
1.7. Relevant security and legal regulations and their purpose

ryanrori February 1, 2021


Information security (sometimes shortened to InfoSec) is the practice of defending information from unauthorised access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. It is a general term that applies regardless of the form the data may take (electronic, physical, etc.).

Two major aspects of information security are:

  • IT security: Sometimes referred to as computer security, Information Technology Security is information security applied to technology (most often some form of computer system). It is worth noting that "computer" does not necessarily mean a home desktop: a computer is any device with a processor and some memory (even a calculator). IT security specialists are found in almost every major enterprise or establishment because of the nature and value of the data held by larger businesses. They are responsible for keeping all of the technology within the company secure from malicious cyber-attacks, which often attempt to reach critical private information or to gain control of internal systems.
  • Information assurance: The act of ensuring that data is not lost when critical issues arise. These issues include, but are not limited to, natural disasters, computer or server malfunction, physical theft, or any other situation in which data could be lost. Since most information is now stored on computers, information assurance is typically handled by IT security specialists. One of the most common methods of providing information assurance is to keep an off-site backup of the data in case one of these issues arises.

Over recent years the obligations of entities holding information in electronic form have expanded: they are increasingly expected to implement reasonable organisational, physical and technical measures to safeguard the information under their control. Even in the absence of legislation or case law obliging holders of information to safeguard it, persons responsible for the governance or management of an organisation owe a duty of care to the organisation's stakeholders, and to third parties on whose behalf they may hold information, to exercise due diligence in properly safeguarding that information.

The new Companies Act specifically mandates that a director must perform the functions of a director with the degree of care, skill and diligence that may reasonably be expected of a person carrying out those functions, and with the general knowledge, skill and experience of that director. In exercising the necessary degree of care, skill and diligence relating to the use of information and communications technology, directors should take heed of the provisions of the King III Code of Governance Principles for South Africa. These specifically define the obligations of directors relating to IT Governance and expressly address the obligation to implement information security.

The Protection of Personal Information Bill, in addressing Security Safeguards as a condition of lawful processing of personal information, expressly requires that:

(1) A responsible party must secure the integrity of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent –

(a) Loss of, or damage to, or unauthorised destruction of personal information; and 

(b) Unlawful access to or processing of personal information. 

(2) In order to give effect to subsection (1) the responsible party must take reasonable measures to – 

(a) Identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control; 

(b) Establish and maintain appropriate safeguards against the risk identified; 

(c) Regularly verify that the safeguards are effectively implemented; and 

(d) Ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards. 

(3) The responsible party must have due regard to generally accepted information security practices and procedures which may apply to it generally or are required in terms of specific industry or professional rules and regulations.

Once the Bill is enacted, this will be the first instance in South African law of an express statutory stipulation requiring the implementation of information security to protect information.