Network Security Assessment: From Vulnerability to Patch

The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the Ask the Author form.
Q: Why can't I advise customers about compliance with HIPAA or SOX information security requirements if I'm a knowledgeable information security consultant?
A: Doing so would not only put you at risk of violating state law prohibitions against the unauthorized practice of law, but would also fail to provide your customers with either attorney-client privilege protection against disclosure of vulnerability information or an advice-of-counsel defense.
Q: Why doesn't my in-house lawyer's involvement give me sufficient attorney-client privilege protection?
A: Contracting information security evaluations through in-house counsel is better than not having that involvement. However, as discussed, courts in multiple jurisdictions impose a higher standard for allowing attorney-client privilege for in-house counsel than for outside, retained lawyers.
Q: How often do I need to have information security evaluations?
A: Courts and regulators will apply a reasonability determination on this question, and it will be fact-specific, depending on the industry you are in, the types and amount of sensitive information you hold, and the then-current status of legal and regulatory requirements applicable to your business. In general, however, they should probably be no less frequently than once...