Information security relates to the protection of data against unauthorized access, use, disclosure, modification, corruption, recording or destruction. Cybersecurity is the protection of any data held on computers, mobile devices or electronic networks. As a compliance criterion, information security mandates the protection of data held by an organization, specifically the privacy (as applicable), confidentiality, integrity and availability of that data, in accordance with a stipulated or recognized standard. Relevant data requiring protection includes, although not exclusively, personal information, confidential information and other information collected and maintained by an organization for the purpose of carrying out its operations. Organizations may be required by law, by contract, or by industry standards to ensure a stated level of protection (the standard). Increasingly, however, managing information security risk is also dictated by the critical criteria of competitive economic considerations and reputation risk.
The privacy laws require organizations to protect personal information maintained by them, applying measures that are appropriate to the sensitivity of the particular information. This means that more sensitive information (e.g. medical, financial, employment-related) requires more stringent security protections than less sensitive information.
Outside of the privacy laws, there are no general legislative rules requiring information security. However, a number of sector-specific rules, often articulated in regulatory guidelines as opposed to legislation, apply with respect to personal information and other confidential information.
In the private sector, legal obligations to meet information security requirements, beyond the legislated or regulator-driven protection of personal information or the sector-specific rules, are typically mandated by contract or stipulated as a compliance standard that is a condition of doing business within an operational or institutional framework, as is the case with the payment card processing industry.
In contrast to the private sector, public sector bodies (government institutions, Crown agents) are subject to statutory obligations to protect all records maintained by them.
Information security compliance is therefore a requirement mandated potentially by statute but otherwise by contract, industry or institutional standards or even community expectations (based on reputation risk or public policy). Non-compliance may result in regulatory risk, civil liability (e.g. contract breach, statutory damages, civil tort claim), reputational risk or risk to competitive economic position.
Compliance requires due diligence in meeting the criterion, or specification, stipulated by the relevant reference (statute, contract, etc.). With few exceptions, compliance is not an absolute obligation but one requiring a diligent and rigorous effort to meet a standard. This is the statutory requirement and is typically embodied in contractual language. Furthermore, this is the standard that likely would be applied in any claim of civil liability resulting from a breach of security. Due diligence security compliance requires meeting recognized or, if applicable, stipulated security standards such as ISO 27000 or the Payment Card Industry’s Data Security Standard.
Compliance entails developing and executing a methodical and rigorous protocol for information security. Guidance in developing such a protocol is available from diverse public sources (see, for example, NIST, Framework for Improving Critical Infrastructure Cybersecurity, February 2014) as well as from information security specialists.
An information security protocol should include:
- Conducting an inventory of relevant information assets (data, systems, personnel)
- Identification of applicable/mandated security standards
- Identification of relevant risks (vulnerabilities, threat risk assessments)
- Development of a risk management strategy (practices, tolerances, assumptions to support RM decisions)
- Governance (policies, procedures)
- Execution of data security measures, including protective technologies
- Continuous monitoring, regular audit, and adjustment/improvement
- Incident response (including breach protocol, mitigation, recovery planning)