The integration of legal aspects in Information Security: Is your organisation up-to-date?

Paper presented during the Institute for International Research's IT Risk Management Conference - 10,11, & 12 November 2010, IIR Conference Centre, Rosebank, Johannesburg
Transcript

  • 1. The Integration of Legal Aspects in Information Security: Is Your Organisation Up-to-Date? Rabelani Dagada, Development Economist. Paper presented during the Institute for International Research's Conference on Information Technology Risk Management - 11 November 2010, IIR Conference Centre, Rosebank, Johannesburg
  • 2. AGENDA • Introduction and background • Motivation for the research • Research methodology and findings • Findings of the study • Contribution of the study • Conclusion Rabelani Dagada lectures ICT and Knowledge Management at the Wits Business School
  • 3. INTRODUCTION & BACKGROUND • Today most organisations use the Internet for information and business-related purposes. • The Internet revolution is developing rapidly because of electronic commerce (e-commerce). • The use of the Internet for commercial purposes has brought with it a number of challenges. • These include information security risks, threats, and cyber crime. • The government of South Africa has introduced several laws to deal with IT-related risks, threats, and cyber crime. • One such law is the highly acclaimed Electronic Communications and Transactions Act of 2002 (ECT Act, 2002).
  • 4. MOTIVATION FOR THE RESEARCH • The 2002 and 2004 website compliance surveys conducted by Buys Attorneys found that most companies in SA were not complying with the laws and regulations governing e-commerce. • In 2002 most webmasters claimed that they were not even aware of the compliance requirements. • In 2004 this number increased by 31%. • Buys Attorneys claimed that failure to comply with the law led to an increase in website crime. • SA companies did not seem to realise that failure to comply with the provisions of the law exposes their websites to huge risk and liability. • Of the 1 550 websites surveyed by Buys Incorporated Attorneys in 2004, the Telkom website was the only one to score a 100% compliance rate. • It is on this premise that this study was conducted. Source: Buys Incorporated Attorneys
  • 5. RESEARCH METHODOLOGY & SAMPLING • 22 organisations from various industrial sectors participated in this study. • The banking sector dominated all other industrial sectors. • Purposive sampling was employed because of the perceived value participants would add. • This study used generic techniques for qualitative data collection and analysis. • The study satisfied the principle of triangulation by employing multiple data-gathering methods and sources. • Data-gathering methods included interviews, observation, and policy document analysis. • Interviews were analysed using open coding. • Data collected through document analysis was analysed by comparing it with the SA legal framework for information security.
  • 6. FINDINGS OF THE STUDY
  • 7. FINDINGS OBTAINED THROUGH INTERVIEWS • The Board of Directors is not involved in the formulation of information security policies. • Very few organisations in SA incorporate legislative requirements in their information security policies. • Government has not yet implemented some legal provisions to fight cyber crime, e.g.:
    - the appointment of Cyber Inspectors, as required by the ECT Act of 2002, is not yet implemented; and
    - the registration of buyers and owners of cell phone SIM cards, as required by the Regulation of Interception of Communications and Provision of Communication-related Information Act of 2002, only came into effect on 1 July 2009.
    • The legal provision in the ECT Act that deals with unsolicited communication has a serious loophole.
  • 8. FINDINGS OBTAINED THROUGH DOCUMENT COLLECTION AND ANALYSIS • Policies related to hacking include Information Security Policies and the Interception & Surveillance Policy. Relevant legislation includes the Promotion of Access to Information Act, the ECT Act, and the Interception Act. • Policies related to intellectual property, copyright, and trademarks include the Intellectual Property Policy and the Data Privacy Policy. • The majority of organisations that participated in this study did not have policies that address intellectual property, copyright and trademarks. • None of the organisations that participated in this study had a separate policy on patents. • Most companies in SA perceive the Patents Act of 1978 to be ineffective. • Some of the laws pertaining to information security are very old. • They were introduced before the Internet was used for commercial purposes.
  • 9. FINDINGS OBTAINED THROUGH OBSERVATION
    Table 1: Number of organisations that are compliant with the legislation governing websites and e-commerce (22 organisations observed).
    Aspect observed: Number
    - Websites with legal notices at all: 17
    - Websites with terms and conditions available as hyperlinks: 7
    - Websites with liability disclaimers available as hyperlinks: 11
    - Websites with legal notices that address the provisions of Chapter 3, Part II and Chapter 7 of the ECT Act: 5
    - Websites that position and implement legal notices correctly: 2
    - Website legal notices that are printable or saveable as required by section 11(3) of the ECT Act: 2
    - Organisations that have policies that address website legal compliance: 5
  • 10. CONTRIBUTION OF THE STUDY
  • 11. CONCEPT MODEL OF LEGAL COMPLIANCE • This study suggests a Model whereby legal requirements are incorporated into information security endeavours. • The Model was necessitated by the main findings of the study, which reveal that both the government and corporate SA were not implementing some of the information security legal provisions. • The Model may be very useful to policy formulators, directors of boards, ICT executives, and information security practitioners. • According to the King III Report, IT strategic planning, risk management, and information security are the primary responsibility of the Board of Directors.
  • 12. Figure 1: A concept of legal compliance for information security policy formulation, implementation and multitasking. [Figure: flow diagram; only the step text and role labels survive extraction.]
    Steps shown in the figure:
    - Make ICT strategic pronouncements. These would include information security within the corporate governance framework.
    - Identify relevant information security legislation, standards and related governance compliance duties.
    - Integrate legislation and compliance duties into ICT and information security.
    - Allocate duties to business units and to individual positions.
    - Audit compliance and identify gaps; attend to gaps and monitor compliance.
    - Each employee signs the consent form; new employees sign it as part of the employment contract.
    - Approve the policies and delegation of duties; give the go-ahead for implementation.
    - All employees receive education and training on information security policies.
    Roles shown in the figure: Board of Directors; Board's sub-committee on risk management; ICT Steering Committee; ICT Department; Whole organisation.
  • 13. CONCLUSION • There are more than ten laws that deal with information security in SA. • Most information security provisions contained in these laws are not yet implemented. • There is also a deliberate disregard of information security legal provisions by some companies and government entities. • This study found that most IT and information security practitioners were not familiar with the information security legal requirements. • It is perhaps on this premise that most organisations do not comply with the legal requirements. • In some instances the attitude of the SA government towards its own laws has been lukewarm. • The proposed Model will help in mitigating information security challenges. • The overall intention of the Model is to prioritise information security, elevate the profit and ultimately address corporate security lapses.
