David Navetta, with Information Law Group, wrote an article for the Information Systems Security Association Journal about legal defensibility, “an integrated and holistic strategy for reducing legal risk with respect to an organization’s information security program.” In other words, to be successful as a security professional (i.e., the one who protects the information stored in a cloud), one must think like an attorney and be prepared to defend security actions in court, mindful of any liability risk in the system. This puts quite a bit of pressure on the typical IT guy who has no legal training. Navetta points out that to a judge and jury, it’s not about the implementation of the security, it’s about the choices made in implementing it – the decisions regarding the security system, which represent legal positions or arguments. In the sometimes confusing and under-regulated world of cloud computing, taking the legal defensibility of security decisions into account may serve as protection, should a lawsuit arise. Therefore, Navetta recommends that IT work closely with legal to come at security from a legal perspective, carefully documenting every security decision and its rationale, to create proof that IT was operating in a reasonable and legally defensible manner.