Ict Compliance (Sept 2004)

Page 1: Ict Compliance (Sept 2004)

INFORMATION MANAGEMENT PROFESSIONALS

© Michalsons Online 2007-2009

Compliance
23 September 2004

Page 2: Ict Compliance (Sept 2004)

Nature of the Beast

Page 3: Ict Compliance (Sept 2004)

ECT Act
King II
SOX
BS 17799
FAIS
FICA
PROATIA
Privacy

Page 4: Ict Compliance (Sept 2004)

Everyone is trying to get a grip on Compliance

Page 5: Ict Compliance (Sept 2004)

“The King II report on corporate governance and the ECT Act are encouraging adherence to high security standards”
6 September 2004: http://www.itweb.co.za/sections/features/ictsecurity/feature040906-2.asp

“Race for compliance… the race to comply with increasingly specific ICT security legislation holding company executives personally responsible involves… “
6 September 2004: http://www.itweb.co.za/sections/features/ictsecurity/feature040906-8.asp

Security or records management products are “King II Compliant”

Security or records management products are “SOX Compliant”

“New player helps with ECT Act compliance”
30 April 2004: http://www.itweb.co.za/sections/business/2004/0404301131.asp?A=CNT&S=Content%20Management%20&O=F

X “improves Corporate Governance with new Enterprise Portfolio Management Software”

Page 7: Ict Compliance (Sept 2004)

The Fear Factor
1. Exaggerating scope and benefits of the solutions
2. Basing proposition for the technology requirement on a misreading or misunderstanding of the law
3. Opining on and interpreting legislation as if competent to make these assessments
4. Being under the misapprehension that what is obligatory in the USA is or will be obligatory in SA

Page 8: Ict Compliance (Sept 2004)

The Fear Factor
5. Misinterpreting best practice as mandatory legal compliance
6. Construing opinions on the impact of legislation and regulations as fact
7. Misinterpreting international standards as de facto legislation in SA when it is abundantly evident that SA can adopt whatever standards it chooses
8. Interpreting law in a misleading way

Page 9: Ict Compliance (Sept 2004)

The Fear Factor
– conflating what the law says and what the penalty MIGHT be into one idea, suggesting that the law states that is what WILL happen
• E.g. record retention

Page 10: Ict Compliance (Sept 2004)

The Poetry of D.H. Rumsfeld
Recent works by the Secretary of Defense

The Unknown
As we know,
There are known knowns.
There are things we know we know.
We also know
There are known unknowns.
That is to say
We know there are some things
We do not know.
But there are also unknown unknowns,
The ones we don't know
We don't know.

– 12 Feb 2002, Department of Defense news briefing
http://slate.msn.com/id/2081042/

Page 11: Ict Compliance (Sept 2004)

Compliance v Best Practice v Risk Management

(diagram: Compliance, Best Practice, Risk Management)

Page 12: Ict Compliance (Sept 2004)

Examples of Current Issues
(diagram: Compliance, Best Practice, Risk Management)

Aspects of ECT Act
Monitoring
SANS 17799 (ISP)
SANS 15489 (RM)
BIP 0008 (Evidence)
E-mail “disclaimers”

Page 13: Ict Compliance (Sept 2004)

Compliance Cocktail (Information Security & Information Management)

ACTS OF PARLIAMENT
ECT ACT
FICA, FAIS
PROATIA, 2002
Monitoring Act

COMMON LAW
Contract
Delict (Negligence)

BEST PRACTICE / INFORMATION RISK MANAGEMENT
SANS 15489 RM
SANS 17799 – Infosec
BSI BIP 0008 – Integrity
MISS (Govt depts)
SEE OUR INFORMATION RISK MATRIX

KING II / GOOD GOVERNANCE

Law / Legal Issues

Page 15: Ict Compliance (Sept 2004)

Compliance Cocktail (Information Security & Information Management)

ACTS OF PARLIAMENT: EASY
COMMON LAW: NOT SO EASY
BEST PRACTICE / INFORMATION RISK MANAGEMENT: VOLUNTARY
KING II / GOOD GOVERNANCE: VOLUNTARY

Page 16: Ict Compliance (Sept 2004)

Common law - Contract

Page 17: Ict Compliance (Sept 2004)

