Information Security

by Andy Taylor

Legal aspects

The Data Protection Act is one of many pieces of UK legislation that are principally about information security. If an organisation chooses to become compliant with the international information security standard ISO27001, then the standard will largely cover dealing with the relevant legislation as well. If not, then special efforts may be needed to comply with the legislative requirements.

Other areas of legislation will include those dealing with intellectual property, radio transmissions (for the transmission of information), personal and commercial privacy, structured information protection (such as databases or archives), the use of cryptography and so on.

Each country has its own legislation and it is vital that a suitably qualified and experienced practitioner in the relevant law of the land is consulted in areas where there might be some unusual legal issue to address.

In general, though, most business managers will have common sense and a realistic basic knowledge of the law as it applies in the relevant country. This should normally be enough for most of their information security work. In the UK, the Information Commissioner, who is responsible for the Data Protection Act and related legislation, provides a wealth of information to help improve the general understanding of what the various acts require.

Are there any other legal issues I need to worry about?

Perhaps the area most often neglected in terms of the relevant legislation is that of employment legislation. Unless the appropriate clauses are put into employment contracts, it may well be impossible to take legal or disciplinary action against individuals who do the wrong thing (deliberately or otherwise). See the topic on Employment Contracts.

In the same way, it is critical that appropriate statements are included in the contracts of third-party suppliers. Very often, for example, a computer is sent off site for repair and it is merely assumed that the engineer will respect the privacy of the information stored on it.

It is common nowadays to invite specialists to come in to test the integrity of a computer system – to try to hack into it to make sure it is safe, an activity commonly known as penetration testing or ‘pen testing’. Without an appropriate and specialised contract, they may well be breaking the law in the course of their work, and the information to which they might gain access could be at risk. Naturally, any reputable company offering such services will have thought this through and will provide an acceptable contract. Nevertheless, it is the employing organisation that is principally at risk and needs to protect its interests. The manager in charge of such a piece of work should be well aware of the potential issues and how they are to be addressed.