CHAPTER 7


Current Practices, Regulations, and Plans for Information Assurance Strategy


This chapter draws an overall picture of how an information assurance strategy and its operations fit within the environment of the organization, and how the strategy implements existing laws and legislation. The chapter provides an overview of selected local and international legislation on information assurance. In addition, it gives an overview of some of the more common information assurance best practices and standards available to business and industry.

Understanding these regulations and standards is crucial because this is the source of security requirements.

Due Care and Due Diligence


The concepts of due care and due diligence are often discussed when evaluating the need for appropriate information assurance controls and risk management. Many areas of law, such as U.S. federal sentencing guidelines (criminal) and tort law (civil), rely on the concepts of due care and due diligence to determine negligence, intent, and severity of damages. Additionally, several safe harbor exceptions to laws require the safe harbor applicant to prove due care and due diligence to a certain standard or test.

Due Care

As adapted from U.S. NIST, due care can be defined as the duty that managers and their organizations have to provide for information assurance, ensuring that the type of control, the cost of control, and the deployment of control are appropriate for the system being managed.

Due Diligence

Due diligence consists of the continuous activities an organization undertakes to ensure that the efforts established under due care are effective and operating as intended. It is imperative that organizations are aware of the implications of the different types of laws around the world. Laws in most jurisdictions follow similar patterns; the bottommost layer consists of the following laws:

      • Criminal laws help identify and prosecute crimes arising from abuses in the use of IT and the Internet. The law defines the crimes, assigns punitive actions for each crime, and identifies the party with the jurisdiction to handle the abuses and enforce punishments.

      • Electronic transactions law provides a legal framework for the successful control and regulation of electronic transactions at both local and international levels.

      • Intellectual property laws are the laws that economies and countries enact to protect computer systems, software, and their contents. Intellectual property is an important right in modern societies.

Specific Laws and Regulations

It is important to understand the relevant legislation and regulations applicable to the organization. They form an important part of the security requirements for establishing protection strategies. They encourage the organization to establish policies and procedures ensuring compliance. This section provides an overview of legislation and regulations supporting information assurance. The summary includes sample legislation and regulations from other countries and regions.

Computer Laws

In the United States, computer laws fall generally into three major categories: criminal, administrative, and civil. Although in specific country laws these may be framed differently, it is important to understand the general principles used worldwide.

      • Criminal law

          • Describes the violation of government laws enacted to protect the public. (Criminal law is one of the most established laws in the world.)

          • Deals with crime and how criminal acts are handled. Under this law, punishment comes in the form of a jail sentence, a fine, or other penalties to the offender.

      • Administrative law

          • This law is sometimes called regulatory law.

          • It is created with the primary objective of setting standards of performance and conduct for organizations.

          • Violations of this law may result in imprisonment or financial penalties if it is incorporated into a penal law and the violation is described as a crime.

      • Civil law

          • One form of this law is known as a tort law, and it deals with the administration of a civil society (property and commercial).

          • There is usually no jail sentence for violations, but there is a financial penalty (compensatory damages, punitive damages, and statutory damages).

Intellectual Property Law

The importance of intellectual property law to the profession of information assurance is obvious since it is directly related to ideas or information. It is concerned with how a company protects what it owns and describes remedies if this law is violated. The protection of intellectual property depends on the type of resource protected. Even where the laws in specific countries are different, understanding the terminology is important. Examples of intellectual property are as follows:

      • Patents

          • A patent grants legal ownership of an invention to an individual or organization.

          • The inventor applies formally for a patent, after which ownership, development, and use of the design is limited to the patent holder for a specific period.

          • A patent holder may grant a license to others to use the design information typically for a certain amount.

      • Trademarks

          • A trademark is any distinguishing name, symbol, logo, sound, or character that establishes identity for an organization, product, or service.

          • A trademark can be registered and filed in the appropriate jurisdiction.

      • Trade secrets

          • A trade secret is proprietary information important for its owner’s economic survival and profitability. It requires special skill, ingenuity, expense, and effort to develop and defend proprietary information.

          • Owners of trade secrets should take reasonable steps to protect the information.

      • Copyrights

          • A copyright protects the expression of ideas as opposed to the protection of ideas (as for patents).

          • It does not require the author to file for copyright protection because the law comes into effect as soon as the idea is expressed in a tangible form.

Privacy Laws

The principles addressed in privacy and data protection laws of many economies have these four items in common:

      • The collection of data should be by lawful means and with the consent of the owner or of the authorized regulatory body. Organizations must always check existing laws to determine whether such activity is allowed.

      • Data should be accurate, complete, and kept up to date.

      • Data should be reasonably protected from possible security breaches.

      • Individuals have the right to make corrections to data and to make necessary amendments.

Specific implementations may contain more detail. For example, the Organization for Economic Co-operation and Development (OECD) specifies the principles covered in the following sections (www.oecd.org/internet/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm#part2).

Collection Limitation Principle

There should be limits to the collection of personal data. Data should be obtained by lawful and fair means and with the knowledge or consent of the data subject, where appropriate.

Data Quality Principle

Personal data should be relevant to the purposes for which it is to be used. To the extent necessary for those purposes, it should be accurate, complete, and kept up to date.

