
The following is the third excerpt from my Norwich MSIA Seminar 4 final paper, in which I speculate on how IA will evolve.
I would love to hear what you think, so leave a comment and let me know how you think things will turn out.
Security Policies and Laws
Security policies lay the foundation for any security program. ISO 27002 has the following objectives related to security policies (Praxiom Research):
1. Establish a comprehensive information security policy.
2. Make sure that your information security policy provides clear direction for your information security program.
3. Make sure that your information security policy shows that your management is committed to information security.
4. Make sure that your management supports your organization’s information security policy.
5. Make sure that your information security policy shows that your management is prepared to support an ongoing commitment to information security.
6. Make sure that your information security policy is consistent with your business objectives.
7. Make sure that your information security policy meets your organization’s business requirements.
8. Make sure that your information security policy complies with all relevant laws and regulations.
If a company’s security policies meet these objectives, the idea is that they line up with the business, with management, and with the laws and regulations to which the business is subject.
Having policies is good, but policies are worthless if only a few people are aware of them. Therefore, an awareness program is just as important as writing the policies themselves. Bruce Schneier suggests this method for creating awareness: “The risks of not following security procedures are much less real. Maybe the employee will get caught, but probably not. And even if he does get caught, the penalties aren’t serious. Given this accurate risk analysis, any rational employee will regularly circumvent security to get his or her job done. That’s what the company rewards, and that’s what the company actually wants. ‘Fire someone who breaks security procedure, quickly and publicly,’ I suggested to the presenter. ‘That’ll increase security awareness faster than any of your posters or lectures or newsletters.’ If the risks are real, people will get it.”
The number of laws and regulations governing business has grown significantly in the past decade. The chart below lists some important laws and regulations related to IA (Cobb 6). In addition to these laws, 43 states plus the District of Columbia have data breach laws. These laws and regulations were written in response to acts of fraud and an epidemic of data breaches.

Censorship and Privacy in the Workplace
Many companies have policies that define the proper use of company computing assets and electronic communications. The purpose of such policies is to protect the company’s data and reputation and to avoid a hostile workplace. Companies monitor electronic communication in an attempt to enforce these policies. As with the security policies, awareness is the key to the effectiveness of these policies.
The Berkman Center for Internet and Society at the Harvard Law School cautions, “…policies regarding proper use of technology in the workplace, and the means that will be used to monitor such use, are highly recommended. Experts recommend that the notice be as specific as possible by including what types of monitoring will be used, how frequently monitoring will occur, and what purpose the employer hopes to accomplish through the monitoring. With an express privacy policy, an employee’s expectation of privacy is avoided at least as courts have currently interpreted the law. Employment lawyers suggest that the policy be disseminated to all employees and agreed to by them, as well.”
The Future of Security Policies and Laws
A recent example of new laws is the American Recovery and Reinvestment Act of 2009, which establishes nearly $1.2 billion in grants to help hospitals with the transition to electronic health records. As part of this act, Congress passed two laws to help ensure security. SC Magazine’s online version reported, “An interim final rule, issued Wednesday by the U.S. Department of Health and Human Services (HHS), requires health care organizations subject to Health Insurance Portability and Accountability Act (HIPAA) regulations to notify individuals whose information has been breached, when the breach affects more than 500 individuals. Breaches affecting fewer than 500 individuals must be reported to the HHS annually.
The rule also applies to business associates of health care organizations.
“This new federal law ensures that covered entities and business associates are accountable to the Department and to individuals for proper safeguarding of the private information entrusted to their care,” Robinsue Frohboese, acting director and principal deputy director of the HHS Office for Civil Rights, said in a statement. “These protections will be a cornerstone of maintaining consumer trust as we move forward with meaningful use of electronic health records and electronic exchange of health information.”
A similar final rule issued by the Federal Trade Commission this week requires web-based businesses that collect consumers’ health information, including vendors and online applications that interact with PHRs, to issue notifications if a breach occurs.”
Notice that the intent of the HHS rule is to maintain “consumer trust” as medical records are converted from paper to electronic format.
Considering the consequences for violating laws and regulations, policies will probably carry more weight than they do today, but awareness programs will probably be more sophisticated than simply firing people who violate policies. The penalty for violating security policies will have to be real when trust becomes a competitive advantage.
Next time: Risk Analysis and Risk Management, DRP & BCP
Bibliography
Cobb, Stephen. (2006). Sox, SoDC, HIPAA & GLB: Recent Developments in Management Responsibilities & Liabilities for IA Practitioners.
“ISO 27002 (17799) Information Security Control Objectives”. Praxiom Research Group. 8/5/2009 <http://www.praxiom.com/iso-17799-objectives.htm>.
“Privacy in the Workplace”. Berkman Center for Internet & Society. 8/1/2009 <http://cyber.law.harvard.edu/privacy/Module3_Intronew.html>.
Moscaritolo, Angela. “Healthcare Breach Notification Mandated”. SC Magazine. 8/21/2009 <http://www.scmagazineus.com/Health-care-breach-notification-mandated/article/146976/>.