An information security policy (ISP) is a set of rules, policies and
procedures designed to ensure that all end users and networks within an
organization meet minimum IT security and data protection requirements.
ISPs should address all data, programs, systems, facilities, infrastructure,
authorized users, third parties and fourth parties of an organization.
What is the Purpose of an Information Security Policy?
An information security policy aims to enact protections and limit the
distribution of data to only those with authorized access. Organizations
create ISPs to:
• Establish a general approach to information security
• Document security measures and user access control policies
• Detect and minimize the impact of compromised information assets,
such as misuse of data, networks, mobile devices, computers and
applications
• Protect the reputation of the organization
• Comply with legal and regulatory requirements and recognized standards,
such as GDPR, HIPAA, FERPA and the NIST frameworks
• Protect their customers' data, such as credit card numbers
• Provide effective mechanisms to respond to complaints and queries
related to real or perceived cyber security risks such
as phishing, malware and ransomware
• Limit access to key information technology assets to those with an
approved, acceptable use
Note: The General Data Protection Regulation (GDPR) is one of the world's
toughest privacy and data protection laws, yet few organizations completely
comply with its statutes. The GDPR directly regulates the European Union (EU)
and the European Economic Area, but its framework has been adopted in many
important data privacy laws around the world.
Note: HIPAA's Standards for Privacy of Individually Identifiable Health
Information (the Privacy Rule) establish a set of US national standards for
the protection of patients' rights and certain health information.
Note: FERPA (the Family Educational Rights and Privacy Act) is a United
States federal law protecting the privacy of student education records, and
specifically governing which outside parties, such as employers, other
schools and foreign governments, may be given access to them.
Why is an Information Security Policy Important?
Creating an effective information security policy that meets all
compliance requirements is a critical step in preventing security incidents
like data leaks and data breaches.
ISPs are important for new and established organizations. Increasing
digitalization means every employee is generating data and a portion of that
data must be protected from unauthorized access. Depending on your
industry, it may even be protected by laws and regulations.
Sensitive data, personally identifiable information (PII), and intellectual
property must be protected to a higher standard than other data.
Whether you like it or not, information security (InfoSec) matters at
every level of your organization, and beyond it, wherever your data flows.
What are the Key Elements of an Information Security Policy?
An information security policy will typically have these nine key elements:
1. Purpose
• Preserve your organization's information security.
• Detect and preempt information security breaches caused by third-party
vendors, misuse of networks, data, applications, computer systems and
mobile devices.
• Protect the organization's reputation.
• Uphold ethical, legal and regulatory requirements.
• Protect customer data and respond to inquiries and complaints about
non-compliance with security requirements and data protection.
2. Audience
Define who the information security policy applies to and who it does not
apply to.
3. Information Security Objectives
Information security is concerned with the CIA triad:
• Confidentiality: data and information are protected from
unauthorized access
• Integrity: data is intact, complete and accurate, and unauthorized
changes are detected
• Availability: IT systems and data are available when needed
4. Authority and Access Control Policy
This part defines who has the authority to decide which data may be
shared, with whom, and what controls (such as role-based access) enforce
that decision.
5. Data Classification
An information security policy must classify data into categories. A good
way to classify the data is into five levels that dictate an increasing need for
protection:
Level 1: Public information
Level 2: Information your organization has chosen to keep
confidential, but whose disclosure would not cause material harm
Level 3: Information whose disclosure carries a risk of material harm to
individuals or your organization
Level 4: Information whose disclosure carries a high risk of serious harm
to individuals or your organization
Level 5: Information whose disclosure would cause severe harm to
individuals or your organization
6. Data Support and Operations
Once data has been classified, you need to outline how data at each level
will be handled. There are generally three components to this part of your
information security policy:
1. Data protection regulations: Organizations that store personally
identifiable information (PII) or sensitive data must protect it according
to organizational standards, best practices, industry compliance standards
and regulation
2. Data backup requirements: Outlines how data is backed up, what
encryption is used for the backups and which third-party service providers
are used
3. Movement of data: Outlines how data is communicated. Data classified
above the public level should be transmitted only over encrypted channels
(for example TLS) and never in the clear across public networks, so that an
attacker on the path cannot read or alter it in a man-in-the-middle attack
7. Security Awareness Training
Training should be conducted to inform employees of security
requirements, including data protection, data classification, access control
and general security threats.
8. Responsibilities and Duties of Employees
This part of your information security policy needs to outline the owners
of:
• Security programs
• Acceptable use policies
• Network security
• Physical security
• Business continuity
• Access management
• Security awareness
• Risk assessments
• Incident response
• Data security
• Disaster recovery
9. Other Items an ISP May Include
Virus protection procedure, malware protection procedure, network
intrusion detection procedure, remote work procedure, technical guidelines,
consequences for non-compliance, physical security requirements, references
to supporting documents, etc.
What is Cyber Law?
Cyber law is an integral part of the legal system. It deals with the legal
issues of cyberspace, and is also referred to as the Law of the Internet or
Digital Law. Cyber laws help businesses prevent identity and data theft,
privacy violations and fraud. In India, the Information Technology Act, 2000
(which also amended the Indian Penal Code) is the principal cyber law and
addresses e-commerce, e-contracts, digital signatures, intellectual property
rights and cyber security.
Cyber law applies to the various categories of cyber-crimes, such as:

Crimes against People: Cyber harassment and stalking, sending offensive
and sensitive material, credit card fraud, spoofing, identity theft, online
defamation, etc., are examples of crimes against people.
Crimes against Property: Unauthorized intrusion through cyberspace,
computer vandalism, the transmission of viruses in any network or system,
copyright infringement, IPR violations and unauthorized possession of
sensitive data are examples of crimes against property.
Crimes against Government: Crimes against the government are treated as
an attack on the nation's sovereignty and, in the extreme, as acts of war.
This category is the most serious of all. It includes crimes like hacking
government websites, accessing confidential information, cyber warfare and
terrorism, introducing viruses and using pirated software, etc.
Main Types of Regulations Covered by Cyber Law

India's cyber law, the Information Technology Act, 2000, covers many
regulations to address cybercrime and protect digital assets. Here are the
main types of regulations covered by cyber law in India:

Cybercrime

Cyber law in India defines and penalizes various types of cybercrimes, such
as hacking, cyberstalking, identity theft, phishing and cyberterrorism.
Consumers trust cyber laws to protect them from online fraud. These laws
are in place to prevent identity theft, credit card theft and other online
financial crimes. A person guilty of identity theft faces criminal charges
under the IT Act.

Intellectual Property

Intellectual property is the work, designs, symbols, inventions or anything
you own that is intangible and usually patented or copyrighted. Cyber theft
means the theft or illegal use of those intangible assets. Cyber law's
provisions on infringement defend the rights of individuals and businesses
to profit from their creative works through copyrights, trademarks and
patents.
Trade Secrets

Online companies often depend on cyber law to protect their trade secrets.
Take Google and other search engines as an example: they spend a great deal
of effort developing the algorithms that produce search results and other
features like maps, smart assistance and flight search. Cyber lawyers help
clients take legal action to protect such trade secrets.

Electronic and Digital Signatures

Today, most people and companies use electronic signatures to verify
electronic records. Misuse of such digital signatures by another person is
illegal and constitutes a cybercrime. The law recognizes electronic signatures
as legally valid and enforceable, providing a framework for their usage.

Data Security

Data security is a central concern in the Internet age and an increasingly
common subject of litigation. India's data protection and privacy regulatory
mechanism under the Information Technology Act, 2000 consists of a few
provisions, Sections 43A, 72 and 72A, that deal with the mishandling and
wrongful disclosure of personal data.

Data Protection and Privacy

Cyber law in India protects personal and sensitive data by regulating its
collection, use, storage, and disclosure.

Cybersecurity

Cyber law in India mandates companies and organizations to adopt
adequate security measures to protect their digital infrastructure from cyber
threats.
Cyber Forensics

Cyber law in India allows law enforcement agencies to conduct cyber
forensic investigations in cybercrime cases.

Employment Contract Conditions

Some terms of the employment contract fall under cyber law, including
non-disclosure and non-compete clauses. This can also include the usage of
company email or other digital resources by the employees.

Cyberbullying

The law prohibits cyberbullying and provides legal recourse for victims.

Social Media

Cyber law in India regulates the use of social media platforms and sets out
the due-diligence conditions under which they are, or are not, liable for the
content posted by their users.

Electronic Evidence

The law recognizes electronic evidence in legal proceedings, providing a
framework for admissibility.

Cyber Tribunals

The law provides for adjudicating officers and an appellate tribunal to deal
with contraventions and disputes arising from electronic transactions.
Characteristics of Cyber law

The main characteristics of cyber laws are:

• Cyber law covers online privacy, data protection, cybercrime, e-commerce,
intellectual property and digital signatures.
• Cyber law is enforceable, and violators can face legal consequences.
This includes fines, imprisonment and other penalties depending on the
severity of the offence.
• Cyber law can be complex because it involves legal, technical and
policy issues. It requires a deep understanding of both the technology and
the legal framework.
• It prescribes security measures for electronic records and digital
signatures.
• It defines a process for appointing an adjudicating officer to inquire
into contraventions of the Act.
• It provides legal recognition of digital signatures, which the Act
requires to be produced with an asymmetric cryptosystem and a hash function:
the record is hashed, the hash is signed with the signer's private key, and
anyone holding the public key can verify it.
• Police officers of the rank the Act specifies may, in a public place,
search and arrest without a warrant a person reasonably suspected of
committing an offence under the Act.
• If there is no cybercrime cell in the applicant's city, they can register
an FIR at their local police station.
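The "asymmetric cryptosystem plus hash function" requirement in the list above (and the misuse of signatures discussed under Electronic and Digital Signatures) is easier to see in code. The following is an added example, not part of the original notes: it hashes an electronic record with SHA-256, signs the digest with the private half of an Ed25519 key pair from Go's standard library, verifies it with the public half, and then shows that a tampered record and a signature checked under another party's key both fail. The fixed seeds, the invoice text and the function names are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Signer's key pair is derived from a fixed 32-byte seed so the example is
// reproducible. This seed is an illustrative constant, not a real key: a
// production signer draws its seed from crypto/rand and keeps the private
// key in an HSM or key vault.
var signerSeed = bytes.Repeat([]byte{0x42}, ed25519.SeedSize)

// signRecord implements the two-step scheme the Act describes: hash the
// electronic record, then sign the digest with the private key.
func signRecord(priv ed25519.PrivateKey, record []byte) []byte {
	digest := sha256.Sum256(record)
	return ed25519.Sign(priv, digest[:])
}

// verifyRecord recomputes the digest and checks the signature with the
// public key, which is all a relying party needs to hold.
func verifyRecord(pub ed25519.PublicKey, record, sig []byte) bool {
	digest := sha256.Sum256(record)
	return ed25519.Verify(pub, digest[:], sig)
}

// demo returns whether (a) the original record verifies, (b) a tampered copy
// of the record verifies against the same signature, and (c) the signature
// verifies under a different party's public key. Only (a) should be true.
func demo() (genuine, tampered, wrongKey bool) {
	priv := ed25519.NewKeyFromSeed(signerSeed)
	pub := priv.Public().(ed25519.PublicKey)

	// Constructed sample electronic record.
	record := []byte("Invoice 1001: pay INR 50,000 to account 1234")
	sig := signRecord(priv, record)
	genuine = verifyRecord(pub, record, sig)

	// An attacker alters the amount but cannot produce a new signature.
	altered := []byte("Invoice 1001: pay INR 90,000 to account 1234")
	tampered = verifyRecord(pub, altered, sig)

	// Someone else's key pair (another fixed, illustrative seed) cannot be
	// used to pass off the signer's signature as their own.
	otherPriv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x99}, ed25519.SeedSize))
	otherPub := otherPriv.Public().(ed25519.PublicKey)
	wrongKey = verifyRecord(otherPub, record, sig)
	return
}

func main() {
	g, t, w := demo()
	fmt.Printf("genuine=%v tampered=%v wrongKey=%v\n", g, t, w)
}
```

Ed25519 already hashes the message internally, so the explicit SHA-256 step mirrors the Act's "hash function plus asymmetric cryptosystem" wording rather than being required by the algorithm. What the example does not model, and a legally meaningful signature needs, is the binding of the public key to a real identity through a certificate issued by a licensed certifying authority, plus a trusted timestamp.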
Why is Cyber Law Needed?

Cyber laws exist to protect people from online fraud. They deter online
crimes, including credit card and identity theft, and a person who commits
such thefts stands to face criminal charges.

As cyberspace grows more sophisticated and more widely used every day, an
increase in cyber crime is inevitable. As of 2022, the approximate number of
internet users worldwide was 5.3 billion, up from 4.9 billion in 2021. Given
this rapid increase in the use of cyberspace, the implementation of strict
cyber rules helps establish a safe environment for users.

With more and more transactions being conducted online, it is imperative
to have legal frameworks to regulate these transactions and protect the
interests of the parties involved.
Advantages of Cyber Law
These are some of the advantages of cyber law listed below:

• Cyber law protects individuals and businesses from various
cybercrimes, such as hacking, identity theft, online fraud and cyberbullying.
• Cyber law mandates the protection of personal information and data
privacy, ensuring that internet users have control over their personal
information and that organizations take adequate measures to protect such
information.
• Cyber law provides a legal framework for e-commerce transactions
and helps establish trust between parties by providing a secure and reliable
basis for online transactions.
• These laws regulate internet-related activities, including
online transactions, intellectual property rights and content regulation.
• Cyber laws encourage innovation by protecting intellectual property
rights, promoting technological research and development, and enabling the
creation of new digital products and services.
Emerging Trends in Cyber Law

As technology advances, cyber law also needs to evolve constantly. Some
emerging trends in cyber law include:

• Data protection laws: The rising number of data breaches creates the need
to strengthen data protection laws that protect internet users' personal
information.
• Artificial Intelligence and Machine Learning: AI and ML techniques can
help detect data breaches and interpret emerging security threats. In future
we will see more use of AI and ML to identify vulnerable information and
information systems, recognize connections between threats and profile
cybercriminals, and the law will have to address how such systems are used.
• Internet of Things (IoT): As more devices become connected to the
internet, there is a need for laws and regulations to address issues such as
data privacy, security and liability for insecure devices.
• Blockchain technology: The use of blockchain technology is increasing in
various industries, and laws and regulations are needed to govern its use,
particularly in the areas of data privacy and security, including how
blockchain-based systems protect data flowing through untrusted networks.
India’s Digital Personal Data Protection Act, 2023: Data Privacy
Compliance
This Act is now in effect and governs the processing of digital personal
data in India, regardless of whether the data was originally collected in
digital or non-digital format and subsequently digitized. Under the DPDP
Act, state agencies may be exempted from its provisions at the
government’s discretion. This legislation is designed to bolster data
protection and accountability for entities such as internet companies,
mobile apps, and businesses that handle citizens’ data. Furthermore, it’s
worth noting that the DPDP Act will have implications for India’s trade
negotiations with other nations. It aligns with global data protection
standards, taking inspiration from models like the EU’s GDPR and
China’s PIPL.
The Indian Digital Personal Data Protection Act (preceded by the Digital
Personal Data Protection Bill) establishes a national framework for
protecting personal data.
The DPDP Act replaces the limited data protections (notably Section 43A)
of the Information Technology Act, 2000, as amended in 2008.
In addition to providing guidelines for data security and data privacy, the
DPDP also established the Data Protection Board of India to help enforce its
protocols. This supervisory board has the power to investigate complaints
and issue fines but cannot issue guidance or impose new regulations. All
regulatory powers related to the DPDP remain with the Government of India.
The DPDP’s scope of application is extensive
The act protects the personal data of all data principals and restricts the
activities of all data fiduciaries regardless of private or corporate operating
status.
Data Principals
Under the DPDP, “data principal” refers to individuals whose personal
data is being collected, stored, or otherwise interacted with. This term is
essentially the same as a “data subject” under the EU’s GDPR.
Data Fiduciaries
Data fiduciaries are data controllers or any other type of entity that, alone
or together with others, determines the purpose and means of processing a
data principal's personal data. This definition includes startups and entities
working alongside processors or other third-party service providers who store
or otherwise use personal data on their behalf.

Personal Data
While the DPDP only applies to digital personal data or personal data that a
data fiduciary has subsequently converted to digital form after collection, the
act’s definition of personal data is expansive.
What Rights Does the DPDP Grant to Data Principals?
The Indian government enacted the DPDP to prevent personal data
breaches and extend data privacy rights to all applicable data principals.
Under the act, data principals possess the following fundamental rights:
• The right to give consent for the processing of personal data
• The right to withdraw consent for the processing of personal data
• The right to access information about personal data
• The right to erasure and the right to correct, update and complete
personal data
• The right to readily available grievance redressal in the event a data
fiduciary fails to carry out its obligations under the act
• The right to nominate any other individual to exercise their data
principal rights in the event of death or incapacity
Under What Circumstances Can Data Fiduciaries Process Personal Data?
In Chapter II, the DPDP explicitly outlines the legal grounds for processing
personal data. Before processing, data fiduciaries must obtain free, specific
and informed consent from each data principal, unless the processing falls
under one of the "legitimate uses" the Act lists. When a data fiduciary
requests consent from a data principal, it must also include the following
information in the request:
• The type of personal data that the fiduciary will process and the
specified purpose for which the fiduciary will process such data
• An explanation of the process a data principal can follow to withdraw
their consent
• An explanation of how the data principal can pursue grievance
redressal, including the contact information of any relevant point of
contact or consent manager that can assist with the process
• The process the data principal can follow to submit a formal
complaint to the Data Protection Board of India
"Intellectual property is a key aspect for economic development." ~ Craig
Venter

Intellectual property rights are legal rights given to a person who invents
or creates something new that has not been done before. They allow that
person, or a delegate, to make full use of the particular idea for a period
of time. There are mainly three types of intellectual property rights:
copyrights, trademarks and patents.

i. Copyright:
This right is given to a person who creates a work for the public, such as
books, movies, songs, etc. The right arises automatically on creation, and
the holder has the exclusive right to make copies of the work, distribute it
in public or use the content in any live performance.

ii. Trademark:
A trademark is a legal right in a name, logo, symbol or slogan that a
business uses to identify its brand publicly. For example, Nike has its tick
sign and the slogan "Just Do It". Copying a copyrighted work is an offence
under Section 63 of the Copyright Act, 1957; trademarks are protected
separately under the Trade Marks Act, 1999.

iii. Patents:
A patent gives its owner(s) the right to forbid others, including
competitors, from making, using or selling the patented product or process
for a period of time.

A content creator faces many issues when seeking an intellectual property
right.
I. Patent Evergreening Prevention: The most common intellectual property
problem is preventing patent evergreening, so that a person or company cannot
extend a patent indefinitely by making minor changes to an existing invention.
Section 3(d) of the Indian Patents Act, 1970, which denies patents to new
forms of known substances that do not enhance efficacy, is the main
anti-evergreening provision and one of the most contested parts of India's
intellectual property regime.

II. Subsidies and IPR: Subsidies are provided to people, especially
farmers, to reduce their financial strain; the largest are food, education
and fertilizer subsidies. Full implementation of the Trade-Related Aspects of
Intellectual Property Rights (TRIPS) agreement is seen as requiring these
subsidies to be eliminated or reduced, so the Government of India has to
strike a balance between granting intellectual property rights and giving
subsidies.

III. The Product Patent Process: A product patent protects the product
itself and gives it a large amount of protection. Under a process patent
regime, by contrast, the patent is granted for the process by which the
product is made rather than for the product, which reduces monopoly in the
market because others may reach the same product by a different process.
India is a party to the Trade-Related Aspects of Intellectual Property
Rights (TRIPS) agreement, which requires its members to move from process
patents to product patents; India did so with the Patents (Amendment) Act,
2005. This is a demanding shift for a developing country, since a process
patent regime encourages finding new and different ways to produce the same
goods.

IV. Protecting Traditional Knowledge: The Indian government has to
protect traditional knowledge by not allowing MNCs to take over patents on
it, in order to promote Make in India and to protect the employment of
Indians. The government has specifically created the Traditional Knowledge
Digital Library (TKDL) to prevent the patenting of traditional knowledge,
because such knowledge, especially in the medical field, is a very rich
source of prior art.
V. Compulsory Licensing and the Drug Price Control Order: One of the major
intellectual property issues that the Government of India needs to focus on
is compulsory licensing. The flexibility TRIPS offers here is also available
to rich and developed countries, and organizations sometimes misuse it.
Under Section 84 of the Indian Patents Act, any interested person may apply
for a compulsory licence on a patented invention after three years from
grant, on grounds such as the invention not being available to the public at
a reasonably affordable price.
Plagiarism is a big and common problem today on which little light is
focused. Hard work, creations and original content such as literature,
designs and business information are taken by someone else with ease and
without even giving credit. Section 23 of the Indian Penal Code, 1860
defines the terms "wrongful gain" and "wrongful loss". In summary, everyone
who creates a new design, logo or brand name should secure the correct
property right over it. Until a law specifically covering online wrongs such
as plagiarism or other illegal activity comes into force, one has to be very
careful.

Intellectual property rests on originality of content, but it is divided
into two different parts:
1. Industrial property: content used for industrial purposes. It includes
patents, new creations, trademarks, designs and geographical indications of
source. A patent is a right given to someone who creates a product, or a
method of producing such a product, that has not been made before.

2. Copyright: content that is copyrighted.
