Infosec Law It Web (March 2006)

Law Relating to Information Security: “Compliance in Uncertainty: Bringing a Little Order to a Lot of Chaos”
Michael Silber, Michalsons Information Technology Attorneys


Transcript of Infosec Law It Web (March 2006)

Page 1: Infosec Law It Web (March 2006)

Law Relating to Information Security: “Compliance in Uncertainty: Bringing a Little Order to a Lot of Chaos”
Michael Silber
Michalsons Information Technology Attorneys

Page 2

Overview
• ICT Regulatory Hype Cycle
• Contextualise concept of security: information security versus national security
• Applicable SA legislation and shortfalls, including:
  – The ECT Act
  – RIC Act
  – Draft Protection of Personal Information Bill
• Corporate Governance - King II
• Conclusions

Page 3

Disclaimer
• This is not legal advice.
• If in doubt, consult an attorney on your specific issue!
• By remaining seated you agree to be bound by this disclaimer.

Page 4

Acts, Bills etc: Making Law (a brief interlude)
• Bill: Draft Law presented in Parliament
• Act: Law passed in Parliament
• Process:
  – Introduced in Parliament, usually by a Minister; drafted by his/her Department and approved by Cabinet
  – Sent to Committee, published for comment & debated in committee
  – Final version sent to house for debate & vote
  – If passed – sent to other house
  – If passed – to President for assent
  – Once signed by President becomes an Act of Parliament
  – May have implementation date

Page 5

Compliance requirements develop at different rates

[Figure: South African ICT Regulatory Hype Cycle. Vertical axis: Visibility; horizontal axis: Maturity, running through Business Trigger, Peak of Inflated Expectations, Trough of Disillusionment, Slope of Enlightenment and Plateau of Productivity. Key (Time to Plateau): less than two years; two years to five years; five years to 10 years; more than 10 years; obsolete before plateau.]

Compliance requirements plotted on the cycle: Basel I (1988); Infosec / SANS 17799; ECT Act (2002); Basel II (1999); RM / SANS 15489; PROATIA (2000); Sarbanes-Oxley Act (2002); RIC (Interception); PPI Bill (Privacy); SANS 15801; Critical Databases, Crypto Providers and ASPs; Electronic Communications [Convergence] Bill (2005); King II (2002); EU Data Privacy Directive; FICA.

Page 6

Meaning of “Security” in the SA Context

[Diagram grouping the sources of law under three headings: National Security, Info Security (Confidentiality, Integrity, Authentication) and Privacy & Security.]

ECT Act, 2002
- Crypto
- Critical databases
- Cyber crime

National Security:
- The State Information Technology Agency Act, 1998
- The Electronic Communications Security (Pty) Limited Act (COMSEC)
- Intelligence Services Control Amendment Act, 2002

Info Security (Confidentiality, Integrity, Authentication):
- SANS 17799
- King 2 Infosec BPG

Privacy & Security:
- Interception Act
- Draft PPI Bill, 2005 (SA Law Commission)

Page 7

Applicable Legislation
• Electronic Communications & Transactions Act 2002 (ECT Act)
  – Cryptography & (draft) Regulations
  – Critical Databases
  – Data Privacy
  – Cyber crime
• Regulation of Interception of Communications & Provision of Communication-related Information Act 2002 (RIC Act)
• Draft Protection of Personal Information Bill

Page 8

ECT Act Cycle

[Diagram: four quadrants, A to D: e-Infrastructure, e-Transactions, e-Data and e-Communications.]

e-Transactions: E-Contracts are valid; Methods of contract conclusion; Electronic signatures; Automated transactions; Consumer Protection; Secure payments; Time and place of contract conclusion

e-Communications: Time of sending & receipt; Attribution of message to you; Acknowledgement of receipt; Authenticity and identity; Cryptography; Cyber Crime

e-Data: How to satisfy statutory requirements of form (Writing; Original; Record Retention; e-Filing; Notarisation & certification); Law of Evidence; Data Protection / Privacy; Critical Databases

e-Infrastructure: Maximising Benefits; E-Government; Authentication Service Providers; ISP Liability; Domain Names; Cyber Inspectors

Page 9

Chapter V: Cryptography Providers

[Diagram: Chapter V, Cryptography Providers, sections 29 to 32: Register of Cryptography Providers; Registration with the Department; Restrictions on disclosure of Information; Application of Chapter; Offences.]

Chapter V governs the use of cryptography products and services used within the Republic. The Director General is tasked with maintaining a register of cryptography providers and their products and services. Registration is compulsory and suppliers are prohibited from providing cryptography products and services in the Republic without complying with the provisions of this Act.

Page 10

Chapter IX: Protection of Critical Databases

[Diagram: Chapter IX, Protection of Critical Databases, sections 52 to 58: Scope of Critical Database Protection; Identification of critical data and databases; Registration of Critical Databases; Management of Critical Databases; Restrictions on disclosure of Information; Right of Inspection; Non-Compliance with Chapter.]

