Auditor General’s Office • One key audit focus area – Compliance with Laws and Regulations Relevant ICT Legislation (across all spheres) • • • • • ECT Act RICA EC Act PAIA POPI Relevant ICT Legislation (government specific) • • • • • • • Public Services Act and Regulations Public Finance Management Act Intelligence Service Act Electronic Communications Security Act (COMSEC) Protection of State Information State Information Technology Agency Act (SITA) Draft White Paper on eCommunication • No policies that address cross-over aspects pertained in legislation • No clear vision as to whom, how and when legislation applies • What does it mean seen from a CIO perspective? • What do you experience daily as CIOs? • Centrally managed infrastructure environment (databases) leading to improvement of admin and security – but no critical database has been registered thus far in terms of ECT Act! • Consolidation and synchronisation of applications and toolsets use – but has the legal implications round POPI been assessed (e.g. Cloud and BYOD)? • Cloud Computing – do CIOs understand the various legal consequences? • E – Government – has the legitimacy and underlying validations in terms of the ECT Act been explained? Developing enabling policies, legislation, norms and standards and guidelines Standards, Codes and Frameworks (best practise) • • • • • • • • MISS MIOS ISO 27001 ISO 29100 SAS 70 / SSAE 16 / ISAE 3402 IT Governance Framework COBIT KING III Align Legislation, Standards, Frameworks & Codes • • • • • • Establish Compliance function KYC & AO (Know Your Compliance and Accounting Officers!!) Create ICT Regulatory Universe in conjunction with CO TAKE RESPONSIBILITY & OWNERSHIP Simplify legislation Align processes with legislation – e.g. PAIA ( survey - no implementation –– POOR SERVICE DELIVERY) • Participate with new legislation by submitting public comment (POPI – very little) Simplify it by categorising legislation under CIO terms • • • • • • • • Computer Crimes Document Management / Retention (Duplication) Electronic Communications Data Classification Information Security National Security Intellectual Property Privacy etc. Public Finance Management Act (Act 1 of 1999 as amended by Act 29 of 1999) • section 38(1)(b), (d) & (e) holds an accounting officer responsible for the effective, efficient, economical and transparent use of the resources and to comply with audit commitments as required by legislation and safeguarding of assets. KING III One key aspect of IT Governance: • risk management: addressing the safeguarding of IT assets, disaster recovery and continuity of operations KING III 5.5.2 The board should ensure that the company complies with IT laws and that IT related rules, codes and standards are considered. 5.6.1 The board should ensure that there are systems in place for the management of information which should include information security, information management and information privacy. KING III 5.6.2 The board should ensure that all personal information is treated by the company as an important business asset and is identified. According to SITA, National Treasury has embraced Chapter 5 of KING III and although there are Public Service Regulations and Info Security Plans, see how it can be aligned to best practise to gain traction. Remember! AG audits against best practise!! ADDITIONAL CONCERNS • • • • • Special Categories of Personal Information Unsolicited Marketing Automated Processing Cross Border Data Transfers Regulator CLOUD COMPUTING • Is moving data to the CLOUD a bad thing? CLOUD COMPUTING • Will my department have continued access to its information or data (backup and disaster recovery measures) irrespective of the information or data’s location? CLOUD COMPUTING • Can you provide me with assurances that unauthorised access to my department’s information or data is prevented (covers both protection against external “hacking” attacks and access by the cloud provider’s personnel or by other users of the datacentre)? CLOUD COMPUTING • Do you have adequate oversight of any subprocessors (irrespective of their location) you use or might use and subsequent to that, do you have the necessary agreements and contracts in place to ensure the security of my department’s information or data? CLOUD COMPUTING • Do you have sufficient procedures in place in the event of a data breach that would enable my department to take the necessary actions in terms of POPI? • • • • Awareness & Understanding Creates better implementation, which Facilitates best practise, which in return Improves service delivery © Copyright Francis Cronje 2010-2012 - All Rights Reserved