The law starts to bite back

Andy Jones, Information Security Forum
Column, Infosecurity Today, May/June 2006, p. 41

Information security professionals need to start dealing with the law, before the law deals with them.

Legislators are not making life easy for IT security professionals. Simply to identify the myriad laws related to information security is complex, let alone to interpret them. While some laws are specific to IT security, such as computer misuse and e-commerce, other general and regulatory legislation also affects information security. This ranges from data privacy and corporate governance to healthcare and even human rights.

It is getting tougher to keep up. Advances in technology and the slow legal process mean that some laws are obsolete before they come into effect. Meanwhile, new laws sprout in response to new, increasingly sophisticated computer-aided crimes such as ID theft, spam and hacking.

Border confusion

Then there is cross-border confusion. Not only do organizations have to ask themselves ‘what business are we in?’, but they also have to ask ‘where do we do business?’ For example, legislation designed for the banking and finance sector, such as Basel II, can also affect any organization that processes corporate or personal financial data.

As organizations expand and globalize they face greater exposure to worldwide legislation. They may have to comply with laws outside their home operating sphere that even contradict their domestic legislation.

Companies worldwide are feeling the effects of the Sarbanes-Oxley Act, even though it was drafted and enforced in the US. In a recent survey of ISF members, who represent some of the largest international companies and organizations, more than half the respondents said they expect Sarbanes-Oxley to cost them more than $10m for information security controls alone.

In the same report, ISF members identified unnecessary complexity, conflicting legislative requirements, and a lack of clear ownership of responsibility as key factors that hamper organizations in their drive for compliance with security-related legislation.

Tradition annulled

Traditionally, the responsibility for corporate compliance lies with the legal department. But where IT is concerned it is split between legal and information security (IS). Often, it is the IS team that feels obliged to accept most of the responsibility for compliance.

Given the pressure to comply with the growing volume of legislation, there is a worry that it will lead to time and money being diverted from areas of critical risk mitigation. Given the fluidity of the situation, there is a real temptation to wait and see.

But where legislators have previously struggled to keep up with the quickening pace of technology, they are now sharpening their teeth and rattling sabres. Failure to act quickly enough could prove very costly and damage corporate reputations.

This was illustrated recently in the US. The Federal Trade Commission accused ChoicePoint Inc of Atlanta, Georgia, of violating consumers' privacy with its security and record-handling procedures. ChoicePoint admitted that financial records of over 160,000 consumers had been compromised and was fined US$10 million in penalties and US$5 million in compensation.

This is a wake-up call for companies where compliance is concerned. And while there is still little case law by which to examine the ambiguities of legislation or clarify interpretation, the law is certainly starting to bite back.

In practical terms, it may be difficult to comply with all information security-related laws, and a risk-based approach may still be appropriate. The ISF has established a process to help organizations identify compliance requirements. It is backed by a legal repository that can answer questions such as ‘What are all the privacy laws for our UK and German operations?’ The ultimate goal is to establish a comprehensive global database of information security-related laws, searchable by jurisdiction.

Tempting though it may be, regardless of the complications and costs, organizations cannot afford to wait for enforcement officers to come knocking. They must establish procedures that ensure ongoing compliance. The courts do not always have to prove malicious intent or negligence, and ignorance is never a defence.

About the author

Andy Jones is a senior research consultant at the Information Security Forum. The website is www.securityforum.org.
