ITC Law Experts, Information Technology Attorneys
Copyright © Michalsons Online 2007-2009. All rights reserved.

Ict Compliance @ Gartner (August 2005)

Dec 14, 2014

Lance Michalson

Transcript
Page 1: Ict Compliance @ Gartner (August 2005)

Information Technology Attorneys

Snapshot of Current State of ICT Regulatory Compliance in South Africa

Lance Michalson
Gartner Symposium ITXPO 2005
01 August 2005, Cape Town, South Africa

Page 2: Ict Compliance @ Gartner (August 2005)

Current Legal Compliance Landscape

Page 3: Ict Compliance @ Gartner (August 2005)

Compliance v Best Practice v Risk Management

[Diagram. Labels: Compliance, Best Practice, Risk Management; Technology Risk, Tech Legal Risk; scale from Narrow to Wide.]

Page 4: Ict Compliance @ Gartner (August 2005)

Example Compliance issues

Issue: Crypto supplier not registered with DOC
Offence: Fine or imprisonment not exceeding 2 years

Issue: No corporate info on e-mail
Offence: In terms of the Companies Act s50.1.c as read with s50.4, s171.1 as read with s441.1.m, s50.1.c as read with s441.1.k

Issue: No express or implied consent to monitoring paper and electronic communications
Offence: Fine not exceeding R2m or imprisonment not exceeding 10 years; inadmissible evidence

Page 5: Ict Compliance @ Gartner (August 2005)

Example Tech Legal Risk Issues

Issue: No software development agreement in place
Risk: Company does not own the software

Issue: Various factors might influence the admissibility and evidential weight of electronic documents
Risk: Inadmissibility of evidence; compromised chances of success in litigation (possible reputational damage, monetary loss – damages, legal costs etc.)

Issue: No e-mail footer (signature / disclaimer)
Risk: Vicarious liability (e.g. for defamation)

Page 6: Ict Compliance @ Gartner (August 2005)

Page 7: Ict Compliance @ Gartner (August 2005)

Legislative Process

[Diagram: Constitution; Legislature; Executive; Judiciary]

CONSTITUTION

LEGISLATURE
Parliament
- Makes new laws
- Amends existing laws
- Repeals old laws
Provincial Legislatures
Municipal Councils

EXECUTIVE

JUDICIARY

Page 8: Ict Compliance @ Gartner (August 2005)

South African ICT Regulatory Hype Cycle

[Figure: hype cycle. Vertical axis: Visibility. Horizontal axis: Maturity. Phases left to right: Business Trigger, Peak of Inflated Expectations, Trough of Disillusionment, Slope of Enlightenment, Plateau of Productivity.]

Page 9: Ict Compliance @ Gartner (August 2005)

Process followed
• What was included
  – Primary ICT laws in SA
  – NB SA adopted Standards
  – NB foreign laws impacting some SA companies
• What was excluded
  – Secondary laws affected by primary laws (e.g. record retention laws)

Page 10: Ict Compliance @ Gartner (August 2005)

Compliance requirements develop at different rates

[Figure: South African ICT Regulatory Hype Cycle. Vertical axis: Visibility; horizontal axis: Maturity. Phases: Business Trigger, Peak of Inflated Expectations, Trough of Disillusionment, Slope of Enlightenment, Plateau of Productivity. Items plotted on the curve:]

Infosec / SANS 17799
ECT Act (2002)
Basel II (1999)
RM / SANS 15489
PROATIA (2000)
Sarbanes-Oxley Act (2002)
RIC (monitoring)
Data Privacy
SANS 15801
Critical Databases, Crypto Providers and ASPs
Convergence Bill (2005)
King II (2002)
EU Data Privacy Directive
FICA

Key: Time to Plateau
Less than two years
Two years to five years
Five years to 10 years

Acronym Key
ASPs = Authentication Service Providers
RIC = Regulation of Interception of Communications etc. Act 70 of 2002

