Information Security Management: Legal Regulations Essay
Rapid technological advancement and globalization have created new challenges for organizational information security management. The volume of data collected and shared across various media has increased drastically. Moreover, new technologies allow public and private enterprises and institutions to process private information at a larger scale than ever before in pursuit of their own goals. These developmental trends are connected with major risks of confidential data breaches that may violate a natural person’s right to the protection of personal data. Multiple national and international regulations and standards have been created to address this issue. All organizations are expected to follow laws requiring them to ensure a sufficient level of data protection, enacted at both the state and national levels, and to follow the recommendations outlined in international managerial guidelines and standards. Considering this, the present paper aims to evaluate the importance of the regulatory aspect of organizational information protection efforts and to identify the extent to which it may facilitate or hinder the work of security managers. To achieve these objectives, a review of state, national, and international regulations and standards, along with recent literature findings, will be performed.
Levels of Information Security Management
Data security measures can be divided into three major levels: legal, organizational, and technological. It is possible to say that regulations form the foundation of data protection: they ensure compliance with state standards in the field of information protection and include such elements as copyright, decrees, patents, and job descriptions. It is valid to say that a well-built security system, which considers all relevant laws and policies, will not violate user rights and data processing standards. Thus, the significant effect of the legal element of data protection management on organizational-level procedures cannot be underestimated. National laws and standards directly affect the formulation of rules for confidential information processing, staff recruitment, the overall use of documentation and data carriers, the design of access control protocols, etc. within a company. In their turn, these organizational information protection practices are realized at the technological level of security management through programs, cryptographic protocols, and so forth.
U.S. Laws on Protection of Personal Data
Many companies nowadays deal with the personal information of their customers and employees. Overall, personal data can be defined as any information directly or indirectly linked to an individual data subject, i.e., a person who shared this information with an organization or another individual (i.e., data controllers). Organizations are obliged to follow certain rules related to secure data processing to reduce possible harm to individual identity, financial status, and so forth. However, at the present moment in the United States, no comprehensive federal laws regulate personal data processing. The majority of the active national laws, such as the Federal Trade Commission Act, the Health Insurance Portability and Accountability Act, the Financial Services Modernization Act, and others, apply to certain types of data and spheres, e.g., medical, financial, personal data in telemarketing, and so forth.
Based on the observations provided above, it is possible to say that the application of different national laws and standards to organizational operations in terms of data storage and processing depends to a certain extent on the type of information used by a business, its sphere of activity, etc. In some instances, security managers and personnel in general have to follow stricter and more specialized rules. For example, in governmental organizations, a small number of employees may deal with classified data related to the field of national security, e.g., information on measures against terrorism.
Safeguarding of classified information is guided by Executive Order 12958, which outlines specific procedures that an organization should follow, including the determination of authorized personnel, the establishment of uniform protocols for the prevention of unauthorized access, the updating of automatic distribution mechanisms, and sanctions imposed in the event that inefficient security measures are identified (U.S. National Archives and Records Administration 2016). Overall, the regulation guides the organization in arranging data security protection in a manner that avoids causing harm to relevant stakeholders through inappropriate handling of information; when speaking of classified governmental information, the stakeholder group can include the nation as a whole. At the same time, explicitly open organizations may face no security risks since they store and process only highly accessible mass information. Nevertheless, in the vast majority of contexts, illegal access is associated with multiple risks.
At the same time, some state laws address the problem of data security with greater scrutiny than the federal ones. A number of them are reactive. For example, California Civil Code §1798.82 requires owners of electronic confidential data to disclose any breach of its security to individuals whose computerized personal information was acquired by an unauthorized person (Jolly 2017). Also, a limited number of active state regulations can be prescriptive and preventive, e.g., the Massachusetts Regulation (201 CMR 17.00): a comprehensive law outlining a detailed set of administrative procedures and technical security protocols aimed at avoiding security breaches (Jolly 2017). It is possible to say that, compared to reactive, fragmented, and industry-specific regulations, such comprehensive preventive laws assist security managers far better in developing organizational information protection architectures and describing information security programs, because they guide them through these procedures.
Security Threats and Regulatory Capacity to Tackle Them
Generally, the laws on data privacy require organizations that have access to personal data not to disclose it to third parties without the consent of the individual data subject. This means that any operator of personal data must ensure a sufficient degree of security and confidentiality. Overall, to apply the best data protection measures, security managers should not only assess threats to information security but also evaluate possible damages beforehand. This recommendation is included in a variety of international standards for data protection, e.g., ISO/IEC 27002:2013. This means that the organization must identify what to protect, what types of threats (external or internal) it faces, and what methods can be considered the most effective in mitigating those threats.
