SERIES 4:
Engineers aren’t just building systems and infrastructure; we are also responsible for protecting the digital backbone that keeps businesses running. One overlooked breach, one compliance misstep, or one gap in security protocols can lead to legal fallout, project shutdowns, or long-term damage to a firm’s credibility. Criminal law and cybersecurity regulations aren’t just legal checkboxes; they are now critical to business continuity. For engineers, this means understanding how these frameworks affect everything from data handling to system design. In this article, we’ll break down how criminal law intersects with cybersecurity compliance, and why staying ahead of both is essential to keeping operations secure, resilient, and legally protected in the digital age. What is the significance in today’s business environment? Prudence is mandatory. Showing due care and due diligence is the only way to rebut a claim of negligence when a loss occurs, so senior management must be able to demonstrate both in order to reduce their culpability and liability.
Now, business continuity planning. Despite our best efforts, disasters of one form or another will strike an organization, be it a natural disaster such as a hurricane or an earthquake, or a man-made calamity such as a building fire. Every organization will face at least one such threat during its existence.
Business continuity planning (BCP) is a practice: it involves assessing the risks to organizational processes and creating the policies, plans, and procedures that minimize the impact of those risks. BCP focuses on keeping business operations running, even with reduced capabilities. If that continuity is broken, the business processes have stopped and the organization is in disaster mode; this is when disaster recovery planning (DRP) takes over. The top priority of both BCP and DRP is always people. The first concern is to get people out of harm’s way; only then do you address IT recovery and restoration issues.
Now that we have introduced BCP and DRP, let us look at the differences between them. A business continuity plan refers to the means by which loss of business may be avoided; it ought to define the business requirements for continuity of operations, and it also defines the business requirements for a disaster recovery plan. A disaster recovery plan, on the other hand, deals with restoring computer systems, with all their software and connections, to full functionality under a variety of damaging or interfering external conditions. Essentially, the DRP addresses the procedures to be followed during and after the loss, whereas the BCP is the pre-emptive process put in place in preparation for handling the disaster. The overall goal of BCP is to provide a quick, calm, and efficient response in the event of an emergency and to enhance the company’s ability to recover from a disruptive event promptly.
Now let’s talk in detail about the BCP process. The BCP process has four main steps: project scope and planning, business impact assessment, continuity planning, and finally approval and implementation.
Legal Aspects of Cybersecurity
Now let’s talk about the laws that are connected to cybersecurity. The first category is criminal law. Criminal laws are enforced by the police and other law enforcement agencies; they prohibit acts such as murder, assault, and robbery, and they set out the penalties, paid to the court or the government, for committing those crimes. There are also a number of criminal laws that have been put in place to protect society against computer-based crime.
Then there is civil law. Civil laws form the bulk of our body of laws and basically maintain the order of society. They govern matters that are not crimes but that require an impartial arbitrator to settle disputes between individuals and organizations; examples include contract disputes, real estate transactions, and employment matters. Law enforcement authorities usually do not become involved in matters of civil law.
Then there is administrative law: laws and legal principles created by administrative agencies to address areas such as international trade, manufacturing, the environment, and immigration. Turning to laws related to computer crime, early computer crime prosecutions were attempted under traditional criminal law, and many cases were dismissed because judges felt that stretching traditional law to cover this modern type of crime went too far. Legislators responded by passing specific statutes that define computer crimes and lay out specific penalties for them. These acts were created because of the lack of laws pertaining to computer crime; they include the Computer Fraud and Abuse Act, the Computer Security Act of 1987, and the Federal Information Security Management Act.
Understanding the Digital Millennium Copyright Act (DMCA)
The Digital Millennium Copyright Act prohibits attempts to circumvent the copyright protection mechanisms that a copyright holder places on a protected work; it is the law behind the copy-prevention mechanisms used on CDs and DVDs in earlier times. The DMCA also limits the liability of internet service providers when their circuits are used by criminals violating copyright law, provided the service provider’s activities meet the following requirements: the transmission must be initiated by a person other than the provider; the transmission, routing, provision of connections, or copying must be carried out by an automated process; the service provider must not determine the recipients of the material; any intermediate copies must not ordinarily be accessible to anyone other than the anticipated recipients; and the material must be transmitted with no modification to its content.
Now let’s see what trademarks are. A trademark is a type of intellectual property consisting of a recognizable sign, design, or expression that identifies the products or services of a particular source or brand from those of others. Trademarks do not need to be officially registered to gain protection under the law: if you use a mark in your public activities, you are automatically protected and can use the superscript TM symbol to show that you intend to protect words or logos as trademarks. Trademarks can also be registered with the United States Patent and Trademark Office (USPTO); once you have received your registration certificate from the USPTO, you can denote your mark as a registered trademark with the ® symbol. Registered trademarks are granted for an initial period of 10 years and can be renewed an unlimited number of times in 10-year increments.
Exploring Patents and Their Importance in Innovation
Then there are patents. A patent is an exclusive right granted for an invention, which is a product or a process that provides, in general, a new way of doing something or offers a new technical solution to a problem. To get a patent, technical information about the invention must be disclosed to the public in a patent application. Patents provide a period of 20 years during which the inventor is granted exclusive rights to use the invention, whether directly or via licensing agreements. At the end of the exclusivity period the invention enters the public domain and is available for anyone to use. For something to be patentable there are three main requirements: the invention must be new, the invention must be useful, and the invention must not be obvious. In the technology field, patents have long been used to protect hardware devices and manufacturing processes; more recently, patents have also been issued covering software programs.
Understanding Trade Secrets and Their Protection
Now, what are trade secrets? Trade secrets are a type of intellectual property comprising formulas, practices, processes, designs, or compilations of information that have inherent economic value because they are not generally known or readily available to the public, and for which the owner takes reasonable measures to keep them secret. Many companies have intellectual property that is critical to their business and would suffer significant damage if it were disclosed; well-known examples are the secret formulas of Coca-Cola and KFC. Copyrights or patents could in principle be used to protect such information, but the catch is that all the details of the work would have to be publicly disclosed, and copyrights or patents only provide protection for a limited period of time, so protecting trade secrets with copyrights or patents is not a good idea. To preserve trade secret status, organizations must instead implement adequate controls to ensure that only authorized personnel with a need to know have access to the secrets. Trade secret protection is also one of the best ways to protect computer software; it is the technique used by large software development companies such as Microsoft to protect their core base of intellectual property. The US government recognized the importance of protecting trade secrets and enacted the Economic Espionage Act of 1996.
Cybersecurity Laws, Intellectual Property & Privacy Compliance Explained
Now let’s see what software licensing is. The common types of licensing agreements in use today are as follows. The first is the contractual license agreement, which uses a written contract between the software vendor and the customer outlining the responsibilities of each; these agreements are commonly found for high-priced and/or highly specialized software packages. Then there are shrink-wrap license agreements, which are written on the outside of the software packaging; they commonly include a clause stating that the user acknowledges agreement to the terms of the contract simply by breaking the shrink-wrap seal on the package. Then there are click-through license agreements, which include contract terms that are either written on the software box or included in the software documentation; during the installation process you are required to click a button indicating that you have read the terms of the agreement and agree to abide by them. Finally there are cloud service license agreements. Most cloud services do not require any form of written agreement and simply flash legal terms on the screen for review; in some cases they may simply provide a link to the legal terms and a check box for users to confirm that they have read and agree to them.
Now let’s talk about privacy laws. The first is the Fourth Amendment, which prohibits government agencies from searching private property without a warrant and probable cause. The courts have expanded their interpretation of the Fourth Amendment to include protection against wiretapping and other invasions of privacy, so no government agent can listen in on a call without a proper warrant supported by probable cause. Then there is the Privacy Act of 1974, which severely limits the ability of federal government agencies to disclose private information to other agencies without the prior written consent of the affected individuals. Then there is the Health Insurance Portability and Accountability Act, also known as HIPAA, which strictly regulates hospitals, insurance companies, and other organizations that process or store medical information about individuals. It defines the rights of individuals who are the subject of medical records and requires organizations that maintain such records to disclose these rights in writing.
Then there is European Union privacy law. The EU data protection directive creates a balance between the interests of the data holder and the interests of the data subject. The directive outlines key rights of individuals about whom data is held or processed: the right to access the data, the right to know the data’s source, the right to correct inaccurate data, the right to withhold consent to processing in some situations, and the right to legal action should these rights be violated. The General Data Protection Regulation (GDPR) came into force in the European Union in May 2018; it protects the personal data and privacy of individuals in the EU. The regulation defines three roles: the data subject, the individual to whom the data pertains; the data controller, any organization that collects data on EU residents; and the data processor, any organization that processes data on behalf of a data controller. The regulation applies if any one of these three entities is based in the European Union. Its key provisions include consent, meaning that data controllers and data processors cannot use personal data without the explicit consent of the data subject; the right to be informed, meaning that controllers and processors must tell data subjects how their data is used; the right to restrict processing, meaning that data subjects can agree to have their data stored by a collector but disallow it from being processed; the right to be forgotten, meaning that data subjects can request that their personal data be permanently deleted; and data breach notification, meaning that data controllers must report a personal data breach within 72 hours of becoming aware of it. Now let’s see what compliance is. Compliance in business basically refers to following the relevant laws and regulations for your industry.
Regulatory compliance describes the goal that organizations aspire to achieve in their efforts to ensure that they are aware of, and take steps to comply with, relevant laws, policies, and regulations. Due to the increasing number of regulations and the need for operational transparency, organizations are increasingly adopting consolidated and harmonized sets of compliance controls. Now let’s see what ethics are.
Code of Ethics and Certification Standards
There is a code of ethics whose preamble states that the safety and welfare of society and the common good, duty to our principals, and duty to each other require that we adhere, and be seen to adhere, to the highest ethical standards of behavior; therefore, strict adherence to the code is a condition of certification. The International Information System Security Certification Consortium, (ISC)², requires all certified information systems security professionals to commit to fully supporting its code of ethics. If a CISSP intentionally or knowingly violates the code, he or she may be subject to a peer review panel, which will decide whether the certification should be revoked. The code of ethics has four canons: protect society, the common good, necessary public trust and confidence, and the infrastructure; act honorably, honestly, justly, responsibly, and legally; provide diligent and competent service to principals; and advance and protect the profession. Most often, laws are based on ethics and are put in place to ensure that people act in an ethical way. However, laws do not cover everything, and there are times when ethics should take precedence: some things may not be illegal, but that does not necessarily mean they are ethical.
Importance of Proactive Security Measures
Now, is security an overhead? Companies just want to do their business, and everyone likes to have unrestricted access to the internet. Most probably we have not seen any attack on the company or on our devices in the past, so why invest millions in firewalls, proxies, antivirus, WAFs, and other security tools? The answer is that we are taking precautions. The world is very large, the internet is open to anyone, and an attack can come from anywhere, so we take care of the company’s security. When you wonder whether you should care about security at all, remember that the world is not a simple place anymore: one data breach and the business may never recover.
CIA Triad and Sector-Specific Priorities
We have discussed the CIA triad. Now, which of the three should be the priority? It cannot be stated outright; it depends. At the end of the day you need a balanced approach to security rather than assuming one property is always more important than the others. For instance, in the military, confidentiality is paramount; in banking, integrity; and in digital entertainment, availability.
Comprehensive Guide to Security Controls, Frameworks, and Best Practices in Information Security
Now, let’s talk about security terms. The first is vulnerability: a vulnerability is a weakness in a system that allows a threat source to compromise its security. A threat is any potential danger associated with the exploitation of a vulnerability, and a threat agent is the entity that takes advantage of that vulnerability. Risk is the likelihood of a threat source exploiting a vulnerability and the corresponding business impact. Exposure is the instance of being exposed to losses, and controls are the mechanisms put in place to mitigate or reduce the risk.
Security controls can also be classified by the function they perform: preventive, detective, corrective, deterrent, recovery, and compensating. Controls that function as preventive include security guards, security policy, encryption, ACLs, and antivirus. Controls with a detective function include monitoring, CCTV, job rotation, audit logs, and intrusion detection systems. Corrective functions are provided by server images and patching. Controls with a deterrent function include fences, lighting, dogs, and CCTV. Controls with a recovery function include DR facilities, backups, and high availability. Compensating functions are scenario-based. A control can exhibit multiple functions (CCTV is both detective and deterrent); when classifying, think of the primary purpose of that control.
The defense system or the security defense system in depth can be thought of as follows. From the outside, the threats can be external. The first line of security is perimeter security, followed by network security. Then there is endpoint security, application security, data security, and at the center are mission critical assets. Policy management comes under prevention, and operations come under monitoring and response.
Now, security through obscurity. This means assuming that the adversary cannot attack what the adversary does not understand, rather than checking that the system actually resists attack. Examples are making the application complex and assuming the attacker would never be able to break it, keeping a copy of passwords under the keyboard, and in-house cryptography algorithms. It is better to validate than to assume.
Threat Modeling and Reduction Analysis
Once the system has been diagrammed, the team considers the attacks that could be targeted at each element of the diagram. Some key elements are trust boundaries, data flow paths, input points, and privileged operations. Reduction analysis is decomposing the application, system, or environment to understand the logic of the product and its interaction with external elements. Breaking a system down into its constituent parts makes it easier to identify the components of each element as well as to take notice of vulnerabilities and points of attack.
Now, threat modeling with STRIDE. This is a model developed by Microsoft for identifying and categorizing threats. The threat categories are spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege, and the desired properties being protected are, respectively, authenticity, integrity, non-repudiation, confidentiality, availability, and authorization.
Now, threat modeling with DREAD. The DREAD rating system is designed to provide a prioritization scheme based on the answers to five questions about each threat. The aspects rated are damage potential (how bad would an attack be?), reproducibility (how easy is it to reproduce the attack?), exploitability (how much work is it to launch the attack?), affected users (how many people will be impacted?), and discoverability (how easy is it to discover the threat?).
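The reduction analysis, STRIDE, and DREAD steps above fit together naturally in code. The following is an added example, not code from the original page or from Microsoft: it takes a small data-flow diagram (elements with trust zones, plus the flows between them), applies the STRIDE-per-element mapping (external entities: S, R; processes: all six; data stores: T, R, I, D; data flows: T, I, D) to every element and to every flow that crosses a trust boundary, and then ranks a couple of the resulting threats with DREAD. The sample diagram, the 1–10 DREAD scale, and the ratings are constructed assumptions for illustration.

```python
from dataclasses import dataclass

# STRIDE-per-element (Microsoft SDL / Shostack): the threat categories that
# apply to each kind of data-flow-diagram element.
STRIDE_PER_ELEMENT = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",
    "data_flow": "TID",
}
STRIDE_NAMES = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service",
    "E": "Elevation of privilege",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str        # "external_entity", "process" or "data_store"
    trust_zone: str  # e.g. "internet", "dmz", "internal"


@dataclass(frozen=True)
class Flow:
    name: str
    src: Element
    dst: Element

    def crosses_trust_boundary(self) -> bool:
        return self.src.trust_zone != self.dst.trust_zone


def enumerate_threats(elements, flows):
    """Reduction analysis: list (target, STRIDE letter) pairs for every
    element, and for every data flow that crosses a trust boundary."""
    threats = []
    for e in elements:
        for cat in STRIDE_PER_ELEMENT[e.kind]:
            threats.append((e.name, cat))
    for f in flows:
        if f.crosses_trust_boundary():
            for cat in STRIDE_PER_ELEMENT["data_flow"]:
                threats.append((f.name, cat))
    return threats


def dread_score(damage, reproducibility, exploitability, affected_users, discoverability):
    """DREAD rating: each factor on an assumed 1..10 scale, averaged."""
    factors = (damage, reproducibility, exploitability, affected_users, discoverability)
    if any(not 1 <= x <= 10 for x in factors):
        raise ValueError("DREAD factors must be in 1..10")
    return sum(factors) / len(factors)


def prioritize(rated):
    """rated: list of ((target, category), score). Highest score first."""
    return sorted(rated, key=lambda item: item[1], reverse=True)


# Constructed sample DFD: browser -> web app -> database, plus a log store
# in the same zone as the web app (that flow does not cross a boundary).
BROWSER = Element("Browser", "external_entity", "internet")
WEB_APP = Element("Web app", "process", "dmz")
LOG_STORE = Element("Log store", "data_store", "dmz")
DATABASE = Element("Database", "data_store", "internal")
ELEMENTS = [BROWSER, WEB_APP, LOG_STORE, DATABASE]
FLOWS = [
    Flow("HTTPS request", BROWSER, WEB_APP),
    Flow("SQL query", WEB_APP, DATABASE),
    Flow("Log write", WEB_APP, LOG_STORE),
]

# Constructed DREAD ratings for two of the enumerated threats.
RATED = [
    (("SQL query", "T"), dread_score(9, 10, 7, 9, 8)),  # tampering with the query
    (("Browser", "S"), dread_score(5, 6, 6, 4, 7)),     # spoofing a user
]

if __name__ == "__main__":
    for target, cat in enumerate_threats(ELEMENTS, FLOWS):
        print(f"{target:14s} {STRIDE_NAMES[cat]}")
    for (target, cat), score in prioritize(RATED):
        print(f"{score:4.1f}  {target} / {STRIDE_NAMES[cat]}")
```

The design choice worth noticing is that only flows crossing a trust boundary are enumerated; the log write inside the DMZ is skipped, which is exactly the point of drawing trust boundaries first.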
Quantitative and Qualitative Risk Analysis in Cybersecurity
What is the value of information and assets? An asset can have both quantitative and qualitative measurements assigned to it. The actual value of an asset is determined by the importance it has to the organization as a whole. Factors include the cost to maintain and protect the asset, the value of the asset to owners and users, the value of the asset to adversaries, the cost to replace the asset if it is lost, the operational and production activities affected if the asset is unavailable, and the liability issues if the asset is compromised.
What is a delayed loss? A delayed loss is secondary in nature and takes place well after a vulnerability is exploited. It may include damage to the company’s reputation, loss of market share, accrued late penalties, civil suits, delayed collection of funds from customers, and the resources required to re-image the compromised systems.
Now let’s talk about quantitative risk analysis. The first term is asset value (AV), which corresponds to the value of the asset we need to protect. Then the exposure factor (EF), which is the percentage of loss a realized threat could have on a certain asset. Then single loss expectancy (SLE), which is the cost associated with a single realized risk against a specific asset, calculated as the product of asset value and exposure factor: SLE = AV × EF.
Risk Analysis Examples and Comparisons
Then there is the annualized rate of occurrence (ARO), a value that represents the estimated frequency of a specific threat taking place within a year. The range runs from 0.0 (never) through 1.0 (once a year) to greater than one (several times a year), and anywhere in between. Then there is annualized loss expectancy (ALE), which corresponds to the possible yearly cost of all instances of a specific threat realized against a specific asset: ALE = SLE × ARO. Now a quantitative risk analysis example. Consider the risk of a hurricane to a company’s data center. The asset value is $1 million, the EF is 20%, and the ARO is once in 10 years (0.1). The SLE is the product of asset value and EF, which comes to $200,000, and the ALE is $200,000 × 0.1 = $20,000.
Now, what is qualitative risk analysis? Qualitative methods walk through different risk scenarios and rank the seriousness of the threats and the validity of the possible countermeasures based on opinion; qualitative analysis techniques rely on judgment, best practices, intuition, and experience. The techniques used include the Delphi technique, brainstorming, storyboarding, surveys, questionnaires, checklists, and interviews. In the Delphi technique, feedback is collected anonymously by a moderator and summarized, and the most common solutions are selected; in each round the solutions are refined and the least popular ones are dropped by the moderator.
A qualitative risk analysis example is a matrix of probability against impact. Now let’s compare quantitative and qualitative analysis. The pros of quantitative analysis are that it uses objective processes and metrics, it is expressed in monetary terms, and it gives a credible cost/benefit assessment; the cons are that the calculations are complex, a lot of information is required, and there is a lack of proper standards. The pros of qualitative assessment are that the calculations are very simple and it gives a general indication of areas of risk; the cons are that the assessment and results are subjective, there is no cost/benefit analysis, and it does not help with security budgeting.
Security Control Selection and Residual Risk
Now let’s talk about security control selection. A security control must make good business sense, meaning that it is cost effective. This requires another type of analysis, the cost/benefit analysis: the value of a control is calculated as the ALE before the control minus the ALE after the control minus the annual cost of the control. When choosing an effective security control, the costs to consider are the production cost, implementation cost, environmental modifications, maintenance requirements, effects on productivity, and man-hours for monitoring. The features a good control should exhibit are modularity, uniform protection, defaulting to least privilege, being interactive, minimum human intervention, and audit functionality.
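The SLE/ARO/ALE arithmetic and the control value formula above are easy to get wrong when there are several threats and several candidate controls, so here is an added example (not code from the original page) that carries the hurricane scenario through to control selection. It reproduces the page’s figures ($1M asset, EF 20%, once in 10 years) and then compares two candidate controls; the controls, their annual costs, and the EF/ARO they leave behind are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Threat:
    """One threat against one asset, in the page's quantitative terms."""
    name: str
    asset: str
    asset_value: float      # AV, in dollars
    exposure_factor: float  # EF, fraction of AV lost per occurrence (0.0..1.0)
    aro: float              # annualized rate of occurrence (0.1 = once in 10 years)

    def sle(self) -> float:
        """Single loss expectancy = AV * EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy = SLE * ARO."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    """A candidate safeguard and the EF / ARO it would leave behind."""
    name: str
    annual_cost: float
    exposure_factor_after: Optional[float] = None  # None = unchanged
    aro_after: Optional[float] = None              # None = unchanged

    def apply(self, threat: Threat) -> Threat:
        ef = threat.exposure_factor if self.exposure_factor_after is None else self.exposure_factor_after
        aro = threat.aro if self.aro_after is None else self.aro_after
        return Threat(threat.name, threat.asset, threat.asset_value, ef, aro)


def aro_from_interval(years_between_events: float) -> float:
    """'Once in N years' expressed as an ARO."""
    return 1.0 / years_between_events


def control_value(threat: Threat, control: Control) -> float:
    """Value of control = ALE before - ALE after - annual cost of control."""
    return threat.ale() - control.apply(threat).ale() - control.annual_cost


def rank_by_ale(threats):
    """Highest annualized loss first: where the budget should go."""
    return sorted(threats, key=lambda t: t.ale(), reverse=True)


def choose_control(threat: Threat, controls) -> Optional[Control]:
    """Pick the control with the highest positive value; None if no control
    pays for itself (accept or transfer the risk instead)."""
    best = max(controls, key=lambda c: control_value(threat, c), default=None)
    if best is None or control_value(threat, best) <= 0:
        return None
    return best


# The page's example: $1M data center, hurricane EF 20%, once in 10 years.
HURRICANE = Threat("Hurricane", "Data center", 1_000_000, 0.20, aro_from_interval(10))

# Constructed candidate controls (costs and effects are assumptions).
FLOOD_BARRIERS = Control("Flood barriers", annual_cost=5_000, exposure_factor_after=0.05)
RELOCATE = Control("Relocate data center", annual_cost=30_000, aro_after=0.01)
CONTROLS = [FLOOD_BARRIERS, RELOCATE]

if __name__ == "__main__":
    print(f"SLE = ${HURRICANE.sle():,.0f}, ALE = ${HURRICANE.ale():,.0f}")
    for c in CONTROLS:
        print(f"{c.name}: value = ${control_value(HURRICANE, c):,.0f}")
    chosen = choose_control(HURRICANE, CONTROLS)
    print("Chosen:", chosen.name if chosen else "none (accept or transfer the risk)")
```

With these assumed figures the barriers are worth $10,000 a year while relocating, although it removes far more risk, costs more than it saves and comes out negative; that is the point of the formula, and it is why a more effective control is not automatically the right one.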
Now, what is residual risk? The reason a company implements countermeasures is to reduce its overall risk to an acceptable level, but no system or environment is ever 100% secure, which means some risk is always left over. This is called residual risk. Residual risk is the total risk minus the countermeasures; equivalently, residual risk is the product of total risk and the control gap.
What is continuous improvement? A risk analysis or risk assessment is a point-in-time metric. Threats and vulnerabilities constantly change, so risk assessments need to be redone periodically to support continuous improvement. Security is always changing, thus any implemented security solution requires updates and changes over time. The risk handling flowchart shows the four ways of managing risk: risk mitigation, risk transference, risk acceptance, and risk avoidance.
Best Practices for Hiring, Security Awareness, and Business Continuity Planning
So how do we handle this? First we plan: identify the team, identify the scope, identify the methods, identify the tools, and understand the acceptable risk levels. Then we collect information: identify the assets involved, assign their value, identify the vulnerabilities and threats, calculate the risk, and perform cost/benefit analysis and uncertainty analysis. Then we define the recommendations, choosing among risk mitigation, transference, acceptance, and avoidance. Finally we go to management, where the recommendations are implemented: for mitigation we select, implement, and monitor controls; for transference we purchase insurance; for acceptance we do nothing; and for avoidance we discontinue the activity.
Now let’s look at hiring practices for personnel security. The first element is the job description, which defines the roles an employee is assigned to perform their work tasks; it should define the type and extent of access the position requires to secured resources. Then there is candidate screening, which includes background checks, references, education verification, and security clearance. These essentially prove that a candidate is adequate, qualified, and trustworthy.
Then the employment agreement: a new hire should sign an employment agreement that outlines the rules and restrictions of the organization, including the security policy, the acceptable use and activities policies, details of the job description, and violations and their consequences. There may be other security-related documentation, such as a non-disclosure agreement (NDA), which is used to protect the confidential information within an organization.
Business Impact Assessment in Continuity Planning
Workability, work stability, and other concerns are taken into account, and this type of data often results in categories of prioritization. Business impact assessment involves the following steps. The first is identifying priorities: certain activities are most essential to day-to-day operations when disaster strikes, and this task, critical prioritization, involves creating a comprehensive list of business processes and ranking them in order of importance. Asset value can be used: the BCP team should draw up a list of organizational assets and the value each asset has in monetary terms. Then maximum tolerable downtime (MTD), which defines the maximum length of time a business function can be inoperable without causing irreparable harm to the business. Then the recovery time objective (RTO), which is the amount of time in which the function can be recovered after a disruption. The goal of the BCP process is to ensure that your RTOs are less than your MTDs. Risk identification is the second step, and risk comes in two forms: natural risk (hurricanes, earthquakes, etc.) and man-made risk (fires, theft, terrorism, etc.). Risk identification is purely qualitative in nature; at this point the BCP team should not be concerned about the likelihood that these risks will actually materialize or the amount of damage such an occurrence would inflict on the continued operation of the business. That comes in the next step, likelihood assessment, which is expressed in terms of an annualized rate of occurrence (ARO). These numbers should be based on corporate history, the professional experience of team members, and advice from experts such as meteorologists, seismologists, fire prevention professionals, and other consultants.
Risk and Impact Assessment Strategy
Then there is impact assessment. Here we analyze the data gathered during risk identification and likelihood assessment and attempt to determine what impact each identified risk would have on the business if it were realized. Quantitatively we calculate metrics such as EF, SLE, and ALE; qualitatively we consider reputation loss, customer loss, and so on. Then comes resource prioritization: prioritizing the allocation of business continuity resources to the various risks identified and assessed in the preceding tasks of the business impact assessment. Now let’s talk about continuity planning, which is developing and implementing a continuity strategy to minimize the impact that realized risks might have on protected assets. There are multiple subtasks involved. The first is strategy development, which bridges the gap between the business impact assessment and the continuity planning phases of BCP development: the BCP team must now take the prioritized list of concerns raised by the quantitative and qualitative resource prioritization exercises and determine which risks will be addressed by the BCP. Then there are provisions and processes: the BCP team designs the specific procedures and mechanisms that will mitigate the risks deemed unacceptable during the strategy development stage. Three categories of assets must be protected through BCP provisions and processes: people, buildings and facilities, and infrastructure. Then there is plan approval, which requires obtaining top-level management endorsement of the plan; this demonstrates the importance of the plan to the entire organization and showcases the business leaders’ commitment to business continuity. Then plan implementation, where the BCP team gets together and develops an implementation schedule that uses the resources dedicated to the program to achieve the stated process and provision goals.
Then there is training and education. Everyone in the organization should receive at least a plan overview briefing. People with direct BCP responsibilities should be trained and evaluated on their specific BCP tasks, and at least one backup person should be trained for every BCP task.
Documentation and Strategic Communication
Now documentation. Committing our BCP methodology to paper provides several important benefits: it ensures that BCP personnel have a written continuity document to reference in the event of an emergency, even if senior BCP team members are not present to guide the effort; it provides a historical record of the BCP process that will be useful to future personnel seeking both to understand the reasons behind the various procedures and to implement necessary changes in the plan; and it forces the team members to commit their thoughts to paper, a process that often facilitates the identification of flaws in the plan. Having a plan on paper also allows draft documents to be distributed to individuals not on the BCP team for a sanity check.
Now the statement of importance. This reflects the criticality of the BCP to the organization’s continued viability. This document commonly takes the form of a letter to the organization’s employees stating the reason that the organization devoted significant resources to the BCP development process and requesting the cooperation of all personnel in the BCP implementation phase. The statement of priorities flows directly from the identify-priorities phase of the business impact assessment and simply involves listing the functions considered critical to continued business operations in prioritized order. The statement of organizational responsibility comes from a senior-level executive and can be incorporated into the same letter as the statement of importance. It basically echoes the sentiment that business continuity is everyone’s responsibility.
Comprehensive Guide to Business Continuity, Cybersecurity, and Data Protection Best Practices
Then a vital records program. The BCP documentation should outline a vital records program for the organization. This document states where critical business records are to be stored and the procedures for making and storing backup copies of those records. One of the biggest challenges in implementing a vital records program is often identifying the vital records. Then emergency response guidelines. These outline the organizational and individual responsibilities for immediate response to an emergency. This document provides the first employees to detect an emergency with the steps they should take to activate provisions of the BCP, along with immediate response procedures such as security and safety procedures, fire suppression procedures and notification procedures, and it includes a list of individuals who should be notified of the incident. Then maintenance. The BCP documentation, including the plan itself, must be a living document. Every organization encounters nearly constant change, and this dynamic nature ensures that the business continuity requirements will also evolve.
Now what is an advanced persistent threat (APT)? An APT is very focused and motivated to aggressively and successfully penetrate a network with a variety of different attack methods, and then to hide its presence while achieving a well-developed, multi-level foothold in the environment. The advanced aspect of this term pertains to the expansive knowledge, capabilities and skill base of the APT, and the persistent component has to do with the fact that the group of attackers is not in a hurry to launch an attack quickly but will wait for the correct opportunity. This is also referred to as a low and slow attack.
Now what is intellectual property? Intellectual property refers to creations of the mind such as inventions, literary and artistic works, designs and symbols, and names and images used in commerce. The major types of intellectual property are copyrights, trademarks, patents and trade secrets. Now what is privacy? Start with personally identifiable information (PII). These are data that can be used to uniquely identify, contact or locate a single person, or can be used with other sources to uniquely identify a single individual. PII needs to be highly protected because it is commonly used in identity theft, financial crimes and various other criminal activities. Typical components are full name, national identification numbers, IP addresses, vehicle registration plate number, driver’s license number, face, fingerprints or handwriting, and credit card numbers.
Now let’s talk about employee rights. Within a corporation, several employee privacy issues must be thought through and addressed. Monitoring must be work-related, meaning that a manager may have the right to listen in on an employee’s conversations with customers but does not have the right to listen in on personal conversations that are not work-related. Monitoring also must happen in a consistent way, such that all employees are subject to monitoring, not just one or two people. The employees must be given a document describing what type of monitoring they will be subjected to, what is considered acceptable behavior and what the consequences of not meeting those expectations are. The employees should be asked to sign this document, referred to as a waiver of reasonable expectation of privacy.
Now let’s talk about international issues. When computer crime crosses international boundaries, the complexity of such issues shoots up considerably and the chances of the criminal being brought to any court decrease. Then the Organisation for Economic Co-operation and Development (OECD). Global organizations must also follow the OECD guidelines on the protection of privacy and transborder flows of personal data, which cover collection limitation, data quality, purpose specification, use limitation, security safeguards, openness, individual participation and accountability. Now export and import controls. Governments recognize that the various computer and software technologies that drive the internet and e-commerce can be extremely powerful tools in the hands of a military force. For this reason, a complex set of regulations was developed governing the export of sensitive hardware and software products to other nations. The regulations cover the management of transborder data flows of new technologies, intellectual property and personally identifying information. Encryption technologies are a particular case: controls on exporting encryption software were even more severe, rendering it virtually impossible to export any encryption technology outside the country.
Now what is PCI DSS? This is the Payment Card Industry Data Security Standard, a set of security standards formed in 2004 by Visa, Mastercard, Discover Financial Services, JCB International and American Express. It is governed by the Payment Card Industry Security Standards Council, and the compliance scheme aims to secure credit and debit card transactions against data theft and fraud. PCI DSS has no legal authority to compel compliance. It is a requirement for any business that processes credit or debit card transactions, and PCI certification is also considered the best way to safeguard sensitive data and information, thereby helping businesses build long-lasting and trusting relationships with their customers.
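Credit card numbers appear both in the PII list above and at the heart of PCI DSS, and one of the most common ways they leak is by being written into application logs. The following is an added example, not code from the article or from the PCI Security Standards Council: it scans constructed log lines for digit runs that look like a card number (PAN), confirms each with the Luhn check that payment card numbers satisfy, and masks every detected PAN down to its last four digits before the line is stored. The log lines and the card numbers in them are constructed (the numbers are the widely published test values, not real accounts), and the length window of 13 to 19 digits is an assumption.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# and not part of a longer digit run (the look-around prevents partial matches).
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers; rejects most random digit runs
    (order ids, timestamps) that merely have a card-like length."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _strip(match_text: str) -> str:
    return re.sub(r"[ -]", "", match_text)


def find_pans(text: str):
    """Return the digit-only PANs found in text that pass the Luhn check."""
    found = []
    for m in _CANDIDATE.finditer(text):
        digits = _strip(m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask_pans(text: str) -> str:
    """Replace each detected PAN with asterisks plus its last four digits, which is
    enough for support lookups without storing the full number."""
    def _mask(m):
        digits = _strip(m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return "*" * (len(digits) - 4) + digits[-4:]
        return m.group()        # not a PAN: leave the text untouched
    return _CANDIDATE.sub(_mask, text)


# Constructed sample log lines; the card numbers are published test values.
SAMPLE_LOG = [
    "2024-03-01 12:00:01 checkout ok card=4111 1111 1111 1111 amount=19.99",
    "2024-03-01 12:00:05 checkout ok card=378282246310005 amount=250.00",
    "2024-03-01 12:00:09 order id=1234567890123456 status=shipped",
]


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(find_pans(line), "->", mask_pans(line))
```

The third line shows why the Luhn check matters: the 16-digit order id has a card-like length but fails the checksum, so it is left alone instead of being redacted. Running the masking step before a line reaches the log store is the defensive pattern; scanning existing logs with `find_pans` tells you whether PANs have already been written where they should not be.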
Asset security. Now what is information classification? Information classification is a process in which organizations assess the data they hold and the level of protection it should be given. Data classification helps ensure that data is protected in the most cost-effective manner. The classification of any asset used to store or process information, such as media, laptops, phones and paper printouts, should be as high as the classification of the most valuable data it holds. Now what are the classification criteria? Once the scheme is designed, the organization must develop the criteria it will use to decide what information goes into which classification. The parameters are: usefulness of the data, value of the data, age of the data, the level of damage that could be caused if the data were disclosed, the level of damage that could be caused if the data were modified or corrupted, any legal, regulatory or contractual responsibility to protect the data, and the lost opportunity cost that could be incurred if the data were not.
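The classification criteria listed above can be turned into a repeatable decision rule, and the rule that an asset inherits the highest classification of the data it holds falls out naturally once each data item has a level. The following is an added example, not the article’s or any particular framework’s scheme: it rates each item on the page’s criteria (value, damage on disclosure, damage on modification, legal or regulatory duty, age), derives an ordered classification level, and then classifies a laptop or printout from its contents. The four level names, the 0 to 3 rating scale, the regulatory floor and the age-based downgrade policy are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum


class Classification(IntEnum):
    """Ordered sensitivity levels; a higher value demands stronger protection.
    The names are a hypothetical scheme, not one prescribed by the page."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


@dataclass(frozen=True)
class DataItem:
    """One set of data, rated against the classification criteria (0 = none, 3 = severe)."""
    name: str
    value: int                 # value and usefulness of the data to the organization
    disclosure_damage: int     # damage if the data were disclosed
    modification_damage: int   # damage if the data were modified or corrupted
    regulated: bool            # legal, regulatory or contractual duty to protect it
    age_days: int              # age of the data


# Hypothetical policy: unregulated data drops one level once it is older than three years.
DECLASSIFY_AFTER_DAYS = 3 * 365


def classify_data(item: DataItem) -> Classification:
    """Derive a level from the criteria: the worst of the three ratings sets the level,
    a legal duty sets a floor of CONFIDENTIAL, and old unregulated data is downgraded."""
    level = max(item.value, item.disclosure_damage, item.modification_damage)
    if item.regulated:
        level = max(level, int(Classification.CONFIDENTIAL))
    elif item.age_days > DECLASSIFY_AFTER_DAYS and level > int(Classification.PUBLIC):
        level -= 1
    return Classification(min(level, int(Classification.RESTRICTED)))


def classify_asset(items) -> Classification:
    """An asset (laptop, phone, media, printout) is classified as high as the most
    sensitive data it stores or processes; an empty asset is PUBLIC."""
    if not items:
        return Classification.PUBLIC
    return max(classify_data(item) for item in items)


# Constructed sample data items; ratings are illustrative only.
SAMPLE_ITEMS = [
    DataItem("Marketing brochure", value=1, disclosure_damage=0, modification_damage=1,
             regulated=False, age_days=100),
    DataItem("Customer PII export", value=2, disclosure_damage=3, modification_damage=2,
             regulated=True, age_days=30),
    DataItem("Old project plan", value=2, disclosure_damage=2, modification_damage=1,
             regulated=False, age_days=2000),
]


if __name__ == "__main__":
    for item in SAMPLE_ITEMS:
        print(f"{item.name:22s} -> {classify_data(item).name}")
    print("Laptop with brochure + PII export ->", classify_asset(SAMPLE_ITEMS[:2]).name)
    print("Printout of brochure + old plan  ->", classify_asset([SAMPLE_ITEMS[0], SAMPLE_ITEMS[2]]).name)
```

The point of the asset rule is the laptop case: a device carrying one marketing file and one PII export is handled as RESTRICTED, whatever else it holds, because the most valuable data on it decides the controls it needs.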
As engineers, we tend to focus on systems, infrastructure, and technical performance, but in today’s digital landscape, ignoring the legal and cybersecurity side of operations is no longer an option. One data breach, one compliance failure, and an entire project, or company, can come to a halt. Criminal law and cybersecurity compliance aren’t just legal checkboxes; they directly shape how resilient and trustworthy our systems are. Business continuity now depends on how well we engineer for security, build with regulation in mind, and anticipate where vulnerabilities, both technical and legal, can surface. For engineers working in this digital age, the real challenge is designing not just for performance, but for protection, accountability, and long-term operational survival. That’s where our value, and responsibility, has evolved.