1. Compliance 23 September 2004

2. Nature of the Beast

3. ECT Act King II SOX BS 17799 FAIS FICA PROATIA Privacy

4. Everyone is trying to get a grip on Compliance

5. “ The King II report on corporate governance and the ECT Act are encouraging adherence to high security standards” 6 September 2004: http://www.itweb.co.za/sections/features/ictsecurity/feature040906-2.asp “ Race for compliance … the race to comply with increasingly specific ICT security legislation holding company executives personally responsible involves… “ 6 September 2004: http://www.itweb.co.za/sections/features/ictsecurity/feature040906-8.asp Security or records management products are “King II Compliant” Security or records management products are “SOX Compliant” “ New player helps with ECT Act compliance” 30 April 2004 http://www.itweb.co.za/sections/business/2004/0404301131.asp?A=CNT&S=Content%20Management%20&O=F X “ improves Corporate Governance with new Enterprise Portfolio Management Software”

10. The Unknown As we know, There are known knowns . There are things we know we know. We also know There are known unknowns . That is to say We know there are some things We do not know. But there are also unknown unknowns , The ones we don't know We don't know. -12 Feb 2002, Department of Defense news briefing http://slate.msn.com/id/2081042/ The Poetry of D.H. Rumsfeld Recent works by the Secretary of Defense

11. Compliance Best Practice Risk Management Compliance v Best Practice v Risk Management

12. Compliance Best Practice Risk Management Examples of Current Issues Aspects of ECT Act Monitoring SANS 17799 (ISP) SANS 15489 (RM) BIP 0008 (Evidence) E-mail “disclaimers”

13. Compliance Cocktail (Information Security & Information Management) ACTS OF PARLIAMENT ECT ACT FICA, FAIS PROATIA, 2002 Monitoring Act COMMON LAW BEST PRACTICE INFORMATION RISK MANAGEMENT Contract Delict (Negligence) SANS 15489 RM SANS 17799 – Infosec BSI BIP 0008 – Integrity MISS (Govt depts) SEE OUR INFORMATION RISK MATRIX KING II GOOD GOVERNANCE Law / Legal Issues

14. Compliance Cocktail (Information Security & Information Management) ACTS OF PARLIAMENT ECT ACT FICA, FAIS PROATIA, 2002 Monitoring Act COMMON LAW BEST PRACTICE INFORMATION RISK MANAGEMENT Contract Delict (Negligence) SANS 15489 RM SANS 17799 – Infosec BSI BIP 0008 – Integrity MISS (Govt depts) SEE OUR INFORMATION RISK MATRIX KING II GOOD GOVERNANCE Law / Legal Issues

15. Compliance Cocktail (Information Security & Information Management) ACTS OF PARLIAMENT EASY COMMON LAW BEST PRACTICE INFORMATION RISK MANAGEMENT NOT SO EASY VOLUNTARY VOLUNTARY KING II GOOD GOVERNANCE

16. Common law - Contract

20. Common law – delict

24. Reputational Damage Loss of Revenue

25. “ It takes twenty years to build a reputation and five minutes to lose it.” Warren Buffet Chairman, Berkshire Hathaway

27. Removable Flash Disc Drive

28. Human Firewalls Technical Firewalls

29. Policies Telecommuting Policy E-mail & Internet Use Policies Monitoring Policy Record Classification Policy Record Ownership Policy Record Destruction & Hold Policy Legal Compliance Risk Management Best Practice Information Classification Scheme linked to functions

30. Debunking Compliance

32. US v SA (Laws) US SA Gramm-Leach-Bliley Act Nothing Health Insurance Portability and Accountability Act Nothing Sarbanes-Oxley Act King II (?) (no sec) Federal Information Security Management Act Nothing / MISS Freedom of Information Act PROATIA (no sec) Electronic Communications Privacy Act Monitoring Act (no sec)

34. US v SA (Regulations) US Law Regulation Health Insurance Portability and Accountability Act Standards for Electronic Transactions Standards for Privacy of Individually Identifiable Health Information Security Standards SA Law Regulation ECT Act Crypto ASPs Critical Databases

35. US v SA (Standards) US SA ISO/IEC 17799 SANS 17799 ISO/IEC 13335 - Control Objectives for Information and Related Technology (CobiT) CobiT Generally Accepted Information Security Principles (GAISP) - American National Standards Institute (ANSI) standards - National Institute of Standards and Technology (NIST -

37. The Electronic Communications and Transactions Act 2002 “ ECT ACT Compliance”

39. Structure of the Act Chapter Title e-Comm e-Trans e-Data e-Infra Chapter 1 Interpretation, Objects and Application Chapter 2 Maximising Benefits and Policy Framework Chapter 3 Facilitating Electronic Transactions Chapter 4 e-Government Services Chapter 5 Cryptography Providers Chapter 6 Authentication Service Providers Chapter 7 Consumer Protection Chapter 8 Protection of Personal Information Chapter 9 Protection of Critical Databases Chapter 10 Domain Name Authority & administration Chapter 11 Limitation of Liability of Service Providers Chapter 12 Cyber Inspectors Chapter 13 Cyber Crime Chapter 14 General

46. “ All companies in the King II era need to acknowledge the clear link between successful Infosec programs and business success as a whole” ? ?

48. THANK YOU FOR YOUR TIME!! Copyright © Michalsons Online The information contained in this presentation is subject to change without notice. Michalsons Online makes no warranty of any kind with regard to the material, including, but not limited to, the implied warranties of fitness for a particular purpose. Michalsons Online shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material. This document contains proprietary information that is protected by copyright. All rights are reserved. No part of this document may be photocopied, reproduced, or translated to another language without the prior written consent of Michalsons Online This document is an unpublished work protected by the copyright laws and is proprietary to Michalsons Online. Disclosure, copying, reproduction, merger, translation, modification, enhancement, or use by any unauthorised person without the prior written consent of Michalsons Online is prohibited. Contact Michalsons Online for permission to copy: info@michalsons.com. Lance Michalson 0860 111 245 [email_address]