Page 11: Ict Compliance @ Gartner (August 2005)

Life Cycle of an Act of Parliament

[Flow diagram. Stages as labelled on the slide:]
Issue Paper
Discussion Paper
Green Paper
White Paper or Fast Track to Bill
Bill
Parliamentary Portfolio Committee Hearings
Act before National Council of Provinces
Act before National Assembly
Signed by President & Gazetted
Regulations, Notices

Also shown: Cabinet; markers IP, PC

Phases: DRAFTING PERIOD / INFLUENCE PERIOD / PREPARE TO COMPLY

Source: Department of Justice and Constitutional Development
http://www.doj.gov.za/2004dojsite/legislation/legprocess.htm

Last updated: 01 August 2005

Page 12: Ict Compliance @ Gartner (August 2005)

Where Key Pieces of Legislation Fit in

[Diagram: the life-cycle flow (Issue Paper, Discussion Paper, Green Paper, White Paper or Fast Track to Bill, Bill, Parliamentary Portfolio Committee Hearings, Act before National Council of Provinces, Act before National Assembly, Signed by President + Gazetted, Regulations, Notices; Cabinet; phases Drafting Period, Influence Period, Prepare to Comply) with legislation positioned on it:]

Data Privacy
Convergence Bill
RIC (not yet promulgated)
ECT Act Critical Database Regs
ECT Act Crypto, ASP, Domain Name Regs

Key: Status of Regulations (markers IP, PC)
Regs not published for comment
Regs published for comment, not yet promulgated

Last updated: 01 August 2005

Page 13: Ict Compliance @ Gartner (August 2005)

Optimum points of engagement

[Timeline: June 2005, August 2005, December 2005, January 2006]

Convergence Bill
Data Privacy Discussion Paper / Green Paper
Critical Database Regulations comments & Crypto Provider enactment (ECT Act)
Possible Gazetting of Monitoring Act (anytime)

Page 14: Ict Compliance @ Gartner (August 2005)

What can be done now?
• Critical Databases
• Data Privacy
• Monitoring
• King II
  – Information Security Best Practice Guide for South African Directors

Page 15: Ict Compliance @ Gartner (August 2005)

Page 16: Ict Compliance @ Gartner (August 2005)

Page 17: Ict Compliance @ Gartner (August 2005)

Chapter IX: Protection of Critical Databases

[Diagram: the sections of Chapter IX of the ECT Act]
S52 Scope of Critical Database Protection
S53 Identification of critical data and databases
S54 Registration of Critical Databases
S55 Management of Critical Databases
S56 Restrictions on disclosure of Information
S57 Right of Inspection
S58 Non Compliance with Chapter

The aim is to facilitate the identification and registration of critical databases within the Republic. Critical databases are defined as databases containing information that, if compromised, could threaten the security of the Republic or the economic and social well-being of its citizens. The Act stipulates criteria for the identification, registration and management of critical databases, as well as controls to ensure that the integrity and confidentiality of data relating to and contained in these databases is maintained, such as the right to audit and restrictions on, and penalties for, unauthorised or illegal disclosure of information contained in or about these databases. In November 2003 the Minister of Communications awarded a tender to a consortium of consultants to undertake an inventory of all major databases in South Africa.


Page 18: Ict Compliance @ Gartner (August 2005)

Management of Critical Databases

55 Management of critical databases
1. The Minister may prescribe minimum standards or prohibitions in respect of-
a) the general management of critical databases;
b) access to, transfer and control of critical databases;
c) infrastructural or procedural rules and requirements for securing the integrity and authenticity of critical data;
d) procedures and technological methods to be used in the storage or archiving of critical databases;
e) disaster recovery plans in the event of loss of critical databases or parts thereof; and
f) any other matter required for the adequate protection, management and control of critical databases.

