The Minimum Information Security Standards (or MISS) is a standard for the minimum information security measures that any institution must put in place for sensitive or classified information to protect national security. If you work with public service information resources, you need to know this document intimately. The same applies if you are a private body working closely with government with information that is important to national interests. Cabinet approved it on 4 December 1996 and made it a national information security policy.
It is interesting to read how the Department of Health complies with the standard. The Minister of Health responded to a question in Parliament and explained what steps they take.
Who does the MISS apply to?
The MISS seems to apply to both public and private bodies that handle sensitive or classified information. The definition of institution covers not only public bodies but “any private undertaking that handles information classifiable by virtue of national interest” as well. Considering that private bodies seldom process classified information, the MISS mostly applies to public bodies. However, considering that the government does also outsource certain important national services to the private sector (such as social grants, for example), the MISS will certainly apply to private bodies as well.
The MISS, therefore, applies to:
- public bodies rendering a public service (both those subject to the Public Service Act and those subject to any other law)
- private bodies processing information that is of importance to national interests.
What does the MISS apply to?
MISS applies to sensitive information that has been classified as restricted, confidential, secret, or top secret. MISS defines classified information as “sensitive information which in the national interest, is held by, is produced in, or is under the control of the State, or which concerns the State and which must by reasons of its sensitive nature, be exempted from disclosure and must enjoy protection against compromise.”
Who is responsible?
It is the head of each institution, whether public or private, who bears the ultimate responsibility for ensuring compliance.
Amongst others, they have a responsibility to:
- delegate, in writing, to a suitably qualified staff member the authority to create an effective information security policy, and to personally sign the policy;
- assign clearly defined roles to security staff in the implementation of information security, and establish who they report to, including appointing a person to mainly act as head of the security staff and oversee the implementation of the information security policy;
- ensure the effective implementation of the information security policy by maintaining oversight over the activities of the head of the security staff.
Importantly, once a head of security staff is appointed by the head of the institution, the MISS specifically requires them to be responsible for ensuring the implementation of the information security policy.
Is MISS a Data Localization Law?
MISS is not a data localization law. It does not have any provision dealing specifically with the transmission of information out of the Republic. It does, however, require an institution that transmits information anywhere to keep a proper record of all such information. Additionally, the institution needs to ensure that it encrypts such information if the transmission is via computer or facsimile. And if it keeps the same information in different places, it needs to keep a sufficient record of all such copies.
Actions you can take:
- Read it by asking us to email you a copy.
- Find out what the information security obligations are for public bodies by attending one of our workshops.
- Raise awareness in your organization about how the MISS applies to you by asking us to do a private workshop for you.
- Prevent legal risks posed by your processing by asking us to do an information security audit.
- Know the information security laws that apply to you by reading our information security guide.
Questions
- Is it still a valid document? Is it outdated?
- Will the Cyber Bill repeal it?
- Is it replaced by the POSI Act?
- Does the POPI Act override it?
- How does one check that one complies with it?
The legislative framework
The enabler for the MISS is the Regulations of the Public Service Act (Chapter 5: Electronic Government Regulations, Part II: Information Security, B. Minimum information security standards). They say:
“B.1 The Minister shall, in consultation with the Minister of Intelligence, issue Minimum Information Security Standards (herein referred to as the MISS) for the public service in the form of a handbook called the Handbook on Minimum Information Security Standards.
B.2 Any person working with Public Service information resources shall comply with the MISS.
B.3 A head of the department may request an exemption from a provision of the MISS. The request shall be submitted to the Minister. The Minister shall, in consultation with the Minister of Intelligence, grant the request for exemption if the exemption is considered necessary for the effective functioning of the relevant department or a part thereof.”
What the Minimum Information Security Standards is not
It is not the Department of Social Development’s Security Policy. They also refer to their policy as MISS, but don’t confuse it with the actual Minimum Information Security Standards (or MISS) – the Cabinet-approved standard.