ICT Compliance @ Gartner (August 2005)
Transcript of ICT Compliance @ Gartner (August 2005)
ITC LAW EXPERTS. Copyright © Michalsons Online 2007-2009. All rights reserved.
Information Technology Attorneys
Snapshot of Current State of ICT Regulatory Compliance in South Africa
Lance Michalson, Gartner Symposium ITXPO 2005
01 August 2005, Cape Town, South Africa
Current Legal Compliance Landscape
Compliance v Best Practice v Risk Management
(Diagram; recoverable labels: Compliance, Best Practice, Risk Management, Technology Risk, Tech Legal Risk, on a scale from Wide to Narrow.)
Example Compliance Issues (Issue / Offence)
- Issue: Crypto supplier not registered with DOC. Offence: fine or imprisonment not exceeding 2 years.
- Issue: No corporate info on e-mail. Offence in terms of the Companies Act: s50.1.c read with s50.4; s171.1 read with s441.1.m; s50.1.c read with s441.1.k.
- Issue: No express or implied consent to monitoring of paper and electronic communications. Offence: fine not exceeding R2m or imprisonment not exceeding 10 years; evidence inadmissible.
Example Tech Legal Risk Issues (Issue / Risk)
- Issue: No software development agreement in place. Risk: the company does not own the software.
- Issue: Various factors might influence the admissibility and evidential weight of electronic documents. Risk: inadmissibility of evidence; compromised chances of success in litigation (possible reputational damage and monetary loss, e.g. damages and legal costs).
- Issue: No e-mail footer (signature / disclaimer). Risk: vicarious liability (e.g. for defamation).
Legislative Process
(Diagram; recoverable labels: CONSTITUTION; LEGISLATURE: Parliament (makes new laws, amends existing laws, repeals old laws), Provincial Legislatures, Municipal Councils; EXECUTIVE; JUDICIARY.)
South African ICT Regulatory Hype Cycle
(Diagram: Visibility plotted against Maturity through Business Trigger, Peak of Inflated Expectations, Trough of Disillusionment, Slope of Enlightenment and Plateau of Productivity.)
Process followed
• What was included
– Primary ICT laws in SA
– NB SA adopted standards
– NB foreign laws impacting some SA companies
• What was excluded
– Secondary laws affected by primary laws (e.g. record retention laws)
Compliance requirements develop at different rates
South African ICT Regulatory Hype Cycle
(Diagram: Visibility plotted against Maturity through Business Trigger, Peak of Inflated Expectations, Trough of Disillusionment, Slope of Enlightenment and Plateau of Productivity.)
Key (time to plateau): less than two years; two years to five years; five years to 10 years.
Acronym key: ASPs = Authentication Service Providers; RIC = Regulation of Interception of Communications etc. Act 70 of 2002.
Items plotted on the cycle: Infosec / SANS 17799; ECT Act (2002); Basel II (1999); RM / SANS 15489; PROATIA (2000); Sarbanes-Oxley Act (2002); RIC (monitoring); Data Privacy; SANS 15801; Critical Databases, Crypto Providers and ASPs; Convergence Bill (2005); King II (2002); EU Data Privacy Directive; FICA.
Life Cycle of an Act of Parliament
Issue Paper
Discussion Paper
Green Paper
White Paper or Fast Track to Bill
Cabinet
Bill: Parliamentary Portfolio Committee Hearings
Act before National Council of Provinces
Act before National Assembly
Signed by President and Gazetted
Regulations, Notices
Phases: drafting period; influence period; prepare to comply. (Diagram markers: IP, PC.)
Source: Department of Justice and Constitutional Development, http://www.doj.gov.za/2004dojsite/legislation/legprocess.htm
Last updated: 01 August 2005
Where Key Pieces of Legislation Fit in
(Same life-cycle diagram: Issue Paper, Discussion Paper, Green Paper, White Paper or Fast Track to Bill, Cabinet, Bill / Parliamentary Portfolio Committee Hearings, Act before National Council of Provinces, Act before National Assembly, Signed by President and Gazetted, Regulations, Notices; phases drafting period, influence period, prepare to comply.)
Legislation plotted: Data Privacy; Convergence Bill; RIC (not yet promulgated); ECT Act Critical Database Regs; ECT Act Crypto, ASP, Domain Name Regs.
Key (status of regulations; diagram markers IP, PC): regs not published for comment; regs published for comment, not yet promulgated.
Last updated: 01 August 2005
Optimum points of engagement
Timeline: June 2005, August 2005, December 2005, January 2006.
- Convergence Bill
- Data Privacy Discussion Paper / Green Paper
- Critical Database Regulations comments & Crypto Provider enactment (ECT Act)
- Possible Gazetting of Monitoring Act (anytime)
What can be done now?
