In the first part of this article, I have briefly addressed the need for
Cyber Law Compliance Assessment as part of the Software Quality
Standardisation process. In this article I elaborate the general principles of
assessment in the CyLawCom process and a brief logic for the same.
The main objective of CyLawCom Certification is to reduce the business risks
to the software developer both during the process of software development and
thereafter when it is in use at the client's place.
It must be remembered that often the Customer places the Software order on the
developer with the proviso that he is to be indemnified for any liability
arising out of the use of the product.
Further, "Software" is an "Agent" as per the laws in force in many countries, and
its actions, though automated, are attributable to its owners for the time
being. While certain configurations of the software are under the control of
the user, the main functionality of the software is designed by the developer,
and he should be responsible for the liabilities arising therefrom.
Let us try to identify some of the major liabilities that may be arising from
the use of software.
1. IPR Violations:
It is possible that the software may have embedded functionalities on
which patent rights are held by third parties, or that the
developer might have infringed on the copyright of others and embedded such
works in the product. The consequences of such infringement would fall on the
user and could have been covered by an indemnity in the software development
contract.
As a result of the above, either we can conclude that the "Quality of the
Output" is not to the desirable standards or that the developer is saddled
with unknown liabilities that may arise in future and affect his continuity in
business.
The software developer has to therefore set in motion a process that
identifies such IPR violation risks and ways and means to mitigate them.
This requires an "Awareness of the Risks" and the "Means to Manage" them.
2. Contractual Risks
Software products are meant to automate processes and, in the process, take
"Decisions" on behalf of humans. In this capacity they are recognized in law
as "Agents". Any legal consequence arising out of the actions of the agent
needs to be borne by the "Principal".
What constitutes "Decisions", "Offers or Invitation for Offer" or "Acceptance"
for a contractual binding depends on several factors.
The software development process needs to understand these risks and ensure
that there are adequate compliancy factors built into the system.
This requires an "Awareness of the Risks", "Ability to understand the legal
consequences of any automated process", and the "Means to Manage" them.
3. Privacy Violations:
In the context of strict data protection norms followed by many countries, it
is important that no software is designed to fundamentally violate the
accepted principles of Privacy protection.
The concept of what violates privacy and the differing standards prevalent
worldwide make it necessary for a software development company to
develop process controls that address these needs.
Again, this requires the technology people to understand the prevailing laws of
privacy before they can address them with the right solutions.
In any of the above three situations, liabilities can arise first on the user
and then on the developer, which in financial terms would erode the
profitability of the organization and eventually put the business at
risk. Sometimes key employees may be prosecuted and jailed, causing reputation
loss and loss of manpower.
The CyLawCom process is designed to estimate such risks and help software
developers and users tune their processes so as to ensure that a Cyber Law
Compliance environment is built into the basic business process.
The Process is mainly divided into Three Major Phases:
I. Creating Cyber Law Awareness to a desired degree with a desired minimum
number of workers in the organization.
II. Ensuring that the Cyber Law Compliance principles are embedded into every
business process in the Company.
III. Ensuring that Cyber Law Compliance principles become part of the business
strategy of the Company.
In practical implementation terms these three phases are further subdivided
into three levels in Phase I and three levels in Phase II, so that there will be
a total of seven levels of attainment before an organization is through with the
programme.
The sub divisions are as follows:
I. Creating Cyber Law Awareness to a desired degree with a desired minimum
number of workers in the organization.
Level 1: Awareness of the Fundamentals of Cyber Laws in a minimum of 90 % of
staff
Level 2: Awareness on the Application of Cyber Law for business
processes in a minimum of 95 % of managerial staff.
Level 3: Awareness on the Absorption of Cyber Law in business strategy
process in a minimum of 100 % of top management.
All the above three levels are attainable through appropriate training
programmes and an exit evaluation.
II. Ensuring that the Cyber Law Compliance principles are embedded into every
business process in the Company.
Level 1: Cyber Law Compliance in the Software Development Process
Level 2: Cyber Law Compliance in All Aspects of Business within the Company
Level 3: Cyber Law Compliance in the Software Products of the Company
III. Ensuring that Cyber Law Compliance principles become part of the business
strategy of the Company.
The Certification Process would be supervised by a "CyLawCom Certifying
Agency" authorized by Cyber Law College which would document the process and
substantiate the certification by a committee of not less than three persons
of which at least one must be an outside independent industry specialist.
The individual staff of the CyLawCom Certifying agency would be trained
suitably by Cyber Law College and would be certified as "Authorized CyLawCom
Examiners".
An action plan is being finalized by Cyber Law College for the implementation
of the above programme. It is proposed that the e-Information Systems, Security
and Audit Association (e-ISA), SIRC would be one of the first CyLawCom
certifying agencies.
Naavi
January 20, 2003
(Comments are Welcome)