
The purpose of ICT legislation is to control and regulate the use of ICT. Legislation protects people and ensures that those who invest in the technology are not abused by others.

INFORMATION PRIVACY AND THE GOVERNMENT

4.3.1 Describe ICT Legislation & laws governing ICT in Zimbabwe, Regional & International

Legislation and laws governing ICT:

- Contract law: provides an effective legal framework within which contracting parties regulate their contractual obligations and resolve their disputes. Software licences, terms of service and SLAs are all contracts.
- Consumer protection law: regulates the private-law relationship between individual consumers and the businesses that sell them goods and services.
- Criminal law: as distinguished from civil law, the body of law concerned with the punishment of individuals who commit crimes; computer-misuse offences fall here.
- Copyright law: a legal means of protecting an author's work. It is a type of intellectual property that gives the author exclusive publication, distribution and usage rights.
- Trade mark law: a trademark is any word, name, symbol or design, or any combination of these, used in commerce to identify and distinguish the goods of one manufacturer or seller from those of another and to indicate the source of the goods.
- Intellectual property law: deals with the laws that protect and enforce the rights of the creators and owners of inventions, writing, music, designs and other works, known collectively as "intellectual property".
- Banking law: the broad term for the laws that govern how banks and other financial institutions conduct business.
- Privacy and data protection law: information privacy, data privacy or data protection laws provide a legal framework for how the data of natural persons may be obtained, used and stored.
- The law of evidence: also known as the rules of evidence, it encompasses the rules and legal principles that govern the proof of facts in a legal proceeding. It decides whether logs, disk images and other digital artefacts are admissible, which is why forensic acquisition must preserve integrity and chain of custody.

4.3.2 Legislative & Regulatory Compliance

- Cite relevant legislation with regard to the investigation and prosecution of cyber criminals
- Identify appropriate law enforcement strategies to both prevent and control cybercrime

Establish effects of inappropriate content on minors

- Content promoting hate based on race, religion, disability, sexual orientation, etc.
- Content promoting violent extremism
- Sexually explicit content
- Real or simulated violence
- Content advocating unsafe behaviour, such as self-harm or eating disorders

- Determine the morality of whistleblowing

Whistleblowers are employees or ex-employees of an organization who report its misdoings and expose the wrongful or unethical actions of their employer. Depending on where they report, whistleblowers fall into two types:

- Internal whistleblowers report the unethical actions or illegal procedures of an employee or group of employees to a supervisor or senior authority within the same company.
- External whistleblowers report their company's wrongdoing to outside agencies. Many external whistleblowers come from large corporations where top management itself hands down unethical, and at times illegal, instructions.

Whistleblowers are also categorized by the kind of organization they come from. On that basis there are two further types:

- Federal (government) whistleblowers work for government bodies and report matters related to national policy. A well-known case is Edward Snowden, who worked for the NSA as a government contractor and disclosed the agency's mass surveillance of people and their communications.
- Corporate whistleblowers work for private companies and report fraud, such as cheating and falsified records and accounts, to higher authorities. Several large insurance firms have been brought to task by ethical employees who objected to how the companies operated, and Enron, one of the largest US energy companies, was brought to its knees after Sherron Watkins, a vice president of the company, reported massive irregularities in the accounting behind its financial reports.
- Outline Ethical Perspectives on Censorship

Moral censorship is the removal of materials that are obscene or otherwise considered morally questionable.

4.3.3 Discuss Security Governance Principles in relation to

- Alignment of security function to strategy, goals, mission and objectives

- Organizational Processes

- Security Roles & Responsibilities

C-level (chief executives)

C-level executives make value judgements that weigh cyber security vulnerability against business risk. They hold the ultimate authority and therefore the ultimate responsibility for the results of the organization's cyber security programme.

Steering Committee

The steering committee represents the different departments within the organization. Its purpose is to provide insight into business operations and data classification, and into the overall impact of cyber security policies and procedures on the business.

Auditors

Auditors are outside consultants, internal audit staff or regulators tasked with assessing cyber vulnerability and risk. To remain independent, auditors must not report into the IT organization they assess; they should be aligned with operations, finance or the board instead.

Data Owner

The data owner is responsible for classifying data, and classification drives the organization's cyber security controls. For example, general-use data can sit on a file server that any authenticated network user can access, whereas top-secret data goes in a safe whose location and combination are known only to the COO and CFO.

Data Custodian

The data custodian is responsible for the safe custody, transport and storage of the data. Simply put, data custodians run the technical environment and database structures that hold the data, applying the controls that the owner's classification requires.

Network Admin

The network admin ensures availability of resources, has access to resources based on pre-established policy, and can make changes within that sphere of access.

Security Admin

The security admin has read access to everything, which allows her to audit and measure cyber security effectiveness, but should not have permission to make changes. Keeping the auditing role separate from the roles that configure systems is a separation-of-duties control: the person who verifies a setting is not the person who can quietly alter it.

- Control Frameworks

A control framework is a conceptual basis for formulating a set of controls for an organization. The set of controls is intended to minimize risk through practices and procedures applied in a coordinated manner.

- COBIT. Developed by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI), COBIT consists of several components, including:

o Framework. Organizes IT governance objectives and best practices.

o Process descriptions. Provide a reference model and common language.

o Control objectives. Document high-level management requirements for control of individual IT processes.

o Management guidelines. Tools for assigning responsibility, measuring performance, and illustrating relationships between processes.

o Maturity models. Assess organizational maturity/capability and address gaps.

The COBIT framework is popular in organizations that are subject to the Sarbanes-Oxley Act.

- NIST (National Institute of Standards and Technology) Special Publication 800-53: Security and Privacy Controls for Federal Information Systems and Organizations. Known as NIST SP 800-53, this is a very popular and comprehensive controls catalogue required of all U.S. federal agencies. It is also widely used in private industry.

- COSO (Committee of Sponsoring Organizations of the Treadway Commission). Developed by the Institute of Management Accountants (IMA), the American Accounting Association (AAA), the American Institute of Certified Public Accountants (AICPA), The Institute of Internal Auditors (IIA) and Financial Executives International (FEI), the COSO framework consists of five components:

o Control environment. Provides the foundation for all other internal control components.

o Risk assessment. Establishes objectives through identification and analysis of relevant risks and determines whether anything will prevent the organization from meeting its objectives.

o Control activities. Policies and procedures that are created to ensure compliance with management directives.

o Information and communication. Ensures appropriate information systems and effective communications processes are in place throughout the organization.

o Monitoring. Activities that assess performance over time and identify deficiencies and corrective actions.
- ISO/IEC 27002 (International Organization for Standardization / International Electrotechnical Commission). Formally titled “Information technology — Security techniques — Code of practice for information security controls” (2013 edition), ISO/IEC 27002 documents security best practices in 14 domains, as follows:

o Information security policies

o Organization of information security

o Human resource security

o Asset management

o Access control and managing user access

o Cryptographic technology

o Physical security of the organization’s sites and equipment

o Operational security

o Secure communications and data transfer

o Systems acquisition, development, and support of information systems

o Security for suppliers and third parties

o Information security incident management

o Information security aspects of business continuity management

o Compliance

- ITIL (Information Technology Infrastructure Library). A set of best practices for IT service management consisting of five volumes, as follows:

o Service Strategy. Addresses IT services strategy management, service portfolio management, IT services financial management, demand management, and business relationship management.

o Service Design. Addresses design coordination, service catalog management, service level management, availability management, capacity management, IT service continuity management, information security management, and supplier management.

o Service Transition. Addresses transition planning and support, change management, service asset and configuration management, release and deployment management, service validation and testing, change evaluation, and knowledge management.

o Service Operation. Addresses event management, incident management, service request fulfillment, problem management, and access management.

o Continual Service Improvement. Defines a seven-step process for improvement initiatives: identifying the strategy, defining what will be measured, gathering the data, processing the data, analyzing the information and data, presenting and using the information, and implementing the improvement.

4.3.4 Develop & Implement Documented Security Policies, Standards, Procedures & Guidelines

This section explains security policies, which are the basis of security for a company's technology infrastructure. Policies regulate how employees use technology in the workplace; applied consistently they reduce the risk of being hacked, of information leaks and of misuse of the internet, and they safeguard company resources. In practice some employees will always click on malicious URLs or open infected email attachments, so a policy has to be backed by technical controls and awareness training rather than relied on alone.

Role of the Security Policy in Setting up Protocols

The following questions help in setting up the protocols for an organization's security policy:

- Who should have access to the system?
- How should it be configured?
- How should it communicate with third parties or other systems?

Policies are divided into two categories:

- User policies
- IT policies

User policies define the limits on users' use of computer resources in the workplace, for example what they are allowed to install on their computers and whether they may use removable storage. IT policies are designed for the IT department, to secure its procedures and functions.

- General Policies: define the rights of the staff and their access level to the systems. This policy is also referenced in the communication protocol as a preventive measure in case of a disaster.
- Server Policies: define who should have access to a specific server and with what rights, which software should be installed, the level of internet access, and how servers should be updated.
- Firewall Access and Configuration Policies: define who should have access to the firewall and what type of access (monitoring, rule changes), and which ports and services should be allowed, inbound or outbound. A sound default is to deny everything the policy does not explicitly list.
- Backup Policies: define who is responsible for backups, what should be backed up, where it should be stored, how long it should be kept and how often backups run. Restores should be tested regularly; an untested backup cannot be relied on.
- VPN Policies: usually go together with the firewall policy; they define which users should have VPN access and with what rights. For site-to-site connections with partners they define the partner's level of access to your network and the type of encryption to be used.

Structure of a Security Policy

When you compile a security policy, keep a basic structure in mind so that the result is practical. The main points to cover are:

- Description of the policy and what it is used for
- Where the policy applies (its scope)
- Functions and responsibilities of the employees affected by the policy
- Procedures involved in the policy
- Consequences of non-compliance with the policy
Types of Policies

This section covers the most important types of policy.

- Permissive Policy: a medium-restriction policy in which the administrator blocks only some well-known malware ports for internet access and takes only a few known exploits into consideration.
- Prudent Policy: a high-restriction policy in which internet access is blocked except for a small list of allowed websites, no extra services may be installed on computers, and logs are kept for every user.
- Acceptable Use Policy: regulates the behaviour of users towards a system, network or even a web page; it states explicitly what a user may and may not do on a system, for example whether they may share access codes or share resources.
- User Account Policy: defines what a user must do to obtain or keep an account on a specific system, for example on an e-commerce website. To create this policy you should answer questions such as:
o Should the password be complex or not?
o What age should users have?
o What is the maximum number of failed login attempts allowed before the account is locked?
o When should a user be deleted, activated or blocked?
- Information Protection Policy: regulates access to information, how to process it, how to store it and how it should be transferred.
- Remote Access Policy: mainly for large companies whose users and branches are outside headquarters. It states what users may access, when they may work, and through which software, such as SSH, VPN or RDP.
- Firewall Management Policy: explicitly concerns the firewall's management: which ports should be blocked, what updates should be applied, how changes are made to the firewall and how long logs are kept.
- Special Access Policy: keeps people with special privileges under control; it records who holds elevated privileges on which systems and why. These employees can be team leaders, managers, senior managers, system administrators and other high-designation staff.
- Network Policy: restricts access to network resources and makes clear who may access the network and whether that person must be authenticated. It also covers who authorizes new devices connected to the network, documentation of network changes, web filters and their access levels, who may use wireless connections, the type of authentication and the validity period of a session.
- Email Usage Policy: one of the most important policies, because many users also use their work email for personal purposes and information can leak outside as a result. Key points are that employees should understand the importance of the system they have the privilege to use, that they should not open attachments that look suspicious, and that private or confidential data should not be sent by unencrypted email.
- Software Security Policy: concerns the software installed on user computers and what they should contain. Key points are that company software should not be given to third parties, that only whitelisted software may be installed and nothing else, and that warez and pirated software are not allowed.
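The questions the user account policy has to answer (password complexity, the maximum number of failed logins, when an account is blocked or deleted) translate directly into enforcement logic. The following is an added example, not code from the original page: a small account-policy evaluator in Python. The thresholds (12 characters, 3 character classes, 5 failures within 15 minutes, 90 days before an account counts as dormant), the sample login history and its timestamps are assumptions chosen for illustration.

```python
"""Account-policy evaluator: password complexity, failed-login lockout and
dormant-account detection.

Added example; the threshold values, the event timestamps and the sample
login history are constructed assumptions, not values from the page.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Hypothetical policy parameters chosen for this example.
MIN_LENGTH = 12                          # minimum password length
MIN_CHARACTER_CLASSES = 3                # of: lower, upper, digit, symbol
MAX_FAILED_ATTEMPTS = 5                  # failures within LOCKOUT_WINDOW
LOCKOUT_WINDOW = timedelta(minutes=15)   # sliding window and lock duration
DORMANT_AFTER = timedelta(days=90)       # no successful login -> disable


def password_meets_policy(password: str) -> List[str]:
    """Return the rules the password violates; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if sum(bool(re.search(c, password)) for c in classes) < MIN_CHARACTER_CLASSES:
        problems.append(f"fewer than {MIN_CHARACTER_CLASSES} character classes")
    if re.search(r"(.)\1\1", password):
        problems.append("a character is repeated three or more times in a row")
    return problems


@dataclass
class AccountState:
    """Per-account state the lockout logic needs to keep."""
    failures: List[datetime] = field(default_factory=list)
    last_success: Optional[datetime] = None
    locked_until: Optional[datetime] = None


def record_login(state: AccountState, when: datetime, success: bool) -> str:
    """Apply one login event and return "ok", "failed" or "locked".

    Failures are counted in a sliding LOCKOUT_WINDOW; reaching
    MAX_FAILED_ATTEMPTS locks the account for LOCKOUT_WINDOW. Attempts made
    while locked are rejected even if the password is correct, so the lock
    cannot be used as an oracle that confirms the right password.
    """
    if state.locked_until is not None and when < state.locked_until:
        return "locked"
    if success:
        state.failures.clear()
        state.locked_until = None
        state.last_success = when
        return "ok"
    # keep only failures inside the sliding window, then count this one
    state.failures = [t for t in state.failures if when - t <= LOCKOUT_WINDOW]
    state.failures.append(when)
    if len(state.failures) >= MAX_FAILED_ATTEMPTS:
        state.locked_until = when + LOCKOUT_WINDOW
        return "locked"
    return "failed"


def is_dormant(state: AccountState, now: datetime) -> bool:
    """True if the account should be disabled: no successful login within
    DORMANT_AFTER (an account that has never logged in counts as dormant)."""
    return state.last_success is None or now - state.last_success > DORMANT_AFTER


def replay(events: List[Tuple[datetime, bool]]) -> Tuple[str, AccountState]:
    """Replay (timestamp, success) events in order; return final status and state."""
    state = AccountState()
    status = "ok"
    for when, success in events:
        status = record_login(state, when, success)
    return status, state


# Constructed login history: five failures one minute apart, a correct
# password one minute after the lock, then a correct password after it expires.
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE_EVENTS = [(T0 + timedelta(minutes=m), False) for m in range(5)] + [
    (T0 + timedelta(minutes=5), True),
    (T0 + timedelta(minutes=20), True),
]

if __name__ == "__main__":
    print(password_meets_policy("password"))
    for n in range(1, len(SAMPLE_EVENTS) + 1):
        print(SAMPLE_EVENTS[n - 1][0].time(), replay(SAMPLE_EVENTS[:n])[0])
```

Two design points are worth noting. The failure counter is a sliding window rather than a lifetime total, so a user who occasionally mistypes is not eventually locked out; and attempts made during a lockout are rejected even with the correct password, which stops an attacker from using the lock response to confirm a guess.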
The following checklist is intended to educate users and IT staff so that, when a security issue arises, the right response comes naturally. Based on the material above, and especially on the security policies, it touches most of the components discussed in this section.

Checklist item | Status of task

Server Room

Server rack installed properly

Air conditioning present

Temperature monitoring and alarm system is in place

Automatic smoke/fire detection is available

Water entry prevention detector is available

Fire extinguisher is in place


Local LAN wiring is done properly

Business Critical Services

Redundant power supplies are available

RAID systems are available

UPS systems are in place

Emergency systems are in place

Documentation is up to date

Professional support is provided

SLAs are signed

Emergency plan is prepared

Business Internet Account

Redundant lines

Insurance for ICT equipment is available

Information Systems

Server is installed according to the Setup Policies Manuals


Standard GPOs are configured on the Server

System security is done

System documentation is up-to-date

Data backup is configured properly and done regularly according to backup policies

Naming of all computers and network devices is in line with the IT policy

Standard Whitelist Software to be aligned on all PCs

All PCs in domain system

Administrator privileges are removed from standard computer users

Program privileges are on minimum needed level

Information Security

Identity and access management is configured

Data access possibilities are minimized to needed level

Virus protection software is installed on each PC

Human Factor
ICT System and email Usage Policy is rolled-out (should be checked as per the
disciplinary safeguards)

Staff awareness training is provided regularly

Responsibilities are documented

Maintenance of Information Systems

Security updates are installed on all PC’s

ICT internal alert and notification system is configured

Security update action plan is done

Security update roll out plan is in place

General

Network IP address schema is in line with the IT policy

Network Security

Firewall access rules and open ports are compliant with the firewall policy

Protection of sensitive information is in place

Restriction of communication services is enabled

VPN is configured properly with the partners

WLAN security is enabled on all WIFI devices

Limited internet access is configured

BYOD regulations are implemented

Network Management

Bandwidth Management System is configured

Network Monitoring System is available

Disaster recovery plan (DRP) documents are up to date

Keep in mind that this list can be adapted to your company's needs and staff.
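The firewall access and configuration policy above and the checklist item "Firewall access rules and open ports are compliant with the firewall policy" both come down to one verification: do the ports a host actually exposes match what the policy allows? The following Python example is added here and is not from the original page. It parses a constructed sample of `ss -tlnp` output (the listening TCP sockets on a Linux host) and compares it with a hypothetical allowed-inbound table that also names the process expected to serve each port; both the sample output and the table are assumptions made for illustration.

```python
"""Firewall-policy compliance check: compare the ports a host actually exposes
with the ports the firewall policy allows inbound.

Added example; the `ss -tlnp` output below and the ALLOWED_INBOUND table are
constructed for illustration, not taken from the page or from any real host.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample of `ss -tlnp` output (listening TCP sockets).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*          users:(("nginx",pid=1201,fd=6))
LISTEN  0       128     0.0.0.0:443          0.0.0.0:*          users:(("socat",pid=2245,fd=5))
LISTEN  0       128     127.0.0.1:3306       0.0.0.0:*          users:(("mysqld",pid=990,fd=21))
LISTEN  0       128     0.0.0.0:5900         0.0.0.0:*          users:(("x11vnc",pid=2330,fd=4))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=812,fd=4))
"""

# Hypothetical inbound policy: port -> process expected to serve it.
ALLOWED_INBOUND: Dict[int, str] = {22: "sshd", 80: "nginx", 443: "nginx"}

PROCESS_RE = re.compile(r'users:\(\("([^"]+)"')


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int
    process: str


def parse_ss(text: str) -> List[Listener]:
    """Parse `ss -tlnp` style lines into Listener records (header skipped)."""
    listeners = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)   # split on the last colon (IPv6 safe)
        addr = addr.strip("[]")                 # "[::]" -> "::"
        match = PROCESS_RE.search(line)
        process = match.group(1) if match else "?"
        listeners.append(Listener(addr, int(port), process))
    return listeners


def is_exposed(addr: str) -> bool:
    """True if a socket bound to addr is reachable from the network."""
    return not (addr.startswith("127.") or addr == "::1")


def check_compliance(
    listeners: List[Listener], policy: Dict[int, str]
) -> Tuple[List[Tuple[int, str, str]], List[int]]:
    """Return (violations, missing).

    violations: exposed ports that are not in the policy, or that are served by
    a process other than the one the policy expects.
    missing: policy ports with no exposed listener (service down or bound only
    to loopback); reported separately because it is an availability finding.
    """
    violations = []
    seen = set()
    for l in listeners:
        if not is_exposed(l.addr):
            continue                            # loopback-only: not a firewall concern
        seen.add(l.port)
        expected = policy.get(l.port)
        if expected is None:
            violations.append((l.port, l.process, "port not allowed by firewall policy"))
        elif expected != l.process:
            violations.append((l.port, l.process, f"expected {expected}"))
    missing = sorted(p for p in policy if p not in seen)
    return violations, missing


if __name__ == "__main__":
    found = parse_ss(SAMPLE_SS_OUTPUT)
    bad, gone = check_compliance(found, ALLOWED_INBOUND)
    for port, proc, why in bad:
        print(f"VIOLATION tcp/{port} ({proc}): {why}")
    for port in gone:
        print(f"MISSING   tcp/{port}: allowed by policy but nothing is listening")
```

On the constructed sample the check flags tcp/5900 (a VNC server the policy never allowed) and tcp/443 (allowed, but served by socat instead of the expected nginx, which is how a forwarding tunnel or rogue service hides behind a permitted port). Loopback-only listeners such as MySQL on 127.0.0.1 are skipped because the firewall policy concerns what is reachable from the network. To run it against a real host, replace SAMPLE_SS_OUTPUT with the output of `ss -tlnp` and ALLOWED_INBOUND with the organization's own policy table.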
