Information security requirements - Interpreting the legal aspects

Published: 01 October 2008

Abstract

With information security being a focal point for business, the media and legislatures around the world, organisations face complex requirements to comply with security and privacy standards and regulations. The growing number of national and international laws and regulations, such as Sarbanes-Oxley, Gramm-Leach-Bliley and Basel II, has made organisations increasingly aware of the importance of legal compliance and of the obligations that arise from it. Meeting these obligations has become a complex web of requirements that grows exponentially as organisations cross international boundaries. This paper attempts to provide an interpretation of the legal aspects, as a starting point for clarifying the compliance issues referred to by ISO/IEC 27002 (ISO/IEC 27002, 2005; previously known as ISO/IEC 17799, 2005). ISO/IEC 27002 further mentions three sources from which information security requirements can be derived; this paper focuses on one of them, namely the legal requirements. The interpretation of the legal aspects thus forms the foundation for motivating a proposed model for determining legal requirements, which in turn indicates the relevant information security controls from the list provided in ISO/IEC 27002 to satisfy the identified legal requirements.

References

[1] About Intellectual Property; 2005. Retrieved June 8, 2006, from World Intellectual Property Organization site: http://www.wipo.int/about-ip/en/.
[2] Introduction. In: Baldwin, R., Scott, C., Hood, C. (Eds.), Reader on Regulation, Oxford University Press, Oxford.
[3] Brewer D, List W. Fast track ISMS certification; 2004. Retrieved May 17, 2006, from: http://www.gammassl.co.uk/topics/ics/FTISMS.pdf.
[4] Casper C. Complicated compliance; 2004. Retrieved September 19, 2005, from Tech Update IT Management - ZDNet site: http://techupdate.zdnet.com/techupdate/stories/main/Complicated_Compliance_print.html.
[5] Sources of law. In: Fouché, M.A. (Ed.), Legal Principles of Contracts and Commercial Law, LexisNexis Butterworths, Durban.
[6] Compliance. Corporate governance and IT security; 2005. Retrieved May 21, 2006, from ARTICSOFT site: http://www.articsoft.com/encryption_security.htm.
[7] European Documentation Centre; 2006. Retrieved September 14, 2007, from Leeds University Library site: http://www.leeds.ac.uk/library/subjects/edc/secondary.htm.
[8] Introduction to the law of contract. In: Fouché, M.A. (Ed.), Legal Principles of Contracts and Commercial Law, LexisNexis Butterworths, Durban, pp. 33-35.
[9] The management of risk in the information age. Computers and Security, 24(1), 16-30.
[10] In: The South African Legal System and Its Background, Juta and Co., Cape Town.
[11] Hahlo HR, Kahn E; 2004. Retrieved May 23, 2006, from: http://www.bankseta.org.za/downloads/fais/business/CP1_LG_SEC1.doc.
[12] History of 27000; March 5, 2006. Retrieved April 19, 2006, from GAMMA site: http://www.gammassl.co.uk/bs7799/history.html.
[13] Introduction to South African Law and Legal Theory. Butterworths, Durban.
[14] Guide to BS 7799 Risk Assessment and Risk Management. BSI, London.
[15] Improved ISO/IEC 17799 makes information assets even more secure; June 20, 2005. Retrieved April 10, 2006, from ISO: International Organization for Standardization site: http://www.iso.ch/iso/en/commcentre/pressreleases/archives/2005/Ref963.html.
[16] ISO 27000 News; 2007. Retrieved August 15, 2007, from: http://www.molemag.net/15.htm.
[17] ISO/IEC 17799:2005. Information technology - security techniques - code of practice for information security management; July 6, 2005. Retrieved April 19, 2006, from ISO: International Organization for Standardization site: http://www.iso.org/iso/en/prods-services/popstds/informationsecurity.html.
[18] ISO/IEC 27002:2005. Information technology - security techniques - code of practice for information security management; April 10, 2007. Retrieved August 15, 2007, from ISO: International Organization for Standardization site: http://www.webstore.ansi.org/FindStandards.aspx?SearchString=27002&SearchOption=1&PageNum=0.
[19] Information Security Governance: Guidance for Boards of Directors and Executive Management. Information Systems Audit and Control Foundation, United States of America.
[20] Principles of Legal Interpretation - Statutes, Contracts & Wills. Butterworth Publishers (Pty) Ltd, Durban.
[21] MSN Encarta - Dictionary; 2005. Retrieved May 23, 2006, from: http://encarta.msn.com/dictionary_1861625239/law.html.
[22] Regulation: Legal Form and Economic Theory. Clarendon Press, Oxford.
[23] Rasmussen M. Analyst Report: Revised ISO 17799 Boosts Information Security Management Relevance - Forrester; n.d. Retrieved April 16, 2006, from CSO Online.com, The Resource for Security Executives site: http://www.csoonline.com/analyst/report3730.html.
[24] Rasmussen M. Analyst Report: IT Trends 2003 - Information Security Standards, Regulations and Legislation - Giga Information Group; 2003. Retrieved May 21, 2005, from CSOonline.com site: http://www.csoonline.com/analyst/report721.html.
[25] Rasmussen M. Forrester Research: Security building blocks with ISO 17799. Presented at the Information Security Decisions Conference, New York; October 19-21, 2005. Retrieved May 3, 2006, from Security Search.com site: http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci1086284,00.html.
[26] Rasmussen M. Research Focus; 2006. Retrieved May 3, 2006, from Forrester Research: Technology research and advice site: http://www.forrester.com/ER/Research/List/Analyst/Personal/0,830,00.html.
[27] Schwartz M. Evaluating the New ISO 17799 Standard; September 6, 2005. Retrieved May 3, 2006, from ES: Enterprise Systems - Security site: http://www.esj.com/security/article.aspx?EditorialsID=1498.
[28] In: Soanes, C., Stevenson, A. (Eds.), Concise Oxford English Dictionary, Oxford University Press, United States.
[29] Tarlton Law Library; 2000. Retrieved September 14, 2007, from The University of Texas - School of Law site: http://www.tarlton.law.utexas.edu/vlibrary/outlines/ukdelleg.html.
[30] The History of ISO 17799 and BS 7799; n.d. Retrieved April 10, 2006, from: http://www.pc-history.org/17799.htm.
[31] The ISO27k Standards; 2007. Retrieved August 15, 2007, from: http://www.iso27001security.com/html/27002.html.

Cited By

  • (2023) Balancing software and training requirements for information security. Computers and Security, 134:C. doi:10.1016/j.cose.2023.103467. Online publication date: 1 November 2023.
  • (2015) Implementing information security best practices on software lifecycle processes. Computers and Security, 48:C, 19-34. doi:10.1016/j.cose.2014.09.003. Online publication date: 1 February 2015.
  • (2014) Perceived information security of internal users in Indian IT services industry. Information Technology and Management, 15:1, 1-8. doi:10.1007/s10799-013-0156-y. Online publication date: 1 March 2014.

Published In

Computers and Security, Volume 27, Issue 5-6, October 2008, 111 pages.
Publisher: Elsevier Advanced Technology Publications, United Kingdom.
Published: 01 October 2008.

Author Tags

1. Compliance
2. ISO/IEC 17799
3. ISO/IEC 27002
4. Information security
5. Information security management
6. Information security requirements
7. Legal requirements
