1. Law Relating to Information Security: "Compliance in Uncertainty: Bringing a Little Order to a Lot of Chaos". Michael Silber, Michalsons Information Technology Attorneys.
5. South African ICT Regulatory Hype Cycle: compliance requirements develop at different rates.
[Chart: hype-cycle diagram. Vertical axis: Visibility. Horizontal axis: Maturity. Phases: Business Trigger; Peak of Inflated Expectations; Trough of Disillusionment; Slope of Enlightenment; Plateau of Productivity. Key (time to plateau): less than two years; two to five years; five to 10 years; more than 10 years; obsolete before plateau.]
Requirements plotted on the curve: Basel I (1988); Infosec / SANS 17799; ECT Act (2002); Basel II (1999); RM / SANS 15489; PROATIA (2000); Sarbanes-Oxley Act (2002); RIC (Interception); PPI Bill (Privacy); SANS 15801; Critical Databases, Crypto Providers and ASPs; Electronic Communications [Convergence] Bill (2005); King II (2002); EU Data Privacy Directive; FICA.
8. ECT Act Cycle
[Diagram: four areas of the ECT Act, labelled e-Infrastructure, e-Transactions, e-Data and e-Communications.]
Topics covered: E-contracts are valid; methods of contract conclusion; electronic signatures; automated transactions; consumer protection; secure payments; time and place of contract conclusion; time of sending and receipt; attribution of a message to you; acknowledgement of receipt; authenticity and identity; cryptography; cyber crime; how to satisfy statutory requirements of form (writing; original; record retention; e-filing; notarisation and certification); law of evidence; data protection / privacy; critical databases; maximising benefits; e-government; authentication service providers; ISP liability; domain names; cyber inspectors.
9. Chapter V: Cryptography Providers
Sections S29 to S32 cover: Register of Cryptography Providers; Registration with the Department; Restrictions on disclosure of information; Application of Chapter; offences.
Chapter V governs the use of cryptography products and services used within the Republic. The Director General is tasked with maintaining a register of cryptography providers and their products and services. Registration is compulsory, and suppliers are prohibited from providing cryptography products and services in the Republic without complying with the provisions of this Act.
10. Chapter IX: Protection of Critical Databases
Sections S52 to S58 cover: Scope of critical database protection; Identification of critical data and databases; Registration of critical databases; Management of critical databases; Restrictions on disclosure of information; Right of inspection; Non-compliance with Chapter.
The aim is to facilitate the identification and registration of critical databases within the Republic. Critical databases are defined as databases that contain information that, if compromised, could threaten the security of the Republic or the economic and social well-being of its citizens. The Act stipulates criteria for the identification, registration and management of critical databases, as well as controls to ensure that the integrity and confidentiality of data relating to and contained in these databases is maintained, such as the right to audit, and restrictions and penalties for unauthorised or illegal disclosure of information contained in or about these databases. In November 2003 the Minister of Communications awarded a tender to a consortium of consultants to undertake an inventory of all major databases in South Africa.
11. Cyber crimes I: CoE Convention on Cybercrime compared with the ECT Act
CoE Convention, Article 2 - Illegal access: the access to the whole or any part of a computer system, committed intentionally and without right.
CoE Convention, Article 3 - Illegal interception: the interception made by technical means of non-public transmissions of computer data, when committed without right and intentionally.
ECT Act, Section 86(1): a person who intentionally accesses or intercepts any data without authority or permission to do so is guilty of an offence.
ALSO RICA, Section 2: ...no person may intentionally intercept or attempt to intercept, or authorise or procure any other person to intercept or attempt to intercept, at any place in the Republic, any communication in the course of its occurrence or transmission.
CoE Convention definitions: computer data: representation of facts, information or concepts in a form suitable for processing in a computer system; traffic data: data relating to a communication indicating origin, destination, route etc.
ECT Act definitions: data: electronic representations of information in any form; data message: data generated, sent, received or stored by electronic means.
GAP: the ECT Act has no definition of traffic data (RICA uses the term communication-related information, CRI).
