Case Study in IT Security Management - Part 4: Legal and Ethical Concerns

Published: November 30, 2011

Some of the well known regulations that affect publicly traded corporations do not apply to Pace Heating because the organization is not publicly traded. Therefore, Pace does not need to ensure compliance with the Sarbanes-Oxley (SOX) Act of 2002. Pace Heating is also exempt from the Gramm-Leach Bliley Act, which “requires financial institutions to protect the security and confidentiality of their customers’ nonpublic personal information” (Moteff, 2004). There are, however, a number of laws enacted that Pace Heating is responsible to ensure compliance with.

Pace Heating receives credit card payments from customers so compliance with the Payment Card Industry Data Security Standards (PCI DSS) is mandated. “The PCI DSS applies to any entity that processes, transmits, stores, or accepts credit card data” (Harris, 2008, p. 858).

The benefits that Pace provides to employees include health insurance so the organization may fall under regulations set forth by the Health Insurance Portability and Accountability Act (HIPAA) of 1996.

The Health Insurance Portability and Accountability Act of 1996, … authorizes the Secretary of Health and Human Services to adopt standards that require health plans, health care providers, and health care clearinghouses to take reasonable and appropriate administrative, technical and physical safeguards to: ensure the integrity and confidentiality of individually identifiable health information held or transferred by them; … (Moteff, 2004).

Complying with the licensing regulations of the State of Ohio and the localities where Pace Heating provides service to customers is a matter for the company’s operations staff and outside of the scope of this paper. However, the information assets of the organization support those activities so those resources should receive no less protection effort than those required for specific IT related regulations.

Security Controls Impact on Privacy

The implementation of security controls would have a positive impact on the privacy of both the employees and customers of Pace Heating. The present lack of security controls at the organization place the privacy of personal information of all individuals with records on the organization’s file server at risk. Specifically, the lack of access controls, lack of data encryption, and absence of restricted Internet access provide an environment of free access to all; which could result in a compromise of privacy information.

Shoring up the above mentioned deficiencies would protect the information that should be afforded privacy guarantees. These controls would not only protect the privacy rights of individuals but would also help protect the company from the litigation that may result if such information were compromised or released.

As the principal provider of IT and security services for Pace Heating, the engineers and consultants from the Lakota Group should maintain the highest ethical standards with regard to their relationship with Pace Heating and Air Conditioning as well as with the public at large. These ethical standards and obligations should aim to promote a secure environment and promote trust between the organization and the public. The major ethical obligations that the Lakota Group should maintain are summarized as follows:

• Protect society, the commonwealth, and the infrastructure
• Act honorably, honestly, justly, responsibly, and legally
• Provide diligent and competent service to principals
• Advance and protect the profession

(International Information Systems Security Certification Consortium, Inc., 2009)

Compliance Strategies

The most effective strategies to ensure compliance with the aforementioned regulations are to implement access controls. Workstations should require individual authentication for physical access and access to specific information assets should be restricted to individuals with a need to know. For instance, licensing information should only be available to the company president and accounting information should only be available to the accountant. Incoming Internet connections should be restricted to the VPN connections for the service providers and casual web browsing should be limited.

An outside audit of the procedures in place with regard to the processing of credit card transactions is called for and an audit for compliance with HIPAA requirements would also be in order. These audits would evaluate the gaps between what controls are in place and the controls that are necessary for compliance. Any recommendations made by the auditing agency should then be strictly adhered to.

As a contracting organization providing Heating Ventilation and Air Conditioning (HVAC) service in the State of Ohio, Pace Heating and Air Conditioning, Inc., falls under various state and local regulations that regulate such services. The main legal issue that affects HVAC contractors is that of licensing. Licensing regulations apply at both the state and local levels.

Some of the Information Assets of Pace Heating directly support the organizations requirements for filing for licenses and renewals of such licenses. Other legal issues deal with protecting the financial information of the organization, employees, and customers. This paper discusses the legal, regulatory, and ethical considerations that Pace Heating must comply with to protect information assets as they relate to compliance with regulations and the ethical considerations of the individuals providing that protection.

Handling and Management of Information Assets

Information assets should be handled with the care and respect afforded to other more tangible assets. The information assets of Pace Heating permit the company to operate in an efficient manner and the loss of those assets would gravely affect the organization’s ability to continue to operate. Complying with regulations and implementing the necessary controls will help protect the company from the loss of those assets and from possible litigation.

Many of the actions related to managing the information assets of Pace Heating fall outside the direct control of the organization and have been outsourced to a local provider. The management of Pugh Heating should periodically review the performance of outside service providers to ensure that the service providers are maintaining the necessary states of due care and due diligence.

Continue to Part 5: Implementation, Maintenance, and Conclusion

Return to Part 3: Risk Management Plan

Harris, S. (2008). All in One CISSP Exam Guide (4th Ed.). New York, NY: McGraw-Hill.

International Information Systems Security Certification Consortium, Inc., (2009). (ISC)² code of ethics. Available from http://www.isc2.org/ethics/default.aspx

Moteff, J. (2004). Computer security: A summary of selected federal laws, executive orders, and presidential directives. Congressional Research Service. Available from http://www.fas.org/irp/crs/RL32357.pdf