AIS Attacks


Category: Business and Industry

Date Submitted: 01/25/2013 09:00 PM


Assignment 2: AIS Attacks and Failures: Who to Blame

Prepared by: Houssem Aouididi

Professor: Elias Konwufine

Course: ACC 564

Date: 5/11/12

1. Accountability and responsibility:

In order to take a position on whether a firm and its management team should or should not be held liable for losses sustained in a successful attack made on their AIS by outside sources, I need to present some facts that explain the reasoning behind my decision. Here are the facts:

* The Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA) hold affected enterprises accountable to protect private information, meaning IT must assess the risks and implement appropriate safeguards. The Sarbanes-Oxley Act of 2002 (SOX) requires companies that issue public securities to establish and maintain internal controls over their financial reporting systems and assess these controls' effectiveness in reports to the Securities and Exchange Commission (SEC). The bottom line for each of these laws is accountability, accountability that goes beyond IT's responsibility to keep information systems and data secure. Management teams must formulate policies and procedures that comply with GLBA, HIPAA and SOX and ensure these policies are implemented. Otherwise, civil and criminal penalties may apply. Fines for ignoring a specific requirement under HIPAA can reach $25,000 per violation.

* Under GLBA, banks and financial institutions have a mandate to secure private customer data. They must implement a comprehensive, written information security program with administrative, technical and physical safeguards for customer information. In addition, the institution's board of directors or an appropriate committee of the board must approve the security program and oversee its development. Individual actions to enforce the regulations may reach $1,000, and damages for a class of individuals are available up to $500,000. Beyond that, GLBA regulations...