Cyber 4.3 Presentation
Legislation protects people and ensures that there is no abuse by others of those investing in the technology.
4.3.1 Describe ICT Legislation & laws governing ICT in Zimbabwe, Regional & International
Contract law - Contract law aims to provide an effective legal framework for contracting parties to resolve their disputes and regulate their contractual obligations.
Consumer protection law - Consumer protection law, or consumer law, is the area of law that regulates private-law relationships between individual consumers and the businesses that sell goods and services to them.
Criminal law - Criminal law, as distinguished from civil law, is the system of laws concerned with the punishment of individuals who commit crimes.
Copyright law - Copyright is a legal means of protecting an author's work. It is a type of intellectual property that gives the author exclusive publication, distribution and usage rights.
Trademark law - A trademark is any word, name, symbol or design, or any combination thereof, used in commerce to identify and distinguish the goods of one manufacturer or seller from those of another and to indicate the source of the goods.
Intellectual property law - Intellectual property law deals with laws that protect and enforce the rights of the creators and owners of inventions, writing, music, designs and other works, known as "intellectual property".
Banking law - Banking law is the broad term for laws that govern how banks and other financial institutions conduct business.
Privacy and data protection law - Information privacy, data privacy or data protection laws provide a legal framework for how the data of natural persons may be obtained, used and stored.
The law of evidence - The law of evidence, also known as the rules of evidence, encompasses the rules and legal principles that govern the proof of facts in a legal proceeding.
Content promoting hate based on race, religion, disability, sexual preference, etc.
Content promoting violent extremism
Sexually explicit content
Real or simulated violence
Content advocating unsafe behaviour, such as self-harm or eating disorders
Whistleblowers are employees or ex-employees of a company who report their company's misdoings and expose the wrongful and unethical actions of their employer(s). Depending on the kind of whistleblowing they do, whistleblowers are categorized into the following two types:
Internal whistleblowers - Internal whistleblowers report the unethical actions or illegal procedures of an employee or a group of employees of their company to a supervisor or senior authority in that company.
External whistleblowers - External whistleblowers report the wrongdoings of their companies to external agencies. Most external whistleblowers come from huge corporations where the top management itself passes down unethical and, at times, illegal directions to follow.
There are times when whistleblowers are also employees working with various other corporations, both local and international. Because of this, many whistleblowers are also categorized based on the organizations they come from. On that basis, there are two types of whistleblowers:
Federal whistleblowers - Federal whistleblowers work with government bodies and report cases that are related to national policies and the like. A recent case is that of Mr Edward Snowden, who used to work with the NSA as a government contractor and reported that the NSA was spying on people and tapping their phone calls.
Corporate whistleblowers - Corporate whistleblowers work with private corporate houses and leak acts of cheating and the fudging of records and accounts to higher authorities. Many big insurance houses in the past have been brought to task by ethical employees who did not like the way the companies were functioning. One of the largest energy companies in the US, Enron, was brought to its knees by Sherron Watkins, who was the Vice President of the company and had reported massive irregularities in the accounting stages of various financial reports.
- Outline Ethical Perspectives On Censorship
- Organizational Processes
C-level executives are responsible for making value judgments based on cyber security vulnerability and business risk. They have the ultimate authority, and therefore the ultimate responsibility, for the results of the organization's cyber security program.
Steering Committee
The steering committee represents the different departments within the organization. The committee's purpose is to provide insight into business operations, data classification, and the overall impact of cyber security policies and procedures.
Auditors
Auditors are outside consultants or regulators tasked with assessing cyber vulnerability and risk. It is important that auditors are not aligned with the IT organization, but rather with operations or finance.
Data Owner
The data owner is responsible for the classification of data. Classification drives the organization's cyber security controls. (General-use data can be on a file server, and any authenticated network user can access it. Top Secret data goes in a safe, and only the COO and CFO know the location of the safe and the lock combination.)
Data Custodian
The data custodian is responsible for the safe custody, transport and storage of the data. Simply put, data custodians are responsible for the technical environment and database structure.
Network Admin
The network admin ensures availability of resources, has access to resources based on pre-established policy, and can make changes within his sphere of access.
Security Admin
The security admin has access to everything, allowing her to audit and measure cyber security effectiveness. But a security admin should not have permission to make any changes.
- Control Frameworks
A control framework is a conceptual basis for formulating a set of controls for an organization. This set of controls is intended to minimize risk through the coordinated use of practices and procedures.
COBIT. Developed by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI), COBIT consists of several components, including
The COBIT framework is popular in organizations that are subject to the Sarbanes-Oxley Act.
NIST (National Institute of Standards and Technology) Special Publication 800-53: Security and Privacy Controls for Federal Information Systems and Organizations. Known as NIST SP800-53, this is a very popular and comprehensive controls framework required by all U.S. government agencies. It is also widely used in private industry.
o Control environment. Provides the foundation for all other internal control components.
o Risk assessment. Establishes objectives through identification and analysis of relevant risks and determines whether anything will prevent the organization from meeting its objectives.
o Control activities. Policies and procedures that are created to ensure compliance with management directives. Various control activities are discussed in the other chapters of this book.
o Monitoring. Activities that assess performance over time and identify deficiencies and corrective actions.
ISO/IEC 27002 (International Organization for Standardization / International Electrotechnical Commission). Formally titled "Information Technology — Security Techniques — Code of Practice for Information Security Management," ISO/IEC 27002 documents security best practices in 14 domains, as follows:
o Asset management
o Cryptographic technology
o Operational security
o Compliance
ITIL (Information Technology Infrastructure Library). A set of best practices for IT service management consisting of five volumes, as follows:
o Service Strategy. Addresses IT services strategy management, service portfolio management, IT services financial management, demand management, and business relationship management.
o Service Design. Addresses design coordination, service catalog management, service level management, availability management, capacity management, IT service continuity management, information security management system, and supplier management.
o Service Transition. Addresses transition planning and support, change management, service asset and configuration management, release and deployment management, service validation and testing, change evaluation, and knowledge management.
4.3.4 Develop & Implement Documented Security Policies, Standards, Procedures & Guidelines
In this chapter we will explain security policies, which are the basis of security for the technology infrastructure of your company.
In a way they regulate the behaviour of your employees towards the use of technology in the workplace; they can minimize the risk of being hacked, of information leaks and of bad internet usage, and they also ensure the safeguarding of company resources.
In real life you will notice that the employees of your organization will always tend to click on bad or virus-infected URLs or email attachments carrying viruses.
Following are some pointers which help in setting up protocols for the security policy of an organization:
Who should have access to the system?
How should it be configured?
How should it communicate with third parties or systems?
Policies are divided into two categories:
User policies
IT policies
User policies generally define the limits of the users towards the computer resources in a workplace, for example what they are allowed to install on their computer and whether they can use removable storage.
IT policies, on the other hand, are designed for the IT department, to secure the procedures and functions of the IT field.
General Policies - This is the policy which defines the rights of the staff and their level of access to the systems. Generally, it is included even in the communication protocol as a preventive measure in case there are any disasters.
Server Policies - This defines who should have access to a specific server and with what rights, which software should be installed, the level of access to the internet, and how they should be updated.
Firewall Access and Configuration Policies - This defines who should have access to the firewall and what type of access (for example monitoring or rule changes), and which ports and services should be allowed and whether inbound or outbound.
Backup Policies - This defines who is the person responsible for backups, what should be backed up, where it should be backed up, how long it should be kept and the frequency of the backup.
VPN Policies - These policies generally go with the firewall policy; they define which users should have VPN access and with what rights. For site-to-site connections with partners, they define the partner's level of access to your network and the type of encryption to be set.
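As an added example (not part of the original notes), the firewall policy described above, and the later checklist item "Firewall access rules and open ports are compliant with the firewall policy", can be turned into an automated compliance check: the policy says which services may be open, in which direction and from which source range, and an exported rule set is compared against it. The policy entries, the rule format and all addresses below are constructed for the example.

```python
"""Compare an exported firewall rule set against the firewall access policy.
Constructed example: policy, rule format and addresses are made up for illustration."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    direction: str  # "inbound" or "outbound"
    proto: str      # "tcp" or "udp"
    port: int
    source: str     # CIDR network, or "any"


# Policy: (direction, proto, port) -> widest source range allowed for that service.
POLICY = {
    ("inbound", "tcp", 443): "any",        # public web service
    ("inbound", "tcp", 22): "10.0.0.0/8",  # SSH only from the internal range
    ("outbound", "tcp", 443): "any",
    ("outbound", "udp", 53): "any",
}

# Constructed rule export, as read from the firewall.
RULES = [
    Rule("inbound", "tcp", 443, "any"),
    Rule("inbound", "tcp", 22, "any"),    # SSH open to the world: wider than policy
    Rule("inbound", "tcp", 3389, "any"),  # RDP is not in the policy at all
    Rule("outbound", "udp", 53, "any"),
]


def _net(scope):
    """Turn "any" or a CIDR string into an ip_network for containment tests."""
    return ipaddress.ip_network("0.0.0.0/0" if scope == "any" else scope)


def check_rules(rules, policy):
    """Return (rule, reason) for every rule the policy does not permit: the service
    must be listed, and the rule's source must lie inside the policy's allowed range."""
    findings = []
    for r in rules:
        allowed = policy.get((r.direction, r.proto, r.port))
        if allowed is None:
            findings.append((r, "service not permitted by the firewall policy"))
        elif not _net(r.source).subnet_of(_net(allowed)):
            findings.append((r, f"source {r.source} is wider than policy scope {allowed}"))
    return findings


if __name__ == "__main__":
    for rule, reason in check_rules(RULES, POLICY):
        print(f"NON-COMPLIANT {rule.direction} {rule.proto}/{rule.port} from {rule.source}: {reason}")
```

Run against the constructed export it flags the SSH rule (source too wide) and the RDP rule (not in the policy) and passes the rest; a real check would read the rule export and the policy from files rather than literals.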
When you compile a security policy you should have in mind a basic structure in order to make something practical. Some of the main points which have to be taken into consideration are listed in the checklist below, each with the status of the task recorded against it:
Checklist (status of task)
Server Room
o Documentation is up to date
o Redundant lines
Information Systems
Information Security
Human Factor
o ICT System and email Usage Policy is rolled out (should be checked as per the disciplinary safeguards)
General
Network Security
o Firewall access rules and open ports are compliant with the firewall policy
Network Management
Please keep in mind that this list can be modified according to your company's needs and staff too.