The New Law of Information Security: - page 13 / 29

Thus, in most cases there are no hard and fast rules regarding which specific security measures to implement. Instead, the legal standard for security focuses on a process to identify and implement measures that are reasonable under the circumstances to achieve the desired security objectives. This requires companies to engage in an ongoing and repetitive process that is designed to assess risks, identify and implement responsive security measures, verify that they are effectively implemented, and ensure that they are continually updated in response to new developments.


What Companies Need to Do

The essence of the process-oriented approach to security compliance is implementation of a comprehensive written security program that includes:

  • Asset assessment – identifying the systems and information that need to be protected

  • Risk assessment – conducting periodic assessments of the risks faced by the company

  • Security measures – developing and implementing security measures designed to manage and control the specific risks identified

  • Address third parties – overseeing third-party service provider arrangements

  • Education – implementing security awareness training and education

  • Monitoring and testing – ensuring that the program is properly implemented and effective

  • Reviewing and adjusting – revising the program in light of ongoing changes

The legally-mandated process may be summarized as follows:


Asset Assessment

When addressing information security, the first step is to define the scope of the effort. What information, communications, and processes are to be protected? What information systems are involved? Where are they located? What laws potentially apply to them? As is often the case, little-known but sensitive data files are found in a variety of places within the company.


Periodic Risk Assessment

Implementing a comprehensive security program to protect these assets requires a thorough assessment of the potential risks to the organization’s information systems and data.62 This involves identifying all reasonably foreseeable internal and external threats to the information assets to be protected.63 Threats should be considered in each area of relevant operation, including information systems, network and software


62 See, e.g., HIPAA Security Regulations, 45 C.F.R. Section 164.308(a)(1)(ii)(A).

63 See, e.g., Microsoft Consent Decree at II, p. 4; Ziff Davis Assurance of Discontinuance, Para. 25(b), p. 5; Eli Lilly Decision at II.B; GLB Security Regulations, 12 C.F.R. Part 30, Appendix B, Part III.B(1).
