I've been asked to touch on the sometimes complex and always interesting relationship between security policy and the law. To begin, because I'm not a lawyer, I cheerfully confess myself both unable and perhaps incompetent when it comes to delivering legal advice, be it related to security matters or other topics.
That said, it's relatively easy to describe how security policy and the law should fit together. A simple-minded way of describing the proper relationship between security policy and the law is as follows:
- Security policy must be formulated to take cognizance of all applicable laws. This includes following the dictates of security- or privacy-related law like HIPAA, the PATRIOT Act, the Gramm-Leach-Bliley Act of 1999 and so forth. It also includes following the dictates of relevant business, financial and employment law.
- Security policy cannot be formulated to require anyone to break the law.
- While security policy can be formulated to exceed what existing law requires, such additional requirements must be clearly spelled out and should be cast in a form that can be legally enforced, if necessary.
The bottom line is that individuals responsible for formulating security policy should plan on obtaining legal advice on early drafts of their documents to make sure they meet legal standards. It's also a good idea at this stage of development to make sure that such documents neither include elements that should be omitted because they're not legal or enforceable, nor omit elements that should be included because their omission may make security policy unenforceable or invalid.
Likewise, security policy documents should also be subjected to legal review as part of their approval process. This is particularly important when a company or organization provides goods or services that may somehow incur liability, and where security policy touches on those things in some way. It's also absolutely essential to make sure that security policy is not likely to be harmful to an organization on legal grounds (particularly because measurement, cost, avoidance and mitigation of risk are such an important part of how security policy should be formulated).
To better help you understand the issues involved, it's smart to learn more about security policy and the law. To that end you'll find the following resources useful:
- Legal Issues papers in the SANS online reading room.
- The Final Data Security Report from the State of California's One-Stop Steering Committee for their One-Stop Career Center System does a great job of explaining how legal concerns should map into security in general, with considerable mention of security policy.
- Careful review of security policy recommendations in multi-national security initiatives (which have passed many levels of legal review in multiple countries and legal jurisdictions), such as the Common Criteria for Information Technology Security, provides good information about formulating security policy that is legally sound (but may not sufficiently stress the need for legal review).
As long as you build in legal input and feedback at the beginning of the process and include legal review during the final steps (and remember to repeat as needed for revisions and maintenance), you should be able to cover the legal angles, so to speak.
Please feel free to e-mail me with feedback, comments or questions at etittel@iLearning.com.
About the author:
Ed Tittel is VP of Content Services at iLearning, a CapStar company, based in Austin, Texas. As creator and series editor for Exam Cram 2, Ed's worked on numerous titles on Microsoft, Novell, CompTIA and security certifications, including Security+, CISSP and TICSA.
This was first published in October 2003