Law and Policy in Business Organizations


One of the major goals of any business organization is to generate revenue or profit. To achieve such goals, a business must put in place structures that support its operations and direct them towards the set objectives. This document emphasizes the legal and policy structures that a firm must put in place in order to attain its set objectives.

The manuscript examines the firm’s legal environment, exploring laws, regulations and policies as well as the way they influence the security properties of information systems, namely confidentiality, integrity and availability.

Information security policies

Organizations cannot underestimate the role policies play in the attainment of their set goals. Policies determine the rules, regulations and procedures that all employees of the organization must adhere to (Gentile et al. 2005). They regulate all the functions of an organization, including its information systems. Information security within an organization ensures that all data are stored and handled securely. Policies establish the procedures through which information may be accessed and used. They also determine how such information should be kept in order to attain the required level of confidentiality, integrity and availability (Gentile et al. 2005).

Generally, two types of policies apply within an organization: business policies and public policies. Public or government policies are those issued by state organs at all levels of government, such as the federal, state and local governments (Canavan & Diver, 2007). Concerning information security, these policies provide the structures and procedures that ensure the safety and security of organizational data. In a broader context, government policies provide a framework to which organizations anchor the procedures they require to guard their information and knowledge resources (Whitman & Mattord, 2011).

On the other hand, business or organizational policies are written rules and regulations that the organization itself must adhere to (Danchev, 2003). For instance, policies guiding employee conduct are normally written in the form of a code of conduct. Information security policies must set out the procedures and guidelines through which both information and its users are protected.

An information security policy must put in place rules that govern information use by management, information system administrators and security personnel (Canavan & Diver, 2007). It must sanction violations and outline their consequences, identify the firm’s baseline position on information safety measures, help reduce the likelihood of security incidents, and support follow-up on conformity with applicable legislation (Danchev, 2003).

As indicated above, the main purpose of any policy, whether governmental or corporate, is to ensure that the risks associated with organizational data are eliminated or reduced (Gentile et al. 2005). Once these policies are put in place, organizations are expected to ensure that all stakeholders, particularly employees, are conversant with such guidelines. Further, the organization must also ensure compliance (Canavan & Diver, 2007).

Within an organization, information security policies are essential in ensuring that the risks associated with the use of information resources are minimized (Whitman & Mattord, 2011). The first step towards compliance with information security requirements is to introduce precise and enforceable policy procedures. Compliance is then sustained through staff training on the information policy and its requirements (Gentile et al. 2005).

At the same time, corporations must also develop information security policies that address sensitive matters, including the proper handling and maintenance of accounting data, passwords and user IDs, as well as how security threats should be dealt with. In addition, the company information security policy should spell out how internet connectivity and workstations are to be used securely and how employees should properly and securely use the business email system.

In essence, company information security policies are created specifically to define the procedures, rules and regulations that ensure the organization’s information resources are protected. The information security policy also informs staff of their responsibility to protect those resources and emphasizes the need to secure information while conducting business online (Danchev, 2003).

Information security laws and regulations

Regulations are the other facet that governs an entity. Regulations are instructions, sets of laws, guidelines or rulings that spell out what should be done and the way it should be done (Canavan & Diver, 2007). Regarding information security, regulations enforce security controls so as to mitigate threats. Regulations normally specify what information users should or should not do.

For instance, HIPAA provides federal requirements on how entities are to secure health information. Under its Security Rule, all covered entities must ensure the confidentiality, integrity and availability of all electronic protected health information (e-PHI) they create, receive, maintain or transmit. These entities must also protect e-PHI against reasonably anticipated threats to its security or integrity and against reasonably anticipated impermissible uses or disclosures, and must ensure compliance by their workforce.


Generally, laws, policies and regulations are put in place to standardize the working environment for the safety and welfare of all stakeholders. Similarly, information security policies provide the means through which information security is achieved. An information security policy ensures the confidentiality, integrity and availability of the organization’s data.


Canavan, S., & Diver, S. (2007). Information security policy: A development guide for large and small companies.

Danchev, D. (2003). Building and implementing a successful information security policy.

Gentile, M., Collette, R. & August, T. D. (2005). The CISO handbook: A practical guide to securing your company. Brighton, UK: Taylor & Francis.

Whitman, M. E., & Mattord, H. J. (2011). Principles of information security. Farmington Hills, MI: Cengage Learning.