Legal, Regulatory, and Ethical Issues in Security Management

Abstract

The majority of organization have in place a high-level information security policy governing how and what information to handle. Looking down on these organizations, there policies look similar due to the expectation of security professional to know and respect the laws and regulations governing the use of computers and the information it holds. Security professions must understand the scope of an organization’s legal and ethical responsibilities.

Keywords: Regulations, Ethical issues, Legal, information security policies, governance, Chief Information Security Officer, Information ethics

Legal, Regulatory, and Ethical Issues in Security Management

Introduction

Information is the essence of every organization. If this information is compromised, the organization can experience a wide range of consequences. There are external issues outside of an organization’s control that influence security policy. These include legal requirements, fraud, hacking, contractual obligations, and existing organizational policies. Information Security is a strategic approach that should be based on a solid, holistic framework encompassing all of an organization's Information Security requirements. The purpose of this paper will examine the effects of these external factors organization’s security decisions. Although these factors are beyond the scope of any company’s direct control, the design of information security policies are essential to effectively anticipate them.

Chief Information Security Officer

Chief Information Security Officers (CISO) in companies is primarily responsible for providing corporate information security. In recent years this position has evolved beyond the singular scope into supporting business strategies and business continuity within the organization. By being a key business professional, the CISO evaluate ways to increase value to the organization and incorporate security needs according to the business goals and objectives (Whitten, 2008). The CISO engages with ‘c-suite’ colleagues such as the Chief Executive Officer (CEO) and Chief Privacy Officer (CPO) to gain support of security needs and objectives for the company (Dawson et al., 2010). The CISO works closely with the CEO to procure funding for allocated training. The CISO not only requires an understanding of information security but also in education, training, and soft skills. Promoting the idea that security and risk management are a collaborative effort where everyone works together toward a common goal.

Hard skills are not the only area of importance for CISO; soft skills are important due to their executive responsibilities. They should be effective presenter with the ability to communicate both

...