Debriefing on the First Annual Information Security Compliance and Risk Management Institute: Topics, Problems and Future Directions
Barbara Endicott-Popovsky, John Christiansen, Jane Winn
John detailed the “train-wreck” combination of technological development, information policies, and legal standards. In brief: information technologies are new; information protection standards are newer; information protection laws are generally newer still; and information protection laws are proliferating and overlapping.
More on information protection laws: US law in this area has developed reactively and sector by sector. For example, after a security breach of consumer information in California, California legislators responded by requiring government agencies and organizations to notify people in the event of a breach, unless the information was encrypted. Soon, other states adopted this law (often copying whole segments of the California draft). Much US law has followed this approach: an incident in one sector leads to a legal reaction, which is then adopted by other sectors. Thus these laws proliferate and overlap. In the case above, the notification requirements overlap with the requirements of HIPAA.
There is confusion about governance. Who is responsible for IT governance in an organization? The CISO, the CIO, the CFO, General Counsel?
What values and factors guide IT governance decisions? Legal compliance? Financial constraints? Business opportunities or risk? John argues that the final decision should rest with the fiduciaries and not with the network administrators; after all, the administrators have an agenda of their own.
From here, John navigated through a variety of issues, most stemming from the gap between law and IT. Roughly put, legal advisors hit the limits of their understanding of technology, and IT professionals fear unnecessary constraints. Also, the technical landscape is so underexplored that there is a constant threat of undiscovered security holes, new software attacks, and deprecated technologies. Consider the previous example. An organization is exempt from sending notification if the stolen information was encrypted. However, the drafted law does not account for the nuances of cryptography. A “strong” encryption algorithm today may be found to be flawed and easily broken tomorrow. The law is not clear about who is legally negligent when a company uses encryption, suffers a breach, does not notify its customers, and later finds that the information was decrypted by newer technology.
Steps for the future include: more communication among disciplines (law, IT, etc.); legal education that trains IT legal experts; safe harbor legislation; unified compliance frameworks.
Discussion
The values discussion is very important. Who is in on the discussion of values? You should bring in more perspectives, such as philosophers.
Response: Agreed. Currently, values discussions happen at vendor-driven conferences, where the vendors of commercial products set the agenda. There needs to be a broader and deeper perspective.
One attendee mentioned that she has seen the same gap between IT expertise and legal expertise surface in her work with Information Services with reservations. She noted that these issues are not merely inter-organizational but also international.
Another comment validated the CIO’s perspective: organizations that are overly strict about sharing information make things very inconvenient for their constituents. It is possible to follow the legal standards in a way that is counterproductive to the goals of the organization, and that is not a very good solution.
Lastly, there was a discussion about legal requirements for the preservation of data that highlighted the multi-disciplinary nature of these issues. John had mentioned that organizations are required to keep data “forever,” which presents a practical problem: who could keep floppy disks forever? Audience members pointed to the scholarly work of archivists in digital records management and migration. Here was a discipline that had already investigated the same problems the legal community was just beginning to grapple with (What is a document? What should you archive? How do you migrate from old technology to new?).
Jane Winn pointed out the strong divide between practice and principle. She accepted the contribution that archivists brought to the table and made a recommendation for how to proceed. She noted that, despite the problems of common law developing incident by incident, producing law from principles is also tricky. For example, the environmental controls written in the 1970s were intended as minimum standards by which organizations should abide. In practice, however, they became ceilings: organizations that met the standards refused to change organizational policy for fear of breaking their already compliant setup. The problem was that the legal initiative alone backfired. She recommended instead a layered approach, inviting initiative from industry, law, and academia. With regard to information assurance, I assume this requires more collaboration and communication among the disciplines and among industry, government, and academia.