The Law in Information Security Management Katherine H. Winters This case study is designed to provide insight into the relationship between the law and information security management. A fictitious...

The Law in Information Security Management Katherine H. Winters This case study is designed to provide insight into the relationship between the law and information security management. A fictitious consulting company, K-LiWin Consulting, is used to provide cohesion. This fictitious company has four fictitious customers: a hospital, a financial securities firm, a record producer, and a nonprofit organization. Each of these organizations represents industries that have unique laws that impact their information security policy. Within the context of K-LiWin Consulting providing information security consulting services, some of these laws and regulations will be examined. This case will examine the impact of some of the major laws affecting information security such as HIPAA, the Sarbanes-Oxley Act of 2002 (SOX), the Gramm-Leach-Bliley Act of 1999, the Digital Millennium Copyright Act, and a Massachusetts statute dealing with privacy. A brief overview of each law is provided. The detail review of the law is left to the reader as an exercise. By no means is this an exhaustive list of important information security laws; it is intended to provide the reader with an appreciation of the importance of law in information security. A brief overview of the case and K-LiWin Consulting will be presented followed by details of each organization and one or more laws specific to that entity