Law & Policy Case Study

What does the word policy mean to you? In this study there will be a clear definition of the word and what it means to the company. After that is clearly defined, the next topics will be regulations and laws. Those three will cover legal environment and lead into a look at the impact the legal environment has on an organization.

The final area to address is confidentiality, integrity, and availability of information. To begin with the definition of policy for our purposes comes in two parts. The first part is the definition of policy as it applies to the government be it federal, state, or local. From the website dictionary.com a policy is a course of action adopted and pursued by a government, ruler, political party, ect(dicionary.com, 2012).

This definition is fairly strait forward and should not need any clarification. The second part of the definition is organizational policies; which are simply a specific course of action adopted for the sake of expediency, facility or other purpose. This can be just so the organization who developed the policy can achieve a goal or an objective. Policies are a necessary and critical part in any organization. They define the procedures and set of rules that employees or members are expected to abide by. Here is another definition from the SANS Institute,”

A policy is typically a document that outlines specific requirements or rules that must be met. In the information/network security realm, policies are usually point-specific, covering a single area. For example, an "Acceptable Use" policy would cover the rules and regulations for appropriate use of the computing facilities”(sans.org, 2012). The site goes on to point out that sometimes a standard or guideline is used instead of the word policy. Now that policy is defined, the next topic will be the governing regulations and laws. Laws and regulations are more or less synonymous.

In conclusion, while the security risks of the new technology is significant, the benefits far outweigh the risks. It seems with a capable security program in place, complying with HIPPA rules the risks will be successfully mitigated.

Congratulations! You have just been hired by a major security consulting firm that has recently won several contracts to support chief information security officers (CISOs) in the Washington, DC, area. As part of your first consulting assignment, you have been asked to research and write a short case study (three pages) in which you discuss the legal environment (i.e., policies, regulations, and laws) and its impact upon how an organization (e.g., business, government agency, nonprofit) ensures the confidentiality, integrity, and availability of information and information systems. You have one week to complete your assignment.

The immediate audience for your case study is a group of senior managers (stakeholders) in a client organization who are not familiar with information security laws and practices. These managers need a brief overview of the legal environment to assist them in reviewing and commenting upon a new governance policy for their organization’s information security program. Your case study should be general enough, however, that it can be reused with other clients.

Your supervisor has also given you a “heads up” about a trap that previous consultants have missed when completing similar work for other clients: the term policy has two meanings that you must address: (a) government policies (e.g., those issued by federal, state, local, or tribal governments) and (b) organizational policies (e.g., those written to guide an organization’s compliance with laws, regulations, and policies).

All organizations, besides being profitable, also need to set structures in place in order to achieve such a goal. As discussed in this document, the highlight will be on the legal environment at the workplace such as policies, regulations and laws as well as how these factors ensures the confidentiality, integrity, and availability of information and information systems.

Policies in general play important roles in organizations. They define a set of rules and procedures that all employees must abide by. Information security thrives to make sure that all of the organization's data are safe and secure against attacks. It sets up protocols to follow in order to achieve maximum data integrity, availability, and confidentiality. There are two types of policies that rein in an organization: government policies and organizational policies.

In information security, government policies are policies issued by federal, state, local, or tribal government and which provide a framework for government organizations to establish local policies and procedures necessary for the protection of information and technology assets (British Columbia, 2011). The second sets of policies that guide an organization are organizational policies.

These are written to guide an organization's compliance with laws, regulations, and policies. Organizational security policies should fulfill many purposes such as protect people and information; set the rules for expected behavior by users, system administrators, management, and security personnel; authorize security personnel to monitor, probe, and investigate; define and authorize the consequences of violation; define the company consensus baseline stance on security; help minimize risk; and finally help track compliance with regulations and legislation (Canavan & Diver, 2007).

The priority of both type of policies, government and organizational, is to provide a framework that helps to ensure that potential risks associated with an organization's data are minimized or eliminated. With policies in place, it is the responsibility of the organization to make them understood by employees. It is also the responsibility of the organization to make sure that its employees are fully following the policies.

Moreover, information security policies are important in a way that they help reduce the risks associated with employees' acceptable and unacceptable use of the company's information resources. As would confirm Danchev of Windows Security, the first step towards enhancing a company's security is the introduction of a precise yet enforceable security policy, informing staff on the various aspects of their responsibilities, general use of company resources and explaining how sensitive information must be handled and by also describing in detail the meaning of acceptable use, as well as listing proibited activities (Danchev, 2003).

