
SECURITY POLICY

A security policy is a strategy for how your company will implement Information Security
principles and technologies. An information security policy is the documentation of organizational-
level decisions on safeguarding information. It is essentially a business plan that applies only to the
Information Security aspects of a business. A security policy is different from security processes
and procedures, in that a policy will provide both high level and specific guidelines on how your
company is to protect its data, but will not specify exactly how that is to be accomplished. A
security policy is technology and vendor independent – its intent is to set policy only, which you
can then implement in any manner that accomplishes the specified goals.

A security policy must specifically accomplish three objectives:

1) It must allow for the confidentiality and privacy of your company’s information.
2) It must provide protection for the integrity of your company’s information.
3) It must provide for the availability of your company’s information.

A security policy should have, at minimum, the following sections.

1. Overview: Provides background information on the issue that the policy will address.
2. Purpose: Specifies why the policy is needed.
3. Scope: Lays out exactly who and what the policy covers.
4. Target Audience: Advises for whom the policy is intended.
5. Policies: This is the main section of the document, and provides statements on each aspect of
the policy. For example, an Acceptable Use Policy might have individual policy statements
relating to Internet use, email use, software installation, and network access from home
computers, etc.
6. Definitions: For clarity, any technical terms should be defined.
7. Version: To ensure consistent use and application of the policy, include a version number
that is changed to reflect any changes/updates to the policy.

Security policies should be concise and as brief as possible while still fulfilling their purpose.

Why is a Security Policy Necessary?

1. It is generally impossible to accomplish a complex task without a detailed plan for doing so.
A security policy is that plan, and provides for the consistent application of security
principles throughout your company. After implementation, it becomes a reference guide
when matters of security arise.
2. A security policy indicates senior management’s commitment to maintaining a secure
network, which allows the IT Staff to do a more effective job of securing the company’s
information assets.
3. Ultimately, a security policy will reduce your risk of a damaging security incident. And in
the event of a security incident, certain policies, such as an Incident Response Policy, may
limit your company’s exposure and reduce the scope of the incident.
4. A security policy can provide legal protection to your company. By specifying to your users
exactly how they can and cannot use the network, how they should treat confidential
information, and the proper use of encryption, you are reducing your liability and exposure
in the event of an incident.
5. Further, a security policy provides a written record of your company’s policies if there is
ever a question about what is and is not an approved act.
6. Security policies are often required by third parties that do business with your company as
part of their due diligence process. Some examples of these might be auditors, customers,
partners, and investors. Companies that do business with your company, particularly those
that will be sharing confidential data or connectivity to electronic systems, will be concerned
about your security policy.
7. Lastly, one of the most common reasons why companies create security policies today is to
fulfill regulations and meet standards that relate to security of digital information.

Types of Policies
Different companies will need different policies for effective security management. Below is a list
of standard policies that would make up an organization’s security policy. Some companies may
need all these policies, while others need only a handful. That said, certain policies can reasonably
be considered “essential” to security management and are applicable to almost every company. These
are denoted below with an asterisk.

1. Acceptable Use Policy*
2. Authentication Policy*
3. Backup Policy*
4. Confidential Data Policy*
5. Data Classification Policy
6. Encryption Policy
7. Email Policy
8. Guest Access Policy
9. Incident Response Policy*
10. Mobile Device Policy
11. Network Access Policy*
12. Network Security Policy*
13. Outsourcing Policy
14. Password Policy*
15. Physical Security Policy
16. Remote Access Policy

Guidelines of Policy Content
When developing content, many go about creating a policy exactly the wrong way. The goal is not
to create hundreds of pages of impressive-looking information, but rather to create an actionable
security plan. The following guidelines apply to the content of successful IT security policies.

• A security policy should be no longer than is absolutely necessary.
• A security policy should be written in “plain English,” even though, by nature, technical topics
will be covered.
• A security policy must be consistent with applicable laws and regulations.
• A security policy should be reasonable.
• A security policy must be enforceable.

