Ict Compliance (Sept 2004)
INFORMATION MANAGEMENT PROFESSIONALS
© Michalsons Online 2007-2009

Compliance
23 September 2004
Nature of the Beast
ECT Act
King II
SOX
BS 17799
FAIS
FICA
PROATIA
Privacy
Everyone is trying to get a grip on Compliance
“The King II report on corporate governance and the ECT Act are encouraging adherence to high security standards”
6 September 2004: http://www.itweb.co.za/sections/features/ictsecurity/feature040906-2.asp
“Race for compliance… the race to comply with increasingly specific ICT security legislation holding company executives personally responsible involves… “
6 September 2004: http://www.itweb.co.za/sections/features/ictsecurity/feature040906-8.asp
Security or records management products are “King II Compliant”
Security or records management products are “SOX Compliant”
“New player helps with ECT Act compliance”
30 April 2004: http://www.itweb.co.za/sections/business/2004/0404301131.asp?A=CNT&S=Content%20Management%20&O=F
X “improves Corporate Governance with new Enterprise Portfolio Management Software”
The Fear Factor
1. Exaggerating scope and benefits of the solutions
2. Basing proposition for the technology requirement on a misreading or misunderstanding of the law
3. Opining on and interpreting legislation as if competent to make these assessments
4. Being under the misapprehension that what is obligatory in the USA is or will be obligatory in SA
The Fear Factor
5. Misinterpreting best practice as mandatory legal compliance
6. Construing opinions on the impact of legislation and regulations as fact
7. Misinterpreting international standards as de facto legislation in SA when it is abundantly evident that SA can adopt whatever standards it chooses
8. Interpreting law in a misleading way
The Fear Factor
– conflating what the law says and what the penalty MIGHT be into one idea, suggesting that the law states that this is what WILL happen
• E.g. record retention
The Unknown
As we know,
There are known knowns. There are things we know we know.
We also know There are known unknowns.
That is to say We know there are some things
We do not know. But there are also unknown unknowns,
The ones we don't know We don't know.
– 12 Feb 2002, Department of Defense news briefing: http://slate.msn.com/id/2081042/
The Poetry of D.H. Rumsfeld: Recent works by the Secretary of Defense
Compliance v Best Practice v Risk Management
(diagram with three labelled regions: Compliance, Best Practice, Risk Management)
Examples of Current Issues
(columns: Compliance, Best Practice, Risk Management)
Aspects of ECT Act
Monitoring
SANS 17799 (ISP)
SANS 15489 (RM)
BIP 0008 (Evidence)
E-mail “disclaimers”
Compliance Cocktail (Information Security & Information Management)

ACTS OF PARLIAMENT (Law / Legal Issues)
ECT Act
FICA, FAIS
PROATIA, 2002
Monitoring Act

COMMON LAW (Law / Legal Issues)
Contract
Delict (Negligence)

BEST PRACTICE / INFORMATION RISK MANAGEMENT
SANS 15489 – RM
SANS 17799 – Infosec
BSI BIP 0008 – Integrity
MISS (Govt depts)
SEE OUR INFORMATION RISK MATRIX

KING II / GOOD GOVERNANCE
Compliance Cocktail (Information Security & Information Management)
ACTS OF PARLIAMENT: EASY
COMMON LAW: NOT SO EASY
BEST PRACTICE / INFORMATION RISK MANAGEMENT: VOLUNTARY
KING II / GOOD GOVERNANCE: VOLUNTARY
Common law - Contract
Nature of the beast
• Most security software comes with standard contract terms where
– the user must evaluate the suitability of the product for use
– the user assumes all liability for product behavior
• User cannot evaluate / cannot be expected to evaluate the security claims of a product
“Snake-Oil Salesman’s Paradise”
• Because snakes do not exude oil, the term snake-oil has come to mean any preparation that has no real medicinal value and yet is fraudulently sold by traveling medicine shows as a cure for many ills
• Not regulated by law
Common law - Contract
• Obligation to take reasonable steps to protect the e-security of the relevant system
• Examples of “reasonable steps”:
– Spread the risk
• Service providers
• Customers
– Maintain secure networks
– Safeguard confidentiality of valuable data
– How to respond if there is a breach of e-security
– Steps to follow to minimise damage that flows from the breach
Common law – delict
Common law - Delict
• Negligence:
– Involves establishing that the defendant owed a duty of care to the plaintiff
– Based on reasonable foreseeability that harm would be caused without the exercise of reasonable care
Examples of Foreseeability
• Sending a virus infected e-mail: the court would consider
– Availability of a security patch
– Notification of same to the defendant
– Failure of defendant to
• install the relevant patch
• within a reasonable period
Reputational Damage
Loss of Revenue
“It takes twenty years to build a reputation and five minutes to lose it.”
Warren Buffett, Chairman, Berkshire Hathaway
• “Security is a process, not a product” – Bruce Schneier
• Information is information and software products only protect the information while it is on computers
• It does not protect it when it gets into the hands of disgruntled employees
• Most computer security measures – firewalls, intrusion protection systems – try to deal with the external hacker, but are powerless to deal with insiders
Removable Flash Disc Drive
Human Firewalls
Technical Firewalls
Policies
• Telecommuting Policy
• E-mail & Internet Use Policies
• Monitoring Policy
• Record Classification Policy
• Record Ownership Policy
• Record Destruction & Hold Policy
(diagram columns: Legal Compliance, Risk Management, Best Practice)
Information Classification Scheme linked to functions
Debunking Compliance
USA Law
• Do not be under the misapprehension that what is obligatory in the USA is or will be obligatory in SA
US v SA (Laws)
US                                                   SA
Gramm-Leach-Bliley Act                               Nothing
Health Insurance Portability and Accountability Act  Nothing
Sarbanes-Oxley Act                                   King II (?) (no sec)
Federal Information Security Management Act          Nothing / MISS
Freedom of Information Act                           PROATIA (no sec)
Electronic Communications Privacy Act                Monitoring Act (no sec)
King II ≠ Regulation
King Report on Corporate Governance for South Africa 2002
US v SA (Regulations)