First of all, to guarantee the security and confidentiality of information, it is necessary to determine what types of media are used to process it, and what level of access (open or closed) is associated with those media. The types of data carriers can be as follows: print media, electronic and web-based sources, corporate telecommunications equipment, documents, software, and so forth. Distinct types of data carriers are associated with different types of security threats to the confidentiality and integrity of personal and organizational information. Secondly, security managers should consider distinct types of confidential data, which may include either technical information (e.g., passwords and usernames) or subject information (i.e., the actual information susceptible to security threats). The protection of technical information can be especially challenging in the context of growing data synchronization, where employees request access to data on multiple devices (Mallery 2013). Additionally, Mallery (2013) states that the trend towards storing and sharing data online, in cloud-based and similar commercial services, raises some additional privacy and confidentiality issues because, in this case, a company provides access to an almost unlimited amount of data to third parties, i.e., providers.
It is worth noting that even when information is stored in a computer or designed for computer use, threats to its confidentiality can be non-technical. One such threat, which is often difficult to defend against, is related to the abuse of authority. For example, within multiple security systems, a privileged user (e.g., a system administrator) can read any (unencrypted) file, access the mail of any user, etc. Additionally, service engineers usually get unlimited access to the equipment and are capable of bypassing the software protection mechanisms.
It is possible to say that the U.S. federal and state breach notification laws do not significantly help companies mitigate the mentioned information security risks because they primarily aim to alleviate the adverse consequences of breaches after the fact. A significant problem is that active U.S. preventive and reactive regulations do not apply to all industries and states. Moreover, as noted by Guffin (2012), the lack of comprehensive and unified regulation of information security issues often results in a situation where different (and frequently conflicting) federal and state regulations can relate to the same legal incidents. Such overlaps may significantly complicate organizational compliance with the laws.
At the same time, it is implied that noncompliance with legal regulations and laws on data protection entails threats to information security, which, in turn, can result in multiple adverse consequences for both data subjects and data controllers, including the imposition of various punitive actions and sanctions. Additionally, security managers in organizations can refer to national and international standards and guidelines, such as “Start with Security: A Guide for Business” by the Federal Trade Commission, as well as the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) standards. Such documents usually comprise a list of best security practices, both administrative and technical. However, compliance with them does not exempt companies from legal obligations.
Although it is not mandatory for enterprises to follow the standards, referring to them may provide multiple benefits. First of all, standards and managerial specifications are developed on the basis of accumulated experience and knowledge, primarily related to the procedural and program-technical levels of information security. Such documents list approved, high-quality solutions and methodologies formulated by the most qualified specialists. Secondly, in comparison to laws, standards such as ISO/IEC 27002:2013 aim to reconcile different points of view, including the perspectives of both data controllers and data subjects. Thus, standards may provide security managers with information regarding effective mechanisms for productive and beneficial interaction among all involved parties.
As mentioned above, the availability of a comprehensive law on information protection across multiple industries and organizations can largely facilitate the establishment of corporate information security systems. The General Data Protection Regulation enacted in the European Union in 2016 is a clear example of such unified legislation. Not only does this law aim to ensure the protection of natural persons’ rights concerning the processing of personal data by data controllers, but it also provides a detailed set of procedures that the latter must implement to maintain a consistent level of protection of data subjects’ freedoms and rights, and sets the criteria for demonstrating compliance with the regulation. For instance, the regulation states that “the controller should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default,” including the measures of “minimising the processing of personal data, … transparency with regard to the functions and processing of personal data, enabling the data subject to monitor the data processing, enabling the controller to create and improve security features,” etc. (European Commission 2016, p. L119/15). However, the regulation offers a generalized orientation to follow, which gives organizations an opportunity to choose an appropriate approach to security protection, based on their overall strategic goals and objectives.
The Role of Administrative Measures and Their Links to Laws
The way available regulations are implemented at the administrative level within an organization is paramount to information security. Nevertheless, the discussed state, national, and international regulations do not dictate precisely which practices to use. Thus, security managers can employ a creative and innovative approach to performing organizational security management activities and to the development and planning of architecture and solutions. The only requirement is to ensure that the applied information protection practices do not contradict relevant laws and meet quality and efficiency requirements.
According to Holtfreter and Harrington (2016), the number of data breaches due to external factors, including theft, hacking, or loss by people who are not related to the organization, prevails nowadays and equals nearly 70 percent of all data breach cases. However, employees’ actions and misconduct have greater significance in this regard and are associated with far more important implications for organizations than the actions performed by third parties. The internal factors behind data breaches include improper protection of data, theft or hacking by employees with a high or a low probability of fraudulent intent, and unintentional loss of data (Holtfreter & Harrington 2016). To address the problem of both internal and external unauthorized access to confidential data, security managers must employ a set of organizational-regulatory and technical measures to improve security and minimize threats to confidential information.
