Law Relating to Information Security “Compliance in Uncertainty: Bringing a Little Order to a Lot of Chaos” Michael Silber Michalsons Information Technology Attorneys

Overview ICT Regulatory Hype Cycle Contextualise concept of security: information security versus national security Applicable SA legislation and shortfalls, including: The ECT Act RIC Act Draft Protection of Personal Information Bill Corporate Governance - King II Conclusions

ICT Regulatory Hype Cycle

Contextualise concept of security: information security versus national security

Applicable SA legislation and shortfalls, including:

The ECT Act

RIC Act

Draft Protection of Personal Information Bill

Corporate Governance - King II

Conclusions

Disclaimer This is not legal advice. If in doubt, consult an attorney on your specific issue! By remaining seated you agree to be bound by this disclaimer.

This is not legal advice.

If in doubt, consult an attorney on your specific issue!

By remaining seated you agree to be bound by this disclaimer.

Acts, Bills etc: Making Law (a brief interlude) Bill: Draft Law presented in Parliament Act: Law passed in Parliament Process: Introduced in Parliament usually by Minister drafted by his/her Department approved by Cabinet Sent to Committee, published for comment & debated in committee Final version sent to house for debate & vote If passed – sent to other house If passed – to President for assent Once signed by President becomes an Act of Parliament May have implementation date

Bill: Draft Law presented in Parliament

Act: Law passed in Parliament

Process:

Introduced in Parliament

usually by Minister

drafted by his/her Department

approved by Cabinet

Sent to Committee, published for comment & debated in committee

Final version sent to house for debate & vote

If passed – sent to other house

If passed – to President for assent

Once signed by President becomes an Act of Parliament

May have implementation date

South African ICT Regulatory Hype Cycle Compliance requirements develop at different rates Visibility Trough of Disillusionment Slope of Enlightenment Plateau of Productivity Business Trigger Peak of Inflated Expectations Maturity Less than two years Two years to five years Five years to 10 years More than 10 years Obsolete before plateau Key: Time to Plateau Basel I (1988) Infosec / SANS 17799 ECT Act (2002) Basel II (1999) RM / SANS 15489 PROATIA (2000) Sarbanes-Oxley Act (2002) RIC (Interception) PPI Bill (Privacy) SANS 15801 Critical Databases, Crypto Providers and ASPs Electronic Communications [Convergence] Bill (2005) King II (2002) EU Data Privacy Directive FICA

Meaning of “Security” in the SA Context ECT Act, 2002 Crypto Critical databases Cyber crime The State Information Technology Agency Act, 1998 The Electronic Communications Security (Pty) Limited Act (COMSEC) Intelligence Services Control Amendment Act, 2002 National Security Info Security Privacy & Security (Confidentiality. Integrity, Authentication SANS 17799 King 2 Infosec BPG Interception Act Draft PPI Bill, 2005 (SA Law Commission)

ECT Act, 2002

Crypto

Critical databases

Cyber crime

The State Information Technology Agency Act, 1998

The Electronic Communications Security (Pty) Limited Act (COMSEC)

Intelligence Services Control Amendment Act, 2002

Applicable Legislation Electronic Communications & Transactions Act 2002 (ECT Act) Cryptography & (draft) Regulations Critical Databases Data Privacy Cyber crime Regulation of Interception of Communications & Provision of Communication-related Information Act 2002 (RIC Act) Draft Protection of Personal Information Bill

Electronic Communications & Transactions Act 2002 (ECT Act)

Cryptography & (draft) Regulations

Critical Databases

Data Privacy

Cyber crime

Regulation of Interception of Communications & Provision of Communication-related Information Act 2002 (RIC Act)

Draft Protection of Personal Information Bill

ECT Act Cycle e -Infrastructure e -Transactions e -Data e -Communications E-Contracts are valid Methods of contract conclusion Electronic signatures Automated transactions Consumer Protection Secure payments Time and place of contract conclusion Time of sending & receipt Attribution of message to you Acknowledgement of receipt Authenticity and identity Cryptography Cyber Crime How to satisfy statutory requirements of form: (Writing; Original; Record Retention; e-Filing; Noterisation & certification) Law of Evidence Data Proterction/ Privacy Critical Databases Maximising Benefits E-Government Authentication Service Providers ISP Liability Domain Names Cyber Inspectors A B D C

Chapter V: Cryptography Providers Chapter V Cryptography Providers Register of Cryptography Providers S31 S30 S32 Registration with the Department Restrictions On disclosure of Information Application of Chapter offences S29 Chapter V: Cryptography Providers Chapter V governs the use of cryptography products and services used within the Republic. The Director General is tasked with maintaining a register of cryptography providers and their products and services. Registration is compulsory and suppliers are prohibited from providing cryptography products and services in the Republic without complying with the provisions of this Act.