12. Cyber crimes II: CoE Convention on Cybercrime compared with the ECT Act
CoE Convention, Article 4 - Illegal interference: the damaging, deletion, deterioration, alteration or suppression of computer data, committed intentionally and without right.
CoE Convention, Article 5 - System interference: committed intentionally, the serious hindering without right of the functioning of a computer system by inputting, transmitting, damaging, deleting, deteriorating, altering or suppressing computer data.
ECT Act, Section 86(2): a person who intentionally and without authority to do so interferes with data in a way which causes such data to be modified, destroyed or otherwise rendered ineffective is guilty of an offence.
CoE Convention, Article 6 - Misuse of devices: the production, sale, procurement for use, import, distribution or otherwise making available of a device, including a computer program, designed or adapted, or a computer password, access code or similar data by which the whole or any part of a computer system is capable of being accessed, for the purpose of committing the offences indicated in Articles 2 to 5.
ECT Act, Sections 86(3) and 86(4):
- A person who unlawfully produces, distributes or possesses any device, including a computer program or a component, which is designed primarily to overcome security measures for the protection of data, or performs any of those acts with regard to a password, access code or any other similar kind of data, with the intent to unlawfully utilise such item to contravene this section, is guilty of an offence.
- A person who utilises any device or computer program mentioned above in order to unlawfully overcome security measures designed to protect such data or access thereto is guilty of an offence.
13. Cyber crimes III: CoE Convention on Cybercrime compared with the ECT Act
CoE Convention, Article 7 - Computer-related forgery: the input, alteration, deletion or suppression of computer data, resulting in inauthentic data with the intent that it be considered or acted upon for legal purposes as if it were authentic, regardless of whether or not the data is directly readable and intelligible, committed intentionally and without right.
ECT Act, Section 87(2): a person who performs any of the acts described in section 86 for the purpose of obtaining any unlawful advantage by causing fake data to be produced, with the intent that it be considered or acted upon as if it were authentic, is guilty of an offence. Also common law.
CoE Convention, Article 8 - Computer-related fraud: the causing of a loss of property to another by any input, alteration, deletion or suppression of computer data, or any interference with the functioning of a computer system, with fraudulent or dishonest intent of procuring, committed intentionally and without right, an economic benefit for the individual or for another.
ECT Act, Section 87(1): a person who performs or threatens to perform any of the acts described in section 86 for the purpose of obtaining any unlawful proprietary advantage, by undertaking to cease or desist from such action, or by undertaking to restore any damage caused as a result of those actions, is guilty of an offence. Also common law.
14. Cyber crimes IV: CoE Convention on Cybercrime compared with the ECT Act and other laws
Common law: fraud, extortion, malicious damage to property etc.
CoE Convention, Article 9 - Offences related to child pornography: Films and Publications Act, Section 27(1).
CoE Convention, Article 10 - Offences related to infringements of copyright and related rights: Copyright Act, Section 27.
CoE Convention, Article 11 - Attempt and aiding or abetting: each party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally, aiding or abetting the commission of any of the offences established in accordance with Articles 2 to 10 of this Convention, with intent that such offence be committed.
ECT Act, Section 88: any person who attempts to commit any of the offences referred to in sections 86 and 87 is guilty of an offence and is liable on conviction to the penalties set out in section 89. Any person who aids and abets someone to commit any of the offences referred to in sections 86 and 87 is guilty of an offence and is liable on conviction to the penalties set out in section 89.
24. Interception Matrix (RICA tells you what to do but not how to do it)
[Diagram: the CEO is protected by two routes, express/written consent and implied consent with reasonable efforts, each demonstrated by a set of documents.]
Documents in the matrix: Interception Policy (Persons); Interception Policy and Guidelines for Technical Staff, plus acceptance document; Acceptance of Interception Policy; Interception Consent (including waiver of right to privacy and covering the ECT Act); Waiver and consent clause in visitor's sign-in sheet; Suggested clauses for HR contracts and promotions; Notice and Memo to Users; Reminder e-mail from IT department; Log-on Notice; FAQ; Glossary of Terms; CEO Delegation of Authority to MO; Pro-Forma Interception Request; Pro-Forma Interception Report to the Board.