A framework for a cybersecurity policy in South African schools
- Authors: Mhlaba, Surety Aleta
- Date: 2024-04
- Subjects: Computer security -- Government policy -- South Africa , Computer security -- South Africa , Cyber intelligence (Computer security) , Computer security -- South Africa Educational technology -- Security measures
- Language: English
- Type: Master's theses , text
- Identifier: http://hdl.handle.net/10948/64651 , vital:73835
- Description: Today, learners at school grow up within an Information and Communication Technology (ICT) environment and have become technology users. A growing number of learners have access to ICT devices, such as mobile phones, tablets and desktop computers owing to their affordability. Access to ICT devices enables learners to interact in cyberspace which offers them numerous advantages and benefits. Cyberspace enables learners to improve their learning by providing ease of access to information and other learning material. Additionally, it allows them to socialise and to communicate with each without having to be in the same place. Furthermore, it allows them to participate in games, including educational games, to help with their learning. Despite these benefits, learners are prone to falling victim to a range of cyber risks and attacks. These cyber risks and attacks include cyberbullying, accessing inappropriate content and being exposed to sexual grooming. This is due to the fact that cyberspace is an unregulated platform and its complex nature does not make it easy to govern. Thus, there is a need to implement a policy that can govern and educate school learners on how to protect and conduct themselves when accessing cyberspace to avoid and reduce exposure to cyber risks. Countries like the United Kingdom (UK), Australia (AU) and Rwanda (RW) have developed cybersecurity policies to assist schools to develop and implement a cybersecurity policy to create a cybersecurity environment for learners with the support and commitment of the government. These countries continue to implement cybersecurity strategies and advocate for a cybersecurity policy to be implemented in schools to foster a cybersecurity culture. However, this does not seem to be the case for South Africa. The South African education system does not have a standard national cybersecurity policy to be implemented in all schools to handle cyber risks and incidents. The Department of Basic Education (DBE) drafted guidelines to assist schools to implement cybersecurity strategies such as a cybersecurity-related policy; however, these guidelines do not include guidance on how to implement them and they have not been enacted. Because of the lack of commitment from the government to implement a cybersecurity policy at school level, learners continue to be exposed to cyber risks. Hence, it is up to each school to create and implement a cybersecurity policy that is unique to that school to help keep their learners safe. In terms of South African law, schools are ultimately responsible for the safety and well-being of school learners. School Governing Bodies (SGBs) have a legal obligation to ensure that cybersecurity measures are in place to protect learners from cyber risks, especially when schools provide access or expect learners to have and use ICT devices during school hours. However, schools (including SGBs) are ill-equipped to implement cybersecurity initiatives by themselves. They lack knowledge about ICT and are hampered by severe time and financial constraints. This study proposes a framework to assist SGBs in implementing a cybersecurity policy in South African schools. To address this need, the study first performed a literature review to identify the problem area, that schools in South Africa have no cybersecurity policy to guide them and protect school learners from cyber risks. There is a need for cybersecurity policies in schools and the SGBs entrusted with such a responsibility lack the resources and capacity to develop them. Moreover, many schools do not have cybersecurity policies in place to protect school learners if cyber risk incidents occur. This led to identifying research objectives together with research methods to address the problem area. The primary objective is to develop a framework to assist SGBs in implementing a basic cybersecurity policy in South African schools. In order to achieve the primary objective, the study determined cybersecurity policy implementation components and characteristics of cybersecurity policies using the literature review method to obtain the framework design components. Thereafter, cybersecurity-related policies, guidelines and best practices in South Africa and globally were identified and analysed for the school environment through the use of a literature review and qualitative content analysis to obtain cybersecurity policy content suitable for the school environment. Once these actions were performed, the formulation and design of the framework for implementing a basic cybersecurity policy using the relevant policy components and characteristics took place, which resulted in the proposed framework solution. , Thesis (MIT) -- Faculty of Engineering, the Built Environment, and Technology, School of Information Technology, 2024
- Full Text:
- Date Issued: 2024-04
De-identification of personal information for use in software testing to ensure compliance with the Protection of Personal Information Act
- Authors: Mark, Stephen John
- Date: 2018
- Subjects: Data processing , Information technology -- Security measures , Computer security -- South Africa , Data protection -- Law and legislation -- South Africa , Data encryption (Computer science) , Python (Computer program language) , SQL (Computer program language) , Protection of Personal Information Act (POPI)
- Language: English
- Type: text , Thesis , Masters , MSc
- Identifier: http://hdl.handle.net/10962/63888 , vital:28503
- Description: Encryption of Personally Identifiable Information stored in a Structured Query Language Database has been difficult for a long time. This is owing to block-cipher encryption algorithms changing the length and type of the input data when encrypted, which cannot subsequently be stored in the database without altering its structure. As the enactment of the South African Protection of Personal Information Act, No 4 of 2013 (POPI), was set in motion with the appointment of the Information Regulators Office in December 2016, South African companies are intensely focused on implementing compliance strategies and processes. The legislation, promulgated in 2013, encompasses the processing and storage of personally identifiable information (PII), ensuring that corporations act responsibly when collecting, storing and using individuals’ personal data. The Act comprises eight broad conditions that will become legislation once the new Information Regulator’s office is fully equipped to carry out their duties. POPI requires that individuals’ data should be kept confidential from all but those who specifically have permission to access the data. This means that not all members of IT teams should have access to the data unless it has been de-identified. This study tests an implementation of the Fixed Feistel 1 algorithm from the National Institute of Standards and Technology (NIST) “Special Publication 800-38G: Recommendation for Block Cipher Modes of Operation : Methods for Format-Preserving Encryption” using the LibFFX Python library. The Python scripting language was used for the experiments. The research shows that it is indeed possible to encrypt data in a Structured Query Language Database without changing the database schema using the new Format-Preserving encryption technique from NIST800-38G. Quality Assurance software testers can then run their full set of tests on the encrypted database. There is no reduction of encryption strength when using the FF1 encryption technique, compared to the underlying AES-128 encryption algorithm. It further shows that the utility of the data is not lost once it is encrypted.
