When links between national and international arenas are considered, international developments have decisively impacted national laws. Specifically, regional coalitions have enacted IAP-related edicts that subsequently were codified in national laws and regulations. Procedurally, most regional coalition IAP decrees are presented as directives to member nations for federal ratification. For this reason, with the assistance of legal counsel, it is strongly recommended that information security managers evaluate all relevant statutory and regulatory mandates in whatever jurisdictions the entity operates. Beneficially, assessing multiple legal compliance requirements together enables entity-centric standard practices that also satisfy other expected behavior. Exercises in legal due care can also equip an entity to build a compliance culture where standardization is the norm, and conditionally produce an environment conducive to training employees in IAP.
Apgar, Chris. “Complying with multiple regulations and contending with conflicts.” Search400.com, September 6, 2005. http://search400.techtarget.com/tip/0,289483,sid3_gci1122854,00.html (accessed April 21, 2008).
Gelbstein, Ed and Jovan Kurbalija. Internet Governance: Issues, Actors and Divides. Geneva: DiploFoundation and Global Knowledge Partnership, 2005. http://textus.diplomacy.edu/textusbin/env/scripts/Pool/GetBin.asp?IDPool=641 (accessed April 21, 2008).
There are numerous global, regional, and national laws and regulations focusing on IAP that require professional consideration. In particular, at the global level, the World Intellectual Property Organisation (WIPO) and World Trade Organization (WTO) have constructed legally binding derivative IAP agreements. Regionally, trans-border coalitions adopting or enacting IAP-related laws include the Asia-Pacific Economic Co-operation (APEC), Council of Europe (COE), E.U., Organization of American States (OAS), and Organization for Economic Cooperation and Development (OECD). Lastly, the U.K. Computer Misuse Act of 1990, the U.S. Digital Millennium Copyright Act (DMCA) of 1998, the Trinidad and Tobago Act No. 86 of 2000, the U.S. Federal Information Security Management Act (FISMA) of 2002, as well as the Japanese Financial Instruments and Exchange Law (J-SOX) of 2006 are clear examples of IAP national legislation that can affect an entity’s control framework.
Generally, determining an entity’s legal mandates exceeds the security function’s ambit. Nonetheless, overseeing the composition, implementation, and evaluation of legally required controls is an occupational security imperative. To reduce potential negative effects of cross-compliance as well as multiple-compliance, management should seek assurance that relevant statutory, regulatory, and contractual requirements are adequately defined and documented for each information system. As suggested in Enterprise Security: The Struggle to Manage Security Compliance for Multiple Regulations, although SOX, HIPAA, GLBA, and PIPEDA are prominent managerial legal topics, these are not the only mandates compelling entities to demonstrate compliance.
Commission on Guidelines. Information Asset Protection Guideline. Alexandria, VA: ASIS International, 2007. http://www.asisonline.org/guidelines/guidelinesinfoassetsfinal.pdf (accessed April 21, 2008).
Hurley, Jim. Enterprise Security: The Struggle to Manage Security Compliance for Multiple Regulations. Cupertino, CA: Symantec Corporation, 2004.
Regulatory agencies are generally designed to operate with minimum executive or legislative supervision. Theoretically, a commission of experts is more suitable for regulating an industry’s activities than legislative or executive oversight committees. Usually, regulatory agencies are empowered with executive, legislative, and judicial functions, and their regulations have the force of law.
Simultaneous compliance with multiple legal mandates can create unique challenges for most entities. Selectively, potential compliance hurdles include distinct internal management groups pursuing equivalent goals; diverse audit perspectives, priorities, and requirements; as well as confusion resulting from redundant controls. For instance, cross-compliance with the Foreign Corrupt Practices Act (FCPA), Sarbanes-Oxley Act (SOX), Health Insurance Portability and Accountability Act (HIPAA), and Gramm-Leach-Bliley Act (GLBA) may generate muddled responses regarding the importance of certain security controls for a U.S.-based, publicly held corporate conglomerate.
Categorically, security implies protection while privacy implies confidentiality. Laws and regulations have been enacted throughout the world addressing either or both areas as well as intellectual property and contracts. Compliance with laws and regulations is considered essential to avoid legal prosecution risks that may impose various penalties and fines if an employee or organizational formation is convicted of breaching proclaimed unacceptable behavior. For most entities, this means systematizing standard practices that cover the regulatory spectrum and decreasing legal compliance complexity.
