Security Considerations – CompTIA Security+ SY0-701 – 5.1

There are many requirements associated with IT security. In this video, you’ll learn about regulatory requirements, legal issues, industry standards, and more.


IT security professionals have to be aware of the regulations that apply to the organization they work for and to the type of data it collects. This covers not only the information stored by an application but also the log files that application creates. There may also be a requirement to retain certain types of information for an extended period of time, which affects how storage, backups, and log management are designed.

For example, some organizations are mandated to store email for a certain number of years and to be able to produce that data on request. One regulation that many organizations are mandated to follow is Sarbanes-Oxley, usually abbreviated as SOX. This is officially the Public Company Accounting Reform and Investor Protection Act of 2002, and it focuses on the accuracy and integrity of an organization's financial reporting.

Sarbanes-Oxley is relatively broad and can affect many different parts of the organization. From an IT perspective, we want to be sure that all of our financial data is protected from unauthorized change and that the information is available to the proper individuals within the organization. And if you're in health care, you're certainly familiar with HIPAA, the Health Insurance Portability and Accountability Act. Note the spelling: one P and two As.

This mandate ensures that health care information is protected. It covers not only the data stored by health care providers, but also how that information is transferred and how it is disclosed to third parties. If you're working in IT security, there will certainly be legal requirements associated with part of your job. This means the organization needs a set of formal processes and procedures that allow the IT team to report any illegal activity it discovers.

The IT security team is also responsible for responding to a legal hold. A legal hold suspends normal deletion and retention schedules so that the relevant data remains available for any future legal proceedings. Many jurisdictions also have rules on the books regarding the disclosure of security breaches. This means that if your organization discovers a breach, it is legally required to disclose that breach within a specified time frame. The rules around disclosure, including who must be notified and how quickly, differ by jurisdiction, so you'll need to follow the legal requirements in your particular area.

And although cloud computing is a significant advantage to the technologist, it creates a number of challenges from a legal perspective. With cloud computing, we can create application instances anywhere in the world, and the data associated with those applications may also be stored anywhere in the world. However, there may be legal restrictions on where information can be stored. For example, some countries require that any data collected from their citizens must remain within that country's borders, which means the choice of cloud region becomes a compliance decision rather than just a performance or cost decision.

We might also have different security considerations for different industries. Organizations work in different ways, and how IT security is handled will differ between environments. For example, if we're dealing with public utilities or electrical power generation, there may be a set of very strict requirements on who can access those systems and how. As a result, power-generation control systems are often air-gapped from the rest of the network, with no direct connection to the corporate network or the internet.

This is very different from a medical environment, where the information needs to be readily available to the clinicians who treat a patient, but it also needs to be highly secure. This is why, in a medical environment, you may find extensive data encryption and other protection technologies. These allow the medical professionals to access our private medical information while keeping it private from everyone else.

We also have different security considerations depending on the scope of the organization. If an organization has a local or regional focus, its data tends to relate to what's happening in that specific area. For example, a city or county government may collect records and other information that it uses to manage that city or county.

As the geographic scope increases to the national level, we're now dealing with issues associated with a much larger federal government and things like national defense. This might also include communication between the multiple states that make up that national organization. And since the need for confidentiality is much greater at the national level, we may introduce additional technologies for encryption and data protection.

A global company has additional security concerns, since it has offices located in different countries. This can be a relatively complex endeavor, because the laws for data protection and data security differ depending on where in the world the office and its data happen to be.