CyLawCom Certification Programme: Part 2

In the first part of this article, I briefly addressed the need for Cyber Law Compliance Assessment as part of the Software Quality Standardisation process. In this part I elaborate the general principles of assessment in the CyLawCom process and the reasoning behind them.

The main objective of CyLawCom Certification is to reduce the business risks to the software developer, both during the process of software development and thereafter, when the software is in use at the client's premises.

It must be remembered that the Customer often places the Software order on the developer with the proviso that the Customer is to be indemnified by the developer for any liability arising out of the use of the product.

Further, "Software" is an "Agent" as per the laws in force in many countries, and its actions, though automated, are attributable to whoever owns it for the time being. While certain configurations of the software are under the control of the user, the main functionality of the software is designed by the developer, and the developer should be responsible for the liabilities arising therefrom.

Let us try to identify some of the major liabilities that may be arising from the use of software.

1. IPR Violations:

It is possible that the software may have embedded functionalities on which Patent rights are held by third parties. It is also possible that the developer might have infringed the Copyright of others and embedded such works in the product. The consequences of such infringement would fall on the user in the first instance, and may be passed back to the developer through an indemnity in the software development contract.

As a result of the above, we can conclude either that the "Quality of the Output" is not up to the desired standard, or that the developer is saddled with unknown liabilities that may arise in future and affect his continuity in business.

The software developer has to therefore set in motion a process that identifies such IPR violation risks and ways and means to mitigate them.

This requires an "Awareness of the Risks" and the "Means to Manage" them.

2. Contractual Risks

Software products are meant to automate processes and, in doing so, take "Decisions" on behalf of humans. In this capacity they are recognized in law as "Agents". Any legal consequence arising out of the actions of the agent needs to be borne by the "Principal".

What constitutes "Decisions", "Offers or Invitation for Offer" or "Acceptance" for a contractual binding depends on several factors.

The software development process needs to take account of these risks and ensure that adequate compliance controls are built into the system.

This requires an "Awareness of the Risks", "Ability to understand the legal consequences of any automated process", and the "Means to Manage" them.

3. Privacy Violations:

In the context of the strict data protection norms followed by many countries, it is important that no software is designed in a way that fundamentally violates the accepted principles of Privacy protection.

The concept of what violates privacy, and the differing standards prevalent worldwide, make it necessary for a software development company to develop process controls that address these needs.

Again this requires the technology people to understand the prevailing laws of privacy before they can address them with the right solutions.

In any of the above three situations, liabilities can arise first on the user and then on the developer, which in financial terms would erode the profitability of the organization and eventually put the business at risk. Sometimes key employees may be prosecuted and jailed, causing loss of reputation and loss of manpower.

The CyLawCom process is designed to estimate such risks and help software developers and users tune their processes so that a Cyber Law Compliance environment is built into the basic business process.

The Process is mainly divided into Three Major Phases:

I. Creating Cyber Law Awareness to a desired degree with a desired minimum number of workers in the organization.

II. Ensuring that the Cyber Law Compliance principles are embedded into every business process in the Company.

III. Ensuring that Cyber Law Compliance principles become part of the business strategy of the Company.

In practical implementation terms, these three phases are further subdivided into three levels in Phase I and three levels in Phase II, with Phase III forming a single level, so that there are seven levels of attainment in all before an organization completes the programme.

The sub divisions are as follows:

I. Creating Cyber Law Awareness to a desired degree with a desired minimum number of workers in the organization.

Level 1: Awareness of the Fundamentals of Cyber Laws in a minimum of 90 % of staff.

Level 2: Awareness of the Application of Cyber Law to business processes in a minimum of 95 % of managerial staff.

Level 3: Awareness of the Absorption of Cyber Law into business strategy processes in 100 % of top management.

All the above three levels are attainable through appropriate training programmes and an exit evaluation.

II. Ensuring that the Cyber Law Compliance principles are embedded into every business process in the Company.

Level 1: Cyber Law Compliance in the Software Development Process

Level 2: Cyber Law Compliance in All Aspects of Business within the Company

Level 3: Cyber Law Compliance in the Software Products of the Company

III. Ensuring that Cyber Law Compliance principles become part of the business strategy of the Company.

The Certification Process would be supervised by a "CyLawCom Certifying Agency" authorized by Cyber Law College, which would document the process and substantiate the certification through a committee of not less than three persons, of which at least one must be an outside independent industry specialist.

The individual staff of the CyLawCom Certifying agency would be trained suitably by Cyber Law College and would be certified as "Authorized CyLawCom Examiners".

An action plan is being finalized by Cyber Law College for the implementation of the above programme. It is proposed that the e-Information Systems, Security and Audit Association (e-ISA), SIRC, would be one of the first CyLawCom certifying agencies.

Naavi

January 20, 2003

(Comments are Welcome)