FISMA requires federal agencies to develop, document, and implement agency-wide programs to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by other agencies, contractors, and other third parties.
FISMA has been responsible for bringing attention within the federal government to computer security. It explicitly emphasises a risk-based policy for cost-effective security. FISMA requires agency program officials, chief information officers, and inspectors general (IGs) to conduct annual reviews of the agency's information security program and report the results to the Office of Management and Budget (OMB).
The Gramm-Leach-Bliley Act of 1999 (US) also requires organisations to implement appropriate security programs.
To comply with the Gramm-Leach-Bliley Act, all financial institutions must develop a comprehensive written information security program that specifies exactly how their customer data is protected. The information security program must include the following elements:
- Involve the Board of Directors: The board is responsible for approving and overseeing all aspects of the information security program.
- Identify & Assess Risks: Identify internal and external threats to customer data. Assess the probability that such threats could occur and the potential damage envisioned. Assess how well existing policies, systems and procedures address the identified risks.
- Manage & Control Risks: Develop appropriate security measures to control the identified risks. Examples of such measures include data encryption, employee background checks, intrusion detection, and intrusion response programs.
- Oversee Service Providers: Ensure security measures are in place to reduce risks from outside vendors.
- Employee Training: Once an information security program has been designed, all employees must receive appropriate training so that they are better able to recognise and respond to security threats.
- Test the Program: The information security program must be tested on a regular basis. Testing should be conducted by independent third parties or by staff independent from those who develop and maintain the program.
- Adjust the Program: The program should be reviewed on a regular basis and adjusted as needed to meet the changing demands of the institution's business environment.
- Report to the Board: The board should be kept informed on a regular basis regarding all matters pertinent to the program.
Computer Misuse Laws
These laws make it illegal to gain unauthorised access to computers and computer material.
An example is the UK Computer Misuse Act 1990.
The UK Computer Misuse Act 1990 was enacted to secure computer material against unauthorised access or modification, and for connected purposes. Prior to 1990, there were no laws in the UK dealing specifically with computer misuse. The Act identifies three main computer misuse offences:
- Unauthorised access to computer material.
- Unauthorised access with intent to commit or facilitate commission of further offences.
- Unauthorised modification of computer material.
As originally enacted, the unauthorised access offence was punishable on conviction with up to 6 months' imprisonment and/or a maximum fine of £5,000.
The other two offences are treated more seriously, with jail terms of up to 5 years and unlimited fines. (Later amendments to the Act have increased these maximum penalties, so the current figures should be checked against the Act as amended.)
Convention on Cybercrime (Council of Europe, in force 2004)
This is a Council of Europe treaty (not an EU instrument) which entered into force on 1st July 2004, with an additional Protocol on the criminalisation of racist and xenophobic material distributed through computer systems coming into force on 1st March 2006. It has been signed by Council of Europe member states and by non-member states including the United States and South Africa, with the aim of addressing computer-related crime by harmonising national laws.
The Convention on Cybercrime defines a number of offences which parties are to include in their national laws. Examples of such computer-related offences include, but are not limited to, the following:
- Offences against the confidentiality, integrity and availability of computer data and systems:
  - Illegal access
  - Illegal interception
  - Data interference
  - System interference
  - Misuse of devices
- Computer-related offences:
  - Computer-related forgery
  - Computer-related fraud
- Content-related offences:
  - Offences related to child pornography
- Offences related to infringements of copyright and related rights
- Ancillary liability and sanctions:
  - Attempt and aiding or abetting
  - Corporate liability
- Procedural provisions:
  - Expedited preservation of stored computer data
  - Expedited preservation and partial disclosure of traffic data
A key feature of the Treaty is that legal persons (companies and other organisations) can be held liable for a criminal offence established in accordance with the Convention when that offence is committed for their benefit by a natural person acting either individually or as part of an organ of the legal person. This takes into account industrial espionage and other illegal corporate activity.
It would be ideal if more African countries signed up to this Treaty; at present South Africa is the only African signatory.
Impact of the Framework on Judges, Lawyers and Law Schools
African lawyers are undoubtedly losing out on the opportunity to represent clients in lucrative cases because of the lack of legislation on cybercrime. For example, in Nigeria a number of opportunities to challenge financial institutions for negligence in the implementation of online banking and the roll-out of ATM cards, which has led to customers losing money, have not been taken, both because of a lack of understanding of the issues and because lawyers and judges are not adequately trained in information technology related matters. The same may be said of other African nations.
With the advent of this legislation will come the need for universities, schools of higher learning and other academic institutions to devise specific courses designed to allow the next generation of judges and lawyers to become skilled in what is a challenging but lucrative area.
It is the authors' opinion that technology law needs to be on the curriculum of all African law faculties; as a minimum, the following modules need to be mandatory to enable law students to grasp the basics of the issues when dealing with the laws relating to technology:
Technology Law Syllabus:
- Computer Misuse
- Data Protection
- Data Retention
- Electronic Commerce
- Information Security
- Information Technology
- IT Contract Negotiations
- Lawful Interception
Current judges and lawyers will also need to become familiar with these issues through cross-training, in order to get up to speed with the intricacies of computer crime so that they can take on cases and pronounce effective judgements. This cross-training should ideally be spearheaded by the ministries of justice.
Benefits of implementing this Framework:
The implementation of these laws will allow computer-related criminal activity to be tackled in a more structured manner. The laws will provide defined guidelines as to what constitutes illegal activity when using computers.
From an economic perspective, much has been said about the impact technology will have in providing initiatives that can deliver economic growth and stability. It must be mentioned, however, that current legal frameworks will need to be overhauled to meet the changes and challenges that technology will bring; for that reason our technology-related laws must be revamped if growth forecasts are to be met.
We have seen the impact of telecommunications and the interest it has received from foreign telecommunications companies and investors. The development and implementation of these laws can prompt the same response from technology companies and investors. The spin-off from this is job opportunities for Africans and the development of new services and technology-related products.
With the development of these laws, we will be seen as a continent that wants to embrace and diversify into the new areas of technology.
We are aware that IP addresses belonging to some African countries have been blocked by credit card companies. Putting these laws in place shows that we understand and are dealing with credit card fraudsters and other cybercriminals. The implementation of the framework can then be used as a tool in negotiations to remove such IP blocks. This in turn will allow more Africans to partake, both as suppliers and as consumers, in the billion-dollar e-commerce trade.
Individuals and organisations tasked with combating computer crime in Africa must bring this issue to the forefront of their initiatives, with a view to enacting the framework as soon as possible. This should be done while ensuring that the best legal and technical minds on the subject are involved in the process. This is necessary so that appropriate sections and wordings are produced and the effects of new technologies are anticipated, so that the laws that constitute the framework are not obsolete and ineffective by the time they are passed.
African governments will need to look at the content of these laws as a guide when formulating their framework, bearing in mind that they will be computerising their government systems and moving into the realms of e-government and e-commerce.
As mentioned in the section on Data Protection and Privacy laws, African countries are being eyed as potential outsourcing locations. It should be noted that it is the absence of appropriate computer crime and privacy legislation, rather than a lack of technology, that prevents us from partaking in this area.
The implementation of these laws will bring us into line with countries around the globe and allow us to be viewed as proactive in tackling cybercrime. The development of these laws will also mean that anti-cybercrime technologies and information security awareness initiatives are adopted by governments and corporate institutions. This knowledge will trickle down to members of staff, who will in turn apply the same practices on their home PCs, ultimately providing for a society that is more aware of the issues.