Introduction
Complying with the ever-growing morass of data privacy and security laws and regulations can be a daunting task for any organization. In many instances, these laws and regulations are vague and ambiguous, with little specific guidance as to compliance. Worse yet, the laws of different jurisdictions may be, and frequently are, conflicting. Reconciling all of these legal obligations can be, at best, a full-time job and, at worst, the subject of fines, penalties, and lawsuits. Liability can range into the millions of dollars.
The threat from outside hackers is substantial; spear phishing and Advanced Persistent Threats are increasing by double digits every year. Moreover, according to the FBI, the incidence of “insider” misappropriation or compromise of confidential information has never been higher. By better addressing information security with their personnel, including through appropriate awareness training, businesses can mitigate both of these threats.
This white paper seeks to provide a “big picture” understanding of legal and regulatory compliance obligations and then to apply that understanding to the specific issue of mitigating the security threat posed by an organization’s own employees, who are the weak link in IT security.
Finding Common Threads in Compliance Laws and Regulations
The sheer number and variety of privacy and security laws and regulations can be daunting, if not overwhelming. In some instances, it may be almost impossible for even a large, sophisticated organization to identify all applicable laws, reconcile inconsistencies, and then implement a compliance program. In this section, the goal is not to discuss any specific laws or regulations, but to identify three common threads that run through many of them. By understanding those common threads, organizations can more easily understand their baseline compliance obligations.
In reviewing the many laws and regulations applicable to privacy and data security, three common threads can be seen. These threads run not only through laws and regulations, but also through contractual standards such as the Payment Card Industry Data Security Standard (PCI DSS) and even common industry standards for information security published by organizations like CERT at Carnegie Mellon and the International Standards Organization (“ISO”). Embracing these common threads in designing and implementing an information security program will greatly increase a business’ ability to achieve overall compliance with the laws, regulations, and other requirements (e.g., PCI DSS, industry standards, etc.) applicable to it.
Confidentiality, Integrity, and Availability (“CIA”). Anyone involved in information security should be familiar with the acronym “CIA,” which stands for Confidentiality, Integrity, and Availability. For data to be truly secure, each of these three elements must be satisfied. “Confidentiality” means the data is protected from unauthorized access and disclosure.