Purpose Specification Principle

Personal data should be collected for purposes specified not later than at the time of data collection. Subsequent use is limited to the fulfillment of the stated purposes. If the data are used after this time for a purpose not stated at the time of collection, then that use must be specified on each occasion.

Use Limitation Principle

Personal data should not be disclosed, made available, or otherwise used for purposes other than those specified in accordance with these principles except with the consent of the data subject or by the authority of law.

Security Safeguards Principle

Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification, or disclosure of data.

Openness Principle

There should be a general policy of openness about developments, practices, and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data and the main purposes of their use, as well as the identity and usual residence of the data controller.

Individual Participation Principle

An individual should have the right to do the following:

      • Obtain from a data controller, or otherwise, confirmation of whether the data controller has data relating to the individual

      • Have the data communicated to the individual within a reasonable time; at a charge, if any, that is not excessive; in a reasonable manner; and in a form that is readily intelligible

      • Be given reasons if a request made based on the prior two points is denied and be able to challenge such denial

      • Challenge data relating to the individual and, if the challenge is successful, have the data erased, rectified, completed, or amended

Accountability Principle

A data controller should be accountable for complying with measures that give effect to the principles stated previously.

Different economies have different privacy and data protection laws. For multinational organizations, this can be a challenge because of transborder data flows. Differing rules on transborder data flows may be a barrier to the free flow of personal information, since what content is acceptable varies from one country to another. The organization should investigate the applicable privacy and data protection laws before deciding how to manage the flow of personal information.

With developments in international politics and security, it has become the norm for authorities in some countries to monitor personal information. In some organizations, newly recruited employees sign documents allowing management to monitor the information they handle, including personal information. In some countries, employees of private organizations have no expectation of privacy while using organizational equipment.

International Laws and Acts

Some multinational companies doing business internationally may also be subject to various international laws and regulations. This section provides an overview of some of the more common laws and regulations existing in other countries. Examples provided are from the United States and Europe. However, current trends show that these laws and regulations are gradually being adopted/adapted worldwide as a guiding principle or reference when dealing with a specific security area. Table 7-1 summarizes these laws.

[Table 7-1 Summary of Information Assurance Laws and Regulations: table image not reproduced here]

Standards and Best Practices


Information assurance standards and best practices have been developed over time. These standards and best practices may be referred to as a basis for establishing a security framework for the organization or for personal use. Some of the more common standards and best practices are described in Table 7-2.

[Table 7-2 Summary of Standards/Best Practices: table image not reproduced here]

Further Reading

      • ISO TR 13569. Banking and Related Financial Services – Information Security Guidelines.

      • ISO/IEC 13335. Information Technology – Security Techniques – Management of Information and Communications Technology Security.

      • ISO/IEC 27001:2005. Information Technology – Security Techniques – Information Security Management Systems – Requirements.

      • ISO/IEC 27002:2005. Information Technology – Security Techniques – Requirements for Bodies Providing Audit and Certification of Information Security Management Systems.

      • ISO/IEC 27003:2010. Information Technology – Security Techniques – Information Security Management System Implementation Guidance.

      • ISO/IEC 27004:2009. Information Technology – Security Techniques – Information Security Management – Measurement.

      • ISO/IEC 27005:2011. Information Technology – Security Techniques – Information Security Risk Management.

      • ISO/IEC 27006:2011. Information Technology – Security Techniques – Requirements for Bodies Providing Audit and Certification of Information Security Management Systems.

      • ISO/IEC 27007:2011. Information Technology – Security Techniques – Guidelines for Information Security Management Systems Auditing.

      • ISO/IEC 27010:2012. Information Technology – Security Techniques – Information Security Management Guidelines for Inter-sector and Inter-organisational Communications.

      • ISO/IEC 27011:2008. Information Technology – Security Techniques – Information Security Management Guidelines for Telecommunications Organisations Based on ISO/IEC 27002.

      • ISO/IEC TR 27008:2011. Information Technology – Security Techniques – Guidelines for Auditors on Information Security Controls.

      • Maconachy, V., et al. “A Model for Information Assurance: An Integrated Approach” (the MSR Model). Proceedings of the 2nd Annual IEEE Systems, Man, and Cybernetics Information Assurance Workshop, West Point, New York, June 5–6, 2001, pp. 306–310.

      • Schmidt, Howard A. Larstan’s The Black Book on Government Security. Transition Vendor, 2006.

      • Schou, Corey D., and D.P. Shoemaker. Information Assurance for the Enterprise: A Roadmap to Information Security. McGraw-Hill Education, 2007.

      • Tipton, Harold F., and S. Hernandez, eds. Official (ISC)2 Guide to the CISSP CBK, 3rd edition. (ISC)2 Press, 2012.

Critical Thinking Exercise

        1. What laws, regulations, or standards does your organization need to comply with?

        2. An organization’s medical information website is tracking individuals and using information about their searches and the personal information they enter to develop individual profiles for marketing. The website does not inform visitors that they are being tracked and that their information is being collected. Which OECD principle has been violated, and what can the organization do to remedy the situation?
