The directive on public service information security is the South African Department of Public Service and Administration’s (DPSA) latest effort to address the government’s vulnerability to cyberattacks. This development comes four months after the Minister issued the directive on cloud computing in the public service on 14 January 2022.
The digital transformation of government departments is a key objective of the DPSA. The State Information Technology Agency (the state-owned company that coordinates the state’s IT resources) also anchored digital transformation in its 2022 GovTech conference, themed “Digitisation and Digitalisation – evolving government services”.
This directive sets the standard for information security governance and practice across departments. I’ve written this post for government departments that need help complying with the directive, as well as vendors that either provide or wish to provide IT goods and services to the government.
At the end of the post, you should know what the directive requires from you.
“The persistent cybersecurity incidents in the public service reveal the level of vulnerability that the government departments are exposed to with limited ICT security skills to mitigate and combat the cyber-attacks as they may emerge” – Acting Minister T.W. Nxesi, M.P. (DPSA)
To whom does the directive on public service information security apply?
All government departments must comply with the directive. Although the directive is silent on what a department is, the DPSA’s Public Service Corporate Governance of Information and Communication Technology Policy Framework (CGICT policy framework) from 2012 defines it to include:
- a national or provincial government department
- a national or provincial government component
- the office of a premier
- public administration in all spheres of government
- organs of state
- public enterprises
There may be some exempt departments.
When did the directive start applying?
7 June 2022.
What are some important concepts that you need to know in the directive on public service information security?
Classification
The directive requires departments to classify all information. This aspect of the directive is reminiscent of the government’s 1996 Minimum Information Security Standards (MISS). The directive incorporates MISS by reference in the definitions section. MISS first introduced the concept of classification at the start of the democratic era of South Africa. However, unlike the four classifications in MISS, the directive has three:
- Public information – for example reports, announcements, job openings, press releases, service brochures, and information published on the website.
- Confidential information – for example employee performance evaluations, transaction data, agreements, unpublished memorandums or submissions, passwords, internal audit reports, and all client information.
- Secret information – this is sensitive information that, if disclosed, has the ability to seriously and adversely impact a department or third parties.
The distinction between a compromise, an incident, and an event
The directive requires a department to proactively manage four kinds of security occurrences: an incident, an information security event, an information security incident, and a compromise. The DISO and GITO may need to step in to further distinguish these concepts in their respective department’s information security policies to ensure that the right response procedures are applied to each.
Computer security vs information security
The directive distinguishes between computer security and information security. Computer security seems to focus on device security, while information security is concerned with safeguarding information assets.
What does the directive on public service information security require departments to do differently?
Introduce a new role player in the governance structure and work together
All departments must follow an information security governance structure which includes the following role players:
- The Head of Department (HoD) – is ultimately responsible for information security in a department. Typically, it is the director general of the relevant department. The HoD is also the default information officer of a department.
- A Departmental Information Security Officer (DISO) – is a new role player introduced by the directive. Their main role is to manage the people and process part of a department’s ongoing information security program.
- A Government Information Technology Officer (GITO) – is an existing role player established by the DPSA’s CGICT policy framework. The GITO is primarily responsible for managing the systems aspect of a department’s information security program; for example, approving and recommending software that a department can and should use, authorising connections to the department’s network, etc.
- The ICT steering committee – is an existing forum, like the GITO, which was established by the DPSA’s CGICT policy framework. It consists of executive management, a department’s ICT governance champion, programme management, and the GITO. It is the official information security forum for a department.
Maintain an awareness programme
As of 7 June 2022, departments are expected to develop and maintain an ongoing information security awareness programme to reduce human error. The directive has certain requirements that a programme must meet:
- It must train government employees to recognise and report cyberattacks, and also empower employees on how to handle sensitive data appropriately.
- It must target specific roles for training and awareness, like system administrators, web application developers, and help desk administrators.
Use contracts to strengthen information security
The directive instructs departments to leverage contracts in two main ways:
- All new government employees must sign an HR policy which incorporates a summarised version of the mandatory information security policy. Practically, this means that information security practices will form part of the employment contract.
- All contracts with software or system developers must include an intellectual property clause which prohibits developers from copying, selling, leasing, or removing any software, information, source code, or system design documents developed by or on behalf of a department.
What challenges can departments expect in trying to comply?
Ultimately, the directive attempts to provide a framework for information security best practices in public services by detailing what minimum organisational and technical information security measures should be in place. This comes with its challenges, but departments can get this right. The first step is understanding what the challenge is.
Understanding your compliance universe
Departments must understand their compliance universe. Section 19 of the Protection of Personal Information Act (PoPIA) obliges a department, as a responsible party, to take appropriate technical and organisational measures to prevent information security incidents and compromises concerning personal information. State security is a feature unique to the government’s compliance universe. This is why classification is an important aspect of a department’s compliance framework.
The directive on public service information security and the directive on cloud computing in public service are positioned on this foundation. And yes, more directives bring more complexity to the compliance universe of departments. There are also various frameworks and policies that a department must take into account, like the DPSA’s CGICT policy framework and the national data and cloud policy.
The biggest challenge for departments in this context is how all these norms and standards work together, not to mention other standards which don’t quite fit into the compliance framework. An example is MISS. It is still not clear what the status of MISS is. Its relationship with the directive on public service information security is also unclear because it is only mentioned in the definitions section of the directive, and nowhere else. This creates more questions than answers; for example, are departments meant to comply with both MISS and the directive? What happens in the event of a conflict between the two? Furthermore, MISS has not been updated since 1996 and the world has significantly changed since then.
Building a data protection culture
Building a healthy data protection culture is tough for any organisation, let alone one the size of the government. Low digital literacy and fear of change can threaten the data protection compliance journey. It’s about building trust with employees and demonstrating the value of learning good information security practices and also unlearning bad habits. If government employees don’t understand how information security forms part of their daily work lives and what they need to do, you’re going to struggle to sustain any system and process controls you put in place. This is the intention of the directive’s requirement on departments to have an ongoing information security awareness programme.
Actions you can take
- Secure information by asking us to draft you a robust information security policy.
- Reduce human error in your department by asking us to help you develop a training and awareness programme.
- Discover more about cloud contracts, the associated risks, what the law requires they contain, and how to draft them by buying our Cloud Contracts Guide.
- Manage your relationship with your cloud and software providers by asking us to review your vendor agreements and help you with contract lifecycle management.
- Find out more about cloud computing governance, risk and compliance, including cloud compliance.