The Department of Communications' (DOC's) cyber security policy will only work if all stakeholders work together to get it off the ground, says the Information Security Group (ISG) of Africa.
ISG chairman Craig Rosewarne has praised communications minister Siphiwe Nyanda for his efforts in putting together the policy. However, he adds that going forward, business, industry organisations and civil society need to be involved to mount a focused attack on the “scourge of e-crime”.
“I am excited, as the chairman of the ISG and as a citizen of this country, to see the first green shoots appearing that our government is taking information security seriously. Unless these spheres of society work together, SA's efforts to ensure a secured cyberspace will be severely compromised,” he notes.
Good plan
The ISG has been in operation for five years, attempting to tackle the key risk factors that SA's cyberspace faces. With 3 500 professionals from the industry, government and society, the organisation feels it is best placed to help government work towards a safer South African Internet.
The company has also been heavily involved in working with police and other institutions to fight crime, specifically through its online e-crime portal, www.ecrime.org.za.
Rosewarne says ISG hopes to encourage big business and locally represented security vendors to join its movement to help fast-track government's new policy.
Earlier this week, ISG asked for feedback from government departments and local banking representatives on the new draft policy. “The responses have been excited. There is a general sense that the overall structure of the minister's policy is solid. However, there are some details lacking that all of us will submit comment on when the time comes for public hearings,” adds Rosewarne.
While the government departments and banking representatives asked to remain unnamed, their concern is that the policy will remain a paper-based policy and will take too much time to be implemented.
“Most developed countries in the world have given this serious attention recently, and they are already miles ahead of us,” explains one source.
Another concern that was raised is that the concepts listed in the policy will remain solely a government project. There is a general hope that the private sector will be given the opportunity to contribute to the projects listed, which will give the policy more teeth and better reach.
Hand-in-hand
Part of the new security strategy will see the DOC introduce national and sector-based computer security incident response teams. The ISG recently announced a training programme to address the fact that no such team exists yet in SA.
Rosewarne says the training can complement the work that the DOC is doing in response to possible cyber threats.
The lack of any focused direction in SA has long been problematic in industry. However, ISG's response teams head, Iain Campbell, says the new policy goes a long way to address the lack of information around e-crime locally.
Campbell says: “In SA, there is currently no 'speed limit' for cyber security. More importantly, because there are no standards or regulations, many people who are aware they have a problem do not know how to address it. It is also crystal clear who is ultimately responsible, namely the DOC.”
Legal wise
Dominic White, security consultant for Sensepost, says: “This will hopefully not only become a paper-based exercise, but allow us to track a 'scoreboard' of tangible actions and deliverables. It is also vital to ensure breach disclosures are covered in the new policy.”
The DOC has also recognised in its draft policy that there are several parts of SA's legislation that already cover some aspects of e-crime, and it will take these into account when the final version of the document goes public.
Legal experts have already commented to ITWeb on the matter, saying the policy is a good step in the right direction.
The DOC will accept submissions on the document, and interested parties have until around mid-March to make written submissions.