The aim is to facilitate the identification and registration of critical databases within the Republic. Critical databases are defined as databases that contain information which, if compromised, could threaten the security of the Republic or the economic and social well-being of its citizens. The Act stipulates criteria for the identification, registration and management of critical databases, as well as controls to ensure that the integrity and confidentiality of data relating to and contained in these databases is maintained, such as the right to audit and restrictions and penalties for unauthorised or illegal disclosure of information contained in or about these databases. In November 2003 the Minister of Communications awarded a tender to a consortium of consultants to undertake an inventory of all major databases in South Africa.

Page 11

Cyber crimes I: ECT Act versus CoE Convention on Cybercrime

ECT Act definitions:
- data: electronic representations of information in any form
- data message: data generated, sent, received or stored by electronic means
GAP: No definition of traffic data (CRI in RICA)

CoE Convention definitions:
- computer data: representation of facts, information or concepts in a form suitable for processing in a computer system
- traffic data: data relating to a communication indicating origin, destination, route etc

ECT Act, Section 86(1): a person who intentionally accesses or intercepts any data without authority or permission to do so, is guilty of an offence

ALSO RICA – Section 2: …no person may intentionally intercept or attempt to intercept, or authorise or procure any other person to intercept or attempt to intercept, at any place in the Republic, any communication in the course of its occurrence or transmission

CoE Convention, Article 2 - Illegal Access: The access to the whole or any part of a computer system, committed intentionally and without right

CoE Convention, Article 3 - Illegal interception: The interception made by technical means, of non-public transmissions of computer data when committed without right and intentionally

Page 12

Cyber crimes II: ECT Act versus CoE Convention on Cybercrime

ECT Act, Section 86(2): A person who intentionally and without authority to do so, interferes with data in a way which causes such data to be modified, destroyed or otherwise rendered ineffective, is guilty of an offence

CoE Convention, Article 4 - Illegal interference: The damaging, deletion, deterioration, alteration or suppression of computer data committed intentionally without right

CoE Convention, Article 5 - System interference: Committed intentionally, the serious hindering without right of the functioning of a computer system by inputting, transmitting, damaging, deleting, deteriorating, altering or suppressing computer data

ECT Act, Section 86(3) and 86(4):
- A person who unlawfully produces .. distributes or possesses any device, including a computer program or a component, which is designed primarily to overcome security measures for the protection of data, or performs any of those acts with regard to a password, access code or any other similar kind of data with the intent to unlawfully utilise such item to contravene this section, is guilty of an offence
- A person who utilises any device or computer program mentioned above in order to unlawfully overcome security measures designed to protect such data or access thereto, is guilty of an offence

CoE Convention, Article 6 - Misuse of devices: The production, sale, procurement for use, import, distribution or otherwise making available of a device, including a computer program, designed or adapted, or a computer password, access code, or similar data by which the whole or any part of a computer system is capable of being accessed, for the purpose of committing offences indicated in Articles 2

Page 13

Cyber crimes III: ECT Act versus CoE Convention on Cybercrime

ECT Act, Section 87(2): A person who performs any of the acts described in section 86 for the purpose of obtaining any unlawful advantage by causing fake data to be produced with the intent that it be considered or acted upon as if it were authentic, is guilty of an offence

Common law

CoE Convention, Article 7 - Computer-related forgery: The input, alteration, deletion, or suppression of computer data, resulting in inauthentic data with the intent that it be considered or acted upon for legal purposes as if it were authentic, regardless whether or not the data is directly readable and intelligible, committed intentionally and without right.

ECT Act, Section 87(1): A person who performs or threatens to perform any of the acts described in section 86, for the purpose of obtaining any unlawful proprietary advantage by undertaking to cease or desist from such action, or by undertaking to restore any damage caused as a result of those actions, is guilty of an offence

Common law

CoE Convention, Article 8 - Computer-related fraud: The causing of a loss of property to another by any input, alteration, deletion or suppression of computer data, or any interference with the functioning of a computer system, with fraudulent or dishonest intent of procuring, committed intentionally and without right, an economic benefit for the individual or for another.

Page 14

Cyber crimes IV: ECT Act versus CoE Convention on Cybercrime

ECT Act, Section 88:
- Any person who attempts to commit any of the offences referred to in sections 86 and 87 is guilty of an offence and is liable on conviction to the penalties set out in section 89
- Any person who aids and abets someone to commit any of the offences referred to in sections 86 and 87 is guilty of an offence and is liable on conviction to the penalties set out in section 89

CoE Convention, Article 11: Attempt and aiding or abetting: Each party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally, aiding or abetting the commission of any of the offences established in accordance with Articles 2-10 of this Convention with intent that such offence be committed.

