Information is an important tool for successful organisations, and Information Security Law forms a key part of that equation. Information Security Law is the body of legal rules, codes, and standards that require you to protect that information, and the information systems that process it, from unauthorized access. The legal risks are potentially significant if you don’t take a pragmatic approach. We can help you avoid or minimise these risks with our various solutions.
Why is Information Security Law important?
Securing information is about securing value. In the same way that we secure physical stores of value such as cash, gold, or jewellery against theft, loss, or destruction, we must do the same with digital stores of value – particularly information. We live in an information society, after all, where the creation, use, and distribution of information is a significant economic, political, and cultural activity. We are moving from the service economy into the information economy, which emphasizes informational activities that rely on information technologies such as computers, mobile devices, and the Internet.
Information security law is important because information has value.
You wouldn’t leave your house without locking the door or buy an expensive car without insuring it against theft, so why would you process information without securing it?
How should you apply Information Security Law?
We suggest a pragmatic approach to information security law. You should be proactive in how you deal with information security law. You should base your approach on practical considerations, not just lofty theories or ideas about what you must do to comply. How should you do this? Consider the following example:
Should you encrypt your data? You have an on-premises server where you store transaction data related to your clients or customers, including their account numbers.
In this scenario, you should take the following steps:
- identify risks – identify all risks to the information – e.g. there’s the very real risk of hackers stealing the account numbers
- identify safeguards – identify physical, digital, operational, and administrative safeguards that reasonably address those risks, also considering any inherent characteristics of the personal information that make it riskier – e.g. encryption is a digital safeguard that is especially useful in preventing hackers from stealing personal information as important as account numbers
- create safeguards – actually create the safeguards for those risks – e.g. buy an encryption software solution and install it on your equipment where you store account numbers
- verify safeguards – check that those safeguards are working – e.g. ensure your software solution is always running by checking it manually or monitoring it automatically
- update safeguards – update those safeguards for any new risks – e.g. consider implementing operational safeguards such as training your staff if you find that the digital safeguards are not sufficient
What is reasonable depends on the following factors:
- risks – the existing and prospective risks to the information – e.g. there are great risks when the information involved includes account numbers
- technology – the most recent level of development of technology at a particular time – e.g. software encryption solutions are readily available, but will evolve and improve as time goes on – so you have to keep updating them
- costs – the costs of creating, checking, and updating safeguards for those risks in terms of money, time, and labour – e.g. software encryption solutions are cheap, quick, and easy to implement
The moral of the story for this example is: encrypt your data! In the event of a data breach, regulatory authorities will not look upon you kindly if you failed to do so.
This is just one example of how to pragmatically apply information security law to a particular situation. Our recommendation relies on global data protection laws (such as the GDPR, UK DPA, and ZA POPIA), international trends, and widely accepted information security standards (such as ISO/IEC 27001:2005, COBIT 5, and ITIL). There are many more situations out there that you may need specialist help with to determine what is reasonable.
What help can Michalsons offer when it comes to Information Security Law?
We offer the following solutions that can help you take a pragmatic approach to information security:
- our Online Information Security Assessment – to assess your current level of information security and what you still need to do to comply with the relevant laws
- our Information Security Handbook – a concise manual about information security law
- an Information Security Compliance Guide – a comprehensive document that helps a decision-maker choose an information security solution by explaining the relevant information security law
- an Information Security Policy – a plan of action when it comes to protecting information and information systems from unauthorized access in your organisation
- our Information Security Compliance Programme – a four week online course with webinars, a forum, and related tools to help you comply with information security laws
- our Data Protection and Information Security Webinar – an online group training session on information security law
- our Data Protection and Information Security Workshop – a face-to-face meeting, seminar, or discussion group where people intensively discuss and engage in activities on information security law
- an Information Security Audit – an audit of how technically sound your information security measures are
- our Cryptography Provider Registration Services – to help you comply with the ECT Act when providing information security products and services, such as encryption solutions
If you are interested, please complete the form on the right or enquire now. We will contact you to find out more about your requirements and give you a quote.