Policy Case Study

The author of this report has been asked to act as a consultant for a major security consulting firm. This report covers the several topics that were requested, with the appropriate amount of vigor and detail. The first topic will be a brief overview of the overall legal environment for non-information technology managers when it comes to things like constitutional law, administrative law, civil law, criminal law, due care, due diligence and overall fiduciary duty.
Another major topic that will be covered is the applicable information security laws and practices. Next up will be the impact of policies, regulations and laws when it comes to the information security sphere. The next topic, and a very controversial one in the eyes of many, is the Central Intelligence Agency, including its practices, what has been in the news about them and so forth. There will also be a discussion of governance policy and recommendations for the same.
The final portion will distinguish between government and organization policies. While information security practice is like walking a tightrope, it is something that people must master and learn to do well.

Analysis

When it comes to the legal environment in which information technology managers operate, it can be a minefield and then some.
Just as two examples, Target and Home Depot have learned a very hard lesson about what happens when information is not properly secured and some very high-ranking IT and non-IT people lost their jobs over that mess (Sidel, 2015). Then of course there were prior incidents like the one at TJX that was borne of abject ignorance about the obsoleteness of the WEP wireless standard at the time (Ou, 2007).
What information technology executives and other managers must understand is that failing to secure information properly and with the proper amount of due diligence can have a wide array of legal implications. In fact, being too secure and too interested in what employees are doing (or not doing) can lead to issues. For example, an employee can scream about a loss of privacy even if they are using company equipment and this has obvious constitutional implications (ABA, 2015).
Other things that must be considered include the privacy regulations and security measures that must be in place, protection against lawsuits from customers, employees or shareholders (among other people), and the general ramifications for not exercising due care or due diligence or for not acting in a fiscally responsible manner in any provable or demonstrable way (TechTarget, 2015).
Practices that could and should be mastered include setting proper password complexity requirements, having the right firewalls and access control standards in place, establishing (and enforcing) policies that could or would have an impact on information security, restricting physical access to sensitive equipment and keeping sensitive information about a system's setup and security on a "need to know" basis with the people that should know these things. The impacts of information technology policies, for example, include whether they are legal, whether they are all-encompassing and whether they are actually being enforced.
When it comes to regulations and laws, it is commonly at the discretion of law enforcement as to whether or when they prosecute people, but that is their call, and they will tend to protect employees and customers if they are being wronged or if there is a perception of the same (Hess, 2013). One major component of any solid information security and integrity protocol would be having data backed up reliably and sufficiently.
As described by NIST, backups can be done via DVD disc, network storage, external hard drives and internet backups. Generally, it is best to have both local redundancy and remote redundancy, so that one backup is local and immediately accessible while the other is in a secondary location in case the first location is compromised by a storm, fire or sabotage (NIST, 2010). One gray area in all of that is requests for information from agencies like the CIA, the NSA and so forth.
The tech giants of the United States have complained that these agencies often go on "fishing expeditions" to root out malfeasance any way they can. Information technology personnel should certainly cooperate with these agencies but there should be legitimate warrants and/or other judge-ordered actions (in writing) behind any request that is honored. Doing otherwise is a betrayal of the customer or the employees involved. Customers will not take kindly if they know or think their data is being reviewed in a willy-nilly and/or warrantless fashion (Nelson, 2015).
When it comes to governance policy, the rules and regulations in place need to be current with technology and with the overall corporate and legal landscape, and those policies should be followed to the letter in all instances. It is true that the government acts and moves in a different way, but it has that luxury. There are limitations, but government policies are for the benefit of the agency in question, and they usually care little for the people they might affect.
They do not have to worry about sales revenues and customer opinion…just their budget. On the other hand, governance from a for-profit business standpoint is about protecting the clients and the company from all sources of danger and this can include government and good intentions in certain instances (DHS, 2004). Some of the specific laws that bear mentioning include the E-Government Act of 2002 and the Federal Information Security Management Act of 2002.
These are laws that affected government institutions more than anyone, but they both prove and enforce the idea that information security is a national security matter. In terms of laws with wider scope and impact, the laws that would have varying impacts on information security include the Health Insurance Portability and Accountability Act (HIPAA), the Sarbanes-Oxley Act, the Electronic Fund Transfer Act, the Customs-Trade Partnership Against Terrorism (C-TPAT) and many others (USDOC, 2004). The impact of violations of ethics or of the laws themselves falls under several categories, including confidentiality, integrity and availability.
When it comes to confidentiality, information going public or getting breached by someone or some entity that is not entitled to it can lead to loss of money from the victims, identity theft and so forth. If data integrity is an issue, this means that the data is incomplete or perhaps not correct and the impacts of this could include incorrect or ill-advised business decisions being made, decisions not being made timely and so forth.
When it comes to availability, this is much the same as integrity, except that the question is whether there is any data to use or harness at all. In any event, any of those three lead to loss of efficiency, timeliness, money and resources. Lives can be greatly impacted and businesses can be ruined if data is lost.