Rule: Be aware of the major laws your corporation must comply with.
No matter what industry you work in, there are most likely some laws and regulations concerning information security that your company must comply with. If your company is doing its job, you are already aware of these and have been trained in your responsibilities. Perhaps reading this book is part of that training.
While laws are generally very complicated and require interpretation, they usually have some simple, high-level points that are easy to understand. (Appendix B provides a list of some common laws and regulations that your company may need to comply with.)
Rule: Know your part in the corporate governance program.
If you work for a company that is publicly traded on a U.S. stock exchange, your organization is subject to the legal requirements of Sarbanes-Oxley (named after the two Senators who proposed the bill). You have probably heard of the fall of Enron, and of the accounting scandals at companies like Tyco and WorldCom that cost shareholders billions of dollars and helped trigger a stock market collapse. But you might not have heard of Sarbanes-Oxley.
Sarbanes-Oxley, or 'Sarbox' as it is sometimes called, was enacted in 2002 to help prevent future Enron-like episodes. (If you are interested, check out the references at the end of the book.) Throughout the world, there are similar laws that require companies to be accountable for identifying and mitigating risks to their financial stability. As we have seen throughout this book, this means information security.
This "chain of accountability" in Sarbanes-Oxley creates a trickle-down effect that may soon drip onto you. If senior executives and board members must sign off on the accuracy of financial reporting, then the managers who report to them must be darned sure that their information is accurate. And that applies to the managers who report to them, and the people who report to them, and so on. While the average employee of a public company will most likely not go to jail over a Sarbanes-Oxley violation, each employee does have an important role in maintaining the security and integrity of corporate data.
So what does this mean for you? Basically, the word "controls" means the policies, procedures, and guidelines that protect information in your company. And the chain of accountability means that most members of the organization will have some responsibility for either enforcing or testing controls. In a nutshell, you will probably be asked to perform some or all of the protection measures we just discussed. Remember, you are part of a network. If your part of the network fails, then the entire network is vulnerable. If your organization did not have strong security policies in the past, or you weren't aware of them, there is a good chance that they will be updated very soon.
This was first published in November 2006