Information Security Governance Papers

Paper Title: Government has already established a significant legislative and regulatory regime around IT security, and is considering additional action
Abstract: Information security is important. Companies and individuals want more security in the products and networks they buy. Vendors are responding with more secure products. Industry and consumers alike recognize the need for information security – consumers from the viewpoint of keeping their information private and businesses from the perspective of its importance to the long-term growth of the IT sector. Even though there is a heightened awareness of the importance of security, many factors have contributed to the perception that progress has been slow. For example, the cost of security is not cheap, and demonstrating return on security investment is sometimes difficult. The good news is that industry and government are actively engaged in addressing the information security challenge.

Increasing public concern has not only prompted industry to begin to work on this problem, but has also led legislatures to take action. Three examples serve to illustrate. On the national level, the Public Company Accounting Reform and Investor Protection Act (also known as Sarbanes-Oxley) requires firms to certify as to the integrity of their financial records, their information disclosure controls, and their internal controls. This certification arguably cannot be made without serious attention having been paid to electronic information security.

A second national law, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), established standards for protecting health information about individuals. A principal motivation behind HIPAA was concern about the possible privacy impact on individuals of unauthorized sharing of personal health information. The Department of Health and Human Services recently issued detailed computer security regulations that organizations handling personal health information must follow.

On the state level, California’s Database Security Breach Notification Act, which went into effect in July 2003, requires companies to notify customers if they believe a systems breach has led to the release of their personal information.

As concern about the issue continues to grow, more attention and action by legislators and regulators can be expected. Recent identity theft cases in both the private and public sector have caused some in Congress to discuss whether legislation is necessary at the federal level. Senator Dianne Feinstein of California is considering a bill modeled after her state’s law. There also have been discussions in Congress on whether disclosure of information security vulnerabilities by companies should be mandated by Congress or required by the SEC. Thus far, the Bush Administration has taken a non-regulatory approach to information security. It recognizes that private companies on the front lines are best equipped to deal with the challenge and has encouraged companies to voluntarily share information on security breaches, while opposing legislation to force companies to report such incidents. That course could change if there is a major cyber attack that damages national critical infrastructure. Areas where regulation may occur include deployment by companies of specific security measures, reporting on intrusions, and reporting of vulnerabilities.

These laws and regulations, and the potential of additional government intervention, create uncertainty about the costs of compliance and potential liability. As with any uncertainty, this may have the effect of limiting investment by firms in advanced technologies, slowing productivity growth, and reducing the availability of electronic services to citizens and consumers. Additionally, because organizations vary greatly in size, the kind of information they handle, their exposure to threats, and the complexity of their information systems, no uniform regulatory regime can efficiently enhance information security across the board. Indeed, regardless of legislation, regulation, or other guidance, there is no substitute for the effective and consistent application of sound risk management practices at the operational level.
Web Link: http://www.bsa.org/country/Research%20and%20Statistics/~/media/BD05BC8FF0F04CBD9D76460B4BED0E67.ashx
