This widespread implementation of networked information systems has provided companies with tremendous economic benefits, including significantly reduced costs and increased productivity. But the resulting dependence on a computer infrastructure also creates significant potential vulnerabilities that can result in major harm to the business and its stakeholders.16 Thus, concerns regarding corporate governance, individual privacy, the protection of sensitive business data, accountability for financial information, and the authenticity and integrity of transaction data are driving the enactment of laws and regulations, both in the U.S. and globally, that impose obligations on businesses to implement information security measures to protect their own data.
The ultimate concern is electronic corporate information. But protecting electronic information also requires addressing the means by which such information is created, stored, and communicated. Thus, statutes and regulations governing information security typically focus on the protection of both information systems17 – i.e., computer systems, networks, and software – and the data, messages, and information that are recorded on, processed by, communicated via, stored in, shared by, transmitted by, or received from such information systems.
When addressing corporate information, it is also important to remember that all types of information need to be considered, including financial information, personal information, tax-related records, employee information, transaction information, and trade secret and other confidential information. Moreover, the information can be in any form, including databases, e-mails, text documents, spreadsheets, voicemail messages, pictures, video, sound recordings, etc.
The objectives of information security are often stated in a variety of ways. In some cases, statutes and regulations define the primary objectives of information security in terms of positive results to be achieved, such as ensuring the availability of systems and information, controlling access to systems and information, and ensuring the
16 “As a result of increasing interconnectivity, information systems and networks are now exposed to a growing number and a wider variety of threats and vulnerabilities. This raises new issues for security.” OECD Guidelines for the Security of Information Systems and Networks, July 25, 2002, at p. 7, available at www.oecd.org/dataoecd/16/22/15582260.pdf.
17 The Homeland Security Act of 2002 defines the term “information system” to mean “any equipment or interconnected system or subsystems of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information, and includes – (A) computers and computer networks; (B) ancillary equipment; (C) software, firmware, and related procedures; (D) services, including support services; and (E) related resources.” Homeland Security Act of 2002, Pub. L. 107-296, at Section 1001(b), amending 44 U.S.C. § 3532(b)(4).