Other Laws
- Films and Publications Act - Section 27(1): corresponds to Article 9 - Offences related to child pornography
- Copyright Act - Section 27: corresponds to Article 10 - Offences related to infringements of copyright and related rights
- Common Law: fraud, extortion, malicious damage to property etc

Page 15

Shortfalls
• No definition of traffic data
• Possibly inadequate sentences
• Procedure
  – No cyber inspectors
  – Limited skills in NPA, judicial officers, SAPS
  – Criminal Procedure Act
  – Extra-territorial application
• Functional Equivalence
  – Possible but limited application
• SABRIC Initiative

Page 16

Privacy

Page 17

State of SA privacy regulation
• Privacy regulation in its infancy
• Protection of Personal Information (PPI) Bill and Discussion Paper released in October 2005 by South African Law Reform Commission
• Comments due 31 March 2006
• Based on 8 principles:

Page 18

Page 19

Principle 6 – Security Safeguards: Key Aspects
• Measures to ensure integrity of personal information
• Authority of person processing PI
• Security measures regarding PI by processor
• Notification of security compromises

Page 20

Interception

Page 21

RICA
• Regulation of Interception and Provision of Communication-related Information Act 2002
• Effective 30 September 2005
• Customer verification – some extended
• Service provider directives – 28 May 2006
• Live intercept & stored data (CRI)
• Intercept means the aural or other acquisition of the contents of any communication so as to make some or all of the contents of a communication available to a person other than the sender or recipient or intended recipient of that communication, and includes monitoring, viewing, examination or inspection of indirect communication and diversion
• Interception prohibited unless exception

Page 22

Exceptions

s4(1): Participant(s) intercept themselves
– Can intercept if party to communication

s5(1): 3rd party (e.g. Co X) intercepts with written consent of one of the parties
– Can only intercept with written consent
– CEO not involved
– No fine

s6: 3rd party (e.g. Co X) intercepts in ordinary course of business
– Business purpose exception
– CEO involved
– Fine: 2 yrs / R10m
– DIRECTIVES

Page 23

Business-related Interception
• “health purposes” – Continuous monitoring / interception
  – System security and maintenance
  – Automatic monitoring / interception: Security; Incident response; Help desk responses to calls logged (internal / external); Firewalls; Content monitoring / interception systems; Message logging systems; Telephone management system
• “forensic purposes” – Once-off, occasional, covert
  – Investigate allegations of fraud, corruption, breach of a policy
  – Manual monitoring / interception

Page 24

Interception Matrix (RICA tells you what to do but not how to do it)

Implied consent and reasonable efforts demonstrated by:
– Interception Policy (Persons)
– FAQ
– Glossary of Terms
– Log-on Notice
– Interception Policy Notice and Memo to Users
– Reminder e-mail from IT department

Express / Written consent demonstrated by:
– Acceptance of Interception Policy
– Interception Consent (incl. waiver of right to privacy and covering ECT Act)
– Suggested clauses for HR contracts and promotions
– Log-on Notice
– Waiver & consent clause in Visitor’s sign-in sheet

CEO is protected by:
– CEO Delegation of Authority to MO
– Interception Policy & Guidelines for Technical Staff + Acceptance Doc
– Pro-Forma Interception Request
– Pro-Forma Interception Report to the Board

Page 25

King II and Infosec
King Report on Corporate Governance for South Africa 2002

Page 26

Corporate Governance?

Page 27

Quotes from the Code
“The board should have unrestricted access to all company information, records, documents and property. The information needs of the company should be well defined and regularly monitored” (2.1.7)

Page 28

Quotes from the Code
“The board is responsible for the total process of risk management…” (3.1.1) and “should make use of…control models and frameworks…with respect to … “safeguarding the company’s assets (including information)” (3.1.4)

Page 29

Quotes from the Code
“The board is responsible for ensuring that a[n]…assessment of…key risks is undertaken…[which] should address the company’s exposure to… technology risks…business continuity and disaster recovery…” (3.1.5)

Page 30

Page 31

King II Infosec BPG
1. What is information security?
2. Key considerations when making information security decisions?
3. Characteristics of a sound information security agenda?
4. An effective information security strategy
5. Devising a successful approach to information security
6. What directors can do

Page 32

Take home message I
• Identify your compliance criteria
• Identify your information holdings
  – Sensitivity
  – Personal information
  – Records
• Prepare a file plan / information taxonomy

Page 33

Take home message II
• Adequate Information Security Policy
  – Often drafted by IT Audit / HR / IT
    HR often doesn’t understand the tech issues
    IT Audit often doesn’t understand the legal issues and is too technical
  – Need to address different audiences
  – Often “knipped” and “plukked” from internet
  – No clear understanding as to content and labeling (e.g. ECP)
  – Myth around 17799 “compliance”

Page 34

General Information Security Policy

Information Policies
• Information Ownership Policy
• Information Management Policy
• Encryption & Transmission Policy
• Media Handling Policy

Access Control Policies
• Password Policy
• User Policy
• Acceptable Usage Policy
• 3rd Party Access Policy

Technical Policies
• Development Review
• Patch Management
• Architecture Policy
• Infrastructure Policy
• System Audit Policy

Business Continuity
• Business Continuity Policy
• Backup & Restore Policy
• Disaster Recovery

Information Classification

Further policies shown on the slide:
• E-mail Policy
• Telecommuting Policy
• Privacy, Interception & Monitoring Policy
• Employee Exit Policy

Foundation: Legal Compliance, Risk Management, Best Practice

Page 35

Thank You
Questions?