ICT Compliance (Sept 2004)


    1. Compliance, 23 September 2004
    2. Nature of the Beast
    3. ECT Act, King II, SOX, BS 17799, FAIS, FICA, PROATIA, Privacy
    4. Everyone is trying to get a grip on Compliance
    5. Headlines and vendor claims:
       - “The King II report on corporate governance and the ECT Act are encouraging adherence to high security standards” (6 September 2004: http://www.itweb.co.za/sections/features/ictsecurity/feature040906-2.asp)
       - “Race for compliance … the race to comply with increasingly specific ICT security legislation holding company executives personally responsible involves…” (6 September 2004: http://www.itweb.co.za/sections/features/ictsecurity/feature040906-8.asp)
       - Security or records management products are “King II Compliant”
       - Security or records management products are “SOX Compliant”
       - “New player helps with ECT Act compliance” (30 April 2004: http://www.itweb.co.za/sections/business/2004/0404301131.asp?A=CNT&S=Content%20Management%20&O=F)
       - X “improves Corporate Governance with new Enterprise Portfolio Management Software”
    7. The Fear Factor
       - Exaggerating scope and benefits of the solutions
       - Basing the proposition for the technology requirement on a misreading or misunderstanding of the law
       - Opining on and interpreting legislation as if competent to make these assessments
       - Being under the misapprehension that what is obligatory in the USA is or will be obligatory in SA
    8. The Fear Factor
       - Misinterpreting best practice as mandatory legal compliance
       - Construing opinions on the impact of legislation and regulations as fact
       - Misinterpreting international standards as de facto legislation in SA when it is abundantly evident that SA can adopt whatever standards it chooses
       - Interpreting law in a misleading way
    9. The Fear Factor
       - Conflating what the law says and what the penalty MIGHT be into one idea, suggesting that the law states that is what WILL happen
         - E.g. record retention
    10. The Unknown
        As we know,
        There are known knowns.
        There are things we know we know.
        We also know
        There are known unknowns.
        That is to say
        We know there are some things
        We do not know.
        But there are also unknown unknowns,
        The ones we don't know
        We don't know.
        (12 Feb 2002, Department of Defense news briefing; “The Poetry of D.H. Rumsfeld: Recent works by the Secretary of Defense”, http://slate.msn.com/id/2081042/)
    11. Compliance v Best Practice v Risk Management (diagram: Compliance, Best Practice, Risk Management)
    12. Examples of Current Issues (diagram: Compliance, Best Practice, Risk Management)
        - Aspects of ECT Act
        - Monitoring
        - SANS 17799 (ISP)
        - SANS 15489 (RM)
        - BIP 0008 (Evidence)
        - E-mail “disclaimers”
    13. Compliance Cocktail (Information Security & Information Management)
        - Acts of Parliament: ECT Act; FICA, FAIS; PROATIA, 2002; Monitoring Act
        - Common law: Contract; Delict (Negligence)
        - Best practice: SANS 15489 (RM); SANS 17799 (Infosec); BSI BIP 0008 (Integrity); MISS (Govt depts)
        - Information risk management: see our Information Risk Matrix
        - King II: Good governance
        - Law / Legal issues
    16. Common law - Contract
    17. Nature of the beast
        - Most security software comes with standard contract terms where
          - the user must evaluate the suitability of the product for use
          - the user assumes all liability for product behaviour
        - The user cannot evaluate, and cannot be expected to evaluate, the security claims of a product
    18. “Snake-Oil Salesman’s Paradise”
        - Because snakes do not exude oil, the term snake-oil has come to mean any preparation that has no real medicinal value and yet is fraudulently sold by travelling medicine shows as a cure for many ills
        - Not regulated by law
    19. Common law - Contract
        - Obligation to take reasonable steps to protect the e-security of the relevant system
        - Examples of “reasonable steps”:
          - Spread the risk
            - Service providers
            - Customers
          - Maintain secure networks
          - Safeguard confidentiality of valuable data
          - How to respond to a breach of e-security
          - Steps to follow to minimise damage that flows from the breach
    20. Common law – Delict
    21. Common law - Delict
        - Negligence:
          - Involves establishing that the defendant owed a duty of care to the plaintiff
          - Based on reasonable foreseeability that harm would be caused without the exercise of reasonable care
    22. Examples of Foreseeability
        - Sending a virus-infected e-mail: the court would consider
          - Availability of a security patch
          - Notification of same to the defendant
          - Failure of the defendant to
            - install the relevant patch
            - within a reasonable period
    24. Reputational Damage, Loss of Revenue
    25. “It takes twenty years to build a reputation and five minutes to lose it.” Warren Buffett, Chairman, Berkshire Hathaway
    26. Security is a process
        - “Security is a process, not a product” – Bruce Schneier
        - Information is information, and software products only protect the information while it is on computers
        - They do not protect it when it gets into the hands of disgruntled employees
        - Most computer security measures – firewalls, intrusion protection systems – try to deal with the external hacker, but are powerless to deal with insiders
    27. Removable Flash Disc Drive
    28. Human Firewalls, Technical Firewalls
    29. Policies
        - Telecommuting Policy
        - E-mail & Internet Use Policies
        - Monitoring Policy
        - Record Classification Policy
        - Record Ownership Policy
        - Record Destruction & Hold Policy
        - Legal Compliance, Risk Management, Best Practice
