[Figure: Privacy International 2007 privacy ranking. Green: protections and safeguards; red: endemic surveillance societies.]
including the obtaining, holding, use or disclosure of such information. The European Union Data Protection Directive (EUDPD) requires that all E.U. members adopt national regulations to standardize the protection of data privacy for citizens throughout the E.U.[72]
The Computer Misuse Act 1990 is an Act of the U.K. Parliament making computer crime (e.g., hacking) a criminal offense. The act has become a model from which several other countries, including Canada and the Republic of Ireland, have drawn inspiration when subsequently drafting their own information security laws.[73]
The E.U.'s Data Retention Directive (annulled) required internet service providers and phone companies to keep data on every electronic message sent and phone call made for between six months and two years.[74]
The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) is a U.S. Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education. Generally, schools must have written permission from the parent or eligible student in order to release any information from a student's education record.[75]
The Federal Financial Institutions Examination Council's (FFIEC) security guidelines for auditors specify requirements for online banking security.[76]
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 requires the adoption of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers. Additionally, it requires health care providers, insurance providers and employers to safeguard the security and privacy of health data.[77]
The Gramm–Leach–Bliley Act of 1999 (GLBA), also known as the Financial Services Modernization Act of 1999, protects the privacy and security of private financial information that financial institutions collect, hold, and process.[78]
Section 404 of the Sarbanes–Oxley Act of 2002 (SOX) requires publicly traded companies to assess the effectiveness of their internal controls for financial reporting in annual reports they submit at the end of each fiscal year. Chief information officers are responsible for the security, accuracy and the reliability of the systems that manage and report the financial data. The act also requires publicly traded companies to engage with independent auditors who must attest to, and report on, the validity of their assessments.[79]
The Payment Card Industry Data Security Standard (PCI DSS) establishes comprehensive requirements for enhancing payment account data security. It was developed by the founding payment brands of the PCI Security Standards Council – including American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International – to help facilitate the broad adoption of consistent data security measures on a global basis. The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures.[80]
State security breach notification laws (California and many others) require businesses, nonprofits, and state institutions to notify consumers when unencrypted "personal information" may have been compromised, lost, or stolen.[81]
The Personal Information Protection and Electronic Documents Act (PIPEDA) of Canada supports and promotes electronic commerce by protecting personal information that is collected, used or disclosed in certain circumstances, by providing for the use of electronic means to communicate or record information or transactions, and by amending the Canada Evidence Act, the Statutory Instruments Act and the Statute Revision Act.[82]
Greece's Hellenic Authority for Communication Security and Privacy (ADAE) (Law 165/2011) establishes and describes the minimum information security controls that should be deployed by every company which provides electronic communication networks and/or services in Greece in order to protect customers' confidentiality. These include both managerial and technical controls (e.g., log records should be stored for two years).[83]
Greece's Hellenic Authority for Communication Security and Privacy (ADAE) (Law 205/2013) concentrates on the protection of the integrity and availability of the services and data offered by Greek telecommunication companies. The law forces these and other related companies to build, deploy and test appropriate business continuity plans and redundant infrastructures.[84]
Information security culture

Describing more than simply how security aware employees are, information security culture is the ideas, customs, and social behaviors of an organization that impact information security in both positive and negative ways.[85] Cultural concepts can help different segments of the organization work effectively, or work against effectiveness, with respect to information security within an organization. The way employees think and feel about security and the actions they take can have a big impact on information security in organizations. Roer & Petric (2017) identify seven core dimensions of information security culture in organizations:[86]
Attitudes: Employees' feelings and emotions about the various activities that pertain to the organizational security of information.
Behaviors: Actual or intended activities and risk-taking actions of employees that have direct or indirect impact on information security.
Cognition: Employees' awareness, verifiable knowledge, and beliefs regarding practices, activities, and self-efficacy that relate to information security.
Communication: Ways employees communicate with each other, sense of belonging, support for security issues, and incident reporting.
Compliance: Adherence to organizational security policies, awareness of the existence of such policies and the ability to recall the substance of such policies.
Norms: Perceptions of security-related organizational conduct and practices that are informally deemed either normal or deviant by employees and their peers, e.g. hidden expectations regarding security behaviors and unwritten rules regarding uses of information-communication technologies.
Responsibilities: Employees' understanding of the roles and responsibilities they have as a critical factor in sustaining or endangering the security of information, and thereby the organization.
Andersson and Reimers (2014) found that employees often do not see themselves as part of the organization's information security "effort" and often take actions that ignore the organization's information security best interests.[87]
Research shows information security culture needs to be improved continuously. In Information Security