- How Seriously Should You Take Threats to Network Security?
- Identifying Types of Threats
- Assessing the Likelihood of an Attack on Your Network
- Basic Security Terminology
- Concepts and Approaches
- How Do Legal Issues Impact Network Security?
- Online Security Resources
- Test Your Skills
How Do Legal Issues Impact Network Security?
An increasing number of legal issues affect how one approaches computer security. If your organization is a publicly traded company or a government agency or does business with either one, there may be legal constraints regarding your network security. Even if your network is not legally bound to these security guidelines, it’s useful to understand the various laws impacting computer security. You may choose to apply them to your own security standards.
One of the oldest pieces of legislation in the United States that affects computer security is the Computer Security Act of 1987. It requires government agencies to identify sensitive systems, conduct computer security training, and develop computer security plans. This law was a vague mandate ordering federal agencies in the United States to establish security measures, but it did not specify standards.
This legislation established a legal mandate to enact specific standards, paving the way for future guidelines and regulations. It also helped define terms, such as what information is considered “sensitive.” This quote is found in the legislation itself:
The term “sensitive information” means any information, the loss, misuse, or unauthorized access to or modification of which could adversely affect the national interest or the conduct of Federal programs, or the privacy to which individuals are entitled under section 552a of title 5, United States Code (the Privacy Act), but which has not been specifically authorized under criteria established by an Executive order or an Act of Congress to be kept secret in the interest of national defense or foreign policy.
This definition of the word sensitive should be kept in mind because it indicated that more than just Social Security information and medical history information must be secured.
When considering what information needs to be secured, simply answer this question: Would the unauthorized access or modification of this information adversely affect your organization? If the answer is yes, then you must consider that information sensitive and in need of security precautions.
Another more specific federal law that applied to mandated security for government systems was OMB Circular A-130 (specifically, Appendix III). This document required that federal agencies establish security programs containing specified elements. It also described requirements for developing standards for computer systems and for records held by government agencies.
Most states have specific laws regarding computer security, such as legislation like the Computer Crimes Act of Florida, the Computer Crime Act of Alabama, and the Computer Crimes Act of Oklahoma. If you’re responsible for network security, you might find yourself part of a criminal investigation. This could be an investigation into a hacking incident or employee misuse of computer resources. A list of computer crime laws (organized by state) can be found at http://criminal.findlaw.com/criminal-charges/cyber-crimes.html.