1. Information Technology Attorneys
Snapshot of Current State of ICT Regulatory Compliance in South Africa
Lance Michalson
Gartner Symposium ITXPO 2005, 01 August 2005, Cape Town, South Africa
3. Compliance v Best Practice v Risk Management
(Diagram with labels: Compliance; Best Practice; Risk Management; Technology Risk; Tech Legal Risk; scale from Narrow to Wide.)
4. Example Compliance Issues
Issue | Offence
- Crypto supplier not registered with DOC | Offence (fine or imprisonment not exceeding 2 years)
- No corporate info on e-mail | Offence in terms of Companies Act s50.1.c read with s50.4; s171.1 read with s441.1.m; s50.1.c read with s441.1.k
- No express or implied consent to monitoring of paper and electronic communications | Fine not exceeding R2m or imprisonment not exceeding 10 years; inadmissible evidence
5. Example Tech Legal Risk Issues
Issue | Risk
- No software development agreement in place | Company does not own the software
- Various factors might influence the admissibility and evidential weight of electronic documents | Inadmissibility of evidence; compromised chances of success in litigation (with possible reputational damage and monetary loss: damages, legal costs etc.)
- No e-mail footer (signature / disclaimer) | Vicarious liability (e.g. for defamation)
8. South African ICT Regulatory Hype Cycle
(Diagram: Gartner hype cycle with Visibility on the vertical axis and Maturity on the horizontal axis; phases in order: Business Trigger, Peak of Inflated Expectations, Trough of Disillusionment, Slope of Enlightenment, Plateau of Productivity.)
10. South African ICT Regulatory Hype Cycle: compliance requirements develop at different rates
(Diagram: the same hype cycle, Visibility against Maturity, with phases Business Trigger, Peak of Inflated Expectations, Trough of Disillusionment, Slope of Enlightenment and Plateau of Productivity, and the following compliance requirements plotted on it.)
Requirements plotted: Infosec / SANS 17799; ECT Act (2002); Basel II (1999); RM / SANS 15489; PROATIA (2000); Sarbanes-Oxley Act (2002); RIC (monitoring); Data Privacy; SANS 15801; Critical Databases, Crypto Providers and ASPs; Convergence Bill (2005); King II (2002); EU Data Privacy Directive; FICA
Key (time to plateau): less than two years; two years to five years; five years to 10 years
Acronym key: ASPs = Authentication Service Providers; RIC = Regulation of Interception of Communications etc. Act 70 of 2002
11. Life Cycle of an Act of Parliament
Stages: Issue Paper; Discussion Paper; Green Paper; White Paper (or Fast Track to Bill); Bill; Parliamentary Portfolio Committee Hearings; Act before National Council of Provinces; Act before National Assembly; Signed by President and Gazetted; Regulations, Notices
Periods marked along the stages: DRAFTING PERIOD; INFLUENCE PERIOD; PREPARE TO COMPLY
Other labels on the diagram: IP; PC; Cabinet
Source: Department of Justice and Constitutional Development, http://www.doj.gov.za/2004dojsite/legislation/legprocess.htm
Last updated: 01 August 2005
12. Where Key Pieces of Legislation Fit In
(Diagram: the life-cycle stages of slide 11, Issue Paper; Discussion Paper; Green Paper; White Paper or Fast Track to Bill; Bill; Parliamentary Portfolio Committee Hearings; Act before National Council of Provinces; Act before National Assembly; Signed by President and Gazetted; Regulations, Notices; with Cabinet, DRAFTING PERIOD, INFLUENCE PERIOD and PREPARE TO COMPLY marked, and the following legislation placed on it.)
Legislation placed: Data Privacy; Convergence Bill; RIC (not yet promulgated); ECT Act Critical Database Regs; ECT Act Crypto, ASP and Domain Name Regs
Key (status of regulations): IP; PC; Regs not published for comment; Regs published for comment, not yet promulgated
Last updated: 01 August 2005
13. Optimum Points of Engagement
Timeline markers: June 2005; August 2005; December 2005; January 2006
Engagement points: Convergence Bill; Data Privacy Discussion Paper / Green Paper; Critical Database Regulations comments and Crypto Provider enactment (ECT Act); possible Gazetting of Monitoring Act (anytime)
17. Chapter IX: Protection of Critical Databases
Sections of Chapter IX: S52 Scope of Critical Database Protection; S53 Identification of critical data and databases; S54 Registration of Critical Databases; S55 Management of Critical Databases; S56 Restrictions on disclosure of Information; S57 Right of Inspection; S58 Non-compliance with Chapter
Aim is to facilitate the identification and registration of critical databases within the Republic. Critical databases are defined as databases that contain information that, if compromised, could threaten the security of the Republic or the economic and social well-being of its citizens. The Act stipulates criteria for the identification, registration and management of critical databases, as well as controls to ensure that the integrity and confidentiality of data relating to and contained in these databases is maintained, such as the right to audit and restrictions and penalties for unauthorised or illegal disclosure of information contained in or about these databases. In November 2003 the Minister of Communications awarded a tender to a consortium of consultants to undertake an inventory of all major databases in South Africa.
26. Monitoring Matrix
Matrix columns: Implied consent and reasonable efforts demonstrated by; Written consent demonstrated by; CEO is protected by
Artefacts in the matrix: Monitoring Policy; Acceptance of Monitoring Policy; CEO Delegation to IT department; FAQ; Pro-Forma Interception Request; Glossary of Terms; Pro-Forma Interception Report to the Board; Log-on Notice; Notice to Users; Reminder e-mail from IT department
28. Compliance & Risk Cocktail
ACTS OF PARLIAMENT: ECT Act; PROATIA, 2002; Monitoring Act
COMMON LAW: Contract; Delict (Negligence – duty to take reasonable steps)
BEST PRACTICE / INFORMATION RISK MANAGEMENT: SANS 17799; MISS (Govt depts); COSO ERM; COBIT
KING II / GOOD GOVERNANCE
SEE OUR INFORMATION & TECHNOLOGY COMPLIANCE AND LEGAL RISK MATRIX
Compliance crosses several disciplines, from HR to IT to Legal to risk management.
Compliance is a combination of policy, process and technology.