US
Law: Health Insurance Portability and Accountability Act
Regulations:
– Standards for Electronic Transactions
– Standards for Privacy of Individually Identifiable Health Information
– Security Standards

SA
Law: ECT Act
Regulations:
– Crypto
– ASPs
– Critical Databases
US v SA (Standards)
US                                                                  SA
ISO/IEC 17799                                                       SANS 17799
ISO/IEC 13335                                                       -
Control Objectives for Information and Related Technology (CobiT)   CobiT
Generally Accepted Information Security Principles (GAISP)          -
American National Standards Institute (ANSI) standards              -
National Institute of Standards and Technology (NIST)               -
Terminology
• Law
• Regulation
• Standard
The Electronic Communications and Transactions Act 2002
“ECT ACT Compliance”
“ECT ACT Compliance”
• “Web site terms and conditions”
– Making information available to “consumers”
– 'consumer' means any natural person
– Penalty: consumer can cancel transaction within 14 days
• “E-mail legal notice”
• “Electronic communications policy”
Structure of the Act
(table columns: Chapter, Title, e-Comm, e-Trans, e-Data, e-Infra; the per-chapter ticks in the last four columns did not survive extraction)
Chapter 1   Interpretation, Objects and Application
Chapter 2   Maximising Benefits and Policy Framework
Chapter 3   Facilitating Electronic Transactions
Chapter 4   e-Government Services
Chapter 5   Cryptography Providers
Chapter 6   Authentication Service Providers
Chapter 7   Consumer Protection
Chapter 8   Protection of Personal Information
Chapter 9   Protection of Critical Databases
Chapter 10  Domain Name Authority & administration
Chapter 11  Limitation of Liability of Service Providers
Chapter 12  Cyber Inspectors
Chapter 13  Cyber Crime
Chapter 14  General
“ECT Act Compliance”
• only 6 of its 14 chapters make mention of a fine or imprisonment for those convicted of an offence under the Act
• these 6 chapters relate to cryptography providers, authentication service providers, unsolicited commercial communications (spam), critical databases, cyber inspectors and cyber crime
• Regulations still have to be published regarding cryptography providers, authentication service providers and critical databases
• Until those regulations are in place, there is nothing to comply with
“King II Compliance”
King Report on Corporate Governance for South Africa 2002
King II
• King II designed to improve accountability and transparency of JSE listed public companies
• King II is NOT a LAW
• JSE listing requirement = compliance with King II
• Compliance Report to be signed by all directors personally
Quotes from the Code
“The board should have unrestricted access to all company information, records, documents and property. The information needs of the company should be well defined and regularly monitored” (2.1.7)
Quotes from the Code
“The board is responsible for the total process of risk management…” (3.1.1) and “should make use of…control models and frameworks…with respect to … “safeguarding the company’s assets (including information)” (3.1.4)
Quotes from the Code
“The board is responsible for ensuring that a[n]…assessment of…key risks is undertaken…[which] should address the company’s exposure to… technology risks…business continuity and disaster recovery…” (3.1.5)
“All companies in the King II era need to acknowledge the clear link between successful Infosec programs and business success as a whole”
Managing Risks of Non-compliance
• Part of reasonable foreseeability is to spread risk (service providers and business partners)
• Be able to objectively determine your compliance criteria and controls to manage your criteria
• Be able to subjectively determine best practice
• Use a trusted advisor who can help you:
– Make this determination
– Choose appropriate technology which is aligned to your compliance and best practice requirements
Copyright © Michalsons Online
The information contained in this presentation is subject to change without notice. Michalsons Online makes no warranty of any kind with regard to the material, including, but not limited to, the implied warranties of fitness for a particular purpose. Michalsons Online shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material. This document contains proprietary information that is protected by copyright. All rights are reserved. No part of this document may be photocopied, reproduced, or translated to another language without the prior written consent of Michalsons Online This document is an unpublished work protected by the copyright laws and is proprietary to Michalsons Online. Disclosure, copying, reproduction, merger, translation, modification, enhancement, or use by any unauthorised person without the prior written consent of Michalsons Online is prohibited. Contact Michalsons Online for permission to copy: [email protected].
Lance Michalson
0860 111 [email protected]
THANK YOU FOR YOUR TIME!!