By the same source, a good and well developed security policy should address how sensitive information must be handled, how to properly maintain your ID(s) and password(s), as well as any other accounting data, how to respond to a potential security incident, intrusion attempt, how to use workstations and Internet connectivity in a secure manner, how to properly use the corporate e-mail system (Danchev, 2003).

Basically, the main reasons behind the creation of a security policy is to set a company's information security foundations, to explain to staff how they are responsible for the protection of the information resources, and highlight the importance of having secured communications while doing business online (Danchev, 2003)

The second aspect of rules governing an organization entity is regulations. Regulations are rules, laws, or orders documenting what may or may not be done, or how something must be done (US Department of Interior, Indians Affairs, 2011). Regulations in information security ensure enforcement of security controls in order to mitigate risks. They make sure that laws, policies and rules in place are properly followed by employees. They usually state what an employee must or must not do. For example, a HIPPA rule sets the following guidelines by a federal government on how agencies must protect the public health information.

A brief abstract states that entities providing care such as health plans, health care providers, health care Clearinghouses must “ensure the confidentiality, integrity, and availability of all e-PHI (electronic-Protected Health Information) they create, receive, maintain or transmit; identify and protect against reasonably anticipated threats to the security or integrity of the information; protect against reasonably anticipated, impermissible uses or disclosures; and ensure compliance by their workforce” (U.S. Department of Health & Human Services). As seen here the regulations set by the government towards these entities strive for the privacy, security, and confidentiality the public's health information.

The third facet of rules in the workplace or organization is laws. In the workplace an employee is subjected to 2 aspects of laws: private laws and public laws. Private laws regulate the relationship between the individual and the organization, while public law regulates the structure and administration of government agencies and their relationship with citizens, employees and other government (Whitman & Mattord, 2007). Whether it is private or public law in the workplace, it is the responsibility of the employee to be fully aware of these laws. In case an act has been committed resulting from the ignorance of the law, the employee could in fact be held liable and be reprimanded accordingly.

There have been many laws that came into existence in the domain of Information security. Some of the laws introduced were Computer Fraud and Abuse Act and Federal Privacy Act. Computer fraud and Abuse law was introduced in 1996 and lastly amended in 2001.

It defines and formalizes laws to counter threats from computer related acts and offenses, while Federal Privacy Act law governs federal agency's use of personal information (Whitman & Mattord, 2007). For example, the latter law deals with information privacy. In case an employee who genuinely or unknowingly breach and misuse a customer or client confidential information, the act will be deemed a federal crime, and will be rebuked accordingly.

With employees knowing that breaking a law can make them prosecutable, they will be more careful by not tempering with customers or clients confidential data resulting in data integrity, availability, and confidentiality.

All in all, policies, regulations, and laws in organizations contribute to the welfare and a safe working environment of all employees. At the same time, they provide means and ways to adhere by in order to achieve information security by ensuring data integrity, availability, and confidentiality of an organization's information system.

References

British Columbia. (2011). Information Security Policy. Retrieved June 23, 2011, from British Columbia Web site: http://www.cio.gov

Canavan, S., & Diver, S. (2007). Information Security Policy – A Development Guide for Large and Small Companies. Retrieved June 23, 2011, from SANS Institute Web site: http://www.sans.org

Danchev, D. (2003). Building and Implementing a Successful Information Security Policy. Retrieved June 23, 2011, from Windows Security Web site: http://www.windowsecurity.com/pages/security-policy.pdf

U.S. Department of Health & Human Services. (n.d.). Summary of the HIPAA Security Rule. Retrieved June 24, 2011, from U.S. Department of Health & Human Services Web site: http://www.hhs.gov

US Department of Interior, Indians Affairs. (2011, June 24). Regulations and Information Collection. Retrieved June 24, 2011, from US Department of Interior, Indians Affairs Web site: http://www.bia.gov

Whitman, M. E., & Mattord, H. J. (2007). Legal, Ethical, and Professional Issues in Information Security. In M. E. Whitman, & H. J. Mattord, Principles of Information Security (pp. 90-94). Course Technology. Posted 6th January by Zinsou Messan

U.S. Department of Health & Human Services. Retrieved from: http://www.hhs.gov/ocrprivacy/hipaa/understanding/summary/index.html