CHAPTER 1:
INTRODUCTION

A key challenge for all IT executive teams is to ensure that the organization avoids breaches of any criminal or civil law, as well as any statutory, regulatory or contractual obligations, and of any security requirements.

Control A.15.1.1 of ISO/IEC 27001:2005 (the best-practice information security management standard) provides guidance that is relevant to the IT governance of every organization. It says that the organization should explicitly define and document the statutory, regulatory and contractual requirements for each of its information systems, and that this documentation should be kept up to date to reflect any relevant changes in the legal environment.

The specific controls and individual responsibilities to meet these requirements should be similarly documented and kept up to date, and should be linked to the list of all the data assets and processes in the organization, together with their ownership details.

The outline of relevant legislation in this Pocket Guide is not intended to be authoritative: the US legal system is a complex one that has evolved over hundreds of years.

Current legal advice must be taken from qualified, specialist legal counsel if an organization wants or needs to rely on any matter identified here.

Equally, it should be noted that this Pocket Guide deals with key current compliance issues for organizations based or operating in, or supplying customers in, the United States. Laws are likely to be different in other countries and, therefore, organizations that are based elsewhere should take specialist local advice. Organizations based in the United States with operations elsewhere in the world will need to deal with the US requirements as well as those of the foreign countries in which they operate and, again, specialist legal advice should be taken.

Web trading (even for US-domiciled corporations) could potentially take place in a multitude of countries, and the law in this area is constantly changing and developing. Any organization that is trading across the web without limits on who may access its website should take specialist advice to ensure that its contractual and trading terms are watertight; that issues of jurisdiction have been resolved, including which law (that of the country in which the server is based, or in which the organization is based, or in which the customer is based, or to which delivery is made) will apply to any transaction; and that there is an appropriate acceptance and/or waiver of liability on the entrance to the website.

State-level privacy laws across the United States may have relevance to e-commerce businesses throughout the world.
