Previously discussed topics:
1. Cyber Security Landscape in Sri Lanka
2. Overview of the National Information and Cyber Security Strategy

The second pillar of the strategy:
Thrust # 2: Legislation, Policies, and Standards

Our Strategy
The number of reported incidents involving cybercrimes against individuals and organizations in Sri Lanka is increasing day by day. These include cybercrimes against individuals such as credit card fraud and revenge porn; crimes against property such as worm attacks, hacking, and intellectual property theft; and crimes against governmental and other organizations such as cyber terrorism, hacking of websites, processing of unauthorized information, and hacking into sensitive financial data. To battle cybercrimes against individuals and organizations effectively, it is necessary to formulate and enact appropriate legislation, policies, and standards that ensure the protection of sensitive data, digital transactions, electronic communications, privacy, and freedom of expression in cyberspace.
The government of Sri Lanka has taken a number of steps in this regard, such as the introduction of the government security policy (2009) based on ISO 27000 and a data sharing policy, and the enactment of relevant legislation such as the Electronic Transactions Act No. 19 of 2006, the Payment Devices Frauds Act No. 30 of 2006, the Intellectual Property Rights Acts, and the Computer Crimes Act No. 24 of 2007. Sri Lanka ratified the Budapest Convention on Cybercrime in 2015 and became the first country in South Asia to join this convention. Moreover, a Computer Crimes Division was established in the Criminal Investigation Department of Sri Lanka Police in line with the enactment of the Computer Crimes Act.
To further strengthen our regulatory framework to effectively battle emerging cybercrimes, gaps in the existing policies and laws will be identified, and new legislation, policies, and standards will be drafted and implemented to create a secure cyberspace for individuals and organizations.


Our Initiatives
2.1. Introduce a New Cyber Security Act
2.1.1. The government will introduce a new Cybersecurity Act for the establishment of the NICSA and for equipping the agency with the necessary powers to effectively address increasingly sophisticated threats to the nation. The existing Computer Crimes Act of 2007 is inadequate for addressing modern-day cybercrimes.
2.2. Data Protection and Privacy Laws, and Data Sharing Policy
2.2.1. Currently, the number of cases involving the theft of customer data is on the rise. However, Sri Lanka lacks appropriate laws to protect customer data. We will, therefore, introduce a data privacy and protection law which governs the collection, use, and disclosure of citizens' personal data by government and private sector organizations.
2.2.2. Through this act, we will ensure that all government organizations and private sector firms which maintain citizens' data have adequate security controls in place, and we will make them liable for privacy violations.
2.2.3. We will also introduce a data sharing policy for government organizations.
2.3. Baseline Security Standards
We will facilitate the Sri Lanka Standards Institute to develop baseline information and cyber security standards for information systems, hardware, and software applications.
2.4. Critical Infrastructure Protection Policy
We will introduce a Critical Infrastructure Protection Policy which will identify and declare infrastructure as critical infrastructure and provide the measures necessary for protecting, safeguarding, and increasing the resilience of critical infrastructure.
2.5. Information Security Policy
We will facilitate organizations to develop security policies based on the maturity of their information systems. The information security policy of each organization shall be developed in alignment with international standards.
To be continued.....

Invitation to Public Comments on Cyber Security Strategy. Please add your thoughts here:

By:
Dr. Kanishka Karunasena,
Research and Policy Development Specialist, Sri Lanka CERT|CC