Infosec Law (Feb 2006)
Uploaded by lance-michalson (category: Technology)
Transcript of Infosec Law (Feb 2006)
IT LAW EXPERTS. Copyright © Michalsons Online 2007-2009. All rights reserved.
Information Technology Attorneys
Law relating to Information Security
Outline
• Meaning of security in the SA legal context
• Helicopter legislative overview
• Focus on select issues
  – Crypto
  – Critical databases
  – Privacy
  – Monitoring
  – King II
• Take home messages
Meaning of "Security" in the SA Context
National security:
• ECT Act, 2002 (crypto; critical databases)
• The State Information Technology Agency Act, 1998
• The Electronic Communications Security (Pty) Limited Act (COMSEC)
• Intelligence Services Control Amendment Act, 2002
Information security (CIA):
• SANS 17799
• King II Infosec BPG
Privacy & security:
• Monitoring Act (RICA)
• PPI Bill, 2005 (SA Law Commission)
Compliance requirements develop at different rates

[Figure: South African ICT Regulatory Hype Cycle. Axes: Visibility against Maturity. Phases: Business Trigger, Peak of Inflated Expectations, Trough of Disillusionment, Slope of Enlightenment, Plateau of Productivity. Key (time to plateau): less than two years; two to five years; five to 10 years; more than 10 years; obsolete before plateau.]
Items plotted: Basel I (1988); Infosec / SANS 17799; ECT Act (2002); Basel II (1999); RM / SANS 15489; PROATIA (2000); Sarbanes-Oxley Act (2002); RICA (monitoring); PPI Bill (Privacy); SANS 15801; Critical Databases, Crypto Providers and ASPs; Convergence Bill (2005); King II (2002); EU Data Privacy Directive; FICA.
Chapter V: Cryptography Providers
[Diagram: Chapter V of the ECT Act, sections 29 to 32: s29 Register of cryptography providers; s30 Registration with the Department; s31 Restrictions on disclosure of information; s32 Application of Chapter; offences.]
Chapter V: Cryptography Providers
Chapter V governs cryptography products and services provided in the Republic. The Director-General is tasked with maintaining a register of cryptography providers and their products and services. Registration is compulsory, and suppliers are prohibited from providing cryptography products or services in the Republic without complying with the provisions of the Act.
Cons
• Definitions too wide
• Who has to register?
• Who is a cryptography provider?
• What is a cryptography service?
  – Key management service
  – Enrolment and verification service
  – Infosec consulting service?
  – Date and time-stamping service
• What is a cryptography product?
• When is it provided in the Republic?
Chapter IX: Protection of Critical Databases
[Diagram: Chapter IX of the ECT Act, sections 52 to 58: s52 Scope of critical database protection; s53 Identification of critical data and databases; s54 Registration of critical databases; s55 Management of critical databases; s56 Restrictions on disclosure of information; s57 Right of inspection; s58 Non-compliance with Chapter.]
Chapter IX: Protection of Critical Databases
The aim is to facilitate the identification and registration of critical databases within the Republic. Critical databases are databases containing information that, if compromised, could threaten the security of the Republic or the economic and social well-being of its citizens. The Act stipulates criteria for the identification, registration and management of critical databases, as well as controls to ensure that the integrity and confidentiality of data relating to and contained in these databases is maintained, such as the right to audit, and restrictions and penalties for unauthorised or illegal disclosure of information contained in or about these databases. In November 2003 the Minister of Communications awarded a tender to a consortium of consultants to undertake an inventory of all major databases in South Africa.
Management of Critical Databases
55. Management of critical databases
(1) The Minister may prescribe minimum standards or prohibitions in respect of:
(a) the general management of critical databases;
(b) access to, transfer and control of critical databases;
(c) infrastructural or procedural rules and requirements for securing the integrity and authenticity of critical data;
(d) procedures and technological methods to be used in the storage or archiving of critical databases;
(e) disaster recovery plans in the event of loss of critical databases or parts thereof; and
(f) any other matter required for the adequate protection, management and control of critical databases.
Privacy
State of SA privacy regulation
• Privacy regulation in its infancy
• Protection of Personal Information (PPI) Bill and Discussion Paper released in October 2005 by the South African Law Reform Commission
• Comments due 28 February 2006
• Based on 8 principles:
Principle 6 – Security Safeguards: Key Aspects
• Measures to ensure integrity of personal information
• Security measures regarding PI by processor
• Notification of security compromises
Monitoring
Monitoring
• 30 September 2005 (RICA in force)
• Interception (monitoring) is unlawful unless one of the Act's exceptions applies
Exceptions (RICA)
• s4(1): the participant(s) intercept themselves; anyone who is a party to the communication may intercept it
• s5(1): a third party (e.g. Co X) intercepts with the written consent of one of the parties
  – can only intercept with written consent
  – CEO not involved
  – no fine
• s6: a third party (e.g. Co X) intercepts in the ordinary course of business (business purpose exception)
  – CEO involved
  – penalty for getting it wrong: fine up to R2m or imprisonment up to 10 years
Monitoring
• Electronic and paper communications
• Live versus stored data
Section 86(1) of the ECT Act
• A person who intentionally accesses or intercepts data without authority or permission to do so is guilty of an offence; s89(1): fine or imprisonment not exceeding 1 year
• This provision is made subject to RICA
• Section 88: any person who aids and abets someone to commit any offence is also guilty of an offence
• Unauthorised monitoring may thus breach both RICA and the ECT Act
Monitoring
• Consent is at the heart of it
• Consent from the user's perspective
  – Express v implied
  – Written consent
• Consent from the CEO's perspective
  – Is per-interception consent necessary?
  – Will a blanket consent suffice?
Monitoring
• "Health purposes"
  – Continuous monitoring
  – System security and maintenance
  – Automatic monitoring
• "Forensic purposes"
  – Once-off, occasional, covert
  – Investigate allegations of fraud, corruption, breach of a policy
  – Manual monitoring
Monitoring: Forensic Reasons
• Allegations of fraud
• Allegations of criminal activity against or attributable to ARC
• Allegations of corruption
• Allegations of breach of a policy
• To counteract criminal or fraudulent activities
• To respond to legal proceedings that call for electronic or paper evidence
• Where the involved individual is unavailable and timing is critical for business activity
• Where monitoring is required by a law enforcement agency
Monitoring: Health Reasons
• Security incident response
• Help desk responses to calls logged
• Firewall software
• Content monitoring systems
• Message logging systems
• Telephone management system
Monitoring Matrix (RICA tells you what to do but not how to do it)

Implied consent and reasonable efforts demonstrated by:
• Monitoring Policy (Persons)
• FAQ
• Glossary of Terms
• Log-on Notice
• Monitoring Policy Notice and Memo to Users
• Reminder e-mail from IT department

Express / written consent demonstrated by:
• Acceptance of Monitoring Policy
• Monitoring Consent (incl. waiver of right to privacy and covering ECT Act)
• Suggested clauses for HR contracts and promotions
• Log-on Notice
• Waiver & consent clause in Visitor's sign-in sheet

CEO is protected by:
• CEO Delegation of Authority to MO
• Monitoring Policy & Guidelines for Technical Staff + Acceptance Doc
• Pro-Forma Monitoring Request
• Pro-Forma Interception Report to the Board
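The matrix above lists the paper artefacts; the following is an added example (not from the Michalsons deck, and not legal advice) of how a monitoring officer's tooling could enforce the same split between health monitoring and forensic interception. Health monitoring runs under the standing monitoring policy; a forensic interception is refused unless it fits one of the RICA exceptions the deck lists (s4(1) party to the communication, s5(1) written consent of a party, s6 business purpose under the CEO's delegated authority), and every decision is written to a hash-chained log that feeds the pro-forma interception report to the board. The purpose lists, the delegate name `monitoring.officer`, the request fields and the log layout are this example's own assumptions.

```python
"""Interception request gate with a hash-chained interception log.

Added example, not from the Michalsons deck. Encodes the deck's RICA
exceptions (s4(1), s5(1), s6) as a decision function and records each
decision tamper-evidently. Purpose lists, delegate names and the log
layout are assumptions made for this example.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass
from typing import Optional

# Standing, policy-approved "health" monitoring (continuous, automatic). Assumed list.
HEALTH_PURPOSES = frozenset({
    "security incident response", "help desk", "firewall",
    "content monitoring", "message logging", "telephone management",
})
# Once-off "forensic" grounds under the business-purpose exception. Assumed list.
FORENSIC_PURPOSES = frozenset({
    "allegation of fraud", "allegation of criminal activity",
    "allegation of corruption", "allegation of policy breach",
    "legal proceedings", "law enforcement request", "individual unavailable",
})
# Persons holding the CEO's (system controller's) delegation of authority. Assumed.
MONITORING_OFFICERS = frozenset({"monitoring.officer"})


@dataclass(frozen=True)
class InterceptionRequest:
    requester: str
    subject: str                       # whose communication is intercepted
    kind: str                          # "health" or "forensic"
    purpose: str
    requester_is_party: bool = False   # s4(1): intercepting a communication you are party to
    written_consent_from: Optional[str] = None  # s5(1): party who consented in writing
    authorised_by: Optional[str] = None         # s6: delegate who signed the monitoring request


def decide(req: InterceptionRequest) -> tuple[bool, str]:
    """Return (allowed, ground). Refuses unless an exception clearly applies."""
    if req.kind == "health":
        if req.purpose in HEALTH_PURPOSES:
            return True, "s6 ordinary course of business: policy-approved health monitoring"
        return False, "health monitoring not covered by the monitoring policy"
    if req.kind != "forensic":
        return False, f"unknown request kind {req.kind!r}"
    if req.requester_is_party:
        return True, "s4(1): requester is a party to the communication"
    if req.written_consent_from:
        return True, f"s5(1): written consent of {req.written_consent_from}"
    if req.purpose in FORENSIC_PURPOSES and req.authorised_by in MONITORING_OFFICERS:
        return True, f"s6: business purpose, authorised by {req.authorised_by}"
    return False, "no exception applies: forensic interception refused"


class InterceptionLog:
    """Append-only, hash-chained record of decisions (input to the board report)."""

    def __init__(self) -> None:
        self.entries: list[dict] = []

    def record(self, req: InterceptionRequest, allowed: bool, ground: str) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {"seq": len(self.entries), "prev": prev, "requester": req.requester,
                "subject": req.subject, "kind": req.kind, "purpose": req.purpose,
                "allowed": allowed, "ground": ground}
        # Hash is computed over the body before the "hash" key is added.
        body["hash"] = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        self.entries.append(body)
        return body

    def verify(self) -> bool:
        """Recompute every hash; an edited, reordered or deleted entry breaks the chain."""
        prev = "0" * 64
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["seq"] != i or body["prev"] != prev:
                return False
            if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != e["hash"]:
                return False
            prev = e["hash"]
        return True


def gate(log: InterceptionLog, req: InterceptionRequest) -> bool:
    """Decide and record in one step so no interception goes unlogged."""
    allowed, ground = decide(req)
    log.record(req, allowed, ground)
    return allowed


def demo() -> tuple[InterceptionLog, list[bool]]:
    """Constructed sample requests; returns the log and the decisions in order."""
    log = InterceptionLog()
    reqs = [
        InterceptionRequest("soc.analyst", "all-users", "health", "firewall"),
        InterceptionRequest("hr.manager", "j.doe", "forensic", "allegation of fraud"),
        InterceptionRequest("hr.manager", "j.doe", "forensic", "allegation of fraud",
                            authorised_by="monitoring.officer"),
        InterceptionRequest("it.admin", "j.doe", "forensic", "curiosity",
                            written_consent_from="j.doe"),
    ]
    return log, [gate(log, r) for r in reqs]
```

The second sample request is refused because an HR manager asking for a mailbox on a fraud allegation has no delegated authority from the CEO; the same request signed by the monitoring officer passes under s6, and the fourth passes under s5(1) regardless of purpose because a party gave written consent. The log's `verify()` is what the board report relies on: changing any recorded decision after the fact invalidates the chain.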
King II and Infosec
King Report on Corporate Governance for South Africa 2002
“The board should have unrestricted access to all company information, records, documents and property. The information needs of the company should be well defined and regularly monitored” (2.1.7)
Quotes from the Code
“The board is responsible for the total process of risk management…” (3.1.1) and “should make use of…control models and frameworks…with respect to … “safeguarding the company’s assets (including information)” (3.1.4)
Quotes from the Code
“The board is responsible for ensuring that a[n]…assessment of…key risks is undertaken…[which] should address the company’s exposure to… technology risks…business continuity and disaster recovery…” (3.1.5)
Quotes from the Code
King II Infosec BPG
1. What is information security?
2. Key considerations when making information security decisions
3. Characteristics of a sound information security agenda
4. An effective information security strategy
5. Devising a successful approach to information security
6. What directors can do
Take home messages
• Identify your compliance criteria
• Identify your information holdings
  – Sensitivity
  – Personal information
  – Records
• Prepare a file plan / information taxonomy
Information Security Policy
Legal Compliance Risk Management Best Practice
• Often drafted by IT Audit / HR / IT
  – HR often doesn't understand the tech issues
  – IT Audit often doesn't understand the legal issues and is too technical
• Need to address different audiences
• Often "knipped" and "plukked" (cut and pasted) from the internet
• No clear understanding as to content and labelling (e.g. ECP)
• Myth around 17799 "compliance"
Information Security Policy, with component policies:
• E-mail Policy
• Privacy & Monitoring Policy
• Internet Usage Policy
• Personal Computer Security Policy
• Telecommuting Policy
• Employee Exit Policy
Drivers: Legal Compliance, Risk Management, Best Practice
Information Classification Scheme linked to functions
Take home messages
• Proper implementation of policies
  – It is a principle of South African law that if an employer wants to discipline an employee on the grounds that he/she has broken one of the rules set out in a policy, the employer must establish three things:
    (i) that there was a rule;
    (ii) that the rule was reasonable; and
    (iii) that the rule had been brought to the attention of the employee.
Conclusion
• "Many businesses recognise that information security is a key technical and business issue, but it is important to recognise that it is also a legal issue" (Lorijean G. Oei, "Online Law: The Legal Role of Information Security")
• Do not consult us after the fact
• Legal advice must be "integrated into" solutions, not "bolted onto" them
THANK YOU FOR YOUR TIME!
Lance Michalson
"IT Law with Insight"
www.michalsons.com
Copyright © Michalsons 2002-2009
The information contained in this presentation is subject to change without notice. Michalsons makes no warranty of any kind with regard to the material, including, but not limited to, the implied warranties of fitness for a particular purpose. Michalsons shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material. This document contains proprietary information that is protected by copyright. All rights are reserved. No part of this document may be photocopied, reproduced, or translated to another language without the prior written consent of Michalsons. This document is an unpublished work protected by the copyright laws and is proprietary to Michalsons. Disclosure, copying, reproduction, merger, translation, modification, enhancement, or use by any unauthorised person without the prior written consent of Michalsons is prohibited. Contact Lance Michalson at [email protected] for permission to copy.