Information Security: Law and Policy


Introduction

Organizations cannot function effectively without data. In the 21st century, most organizations, including educational institutions, businesses and government agencies, depend on modern information systems to carry out their transactions (Whitman & Mattord, 2011, p. 40). As a result, protecting data, whether it is held by the firm or in transit, should be a critical consideration, because that data faces numerous threats. It is therefore important for the concerned stakeholders to implement an effective and secure information security infrastructure. According to Smedinghoff (2008, p. 13), information security entails the various processes that should be undertaken to protect information from various threats.

Overview of the legal environment (policies, regulations, and laws)

Firms' information security professionals must be conversant with the existing legal framework that regulates the operation of their organization (Whitman & Mattord, 2010, p. 429), because the legal environment can have a significant impact on how the firm operates. Firms in different economic sectors face a wide range of laws to which they are required to adhere. These include civil law, criminal law, private law, public law and tort law.

In an effort to ensure effective implementation of information security, the United States government has enacted a number of pieces of information security legislation. Their core objective is to ensure that individuals do not misuse information and information technology. Through this legislation, the US government has been able to create and promote an environment that is conducive for all firms to operate in (Whitman & Mattord, 2009, p. 430). The chart below illustrates some of the federal laws related to information security that the US government has instituted.

Area of information            | Act                                | Description
-------------------------------|------------------------------------|------------------------------------------------------------
Freedom of information         | Freedom of Information Act         | Gives an entity the freedom to disclose information or documents which had not been released as a result of control by the government.
Copyright                      | Copyright Act                      | Protects an entity's intellectual property.
Federal agency information security | Computer Security Act         | Stipulates that all federal government computer systems that contain confidential information must be well designed, maintained, and covered by a security plan.
Trade secrets                  | Economic Espionage Act of 1966     | Prevents employees from using information of the company gained elsewhere.
Threats to computers           | Computer Fraud and Abuse Act       | Defines how a company should counter threats arising from computer-related offences.

In addition to the laws, organizations must stipulate policies aimed at enhancing information security. These policies should cover several areas. According to Whitman and Mattord (2011, p. 5), there should be a policy that stipulates how information is to be protected in accordance with its criticality, sensitivity and value. Additionally, organizations should have policies that stipulate how information is handled, since information is a critical asset of a company. One way to achieve this is to ensure that there are standards and policies that control the accessibility and usage of information.

How the legal environment ensures confidentiality, integrity and availability of information and information systems

The legal environment has a significant impact on how an organization ensures that its information security system is efficient by ensuring confidentiality, availability and integrity of information.

Confidentiality

As a component of information security, confidentiality ensures that information or data is not disclosed to unauthorized individuals. This is attained by instituting an effective control mechanism. Additionally, appropriate policies and standards that bar unauthorized access should be instituted. Confidentiality can also be attained by encrypting information, which ensures that even if the information is accessed unlawfully, it remains unreadable (Smedinghoff, 2008, p. 17).

Integrity

This refers to the extent to which the information is reliable. Information security ensures that information held in an organization's system is not altered, modified or destroyed. To attain this, information security ensures that an organization's computer network and software are not compromised through unauthorized access. According to Smedinghoff (2008, p. 23), unauthorized access to the computer network can compromise the reliability, accuracy and completeness of the information held in the firm's information system, because unauthorized changes can be made to the data either intentionally or accidentally.

Availability

This entails whether the information can be easily accessed and used as and when required by authorized parties. For information to be available, information security ensures that the organization's computer networks and systems are fully operational (Smedinghoff, 2008, p. 17).

The US legal environment plays a major role in ensuring that firms' information and information systems are effective. This is achieved by promoting the confidentiality, availability and integrity of information security systems in a number of ways. For example, the government has enacted laws that stipulate penalties and punishment for unauthorized individuals who breach the integrity, confidentiality and accessibility of information from a firm's information system. For instance, there is a law that stipulates how individuals who breach confidentiality through unauthorized access to information should be penalized. In addition, anyone who knowingly conceals information regarding a breach of confidentiality is also punishable by law, as stipulated by Title IV of the US Personal Data Privacy and Security Act of 2005 (Congress, 2005, p. 516).

Conclusion

Information security is an important component in ensuring that an organization's information system is effective. If it is well configured and implemented, it greatly reduces the various threats to organizational information, which include physical threats, environmental threats, technical threats and people threats.

Reference List

Congress. (2005). Congressional record, V. 151, part 16. New York: Government Printing Office.

Smedinghoff, T. (2008). Information security law: the emerging standard for corporate compliance. Ely: IT Governance Publishers.

Whitman, M. & Mattord, H. (2010). Management of information security. Australia: Course Technology Cengage Learning.

Whitman, M. & Mattord, H. (2009). Principles of information security. Boston, MA: Thomson Course Technology.

Whitman, M. & Mattord, H. (2011). Readings and cases in information security: law and ethics. Boston, MA: Cengage Learning.
