Introduction
This article covers four key laws that directly affect the management of an organization's information security resources: three U.S. statutes (FISMA, Sarbanes-Oxley, HIPAA) and one EU regulation (GDPR). Cybersecurity managers need to understand them because they dictate compliance procedures and safeguard requirements for handling sensitive information, depending on the sector in which an organization operates and on where the people whose data it holds reside. The focus is on their impact at the organizational level.
1. FISMA (Federal Information Security Management Act) — 2002:
• Purpose: FISMA applies to U.S. federal agencies and to the information systems that contractors operate on their behalf. It requires each agency to establish an agency-wide information security program and to report annually on its state to the Office of Management and Budget (OMB). The Act was revised in 2014 by the Federal Information Security Modernization Act, which kept the same acronym and added a stronger emphasis on continuous monitoring.
• Focus: FISMA is an example of the government regulating its own agencies to ensure information security standards are maintained.
• Challenges: Despite large expenditures (e.g., $1.3 billion annually for certification and accreditation), many federal agencies underperform against FISMA's requirements. The lesson is that ticking compliance checkboxes does not by itself improve security: a system can carry a complete authorization package and still be running unpatched or misconfigured software.
• Key Requirements:
1. Agencies must maintain an inventory of their hardware, software, and information systems; an asset that is not on the inventory is one that nobody is patching, monitoring, or assessing.
2. Each system must be categorized by the impact of a loss of confidentiality, integrity, or availability (the FIPS 199 low/moderate/high scheme), and risk assessments must be conducted so that high-risk systems receive the strongest protection.
3. Security controls (selected from the NIST SP 800-53 catalog) must be documented, tested, and then continuously monitored after systems go live, rather than verified once at authorization time and assumed to hold thereafter.
• Compliance: Compliance is not a one-time certification. Agencies must continuously monitor and evaluate their systems so that cybersecurity effort is directed by risk management rather than by the reporting calendar.
2. Sarbanes-Oxley Act (SOX) — 2002:
• Purpose: SOX was passed after major accounting scandals (e.g., Enron and WorldCom) to ensure the integrity of financial statements for publicly traded companies.
• Key Section: Section 404 requires companies to:
1. Include in the annual report an internal control report stating that management is responsible for establishing and maintaining an adequate internal control structure and procedures for financial reporting.
2. Assess, as of the end of the fiscal year, the effectiveness of those internal controls over financial reporting.
3. Have the external auditor attest to, and report on, management's assessment of the internal control structure.
• Impact on Cybersecurity: Financial statements are produced by IT systems, so the IT general controls around those systems (user access provisioning and periodic access review, change management, segregation of duties, logging, and backup and recovery) fall within the scope of a SOX audit. Controls put in place for SOX therefore overlap substantially with ordinary security hygiene, and weaknesses in them surface as audit findings rather than as abstract risks.
• Controversy: Section 404 is widely regarded as the most burdensome and controversial part of SOX because of the cost of documenting, testing, and having auditors attest to the control structure.
3. HIPAA (Health Insurance Portability and Accountability Act) — 1996:
• Purpose: HIPAA's Privacy and Security Rules protect the privacy and security of individually identifiable health information. They apply to covered entities (health care providers such as hospitals and clinics, health plans and insurers, and health care clearinghouses) and, since the HITECH Act, directly to the business associates that handle protected health information on a covered entity's behalf.
• Requirements for electronic protected health information (e-PHI) under the Security Rule:
1. Covered entities and business associates must ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain, or transmit.
2. They must protect against reasonably anticipated threats to the security or integrity of that information and against reasonably anticipated uses or disclosures that the Privacy Rule does not permit.
3. They must ensure compliance by their workforce. Civil penalties are tiered by culpability, from modest per-violation fines up to an annual cap of $1.5 million for all violations of an identical provision in a calendar year (the figures are periodically adjusted for inflation).
• Security Safeguards: The Security Rule groups its safeguards into administrative (risk analysis, workforce training, contingency planning), physical (facility and workstation access controls, device and media handling), and technical (access control, audit controls, integrity controls, authentication, transmission security) categories. Organizations handling e-PHI must implement these so that patient data is protected throughout its lifecycle, from collection through storage, transmission, and disposal.
4. GDPR (General Data Protection Regulation) — 2018:
• Purpose: GDPR governs the processing of personal data of individuals in the EU. It applies to organizations established in the EU and also to organizations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU. A company with no European office can therefore still be in scope if it serves or tracks European users.
• Key Requirements:
1. A personal data breach must be reported to the competent supervisory authority without undue delay and, where feasible, within 72 hours of the organization becoming aware of it, unless the breach is unlikely to result in a risk to individuals. When the risk to individuals is high, the affected people must be informed as well.
2. Processing must rest on a lawful basis (consent is one of several, alongside contract, legal obligation, and legitimate interests) and is limited to the specific purposes for which the data was collected; data may not later be repurposed in a way incompatible with those purposes.
3. Organizations must keep personal data accurate, collect no more than is needed for the stated purpose (data minimization), and protect it with appropriate technical and organizational measures against unauthorized access, loss, or alteration.
• Penalties: Non-compliance can lead to administrative fines of up to 4% of annual worldwide turnover or €20 million, whichever is higher; a lower tier of up to 2% or €10 million applies to less serious infringements.
Common Themes and Takeaways:
• Compliance is Key: All of these laws require organizations to implement specific controls and procedures to protect sensitive information.
• Best Practice Frameworks: Many of the requirements set out in these laws can be met, or at least mapped to and evidenced, by implementing a best practice cybersecurity framework (e.g., the NIST Cybersecurity Framework and NIST SP 800-53, or ISO/IEC 27001). One well-run control set can then serve several regulatory regimes at once instead of being rebuilt per law.
• Organizational vs. Public Policy: This lesson focuses on organizational compliance and does not delve into broader public policy debates, such as whether these laws are effective or proportionate in shaping public policy incentives.
• Attention to Detail: Organizations must be vigilant in understanding and addressing the specific requirements of these laws to avoid non-compliance, which can result in substantial fines or penalties.
Conclusion:
The lesson emphasizes the importance of understanding and complying with key laws that affect information security management, such as FISMA, SOX, HIPAA, and GDPR. Compliance reduces legal and regulatory exposure, but it does not by itself keep an organization secure; organizations must also focus on effective security management practices to maintain a robust defense against cyber threats. Simply checking compliance boxes is not enough. Organizations must integrate strong security controls into their day-to-day operations, and keep monitoring that those controls actually work, to achieve real-world security.