Alignment of legislations to support improved service delivery

Auditor General’s Office
• One key audit focus area
– Compliance with Laws and Regulations
Relevant ICT Legislation (across all spheres)
•
•
•
•
•
ECT Act
RICA
EC Act
PAIA
POPI
Relevant ICT Legislation (government specific)
•
•
•
•
•
•
•
Public Services Act and Regulations
Public Finance Management Act
Intelligence Service Act
Electronic Communications Security Act (COMSEC)
Protection of State Information
State Information Technology Agency Act (SITA)
Draft White Paper on eCommunication
• No policies that address cross-over aspects
pertained in legislation
• No clear vision as to whom, how and when
legislation applies
• What does it mean seen from a CIO
perspective?
• What do you experience daily as CIOs?
• Centrally managed infrastructure environment
(databases) leading to improvement of admin
and security – but no critical database has been
registered thus far in terms of ECT Act!
• Consolidation and synchronisation of applications
and toolsets use – but has the legal implications
round POPI been assessed (e.g. Cloud and
BYOD)?
• Cloud Computing – do CIOs understand the
various legal consequences?
• E – Government – has the legitimacy and
underlying validations in terms of the ECT Act
been explained?
Developing enabling policies, legislation, norms
and standards and guidelines
Standards, Codes and Frameworks (best practise)
•
•
•
•
•
•
•
•
MISS
MIOS
ISO 27001
ISO 29100
SAS 70 / SSAE 16 / ISAE 3402
IT Governance Framework
COBIT
KING III
Align Legislation, Standards, Frameworks & Codes
•
•
•
•
•
•
Establish Compliance function
KYC & AO (Know Your Compliance and Accounting Officers!!)
Create ICT Regulatory Universe in conjunction with CO
TAKE RESPONSIBILITY & OWNERSHIP
Simplify legislation
Align processes with legislation – e.g. PAIA ( survey - no
implementation –– POOR SERVICE DELIVERY)
• Participate with new legislation by submitting public comment
(POPI – very little)
Simplify it by categorising legislation under CIO terms
•
•
•
•
•
•
•
•
Computer Crimes
Document Management / Retention (Duplication)
Electronic Communications
Data Classification
Information Security
National Security
Intellectual Property
Privacy etc.
Public Finance Management Act (Act 1 of 1999 as
amended by Act 29 of 1999)
• section 38(1)(b), (d) & (e) holds an accounting
officer responsible for the effective, efficient,
economical and transparent use of the resources
and to comply with audit commitments as
required by legislation and safeguarding of
assets.
KING III
One key aspect of IT Governance:
• risk management: addressing the safeguarding of
IT assets, disaster recovery and continuity of
operations
KING III
5.5.2 The board should ensure that the company complies with
IT laws and that IT related rules, codes and standards are
considered.
5.6.1 The board should ensure that there are systems in place
for the management of information which should include
information security, information management and
information privacy.
KING III
5.6.2 The board should ensure that all personal
information is treated by the company as an
important business asset and is identified.
According to SITA, National Treasury has embraced
Chapter 5 of KING III and although there are Public
Service Regulations and Info Security Plans, see how it
can be aligned to best practise to gain traction.
Remember!
AG audits against best practise!!
ADDITIONAL CONCERNS
•
•
•
•
•
Special Categories of Personal Information
Unsolicited Marketing
Automated Processing
Cross Border Data Transfers
Regulator
CLOUD COMPUTING
• Is moving data to the CLOUD a bad thing?
CLOUD COMPUTING
• Will my department have continued access to
its information or data (backup and disaster
recovery measures) irrespective of the
information or data’s location?
CLOUD COMPUTING
• Can you provide me with assurances that
unauthorised access to my department’s
information or data is prevented (covers both
protection against external “hacking” attacks
and access by the cloud provider’s personnel
or by other users of the datacentre)?
CLOUD COMPUTING
• Do you have adequate oversight of any subprocessors (irrespective of their location) you
use or might use and subsequent to that, do
you have the necessary agreements and
contracts in place to ensure the security of my
department’s information or data?
CLOUD COMPUTING
• Do you have sufficient procedures in place in
the event of a data breach that would enable
my department to take the necessary actions
in terms of POPI?
•
•
•
•
Awareness & Understanding
Creates better implementation, which
Facilitates best practise, which in return
Improves service delivery
© Copyright Francis Cronje 2010-2012 - All
Rights Reserved