Nature of the beast
• Most security software comes with standard contract terms where
– the user must evaluate the suitability of the product for use
– the user assumes all liability for product behavior
• User cannot evaluate / cannot be expected to evaluate the security claims of a product

Page 18: Ict Compliance (Sept 2004)

“Snake-Oil Salesman’s Paradise”
• Because snakes do not exude oil, the term snake-oil has come to mean any preparation that has no real medicinal value and yet is fraudulently sold by traveling medicine shows as a cure for many ills
• Not regulated by law

Page 19: Ict Compliance (Sept 2004)

Common law - Contract
• Obligation to take reasonable steps to protect the e-security of the relevant system
• Examples of “reasonable steps”:
– Spread the risk
• Service providers
• Customers
– Maintain secure networks
– Safeguard confidentiality of valuable data
– How to respond if a breach of e-security
– Steps to follow to minimise damage that flows from the breach

Page 20: Ict Compliance (Sept 2004)

Common law – delict

Page 21: Ict Compliance (Sept 2004)

Common law - Delict
• Negligence:
– Involves establishing defendant owed a duty of care to the plaintiff
– Based on reasonable foreseeability that harm would be caused without the exercise of reasonable care

Page 22: Ict Compliance (Sept 2004)

Examples of Foreseeability
• Sending a virus infected e-mail: the court would consider
– Availability of a security patch
– Notification of same to the defendant
– Failure of defendant to
• install the relevant patch
• within a reasonable period

Page 24: Ict Compliance (Sept 2004)

Reputational Damage
Loss of Revenue

Page 25: Ict Compliance (Sept 2004)

“It takes twenty years to build a reputation and five minutes to lose it.”
Warren Buffett
Chairman, Berkshire Hathaway

Page 26: Ict Compliance (Sept 2004)

• “Security is a process, not a product” – Bruce Schneier

• Information is information and software products only protect the information while it is on computers

• It does not protect it when it gets into the hands of disgruntled employees

• Most computer security measures – firewalls, intrusion protection systems – try to deal with the external hacker, but are powerless to deal with insiders

Page 27: Ict Compliance (Sept 2004)

Removable Flash Disc Drive

Page 28: Ict Compliance (Sept 2004)

Human Firewalls
Technical Firewalls

Page 29: Ict Compliance (Sept 2004)

Policies
(diagram axes: Legal Compliance, Risk Management, Best Practice)

Telecommuting Policy
E-mail & Internet Use Policies
Monitoring Policy
Record Classification Policy
Record Ownership Policy
Record Destruction & Hold Policy

Information Classification Scheme linked to functions

Page 30: Ict Compliance (Sept 2004)

Debunking Compliance

Page 31: Ict Compliance (Sept 2004)

USA Law
• Do not be under the misapprehension that what is obligatory in the USA is or will be obligatory in SA

Page 32: Ict Compliance (Sept 2004)

US v SA (Laws)

US                                                    SA
Gramm-Leach-Bliley Act                                Nothing
Health Insurance Portability and Accountability Act   Nothing
Sarbanes-Oxley Act                                    King II (?) (no sec)
Federal Information Security Management Act           Nothing / MISS
Freedom of Information Act                            PROATIA (no sec)
Electronic Communications Privacy Act                 Monitoring Act (no sec)

Page 33: Ict Compliance (Sept 2004)

King II ≠ Regulation

King Report on Corporate Governance for South Africa 2002

Page 34: Ict Compliance (Sept 2004)

US v SA (Regulations)

US
Law: Health Insurance Portability and Accountability Act
Regulations:
– Standards for Electronic Transactions
– Standards for Privacy of Individually Identifiable Health Information
– Security Standards

SA
Law: ECT Act
Regulations:
– Crypto
– ASPs
– Critical Databases

Page 35: Ict Compliance (Sept 2004)

US v SA (Standards)

US                                                                  SA
ISO/IEC 17799                                                       SANS 17799
ISO/IEC 13335                                                       -
Control Objectives for Information and Related Technology (CobiT)   CobiT
Generally Accepted Information Security Principles (GAISP)          -
American National Standards Institute (ANSI) standards              -
National Institute of Standards and Technology (NIST)               -

Page 36: Ict Compliance (Sept 2004)

