
Integrity needed to manage risks

By Martin Czernowalow, Contributor.
Johannesburg, 01 Jul 2005

Corporate governance is centred around people, whose actions can often have legal repercussions for organisations, delegates at the IT Governance 2005 conference were told yesterday.

Maeson Maherry, senior executive of security solutions at NamITech, said that, as businesses become increasingly dependent on information systems, such commercial risks can only be managed with systems that have integrity.

While these systems are a company's competitive edge, Maherry said, reliance on them brings the risk that they may be unavailable, or may lack privacy or integrity.

"South African law has changed to facilitate legally-binding electronic transactions and businesses need to capitalise on this," he explained.

"The ECT Act has given effect to all electronic records and data messages and normal rules of evidence apply."

Maherry stated that the ECT Act defines electronic and advanced electronic signatures, which, because of their forensic properties, are deemed more reliable than a handwritten signature.

Like physical transactions and contracts, electronic transactions and contracts demand identity and signatures; if no forensic test can be applied to prove integrity, the evidence is hearsay, he said.

Maherry pointed out that information security and confidentiality are often assumed within an organisation, but, in reality, the information is open to anyone, and the means to eavesdrop on, remove or alter data are easily accessible, including through bribery and coercion.

"Corporate governance demands that risks be identified and managed according to the level of threat posed. It is commonly known that identity theft and data alteration can occur. Not managing this threat would be deemed negligent by any shareholder, as well as employee groups," he said.

Maherry added that, to apply security to the right areas, an organisation first has to establish the business needs across the end-to-end business process. These needs include accountability, evidence and non-repudiation.

He said that there are five steps to non-repudiation which organisations should follow: retaining records, ensuring forensically testable integrity, proof from the documented process, proof of possession and acceptance, and ensuring the process of personalisation or manufacture has integrity.
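The "forensically testable integrity" and "proof of possession" steps above, and the forensic test Maherry describes for electronic contracts, rest on a public-key signature: a third party can recompute a digest of the retained record and check the signature against the signer's public key, and only the holder of the matching private key could have produced it. The following is an added illustration, not code from the article or from NamITech; it assumes Ed25519 and SHA-256 (the article names no algorithm) and a hypothetical directory of known signers' public keys, and it shows only the cryptographic mechanism, not what the ECT Act requires of an "advanced electronic signature".

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// SignedRecord is a retained electronic record together with the evidence that
// lets a third party test its integrity and attribute it to a signer later:
// the signer's public key and an Ed25519 signature over the SHA-256 digest of
// the record as stored. Algorithm choice is an assumption of this example.
type SignedRecord struct {
	Record    []byte
	PublicKey ed25519.PublicKey
	Signature []byte
}

// SignRecord produces the evidence for a record using the signer's private key.
func SignRecord(priv ed25519.PrivateKey, record []byte) SignedRecord {
	digest := sha256.Sum256(record)
	return SignedRecord{
		Record:    append([]byte(nil), record...),
		PublicKey: priv.Public().(ed25519.PublicKey),
		Signature: ed25519.Sign(priv, digest[:]),
	}
}

// VerifyRecord is the forensic test: recompute the digest from the record as
// retained and check the signature against the stated public key. Any change
// to the record or the signature, or a public key that did not produce the
// signature, yields false.
func VerifyRecord(r SignedRecord) bool {
	// ed25519.Verify panics on a wrong-sized key, so reject malformed evidence first.
	if len(r.PublicKey) != ed25519.PublicKeySize || len(r.Signature) != ed25519.SignatureSize {
		return false
	}
	digest := sha256.Sum256(r.Record)
	return ed25519.Verify(r.PublicKey, digest[:], r.Signature)
}

// AttributeRecord answers "who signed this?" against a directory of known
// signers' public keys (hypothetical; a real deployment would use certificates).
// Only the holder of the matching private key could have produced the
// signature, so a match is evidence that the named party signed, which is what
// non-repudiation needs. A shared-secret MAC could not provide this, because
// every holder of the shared key could equally have produced it.
func AttributeRecord(r SignedRecord, directory map[string]ed25519.PublicKey) (string, bool) {
	if !VerifyRecord(r) {
		return "", false
	}
	for name, pub := range directory {
		if pub.Equal(r.PublicKey) {
			return name, true
		}
	}
	return "", false
}

func main() {
	// Constructed sample: one signer's key pair and one retained transaction record.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	directory := map[string]ed25519.PublicKey{"alice@example.test": pub}

	rec := SignRecord(priv, []byte("2005-07-01 transfer 1000 ZAR from 123 to 456"))
	fmt.Println("signature:", hex.EncodeToString(rec.Signature))
	fmt.Println("genuine record verifies:", VerifyRecord(rec))
	name, ok := AttributeRecord(rec, directory)
	fmt.Println("attributed to:", name, ok)

	// Alter one figure in the retained record: the forensic test now fails.
	altered := rec
	altered.Record = []byte("2005-07-01 transfer 9000 ZAR from 123 to 456")
	fmt.Println("altered record verifies:", VerifyRecord(altered))
}
```

The record, public key and signature must all be retained together; a signature on its own proves nothing once the record it covers has been lost or re-keyed, which is why record retention is listed as the first of the five steps.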

As issues of accountability and non-repudiation become an increasingly important part of IT governance, Maherry argued, many organisations are starting to rely on "intelligent" forms of electronic transactions.