Detailed recommendations regarding organizational security solutions can be found in international standards. The ISO and the IEC (2017) suggest starting with the allocation of responsibilities and the imposition of access restrictions, and developing policies concerning the use of mobile devices and teleworking practices, covering such measures as cryptographic techniques, requirements for physical protection, malware protection, etc. The ISO and the IEC (2017) also recommend implementing such human resource practices as screening prior to recruitment, confirmation of qualifications, and so forth. Overall, it is implied that employees’ awareness of their assigned duties and responsibilities regarding data security is the key to effective data protection. Thus, the organization must ensure that a person authorized to access confidential information is competent enough. Moreover, it is important to eliminate possible conflicting areas of responsibility in order to reduce the risks of intentional and unintentional misuse. Furthermore, Chander, Jain, and Shankar (2013) note that the ethical norms and rules adopted by an organization can contribute to better information security protection. Such norms may not be as obligatory as legal regulations. However, failure to promote compliance with them can result in inappropriate and harmful employee behaviors.
Generally, comprehensive data protection acts and standards, such as the General Data Protection Regulation and ISO/IEC 27002:2013, outline managerial rules reflecting such principles as system complexity, reliability, and continuity. They emphasize the importance of considering all possible threats to various stakeholders and selecting appropriate methods and interrelated processes, both technical and non-technical, that can be included in a comprehensive information protection system. The regulations also make it clear that a high standard for data security management should be applied equally to every area of data protection. Lastly, these regulations require security systems to work continuously, meaning that managers should keep up with technological advancements, update the security system regularly, and promptly inform the personnel about changes that have occurred. Consideration of the given principles, legal norms, and standards can help security managers increase the efficiency of information security strategies in their organizations.
Overall, information security implies the implementation of legal, administrative, and technical measures aimed at ensuring the protection of sensitive information from unauthorized access, modification, deletion, dissemination, etc.; at maintaining the confidentiality of sensitive data; and at the realization of the rights of subjects and responsible controllers to access those data. The conducted analysis of state, national, and international laws on information security across industries reveals that, to a varying degree, they address such issues as the prevention of personal data misuse; the timely detection of unauthorized access incidents, as well as the mitigation of their adverse consequences; the determination of sanctions for data breaches; and continual control over the information security system and its functioning.
The analysis also revealed that in the United States, there is currently no comprehensive and unified federal law aimed at safeguarding the rights of natural persons to the safe processing of personal data and at regulating organizational efforts in data protection across industries and sectors. Most of the legal regulations related to data security specialize in particular areas, such as federal information system security, healthcare, finance, commerce, and telecommunications. At the same time, several state laws address the problem to a varying extent, focusing mainly on breach notification requirements. It can be suggested that the development of a comprehensive document comprising both preventive and reactive regulations may provide a substantial basis for the establishment of sound information security systems in organizations of different types and would allow eliminating possible controversies due to overlaps in federal and state laws.
As for security protection standards, they are usually associated with greater practical utility compared to laws because they summarize high-quality, credible recommendations formulated by experts in the field of security management. In most cases, the use of standards and guidelines in practice is not obligatory, yet it can help security managers develop more efficient data protection strategies and architectures and, in this way, may allow them to protect organizational interests better. Security managers may also use professional recommendations and guidelines to develop a unique information protection framework that would support the fulfillment of specific corporate goals and would suit the overall strategic orientation of the company more effectively. Thus, it is valid to conclude that standards, as well as legal regulations, largely support the work of security management teams.
Chander, M, Jain, SK & Shankar, R 2013, ‘Modeling of information security management parameters in Indian organizations using ISM and MICMAC approach’, Journal of Modelling in Management, vol. 8, no. 2, pp. 171-189.
European Commission 2016, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, Web.
Holtfreter, R & Harrington, A 2016, ‘Employees are the weakest links, part 1: data breaches and untrained workers’, Fraud Magazine, Web.
International Organization for Standardization & International Electrotechnical Commission 2017, Information technology - security techniques - code of practice for information security controls, Web.
Jolly, I 2017, Data protection in the United States: overview, Web.
Mallery, J 2013, ‘Building a secure organization’, in JR Vacca (ed), Computer and information security handbook, Syngress, Amsterdam, Netherlands, pp. 3-24.
U.S. National Archives and Records Administration 2016, Basic laws and authorities, Web.