Infosec Law (Feb 2006)

IT LAW EXPERTS. Copyright © Michalsons Online 2007-2009. All rights reserved.
Information Technology Attorneys: Law relating to Information Security

Uploaded by lance-michalson, 29 Nov 2014

Page 1: Infosec Law (Feb 2006)


Information Technology Attorneys

Law relating to Information Security

Page 2: Infosec Law (Feb 2006)

Outline
• Meaning of security in SA legal context
• Helicopter legislative overview
• Focus on select issues
  – Crypto
  – Critical databases
  – Privacy
  – Monitoring
  – King II
• Take home messages

Page 3: Infosec Law (Feb 2006)

Meaning of “Security” in the SA Context

(Diagram: sources of law arranged under three headings: National Security, Info Security, and Privacy & Security (CIA).)

• ECT Act, 2002
  – Crypto
  – Critical databases
• The State Information Technology Agency Act, 1998
• The Electronic Communications Security (Pty) Limited Act (COMSEC)
• Intelligence Services Control Amendment Act, 2002
• SANS 17799
• King 2 Infosec BPG
• Monitoring Act
• PPI Bill, 2005 (SA Law Commission)

Page 4: Infosec Law (Feb 2006)

Compliance requirements develop at different rates

(Figure: “South African ICT Regulatory Hype Cycle”. A hype-cycle curve of Visibility against Maturity with the phases Business Trigger, Peak of Inflated Expectations, Trough of Disillusionment, Slope of Enlightenment and Plateau of Productivity. Key, time to plateau: less than two years; two years to five years; five years to 10 years; more than 10 years; obsolete before plateau.)

Items plotted on the curve:
• Basel I (1988)
• Infosec / SANS 17799
• ECT Act (2002)
• Basel II (1999)
• RM / SANS 15489
• PROATIA (2000)
• Sarbanes-Oxley Act (2002)
• RIC (monitoring)
• PPI Bill (Privacy)
• SANS 15801
• Critical Databases, Crypto Providers and ASPs
• Convergence Bill (2005)
• King II (2002)
• EU Data privacy Directive
• FICA

Page 5: Infosec Law (Feb 2006)

Chapter V: Cryptography Providers

(Diagram: section headings of Chapter V, with ss 29 to 32 shown: Application of Chapter; Register of Cryptography Providers; Registration with the Department; Restrictions on disclosure of information; Offences.)

Chapter V governs the use of cryptography products and services used within the Republic. The Director General is tasked with maintaining a register of cryptography providers and their products and services. Registration is compulsory and suppliers are prohibited from providing cryptography products and services in the Republic without complying with the provisions of this Act.

Page 6: Infosec Law (Feb 2006)

Cons
• Definitions too wide
• Who has to register?
• Who is a cryptography provider?
• What is a cryptography service?
  – Key Management service
  – Enrolment and verification service
  – Infosec Consulting service?
  – Date and time-stamping service
• What is a cryptography product?
• When is it provided in the Republic?

Page 7: Infosec Law (Feb 2006)

Chapter IX: Protection of Critical Databases

(Diagram: section headings of Chapter IX, with ss 52 to 58 shown: Scope of Critical Database Protection; Identification of critical data and databases; Registration of Critical Databases; Management of Critical Databases; Restrictions on disclosure of Information; Right of Inspection; Non-Compliance with Chapter.)

The aim is to facilitate the identification and registration of critical databases within the Republic. Critical databases are defined as databases that contain information that, if compromised, could threaten the security of the Republic or the economic and social well-being of its citizens. The Act stipulates criteria for the identification, registration and management of critical databases, as well as controls to ensure that the integrity and confidentiality of data relating to and contained in these databases is maintained, such as the right to audit and restrictions and penalties resulting from unauthorised or illegal disclosure of information contained in or about these databases. In November 2003 the Minister of Communications awarded a tender to a consortium of consultants to undertake an inventory of all major databases in South Africa.

Page 8: Infosec Law (Feb 2006)

Management of Critical Databases

55 Management of critical databases

1. The Minister may prescribe minimum standards or prohibitions in respect of-
  a) the general management of critical databases;
  b) access to, transfer and control of critical databases;
  c) infrastructural or procedural rules and requirements for securing the integrity and authenticity of critical data;
  d) procedures and technological methods to be used in the storage or archiving of critical databases;
  e) disaster recovery plans in the event of loss of critical databases or parts thereof; and
  f) any other matter required for the adequate protection, management and control of critical databases.

Page 9: Infosec Law (Feb 2006)


Privacy

Page 10: Infosec Law (Feb 2006)

State of SA privacy regulation

• Privacy regulation in its infancy
• Protection of Personal Information (PPI) Bill and Discussion Paper released in October 2005 by South African Law Reform Commission
• Comments due 28 February 2006
• Based on 8 principles:

Page 11: Infosec Law (Feb 2006)


Page 12: Infosec Law (Feb 2006)


Principle 6 – Security Safeguards: Key Aspects

• Measures to ensure integrity of personal information

• Security measures regarding PI by processor

• Notification of security compromises

Page 13: Infosec Law (Feb 2006)


Monitoring

Page 14: Infosec Law (Feb 2006)

Monitoring
• 30 September 2005
• Monitoring lawful unless exception

Page 15: Infosec Law (Feb 2006)

Exceptions

(Diagram: the three RICA exceptions, ss 4(1), 5(1) and 6.)

• s4(1): Participant(s) intercept themselves. Can intercept if party to communication.
• s5(1): 3rd party (e.g. Co X) intercepts with written consent of one of parties. Can only intercept with written consent.
  – CEO not involved
  – No fine
• s6: 3rd party (e.g. Co X) intercepts in ordinary course of business. Business purpose exception.
  – CEO involved
  – Fine: 2 yrs R10m

Page 16: Infosec Law (Feb 2006)

Monitoring
• Electronic and paper communications
• Live versus stored data

Page 17: Infosec Law (Feb 2006)

Section 86(1) of ECT Act
• Person who intentionally accesses and intercepts data without authority or permission to do so is guilty of offence – S89(1) fine or jail not exceeding 1 year
• This provision is made subject to RICA
• Section 88: any person who aids and abets someone to commit any offence would be guilty of an offence.
• May thus breach both RICA and ECT Acts

Page 18: Infosec Law (Feb 2006)

Monitoring
• Consent is at the heart of it
• Consent from user perspective
  – Express v implied
  – Written consent
• Consent from CEO perspective
  – Is per interception consent necessary?
  – Will a blanket consent suffice?

Page 19: Infosec Law (Feb 2006)

Monitoring
• “health purposes”
  – Continuous monitoring
  – System security and maintenance
  – Automatic monitoring
• “forensic purposes”
  – Once-off, occasional, covert
  – Investigate allegations of fraud, corruption, breach of a policy
  – Manual monitoring

Page 20: Infosec Law (Feb 2006)

Monitoring

Forensic Reasons
• Allegations of fraud
• Allegations of criminal activity against or attributable to ARC
• Allegations of corruption
• Allegations of breach of a policy
• To counteract criminal or fraudulent activities
• To respond to legal proceedings that call for electronic or paper evidence
• Where the involved individual is unavailable and timing is critical for business activity
• Where monitoring is required by a law enforcement agency

Health Reasons
• Security Incident response
• Help desk responses to calls logged
• Firewall software
• Content monitoring systems
• Message login systems
• Telephone management system

Page 21: Infosec Law (Feb 2006)

Monitoring Matrix (RICA tells you what to do but not how to do it)

(Table with three column headings: “Implied consent and reasonable efforts demonstrated by”; “Express / Written consent demonstrated by”; “CEO is protected by”.)

Documents listed in the matrix:
• Monitoring Policy (Persons)
• Acceptance of Monitoring Policy
• CEO Delegation of Authority to MO
• FAQ Monitoring Consent (incl. waiver of right to privacy and covering ECT Act)
• Monitoring Policy & Guidelines for Technical Staff + Acceptance Doc
• Glossary of Terms
• Suggested clauses for HR contracts and promotions
• Pro-Forma Monitoring Request
• Log-on Notice
• Pro-Forma Interception Report to the Board
• Monitoring Policy Notice and Memo to Users
• Waiver & consent clause in Visitor’s sign-in sheet
• Reminder e-mail from IT department

Page 22: Infosec Law (Feb 2006)


King II and Infosec

King Report on Corporate Governance for South Africa 2002

Page 23: Infosec Law (Feb 2006)

Quotes from the Code

“The board should have unrestricted access to all company information, records, documents and property. The information needs of the company should be well defined and regularly monitored” (2.1.7)

Page 24: Infosec Law (Feb 2006)

Quotes from the Code

“The board is responsible for the total process of risk management…” (3.1.1) and “should make use of…control models and frameworks…with respect to … “safeguarding the company’s assets (including information)” (3.1.4)

Page 25: Infosec Law (Feb 2006)

Quotes from the Code

“The board is responsible for ensuring that a[n]…assessment of…key risks is undertaken…[which] should address the company’s exposure to… technology risks…business continuity and disaster recovery…” (3.1.5)

Page 26: Infosec Law (Feb 2006)


Page 27: Infosec Law (Feb 2006)

King II Infosec BPG
1. What is information security?
2. Key considerations when making information security decisions?
3. Characteristics of a sound information security agenda?
4. An effective information security strategy
5. Devising a successful approach to information security
6. What directors can do

Page 28: Infosec Law (Feb 2006)

Take home messages
• Identify your compliance criteria
• Identify your information holdings
  – Sensitivity
  – Personal information
  – Records
• Prepare a file plan / information taxonomy

Page 29: Infosec Law (Feb 2006)


Page 30: Infosec Law (Feb 2006)

Information Security Policy

(Diagram: Legal Compliance, Risk Management, Best Practice.)

• Often drafted by IT Audit / HR / IT
  – HR often doesn’t understand the tech issues
  – IT Audit often doesn’t understand the legal issues and is too technical
• Need to address different audiences
• Often “knipped” and “plukked” (cut and pasted) from internet
• No clear understanding as to content and labeling (e.g. ECP)
• Myth around 17799 “compliance”

Page 31: Infosec Law (Feb 2006)

Information Security Policy

(Diagram: the Information Security Policy and its sub-policies, shown alongside the labels Legal Compliance, Risk Management, Best Practice, and Information Classification Scheme linked to functions.)

• E-mail Policy
• Privacy & Monitoring Policy
• Internet Usage Policy
• Personal Computer Security Policy
• Telecommuting Policy
• Employee Exit Policy

Page 32: Infosec Law (Feb 2006)

Take home messages
• Proper implementation of policies
  – Principle of South African law that if an employer wants to discipline an employee on grounds that he/she has broken one of the rules set forth in a policy, then the employer must establish 3 things:
    • (i) that there was a rule
    • (ii) that the rule was reasonable and
    • (iii) that the rule had been brought to the attention of the employee.

Page 33: Infosec Law (Feb 2006)

Conclusion…
• “Many businesses recognise that information security is a key technical and business issue, but it is important to recognise that it is also a legal issue” – Lorijean G. Oei, “Online Law: The Legal Role of Information Security”
• Do not consult us after the fact
• Legal advice must be “integrated into” solutions, not “bolted onto” them

Page 34: Infosec Law (Feb 2006)


THANK YOU FOR YOUR TIME!!

–Lance Michalson

[email protected]

–“IT Law with Insight”

–www.michalsons.com

–Copyright © Michalsons 2002-2009

–The information contained in this presentation is subject to change without notice. Michalsons makes no warranty of any kind with regard to the material, including, but not limited to, the implied warranties of fitness for a particular purpose. Michalsons shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material. This document contains proprietary information that is protected by copyright. All rights are reserved. No part of this document may be photocopied, reproduced, or translated to another language without the prior written consent of Michalsons. This document is an unpublished work protected by the copyright laws and is proprietary to Michalsons. Disclosure, copying, reproduction, merger, translation, modification, enhancement, or use by any unauthorised person without the prior written consent of Michalsons is prohibited. Contact Lance Michalson at [email protected] for permission to copy.