The integration of legal aspects in Information Security: Is your organisation up-to-date?
The Integration of Legal Aspects in
Information Security: Is Your Organisation
Paper presented during Institute for International Research's Conference on Information
Technology Risk Management - 11 November 2010, IIR Conference Centre, Rosebank,
• Introduction and background
• Motivation for the research
• Research methodology and findings
• Findings of the study
• Contribution of the study
Rabelani Dagada lectures ICT and Knowledge Management at the Wits Business School
INTRODUCTION & BACKGROUND
• Today most organisations use the Internet for information and business
• The Internet revolution is developing rapidly due to the electronic commerce
• The use of the Internet for commercial purposes has brought with it a
number of challenges.
• These include information security risks, threats, and cyber crime.
• The government of South has introduced several laws to deal with the IT
related risks, threats, and cyber crime.
• One such law is the highly acclaimed Electronic Communications and
Transactions Act of 2002 (ECT Act, 2002).
MOTIVATION FOR THE RESEARCH
• The 2002 and 2004 website compliance survey conducted by the Buys
Attorneys found that most companies in SA were not complying with the
laws and regulations and regulations governing e-commerce.
• In 2002 most webmasters claimed that they were not even aware of the
• In 2004 this number increased by 31%.
• Buys attorneys claimed that failure to comply with law led to an increase in
• SA companies did not seem to realise that failure to comply with the
provision of the law exposes their websites to huge risk and liability.
• Of the 1 550 websites surveyed by Buys Incorporated Attorneys in 2004,
the Telkom website was the only one to score 100% compliance rate.
• It is on this premise that this study was conducted.
Source: Buys Incorporated Attorneys
RESEARCH METHODOLOGY & SAMPLING
• 22 organisations from various industrial sectors participated in this study.
• The banking sector dominated all other industrial sectors.
• Purposive sampling was employed due to the perceived value participants
• This study used the generic techniques for qualitative collection and
• The study satisfied the principle of triangulation by employing multiple data-
gathering methods and sources.
• Data gathering methods included interviews, observation, and policy
• Interviews were analysed by using open coding.
• Data collected through document analysis was analysed by comparing it
with the SA legal framework for information security.
FINDINGS OBTAINED THROUGH INTERVIEWS
• The Board of Directors are not involved in the formulation of information
• Very few organisations in SA incorporates legislation requirements in the
information security policies.
• Government has not yet implemented some legal provisions to fight cyber
- the appointment of the Cyber Inspectors as required by the ECT of 2002 is
not yet implemented; and
- the registration of the buyers and owners of the cell phone SIM cards as
required by the Regulation of Interception of Communications and Provision
of Communication-related Information Act of 2002 only came into effect on
1 July 2009.
• Legal provision in the ECT Act that deal with unsolicited communication has
FINDINGS OBTAINED THROUGH DOCUMENT
COLLECTION AND ANALYSIS
• Policies related to hacking include Information Security Policies, and
Interception & Surveillance Policy. Relevant legislations are the Promotion
of Access to Information Act; ECT Act; and Interception Act.
• Policies related to the intellectual property, copyright, and trademarks
• The majority of organisations that participated in this study did not have
policies that address intellectual property, copyright and trademarks.
• None of the organisations that participated in this study had a separate
policy on patents.
• Most companies in SA perceive the Patents Act of 1978 to be ineffective.
• Some of the laws pertaining to information security are very old,.
• They were introduced before the Internet was used for commercial
FINDINGS OBTAINED THROUGH OBSERVATION
ASPECT OBSERVED NUMBER
Websites with legal notices at all 17
Websites with terms and conditions available as
Websites with liability disclaimers available as
Websites with legal notices that address the provisions
of Chapter 3, Part II and Chapter 7 of the ECT Act
Websites that position and implement legal notices
Website legal notices that are printable or saveable as
required by section 11(3) of the ECT Act
Organizations that have policies that address websites
Table 1: Number of organizations that are compliant with the legislation
governing websites and e-commerce.
CONCEPT MODEL OF LEGAL COMPLIANCE
• This study suggests a Model whereby legal requirements are incorporated
into the information security endeavors.
• The Model was necessitated by the main findings of the study which reveals
that both the government and corporate SA were not implementing some of
the information security legal provisions.
• The Model may be very useful to policy formulators, directors of the boards,
ICT executives, and information security practitioners.
• According to the King III Report, IT strategic planning, risk management,
and information security are the primary responsibility of the Board of
Make ICT strategic
would include information
security within the corporate
legislation, standard and
Integrate legislation and
compliance duties into ICT
and Information Security
Allocate duties to business
units and for individual
Audit compliance and
identity gaps attend to gaps
and monitor compliance.
Each employee signs the
consent form, new
employee sign this as part of
the employment contract
Approve the policies and
delegation of duties. Gives
go ahead for the
All employees are receiving
education and training on
Whole organisationWhole organisation Boards sub-committee
ICT DepartmentICT Steering committeeBoard of Directors
Figure 1: A concept of legal compliance for Information security policies formulation,
implementation and multitasking
• There are more than ten laws that deal with information security in SA.
• Most information security provisions contained in laws are not yet
• There is also a deliberate disregard of information security legal provisions
by some companies and government entities.
• This study found that most IT and information security practitioners were not
familiar with the information security legal requirements.
• It perhaps in this premise that most organisations do not comply with the
• In some instances the attitude of the SA government towards its own laws
has been lukewarm.
• The proposed Model will help in mitigating information security challenges.
• The overall intention of the Model is to priorities information security, elevate
the profit and ultimately address corporate security lapses.