Law and Policy Case Study
Bradley L. Hardman
What does the word policy mean to you? This study begins with a clear definition of the word and what it means to the company. Once that is clearly defined, the next topics are regulations and laws. Those three together make up the legal environment, and they lead into a look at the impact the legal environment has on an organization. The final area to address is the confidentiality, integrity, and availability of information.

To begin, the definition of policy for our purposes comes in two parts. The first is policy as it applies to government, be it federal, state, or local. According to dictionary.com, a policy is "a course of action adopted and pursued by a government, ruler, political party, etc." (dictionary.com, 2012). This definition is fairly straightforward and should not need clarification. The second part of the definition is organizational policy: a specific course of action adopted for the sake of expediency, facility, or another purpose. This can be simply so that the organization that developed the policy can achieve a goal or objective. Policies are a necessary and critical part of any organization. They define the procedures and the set of rules that employees or members are expected to abide by. Here is another definition, from the SANS Institute: "A policy is typically a document that outlines specific requirements or rules that must be met. In the information/network security realm, policies are usually point-specific, covering a single area. For example, an 'Acceptable Use' policy would cover the rules and regulations for appropriate use of the computing facilities" (sans.org, 2012). The site goes on to point out that sometimes the term standard or guideline is used instead of policy.

Now that policy is defined, the next topic is the governing regulations and laws. Laws and regulations are closely related but not quite synonymous: laws are enacted by a legislature, while regulations are the rules that government agencies issue under the authority a law grants them. Both carry the force of law, and an organization must comply with both.
In conclusion, while the security risks of the new technology are significant, the benefits far outweigh the risks. It seems that with a capable security program in place, one that complies with the HIPAA rules, the risks will be successfully mitigated.

Congratulations! You have just been hired by a major security consulting firm that has recently won several contracts to support chief information security officers (CISOs) in the Washington, DC, area. As part of your first consulting assignment, you have been asked to research and write a short case study (three pages) in which you discuss the legal environment (i.e., policies, regulations, and laws) and its impact upon how an organization (e.g., business, government agency, nonprofit) ensures the confidentiality, integrity, and availability of information and information systems. You have one week to complete your assignment.
The immediate audience for your case study is a group of senior managers (stakeholders) in a client organization who are not familiar with information security laws and practices. These managers need a brief overview of the legal environment to assist them in reviewing and commenting upon a new governance policy for their organization’s information security program. Your case study should be general enough, however, that it can be reused with other clients.
Your supervisor has also given you a “heads up” about a trap that previous consultants have missed when completing similar work for other clients: the term policy has two meanings that you must address: (a) government policies (e.g., those issued by federal, state, local, or tribal governments) and (b) organizational policies (e.g., those written to guide an organization’s compliance with laws, regulations, and policies).
Besides aiming to be profitable, all organizations also need to put structures in place in order to achieve that goal. As discussed in this document, the focus will be on the legal environment...
References: British Columbia. (2011). Information Security Policy. Retrieved June 23, 2011, from British Columbia Web site: http://www.cio.gov
Canavan, S., & Diver, S. (2007). Information Security Policy – A Development Guide for Large and Small Companies. Retrieved June 23, 2011, from SANS Institute Web site: http://www.sans.org
Danchev, D. (2003). Building and Implementing a Successful Information Security Policy. Retrieved June 23, 2011, from Windows Security Web site: http://www.windowsecurity.com/pages/security-policy.pdf
U.S. Department of Health & Human Services. (n.d.). Summary of the HIPAA Security Rule. Retrieved June 24, 2011, from U.S. Department of Health & Human Services Web site: http://www.hhs.gov/ocrprivacy/hipaa/understanding/summary/index.html
U.S. Department of the Interior, Indian Affairs. (2011, June 24). Regulations and Information Collection. Retrieved June 24, 2011, from U.S. Department of the Interior, Indian Affairs Web site: http://www.bia.gov
Whitman, M. E., & Mattord, H. J. (2007). Legal, Ethical, and Professional Issues in Information Security. In M. E. Whitman, & H. J. Mattord, Principles of Information Security (pp. 90-94). Course Technology.
Posted 6th January by Zinsou Messan