An introduction to Information Security Policies

This article provides general guidance and information and does not constitute professional advice relating to specific instances. It is intended only as a starting point for organisations considering implementing information security measures. The following discussion of Information Security Policies is based primarily on Chapter 3 of ISO/IEC 17799: Information Technology - Code of Practice for Information Security Management. This international standard has been adopted by the South African Bureau of Standards as South African National Standard (SANS) 7799 and will, we believe, assume a crucial role in the future development of eBusiness in South Africa.


What is information security?

SANS 7799 defines "information security" as the "preservation of

a) confidentiality: ensuring that information is accessible only to those authorized to have access;
b) integrity: safeguarding the accuracy and completeness of information and processing methods;
c) availability: ensuring that authorized users have access to information and associated assets when required."

The Standard itself contains sets of information security controls which organisations should consider when planning how to address significant information security risks identified through a rigorous risk assessment exercise, which would include some form of penetration testing and vulnerability assessment.

What is an information security policy?

An information security policy document covers a variety of issues, all of which should stem from a management commitment to effective information security management. It is important that management should have previously identified its strategy for effectively securing its information resources and that this strategy is clearly expressed in the policy.

The most important legal function of the policy is to create clear and accessible rules for users of company networks with access to valuable information, as well as for employees responsible for IT security. By setting out acceptable and unacceptable procedures and practices, an organisation can begin to steer employee behaviour towards more secure practices while laying the groundwork for disciplinary action where necessary. This is also a necessary step in establishing a defence against any claim which may be brought against a company as a result of a security breach.

An organisation's information security policy should also identify how information relating to online contracting is secured and stored, so that it can be used to effectively manage contractual relations. An audit procedure should be set out to ensure that evidence of contracts and dealings is admissible in court if necessary.


What should be in it?

The nature of the business conducted and the results of an organisation's risk or gap analysis will dictate specific terms, but there are certain broad areas which should be covered. These include:

a) Organisational security
This covers setting up management bodies responsible for managing and co-ordinating information security; securing third party access to organisational information; and controlling the outsourcing of the management of information resources.


b) Personnel security
It is generally estimated that about 80% of the risk to information security is posed by staff and others using organisational information systems.

Securing personnel in respect of information systems includes:

- incorporating security obligations as terms of employment

- background checks if warranted

- training and

- setting out the manner in which security incidents should be responded to.

The training element cannot be overemphasised. It should be remembered that in the average business non-technical users have access to highly sensitive information and may damage or compromise the security of that information purely by accident. Training should also cover communication with third parties and the dangers of social engineering.

c) Compliance
Compliance requires a business to identify the legislation and regulations which affect its information security and related practices. In the context of South Africa, relevant legislation may include:

- the Electronic Communications and Transactions Act

- the Regulation of Interception of Communications and Provision of Communication-related Information Act (expected to enter into force in the first half of 2004)

- the Promotion of Access to Information Act

- the Copyright, Trade Marks, Patent and Design Acts

- foreign law such as Data Protection legislation affecting the transfer of data from South Africa to other countries

- the Companies Act

- legislation relating to the retention of documentation

- the VAT Act.


(This is not intended to be a complete list; legislative obligations and rights will vary across organisations. It should be noted that a Privacy Act, which is likely to place numerous obligations on organisations in respect of the personal information they hold, is under development by the South African Law Commission.)

Companies should also identify and cater for compliance with any third party obligations which they may have, i.e. where a contract with another company requires that specified security measures be taken to protect sensitive information.

d) Physical security

While focusing on information security it is easy to overlook the obvious. Securing physical assets is becoming increasingly important with the drive towards greater mobility in the workplace. Threats include environmental ones such as fires, earthquakes and extreme weather conditions, as well as theft, unauthorised access and malicious damage to property.

Conclusion

The Information Security Policy is the single most important planning aspect of information security. It must clearly state management's security objectives and then spell out how these are translated into concise, binding rules for all users, contractors and other third parties. The policy itself and the levels of compliance with it throughout an organisation will need to be continuously checked.

Please feel free to contact us if you require any further information on security policies and their legal implications. While an information security policy should involve collaboration between IT security specialists, IT staff, management and suitably specialised lawyers, it is, at the end of the day, a legal document which serves both to secure information and reduce the legal risk that inevitably comes with using information systems in the workplace.

25 Mar 2004


This article is intended to provide general guidance and does not constitute professional advice relating to specific instances. Should you wish to place any reliance on the information presented in this article we strongly advise that you consult your legal advisor or the Electronic Law Consultancy - info@e-lawconsultancy.co.za