Page 19: Ict Compliance @ Gartner (August 2005)

Privacy

Page 20: Ict Compliance @ Gartner (August 2005)

State of SA privacy regulation
• Law Reform Commission Issue Paper recommends:
  1. privacy and data protection should be regulated by legislation;
  2. a statutory regulatory agency should be established;
  3. a flexible approach should be followed in which industries will develop their own codes of practice (in accordance with the principles set out in the legislation) which will be overseen by the regulatory agency;
  4. general principles of data protection should be developed and incorporated in the legislation.

Page 21: Ict Compliance @ Gartner (August 2005)

Data Protection Principles
• Limitation on collection (consent)
• Specified purpose
• Limitation on disclosure
• Data quality (relevance)
• Security safeguards
  – Against unauthorised access, destruction, use, modification or disclosure
  – Role of crypto

Page 22: Ict Compliance @ Gartner (August 2005)

Monitoring

Page 23: Ict Compliance @ Gartner (August 2005)

Monitoring e-communications
• 1992 v 2002 (RIC) Acts
• RIC is all about:
  – Monitoring in a “legally compliant manner”
  – Putting the correct processes and procedures in place

Page 24: Ict Compliance @ Gartner (August 2005)

Monitoring
• Section 7 “business exception”
• System controller (SC) (CEO)
• 4 requirements:
  – Express / implied consent of SC
  – Particular purpose
  – E-communications tools owned by business
  – Reasonable efforts by SC to give advance notice OR express / implied consent of person being monitored
• R2m or 10 years

Page 25: Ict Compliance @ Gartner (August 2005)

Some Monitoring Issues
• What constitutes written consent?
• What constitutes implied consent?
• Is per-interception consent necessary?
• Will a blanket consent suffice?
• How does the CEO demonstrate “reasonable efforts”?
• How does one protect the CEO?

Page 26: Ict Compliance @ Gartner (August 2005)

Monitoring Matrix

Implied consent and reasonable efforts demonstrated by:
- Monitoring Policy
- FAQ
- Glossary of Terms
- Log-on Notice
- Monitoring Policy Notice to Users
- Reminder e-mail from IT department

Written consent demonstrated by:
- Acceptance of Monitoring Policy
- Log-on Notice

CEO is protected by:
- CEO Delegation to IT department
- Pro-Forma Interception Request
- Pro-Forma Interception Report to the Board

Page 27: Ict Compliance @ Gartner (August 2005)

Page 28: Ict Compliance @ Gartner (August 2005)

Compliance & Risk Cocktail

[Diagram grouping the sources of compliance obligations:]

ACTS OF PARLIAMENT
- ECT Act
- PROATIA, 2002
- Monitoring Act

COMMON LAW
- Contract
- Delict (Negligence – duty to take reasonable steps)

BEST PRACTICE / INFORMATION RISK MANAGEMENT
- SANS 17799
- MISS (Govt depts)
- COSO ERM
- COBIT

KING II: GOOD GOVERNANCE

SEE OUR INFORMATION & TECHNOLOGY COMPLIANCE AND LEGAL RISK MATRIX

Compliance crosses several disciplines, from HR to IT to Legal to risk management.

Compliance is a combination of policy, process, and technology.

Page 29: Ict Compliance @ Gartner (August 2005)

THANK YOU FOR YOUR TIME!!

Lance Michalson
[email protected]

“IT Law with Insight”

www.michalsons.com

Copyright © Michalsons 2002-2009

The information contained in this presentation is subject to change without notice. Michalsons makes no warranty of any kind with regard to the material, including, but not limited to, the implied warranties of fitness for a particular purpose. Michalsons shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material. This document contains proprietary information that is protected by copyright. All rights are reserved. No part of this document may be photocopied, reproduced, or translated to another language without the prior written consent of Michalsons. This document is an unpublished work protected by the copyright laws and is proprietary to Michalsons. Disclosure, copying, reproduction, merger, translation, modification, enhancement, or use by any unauthorised person without the prior written consent of Michalsons is prohibited. Contact Lance Michalson at [email protected] for permission to copy.