The Integration of Legal Aspects in
Information Security: Is Your Organisation
Up-to-Date??
Rabelani Dagada
Development Economist
Paper presented during Institute for International Research's Conference on Information
Technology Risk Management - 11 November 2010, IIR Conference Centre, Rosebank,
Johannesburg
AGENDA
• Introduction and background
• Motivation for the research
• Research methodology and sampling
• Findings of the study
• Contribution of the study
• Conclusion
Rabelani Dagada lectures ICT and Knowledge Management at the Wits Business School
INTRODUCTION & BACKGROUND
• Today most organisations use the Internet for information and business
related purposes.
• The Internet revolution is developing rapidly, driven by electronic commerce
(e-commerce).
• The use of the Internet for commercial purposes has brought with it a
number of challenges.
• These include information security risks, threats, and cyber crime.
• The government of South Africa has introduced several laws to deal with IT
related risks, threats, and cyber crime.
• One such law is the highly acclaimed Electronic Communications and
Transactions Act of 2002 (ECT Act, 2002).
MOTIVATION FOR THE RESEARCH
• The 2002 and 2004 website compliance surveys conducted by Buys
Attorneys found that most companies in SA were not complying with the
laws and regulations governing e-commerce.
• In 2002 most webmasters claimed that they were not even aware of the
compliance requirements.
• In 2004 this number had increased by 31%.
• Buys Attorneys claimed that failure to comply with the law led to an increase in
website crime.
• SA companies did not seem to realise that failure to comply with the
provisions of the law exposes their websites to huge risk and liability.
• Of the 1 550 websites surveyed by Buys Incorporated Attorneys in 2004,
the Telkom website was the only one to score a 100% compliance rate.
• It is on this premise that this study was conducted.
Source: Buys Incorporated Attorneys
RESEARCH METHODOLOGY & SAMPLING
• 22 organisations from various industrial sectors participated in this study.
• The banking sector dominated all other industrial sectors.
• Purposive sampling was employed because of the perceived value participants
would add.
• This study used generic qualitative data collection and analysis
techniques.
• The study satisfied the principle of triangulation by employing multiple data-
gathering methods and sources.
• Data gathering methods included interviews, observation, and policy
document analysis.
• Interviews were analysed using open coding.
• Data collected through document analysis was analysed by comparing it
with the SA legal framework for information security.
FINDINGS OF THE STUDY
FINDINGS OBTAINED THROUGH INTERVIEWS
• Boards of Directors are not involved in the formulation of information
security policies.
• Very few organisations in SA incorporate legislative requirements into their
information security policies.
• Government has not yet implemented some legal provisions to fight cyber
crime; e.g.
- the appointment of Cyber Inspectors, as required by the ECT Act of 2002, is
not yet implemented; and
- the registration of buyers and owners of cell phone SIM cards, as
required by the Regulation of Interception of Communications and Provision
of Communication-related Information Act of 2002, only came into effect on
1 July 2009.
• The provisions of the ECT Act that deal with unsolicited communications
contain a serious loophole.
FINDINGS OBTAINED THROUGH DOCUMENT
COLLECTION AND ANALYSIS
• Policies related to hacking include Information Security Policies and the
Interception & Surveillance Policy. Relevant legislation includes the Promotion
of Access to Information Act, the ECT Act, and the Interception Act.
• Policies related to intellectual property, copyright, and trademarks
include the Intellectual Property Policy and the Data Privacy Policy.
• The majority of organisations that participated in this study did not have
policies that address intellectual property, copyright and trademarks.
• None of the organisations that participated in this study had a separate
policy on patents.
• Most companies in SA perceive the Patents Act of 1978 to be ineffective.
• Some of the laws pertaining to information security are very old.
• They were introduced before the Internet was used for commercial
purposes.
FINDINGS OBTAINED THROUGH OBSERVATION
ASPECT OBSERVED                                                                   NUMBER
Websites with legal notices at all                                                    17
Websites with terms and conditions available as hyperlinks                             7
Websites with liability disclaimers available as hyperlinks                           11
Websites with legal notices that address the provisions of Chapter 3, Part II
and Chapter 7 of the ECT Act                                                           5
Websites that position and implement legal notices correctly                           2
Website legal notices that are printable or saveable as required by
section 11(3) of the ECT Act                                                           2
Organisations that have policies that address website legal compliance                 5
Table 1: Number of organisations (out of 22 participating) that are compliant with the
legislation governing websites and e-commerce.
CONTRIBUTION OF THE STUDY
CONCEPT MODEL OF LEGAL COMPLIANCE
• This study suggests a Model whereby legal requirements are incorporated
into information security endeavours.
• The Model was necessitated by the main findings of the study, which reveal
that both the government and corporate SA were not implementing some of
the information security legal provisions.
• The Model may be very useful to policy formulators, directors of boards,
ICT executives, and information security practitioners.
• According to the King III Report, IT strategic planning, risk management,
and information security are the primary responsibility of the Board of
Directors.
[Figure 1 is a flow diagram; its boxes, in reading order, are:]
• Make an ICT strategic pronouncement. This would include information
security within the corporate governance framework.
• Identify relevant information security legislation, standards and related
governance compliance duties.
• Integrate legislation and compliance duties into ICT and Information
Security policies.
• Allocate duties to business units and to individual positions.
• Audit compliance and identify gaps; attend to gaps and monitor compliance.
• Each employee signs the consent form; new employees sign it as part of
the employment contract.
• Approve the policies and the delegation of duties; give the go-ahead for
implementation.
• All employees receive education and training on Information Security
policies.
[Actors shown on the diagram: Board of Directors; Board's risk management
sub-committee; ICT Steering Committee; ICT Department; whole organisation.]
Figure 1: A concept of legal compliance for Information Security policy formulation,
implementation and multitasking
CONCLUSION
• There are more than ten laws that deal with information security in SA.
• Most information security provisions contained in these laws are not yet
implemented.
• There is also a deliberate disregard of information security legal provisions
by some companies and government entities.
• This study found that most IT and information security practitioners were not
familiar with the information security legal requirements.
• It is perhaps on this premise that most organisations do not comply with the
legal requirements.
• In some instances the attitude of the SA government towards its own laws
has been lukewarm.
• The proposed Model will help in mitigating information security challenges.
• The overall intention of the Model is to prioritise information security, elevate
profit and ultimately address corporate security lapses.

Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 

The integration of legal aspects in Information Security: Is your organisation up-to-date?

RESEARCH METHODOLOGY & SAMPLING
• 22 organisations from various industrial sectors participated in this study.
• The banking sector dominated all other industrial sectors.
• Purposive sampling was employed because of the perceived value participants would add.
• This study used generic techniques for qualitative data collection and analysis.
• The study satisfied the principle of triangulation by employing multiple data-gathering methods and sources.
• Data-gathering methods included interviews, observation, and policy document analysis.
• Interviews were analysed using open coding.
• Data collected through document analysis was analysed by comparing it with the SA legal framework for information security.

FINDINGS OBTAINED THROUGH INTERVIEWS
• Boards of Directors are not involved in the formulation of information security policies.
• Very few organisations in SA incorporate legislative requirements in their information security policies.
• Government has not yet implemented some legal provisions to fight cyber crime; e.g.
  - the appointment of Cyber Inspectors as required by the ECT Act of 2002 has not yet been implemented; and
  - the registration of buyers and owners of cell phone SIM cards as required by the Regulation of Interception of Communications and Provision of Communication-related Information Act of 2002 only came into effect on 1 July 2009.
• The provisions of the ECT Act that deal with unsolicited communications have a serious loophole.

FINDINGS OBTAINED THROUGH DOCUMENT COLLECTION AND ANALYSIS
• Policies related to hacking include Information Security Policies and the Interception & Surveillance Policy. The relevant legislation is the Promotion of Access to Information Act, the ECT Act, and the Interception Act.
• Policies related to intellectual property, copyright, and trademarks include the Intellectual Property Policy and the Data Privacy Policy.
• The majority of organisations that participated in this study did not have policies that address intellectual property, copyright and trademarks.
• None of the organisations that participated in this study had a separate policy on patents.
• Most companies in SA perceive the Patents Act of 1978 to be ineffective.
• Some of the laws pertaining to information security are very old.
• They were introduced before the Internet was used for commercial purposes.

FINDINGS OBTAINED THROUGH OBSERVATION

ASPECT OBSERVED                                                                                        NUMBER
Websites with legal notices at all                                                                         17
Websites with terms and conditions available as hyperlinks                                                  7
Websites with liability disclaimers available as hyperlinks                                                11
Websites with legal notices that address the provisions of Chapter 3, Part II and Chapter 7 of the ECT Act  5
Websites that position and implement legal notices correctly                                                2
Website legal notices that are printable or saveable as required by section 11(3) of the ECT Act            2
Organisations that have policies that address website legal compliance                                      5

Table 1: Number of organisations that are compliant with the legislation governing websites and e-commerce.

CONCEPT MODEL OF LEGAL COMPLIANCE
• This study suggests a Model whereby legal requirements are incorporated into information security endeavours.
• The Model was necessitated by the main findings of the study, which reveal that both the government and corporate SA were not implementing some of the information security legal provisions.
• The Model may be very useful to policy formulators, directors of boards, ICT executives, and information security practitioners.
• According to the King III Report, IT strategic planning, risk management, and information security are the primary responsibility of the Board of Directors.

Figure 1: A concept of legal compliance for information security policy formulation, implementation and multitasking (flowchart; image not reproduced). Steps shown in the figure:
• Make an ICT strategic pronouncement. This would include information security within the corporate governance framework.
• Identify relevant information security legislation, standards and related governance compliance duties.
• Integrate legislation and compliance duties into ICT and information security.
• Approve the policies and the delegation of duties. Give the go-ahead for implementation.
• Allocate duties to business units and to individual positions.
• Each employee signs the consent form; new employees sign it as part of the employment contract.
• All employees receive education and training on information security policies.
• Audit compliance and identify gaps; attend to gaps and monitor compliance.
Actors shown in the figure: Board of Directors; Board's sub-committee on risk management; ICT Steering Committee; ICT Department; whole organisation.

CONCLUSION
• There are more than ten laws that deal with information security in SA.
• Most information security provisions contained in these laws are not yet implemented.
• There is also a deliberate disregard of information security legal provisions by some companies and government entities.
• This study found that most IT and information security practitioners were not familiar with the information security legal requirements.
• It is perhaps on this premise that most organisations do not comply with the legal requirements.
• In some instances the attitude of the SA government towards its own laws has been lukewarm.
• The proposed Model will help in mitigating information security challenges.
• The overall intention of the Model is to prioritise information security, elevate profit and ultimately address corporate security lapses.