INFORMATION SECURITY STANDARD
While information security plays an important role in protecting the data and assets of an
organization, we often hear news about security incidents, such as defacement of websites, server
hacking and data leakage. Organizations need to be fully aware of the need to devote more
resources to the protection of information assets, and information security must become a top
concern in both government and business. To address the situation, a number of governments and
organizations have set up benchmarks, standards and in some cases, legal regulations on
information security to help ensure an adequate level of security is maintained, resources are used
in the right way, and the best security practices are adopted. Some industries, such as banking, are
regulated, and the guidelines or best practices put together as part of those regulations often
become a de facto standard among members of these industries.

ISO STANDARDS

The International Organisation for Standardisation (ISO), established in 1947, is a
nongovernmental international body that collaborates with the International Electrotechnical
Commission (IEC) and the International Telecommunication Union (ITU) on information and
communications technology (ICT) standards. The following are commonly referenced ISO
security standards:

1. ISO/IEC 27002:2005 (Code of Practice for Information Security Management)

It refers to a code of practice for information security management, and is intended as a common
basis and practical guideline for developing organizational security standards and effective
management practices. This standard contains guidelines and best practices recommendations for
these security domains: (a) security policy; (b) organization of information security; (c) asset
management; (d) human resources security; (e) physical and environmental security; (f)
communications and operations management; (g) access control; (h) information systems
acquisition, development and maintenance; (i) information security incident management; (j)
business continuity management; and (k) compliance.

2. ISO/IEC 27001:2005 (Information Security Management System -Requirements)

It specifies the requirements for establishing, implementing, operating, monitoring, reviewing,
maintaining and improving a documented Information Security Management System (ISMS)
within an organization. It is designed to ensure the selection of adequate and proportionate security
controls to protect information assets. This standard is usually applicable to all types of
organizations, including business enterprises, government agencies, and so on.

The standard introduces a cyclic model known as the “Plan-Do-Check-Act” (PDCA) model that
aims to establish, implement, monitor and improve the effectiveness of an organization’s ISMS.
The PDCA cycle has these four phases:
a) “Plan” phase – establishing the ISMS
b) “Do” phase – implementing and operating the ISMS
c) “Check” phase – monitoring and reviewing the ISMS
d) “Act” phase – maintaining and improving the ISMS

3. ISO/IEC 15408 (Evaluation Criteria for IT Security)

The international standard ISO/IEC 15408 is commonly known as the “Common Criteria” (CC). It
consists of three parts:

a) ISO/IEC 15408-1:2005 (introduction and general model)
b) ISO/IEC 15408-2:2005 (security functional requirements)
c) ISO/IEC 15408-3:2005 (security assurance requirements).

This standard helps evaluate, validate, and certify the security assurance of a technology product
against a number of factors, such as the security functional requirements specified in the standard.

Hardware and software can be evaluated against CC requirements in accredited testing laboratories
to certify the exact EAL (Evaluation Assurance Level) the product or system can attain.

4. ISO/IEC 13335 (IT Security Management)

ISO/IEC 13335 was initially a Technical Report (TR) before becoming a full ISO/IEC standard. It
consists of a series of guidelines for technical security control measures:

a) ISO/IEC 13335-1:2004 documents the concepts and models for information and
communications technology security management.

b) ISO/IEC TR 13335-3:1998 documents the techniques for the management of IT security.

c) ISO/IEC TR 13335-4:2000 covers the selection of safeguards (i.e. technical security controls).

d) ISO/IEC TR 13335-5:2001 covers management guidance on network security.

IT ACT
The Information Technology Act 2000 (also known as ITA-2000, or the IT Act) is an Act of
the Indian Parliament (No 21 of 2000) notified on October 17, 2000. It is meant to provide legal
recognition for transactions carried out by means of electronic data interchange (EDI) and other
means of electronic communication, commonly referred to as ‘e-commerce’.

