CyLawCom Audit for R & D Divisions

A CyLawCom Audit is an audit of an entity's business process with the objective of identifying the Cyber Law related risks of the business. The audit is normally followed by a recommendation on actions to be taken to bring the Cyber Law Compliance level to an acceptable level.

 CyLawCom audit is typically undertaken in two phases. The “CyLawCom Risk Audit” phase is the phase in which the risks are identified and a “Risk Assessment Report” is made available to the management of the organization.

The “CyLawCom Compliance Audit” is the phase in which the organization’s “Cyber Law Risk Compliance Measures”, based on an earlier “Risk Audit”, are evaluated and a “Compliance Certificate” is issued by the audit agency to a “CyLawCom Certifying Agency”.

 CyLawCom Audit process has been developed by Cyber Law College and is undertaken through professionals trained in “Techno Legal Cyber Security Aspects”, referred to as “CyLawCom Examiners”. Cyber Law College enrolls qualified professionals as “Provisional CyLawCom Examiners” to whom necessary training is administered to undertake such audits. Additionally, “Certified CyLawCom Examiners” are being developed through a competitive qualification examination.


The frequent incidents of IPR theft from R & D Divisions of both IT and non-IT companies have created an urgent need for Companies to make an appropriate assessment of the data security requirements of their R & D divisions and to protect the IPR from the stage of initial development through its creation, registration and subsequent use.

Last year, in a case reported from Chennai, a leading BPO saw one of its employees leave the company and join a competitor in Bangalore. While doing so, he carried with him proprietary software developed by the Company, which had created a unique marketing edge for the company.

A few months back, a leading manufacturing company in Chennai also found one of its senior employees in the R & D division leaving the Company and starting a rival unit, allegedly using product designs developed in the R & D lab.

In the light of the frequent occurrence of such incidents, it has become a matter of "Due Diligence" for R & D Units to initiate appropriate Risk Mitigation efforts to protect their interests.

When an R & D Department works in a Cyber environment where multiple workers work on a computer network and collaborate to develop a product, there are several issues concerning IT Security and the implications of Cyber Laws such as ITA-2000 which need to be factored into the risk mitigation strategy.

The CyLawCom process therefore addresses IPR Risk Mitigation as an “IT Process Security” issue. It addresses the issue by

a)      Providing a reasonable level of technical security to protect the data from loss supported by an effective Disaster Recovery and Business Continuity Plan

b)      Creating a Cyber Evidence Capture System (CECS) that ensures that every critical electronic document is accounted for against its author and tracked for all modifications in a manner which the prevailing laws (ITA-2000 in India) recognize as judicially non-repudiable.

While IT Security standards such as BS 7799/ISO 17799 are used as guidelines for providing the “Technical Security” for the IT system that manages the R & D division, the CECS system takes security to the “Techno Legal Security Level” under the guidelines pioneered by Cyber Law College promoted by Naavi.

Scope of CyLawCom – R & D

CyLawCom – R & D is the product which combines the BS 7799 compatible IT Security and the CECS developed by Cyber Law College, a division of Ujvala Consultants Pvt Ltd. The product is being structured for the first time in India.

The CECS component of the CyLawCom R & D consists of

a)      Examining the access controls from CECS perspective

b)      Examining the system of creation, storage and transmission of electronic documents in the R & D division.

c)      Examining the use of encryption and digital signature systems for document security and authentication.

d)      Examining DRP and BCP from CECS perspective

e)      Examining the network abuse monitoring mechanism from the CECS perspective.

f)      Examining media control and mobile data handling devices from CECS perspective

g)      Examining auditing of transactions under the Forensic principles.

h)      Examining any other computer process that may have an impact on the information under the control of the Company.

The CECS levels are presently divided into 5 levels of desired attainment, graded as follows:

Level 1: Non-existence of CECS controls

Level 2: Preliminary levels of CECS controls

Level 3: Satisfactory controls over part of the systems but not over the entire system for present requirements.

Level 4: Satisfactory controls over the entire system for present requirements.

Level 5: Satisfactory controls over the entire system with adequate control over planning and design affecting future requirements.


Disclaimer: 

The CyLawCom Audit process takes adequate care of the expectations of Regulatory and Law Enforcement Agencies in the Indian scenario on a dynamic basis. However, it must be recognized that the CyLawCom Audit process is a voluntary Cyber Law Compliance process and does not create an obligation on the Regulatory Agencies, the Law Enforcement or the Judiciary to accept it with or without reservations. Further, the audit and certification may be a reflection of the status as at a point of time and cannot guarantee continued compliance between two points of reference times. Neither the Auditors nor the Certifiers are liable for any consequences in the event of the process falling short of Policing or Judicial expectations.

Naavi

Dated: June 19, 2005
