
Case Study in IT Security Management - Part 4: Legal and Ethical Concerns

Updated on November 30, 2011

Published: November 30, 2011

Legal and Regulatory Compliance

Some of the well-known regulations that affect publicly traded corporations do not apply to Pace Heating because the organization is not publicly traded. Therefore, Pace does not need to ensure compliance with the Sarbanes-Oxley (SOX) Act of 2002. Pace Heating is also exempt from the Gramm-Leach-Bliley Act, which “requires financial institutions to protect the security and confidentiality of their customers’ nonpublic personal information” (Moteff, 2004). There are, however, a number of enacted laws with which Pace Heating is responsible for ensuring compliance.

Pace Heating receives credit card payments from customers, so compliance with the Payment Card Industry Data Security Standard (PCI DSS) is mandatory. “The PCI DSS applies to any entity that processes, transmits, stores, or accepts credit card data” (Harris, 2008, p. 858).

The benefits that Pace provides to employees include health insurance, so the organization may fall under regulations set forth by the Health Insurance Portability and Accountability Act (HIPAA) of 1996.

The Health Insurance Portability and Accountability Act of 1996, … authorizes the Secretary of Health and Human Services to adopt standards that require health plans, health care providers, and health care clearinghouses to take reasonable and appropriate administrative, technical and physical safeguards to: ensure the integrity and confidentiality of individually identifiable health information held or transferred by them; … (Moteff, 2004).

Complying with the licensing regulations of the State of Ohio and the localities where Pace Heating provides service to customers is a matter for the company’s operations staff and outside the scope of this paper. However, the information assets of the organization support those activities, so those resources should receive no less protection effort than is required by specific IT-related regulations.

Security Controls Impact on Privacy

The implementation of security controls would have a positive impact on the privacy of both the employees and customers of Pace Heating. The present lack of security controls at the organization places the privacy of personal information of all individuals with records on the organization’s file server at risk. Specifically, the lack of access controls, the lack of data encryption, and the absence of restricted Internet access create an environment of free access for all, which could result in a compromise of private information.

Shoring up the above-mentioned deficiencies would protect the information that should be afforded privacy guarantees. These controls would not only protect the privacy rights of individuals but would also help protect the company from the litigation that may result if such information were compromised or released.

Ethical Obligations

As the principal provider of IT and security services for Pace Heating, the engineers and consultants from the Lakota Group should maintain the highest ethical standards with regard to their relationship with Pace Heating and Air Conditioning as well as with the public at large. These ethical standards and obligations should aim to promote a secure environment and promote trust between the organization and the public. The major ethical obligations that the Lakota Group should maintain are summarized as follows:

  • Protect society, the commonwealth, and the infrastructure
  • Act honorably, honestly, justly, responsibly, and legally
  • Provide diligent and competent service to principals
  • Advance and protect the profession

(International Information Systems Security Certification Consortium, Inc., 2009)

Compliance Strategies

The most effective strategy to ensure compliance with the aforementioned regulations is to implement access controls. Workstations should require individual authentication for physical access, and access to specific information assets should be restricted to individuals with a need to know. For instance, licensing information should only be available to the company president, and accounting information should only be available to the accountant. Incoming Internet connections should be restricted to the VPN connections used by the service providers, and casual web browsing should be limited.

An outside audit of the procedures in place for the processing of credit card transactions is called for, and an audit for compliance with HIPAA requirements would also be in order. These audits would evaluate the gaps between the controls that are in place and the controls that are necessary for compliance. Any recommendations made by the auditing agency should then be strictly adhered to.

As a contracting organization providing Heating, Ventilation and Air Conditioning (HVAC) service in the State of Ohio, Pace Heating and Air Conditioning, Inc., falls under various state and local regulations that govern such services. The main legal issue that affects HVAC contractors is licensing. Licensing regulations apply at both the state and local levels.

Some of the information assets of Pace Heating directly support the organization’s requirements for filing for licenses and for renewals of those licenses. Other legal issues deal with protecting the financial information of the organization, its employees, and its customers. This paper discusses the legal, regulatory, and ethical considerations that Pace Heating must comply with to protect its information assets, as they relate to compliance with regulations and to the ethical obligations of the individuals providing that protection.

Handling and Management of Information Assets

Information assets should be handled with the care and respect afforded to other, more tangible assets. The information assets of Pace Heating permit the company to operate in an efficient manner, and the loss of those assets would gravely affect the organization’s ability to continue to operate. Complying with regulations and implementing the necessary controls will help protect the company from the loss of those assets and from possible litigation.

Many of the actions related to managing the information assets of Pace Heating fall outside the direct control of the organization and have been outsourced to a local provider. The management of Pugh Heating should periodically review the performance of outside service providers to ensure that the service providers are maintaining the necessary states of due care and due diligence.

References

Harris, S. (2008). All in One CISSP Exam Guide (4th Ed.). New York, NY: McGraw-Hill.

International Information Systems Security Certification Consortium, Inc. (2009). (ISC)2 code of ethics. Available from http://www.isc2.org/ethics/default.aspx

Moteff, J. (2004). Computer security: A summary of selected federal laws, executive orders, and presidential directives. Congressional Research Service. Available from http://www.fas.org/irp/crs/RL32357.pdf