Cyber laws are contained in the IT Act, 2000. This Act aims to provide the legal infrastructure for
e-commerce in India, and the cyber laws have a major impact on e-businesses and the new
economy in India.

The Act states that unless otherwise agreed, an acceptance of contract may be expressed by
electronic means of communication and the same shall have legal validity and enforceability.
Information technology Act 2000 consisted of 94 sections segregated into 13 chapters. Four
schedules form part of the Act. In the 2008 version of the Act, there are 124 sections (excluding 5
sections that have been omitted from the earlier version) and 14 chapters. Schedule I and II have
been replaced. Schedules III and IV are deleted.
Information Technology Act 2000 addressed the following issues:

1. Legal recognition of electronic documents
2. Legal recognition of digital signatures
3. Offenses and contraventions
4. Justice dispensation systems for cybercrimes

Objectives of the IT Act, 2000

(a) To grant legal recognition for transactions carried out by means of Electronic Data
Interchange and other means of electronic communication commonly referred to as
“electronic commerce” in place of paper-based methods of communication.
(b) To give legal recognition to Digital Signature for authentication of any information or matter
which requires authentication under any law
(c) To facilitate electronic filing of documents with Government departments
(d) To facilitate electronic storage of data.
(e) To facilitate and give legal sanction to electronic fund transfers between banks and financial
institutions.
(f) To give legal recognition for keeping books of account by Bankers in electronic form.
(g) Certifying authorities will be licensed to issue digital signature certificates, and a regulatory
regime will be established to supervise the certifying authorities, who will not themselves be
a part of the bureaucracy.

Some highlights of the Act are listed below:

Chapter 1: Preliminary---It deals with important definitions of the terms used in the regulation.

Chapter 2: Digital Signature and Electronic Signature---It covers regulations regarding digital
signature. It specifically stipulates that any subscriber may authenticate an electronic record by
affixing his digital signature.

Chapter 3: Electronic Governance---It legalizes the use of electronic records in government
organizations and establishments.

Chapter 4: Attribution Acknowledgment and Dispatch of Electronic Records---It gives a
scheme for Regulation of Certifying Authorities and it further details the various provisions for the
issue of license to issue Digital Signature Certificates.

Chapter 5: Secure Electronic Records and Secure Electronic Signatures--- It establishes the
rules and regulations related to the electronic gazettes.

Chapter 6: Regulation of Certifying Authorities

Chapter 7: Electronic Signature Certificates--- It details about the scheme of things relating to
Digital Signature Certificates.
Chapter 8: Duties of Subscribers--- The duties of subscribers are also enshrined in the said Act.

Chapter 9: Penalties Compensation and Adjudication--- The penalties for damage to computers,
computer systems etc. have been fixed as damages by way of compensation not exceeding Rs.
1,00,00,000 to affected persons.

Chapter 10: The Cyber Appellate Tribunal--- It talks of the establishment of the Cyber
Regulations Appellate Tribunal (CRAT), which shall be an appellate body where appeals against
the orders passed by the Adjudicating Officers, shall be preferred.

Chapter 11: Offences--- It talks about various offences and the said offences shall be investigated
only by a Police Officer not below the rank of the Deputy Superintendent of Police. These offences
include tampering with computer source documents, publishing of information, which is obscene
in electronic form, and hacking.

Chapter 12: Intermediaries Not To Be Liable in Certain Cases--- It explains that ‘network
service provider’ means an intermediary, and defines ‘third-party information’.

Chapter 13: Miscellaneous--- It deals with miscellaneous topics such as the power of police officers
and other officers to enter, search, etc.

