Reasonable, appropriate, adequate…security (Part I)

June 30th, 2009 by Olga Koksharova

Most laws define security obligations with words like reasonable, appropriate, suitable, necessary, or adequate, without giving more precise directives to follow. Is this good or bad? And what should one know about these standards?

Let’s see what major security standards say about recommended security measures.

Data Protection Directive in Europe

…implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing

http://www.enisa.europa.eu/rmra/lr_privacy.html

HIPAA Security Standards: Technical Safeguards

It is important, and therefore required by the Security Rule, for a covered entity to comply with the Technical Safeguard standards and certain implementation specifications; a covered entity may use any security measures that allow it to reasonably and appropriately do so.

A covered entity must determine which security measures and specific technologies are reasonable and appropriate for implementation in its organization.

Determining which security measure to implement is a decision that covered entities must make based on what is reasonable and appropriate for their specific organization, given their own unique characteristics, as specified in § 164.306(b), the Security Standards: General Rules, Flexibility of Approach.

Read more: "Security Standards: Technical Safeguards"

The GLB Security Regulations

Effective security management requires your company to deter, detect, and defend against security breaches. That means taking reasonable steps to prevent attacks, quickly diagnosing a security incident, and having a plan in place for responding effectively.

http://www.ftc.gov/bcp/edu/pubs/business/idtheft/bus54.shtm

Does this seem rather ambiguous at first reading? It is not an inconsistency in the law that no more precise prescriptions or measures are given. On the contrary, these laws treat security as a relative and flexible concept. The set of security measures and technologies (approved passwords, password managers, encryption, and so on) is not universal across cases, organizations, or industries. It can differ, and each company has to understand the dangers specific to its own industry, company, and situation, protect sensitive information accordingly, and maintain that protection over time.

Quite wisely, security laws do not impose particular security measures; they require organizations to engage in an ongoing, repeated process*, which in turn presupposes both an understanding of how computer security evolves and the taking of timely measures. Otherwise, with technology constantly taking great strides forward, data security would get bogged down in red tape and in the need to establish, introduce, and follow a fixed list of precise measures that would soon be outdated.

*Information Security Law: The Emerging Standard for Corporate Compliance by Thomas J. Smedinghoff.




One Response to “Reasonable, appropriate, adequate…security (Part I)”

  1. I would like to add a few further points on HIPAA Security Standards: Technical Safeguards
     
    Technical safeguards are hardware, software, applications, etc. that can be implemented and/or used to act as barriers to inappropriate access or disclosure, limit access to authorized users, and act as filters protecting against any inappropriate electronic traffic (firewalls, web filters, etc.). These safeguards enforce privacy and security without necessarily requiring active participation of workforce members. However, they should be regularly monitored and tested by appropriate staff. Examples of technical safeguards are:
    Computers automatically logging off when inactive for extended periods
    Using password-protected and timed screen savers
    Being sure anti-virus, anti-spam, and anti-spy software and a firewall are installed and active and that signature files and patches are current
    Requiring some kind of authentication for access (passwords, smart cards, biometrics, etc.)
    Assigning access appropriate to job or business needs; all other access is automatically denied
    Setting audit alerts to notify IT when certain unauthorized actions occur
    Blocking certain Internet sites and e-mail content
    Disabling copying mechanisms and potentially the ability to print certain documents on computers (networked or standalone)
    Automatically encrypting transmissions of PHI and e-mail containing PHI
    Using a VPN (virtual private network) for transmitting data and for remote user communication
