Alignment of legislation to support improved service delivery

Auditor General’s Office One key audit focus area – Compliance with Laws and Regulations


Page 1

Alignment of legislation to support improved service delivery

Page 2

Why is this important (NB)?

Auditor General’s Office

• One key audit focus area

– Compliance with Laws and Regulations

Page 3

Legislation

Relevant ICT Legislation (across all spheres)

• ECT Act (Electronic Communications and Transactions Act)
• RICA (Regulation of Interception of Communications and Provision of Communication-related Information Act)
• EC Act (Electronic Communications Act)
• PAIA (Promotion of Access to Information Act)
• POPI (Protection of Personal Information Act)

Page 4

Legislation

Relevant ICT Legislation (government specific)

• Public Service Act and Regulations
• Public Finance Management Act
• Intelligence Services Act
• Electronic Communications Security Act (COMSEC)
• Protection of State Information (Bill)
• State Information Technology Agency Act (SITA)
• Draft White Paper on e-Communication

Page 5

What are the current challenges?

• No policies that address the cross-over aspects contained in legislation (where several Acts overlap on the same ICT activity)

• No clear view of to whom, how and when legislation applies

• What does it mean seen from a CIO perspective?

• What do you experience daily as CIOs?

Page 6

SITA INITIATIVES

• Centrally managed infrastructure environment (databases), leading to improved administration and security – but no critical database has been registered thus far in terms of the ECT Act (Chapter IX, protection of critical databases)!

• Consolidation and synchronisation of applications and toolsets in use – but have the legal implications under POPI been assessed (e.g. Cloud and BYOD)?

Page 7

SITA STRATEGIC PROJECTS

• Cloud Computing – do CIOs understand the various legal consequences?

• E-Government – have the legitimacy and underlying validity of electronic transactions in terms of the ECT Act been explained?

Page 8

DPSA STRATEGIC CONSIDERATIONS

Developing enabling policies, legislation, norms and standards and guidelines

Page 9

Strategy

Standards, Codes and Frameworks (best practice)

• MISS (Minimum Information Security Standards)
• MIOS (Minimum Interoperability Standards)
• ISO 27001
• ISO 29100 (privacy framework)
• SAS 70 / SSAE 16 / ISAE 3402 (service organisation assurance reports)
• IT Governance Framework
• COBIT
• KING III

Page 10

Strategy – CIO Perspective

Align Legislation, Standards, Frameworks & Codes

• Establish a Compliance function
• KYC & AO (Know Your Compliance and Accounting Officers!!)
• Create an ICT Regulatory Universe in conjunction with the CO
• TAKE RESPONSIBILITY & OWNERSHIP
• Simplify legislation
• Align processes with legislation – e.g. PAIA (survey – no implementation – POOR SERVICE DELIVERY)
• Participate in new legislation by submitting public comment (POPI – very little)

Page 11

Strategy – CIO Perspective

Simplify it by categorising legislation under CIO terms

• Computer Crimes
• Document Management / Retention (Duplication)
• Electronic Communications
• Data Classification
• Information Security
• National Security
• Intellectual Property
• Privacy, etc.

Page 12

Example of comparative alignment

Public Finance Management Act (Act 1 of 1999 as amended by Act 29 of 1999)

• Sections 38(1)(b), (d) and (e) hold an accounting officer responsible for the effective, efficient, economical and transparent use of resources, for the safeguarding of assets, and for complying with audit commitments as required by legislation.

Page 13

Comparisons

KING III

One key aspect of IT Governance:

• risk management: addressing the safeguarding of IT assets, disaster recovery and continuity of operations

Page 14

ICT Legislation and Governance

KING III

5.5.2 The board should ensure that the company complies with IT laws and that IT related rules, codes and standards are considered.

5.6.1 The board should ensure that there are systems in place for the management of information which should include information security, information management and information privacy.

Page 15

ICT Legislation and Governance

KING III

5.6.2 The board should ensure that all personal information is treated by the company as an important business asset and is identified.

Page 16

National Treasury and Governance

According to SITA, National Treasury has embraced Chapter 5 of KING III. Although Public Service Regulations and information security plans already exist, consider how they can be aligned to best practice to gain traction.

Page 17

Auditor General

Remember!

The AG audits against best practice!!

Page 18

POPI

ADDITIONAL CONCERNS

• Special Categories of Personal Information
• Unsolicited Marketing
• Automated Processing
• Cross-Border Data Transfers
• Regulator

Page 19

POPI example and Cloud

CLOUD COMPUTING

• Is moving data to the CLOUD a bad thing?

Page 20

POPI

CLOUD COMPUTING

• Will my department have continued access to its information or data (backup and disaster recovery measures) irrespective of the information or data’s location?

Page 21

POPI

CLOUD COMPUTING

• Can you provide me with assurances that unauthorised access to my department’s information or data is prevented (covers both protection against external “hacking” attacks and access by the cloud provider’s personnel or by other users of the datacentre)?

Page 22

POPI

CLOUD COMPUTING

• Do you have adequate oversight of any sub-processors (irrespective of their location) that you use or might use, and do you have the necessary agreements and contracts in place with them to ensure the security of my department's information or data?

Page 23

POPI

CLOUD COMPUTING

• Do you have sufficient procedures in place in the event of a data breach that would enable my department to take the necessary actions in terms of POPI?

Page 24

CONCLUSION

• Awareness & Understanding
• creates better implementation, which
• facilitates best practice, which in return
• improves service delivery

Page 25

© Copyright Francis Cronje 2010-2012 - All Rights Reserved

QUESTIONS