- Full Text:
- Date Issued: 2018
Towards an information security awareness process for engineering SMEs in emerging economies
- Authors: Gundu, Tapiwa
- Date: 2013
- Subjects: Computer security -- South Africa , Information technology -- South Africa , Computer networks -- Security measures -- South Africa , Information resources management -- South Africa , Small business -- South Africa , Engineering firms -- South Africa , Confidential communications -- South Africa , Information Security Awareness , Information Security Behaviour , Information Security Training
- Language: English
- Type: Thesis , Masters , MCom (Information Systems)
- Identifier: vital:11138 , http://hdl.handle.net/10353/d1007179 , Computer security -- South Africa , Information technology -- South Africa , Computer networks -- Security measures -- South Africa , Information resources management -- South Africa , Small business -- South Africa , Engineering firms -- South Africa , Confidential communications -- South Africa , Information Security Awareness , Information Security Behaviour , Information Security Training
- Description: With most employees in Engineering Small and Medium Enterprises (SME) now having access to their own personal workstations, the need for information security management to safeguard against loss/alteration or theft of the firms’ important information has increased. These Engineering SMEs tend to be more concerned with vulnerabilities from external threats, although industry research suggests that a substantial proportion of security incidents originate from insiders within the firm. Hence, technical preventative measures such as antivirus software and firewalls are proving to solve only part of the problem as the employees controlling them lack adequate information security knowledge. This tends to expose a firm to risk and costly mistakes made by naïve/uninformed employees. This dissertation presents an information security awareness process that seeks to cultivate positive security behaviours using a behavioural intention model based on the Theory of Reasoned Action, Protection Motivation Theory and the Behaviourism Theory. The process and model have been refined and verified using expert review and tested through action research at an Engineering SME in South Africa. The main finding was information security levels of employees within the firm were low, but the proposed information security awareness process increased their knowledge thereby positively altering their behaviour.
- Full Text:
- Date Issued: 2013
A model for legal compliance in the South African banking sector : an information security perspective
- Authors: Maphakela, Madidimalo Rabbie
- Date: 2008
- Subjects: Database security -- South Africa , Computer security -- South Africa , Computer networks -- Security measures -- South Africa
- Language: English
- Type: Thesis , Masters , MTech
- Identifier: vital:9783 , http://hdl.handle.net/10948/725 , Database security -- South Africa , Computer security -- South Africa , Computer networks -- Security measures -- South Africa
- Description: In the past, many organisations used to keep their information on paper, which resulted in the loss of important information. In today’s knowledge era the information super-highway facilitates highly connected electronic environments where business applications can communicate on an intra- as well as inter-organizational level. As business expanded more into the cyber-world, so did the need to protect the information they have. Technology advances did not only bring benefits, it also increased the vulnerability of companies’ information. Information, the lifeblood of an organization, must be protected from threats such as hackers and fraud, amongst others. In the highly regulated financial sector, the protection of information is not only a best practice, but a legal obligation carrying penalties for non-compliance. From a positive aspect, organisations can identify security controls that can help them to secure their information, with the aid of legal sources. But organisations find themselves burdened by a burgeoning number of legal sources and requirements, which require vast resources and often become unmanageable. This research focuses on finding a solution for South African banks to comply with multiple legal sources, as seen from an information security perspective.
- Full Text:
- Date Issued: 2008