
Question

Certain acts are being passed by U.S. legislators to aid corporations in adding information security to their organizations. The Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act, and the Federal Information Security Management Act are examples of the government trying to regulate the security of certain organizations.

Read the Case Study at the end of Chapter 14 of the textbook. With your group, prepare a report to present to the CIO of a company that produces engineering software for security agencies. This CIO does not believe the government should have any say in the operations of the company. The report should contain at least three security practices that meet best practices industrywide. Also, explain at least two risks the nation's infrastructure may face if the company fails to comply with security standards. In addition, identify the individual contributions of each member of the group in this report.

Case study text from book

Recent corporate security breaches such as that at Lexis-Nexis and the recent failure of Corporate America to act responsibly to correct security flaws may force legislators to enact laws that require corporations to adhere to best practices in computer security.

Just as the Sarbanes-Oxley Act of 2002 was designed to ensure that the financial records of a corporation are properly prepared and accurate, and the Health Insurance Portability and Accountability Act (HIPAA) requires increased security procedures for maintaining and exchanging medical information, businesses can expect new legislation that will require that information security best practices be followed.

The Federal Information Security Management Act of 2002 (FISMA) already requires federal departments and agencies to implement appropriate security policies and supporting security architectures to reduce and quickly remediate vulnerabilities in their enterprise systems. It is likely that similar legislation will be passed that would extend similar regulations to private enterprise. As with FISMA, the goal would be to define and architect the required security mechanisms within IT initiatives that support and enforce security planning, testing, and evaluation. FISMA creates a defined architecture for reporting information security incidents, which forms the basis of accountability. FISMA requires initial and regular risk assessments and management reviews. Organizations must begin the FISMA process with an organizational risk assessment and then implement the required information security mechanisms and controls to address the risks identified in their organization.

Rep. Adam Putnam (R-Fla.) has drafted the Corporate Information Security Accountability Act of 2003, which would require private companies to comply with industry benchmarks. Work is proceeding to update the bill in a working group created by the subcommittee Putnam chairs, the Government Reform Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census.

The bill may require companies to conduct annual security audits, inventory key assets and their vulnerabilities, and carry insurance against cyberattacks. The proposed law also includes a provision to shield companies from large punitive lawsuits over security breaches. It will seek not only to protect businesses, but also the nation

Explanation / Answer

Industrywide Information Security Report:

There has been an enormous growth in the use of various types of data in industry these days. This includes crucial information like employee records, tender files, etc., which must not be allowed to slip into the hands of third parties. For this purpose there needs to be a common set of rules to be followed so that the data is not lost or corrupted during exchange. The U.S. government has implemented a few acts or laws for the same purpose. This has occurred previously in other industries like health and finance. The acts have been known to be successful and have also brought about uniformity in the process. Similarly, new acts are now being proposed for the information security of industries. A few of the best practices involved are as follows:

Responsibility and layered security: every individual in an organization has their duties assigned. These duties and responsibilities are structured in a layered format to maintain coordination. These responsibilities are to be well understood and followed by every employee. At no point should these responsibilities, or the security of the system, be compromised.

Layered security can be achieved by providing firewalls at all possible levels. Also provide passwords for each individual system so that data loss can be recorded in a timely and accurate manner (identifying the source system).

Security and network audits: the security of the network must be subject to frequent audits, and the updates must be acted upon immediately after every review. The IT audit records must record information for all monitored systems.

Disaster planning: a proper, timely disaster recovery plan must be at hand.

The risks that the nation may face due to the lack of any of the above are as follows:

Network intrusions are the most common kind of threat faced by all organizations these days. Also, many government organizations use privately built software to conduct operations. This software is thought to be the least vulnerable, yet it is prone to attacks every now and then. The best example of such data leaks is the organization WikiLeaks, which hosts many high-security documents.

The efforts involved in producing this document have been evenly distributed among every member in the team. The responsibilities include:
