4. South African ICT Regulatory Hype Cycle: compliance requirements develop at different rates
[Figure: hype cycle chart of Visibility against Maturity, with the phases Business Trigger, Peak of Inflated Expectations, Trough of Disillusionment, Slope of Enlightenment and Plateau of Productivity. Key (time to plateau): less than two years; two years to five years; five years to 10 years; more than 10 years; obsolete before plateau. Items plotted: Basel I (1988), Basel II (1999), Infosec / SANS 17799, ECT Act (2002), RM / SANS 15489, PROATIA (2000), Sarbanes-Oxley Act (2002), RIC (monitoring), PPI Bill (Privacy), SANS 15801, Critical Databases, Crypto Providers and ASPs, Convergence Bill (2005), King II (2002), EU Data Privacy Directive, FICA.]
5. Chapter V: Cryptography Providers
[Figure: structure of Chapter V, sections S29 to S32: Register of Cryptography Providers; Registration with the Department; Restrictions on disclosure of information; Application of Chapter, offences.]
Chapter V governs the use of cryptography products and services within the Republic. The Director General is tasked with maintaining a register of cryptography providers and their products and services. Registration is compulsory, and suppliers are prohibited from providing cryptography products and services in the Republic without complying with the provisions of this Act.
7. Chapter IX: Protection of Critical Databases
[Figure: structure of Chapter IX, sections S52 to S58: Scope of Critical Database Protection; Identification of critical data and databases; Registration of Critical Databases; Management of Critical Databases; Restrictions on disclosure of information; Right of Inspection; Non-compliance with Chapter.]
The aim is to facilitate the identification and registration of critical databases within the Republic. Critical databases are defined as databases containing information that, if compromised, could threaten the security of the Republic or the economic and social well-being of its citizens. The Act stipulates criteria for the identification, registration and management of critical databases, as well as controls to ensure that the integrity and confidentiality of data relating to and contained in these databases is maintained, such as the right to audit, restrictions on disclosure, and penalties for unauthorised or illegal disclosure of information contained in or about these databases. In November 2003 the Minister of Communications awarded a tender to a consortium of consultants to undertake an inventory of all major databases in South Africa.
21. Monitoring Matrix (RICA tells you what to do but not how to do it)
Matrix columns: implied consent and reasonable efforts demonstrated by; express / written consent demonstrated by; CEO is protected by.
Artefacts in the matrix:
- Monitoring Policy (Persons)
- Acceptance of Monitoring Policy
- CEO Delegation of Authority to MO
- FAQ
- Monitoring Consent (incl. waiver of right to privacy and covering ECT Act)
- Monitoring Policy & Guidelines for Technical Staff + Acceptance Doc
- Glossary of Terms
- Suggested clauses for HR contracts and promotions
- Pro-Forma Monitoring Request
- Log-on Notice
- Pro-Forma Interception Report to the Board
- Monitoring Policy Notice and Memo to Users
- Waiver & consent clause in Visitor's sign-in sheet
- Reminder e-mail from IT department
31. Policies:
- Information Security Policy
- E-mail Policy
- Privacy & Monitoring Policy
- Internet Usage Policy
- Personal Computer Security Policy
- Telecommuting Policy
- Employee Exit Policy
Drivers: Legal Compliance; Risk Management; Best Practice.
Information Classification Scheme linked to functions.