5.
“The King II report on corporate governance and the ECT Act are encouraging adherence to high security standards” (6 September 2004): http://www.itweb.co.za/sections/features/ictsecurity/feature040906-2.asp
“Race for compliance … the race to comply with increasingly specific ICT security legislation holding company executives personally responsible involves…” (6 September 2004): http://www.itweb.co.za/sections/features/ictsecurity/feature040906-8.asp
Security or records management products are “King II Compliant”
Security or records management products are “SOX Compliant”
“New player helps with ECT Act compliance” (30 April 2004): http://www.itweb.co.za/sections/business/2004/0404301131.asp?A=CNT&S=Content%20Management%20&O=F
X “improves Corporate Governance with new Enterprise Portfolio Management Software”
10. The Unknown
As we know,
There are known knowns.
There are things we know we know.
We also know
There are known unknowns.
That is to say
We know there are some things
We do not know.
But there are also unknown unknowns,
The ones we don't know
We don't know.
- 12 Feb 2002, Department of Defense news briefing
Source: “The Poetry of D.H. Rumsfeld: Recent works by the Secretary of Defense”, http://slate.msn.com/id/2081042/
12. Compliance, Best Practice, Risk Management
Examples of Current Issues
Aspects of ECT Act
Monitoring
SANS 17799 (ISP)
SANS 15489 (RM)
BIP 0008 (Evidence)
E-mail “disclaimers”
13. Compliance Cocktail (Information Security & Information Management)
ACTS OF PARLIAMENT: ECT Act; FICA, FAIS; PROATIA, 2002; Monitoring Act
COMMON LAW: Contract; Delict (Negligence)
BEST PRACTICE: SANS 15489 (RM); SANS 17799 (Infosec); BSI BIP 0008 (Integrity); MISS (Govt depts)
INFORMATION RISK MANAGEMENT: see our Information Risk Matrix
KING II GOOD GOVERNANCE
Law / Legal Issues
15. Compliance Cocktail (Information Security & Information Management)
ACTS OF PARLIAMENT: easy
COMMON LAW: not so easy
BEST PRACTICE: voluntary
INFORMATION RISK MANAGEMENT: voluntary
KING II GOOD GOVERNANCE
29. Policies
Telecommuting Policy
E-mail & Internet Use Policies
Monitoring Policy
Record Classification Policy
Record Ownership Policy
Record Destruction & Hold Policy
Drivers: Legal Compliance; Risk Management; Best Practice
Information Classification Scheme linked to functions
32. US v SA (Laws)
US                                                   | SA
Gramm-Leach-Bliley Act                               | Nothing
Health Insurance Portability and Accountability Act  | Nothing
Sarbanes-Oxley Act                                   | King II (?) (no sec)
Federal Information Security Management Act          | Nothing / MISS
Freedom of Information Act                           | PROATIA (no sec)
Electronic Communications Privacy Act                | Monitoring Act (no sec)
34. US v SA (Regulations)
US Law: Health Insurance Portability and Accountability Act
US Regulations: Standards for Electronic Transactions; Standards for Privacy of Individually Identifiable Health Information; Security Standards
SA Law: ECT Act
SA Regulations: Crypto; ASPs; Critical Databases
35. US v SA (Standards)
US                                                                    | SA
ISO/IEC 17799                                                         | SANS 17799
ISO/IEC 13335                                                         | -
Control Objectives for Information and Related Technology (CobiT)     | CobiT
Generally Accepted Information Security Principles (GAISP)            | -
American National Standards Institute (ANSI) standards                | -
National Institute of Standards and Technology (NIST -