Chapter 8 Securing Information Systems 339
providing penalties for breaches of medical privacy, disclosure of patient records by e-mail, or unauthorized network access.
If you work in a firm providing financial services, your firm will need to comply with the Financial Services Modernization Act of 1999, better known as the Gramm-Leach-Bliley Act after its congressional sponsors. This act requires financial institutions to ensure the security and confidentiality of customer data. Data must be stored on a secure medium, and special security measures must be enforced to protect such data on storage media and during transmittal.
If you work in a publicly traded company, your company will need to comply with the Public Company Accounting Reform and Investor Protection Act of 2002, better known as the Sarbanes-Oxley Act after its sponsors Senator Paul Sarbanes of Maryland and Representative Michael Oxley of Ohio. This act was designed to protect investors after the financial scandals at Enron, WorldCom, and other public companies. It imposes responsibility on companies and their management to safeguard the accuracy and integrity of financial information that is used internally and released externally. One of the Learning Tracks for this chapter discusses Sarbanes-Oxley in detail.
Sarbanes-Oxley is fundamentally about ensuring that internal controls are in place to govern the creation and documentation of information in financial statements. Because information systems are used to generate, store, and transport such data, the legislation requires firms to consider information systems security and other controls required to ensure the integrity, confidentiality, and accuracy of their data. Each system application that deals with critical financial reporting data requires controls to make sure the data are accurate. Controls to secure the corporate network, prevent unauthorized access to systems and data, and ensure data integrity and availability in the event of disaster or other disruption of service are essential as well.
ELECTRONIC EVIDENCE AND COMPUTER FORENSICS
Security, control, and electronic records management have become essential for responding to legal actions. Much of the evidence today for stock fraud, embezzlement, theft of company trade secrets, computer crime, and many civil cases is in digital form. In addition to information from printed or typewritten pages, legal cases today increasingly rely on evidence represented as digital data stored on portable storage devices, CDs, and computer hard disk drives, as well as in e-mail, instant messages, and e-commerce transactions over the Internet. E-mail is currently the most common type of electronic evidence.
In a legal action, a firm is obligated to respond to a discovery request for access to information that may be used as evidence, and the company is required by law to produce those data. The cost of responding to a discovery request can be enormous if the company has trouble assembling the required data or the data have been corrupted or destroyed. Courts now impose severe financial and even criminal penalties for improper destruction of electronic documents.
An effective electronic document retention policy ensures that electronic documents, e-mail, and other records are well organized, accessible, and neither retained too long nor discarded too soon. It also reflects an awareness of how to preserve potential evidence for computer forensics. Computer forensics is the scientific collection, examination, authentication, preservation, and analysis of data held on or retrieved from computer storage media in such a way that the information can be used as evidence in a court of law. It deals with the following problems:
MIS_13_Ch_08 Global.indd 339 1/17/2013 3:10:20 PM