Intellectual Property Rights (IPR)

Intellectual property rights are the rights given to a person or an organization for their intellectual
activity, i.e. over the creations of their minds. They usually give the creator an exclusive right over
the use of his/her creation for a certain period of time. Thus, Intellectual Property Rights are legal
rights, which result from intellectual activity in industrial, scientific, literary and artistic fields.
Intellectual property is the product of the human intellect, including creative concepts, inventions,
industrial models, trademarks, songs, literature, symbols, names, brands, etc. It refers to intangible
property that has been created by individuals and corporations for their own benefit or usage. It is
created through human intelligence and mental effort.
Intellectual Property Rights do not differ from other property rights. They allow the rights owner to
completely benefit from his product which was initially an idea that developed and crystallized.
They also give him the right to prevent others from using, dealing or tampering with his product
without prior permission from him. He can in fact legally sue them and force them to stop and
compensate for any damages.

Benefits of IPR are to:


IPR is divided into seven main branches under the TRIPS (Trade-Related Aspects of Intellectual
Property Rights) agreement. These branches are:

PATENT:
A patent is an exclusive right granted for an invention, which is a product or a process that
provides a new way of doing something, or offers a new technical solution to a problem. A
patent is a government-issued right granted to individuals or groups that protects their original
inventions from being made, used, or sold by others without their permission for a set period of
time. Basically, a patent is a legal monopoly, which is granted for a limited time by a country to
the owner of an invention. A patent is a limited property right the government gives inventors in
exchange for their agreement to share details of their inventions with the public. The patent, in the
eyes of the law, is a property right and it can be given away, inherited, sold, licensed and can even
be abandoned. A patent provides the right to exclude others from making, using, selling, offering
for sale, or importing the patented invention for the term of the patent, which is usually 20 years
from the filing date, subject to the payment of maintenance fees. In order to be recognized as a
patent, the invention should meet certain criteria: it should be new and inventive, and it should be
functional and useful or could be applied in the relevant organizations. Like any other
property right, it may be sold, licensed, mortgaged, assigned or transferred, given away, or simply
abandoned. There are three types of patents: utility patents, design patents and plant patents.

COPYRIGHT:
Copyright is a legal concept, enacted by most governments, giving the creator of original work
exclusive rights to it, usually for a limited time. Generally, it is "the right to copy", but also gives
the copyright holder the right to be credited for the work, to determine who may adapt the work to
other forms, who may perform the work, who may financially benefit from it, and other related
rights. It is a form of intellectual property (like the patent, the trademark) applicable to any
expressible form of an idea or information that is substantive and discrete.
Copyright initially was conceived as a way for government to restrict printing; the contemporary
intent of copyright is to promote the creation of new works by giving authors control of and profit
from them. Typically, the duration of copyright is the whole life of the creator plus fifty to a
hundred years from the creator's death, or a finite period for anonymous or corporate creations.
It can also be defined as follows: “As a copyright holder, you have the exclusive right to reproduce or make
copies of a creative work. You can also distribute or sell copies; make a derivative work (for
example, turn a novel into a movie); and perform or display the work publicly”.
Copyrightable Material includes:
• creative works---literature, art and music
• artistic creations---books, music, paintings and sculptures, films
• technology-based works---computer programs and electronic databases
A copyright owner has the following rights in his original work:
• To replicate the work.
• To organize derived works.
• To advertise, sell, lend, distribute copies or even transfer ownership.
• To present the work publicly.
• To exhibit the copyrighted work publicly.
There are four main forms of remedies in the event that copyright infringement takes place:
1. An injunction to stop the production of further copies.
2. A demand that all copies are surrendered to the copyright owner.
3. Damages for losses suffered by the copyright owner.
4. An account of profits made by the infringer.