Davis, Robert E. IT Auditing: An Adaptive Process. Mission Viejo, CA: Pleier Corporation, 2005. CD-ROM.
Ross, Ron, Stu Katzke, Arnold Johnson, Marianne Swanson, Rogers George, and Gary Stoneburner. NIST Special Publication 800-53: Recommended Security Controls for Federal Information Systems. Rev. ed. Washington, DC: Government Printing Office, 2007. http://csrc.nist.gov/publications/nistpubs/800-53-Rev2/sp800-53-rev2-final.pdf (accessed April 21, 2008).
An entity’s management should have, and in several countries does have, a legal responsibility to implement an adequate internal control system for preventing, detecting, and conditionally correcting errors, mistakes, omissions, irregularities, and illegal acts. Similar to the legal requirement for maintaining a ‘system of internal accounting controls,’ some technology-related laws and regulations only address the system of privacy controls for specific information assets, thereby leaving other information security control systems at management’s discretion.
Davis, Robert E. IT Auditing: Irregular and Illegal Acts. Mission Viejo, CA: Pleier Corporation, 2006. CD-ROM.
IT safeguarding has generated considerable debate within the audit and management communities since the deployment of computers for performing transaction processing. Specifically, the merits of IT auditor involvement in financial statement audits and management’s fiduciary ISG responsibilities have consistently created abstraction polarity when government-enacted legal mandates impacting entity-centric financial control requirements are the issue for positively asserting design and/or operational effectiveness.
IT controls should be immersed throughout an entity’s adopted ISG framework. Descriptively, structural IT control envelops all the means utilized by an entity to direct, restrain, govern and monitor its various activities. Therefore, designing IAP IT control objectives reflecting compliance with laws and regulations should be a generally accepted management responsibility. Furthermore, leveraging technology controls to support ISG compliance should also be an accepted management practice.
Considering fiduciary tenets, and accepting that ISG utilizes a top-down approach for legal requirements compliance, if the entity’s executive management has an established or enforceable fiduciary duty, then organizational personnel are expected to adhere to and sustain the defined obligation. Consequently, employees are primarily controlled through policies and procedures that support compliance with laws and regulations. Employees that value compliance usually hold honesty and integrity as desirable personal traits or fear noncompliance repercussions. However, if an entity’s culture continually encourages or accepts objectives achievement over ethical behavior, eventually legal dilemmas ensue that can damage reputations as well as create financial losses. Therefore, an entity’s management should implement technology-related control self-assessment procedures that assure adherence to legal obligations.
Information Security Governance (ISG) normally addresses creating and implementing a ‘system of security controls’ that enables fulfillment of ethical and/or legal managerial responsibilities for information assets protection (IAP). Ethically, management must protect an entity’s information assets from potential external and internal threats that may compromise confidentiality, integrity, and availability (C-I-A) in order to preserve organization, presentation, and utilization value. Legally, within an entity’s information security control system, explicitly or implicitly, management as a fiduciary agent is responsible and accountable for deploying the controls mandated by laws and regulations that prevent, deter, detect, and/or correct privacy breaches. Furthermore, laws and regulations may also mandate that C-I-A requirements be implemented within an entity, with managerial fiduciary responsibilities and accountabilities.
Brotby, Krag W. Information Security Governance: Guidance for Boards of Directors and Executive Management. 2nd ed. Rolling Meadows, IL: IT Governance Institute, 2006. http://www.isaca.org/ContentManagement/ContentDisplay.cfm?ContentID=34997 (accessed April 21, 2008).
IT policies, directives, standards, procedures, and rules should be deployed based on assessed effectiveness and efficiency in addressing management’s risk appetite. Deployed controlling and monitoring activities should reflect management’s strategy for ensuring an adequate IT control system. IT control policies and directives can be considered high-level governance documentation, while standards, procedures, and rules can be considered detail-level governance documentation. Normally, oversight committees and executive management utilize high-level governance documents to provide general control direction. Lower-level management then converts high-level governance documents into detail-level IT governance documents that assist in ensuring control objective achievement. Developing and implementing IT governance design effectiveness and efficiency can be a multidirectional, interactive, iterative, and adaptive process.
Davis, Robert E. Assuring IT Governance. 2011. http://www.amazon.com/Assuring-Governance-Assurance-Services-ebook/dp/B0058P58E0 and http://www.smashwords.com/books/view/70359.
Davis, Robert E. IT Auditing: IT Governance. Mission Viejo, CA: Pleier Corporation, 2006. CD-ROM.