• Critical Databases
• Data Privacy
• Monitoring
• King II
– Information Security Best Practice Guide for South African Directors
Chapter IX: Protection of Critical Databases
Sections of Chapter IX:
S52 Scope of critical database protection
S53 Identification of critical data and databases
S54 Registration of critical databases
S55 Management of critical databases
S56 Restrictions on disclosure of information
S57 Right of inspection
S58 Non-compliance with chapter
Chapter IX: Protection of Critical Databases
The aim is to facilitate the identification and registration of critical databases within the Republic. Critical databases are defined as databases containing information that, if compromised, could threaten the security of the Republic or the economic and social well-being of its citizens. The Act stipulates criteria for the identification, registration and management of critical databases, as well as controls to ensure that the integrity and confidentiality of data relating to and contained in these databases is maintained, such as a right to audit, and restrictions and penalties in respect of unauthorised or illegal disclosure of information contained in or about these databases. In November 2003 the Minister of Communications awarded a tender to a consortium of consultants to undertake an inventory of all major databases in South Africa.
Management of Critical Databases
55 Management of critical databases
1. The Minister may prescribe minimum standards or prohibitions in respect of-
a) the general management of critical databases;
b) access to, transfer and control of critical databases;
c) infrastructural or procedural rules and requirements for securing the integrity and authenticity of critical data;
d) procedures and technological methods to be used in the storage or archiving of critical databases;
e) disaster recovery plans in the event of loss of critical databases or parts thereof; and
f) any other matter required for the adequate protection, management and control of critical databases.
Privacy
State of SA privacy regulation
• Law Reform Commission Issue Paper recommends:
1. privacy and data protection should be regulated by legislation;
2. a statutory regulatory agency should be established;
3. a flexible approach should be followed in which industries will develop their own codes of practice (in accordance with the principles set out in the legislation) which will be overseen by the regulatory agency;
4. general principles of data protection should be developed and incorporated in the legislation.
Data Protection Principles
• Limitation on collection (consent)
• Specified purpose
• Limitation on disclosure
• Data quality (relevance)
• Security safeguards
– Against unauthorised access, destruction, use, modification, disclosure
– Role of crypto
Monitoring
Monitoring e-communications
• 1992 v 2002 (RIC) Acts
• RIC is all about:
– Monitoring in a “legally compliant manner”
– Putting the correct processes and procedures in place
Monitoring
• Section 7 “business exception”
• System controller (SC) (CEO)
• 4 requirements:
– Express / implied consent of SC
– Particular purpose
– E-communications tools owned by business
– Reasonable efforts by SC to give advance notice OR express / implied consent of person being monitored
• R2m or 10 years
Some Monitoring Issues
• What constitutes written consent?
• What constitutes implied consent?
• Is per-interception consent necessary?
• Will a blanket consent suffice?
• How does the CEO demonstrate “reasonable efforts”?
• How does one protect the CEO?
Monitoring Matrix
Implied consent and reasonable efforts demonstrated by: Monitoring Policy; FAQ; Glossary of Terms; Log-on Notice; Monitoring Policy Notice to Users; Reminder e-mail from IT department.
Written consent demonstrated by: Acceptance of Monitoring Policy; Log-on Notice.
CEO is protected by: CEO Delegation to IT department; Pro-Forma Interception Request; Pro-Forma Interception Report to the Board.
Compliance & Risk Cocktail
(Diagram)
ACTS OF PARLIAMENT: ECT Act; PROATIA, 2002; Monitoring Act
COMMON LAW: Contract; Delict (negligence: duty to take reasonable steps)
BEST PRACTICE / INFORMATION RISK MANAGEMENT: SANS 17799; MISS (Govt depts); COSO ERM; COBIT
KING II: GOOD GOVERNANCE
See our Information & Technology Compliance and Legal Risk Matrix.
Compliance crosses several disciplines, from HR to IT to Legal to risk management.
Compliance is a combination of policy, process and technology.
THANK YOU FOR YOUR TIME!!
Lance [email protected]
“IT Law with Insight”
www.michalsons.com
Copyright © Michalsons 2002-2009
The information contained in this presentation is subject to change without notice. Michalsons makes no warranty of any kind with regard to the material, including, but not limited to, the implied warranties of fitness for a particular purpose. Michalsons shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material. This document contains proprietary information that is protected by copyright. All rights are reserved. No part of this document may be photocopied, reproduced, or translated to another language without the prior written consent of Michalsons. This document is an unpublished work protected by the copyright laws and is proprietary to Michalsons. Disclosure, copying, reproduction, merger, translation, modification, enhancement, or use by any unauthorised person without the prior written consent of Michalsons is prohibited. Contact Lance Michalson at [email protected] for permission to copy.