        - Information Classification Scheme linked to functions
    30. Debunking Compliance
    31. USA Law
        - Don't be under the misapprehension that what is obligatory in the USA is or will be obligatory in SA
    32. US v SA (Laws)
        - US: Gramm-Leach-Bliley Act; SA: Nothing
        - US: Health Insurance Portability and Accountability Act; SA: Nothing
        - US: Sarbanes-Oxley Act; SA: King II (?) (no sec)
        - US: Federal Information Security Management Act; SA: Nothing / MISS
        - US: Freedom of Information Act; SA: PROATIA (no sec)
        - US: Electronic Communications Privacy Act; SA: Monitoring Act (no sec)
    33. King II ≠ Regulation
        - King Report on Corporate Governance for South Africa 2002
    34. US v SA (Regulations)
        - US law: Health Insurance Portability and Accountability Act. Regulations: Standards for Electronic Transactions; Standards for Privacy of Individually Identifiable Health Information; Security Standards
        - SA law: ECT Act. Regulations: Crypto; ASPs; Critical Databases
    35. US v SA (Standards)
        - US: ISO/IEC 17799; SA: SANS 17799
        - US: ISO/IEC 13335; SA: -
        - US: Control Objectives for Information and Related Technology (CobiT); SA: CobiT
        - US: Generally Accepted Information Security Principles (GAISP); SA: -
        - US: American National Standards Institute (ANSI) standards; SA: -
        - US: National Institute of Standards and Technology (NIST); SA: -
    36. Terminology
        - Law
        - Regulation
        - Standard
    37. The Electronic Communications and Transactions Act 2002: “ECT ACT Compliance”
    38. “ECT ACT Compliance”
        - “Web site terms and conditions”
          - Making information available to “consumers”
          - 'consumer' means any natural person
          - Penalty: consumer can cancel transaction within 14 days
        - “E-mail legal notice”
        - “Electronic communications policy”
    39. Structure of the Act (the slide classifies each chapter under the headings e-Comm, e-Trans, e-Data and e-Infra)
        - Chapter 1: Interpretation, Objects and Application
        - Chapter 2: Maximising Benefits and Policy Framework
        - Chapter 3: Facilitating Electronic Transactions
        - Chapter 4: e-Government Services
        - Chapter 5: Cryptography Providers
        - Chapter 6: Authentication Service Providers
        - Chapter 7: Consumer Protection
        - Chapter 8: Protection of Personal Information
        - Chapter 9: Protection of Critical Databases
        - Chapter 10: Domain Name Authority & Administration
        - Chapter 11: Limitation of Liability of Service Providers
        - Chapter 12: Cyber Inspectors
        - Chapter 13: Cyber Crime
        - Chapter 14: General
    40. “ECT Act Compliance”
        - Only 6 of its 14 chapters make mention of a fine or imprisonment for those convicted of an offence under the Act
        - These 6 chapters relate to cryptography providers, authentication service providers, unsolicited commercial communications (spam), critical databases, cyber inspectors and cyber crime
        - Regulations still have to be published regarding cryptography providers, authentication service providers and critical databases
        - Until those regulations are in place, there is nothing to comply with
    41. “King II Compliance”
        - King Report on Corporate Governance for South Africa 2002
    42. King II
        - King II is designed to improve accountability and transparency of JSE-listed public companies
        - King II is NOT a LAW
        - JSE listing requirement = compliance with King II
        - Compliance Report to be signed by all directors personally
    43. Quotes from the Code
        - “The board should have unrestricted access to all company information, records, documents and property. The information needs of the company should be well defined and regularly monitored” (2.1.7)
    44. Quotes from the Code
        - “The board is responsible for the total process of risk management…” (3.1.1) and “should make use of…control models and frameworks…with respect to … safeguarding the company’s assets (including information)” (3.1.4)
    45. Quotes from the Code
        - “The board is responsible for ensuring that a[n]…assessment of…key risks is undertaken…[which] should address the company’s exposure to… technology risks… business continuity and disaster recovery…” (3.1.5)
    46. “All companies in the King II era need to acknowledge the clear link between successful Infosec programs and business success as a whole” ??
    47. Managing Risks of Non-compliance
        - Part of reasonable foreseeability is to spread risk (service providers and business partners)
        - Be able to objectively determine your compliance criteria and the controls to manage your criteria
        - Be able to subjectively determine best practice
        - Use a trusted advisor who can help you:
          - Make this determination
          - Choose appropriate technology which is aligned to your compliance and best practice requirements
    48. THANK YOU FOR YOUR TIME!!
        Copyright © Michalsons Online. The information contained in this presentation is subject to change without notice. Michalsons Online makes no warranty of any kind with regard to the material, including, but not limited to, the implied warranties of fitness for a particular purpose. Michalsons Online shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material. This document contains proprietary information that is protected by copyright. All rights are reserved. No part of this document may be photocopied, reproduced, or translated to another language without the prior written consent of Michalsons Online. This document is an unpublished work protected by the copyright laws and is proprietary to Michalsons Online. Disclosure, copying, reproduction, merger, translation, modification, enhancement, or use by any unauthorised person without the prior written consent of Michalsons Online is prohibited. Contact Michalsons Online for permission to copy: info@michalsons.com.
        Lance Michalson, 0860 111 245