In this month’s column, Gary Middleton examines the impact of existing and upcoming legislation on an organisation’s information security strategy.
Every day, companies face the challenge of securing their information environment both from internal and external threats. In recent years, as the value and vulnerability of digital assets has increased, the compromise of these assets has led to large revenue losses and tarnished company reputations.
Gary Middleton, general manager: Security Solutions at Dimension Data
Terms such as regulatory compliance, privacy and legislation have received much attention in the IT industry in recent years. Globally, information security spending is being driven by compliance requirements brought on by regulatory acts such as Sarbanes-Oxley and HIPAA. The local industry has, however, been somewhat slow to implement and enforce laws that impact the information security landscape.
South African organisations have to take into account, amongst others, the ECT Act, RICA (Regulation of Interception of Communications and Provision of Communication Related Information Act) and King II - some of which have been passed as legislation; others providing guidelines for good corporate practice.
Without guidance, the issue of regulatory compliance can be a minefield strewn with legal jargon and uncertainty. Many organisations still have unanswered questions: What laws should my business comply with? What draft bills should I pay attention to that might impact my business once they are passed into law? What advice can I follow to ensure that I meet the requirements as set out in the law books?
The industry you operate in and the profile of your company (whether it is a local, multinational or global organisation) will to a large extent determine which compliance guidelines apply. There are, however, Acts such as RICA that apply to all local companies. The premise of RICA is that direct or indirect communications may not be monitored or intercepted except in accordance with the Act; doing so otherwise is an offence. This requires organisations to pay special attention to aspects such as e-mail monitoring and employee content.
There is one draft bill that we believe will have a significant impact on the local market, namely the Protection of Personal Information Act (POPIA). POPIA is based on eight key principles, which range from information quality and openness to security safeguards and accountability. Once passed into law, POPIA will carry more weight than the ECT Act as it requires companies to demonstrate that they have taken all reasonable steps to ensure that data has been secured.
One of the key principles of POPIA is the implementation of technical and organisational measures to ensure the confidentiality, integrity and availability of collected personal information. It furthermore addresses the compromise of personal information, stating that if such a compromise takes place the affected parties must be notified. Consider your database with a million records: if it is compromised, you will have to notify a million customers!
Monitoring and tracking security breaches
What approach can you take to address regulatory compliance in your organisation? Enter ISO 17799, a code of practice for information security management and a generic set of best practices for information security systems. In much the same way that ISO 9001 governs the quality of consumer goods, ISO 17799 has been developed to ensure good information security practices. This code of practice aims to be as comprehensive as possible and specifies best practices for aspects such as business continuity planning, physical and environmental security, system access control and personnel security - amongst others.
Often, good information security management boils down to common sense and following established best practices. Do not ignore it, or you will get into trouble. Define and document procedures for disclosing any breaches, remembering that the losses are often not only financial, but may be very damaging to your reputation. Some technology considerations include the following:
* Security event management systems and vulnerability management technology are important to help organisations improve their security posture and detect where security policies have been breached.
* Implement authentication technology for access to databases containing sensitive information.
* It is important to deploy strong intrusion prevention for data centres and databases.
* Rights management technology will ensure that only authorised employees can print, forward and edit records.
* Forensic technologies are also finding favour, as they enable an organisation to establish exactly what damage an attacker has caused and help to track down the perpetrator.
Be aware of changes in the local regulatory landscape and how these changes impact your business. If you do not take the necessary steps to ensure that your information assets are protected, the chances are very good that they will be compromised. And remember that ignorance is not a defence.