Infosec Law (Feb 2006)

1. Information Technology Attorneys: Law relating to Information Security

2. Outline
  • Meaning of security in SA legal context
  • Helicopter legislative overview
  • Focus on select issues
    - Crypto
    - Critical databases
    - Privacy
    - Monitoring
    - King II
  • Take home messages

3. Meaning of “Security” in the SA Context
  • ECT Act, 2002
  • Crypto
  • Critical databases
  • The State Information Technology Agency Act, 1998
  • The Electronic Communications Security (Pty) Limited Act (COMSEC)
  • Intelligence Services Control Amendment Act, 2002
  (Slide diagram labels: National Security; Info Security; Privacy & Security (CIA); SANS 17799; King 2 Infosec BPG; Monitoring Act; PPI Bill, 2005 (SA Law Commission))

4. South African ICT Regulatory Hype Cycle
  Compliance requirements develop at different rates.
  (Hype cycle chart: Visibility against Maturity; phases Business Trigger, Peak of Inflated Expectations, Trough of Disillusionment, Slope of Enlightenment, Plateau of Productivity. Key, time to plateau: less than two years; two years to five years; five years to 10 years; more than 10 years; obsolete before plateau. Items plotted: Basel I (1988); Infosec / SANS 17799; ECT Act (2002); Basel II (1999); RM / SANS 15489; PROATIA (2000); Sarbanes-Oxley Act (2002); RIC (monitoring); PPI Bill (Privacy); SANS 15801; Critical Databases, Crypto Providers and ASPs; Convergence Bill (2005); King II (2002); EU Data Privacy Directive; FICA.)

5. Chapter V: Cryptography Providers
  (Slide diagram, sections 29 to 32: Application of Chapter; Register of Cryptography Providers; Registration with the Department; Restrictions on disclosure of information; Offences.)
  Chapter V governs the use of cryptography products and services used within the Republic. The Director General is tasked with maintaining a register of cryptography providers and their products and services. Registration is compulsory, and suppliers are prohibited from providing cryptography products and services in the Republic without complying with the provisions of this Act.

6. Cons
  • Definitions too wide
  • Who has to register?
  • Who is a cryptography provider?
  • What is a cryptography service?
    - Key management service
    - Enrolment and verification service
    - Infosec consulting service?
    - Date and time-stamping service
  • What is a cryptography product?
  • When is it provided in the Republic?

7. Chapter IX: Protection of Critical Databases
  (Slide diagram, sections 52 to 58: Scope of critical database protection; Identification of critical data and databases; Registration of critical databases; Management of critical databases; Restrictions on disclosure of information; Right of inspection; Non-compliance with Chapter.)
  The aim is to facilitate the identification and registration of critical databases within the Republic. Critical databases are defined as databases that contain information which, if compromised, could threaten the security of the Republic or the economic and social well-being of its citizens. The Act stipulates criteria for the identification, registration and management of critical databases, as well as controls to ensure that the integrity and confidentiality of data relating to and contained in these databases is maintained, such as the right to audit and restrictions and penalties resulting from unauthorised or illegal disclosure of information contained in or about these databases. In November 2003 the Minister of Communications awarded a tender to a consortium of consultants to undertake an inventory of all major databases in South Africa.

8. Management of Critical Databases
  The Minister may prescribe minimum standards or prohibitions in respect of:
  • the general management of critical databases;
  • access to, transfer and control of critical databases;
  • infrastructural or procedural rules and requirements for securing the integrity and authenticity of critical data;
  • procedures and technological methods to be used in the storage or archiving of critical databases;
  • disaster recovery plans in the event of loss of critical databases or parts thereof; and
  • any other matter required for the adequate protection, management and control of critical databases.
9. Privacy

10. State of SA privacy regulation
  • Privacy regulation in its infancy
  • Protection of Personal Information (PPI) Bill and Discussion Paper released in October 2005 by the South African Law Reform Commission
  • Comments due 28 February 2006
  • Based on 8 principles:

12. Principle 6 – Security Safeguards: Key Aspects
  • Measures to ensure integrity of personal information
  • Security measures regarding PI by processor
  • Notification of security compromises
13. Monitoring

14. Monitoring
  • 30 September 2005
  • Monitoring lawful unless exception

15. Exceptions
  • s4(1): Participant(s) intercept themselves; can intercept if party to communication
  • s5(1): 3rd party (e.g. Co X) intercepts with written consent of one of the parties
    - Can only intercept with written consent
    - CEO not involved
    - No fine
  • s6: 3rd party (e.g. Co X) intercepts in ordinary course of business
    - Business purpose exception
    - CEO involved
    - Fine: 2 yrs R10m

16. Monitoring
  • Electronic and paper communications
  • Live versus stored data

17. Section 86.1 of ECT Act
  • A person who intentionally accesses and intercepts data without authority or permission to do so is guilty of an offence
    - S89(1): fine or jail not exceeding 1 year
  • This provision is made subject to RICA
  • Section 88: any person who aids and abets someone to commit any offence would be guilty of an offence
  • May thus breach both RICA and the ECT Act

18. Monitoring
  • Consent is at the heart of it
  • Consent from user perspective
    - Express v implied
    - Written consent
  • Consent from CEO perspective
    - Is per-interception consent necessary?
    - Will a blanket consent suffice?