TRADEMARK:
Trademarks are distinctive signs, symbols, or indicators used by an individual or an organization
to identify particular goods or services, indicate their source, and differentiate them from the goods
or services of other individuals or organizations.
A trademark is a recognizable sign, design or expression which identifies products or services of a
particular source from those of others. It could be a combination of words, expressions, symbols,
emblems, designs, images or devices. The trademark owner can be an individual, business
organization, or any legal entity. A trademark may be located on a package, a label, a voucher or
on the product itself. For the sake of corporate identity, trademarks are also displayed on
company buildings. Trademarks are used to claim exclusive properties of products or services.
The usage of trademarks by its owner can cause legal issues if this usage makes them guilty
of false advertising or if the trademark is offensive. A trademark provides protection to the owner
of the mark by ensuring the exclusive right to use it to identify goods or services, or to authorize
another to use it in return for payment. The period of protection varies, but a trademark can be
renewed indefinitely beyond the time limit on payment of additional fees. Trademark protection is
enforced by the courts, which in most systems have the authority to block trademark infringement.
The trademarks agreement provides that the initial registration, and each renewal of registration,
shall be for a period of not less than 7 years, and the registration can be renewed indefinitely.
PATENT LAW
Patent law governs the "right to exclude others from making, using or selling an invention or
products made by an invented process that is granted to an inventor" for a period of time. Patents
are not granted if the invention or product is obvious or known or used by others.

The fundamental principle of patent law is that the patent is granted only for an invention i.e. new
and useful having novelty and utility.
• The grant of a patent thus becomes a form of industrial property, also called intellectual
property.
• The term “patent” has its origin in the term “Letters patent”.
• The expression “Letters patent” meant an open letter; these were instruments under the great seal of
the King of England, addressed by the Crown.
• Patents are a type of intellectual property right that grant the owner the right to exclude
others from making, using, offering for sale or selling the invention in the United States.
• Patents are generally concerned with functional and technical aspects of products and
processes and must fulfill specific conditions to be granted.
• Most patents are for incremental improvements in known technology - evolution rather than
revolution. The technology does not have to be complex.
• Patent rights are territorial; an Indian patent does not give rights outside of India.
• Patent rights last for up to 20 years in India and in most countries outside India.
• Depending on where you wish your patent to be in effect, you must apply to the appropriate
body. In India, this is the Indian Patent Office. There are various patent offices around the
world. Alternatively, a patent agent can apply on your behalf.

REQUIREMENTS OF PATENT LAW:

The invention must be useful, novel (new), and non-obvious. If so, the inventor is entitled to patent
protection, and the government is obliged to give it. Patent protection excludes all others except the
patent holder from making, using, selling or offering to sell the patented invention. However, if
another patented invention is used in the actual physical creation of the new invention, the
patent owner may have to obtain certain rights from the first patent holder.
ADVANTAGES OF PATENT LAW:
Some of the more obvious advantages of patent law are that the patent owner holds the exclusive right
to the invention and that others must pay either a license fee or obtain some other type of right to
produce or manufacture the patented item. Additionally a company may invent something that is
not necessarily useful to the company’s overall goals at the time, and then they would have to
decide whether the lengthy and sometimes expensive patent application process is in their best
interest.

COPYRIGHT LAW
The Copyright Act, established in 1976, is located in Title 17 of the U.S. Code, from sections 101
through 122. Copyright refers to laws that regulate the use of the work of a creator, such as an artist
or author. This includes copying, distributing, altering and displaying creative, literary and other
types of work. Unless otherwise stated in a contract, the author or creator of a work retains the
copyright.
Copyright protects original works of authorship fixed in any tangible medium of expression, now
known or later developed, from which they can be perceived, reproduced, or otherwise
communicated, either directly or with the aid of a machine or device.
It defines the following as some examples of original works of authorship:
• literary works;
• musical works, including any accompanying words;
• dramatic works, including any accompanying music;
• pantomimes and choreographic works;
• pictorial, graphic, and sculptural works;
• motion pictures and other audiovisual works;
• sound recordings;
• architectural works.
Copyright laws fully apply to virtually anything that is produced in digital form or published on the
Internet. In today’s dynamic electronic environment, copyright laws are no longer limited to the
traditional works of authorship.

