component of CyLawCom-Hotel consists of:

a) Examining the access controls from the CECS perspective

b) Examining the system of creation, storage and transmission of electronic documents in the Hotel

c) Examining the use of encryption and digital signature systems for document security and authentication.

d) Examining DRP and BCP from the CECS perspective

e) Examining the network abuse monitoring mechanism from the CECS perspective.

f) Examining media control and mobile data handling devices from the CECS perspective

g) Examining the auditing of transactions under Forensic principles.

h) Examining any other computer process that may have an impact on the information under the control of the Company.

The CECS levels are presently divided into 5 levels of desired attainment, graded as follows:

Level 1: Non-existent controls

Level 2: Preliminary levels of controls

Level 3: Satisfactory controls over part of the systems but not over the entire system for present requirements.

Level 4: Satisfactory controls over the entire system for present requirements.

Level 5: Satisfactory controls over the entire system with adequate control over planning and design affecting future requirements.


Disclaimer:

The CyLawCom Audit process takes adequate care of the expectations of Regulatory and Law Enforcement Agencies in the Indian scenario on a dynamic basis. However, it must be recognized that the CyLawCom Audit process is a voluntary Cyber Law Compliance measure and does not create an obligation on the Regulatory Agencies, the Law Enforcement or the Judiciary to accept it, with or without reservations. Further, the audit and certification are a reflection of the status as at a point of time and cannot guarantee continued compliance between two points of reference time. Neither the Auditors nor the Certifiers are liable for any consequences in the event of the process falling short of Policing or Judicial expectations.

Naavi

Dated: August 20, 2005
