The Integration of Legal Aspects in Information Security: Is Your Organisation Up-to-Date?? Rabelani Dagada Development Economist Paper presented during.


The Integration of Legal Aspects in Information Security: Is Your Organisation Up-to-Date?? Rabelani Dagada Development Economist Paper presented during Institute for International Research's Conference on Information Technology Risk Management - 11 November 2010, IIR Conference Centre, Rosebank, Johannesburg

AGENDA
Introduction and background
Motivation for the research
Research methodology and findings
Findings of the study
Contribution of the study
Conclusion
Rabelani Dagada lectures ICT and Knowledge Management at the Wits Business School

INTRODUCTION & BACKGROUND Today most organisations use the Internet for information and business-related purposes. The Internet revolution is developing rapidly, driven by electronic commerce (e-commerce). The use of the Internet for commercial purposes has brought with it a number of challenges. These include information security risks, threats, and cyber crime. The government of South Africa has introduced several laws to deal with IT-related risks, threats, and cyber crime. One such law is the highly acclaimed Electronic Communications and Transactions Act of 2002 (ECT Act, 2002).

MOTIVATION FOR THE RESEARCH The 2002 and 2004 website compliance surveys conducted by Buys Attorneys found that most companies in SA were not complying with the laws and regulations governing e-commerce. In 2002 most webmasters claimed that they were not even aware of the compliance requirements. In 2004 this number increased by 31%. Buys Attorneys claimed that failure to comply with the law led to an increase in website crime. SA companies did not seem to realise that failure to comply with the provisions of the law exposes their websites to huge risk and liability. Of the websites surveyed by Buys Incorporated Attorneys in 2004, the Telkom website was the only one to score a 100% compliance rate. It is on this premise that this study was conducted. Source: Buys Incorporated Attorneys

RESEARCH METHODOLOGY & SAMPLING 22 organisations from various industrial sectors participated in this study. The banking sector dominated all other industrial sectors. Purposive sampling was employed due to the perceived value participants would add. This study used generic techniques for qualitative data collection and analysis. The study satisfied the principle of triangulation by employing multiple data-gathering methods and sources. Data-gathering methods included interviews, observation, and policy document analysis. Interviews were analysed using open coding. Data collected through document analysis was analysed by comparing it with the SA legal framework for information security.

FINDINGS OF THE STUDY

FINDINGS OBTAINED THROUGH INTERVIEWS The Board of Directors is not involved in the formulation of information security policies. Very few organisations in SA incorporate legislative requirements into their information security policies. Government has not yet implemented some legal provisions to fight cyber crime; e.g.
- the appointment of Cyber Inspectors as required by the ECT Act of 2002 is not yet implemented; and
- the registration of buyers and owners of cell phone SIM cards as required by the Regulation of Interception of Communications and Provision of Communication-related Information Act of 2002 only came into effect on 1 July
The legal provision in the ECT Act that deals with unsolicited communication has a serious loophole.

FINDINGS OBTAINED THROUGH DOCUMENT COLLECTION AND ANALYSIS Policies related to hacking include Information Security Policies and the Interception & Surveillance Policy. Relevant legislation comprises the Promotion of Access to Information Act, the ECT Act, and the Interception Act. Policies related to intellectual property, copyright, and trademarks include the Intellectual Property Policy and the Data Privacy Policy. The majority of organisations that participated in this study did not have policies that address intellectual property, copyright and trademarks. None of the organisations that participated in this study had a separate policy on patents. Most companies in SA perceive the Patents Act of 1978 to be ineffective. Some of the laws pertaining to information security are very old. They were introduced before the Internet was used for commercial purposes.

FINDINGS OBTAINED THROUGH OBSERVATION
Table 1: Number of organizations that are compliant with the legislation governing websites and e-commerce.
Aspect observed | Number
Websites with legal notices at all | 17
Websites with terms and conditions available as hyperlinks | 7
Websites with liability disclaimers available as hyperlinks | 11
Websites with legal notices that address the provisions of Chapter 3, Part II and Chapter 7 of the ECT Act | 5
Websites that position and implement legal notices correctly | 2
Website legal notices that are printable or saveable as required by section 11(3) of the ECT Act | 2
Organizations that have policies that address website legal compliance | 5

CONTRIBUTION OF THE STUDY

CONCEPT MODEL OF LEGAL COMPLIANCE This study suggests a Model whereby legal requirements are incorporated into information security endeavours. The Model was necessitated by the main findings of the study, which reveal that both the government and corporate SA were not implementing some of the information security legal provisions. The Model may be very useful to policy formulators, board directors, ICT executives, and information security practitioners. According to the King III Report, IT strategic planning, risk management, and information security are the primary responsibility of the Board of Directors.

Figure 1: A concept of legal compliance for information security policies formulation, implementation and multitasking (diagram showing the Board of Directors, the board's risk management sub-committee, the ICT steering committee, the ICT department and the whole organisation)

CONCLUSION There are more than ten laws that deal with information security in SA. Most information security provisions contained in these laws are not yet implemented. There is also a deliberate disregard of information security legal provisions by some companies and government entities. This study found that most IT and information security practitioners were not familiar with the information security legal requirements. It is perhaps on this premise that most organisations do not comply with the legal requirements. In some instances the attitude of the SA government towards its own laws has been lukewarm. The proposed Model will help in mitigating information security challenges. The overall intention of the Model is to prioritise information security, elevate profit and ultimately address corporate security lapses.