Book Chapter:

Security rules to live by: Compliance with laws and regulations

01 Nov 2006 | Published by Information Shield, Inc.


Information Protection Made Easy: A guide for employees and contractors

David J. Lineman 

96 pages; $9.95 

Information Shield, Inc.

In this excerpt of Chapter 3: Security rules to live by from Information Protection Made Easy: A guide for employees and contractors, author David J. Lineman examines how complying with enterprise and federal laws and regulations affects information security and provides guidelines practitioners can use to protect themselves and their organization.

Rule: Be aware of the major laws your corporation must comply with.
No matter what industry you work in, there are most likely some laws and regulations concerning information security that your company must comply with. If your company is doing its job, you are already aware of these and have been trained in your responsibilities. Perhaps reading this book is part of that training.

While laws are generally very complicated and require interpretation, they usually have some simple, high level points that are easy to understand. (Appendix B provides a list of some common laws and regulations that your company may need to comply with.)

Rule: Know your part in the corporate governance program.
If you work for a company that is publicly traded on a U.S. stock exchange, your organization is subject to the legal requirements of Sarbanes-Oxley (named after its two Congressional sponsors, Senator Paul Sarbanes and Representative Michael Oxley). You have probably heard of the fall of Enron, and of the accounting scandals at companies like Tyco and WorldCom that cost shareholders billions of dollars and helped trigger a stock market collapse. But you might not have heard of Sarbanes-Oxley.

Sarbanes-Oxley, or 'Sarbox' as it is sometimes called, was enacted in 2002 to help prevent Enron-like episodes from happening again. (If you are interested, check out the references at the end of the book.) Throughout the world, there are similar laws that require companies to be accountable for identifying and mitigating risks to their financial stability. As we have seen throughout this book, that accountability depends on information security: financial statements are only as trustworthy as the systems and data they are built from.

Among a host of other complicated requirements, Sarbanes-Oxley requires your senior executives (the CEO and CFO, under Section 302) to "sign off" or certify that the company's financial statements are accurate. Perhaps just as important, it requires companies (under Section 404) to establish a set of "internal controls" over financial reporting, to assess those controls every year, and to maintain a chain of responsibility for making sure that the controls are implemented. The idea behind this chain of responsibility is that no single person or group of persons can instigate a series of fraudulent transactions that would lead to a significant misstatement of earnings.

This "chain of accountability" in Sarbanes-Oxley creates a trickle-down effect that may soon drip on to you. If senior executives and board members must sign off on the accuracy of financial reporting, then the managers who report to them must be darned sure that their information is accurate. And that applies to the managers who report to them, and the people who report to them, and so on. While the average employee of a public company will most likely not go to jail over a Sarbanes-Oxley violation, each employee does have an important role in maintaining the security and integrity of corporate data.

So what does this mean for you? Basically, the word "controls" means the policies, procedures and guidelines that protect information in your company, including the access restrictions, approvals and audit trails that keep financial data from being altered without a record of who changed it and why. The chain of accountability means that most members of the organization will have some responsibility for either following, enforcing or testing those controls. In a nutshell, you will probably be asked to perform some or all of the protection measures we just discussed. Remember, you are part of a network. If your part of the network fails, then the entire network is vulnerable. If your organization did not have strong security policies in the past, or you weren't aware of them, there is a good chance that they will be updated very soon.

All Rights Reserved, Copyright 2003 - 2008, TechTarget