19. Monitoring
  • “Health purposes”
    - Continuous monitoring
    - System security and maintenance
    - Automatic monitoring
  • “Forensic purposes”
    - Once-off, occasional, covert
    - Investigate allegations of fraud, corruption, breach of a policy
    - Manual monitoring

20. Monitoring
  • Forensic reasons
    - Allegations of fraud
    - Allegations of criminal activity against or attributable to ARC
    - Allegations of corruption
    - Allegations of breach of a policy
    - To counteract criminal or fraudulent activities
    - To respond to legal proceedings that call for electronic or paper evidence
    - Where the involved individual is unavailable and timing is critical for business activity
    - Where monitoring is required by a law enforcement agency
  • Health reasons
    - Security incident response
    - Help desk responses to calls logged
    - Firewall software
    - Content monitoring systems
    - Message logging systems
    - Telephone management system

21. Monitoring Matrix (RICA tells you what to do but not how to do it)
  Matrix columns: Implied consent and reasonable efforts demonstrated by; Express / Written consent demonstrated by; CEO is protected by.
  Documents in the matrix: Monitoring Policy (Persons); Acceptance of Monitoring Policy; CEO Delegation of Authority to MO; FAQ; Monitoring Consent (incl. waiver of right to privacy and covering ECT Act); Monitoring Policy & Guidelines for Technical Staff + Acceptance Doc; Glossary of Terms; Suggested clauses for HR contracts and promotions; Pro-Forma Monitoring Request; Log-on Notice; Pro-Forma Interception Report to the Board; Monitoring Policy Notice and Memo to Users; Waiver & consent clause in Visitor’s sign-in sheet; Reminder e-mail from IT department.
22. King II and Infosec
  • King Report on Corporate Governance for South Africa 2002

23. Quotes from the Code
  • “The board should have unrestricted access to all company information, records, documents and property. The information needs of the company should be well defined and regularly monitored” (2.1.7)

24. Quotes from the Code
  • “The board is responsible for the total process of risk management…” (3.1.1) and “should make use of…control models and frameworks…with respect to … safeguarding the company’s assets (including information)” (3.1.4)

25. Quotes from the Code
  • “The board is responsible for ensuring that a[n]…assessment of…key risks is undertaken…[which] should address the company’s exposure to… technology risks… business continuity and disaster recovery …” (3.1.5)

27. King II Infosec BPG
  • What is information security?
  • Key considerations when making information security decisions
  • Characteristics of a sound information security agenda
  • An effective information security strategy
  • Devising a successful approach to information security
  • What directors can do

28. Take home messages
  • Identify your compliance criteria
  • Identify your information holdings
    - Sensitivity
    - Personal information
    - Records
  • Prepare a file plan / information taxonomy

30. Information Security Policy
  (Slide diagram: Legal Compliance; Risk Management; Best Practice)
  • Often drafted by IT Audit / HR / IT
    - HR often doesn’t understand the tech issues
    - IT Audit often doesn’t understand the legal issues and is too technical
  • Need to address different audiences
  • Often “knipped” and “plukked” from the internet
  • No clear understanding as to content and labeling (e.g. ECP)
  • Myth around 17799 “compliance”

31. Information Security Policy
  (Slide diagram: Information Security Policy, with E-mail Policy; Privacy & Monitoring Policy; Internet Usage Policy; Personal Computer Security Policy; Telecommuting Policy; Employee Exit Policy; inputs Legal Compliance, Risk Management, Best Practice; Information Classification Scheme linked to functions)

32. Take home messages
  • Proper implementation of policies
    - It is a principle of South African law that if an employer wants to discipline an employee on the grounds that he/she has broken one of the rules set forth in a policy, the employer must establish three things:
      (i) that there was a rule;
      (ii) that the rule was reasonable; and
      (iii) that the rule had been brought to the attention of the employee.

33. Conclusion…
  • “Many businesses recognise that information security is a key technical and business issue, but it is important to recognise that it is also a legal issue”
    - Lorijean G. Oei, “Online Law: The Legal Role of Information Security”
  • Do not consult us after the fact
  • Legal advice must be “integrated into” solutions, not “bolted onto” them

34. THANK YOU FOR YOUR TIME!!
  Lance Michalson
  [email_address]
  “IT Law with Insight”
  Copyright © Michalsons 2002-2009
  The information contained in this presentation is subject to change without notice. Michalsons makes no warranty of any kind with regard to the material, including, but not limited to, the implied warranties of fitness for a particular purpose. Michalsons shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material. This document contains proprietary information that is protected by copyright. All rights are reserved. No part of this document may be photocopied, reproduced, or translated to another language without the prior written consent of Michalsons. This document is an unpublished work protected by the copyright laws and is proprietary to Michalsons. Disclosure, copying, reproduction, merger, translation, modification, enhancement, or use by any unauthorised person without the prior written consent of Michalsons is prohibited. Contact Lance Michalson at for permission to copy.