Regulations, Investigations, and Compliance Issues You Should Know About to Get a Networking Job

By Peter H. Gregory, Bill Hughes

Because of their integral role in supporting business processes, information systems and networking professionals are in the crosshairs of laws and regulations. Computers are frequently involved in civil and criminal investigations, requiring forensic procedures when collecting evidence from computers and other electronic devices. Some networking professionals will have the opportunity to work in these areas.

Basic concepts in regulations, investigations, and compliance

Even though networking professionals are not attorneys, it is helpful for them to understand the laws, regulations, and other legal requirements that drive compliance efforts in organizations. It’s also helpful for networking professionals to understand how security investigations should be conducted. This is fun stuff!

Computer crime laws

Many countries have enacted computer crime laws that define trespass, theft, and privacy in the context of information systems. In the history of law, computers are still new, and the development of laws is ongoing and changing frequently.

This high frequency in changes of laws, regulations, and legal standards presents a challenge to information security and legal professionals as they strive to be compliant with these laws and also to recognize cybercrimes when they occur.

Industry regulations

Regulations on many topics have been enacted for various industries. In the information technology world, regulations such as HIPAA (Health Insurance Portability and Accountability Act) require the protection of healthcare-related information and GLBA (Gramm–Leach–Bliley Act) require protection of customer information in the financial services industry.

Managing compliance

Compliance is a matter of adhering to laws, regulations, contractual obligations, and policies. It takes a determined effort to know all compliance obligations in an organization, and more effort to achieve compliance. Many organizations develop or adopt a framework of controls to track compliance on an ongoing basis. Suitable frameworks include

  • COBIT (Control Objectives for Information and Related Technology): Developed by ISACA, COBIT is a highly regarded framework for IT operations.

  • COSO (Committee of Sponsoring Organizations of the Treadway Commission): Developed as a result of financial accounting scandals in the 1990s, COSO provides guidance for IT control frameworks for U.S. publicly traded companies.

  • ISO27002:2013: The international standard for information security management, which establishes a process of controls development and management

Security investigations and forensics

Security investigations are an organization’s response to isolated security incidents that have little direct effect on business operations. Still, the events requiring investigation can be important in other ways because they can have significant legal implications.

Any event that takes place in an organization in the context of computers where possible future legal action is involved may require an investigation with forensic rules of evidence in play. These rules include

  • Evidence collection and preservation

  • Evidence chain of custody

  • Evidence collection recordkeeping

  • Evidence examination recordkeeping

For an organization to prevail in any related legal proceedings, a trained individual with dedicated tools and hardware must carry out these forensic procedures.

Emerging issues in regulations, investigations, and compliance

Following are two issues keeping networking professionals on their toes:

  • Rapid onset of new laws and regulations: New laws on computer operations, security and privacy are enacted and updated at a rate that makes it hard to keep up on their details, never mind figure out how to be compliant with them.

  • Jurisdictional issues: Many new laws have greater jurisdictional reach than in the past. For example, privacy laws in many U.S. states have jurisdiction across state lines, and international privacy laws affect many organizations not located in countries that passed the laws.

    These jurisdictional issues are all about cross-border privacy, where each country passes laws requiring the protection of private data associated with its citizens, applicable regardless of the location of the organization that has the data. This issue has many corporate counsels on a steady diet of coffee and Rolaids.