What are the legal requirements for ensuring information security relating to business organizations? How can these legal requirements for ensuring information security be met in typical modern companies? Explain your answers with reference to practical examples from your own knowledge and experience wherever possible.

by dxb625 (student)

The legal requirements

For data or information to be useful, the key principles on which the concept of information security is built, confidentiality, integrity and availability, must at a minimum be met, and meeting them goes hand in hand with the legal requirements of any jurisdiction.[1] The legal requirements of most jurisdictions have two faces: inward-looking requirements,[2] which set out the steps an organization must take to comply, and outward-looking requirements, which are the punitive measures applied in cases of breach or non-compliance.[3]

Internationally there is no uniform standard or approach for ensuring information security, and different jurisdictions have adopted different approaches.[4] As private data has become increasingly vulnerable to exposure, the focus in most jurisdictions is on ensuring that the privacy of individuals is protected during transactions.[5] Smedinghoff has summarized the legal requirements in general terms as the duty to provide security, the legal standard on which that duty or obligation is based, and the duty to notify in the event of a breach.[6]

Thus, in the United States the approach was initially sector-specific[7] but is increasingly moving towards general requirements,[8] whereas the approach in Europe,[9] for example, is a general or omnibus one. In general, all jurisdictions first make provision for the protection of data[10] and then define offences for failing to do so.[11]

Steps to be taken to meet these legal requirements

The first step is for the company to determine what the general and specific legal requirements are for its sector and its jurisdiction.[12] For example, the compliance requirements for a company in the health sector and one in the financial sector, in the United States or in Europe, may differ from each other. The company then translates these requirements into a policy framework that can be implemented within the company. Some organizations also choose to pass these requirements on as contractual obligations to the parties they transact with.[13]


The company must then designate the person(s) who bear overall responsibility for information security in the organization. Smedinghoff traces the change in perspective from information security being treated initially as a purely technical matter to its current treatment as a critical matter of corporate governance, so that responsibility now rests with the Board of Directors or senior management.[14]

The company will then put in place the necessary framework and take the administrative steps needed to ensure compliance. For example, the flow of processes, and the persons responsible at every stage, must be clearly defined.[15] In addition the company ...