Chapter lX: Protection of Critical Databases Chapter lX: Protection of Critical Databases Scope of Critical Database Protection S57 S56 S55 S54 S53 S58 Identification of critical data and databases Registration Of Critical Databases Management Of Critical Databases Restrictions On disclosure of Information Right of Inspection Non Compliance with Chapter S52 Chapter lX: Protection of Critical Databases Aim is to facilitate the identification and registration of critical databases within the Republic. Critical databases are defined as databases that contain information that if compromised could threaten the security of the Republic or the economic and social well being of it’s citizens. The Act stipulates criteria for the identification, registration and management of critical databases as well as controls to ensure that the integrity and confidentiality of data relating to and contained in these databases is maintained such as the right to audit and restrictions and penalties resulting in unauthorised or illegal disclosure of information contained in or about these databases. In November 2003 the Minister of Communications awarded a tender to a consortium of Consultants to undertake an inventory of all major databases in South Africa.

Cyber crimes I Acticle 2 - Illegal Access: The access to the whole or any part of a computer system, committed intentionally and without right Article 3 - Illegal interception: The interception made by technical means, of non-public transmissions of computer data when committed without right and intentionally Section 86(1): a person who intentionally accesses or intercepts any data without authority or permission to do so, is guilty of an offence ALSO RICA – Section 2: …no person may intentionally intercept or attempt to intercept, or authorise or procure any other person to intercept or attempt to intercept, at any place in the Republic, any communication in the course of its occurrence or transmission Definitions: computer data: representation of facts, information or concepts in a form suitable for processing in a computer system traffic data: data relating to a communication indicating origin, destination, route etc Definitions: data: electronic representations of information in any form data message: data generated, sent, received or stored by electronic means GAP: No definition of traffic data (CRI in RICA) CoE Convention on Cybercrime ECT Act

Cyber crimes II Article 6 - Misuse of devices: The production, sale, procurement for use, import, distribution or otherwise making available of a device, including a computer program, designed or adapted, or a computer password, access code, or similar date by which the whole or any part of a computer system is capable of being accessed, for the purpose of committing offences indicated in Articles 2 Section 86(3) and 86(4): - A person who unlawfully produces .. distributes or possesses any device, including a computer program or a component, which is designed primarily to overcome security measures for the protection of data, or performs any of those acts with regard to a password, access code or any other similar kind of data with the intent to unlawfully utilise such item to contravene this section, is guilty of an offence - A person who utilises any device or computer program mentioned above in order to unlawfully overcome security measures designed to protect such data of access thereto, is guilty of an offence Article 4 - Illegal interference: The damaging, deletion, deterioration, alteration or suppression of computer data committed intentionally without right Article 5 - System interference: Committed intentionally, the serious hindering without right of the functioning of a computer system by inputting, transmitting, damaging, deleting, deteriorating, altering or suppressing computer data Section 86(2): A person who intentionally and without authority to do so, interferes with data in a way, which causes such data to be modified, destroyed or otherwise rendered ineffective, is guilty of an offence CoE Convention on Cybercrime ECT Act

Cyber crimes III Article 8 - Computer-related fraud: The causing of a loss of property to another by any input, alteration, deletion or suppression of computer data, any interference with the functioning of a computer system, with fraudulent or dishonest intent of procuring, committed intentionally and without right. There is an economic benefit for the individual or for another. Section 87(1): A person who performs or threatens to perform any of the acts described in section 86, for the purpose of obtaining any unlawful proprietary advantage by undertaking to cease or desist from such action, or by undertaking to restore any damage caused as a result of those actions, is guilty of an offence Common law Article 7 - Computer-related forgery: The input, alteration, deletion, or suppression of computer data, resulting in inauthentic data with the intent that it be considered or acted upon for legal purposes as if it were authentic, regardless whether or not the data is directly readable and intelligible, committed intentionally and without right. Section 87 (2): A person, who performs any of the acts described in section 86 for the purpose of obtaining any unlawful advantage by causing fake data to be produced with the intent that it be considered or acted upon as if it were authentic, is guilty of an offence Common law CoE Convention on Cybercrime ECT Act

