Security rules to live by: Compliance with laws and regulations

Learn how complying with enterprise and federal laws and regulations affects information security and receive guidelines practitioners can use to protect themselves and their organization, in this excerpt of Chapter 3: Security Rules to Live By from David J. Lineman's Information Protection Made Easy

Information Protection Made Easy : A guide for employees and contractors

David J. Lineman     96 pages; $9.95     Information Shield, Inc.

In this excerpt of Chapter 3: Security rules to live by from Information Protection Made Easy: A guide for employees and contractors, author David J. Lineman examines how complying with enterprise and federal laws and regulations affects information security and provides guidelines practitioners can use to protect themselves and their organization.

Rule: Be aware of the major laws your corporation must comply with.
No matter what industry you work in, there are most likely some laws and regulations concerning information security that your company must comply with. If your company is doing its job, you are already aware of these and have been trained in your responsibilities. Perhaps reading this book is part of that training.

While laws are generally very complicated and require interpretation, they usually have some simple, high-level points that are easy to understand. (Appendix B provides a list of some common laws and regulations that your company may need to comply with.)

Rule: Know your part in the corporate governance program.
If you work for a company that is publicly traded on a U.S. stock exchange, your organization is subject to the legal requirements of Sarbanes-Oxley (named after the two senators who proposed the bill). You have probably heard of the fall of Enron, and of the accounting scandals at companies like Tyco and WorldCom that cost shareholders billions of dollars and helped trigger a stock market collapse. But you might not have heard of Sarbanes-Oxley.

Sarbanes-Oxley, or 'Sarbox' as it is sometimes called, was enacted in 2002 to help prevent Enron-like episodes from happening again. (If you are interested, check out the references at the end of the book.) Throughout the world, there are similar laws that require companies to be accountable for identifying and mitigating risks to their financial stability. As we have seen throughout this book, this means information security.

Among a host of other complicated requirements, Sarbanes-Oxley requires your senior executives to "sign off" on, or certify, that the company's financial statements are accurate. Perhaps just as important, it requires companies to establish a set of "internal controls" over financial accounting, and a chain of responsibility for making sure that these controls are implemented. The idea behind this chain of responsibility is that no single person or group of persons can instigate a series of fraudulent transactions that would lead to a significant misstatement of earnings.

This "chain of accountability" in Sarbanes-Oxley creates a trickle-down effect that may soon drip onto you. If senior executives and board members must sign off on the accuracy of financial reporting, then the managers who report to them must be darned sure that their information is accurate. And that applies to the managers who report to them, and the people who report to them, and so on. While the average employee of a public company will most likely not go to jail over a Sarbanes-Oxley violation, each employee does have an important role in maintaining the security and integrity of corporate data.

So what does this mean for you? Basically, the word "controls" means the policies, procedures and guidelines that protect information in your company. And the chain of accountability means that most members of the organization will have some responsibility for either enforcing or testing controls. In a nutshell, you will probably be asked to perform some or all of the protection measures we just discussed. Remember, you are part of a network. If your part of the network fails, then the entire network is vulnerable. If your organization did not have strong security policies in the past, or you weren't aware of them, there is a good chance that they will be updated very soon.

This was last published in November 2006
