What Is Law and What Is Policy?

Organizations enforce policies and report on compliance. Organizations generally do not internally enforce laws. In other words, security policies are not a legal interpretation of the law. Security policies are interpretations of legal requirements that lead to compliance.

A law is any rule prescribed under the authority of a government entity. A regulatory agency may be granted the authority under the law to establish regulations. Regulations inherit their authority from the original law.

The distinction among laws, regulations, and security policies is as follows:

  • Laws establish the legal thresholds.
  • Regulatory requirements establish what an organization has to do to meet the legal thresholds.
  • Security policies establish how the organization achieves the regulatory requirements.

Consider an example in the security world that relates to the interpretation of information security regulations. The Gramm-Leach-Bliley Act (GLBA) was intended to ensure the security and confidentiality of customer information. GLBA Section 501(b) requires that the board or its designated committee adequately oversee the financial institution’s information security program. What does “adequately oversee” mean? The Federal Deposit Insurance Corporation (FDIC) issued a regulatory ruling that the organization’s board must receive a formal report at least annually. Many organizations interpret that to be a formal report to the audit committee by both the CISO and auditors. The point is that organizations can achieve regulatory compliance in different ways. Often, you write policies to achieve regulatory requirements. Most of the time, you do not write policy to the specific language of the law.

A violation of a policy is not necessarily a violation of law; however, it might be. Legal interpretation of statutes is a different skill set from policy interpretation. Often, the legal threshold to violate a law is high. It considers circumstance and intent. Only a court or regulatory body can determine whether there are sufficient grounds to find a violation of the law.

Although it is important to remain aware of the current laws and regulations, they should not be your sole driver. There are many risks to the business that are not addressed by laws and regulations. Regulations are written to address a specific area of concern that may have been the result of a public incident or class-action suit. Although ensuring adherence to regulations is a must, there’s no substitute for common sense. The key point is that law always trumps policies with the regulators and the courts. Laws and regulations do not cover all risks.

What Security Controls Work to Enforce Protection of Personal Data?

Organizations have the ability to accept risk. They can accept risks that could potentially impact the business. These organizations do not, however, have the right to accept risk on behalf of the customer. In other words, they cannot put their customers at risk by mishandling their data.

The risk management approach used to assess and accept business risk cannot be applied equally to customers’ personal data. Any organization that collects, stores, processes, and transmits personal information must be compliant with privacy laws.

These privacy laws establish specific controls. Privacy laws do vary from state to state. Some common security controls include:

  • Notification when a breach occurs
  • Encrypting data when it leaves the organization’s network
  • Ensuring that each user has a unique identity when accessing the data
  • Granting access for business purposes only
  • Destroying data when no longer needed
  • Having appropriate policies and security awareness in place

It is important to find out which privacy laws apply where you are doing business. On the basis of these laws, you can determine a common set of core controls. These common controls need to be in the security policies. Effectively destroying data is often overlooked. Yes, shredding documents is a good idea; however, an incinerator is an even more effective approach. Computer storage media must be completely, forensically wiped. In some cases, the appropriate approach is simply to destroy the computer media rather than try to wipe it for reuse.