Cyber crimes IV Common Law: fraud, extortion, malicious damage to property etc Article 10 - Offences related to infringements of copyright and related rights Copyright Act - Section 27 Article 9 - Offences related to child pornography Films and Publication Act - Section 27(1) Other Laws Article 11: Attempt and aiding or abetting Each party shall adopt such legislative and other measures as may be to establish as criminal offences under its domestic law, when committed intentionally, aiding or abetting the commission of any of the offences established in accordance with Articles 2-10 of this Convention with intent that such offence be committed. Section 88: Any person who attempts to commit any of the offences referred to in sections 86 and 87 is guilty of an offence and is liable on conviction to the penalties set out in section 89 Any person who aids and abets someone to commit any of the offences referred to in sections 86 and 87 is guilty of an offence and is liable on conviction to the penalties set out in section 89 CoE Convention on Cybercrime ECT Act

Shortfalls No definition of traffic data Possibly inadequate sentences Proceedure No cyber inspectors Limited skills in NPA, judicial officers SAPS Criminal Procedure Act Extra territorial application Functional Equivalence Possible but limited application SABRIC Initiative

No definition of traffic data

Possibly inadequate sentences

Proceedure

No cyber inspectors

Limited skills in NPA, judicial officers

SAPS

Criminal Procedure Act

Extra territorial application

Functional Equivalence

Possible but limited application

SABRIC Initiative

Privacy

State of SA privacy regulation Privacy regulation in its infancy Protection of Personal Information (PPI) Bill and Discussion Paper released in October 2005 by South African Law Reform Commission Comments due 31 March 2006 Based on 8 principles:

Privacy regulation in its infancy

Protection of Personal Information (PPI) Bill and Discussion Paper released in October 2005 by South African Law Reform Commission

Comments due 31 March 2006

Based on 8 principles:

Principle 6 – Security Safeguards: Key Aspects Measures to ensure integrity of personal information Authority of person processing PI Security measures regarding PI by processor Notification of security compromises

Measures to ensure integrity of personal information

Authority of person processing PI

Security measures regarding PI by processor

Notification of security compromises

Interception

RICA Regulation of Interception and Provision of Communication-related Information Act 2002 Effective 30 September 2005 Customer verification – some extended Service provider directives – 28 May 2006 Live intercept & stored data (CRI) Intercept means the aural or other acquisition of the contents of any communication so as to make some or all of the contents of a communication available to a person other than the sender or recipient or intended recipient of that communication, and includes monitoring, viewing, examination or inspection of indirect communication and diversion Interception prohibited unless exception

Regulation of Interception and Provision of Communication-related Information Act 2002

Effective 30 September 2005

Customer verification – some extended

Service provider directives – 28 May 2006

Live intercept & stored data (CRI)

Intercept means the aural or other acquisition of the contents of any communication so as to make some or all of the contents of a communication available to a person other than the sender or recipient or intended recipient of that communication, and includes monitoring, viewing, examination or inspection of indirect communication and diversion

Interception prohibited unless exception

Exceptions 3 rd party (e.g. Co X) intercepts with written consent of one of parties 3 rd party (e.g. Co X) intercepts in ordinary course of business s4(1) s5(1) s6 Participant(s) intercept themselves Can intercept if party to communication Can only intercept with written consent CEO not involved No fine Business purpose exception CEO involved Fine: 2 yrs R10m DIRECTIVES

Can only intercept with written consent

CEO not involved

No fine

Business purpose exception

CEO involved

Fine: 2 yrs R10m

Business-related Interception “ health purposes” Continuous monitoring / interception System security and maintenance Automatic monitoring / interception Security Incident response Help desk responses to calls logged – internal / external Firewalls Content monitoring / interception systems Message login systems Telephone management system “ forensic purposes” Once–off, occasional, covert Investigate allegations of fraud, corruption, breach of a policy Manual monitoring / interception

“ health purposes”

Continuous monitoring / interception

System security and maintenance

Automatic monitoring / interception

Security Incident response

Help desk responses to calls logged – internal / external

Firewalls

Content monitoring / interception systems

Message login systems

Telephone management system

“ forensic purposes”

