If all corporate situations are treated as being much the same, can companies carry out a risk assessment, implement a few policies and then relax in the knowledge that they have passed the information security test?
The existing information security laws and regulations aim to provide awareness and guidelines to organisations so that the protection of information is firmly planted within the organisation, in addition to protecting parties who fall victim to information compromise. The concept of 'reasonableness' allows for imperfections and adaptation to the needs of the particular organisation. What constitutes reasonable may, however, be difficult to determine, as the compliance measures need to reflect constantly emerging security vulnerabilities in the surrounding environment and might require a significant amount of investment that is influenced by factors outside of an organisation's control.
Because many security vulnerabilities often remain unknown until after they have been exploited, the security measures and the concept of 'reasonableness' need to be regularly updated by regulators [8]. It is perhaps for this reason that such concepts are still used in laws, regulations and guidelines: such a wide formulation leaves the organisation wholly responsible for, at all times, keeping on top of the developing threat landscape surrounding it. The laws are as a result more long-lived, but still able to offer basic guidelines.
[1] von Solms R & von Solms S H 'Information Security Governance: A model based on the Direct-Control Cycle' (2006) 25 Computers & Security <http://www.sciencedirect.com.ezproxy.liv.ac.uk/science?_ob=MiamiImageURL&_cid=271887&_user=822084&_pii=S0167404806001167&_check=y&_origin=article&_zone=toolbar&_coverDate=2006-Sep-30&view=c&originContentFamily=serial&wchp=dGLbVlV-zSkWz&md5=a20d3709538ff6acb15e23eb91321397&pid=1-s2.0-S0167404806001167-main.pdf> accessed 01 May 2013
[2] Smedinghoff J T Information Security Law: The Emerging Standard for Corporate Compliance (First Edition, IT Governance Publishing, 2008) p 61
[3] California Security Breach Act 2005 <http://www.leginfo.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.pdf> accessed 02 May 2013
[4] Stevens G 'Data Security Breach Notification Laws' (2012) Congressional Research Service <http://www.fas.org/sgp/crs/misc/R42475.pdf> accessed 29 April 2013
[5] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals With Regard to the Processing of Personal Data and on the Free Movement of Such Data (EU Data Protection Directive) <http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:EN:HTML> accessed 02 May 2013
[6] Breaux D T, Antón A I, Karat C M & Karat J 'Enforceability vs. Accountability in Electronic Policies' (2006) IEEE 7th International Workshop on Policies for Distributed Systems and Networks <http://www.cs.cmu.edu/~breaux/publications/tdbreaux-policy06.pdf> accessed 03 May 2013
[7] Lecture Notes 'Week 5: Legal Standards for Compliance' (2013) University of Liverpool LLM <https://elearning.uol.ohecampus.com/bbcswebdav/xid-142633_4> accessed 01 May 2013
[8] Breaux D T & Baumer L D 'Legally "Responsible" Security Requirements: A 10-year FTC Retrospective' (2011) 30(4) Computers & Society <http://www.cs.cmu.edu/~breaux/publications/tdbreaux-cose10.pdf> accessed 03 May 2013