Recent cyber-attacks have demonstrated how vulnerable South Africa is to cybercrime. Trends show that the public sector in particular has experienced a large volume of cyber incidents. This does not come as a surprise given the vast amount of data and information processed in the public sector. The Directive on Public Service Information Security, issued in terms of the Public Service Act, 1994 under regulation 94 of the Public Service Regulations, is therefore a much-welcomed policy for the public sector.

The directive primarily seeks to give guidance on information security governance principles, practices, and procedures to safeguard technology assets in the public sector. It applies to all national and provincial departments, government components, and employees employed in terms of the Act.

Any failure to comply with the Directive will be dealt with in terms of section 16A of the Act, which provides for disciplinary action against heads of government departments and employees.

Roles and responsibilities

There are various roles identified in the Directive as being key to its implementation, namely:

  • heads of governmental departments;
  • the "Government Information Technology Officer";
  • the "Department Information Security Officer"; and
  • the departmental ICT Steering Committee.

These parties are responsible for, among others:

  • processes related to cybersecurity;
  • cloud and network security;
  • storage and destruction of information;
  • backups;
  • disaster recovery and business continuity;
  • software and technology asset review;
  • conducting information security awareness and training to reduce cybersecurity risks;
  • recognising and reporting cyberattacks; and
  • how to properly handle sensitive data.

Information security management

Each department must have an information security policy in place. The information security policy must align with the provisions set out in the Directive. Further, all human resources policies must include a summary of the information security policy so that all employees are aware of it before starting any work in the department.

Information system development and maintenance

Application and system developments, and any other changes to systems, must be documented before they are approved and implemented. Developments and changes must follow a formal, structured approach that factors information security in throughout the development cycle. It will be important to ensure that appropriate contracts are concluded between the department and the developer that address, among other things, how development of the system will be performed, the applicable service levels, change control procedures, and the cost of implementing changes.

The testing and development environment must be separated from the production environment. This separation protects production from modifications or outages that occur in testing and development. Where feasible, the employee responsible for development should not have access to production systems. Before a new ICT system is used in a department's production environment, it must be confirmed to satisfy all necessary security requirements and be approved.

Access to the network

Every computer belonging to an external party must be examined to make sure its antivirus software is up to date before authorisation to access a department's network is granted. To keep track of network access authorisations, the Department Information Security Officer will maintain and review a register of authorised external party users and the access levels granted to them. The review will happen on a quarterly or ad hoc basis.

On review, the Department Information Security Officer will assess whether the access is still required by verifying that a valid business requirement justifies the external party's access to the department's network. When a contract with an external party ends, the external party must return any government property in its possession, and its access to the government network will be terminated.
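As an added illustration, not part of the Directive or of the original article, the register review described above can be expressed as a small check run over the register each quarter. The record fields, the 90-day interval used to approximate "quarterly", and the sample entries are all assumptions made for this example; the logic follows the three conditions the Directive sets out: terminate access when the contract has ended, terminate it when no valid business requirement remains, and flag entries whose last review is overdue.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Assumption: "quarterly" review is approximated as a 90-day interval.
REVIEW_INTERVAL = timedelta(days=90)


@dataclass
class ExternalAccess:
    """One row of the external party access register (field names assumed)."""
    user: str
    organisation: str
    access_level: str
    business_justification: str
    contract_end: Optional[date]   # None if the contract has no fixed end date
    last_reviewed: date


def review_register(register: List[ExternalAccess],
                    today: date) -> Tuple[List[ExternalAccess], List[ExternalAccess]]:
    """Split the register into entries whose access must be revoked and
    entries that must be re-verified with the business owner.

    Revoke: contract has ended, or no business requirement is recorded.
    Re-verify: access still justified on paper, but the last review is
    older than the review interval.
    """
    revoke: List[ExternalAccess] = []
    reverify: List[ExternalAccess] = []
    for entry in register:
        if entry.contract_end is not None and entry.contract_end <= today:
            revoke.append(entry)            # contract ended: terminate access
        elif not entry.business_justification.strip():
            revoke.append(entry)            # no valid business requirement
        elif today - entry.last_reviewed >= REVIEW_INTERVAL:
            reverify.append(entry)          # quarterly review overdue
    return revoke, reverify


# Constructed sample register and review date for this example.
TODAY = date(2024, 6, 30)


def sample_register() -> List[ExternalAccess]:
    return [
        ExternalAccess("vendor-a-dev", "Vendor A", "dev-vlan",
                       "Builds the licensing system", date(2024, 12, 31), date(2024, 5, 15)),
        ExternalAccess("vendor-b-support", "Vendor B", "admin-jump-host",
                       "Maintenance of HR system", date(2024, 6, 1), date(2024, 4, 1)),
        ExternalAccess("auditor-c", "Audit Firm C", "read-only-finance",
                       "Annual audit working papers", None, date(2024, 2, 1)),
        ExternalAccess("contractor-d", "Contractor D", "dev-vlan",
                       "", date(2025, 1, 1), date(2024, 6, 1)),
    ]


def review_report(register: List[ExternalAccess], today: date) -> List[str]:
    """Human-readable lines for the Department Information Security Officer."""
    revoke, reverify = review_register(register, today)
    lines = [f"REVOKE   {e.user:18} ({e.organisation}) level={e.access_level}" for e in revoke]
    lines += [f"REVERIFY {e.user:18} ({e.organisation}) last reviewed {e.last_reviewed}"
              for e in reverify]
    return lines


if __name__ == "__main__":
    for line in review_report(sample_register(), TODAY):
        print(line)
```

The check is deliberately conservative: an entry is only left untouched when it has a future (or open-ended) contract, a recorded business justification, and a review within the interval. Anything else lands in the revoke or re-verify list for the officer to act on.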

Intellectual property rights

Any system, including software, information, source code, and system design documents, created by and/or on behalf of the department will be government intellectual property, and may not be copied, sold, leased, or removed without explicit written consent from the relevant executive authority.

Information Classification

Government information must be stored on departmental network servers. Data backups containing sensitive information must be encrypted. All information will be classified using the sensitivity classification matrix below:

  • public information: information that has been approved by management for release to the public;
  • confidential information: information that is private or otherwise sensitive in nature and must be restricted to those with a legitimate business need for access to the information; and
  • secret information: this classification applies to the most sensitive business information that is intended for strict use within a department and restricted to those with a legitimate business need to access the information.

Data and information are becoming more important as the digital economy grows, and it is imperative that they are stored and handled securely in order to maintain their confidentiality, integrity, and availability. The Directive establishes the information security standards that public bodies must follow, and each government department must implement them accordingly.

Our team of cyber-security experts has deep expertise in advising public sector entities and private IT service providers on appropriate information security policies and procedures, and in preparing IT service agreements. Should you require any assistance with these policies and agreements, please contact any member of our team.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.