Once–off, occasional, covert

Investigate allegations of fraud, corruption, breach of a policy

Manual monitoring / interception

Interception Matrix (RICA tells you what to do but not how to do it) Reminder e-mail from IT department Waiver & consent clause in Visitor’s sign-in sheet Interception Policy Notice and Memo to Users Pro-Forma Interception Report to the Board Log-on Notice Log-on Notice Pro-Forma Interception Request Suggested clauses for HR contracts and promotions Glossary of Terms Interception Policy & Guidelines for Technical Staff + Acceptance Doc Interception Consent (incl. waiver of right to privacy and covering ECT Act) FAQ CEO Delegation of Authority to MO Acceptance of Interception Policy Interception Policy (Persons) CEO is protected by Express / Written consent demonstrated by Implied consent and reasonable efforts demonstrated by

King II and Infosec King Report on Corporate Governance for South Africa 2002

King Report on Corporate Governance for South Africa 2002

Corporate Governance?

Quotes from the Code “ The board should have unrestricted access to all company information, records, documents and property. The information needs of the company should be well defined and regularly monitored” (2.1.7)

“ The board should have unrestricted access to all company information, records, documents and property. The information needs of the company should be well defined and regularly monitored” (2.1.7)

Quotes from the Code “ The board is responsible for the total process of risk management…” (3.1.1) and “should make use of…control models and frameworks…with respect to … “safeguarding the company’s assets ( including information )” (3.1.4)

“ The board is responsible for the total process of risk management…” (3.1.1) and “should make use of…control models and frameworks…with respect to … “safeguarding the company’s assets ( including information )” (3.1.4)

Quotes from the Code “ The board is responsible for ensuring that a[n]…assessment of…key risks is undertaken…[which] should address the company’s exposure to… technology risks… business continuity and disaster recovery …” (3.1.5)

“ The board is responsible for ensuring that a[n]…assessment of…key risks is undertaken…[which] should address the company’s exposure to… technology risks… business continuity and disaster recovery …” (3.1.5)

King II Infosec BPG What is information security? Key considerations when making information security decisions? Characteristics of a sound information security agenda? An effective information security strategy Devising a successful approach to information security What directors can do

What is information security?

Key considerations when making information security decisions?

Characteristics of a sound information security agenda?

An effective information security strategy

Devising a successful approach to information security

What directors can do

Take home message I Identify your compliance criteria Identify your information holdings Sensitivity Personal information Records Prepare a file plan / information taxonomy

Identify your compliance criteria

Identify your information holdings

Sensitivity

Personal information

Records

Prepare a file plan / information taxonomy

Take home message II Adequate Information Security Policy Often drafted by IT Audit / HR / IT HR often doesn’t understand the tech issues IT Audit often doesn’t understand the legal issues and is too technical Need to address different audiences Often “knipped” and “plukked” from internet No clear understanding as to content and labeling (e.g. ECP) Myth around 17799 “compliance”

Adequate Information Security Policy

Often drafted by IT Audit / HR / IT

HR often doesn’t understand the tech issues

IT Audit often doesn’t understand the legal issues and is too technical

Need to address different audiences

Often “knipped” and “plukked” from internet

No clear understanding as to content and labeling (e.g. ECP)

Myth around 17799 “compliance”

GENERAL INFORMATION SECURITY POLICY INFORMATION POLICIES ACCESS CONTROL POLICIES TECHNICAL POLICIES BUSINESS CONTINUITY INFORMATION CLASSIFICATION Information Ownership Policy Information Management Policy Encryption & Transmission Policy Media Handling Policy Password Policy User Policy Acceptable Usage Policy 3 rd Party Access Policy Development Review Patch Management Architecture Policy Infrastructure Policy System Audit Policy Business Continuity Policy Backup & Restore Policy Disaster Recovery E-mail Policy Telecommuting Policy Privacy, Interception & Monitoring Policy Employee Exit Policy LEGAL COMPLIANCE RISK MANAGEMENT BEST PRACTICE

Information Ownership Policy

Information Management Policy

Encryption & Transmission Policy

Media Handling Policy

Password Policy

User Policy

Acceptable Usage Policy

3 rd Party Access Policy

Development Review

Patch Management

Architecture Policy

Infrastructure Policy

System Audit Policy

Business Continuity Policy

Backup & Restore Policy

Disaster Recovery

E-mail Policy

Telecommuting Policy

Privacy, Interception & Monitoring Policy

Employee Exit Policy

Thank You Questions?