Terminology
• Law
• Regulation
• Standard

Page 37: Ict Compliance (Sept 2004)

The Electronic Communications and Transactions Act 2002

“ECT ACT Compliance”

Page 38: Ict Compliance (Sept 2004)

“ECT ACT Compliance”
• “Web site terms and conditions”
– Making information available to “consumers”
– 'consumer' means any natural person
– Penalty: consumer can cancel transaction within 14 days
• “E-mail legal notice”
• “Electronic communications policy”

Page 39: Ict Compliance (Sept 2004)

Structure of the Act
(Chapter / Title; the original slide also has columns e-Comm/e-Trans, e-Data and e-Infra)

Chapter 1: Interpretation, Objects and Application
Chapter 2: Maximising Benefits and Policy Framework
Chapter 3: Facilitating Electronic Transactions
Chapter 4: e-Government Services
Chapter 5: Cryptography Providers
Chapter 6: Authentication Service Providers
Chapter 7: Consumer Protection
Chapter 8: Protection of Personal Information
Chapter 9: Protection of Critical Databases
Chapter 10: Domain Name Authority & administration
Chapter 11: Limitation of Liability of Service Providers
Chapter 12: Cyber Inspectors
Chapter 13: Cyber Crime
Chapter 14: General

Page 40: Ict Compliance (Sept 2004)

“ECT Act Compliance”
• only 6 of its 14 chapters make mention of a fine or imprisonment for those convicted of an offence under the Act
• these 6 chapters relate to cryptography providers, authentication service providers, unsolicited commercial communications (spam), critical databases, cyber inspectors and cyber crime
• Regulations still have to be published regarding cryptography providers, authentication service providers and critical databases
• Until those regulations are in place, there is nothing to comply with

Page 41: Ict Compliance (Sept 2004)

“King II Compliance”

King Report on Corporate Governance for South Africa 2002

Page 42: Ict Compliance (Sept 2004)

King II
• King II designed to improve accountability and transparency of JSE listed public companies
• King II is NOT a LAW
• JSE listing requirement = compliance with King II
• Compliance Report to be signed by all directors personally

Page 43: Ict Compliance (Sept 2004)

Quotes from the Code

“The board should have unrestricted access to all company information, records, documents and property. The information needs of the company should be well defined and regularly monitored” (2.1.7)

Page 44: Ict Compliance (Sept 2004)

Quotes from the Code

“The board is responsible for the total process of risk management…” (3.1.1) and “should make use of…control models and frameworks…with respect to … “safeguarding the company’s assets (including information)” (3.1.4)

Page 45: Ict Compliance (Sept 2004)

Quotes from the Code

“The board is responsible for ensuring that a[n]…assessment of…key risks is undertaken…[which] should address the company’s exposure to… technology risks…business continuity and disaster recovery…” (3.1.5)

Page 46: Ict Compliance (Sept 2004)

“All companies in the King II era need to acknowledge the clear link between successful Infosec programs and business success as a whole”

? ?

Page 47: Ict Compliance (Sept 2004)

Managing Risks of Non-compliance

• Part of reasonable foreseeability is to spread risk (service providers and business partners)
• Be able to objectively determine your compliance criteria and controls to manage your criteria
• Be able to subjectively determine best practice
• Use a trusted advisor who can help you:
– Make this determination
– Choose appropriate technology which is aligned to your compliance and best practice requirements

Page 48: Ict Compliance (Sept 2004)

Copyright © Michalsons Online

The information contained in this presentation is subject to change without notice. Michalsons Online makes no warranty of any kind with regard to the material, including, but not limited to, the implied warranties of fitness for a particular purpose. Michalsons Online shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material. This document contains proprietary information that is protected by copyright. All rights are reserved. No part of this document may be photocopied, reproduced, or translated to another language without the prior written consent of Michalsons Online This document is an unpublished work protected by the copyright laws and is proprietary to Michalsons Online. Disclosure, copying, reproduction, merger, translation, modification, enhancement, or use by any unauthorised person without the prior written consent of Michalsons Online is prohibited. Contact Michalsons Online for permission to copy: [email protected].

Lance Michalson 0860 111 [email protected]

THANK YOU FOR YOUR TIME!!