Regulatory laws in India are the acts and rules made by the central government, the state governments and local government, explains William D King. Acts are legislation passed by the Parliament (Central Acts) or by a state legislature (State Acts); rules are delegated legislation framed by the executive under the authority of an Act, such as the rules issued under the Information Technology Act, 2000. Together they form the basic structure of Indian law.
The term regulatory implies that these laws seek to regulate something or somebody for a specified purpose. They provide the guidelines, instructions and norms that must be followed in a particular field, and they subject the people and organizations active in that field to their authority. Regulatory laws reach cyber space because they cover information held on or moved between computers, computer systems and networks, including websites, data transfer and similar activity.
Regulatory Laws can be divided into two categories:
1) Content-based regulations
2) Infrastructure-based regulations
Content-Based Regulations: The provisions for dealing with unlawful or objectionable content are contained in the Information Technology Act, 2000. A website is hosted through an Internet Service Provider (ISP) or hosting provider, which the Act treats as an intermediary, says William D King. Under Section 79 the intermediary is shielded from liability for third-party content only if it observes due diligence and expeditiously removes unlawful material once it has actual knowledge of it, and under Section 69A it must comply with government orders to block public access to specified content. The obligation is therefore to act on notices and blocking orders; the Act does not require an ISP to screen every data packet that passes through its servers.
Infrastructure-Based Regulations: Infrastructure-based regulations refer to the policies concerning connectivity, including licensing of service providers, allocation of frequency spectrum, bandwidth and backbone providers. Broadband service comes under this category. Broadband may be delivered over wired media (leased lines, DSL, fibre) or over wireless means such as Wi-Fi hotspots and point-to-multipoint microwave systems; wireless delivery is additionally subject to the spectrum rules that apply to the band in use.
The following table represents the regulatory laws for cyber space in India.
PCI DSS (the Payment Card Industry Data Security Standard) is an information security standard for organizations that store, process or transmit cardholder data for the major credit, debit and prepaid card brands issued globally. It was developed by the Payment Card Industry Security Standards Council (PCI SSC), which was founded by the major payment brands Visa Inc., Mastercard, American Express, JCB International and Discover Financial Services.
The objective of the standard is to protect cardholder data throughout its life cycle, explains William D King: while it is transmitted, while it is processed and wherever it is stored. It reduces card fraud arising from insider theft and external compromise and protects customers against breaches of transaction data. PCI DSS specifies twelve requirements that apply to merchants, service providers and any other entity that stores, processes or transmits cardholder data. Compliance is validated either by an assessment from a Qualified Security Assessor (QSA) or, for smaller merchants, by completing a Self-Assessment Questionnaire (SAQ).
PCI DSS groups its twelve requirements under six control objectives:
Build and Maintain a Secure Network and Systems
1) Install and maintain a firewall configuration to protect cardholder data
2) Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3) Protect stored cardholder data
4) Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
5) Protect all systems against malware and regularly update anti-virus software or programs
6) Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7) Restrict access to cardholder data by business need to know
8) Identify and authenticate access to system components
9) Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10) Track and monitor all access to network resources and cardholder data
11) Regularly test security systems and processes
Maintain an Information Security Policy
12) Maintain a policy that addresses information security for all personnel
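Requirement 3 is the one most developers meet directly, so here is an added example (written for this page, not code from the standard or from the article's author) of what "protect stored cardholder data" means in application code. It applies three concrete rules from PCI DSS v3.2.1: 3.2, do not store sensitive authentication data such as the CVV after authorization; 3.3, mask the PAN when displayed to at most the first six and last four digits; and 3.4, render the PAN unreadable wherever it is stored, here with a keyed one-way hash. The test card number, the CVV and the hash key are constructed values, and the dict-shaped record is my assumption about the storage layer.

```python
"""Added example (not from the original article): applying PCI DSS
"Protect Cardholder Data" (requirements 3.2, 3.3 and 3.4 in v3.2.1
numbering) in application code.

Assumptions, which are mine and not part of the standard's text:
the PAN and CVV arrive as strings from a checkout form, the CVV is
consumed by a (simulated) authorization step, and the record that
survives authorization is a plain dict.
"""
import hashlib
import hmac
import re

# Constructed key for the keyed hash; a real deployment keeps this in an
# HSM or secrets manager and rotates it, never in source code.
PAN_HASH_KEY = b"example-key-do-not-use"


def luhn_valid(pan: str) -> bool:
    """Luhn check digit (ISO/IEC 7812): double every second digit from the
    right, subtract 9 from doubled values above 9, sum, and test mod 10."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def normalize_pan(raw: str) -> str:
    """Strip spaces and dashes; require 13-19 digits and a valid Luhn digit."""
    pan = re.sub(r"[ -]", "", raw)
    if not re.fullmatch(r"\d{13,19}", pan) or not luhn_valid(pan):
        raise ValueError("not a well-formed PAN")
    return pan


def mask_pan(pan: str) -> str:
    """Req 3.3: when displayed, show at most the first six and last four
    digits; everything in between is replaced."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def hash_pan(pan: str) -> str:
    """Req 3.4: render the stored PAN unreadable. A keyed one-way hash is
    used so the value can still be matched (e.g. duplicate detection) but
    cannot be brute-forced over the small PAN space without the key."""
    return hmac.new(PAN_HASH_KEY, pan.encode(), hashlib.sha256).hexdigest()


def build_storage_record(raw_pan: str, cvv: str) -> dict:
    """Validate the inputs and return the only fields allowed to persist.

    The CVV is checked here because the authorization call needs it, but
    it is deliberately absent from the returned record: Req 3.2 forbids
    storing sensitive authentication data after authorization.
    """
    pan = normalize_pan(raw_pan)
    if not re.fullmatch(r"\d{3,4}", cvv):
        raise ValueError("bad CVV")
    return {"pan_masked": mask_pan(pan), "pan_hmac": hash_pan(pan)}


def record_is_compliant(record: dict) -> bool:
    """Audit check for a persisted record: no CVV, no full PAN, and the
    masked form exposes no more than first six / last four."""
    if "cvv" in record or "pan" in record:
        return False
    masked = record.get("pan_masked", "")
    return bool(re.fullmatch(r"\d{6}\*+\d{4}", masked))


if __name__ == "__main__":
    # Constructed test card number (a well-known Luhn-valid example value).
    rec = build_storage_record("4111 1111 1111 1111", "123")
    print(rec["pan_masked"], record_is_compliant(rec))  # 411111******1111 True
```

The point of `record_is_compliant` is that the check runs against what was actually written, not against what the code intended to write; a periodic scan of persisted records with a check like this is how a QSA or an internal audit catches a CVV that slipped into a log or a debug field.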
Why are they important?
These laws protect user privacy, organizational reputation and consumer trust in online transactions. They define the rules, regulations and responsibilities governing cyber space. As an example, GDPR has three key parts, says William D King: personal data protection by design and by default; digital rights for citizens; and a requirement that consent be unambiguous. Personal Data Protection by Design and by Default (Article 25) requires organizations to build security and privacy safeguards into a process from the very beginning, rather than adding them after data about people has already been collected through a website or app; this limits the damage if something later goes wrong.
Digital Rights for Citizens: the law gives users more control over their own data. Organizations must make it possible for users to obtain a copy of, delete, or transfer to another provider the personal data they provided via apps or websites (the rights of access, erasure and portability). Furthermore, organizations may not process personal data without a lawful basis. Consent is one such basis, and where it is relied on it must be freely given, specific, informed and unambiguous, expressed by a clear affirmative act.
These cyber security laws are an important step towards safeguarding people from breaches of privacy and data theft.
Regarding cyber security standards, the Department of Telecommunications (DoT) is responsible for laying down the standards to be adopted by all telecom service providers for their internal networks and systems. The National Telecom Policy 2012 aimed at evolving a National Information Security Policy for India by April 1, 2013, to establish an effective framework for cyber security in the country.