Assignment Code: MSE-024/TMA/2022

Course Code: MSE-024

Assignment Name: Policy, Standards and Laws

Year: 2022

Verification Status: Verified by Professor

Q1) Imagine you are working with information security department of your company, and you are required to provide suggestions to develop information security policy for your company.

Ans) An information security policy is a set of rules that a company follows to keep its important information safe and secure. The policy helps protect confidential data such as personal information, financial records, and trade secrets from theft, damage, or unauthorized access. The steps to create an information security policy in simple terms:

1. Define the Scope and Purpose of the Policy: Before developing the policy, it's important to define the scope and purpose of the policy. This will help ensure that the policy is focused and relevant to your company's specific needs. Consider the types of information that need to be protected, the potential risks and threats, and the specific goals and objectives of the policy.

2. Identify Key Stakeholders and Responsibilities: It's important to identify the key stakeholders who will be involved in implementing the policy, as well as their specific responsibilities. This may include IT staff, security professionals, HR, legal, and other relevant departments. It's also important to define the responsibilities of individual employees with respect to information security.

3. Establish Policies and Procedures: The policy should outline specific policies and procedures for protecting company information. This may include password policies, data backup and recovery procedures, network security measures, and other relevant policies.

4. Provide Training and Awareness: It's important to provide training and awareness programs to ensure that all employees understand the policies and procedures and their responsibilities with respect to information security.

5. Establish Incident Response Procedures: The policy should outline the procedures for responding to security incidents, such as data breaches or other security incidents. This should include procedures for identifying and containing the incident, notifying relevant stakeholders, and investigating.

6. Conduct Regular Audits and Assessments: Regular audits and assessments of the information security policy and procedures can help identify potential weaknesses or gaps in the policy and ensure that the policy remains up-to-date and effective.

7. Review and Update the Policy: Finally, the policy should be reviewed and updated regularly to ensure that it remains relevant and effective. This may include updating policies and procedures, adding new technologies or services, or responding to changes in the security threat landscape.

Q2) Write the limitations or drawbacks in the amendments to the Information Technology. Elaborate on the liability of intermediaries under the amended Information Technology Act.

Ans) The Information Technology (Amendment) Act, 2008 is an update to the original Information Technology Act, 2000. While the amendments brought about some positive changes and improvements, there are also some limitations and drawbacks to the amended Act. One of the key areas of concern is the liability of intermediaries under the amended Information Technology Act.

The amended Act provides for the liability of intermediaries, which include internet service providers, search engines, social media platforms, and other online platforms. Under the amended Act, intermediaries can be held liable for any content that is deemed to be illegal, harmful, or offensive, even if they are not the originators of the content. This means that intermediaries can be held liable for content that is posted by users of their platform.

While this provision is intended to help protect against illegal and harmful content online, it can also have some negative consequences. For one, intermediaries may be inclined to remove or block content that is potentially risky or controversial, even if it is not actually illegal. This could lead to censorship and a restriction of free speech online.

Furthermore, the provision can be difficult to enforce, as it is often difficult to determine whether content is illegal or harmful. This can create a burden on intermediaries to monitor and police content on their platforms, which can be expensive and time-consuming.

In addition, the provision can be unfair to intermediaries who may not have the resources or expertise to monitor and remove content effectively. Small and medium-sized businesses may be particularly vulnerable, as they may not have the same level of resources as larger companies to comply with the provisions of the amended Act.

In conclusion, while the amended Information Technology Act has brought about some important improvements and protections, there are also some limitations and drawbacks. The liability of intermediaries under the Act can be difficult to enforce and may create a burden on intermediaries to monitor and police content on their platforms. It can also be unfair to smaller businesses who may not have the same resources as larger companies. As such, it is important for policymakers to continue to evaluate and refine the provisions of the amended Act to ensure that they strike the right balance between protecting against illegal and harmful content and protecting free speech and the interests of intermediaries.

Q3) Cybercrime spans not only state but national boundaries as well. Perhaps we should look to international organizations to provide a standard definition of the Cybercrime. Explain the definition of Cybercrime in detail.

Ans) Cybercrime is a type of criminal activity that involves the use of digital technologies, such as computers, networks, and the internet, to commit unlawful acts. The term "cybercrime" refers to a wide range of criminal activities that are carried out through electronic means, including hacking, identity theft, fraud, theft of intellectual property, cyberbullying, and more. Given the global and transnational nature of cybercrime, there is a need for a standard definition of the term.

Currently, there are several international organizations that have provided definitions of cybercrime. One such organization is the Council of Europe, which has defined cybercrime as "unlawful acts wherein the computer or electronic communication device is either a tool or a target or both."

The United Nations Office on Drugs and Crime has also provided a definition of cybercrime. According to the UNODC, cybercrime refers to "any illegal behavior directed by means of electronic operations that targets the security of computer systems and the data processed by them."

The common elements in both definitions are the use of electronic means to commit a criminal offense and the targeting of computer systems or electronic communication devices. The definition also encompasses a broad range of activities, from hacking and malware attacks to online fraud and theft of intellectual property.

One of the challenges in defining cybercrime is that the nature of the crime is constantly evolving. As new technologies and methods are developed, cybercriminals adapt their tactics and strategies to circumvent existing security measures. As a result, there is a need for ongoing updates and refinements to the definition of cybercrime to ensure that it remains relevant and effective in the face of new threats.

In conclusion, a standard definition of cybercrime is important to ensure that law enforcement agencies and policymakers can effectively address this growing threat. The definition should encompass a wide range of criminal activities carried out through electronic means and should be periodically updated to keep pace with evolving threats.