Information Security

Defending the digital infrastructure


More cybersecurity laws needed for operational IT security

The U.S. has already adopted several cybersecurity laws, but few affect operational IT security.

The U.S. has already adopted several laws related to cybersecurity. However, these laws either don't affect operational IT security on a corporate or national infrastructure level, or affect only specific business practices within select industrial sectors.

For instance, the Children's Online Privacy and Protection Act (COPPA), enacted in 1998, was an early attempt to make the Internet more secure for children. But COPPA didn't deal with making the Internet operationally more secure. Similarly, legislation such as the Digital Millennium Copyright Act (DMCA), the Security Systems and Standards Certification Act (SSSCA) and the Consumer Broadband and Digital Television Promotion Act (CBDTPA) were advertised as "security" laws. But while IT security technologies are necessary to implement many of the provisions in these laws, securing the core infrastructure (at either a national or corporate level) is beyond their purview.

Recent industry-specific regulations, such as the Health Insurance Portability and Accountability Act (HIPAA) for health care and the Gramm-Leach-Bliley Act (GLBA) for financial institutions, have a more direct impact on operational security, setting strict standards for the protection of confidential banking and patient data.

These regulations signal the federal government's willingness to regulate certain aspects of data security. The security laws proposed in the Information Security survey are much broader in scope and application, representing a paradigm shift in the government's involvement in private-sector security.

HIPAA and GLBA also foreshadow potential problems with the survey's proposed security laws. While these regulations are targeted at specific industries, many security managers say the rules are too vague when it comes to implementation.

"I have HIPAA breathing down my neck, and with no real guidelines, it makes it hard to make every health organization conform to one standard," says one survey respondent, an administrator at a health care organization. "What makes you think other nongovernmental organizations can do that?"

About the author:
Andrew Briney is editor-in-chief of Information Security.

This was last published in January 2003