Monday, August 27, 2007

Required Acknowledgement of Security Policy Changes

Legal precedents are beginning to dictate a new standard for the notification of policy changes to your customers and employees. In the "old days" organizations would post changes to information security policies on the corporate intranet, and perhaps even notify employees that these changes occurred via email or some other means. However, in legal actions where employees were terminated for violating policy and then sued for improper termination, the conclusion was that mere notification is not enough. Organizations are expected to notify employees of important policy changes, but must go a step further and verify acknowledgement by employees affected by the change.

A recent case with a telecommunications provider seems to indicate that this standard applies to customers as well. The typical line in many online privacy policies goes something like "we reserve the right to change this policy at any time." While this practice is common, it is certainly not in the spirit of "open" communication with customers as outlined in the OECD Privacy Principles. This ruling came as part of a class-action lawsuit where customers sued over terms-of-service changes that were applied automatically to their accounts. However, it seems likely that an equal case could be made for changes to privacy policies that would affect the collection of personal information.

I believe it is now "best practice" to require acknowledgement of important security and privacy policy changes. I am interested to hear if this is becoming standard practice in real organizations, or just the unrealistic musings of a policy "purist."

New legislation may help prosecution of ID theft

Companies that have their identities used in phishing scams have little recourse in stopping the attacks. However, new legislation proposed by the Justice Department would expand the ability of enforcement agencies to prosecute identity theft, and adds provisions that may help corporations whose identities are used in phishing scams.

The "Identity Theft Enforcement and Restitution Act of 2007" would expand the reach of federal law to criminal activity that currently "slips through the cracks" of existing federal law. Among its many provisions, the bill would increase the ability of the federal government to prosecute criminals by expanding the definitions of the criminal activity that constitutes "identity theft" and by addressing specific technologies such as spyware and keystroke logging. The bill would also expand the rights of victims to seek restitution for the hours spent recovering from ID theft.

Several provisions introduced in the bill may help corporations fight identity theft. For example, the law would close gaps in two federal statutes by making it illegal to use not just a person's identification but also the identification of a corporation or organization "such as the name, logo, trademark", as is common in phishing attacks. Other language closes more gaps related to cyber-extortion as covered in the Computer Fraud and Abuse Act, by including threats "to steal or corrupt data on a victim's computer, or not repair damage the offender already caused to the computer."

Thursday, August 09, 2007

Contractors fined for not following security policy

In July 2007, several contractors of Los Alamos National Laboratory were fined a total of $3.3 million for failing to adequately protect data as required in their contracts. The Department of Energy (DOE) initiated formal enforcement actions against specific current and former contractors; according to the reports, investigations revealed that the contractors failed to prevent "a subcontractor employee's unauthorized reproduction of and removal of classified matter from the site." The DOE also issued a Compliance Order to Los Alamos, requiring corrective action to increase physical protection and cyber-security to safeguard classified information.

This is another example that illustrates the importance of two areas of security policy related to third-party contractors. First, information security requirements should be included in all written contracts (apparently so in this case). Second, the organization must establish procedures for periodic monitoring of all third-party contractors for compliance with information security policies. Information Security Policies Made Easy includes over 100 separate security policy controls for managing third-party relationships.

Regulatory Requirements for Information Security Policies

Some organizations still receive little management support or funding for a sound information security policy program. Within the last several years, however, numerous federal, state and international regulations have been passed that require the protection of information. Many organizations are now enhancing their information security policies in response to legal and regulatory requirements.

In some cases, these regulations are very specific about the requirements for written security and privacy policies. In other cases, a regulation simply requires safeguards that are "appropriate" for the size and type of organization. In those cases, enforcement agencies and auditors must defer to accepted best practices or frameworks for guidance, all of which require written policies. Examples of these are the Generally Accepted Information Security Principles (GAISP), Control Objectives for Information and Related Technology (COBIT®) and ISO/IEC 17799.

This information security policy requirements table contains a partial list of security or privacy-related regulations and their specific information security policy requirements. Where appropriate, the list includes the security policy requirements of several key frameworks used to manage compliance with various regulations. Organizations may use this table to help build a case to senior management that written security policies are "not just a good idea, they're the law."