CYBER LAW
Cyber Law is the law governing cyber space. Cyber space is a very wide term and includes
computers, networks, software, data storage devices (such as hard disks, USB disks etc), the
Internet, websites, emails and even electronic devices such as cell phones, ATM machines etc.

Cyber law or Internet law is a term that encapsulates the legal issues related to use of the Internet.
It is less a distinct field of law than intellectual property or contract law, as it is a domain covering
many areas of law and regulation. Some leading topics include internet access and
usage, privacy, freedom of expression, and jurisdiction.

Law encompasses the rules of conduct:

1. that have been approved by the government, and
2. which are in force over a certain territory, and
3. which must be obeyed by all persons on that territory.

Cyber laws in India: The primary source of cyber law in India is the Information Technology Act,
2000 (IT Act), which came into force on 17 October 2000. The primary purpose of the Act is to
provide legal recognition to electronic commerce and to facilitate filing of electronic records with
the Government. The IT Act also penalizes various cyber crimes and provides strict punishments
(imprisonment terms up to 10 years and compensation up to Rs 1 crore).
Advantages of cyber laws:

Information Technology is reaching into all aspects of life across the world. It has brought the
transition from paper to the paperless world. With the increasing usage of the internet in the world,
criminals are also increasing in the field of information technology. Cyber criminals are able to
use software by creating it themselves and manipulating it for their own benefit. This is
happening only because of the simplicity of such crimes.
In order to maintain harmony and co-existence of people in cyberspace, there is a need for a
legal regime known as cyber law.
• The coming of the internet.
• Complex legal issues arising, leading to the development of cyber laws.
• Different approaches for controlling, regulating and facilitating electronic communication and
commerce.
• The Internet requires an enabling and supportive legal infrastructure in tune with the times.
• Ecommerce, the biggest future of the internet, can only be possible if we have the required legal
infrastructure in place to complement its growth.
• Since cyber law touches almost all aspects of transactions and activities concerning the internet, the
WWW and cyberspace, cyber laws are extremely important.
• As such, the coming of the internet led to the emergence of numerous ticklish legal issues and
problems which necessitated the enactment of cyber law.

With the advent of Computers as a basic tool of Communication, Information Processing,
Information Storage, Physical Devices Control, etc., a whole new Cyber Society has come into
existence. This Cyber society operates on a virtual world created by Technology and it is the
“Cyber Space Engineering” that drives this world. In maintaining harmony and co-existence of
people in this Cyber Space, there is a need for a legal regime which is what we recognize as
“Cyber laws”. Cyber Laws are the basic laws of a Society and hence have implications on every
aspect of the Cyber Society such as Governance, Business, Crimes, Entertainment, Information
Delivery, Education etc.

CYBER CRIMES
Computer crimes are called by different names, like cyber crime, e-crime or electronic crime. The
term refers to any crime that involves a computer and a network, where the computer may or may not
have played an important role in the commission of the crime. Computer crimes include a large
range of potentially illegal actions. However, cyber crimes can be categorized into either of the
following categories:
1. Crimes that are aimed at computer networks or devices directly.
2. Crimes assisted by computer networks or devices, where the primary target of the crime is
independent of the computer network or device.
TYPES OF CYBER CRIMES:

SOFTWARE LICENSE
A software license is a legal instrument (usually by way of contract law, with or without printed
material) governing the use or redistribution of software. Under United States copyright law
all software is copyright protected, except material in the public domain. A typical software license
grants an end-user permission to use one or more copies of software in ways where such a use
would otherwise potentially constitute copyright infringement of the software owner's exclusive
rights under copyright law.
In addition to granting rights and imposing restrictions on the use of software, software licenses
typically contain provisions which allocate liability and responsibility between the parties entering
into the license agreement. In enterprise and commercial software transactions these terms often
include limitations of liability, warranties and warranty disclaimers, and indemnity if the software
infringes intellectual property rights of others.
Software licenses generally fall into the following categories: proprietary licenses and free
and open source licenses.
SEMICONDUCTOR LAW
