NIST and Basic US Laws Regulating the Safety of the IT Industry: Morals, Ethics, and Social Mores Necessary
11-17-2017
Unit 6 Discussion 1 Response 1 Keating
Response from: Miss. Bayo Elizabeth Cary, AA,
BA, MLIS
Information Security professionals are exposed to confidential and sensitive information regularly. It is only natural that Information Security professionals have exposure to data that could have the potential to damage the company in multiple ways. Being part of the Information Security profession for many years, I have been exposed to multiple situations that required confidentiality. The Data Loss Prevention (DLP) process is one of the more sensitive issues that I have experienced in recent history.
DLP is the process of ensuring that data is not transported to places it is not authorized to be. Several applications can be used to review the activities of employees throughout the organization. Implementing DLP was a sensitive subject, as there is a level of "monitoring" of employee activities on devices that have company data, such as laptops and mobile devices. There was concern about how much monitoring is needed to protect data and how much was too far. We settled on only scanning information for social security numbers, account numbers, and driver's license numbers. On mobile devices, an employee was required to input a PIN to access the device. These profiles were reviewed by legal and senior management. There is a legal component when monitoring employees, along with the basic ethical challenge of how much monitoring is crossing an ethical line.
To ensure the confidentiality of DLP alerts, a process was created that had my team directly report alerts to Human Resources. Information Security would review all employees' activities, as mentioned earlier, which included IT and senior management. Due to the sensitive nature of DLP, it was decided that Human Resources would take the lead on investigations or issues with employees. Alerts could be triggered not only for violations of data practices, but also for unauthorized activities on the internet, such as looking up inappropriate pictures on the internet. Regardless of the violation, HR would be the most appropriate area to address these violations.
References
Andress, J. (2014). The basics of information security: Understanding the fundamentals of InfoSec in theory and practice. Retrieved from https://ebookcentral-proquest-com.library.capella.edu
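The narrow content scan Keating describes (match only social security numbers, account numbers, and driver's license numbers, then hand the alert to HR rather than keep the raw data in the security team's queue) can be sketched in code. The following is an added example and is not code from the post or from any DLP product it refers to. The regular expressions, the Luhn check used to filter account numbers, and the one-letter-plus-seven-digit license shape are assumptions chosen for illustration (driver's license formats differ by state), and the sample messages are constructed.

```python
import re
from dataclasses import dataclass

# Constructed detection rules for the three data classes named in the post.
# The scanner deliberately inspects nothing else, which is the "how much is
# too far" boundary the post describes.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# Assumed account-number shape: 13-16 contiguous digits that pass Luhn.
ACCOUNT_RE = re.compile(r"\b\d{13,16}\b")
# Assumed driver's-license shape: one capital letter followed by 7 digits.
DL_RE = re.compile(r"\b[A-Z]\d{7}\b")


@dataclass
class Alert:
    rule: str
    source: str
    redacted: str  # only a masked form of the match ever leaves the scanner


def ssn_is_plausible(area: str, group: str, serial: str) -> bool:
    """Reject SSN-shaped strings that cannot be issued numbers."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check, used to drop order numbers and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact(value: str, keep: int = 4) -> str:
    """Mask all but the last `keep` characters before the value is reported."""
    return "*" * (len(value) - keep) + value[-keep:]


def scan_text(source: str, text: str) -> list[Alert]:
    """Run the three rules over one message and return redacted alerts."""
    alerts = []
    for m in SSN_RE.finditer(text):
        if ssn_is_plausible(*m.groups()):
            alerts.append(Alert("ssn", source, redact(m.group(0))))
    for m in ACCOUNT_RE.finditer(text):
        if luhn_ok(m.group(0)):
            alerts.append(Alert("account_number", source, redact(m.group(0))))
    for m in DL_RE.finditer(text):
        alerts.append(Alert("drivers_license", source, redact(m.group(0))))
    return alerts


def scan_all(messages: dict[str, str]) -> list[Alert]:
    """Scan a batch of (source, text) pairs; the result is what goes to HR."""
    alerts = []
    for source, text in messages.items():
        alerts.extend(scan_text(source, text))
    return alerts


# Constructed sample messages (not real data). The second contains an
# SSN-shaped string with area 000 and a 16-digit number that fails Luhn,
# so neither should raise an alert.
SAMPLE_MESSAGES = {
    "laptop-17/outbox/msg1.txt": "Enrollment form for J. Doe, SSN 219-09-9999, card 4111111111111111.",
    "laptop-17/outbox/msg2.txt": "Ticket 000-12-3456 and order 1234567890123456 shipped; license D1234567 on file.",
    "laptop-17/outbox/msg3.txt": "Lunch is at noon.",
}

if __name__ == "__main__":
    for alert in scan_all(SAMPLE_MESSAGES):
        print(f"{alert.rule:16} {alert.source:28} {alert.redacted}")
```

The alert record carries only a masked value, so the review queue that Information Security hands to HR does not itself become a second copy of the sensitive data; the validity checks keep the scanner from flagging ticket numbers and order numbers that merely look like the target data.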
Response from: Miss. Bayo Elizabeth Cary, AA,
BA, MLIS
On the one hand, companies are struggling with growing into heavily technology-driven structures of information management, but on the other, they still view the external projection of human characteristics of foremost business importance. In other words, today's corporation has changed itself into a type of "cyborg" – a creature that is half machine and half human. (Matwyshyn, 2009, p. 579)
NIST US Legal Standards and Data Loss Prevention:
Data Loss Prevention is an extensive IT field. I can only imagine how much easier it would be to place DLP monitoring on an automated system; none of the human emotions and feelings get in the way. NIST sets the standards in the US for IT and data information security in four basic areas (Burr et al., 2014, p. 31):
1. Cryptographic standards;
2. Role Based Access Control (RBAC);
3. Identification card standards, and;
4. Security automation. (Burr et al., 2014, p. 31)
The NIST provides legal guidelines for protecting information and data that should be kept confidential; however, the tendency towards human error and fraud can be dramatically reduced by taking time to care about the characteristics of who is hired. When you hire a new employee, there can be a long training and probationary period that is costly and involved. Do not take any short-cuts, or you will find yourself in a difficult legal position. The new reality of the United States is that almost everything we access on a daily basis is entirely dependent on computers, data, and information flows over the Internet; security must be the focus:
This duality in corporate identity – internal mechanization in context of external humanization – has given rise to new ethical and legal concerns. Companies increasingly rely on computer systems; yet, they do not necessarily understand their dangers and the new types of business risks these systems introduce. (Matwyshyn, 2009, p. 580)
Know Your Enemy: Who Did You Hire?
Prior to a pay-check, there needs to be a criminal background check, a double-check of references, a history of previous addresses, a credit check, a validation of all educational documents required for the employment position, etc. ID theft and fraud are on the rise. Be certain the IT staff you hire are honest and reliable; it will cut down on the amount of "monitoring" you will have to do in regards to employee activity on and off the job. American law is based on what is legally required, and not necessarily what is moral or ethical; therefore, when seeking to hire, it is the burden of an HR department to seek out those who are responsible and endowed with honest reliability and sensibilities:
Throughout his work, Thomas Dunfee explicitly called for more in-depth analysis of the relationship between law and business ethics in context of particular issues, and he rejected the idea that law and business ethics necessarily converge. Pointing to examples such as the unjust law, he cautioned against relying on law as the only source for articulating responsible corporate conduct. (Matwyshyn, 2009, p. 580)
When an employee is inappropriate, stealing or sharing information, and that employee has been trained, then the person is aware of what conduct is acceptable in the workplace. Because someone is smart enough to learn some IT information in no way means that person is also honest, ethical, or moral in any way:
Despite the E.U.'s more aggressive stance toward data protection, the United States did not have any consumer information security legislation in effect until April 2000. To date, the information security legal regime adopted in the United States to address issues of corporate data vulnerability is an imperfect patchwork of state and federal laws, widely critiqued in legal scholarship. (Matwyshyn, 2009, p. 580)
In Conclusion: Do Not Retain a Proven Felon:
People can learn information on how to do something that is complicated and difficult; then, when an opportunity arises, that same person can choose to break the law. People who have a history of making illegal choices do not alter that cognitive behavior and thought process: "deviance," and I agree, should be fired right away.
References
Burr, W., Ferraiolo, H., & Waltermire, D. (2014). NIST and computer security. IT Professional (IEEE Computer Society). Retrieved from www.computer.org/ITPro
Matwyshyn, A. M. (2009). CSR and the corporate cyborg: Ethical corporate information security practices. Journal of Business Ethics, 88, 579-594. doi:10.1007/s10551-009-0312-9