
Business Information Security Vs. Government Searching Case Study

… Policy Case Study The author of this report has been asked to act as a consultant for a major security consulting firm. This report covers the several topics that were requested, each with the appropriate amount of vigor and detail. The first topic is a brief overview of the overall legal environment for non-information technology managers when it comes to things like constitutional law, administrative law, civil law, criminal law, due care, due diligence and overall fiduciary duty. Another major topic is the applicable information security laws and practices. Next is the impact of policies, regulations and laws on the information security sphere. The next topic, and a very controversial one in the eyes of many, is the Central Intelligence Agency, including its practices, what has been in the news about it and so forth. There will also be a discussion of governance policy and recommendations for the same. The final portion distinguishes between government and organization policies. While information security practice is like walking a tightrope, it is something that people must master and learn to do well.

Analysis

When it comes to the legal environment in which information technology managers operate, it can be a minefield and then some. Just as two examples, Target and Home Depot have learned a very hard lesson about what happens when information is not properly secured and some very high-ranking IT and non-IT people lost their jobs over that mess (Sidel, 2015). Then of course there were prior incidents like the one at TJX that was borne of abject ignorance about the obsoleteness of the WEP wireless standard at the time (Ou, 2007). What information technology executives and other managers must understand is that failing to secure information properly and with the proper amount of due diligence can have a wide array of legal implications. In fact, being too secure and too interested in what employees are doing (or not doing) can lead to issues. For example, an employee can scream about a loss of privacy even if they are using company equipment and this has obvious constitutional implications...

Other considerations include the proper amount of privacy regulation and security that must be in place, protection against lawsuits from customers, employees or shareholders (among other people), and the general ramifications of not exercising due care or due diligence, or of not acting in a fiscally responsible manner in any provable or demonstrable way (TechTarget, 2015).
Practices that could and should be mastered include setting proper password complexity requirements, having the right firewalls and access control standards in place, establishing (and enforcing) policies that could or would have an impact on information security, restricting physical access to sensitive equipment and keeping sensitive information about a system's setup and security on a "need to know" basis with the people that should know these things. Impacts of information technology policies, for example, include whether they are legal, whether they are all-encompassing and whether they are actually being enforced. When it comes to regulations and laws, it is commonly at the discretion of law enforcement as to whether or when they prosecute people, but that is their call, and they will tend to protect employees and customers if they are being wronged or if there is a perception of the same (Hess, 2013). One major component of any solid information security and integrity protocol is having data backed up reliably and sufficiently. As described by the NIST, backups can be done via DVD disc, network storage, external hard drives and internet backups. Generally, it is best to have both local redundancy and remote redundancy, so that one backup is local and immediately accessible while the other is in a secondary location in case the first location is compromised by a storm, fire or sabotage (NIST, 2010).

One gray area in all of that is requests for information from agencies like the CIA, the NSA and so forth. The tech giants of the United States have complained that these agencies often go on "fishing expeditions" to root out malfeasance any way they can. Information technology personnel should certainly cooperate with these agencies but there should be legitimate warrants and/or other judge-ordered actions…

References

ABA. (2015). What Are the Limits of Employee Privacy? | Solo, Small Firm and General Practice Division. Americanbar.org. Retrieved 10 June 2015, from http://www.americanbar.org/publications/gp_solo/2012/november_december2012privacyandconfidentiality/what_are_limits_employee_privacy.html

DHS. (2004). Information Security Governance - A Call To Action. Department of Homeland Security. Retrieved 10 June 2015, from https://www.dhs.gov/sites/default/files/publications/csd-informationsecuritygovernance-acalltoaction-2004.pdf
Retrieved 10 June 2015, from http://www.zdnet.com/article/10-security-best-practice-guidelines-for-businesses/
News. U.S. News & World Report. Retrieved 10 June 2015, from http://www.usnews.com/news/articles/2015/04/08/privacy-board-will-do-deep-dive-
10 June 2015, from http://www.zdnet.com/article/tjxs-failure-to-secure-wi-fi-could-cost-1b/
Retrieved 10 June 2015, from http://www.wsj.com/articles/home-depot-breach-bigger-than-targets-1411073571
SearchSecurity. Retrieved 10 June 2015, from http://searchsecurity.techtarget.com/Security-liability-Whos-to-blame-for-a-data-security-breach