Information Security Jobs: Legal, Regulations, Investigations, and Compliance

By Peter H. Gregory

Because of their integral role in supporting business processes, information systems (and thus, information security professionals) are in the crosshairs of laws and regulations. Computers are frequently involved in civil and criminal investigations, requiring forensic procedures when collecting evidence from computers and other electronic devices.

Basic concepts in legal, regulations, investigations, and compliance

Even though security professionals are not attorneys, they must understand the laws, regulations, and other legal requirements that drive compliance efforts in organizations. Likewise, security professionals need to know how security investigations should be conducted. This is fun stuff!

Computer crime laws

Many countries have enacted computer crime laws that define trespass, theft, and privacy in the context of information systems. In the history of law, computers are still new, and the development of laws is ongoing and changing frequently.

This high rate of change in laws, regulations, and legal standards presents a challenge to information security and legal professionals as they strive to remain compliant with these laws and also to recognize cybercrimes when they occur.

Managing compliance

Compliance is a matter of adhering to laws, regulations, contractual obligations, and policies. It takes a determined effort to know all compliance obligations in an organization, and more effort to achieve compliance. Many organizations develop or adopt a framework of controls to track compliance on an ongoing basis. Suitable frameworks include

  • COBIT (Control Objectives for Information and Related Technology): Developed by ISACA, COBIT is a highly regarded framework for IT operations.

  • COSO (Committee of Sponsoring Organizations of the Treadway Commission): Developed as a result of financial accounting scandals in the 1990s, COSO provides guidance for IT control frameworks for U.S. publicly traded companies.

  • ISO27002:2013: The international standard for information security management, which establishes a process for developing and managing controls.

Security investigations and forensics

Security investigations are an organization’s response to isolated security incidents that have little direct effect on business operations. Still, the events requiring investigation can be important in other ways because they can have significant legal implications.

Any computer-related event in an organization that could lead to future legal action may require an investigation conducted under forensic rules of evidence. These rules include

  • Evidence collection and preservation

  • Evidence chain of custody

  • Evidence collection recordkeeping

  • Evidence examination recordkeeping

For an organization to prevail in any related legal proceedings, it is important that these forensic procedures be carried out by a trained individual with dedicated tools and hardware.
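The evidence-handling rules above (collection and preservation, chain of custody, collection and examination recordkeeping), as an added example that is not from the original article: a Python script that hashes collected evidence at acquisition and keeps an append-only custody log in which each entry commits to the previous one, so both a changed evidence file and an edited log entry are detectable. The item IDs, handler names, and the sample evidence file are all constructed here.

```python
import hashlib, json, tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_of(path):
    """Hash the file in 1 MiB chunks so a disk image need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""): h.update(block)
    return h.hexdigest()

class CustodyLog:
    """Append-only chain-of-custody record; each entry commits to the one before."""
    def __init__(self):
        self.entries = []
    def _append(self, **fields):
        fields["time"] = datetime.now(timezone.utc).isoformat()
        fields["prev"] = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        body = json.dumps(fields, sort_keys=True).encode()
        fields["entry_hash"] = hashlib.sha256(body).hexdigest()
        self.entries.append(fields)
        return fields
    def acquire(self, item, path, handler, notes=""):
        # The hash taken at collection is the reference every later check uses.
        return self._append(action="acquire", item=item, handler=handler,
                            sha256=sha256_of(path), notes=notes)
    def transfer(self, item, from_handler, to_handler):
        return self._append(action="transfer", item=item, handler=to_handler,
                            from_handler=from_handler)
    def verify_item(self, item, path):
        """True if the file still hashes to the value recorded at acquisition."""
        acq = next(e for e in self.entries if e["action"] == "acquire" and e["item"] == item)
        return sha256_of(path) == acq["sha256"]
    def chain_intact(self):
        """Recompute every entry hash; False if any entry was edited after the fact."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["prev"] != prev or digest != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True

def demo():
    # Constructed scenario: collect, transfer, then detect file and log tampering.
    path = Path(tempfile.mkdtemp(), "evidence.img")
    path.write_bytes(b"constructed sample evidence image\n")
    log = CustodyLog()
    log.acquire("E-001", path, "analyst A", "placeholder case note")
    log.transfer("E-001", "analyst A", "lab B")
    before = (log.verify_item("E-001", path), log.chain_intact())
    path.write_bytes(path.read_bytes() + b"!")  # evidence altered after collection
    log.entries[0]["handler"] = "someone"       # log entry edited after the fact
    return before + (log.verify_item("E-001", path), log.chain_intact())
```

In practice the log would be written to write-once storage or signed by the handler at each step; the hash chain only makes after-the-fact edits visible, it does not by itself prove who made them.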

Emerging issues in legal, regulations, investigations, and compliance

The issues keeping security professionals awake at night include these:

  • Rapid onset of new laws and regulations: New laws on computer operations, security, and privacy are enacted and updated at a rate that makes it hard to keep up with their details, never mind figure out how to be compliant with them.

  • Jurisdictional issues: Many new laws have greater jurisdictional reach than in the past. For example, privacy laws in many U.S. states have jurisdiction across state lines, and international privacy laws affect many organizations not located in countries that passed the laws. These jurisdictional issues are all about cross-border privacy, where each country passes laws requiring the protection of private data associated with its citizens, applicable regardless of the location of the organization that has the data. This issue has many corporate counsels on a steady diet of coffee and Rolaids.