Commit
c7ce07f
0
Parent(s):
first commit
Browse files- .env.example +17 -0
- .gitignore copy +30 -0
- MiniRAGsmy +1 -0
- README.md +114 -0
- app_gradio_lightrag.py +691 -0
- dataset/data/docs/DPSA_MIOS Framework V6 0.pdf-79231b43-278b-48ef-bc26-8335ce9a2f1b.md +322 -0
- dataset/data/docs/DPSA_cgict_Determination and Directive on the im.md +0 -0
- dataset/data/docs/DPSA_minimum-interoperability-standards-mios-for-information-systems-in-governm.md +397 -0
- dataset/data/docs/Determination and Directive on Public Service ICT Service Continuity v13 (2) (1)..md +166 -0
- dataset/data/docs/Directive-on-Public-Service-Information-Security_egov_21_06_2022_.pdf-617e273b-cc20-462a-ad02-79.md +497 -0
- dataset/data/docs/MPSS_Booklet.pdf-61c2352b-0c86-43bc-8fbd-eabfe7d23827.md +417 -0
- dataset/data/docs/Minimum Information Security Standards (MISS).pdf-9e5f96e5-5d6e-4a6a-9270-72eaa9809f3d.md +0 -0
- dataset/data/docs/Protection of Information Act 84 of 1982 South African Government_English_Adesemmyk.pdf-0aeaf0b9-0f34-4e8c-a946-.md +178 -0
- dataset/data/docs/Signed - MIOS CATALOGUE OF STANDARDS.pdf-d1383b54-4c4e-4722-bd01-16a3b8e9899f.md +116 -0
- dataset/data/docs/chibanda-and-kabanda_Towards an African cybersecurity community of practice.pdf-d4bd0d.md +159 -0
- dataset/data/docs/egovernment_02_02_2022.pdf-8ee94aec-ed5a-45f3-80c7-14a5acd14b15.md +374 -0
- dataset/data/docs/ehiane-and-olumoye_2023_Introduction and Contextu.md +215 -0
- dataset/data/docs/grobler-et-al._2012_Implementation of a Cy.md +164 -0
- dataset/data/docs/law-society-of-south-africa_2023_LSSA guidance on cyber law.pdf-13cda54c-057d-4c47-8688-73acee399122.md +170 -0
- dataset/data/docs/mabunda_2021_Cybersecurity in South Africa Towards Best Practices.pdf-3aa90d36-37f2-4089-abe3-6b.md +0 -0
- dataset/data/docs/mahlatsi_A CRITICAL REVIEW OF THE IMPLEMENTATION OF .md +0 -0
- dataset/data/docs/republic-of-south-africa_2013_Protection of Personal Information Act, 2013.pdf-68ed7a0b.md +0 -0
- dataset/data/docs/republic-of-south-africa_Cybercrimes Act of South Africa_Act16-2020_commence.md +0 -0
- dataset/data/docs/sibe_2022_Forbes_Africas-Chaotic-Legal-And-Regulatory-Cyberse.md +53 -0
- dataset/data/docs/south-africa-government_2015_National Cybersecurity Policy Framework.pdf-dde97d67-d3fd-41b3-b.md +524 -0
- dataset/data/docs/south-africa-government_2017_MIOS Framework V6.pdf-4d93567c-6001-40ee-8aba-836a49bd1f69.md +204 -0
- dataset/data/docs2/Protection of Information Act 84 of 1982 South African Government_English_Adesemmyk.pdf-0aeaf0b9-0f34-4e8c-a946-.md +178 -0
- dataset/data/docs2/republic-of-south-africa_2013_Protection of Personal Information Act, 2013.pdf-68ed7a0b.md +0 -0
- dataset/data/docs2/republic-of-south-africa_Cybercrimes Act of South Africa_Act16-2020_commence.md +0 -0
- dataset/data/docs2/south-africa-government_2015_National Cybersecurity Policy Framework.pdf-dde97d67-d3fd-41b3-b.md +524 -0
- kg_viz.html +0 -0
- log/lightrag_compatible_demo.log +0 -0
- log/lightrag_err.log +0 -0
- log/miniriag_workingfolder3_14-18June25.log +0 -0
- requirements.txt +10 -0
- troubleshoot.py +4 -0
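--- a/.env.example
+++ b/.env.example
@@ -0,0 +1,17 @@
+OPENAI_API_KEY=your-openai-api-key
+
+LLM_MODEL=your-LLM-model-Name
+## (in the format: provider/model-identifier)
+
+OPENAI_API_BASE=your-LLM-inference-provider-endpoint
+## (for locally hosted llm inference server like LMStudio or Jan.ai, follow ollama host adding /v1: http://localhost:1234/v1)
+
+OPENAI_API_EMBED_BASE=your-embedding-provider-endpoint
+## (for locally hosted, do not include /embedding)
+
+LLM_MODEL_EMBED=your-embedding-model
+##(in the format: provider/embedding-name)
+
+OLLAMA_HOST=http://localhost:11434
+## change port #
+OLLAMA_API_KEY= ##(include if required)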
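--- a/.gitignore copy
+++ b/.gitignore copy
@@ -0,0 +1,30 @@
+# .gitignore et al
+#.gitignore
+.cursorindexingignore
+.env
+pyvenv.cfg
+
+Scripts/*
+share*
+Include/*
+lib/*
+
+# project
+MINIRAGsmy/*
+
+# SpecStory explanation file
+.specstory/*
+
+# working folder
+working_folder*/*
+copy/*
+dataset/*
+
+# logs
+logs/*
+troubleshooting.py
+
+# SpecStory explanation file
+.specstory/*
+# SpecStory explanation file
+.specstory/.what-is-this.md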
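Review bot: Git only honours a file named exactly `.gitignore`, so none of the rules in `.gitignore copy` are applied by this commit — including `.env` on line 4, the file the README tells users to copy `.env.example` into and fill with their OPENAI_API_KEY — and the commit listing bears that out: `dataset/*` is listed here yet the dataset documents are added, and the `log/*.log` files are added as well. Two patterns also do not match what the repository actually contains: `logs/*` (line 24) versus the committed `log/` directory, and `troubleshooting.py` (line 25) versus the committed `troubleshoot.py`. Rename the file to `.gitignore` and change those two lines to `log/*` and `troubleshoot.py`; the `.specstory/*` entry duplicated on lines 16 and 28 can be collapsed into one.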
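--- a/MiniRAGsmy
+++ b/MiniRAGsmy
@@ -0,0 +1 @@
+Subproject commit 0ffa447724123b273b1b4dea31b5f5f9ce4db073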
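--- a/README.md
+++ b/README.md
@@ -0,0 +1,114 @@
+---
+# metadata
+title: semmyKG - Knowledge Graph visualiser builder toolkit (from markdown)
+emoji: 🕸️
+colorFrom: yellow
+colorTo: purple
+sdk: gradio
+sdk_version: 5.44.1
+python_version: 3.12
+command: python app_gradio_lightrag.py
+app_file: app_gradio_lightrag.py
+hf_oauth: true
+oauth_scopes: [read-access]
+hf_oauth_scopes: [inference-api]
+license: mit
+pinned: true
+short_description: semmyKG - Knowledge Graph builder toolkit (from markdown): (Use ParserPDF for PDF, Word & HTML parser to markdown)
+#models: [meta-llama/Llama-4-Maverick-17B-128E-Instruct, openai/gpt-oss-120b, openai/gpt-oss-20b, ]
+models:
+- meta-llama/Llama-4-Maverick-17B-128E-Instruct
+- openai/gpt-oss-120b, openai/gpt-oss-20b
+tags: [knowledge graph, markdown, RAG, domain]
+#preload_from_hub: [https://huggingface.co/datalab-to/surya_layout, https://huggingface.co/datalab-to/surya_tablerec, huggingface.co/datalab-to/line_detector0, https://huggingface.co/tarun-menta/ocr_error_detection/blob/main/config.json]
+owner: research-semmyk
+#---
+#[Project]
+#---
+
+#short_description: PDF & HTML parser to markdown
+version: 0.1.0
+readme: README.md
+requires-python: ">=3.12"
+#dependencies: []
+#---
+---
+
+# LightRAG Gradio App
+
+A modern, modular Gradio app for knowledge graph-based Retrieval-Augmented Generation (RAG) using [LightRAG][1]. Supports OpenAI and Ollama LLM backends, markdown document ingestion, and interactive knowledge graph visualisation. Our ParserPDF ([GitHub]][3] | [HF Space][4]) pipeline generate markdown from documents (pdf, Word, html).
+
+## Features
+- LightRAG for Dual-level RAG and knowledge graph (KG)
+- Ingest markdown files from a folder (default: `dataset/data/docs`).
+- Query with OpenAI or Ollama backend (user-selectable)
+- Visualise KG interactively in-browser
+- Deployable to venv, Colab, or HuggingFace Spaces
+- Robust, pythonic, modular code (UK English)
+
+## Setup
+
+### 1. Clone and create venv
+```bash
+python -m venv .venv
+source .venv/bin/activate # or .venv\Scripts\activate on Windows
+pip install -r requirements.txt
+```
+
+### 2. Configure environment
+Copy `.env.example` to `.env` and fill in your keys:
+```markdown
+OPENAI_API_KEY=your-openai-api-key
+LLM_MODEL=your-LLM-model-Name
+##(in the format: provider/model-identifier)
+OPENAI_API_BASE=your-LLM-inference-provider-endpoint
+##(for locally hosted llm inference server like LMStudio or Jan.ai, follow ollama host adding /v1: http://localhost:1234/v1)
+OPENAI_API_EMBED_BASE=your-embedding-provider-endpoint
+##(for locally hosted, do not include /embedding)
+LLM_MODEL_EMBED=your-embedding-model ##(in the format: provider/embedding-name)
+OLLAMA_HOST=http://localhost:11434
+OLLAMA_API_KEY= ##(include if required)
+```
+If .env is not set, you can enter into the web UI directly. <br>
+Ditto, override .env by inputting directly in web UI.
+
+### 3. Run the app
+```bash
+python app_gradio_lightrag.py
+```
+For 'faster' development 'debug'
+
+```python
+##SMY: assist: https://www.gradio.app/guides/developing-faster-with-reload-mode
+gradio app_gradio_lightrag.py --demo-name=gradio_ui
+```
+
+### 4. Colab/Spaces
+- For HuggingFace Spaces: ensure all dependencies are in `requirements.txt` and `.env` is set via the web UI or Space secret.
+- For Colab: install requirements and run the app cell.
+
+## Usage
+- Select your data folder (default: `dataset/data/docs`)
+- Choose LLM backend (OpenAI or Ollama)
+- Enter your query and select query mode
+- Click 'Index Documents' to build the KG
+- Click 'Query' to get answers
+- Click 'Show Knowledge Graph' to visualise the KG
+
+## Notes
+- Only markdown files are supported for ingestion (images in `/images` subfolder are ignored for now). <br>NB: other formats will be enabled later: pdf, txt, html...
+- To generate markdown from documents (PDf, Word, html), use our ParserPDF tool [GitHub]][3] | [HF Space][4].
+- All user-facing text is in UK English
+- For advanced configuration, see LightRAG documentation
+
+## Roadmap (no defined timeline)
+- HuggingFace log in
+- [ParserPDF][3] integration
+
+## License
+[MIT][2]
+
+[1]: https://github.com/HKUDS/LightRAG "LightRAG GitHub"
+[2]: https://opensource.org/license/mit "MIT License"
+[3]: https://github.com/semmyk-research/parserPDF "ParserPDF (GitHub)"
+[4]: https://huggingface.co/spaces/semmyk/parserPDF "ParserPDF (HF Space)"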
app_gradio_lightrag.py
ADDED
|
@@ -0,0 +1,691 @@
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1 |
+
import os
|
| 2 |
+
import glob
|
| 3 |
+
import gradio as gr
|
| 4 |
+
from watchfiles import run_process ##gradio reload watch
|
| 5 |
+
|
| 6 |
+
import pipmaster as pm
|
| 7 |
+
if not pm.is_installed("pyvis"):
|
| 8 |
+
pm.install("pyvis")
|
| 9 |
+
if not pm.is_installed("networkx"):
|
| 10 |
+
pm.install("networkx")
|
| 11 |
+
import networkx as nx
|
| 12 |
+
from pyvis.network import Network
|
| 13 |
+
import random
|
| 14 |
+
|
| 15 |
+
from lightrag import LightRAG, QueryParam
|
| 16 |
+
from lightrag.llm.openai import openai_complete_if_cache, openai_complete, openai_embed
|
| 17 |
+
from lightrag.llm.ollama import ollama_embed, ollama_model_complete
|
| 18 |
+
from lightrag.utils import EmbeddingFunc, logger, set_verbose_debug ##SMY
|
| 19 |
+
from lightrag.kg.shared_storage import initialize_pipeline_status ##SMY
|
| 20 |
+
|
| 21 |
+
import numpy as np ##SMY
|
| 22 |
+
|
| 23 |
+
import asyncio
|
| 24 |
+
from functools import partial
|
| 25 |
+
from typing import Tuple, Optional
|
| 26 |
+
import logging, logging.config ##SMY lightrag_openai_compatible_demo.py
|
| 27 |
+
import inspect ##SMY lightrag_openai_compatible_demo.py
|
| 28 |
+
|
| 29 |
+
from dotenv import load_dotenv
|
| 30 |
+
# Load environment variables
|
| 31 |
+
load_dotenv()
|
| 32 |
+
|
| 33 |
+
# Pythonic error handling decorator
|
| 34 |
+
def handle_errors(func):
|
| 35 |
+
def wrapper(*args, **kwargs):
|
| 36 |
+
try:
|
| 37 |
+
return func(*args, **kwargs)
|
| 38 |
+
except Exception as e:
|
| 39 |
+
return gr.update(value=f"Error: {e}")
|
| 40 |
+
return wrapper
|
| 41 |
+
|
| 42 |
+
@handle_errors
|
| 43 |
+
def configure_logging():
|
| 44 |
+
"""Configure logging for the application"""
|
| 45 |
+
##SMY lightrag_openai_compatible_demo.py
|
| 46 |
+
|
| 47 |
+
# Reset any existing handlers to ensure clean configuration
|
| 48 |
+
for logger_name in ["uvicorn", "uvicorn.access", "uvicorn.error", "lightrag"]:
|
| 49 |
+
logger_instance = logging.getLogger(logger_name)
|
| 50 |
+
logger_instance.handlers = []
|
| 51 |
+
logger_instance.filters = []
|
| 52 |
+
|
| 53 |
+
# Get log directory path from environment variable or use current directory
|
| 54 |
+
log_dir = os.getenv("LOG_DIR", os.getcwd())
|
| 55 |
+
log_file_path = os.path.abspath(
|
| 56 |
+
os.path.join(log_dir, "lightrag_compatible_demo.log")
|
| 57 |
+
)
|
| 58 |
+
|
| 59 |
+
print(f"\nLightRAG compatible demo log file: {log_file_path}\n")
|
| 60 |
+
os.makedirs(os.path.dirname(log_dir), exist_ok=True)
|
| 61 |
+
|
| 62 |
+
# Get log file max size and backup count from environment variables
|
| 63 |
+
log_max_bytes = int(os.getenv("LOG_MAX_BYTES", 10485760)) # Default 10MB
|
| 64 |
+
log_backup_count = int(os.getenv("LOG_BACKUP_COUNT", 5)) # Default 5 backups
|
| 65 |
+
|
| 66 |
+
logging.config.dictConfig(
|
| 67 |
+
{
|
| 68 |
+
"version": 1,
|
| 69 |
+
"disable_existing_loggers": False,
|
| 70 |
+
"formatters": {
|
| 71 |
+
"default": {
|
| 72 |
+
"format": "%(levelname)s: %(message)s",
|
| 73 |
+
},
|
| 74 |
+
"detailed": {
|
| 75 |
+
"format": "%(asctime)s - %(name)s - %(levelname)s - %(message)s",
|
| 76 |
+
},
|
| 77 |
+
},
|
| 78 |
+
"handlers": {
|
| 79 |
+
"console": {
|
| 80 |
+
"formatter": "default",
|
| 81 |
+
"class": "logging.StreamHandler",
|
| 82 |
+
"stream": "ext://sys.stderr",
|
| 83 |
+
},
|
| 84 |
+
"file": {
|
| 85 |
+
"formatter": "detailed",
|
| 86 |
+
"class": "logging.handlers.RotatingFileHandler",
|
| 87 |
+
"filename": log_file_path,
|
| 88 |
+
"maxBytes": log_max_bytes,
|
| 89 |
+
"backupCount": log_backup_count,
|
| 90 |
+
"encoding": "utf-8",
|
| 91 |
+
},
|
| 92 |
+
},
|
| 93 |
+
"loggers": {
|
| 94 |
+
"lightrag": {
|
| 95 |
+
"handlers": ["console", "file"],
|
| 96 |
+
"level": "INFO",
|
| 97 |
+
"propagate": False,
|
| 98 |
+
},
|
| 99 |
+
},
|
| 100 |
+
}
|
| 101 |
+
)
|
| 102 |
+
|
| 103 |
+
# Set the logger level to INFO
|
| 104 |
+
logger.setLevel(logging.INFO)
|
| 105 |
+
# Enable verbose debug if needed
|
| 106 |
+
set_verbose_debug(os.getenv("VERBOSE_DEBUG", "false").lower() == "true")
|
| 107 |
+
|
| 108 |
+
# Utility: Wrap async functions
|
| 109 |
+
##SMY: temporary dropped for async def declaration
|
| 110 |
+
def wrap_async(func):
|
| 111 |
+
"""Wrap an async function to run synchronously using asyncio.run"""
|
| 112 |
+
async def _async_wrapper(*args, **kwargs):
|
| 113 |
+
result = await func(*args, **kwargs)
|
| 114 |
+
return result
|
| 115 |
+
return lambda *args, **kwargs: asyncio.run(_async_wrapper(*args, **kwargs))
|
| 116 |
+
|
| 117 |
+
# Utility: Visualise .graphml as HTML using pyvis
|
| 118 |
+
@handle_errors
|
| 119 |
+
def visualise_graphml(graphml_path: str, working_dir: str) -> str:
|
| 120 |
+
"""Convert GraphML file to interactive HTML visualisation"""
|
| 121 |
+
## graphml_path: defaults to lightRAG's generated graph_chunk_entity_relation.graphml
|
| 122 |
+
## working_dir: lightRAG's working directory set by user
|
| 123 |
+
|
| 124 |
+
## Load the GraphML file
|
| 125 |
+
G = nx.read_graphml(graphml_path)
|
| 126 |
+
|
| 127 |
+
## Create a Pyvis network
|
| 128 |
+
#net = Network(height="100vh", notebook=True)
|
| 129 |
+
net = Network(notebook=True, width="100%", height="600px") #, heading=f"Knowledge Graph Visualisation") #(noteboot=False)
|
| 130 |
+
## Convert NetworkX graph to Pyvis network
|
| 131 |
+
net.from_nx(G)
|
| 132 |
+
|
| 133 |
+
# Add colors and title to nodes
|
| 134 |
+
for node in net.nodes:
|
| 135 |
+
node["color"] = "#{:06x}".format(random.randint(0, 0xFFFFFF))
|
| 136 |
+
if "description" in node:
|
| 137 |
+
node["title"] = node["description"]
|
| 138 |
+
|
| 139 |
+
# Add title to edges
|
| 140 |
+
for edge in net.edges:
|
| 141 |
+
if "description" in edge:
|
| 142 |
+
edge["title"] = edge["description"]
|
| 143 |
+
|
| 144 |
+
## Set the 'physics' attribute to repulsion
|
| 145 |
+
net.repulsion(node_distance=120, spring_length=200)
|
| 146 |
+
net.show_buttons(filter_=['physics']) ##SMY: dynamically modify the network
|
| 147 |
+
#net.show_buttons()
|
| 148 |
+
|
| 149 |
+
## graph path
|
| 150 |
+
kg_viz_html_file = "kg_viz.html"
|
| 151 |
+
html_path = os.path.join(working_dir, kg_viz_html_file)
|
| 152 |
+
#net.save_graph(html_path)
|
| 153 |
+
## Save and display the generated KG network html
|
| 154 |
+
#net.show(html_path)
|
| 155 |
+
net.show(html_path, local=True, notebook=False)
|
| 156 |
+
|
| 157 |
+
##SMY read and display generated KG html
|
| 158 |
+
#with open(html_path, "r", encoding="utf-8") as f:
|
| 159 |
+
# return f.read() ## html
|
| 160 |
+
|
| 161 |
+
|
| 162 |
+
# Utility: Get all markdown files in a folder
|
| 163 |
+
def get_markdown_files(folder: str) -> list[str]:
|
| 164 |
+
"""Get sorted list of markdown files in folder"""
|
| 165 |
+
return sorted(glob.glob(os.path.join(folder, "*.md")))
|
| 166 |
+
|
| 167 |
+
# LightRAG wrapper class
|
| 168 |
+
class LightRAGApp:
|
| 169 |
+
"""LightRAG application wrapper with async support"""
|
| 170 |
+
|
| 171 |
+
def __init__(self):
|
| 172 |
+
"""Initialise LightRAG application state"""
|
| 173 |
+
self.rag: Optional[LightRAG] = None
|
| 174 |
+
self.working_dir: Optional[str] = None
|
| 175 |
+
self.llm_backend: Optional[str] = None
|
| 176 |
+
self.llm_model_name: Optional[str] = None
|
| 177 |
+
self.llm_model_embed: Optional[str] = None
|
| 178 |
+
self.llm_baseurl: Optional[str] = None
|
| 179 |
+
self.system_prompt: Optional[str] = None
|
| 180 |
+
self.status: str = ""
|
| 181 |
+
self._is_initialised: bool = False ## Add initialisation flag
|
| 182 |
+
self.cancel_event = asyncio.Event() ## Add cancel event: long-running tasks
|
| 183 |
+
self.delay_between_files: Optional[float]=60.0 ## lightRAG initialisation: Delay in seconds between files processing viz RateLimitError 429
|
| 184 |
+
self.llm_model_max_async: Optional[int] = 2, #4, ##SMY: https://github.com/HKUDS/LightRAG/issues/128
|
| 185 |
+
self.max_parallel_insert: Optional[int] = 1, ## No of parralel files to process in one batch: aasist: https://github.com/HKUDS/LightRAG/issues/1653#issuecomment-2940593112
|
| 186 |
+
self.timeout: Optional[float] = 1000, #AsyncOpenAI #Union[float, Timeout, None, NotGiven] = NOT_GIVEN,
|
| 187 |
+
self.max_retries: Optional[int] = 1 #AsyncOpenAI #DEFAULT_MAX_RETRIES,
|
| 188 |
+
|
| 189 |
+
def _system_prompt(self, custom_system_prompt: Optional[str]=None) -> str:
|
| 190 |
+
"""Set a localised system prompt"""
|
| 191 |
+
## SMY: TODO: Make modular
|
| 192 |
+
#self.system_prompt if custom_system_prompt else self.system_prompt=f"\n
|
| 193 |
+
|
| 194 |
+
if custom_system_prompt:
|
| 195 |
+
self.system_prompt = custom_system_prompt
|
| 196 |
+
else:
|
| 197 |
+
self.system_prompt = """
|
| 198 |
+
You are a domain expert on Cybersecurity, the South Africa landscape
|
| 199 |
+
and South African legislation.
|
| 200 |
+
1. You only process text in English.
|
| 201 |
+
2. When building knowledge graph, taxonomy and ontology,
|
| 202 |
+
person(s) can be natural or juristic person. For instance, Minister of Justice is juristic.
|
| 203 |
+
3. Different natural and juristic person(s) are assigned to perform roles.
|
| 204 |
+
4. In South Africa, there are different entities (organisations) defined in legislations, Acts, Bills and Policy.
|
| 205 |
+
For instance, you might Dept of Treasury at National (The National Treasury) and at Provincial levels (Provincial Treasuries) guided by the PFMA, while
|
| 206 |
+
Municipalities (local governments), guided by the MFMA, do not have Treasury department, but might have Budget & Treasury Office.
|
| 207 |
+
You have stand alone entities like the Office of the Public Protector, headed by the Public Protector. Ditto, Information Regulator headed by Chairperson of the Information Regulator.
|
| 208 |
+
You have others like the CCMA (Commission for Conciliation, Mediation and Adjudication)
|
| 209 |
+
5. Legislations include Acts, Bill and in some instance, Regulations and Policy.
|
| 210 |
+
6. Legislations often have section heads. The also have section detailing amendments and repeals (if any).
|
| 211 |
+
7. Legislations will indicate the heading in the format Name Act No of YYYY. For instance 'Protection of Information Act No 84, 1982.
|
| 212 |
+
8. Legislations will have a Gazette No and Assented date (when the President assent to the legislation) from when it becomes operative.
|
| 213 |
+
9. Legislation might have paragraph number. Kindly disregard for content purposes but take cognisance for context.
|
| 214 |
+
10. Do not create multiple nodes for legislations. For instance, maintain a single node for Protection of Information Act, Protection of Information Act, 1982, Protection of Information Act No 84, 1982.
|
| 215 |
+
However, have a separate node for Protection of Personal Information Act, 2013.
|
| 216 |
+
Also take note that 'Republic of South Africa' is an offical geo entity while 'South Africa' is a referred to place, although also a geo entity: Always watch the context and becareful of lumping them together.
|
| 217 |
+
"""
|
| 218 |
+
|
| 219 |
+
return self.system_prompt
|
| 220 |
+
|
| 221 |
+
async def _embedding_func(self, texts: list[str], **kwargs,) -> np.ndarray:
|
| 222 |
+
#def _embedding_func(self, texts: list[str], **kwargs,) -> np.ndarray:
|
| 223 |
+
"""Get embedding function based on backend"""
|
| 224 |
+
try:
|
| 225 |
+
if self.llm_backend == "OpenAI":
|
| 226 |
+
#'''
|
| 227 |
+
|
| 228 |
+
# Use wrap_async for proper async handling
|
| 229 |
+
#return wrap_async(openai_embed)(
|
| 230 |
+
return await openai_embed(
|
| 231 |
+
texts,
|
| 232 |
+
model=self.llm_model_embed,
|
| 233 |
+
api_key=self.llm_api_key_embed,
|
| 234 |
+
base_url=self.llm_baseurl_embed
|
| 235 |
+
#base_url=self.ollama_host
|
| 236 |
+
)
|
| 237 |
+
# Use wrap_async for proper async handling
|
| 238 |
+
#return wrap_async(ollama_embed)(
|
| 239 |
+
return await ollama_embed(
|
| 240 |
+
texts,
|
| 241 |
+
embed_model=self.llm_model_embed,
|
| 242 |
+
#host=self.openai_baseurl_embed
|
| 243 |
+
host=self.ollama_host,
|
| 244 |
+
api_key=self.llm_api_key_embed
|
| 245 |
+
)
|
| 246 |
+
except Exception as e:
|
| 247 |
+
self.status = f"{self.status} | _embedding_func error: {str(e)}"
|
| 248 |
+
raise # Re-raise to be caught by the setup method
|
| 249 |
+
|
| 250 |
+
async def _get_embedding_dim(self) -> int:
|
| 251 |
+
#def _get_embedding_dim(self) -> int:
|
| 252 |
+
"""Dynamically determine embedding dimension or fallback to defaults"""
|
| 253 |
+
try:
|
| 254 |
+
test_text = ["This is a test sentence."]
|
| 255 |
+
embedding = await self._embedding_func(test_text)
|
| 256 |
+
##SMY: getting asyncio error
|
| 257 |
+
#embedding = wrap_async(self._embedding_func)(test_text)
|
| 258 |
+
return embedding.shape[1]
|
| 259 |
+
except Exception as e:
|
| 260 |
+
self.status = f"_get_embedding_dim error: {str(e)}"
|
| 261 |
+
# Fallback to known dimensions
|
| 262 |
+
if "bge-m3" in self.llm_model_embed:
|
| 263 |
+
return 1024 # BAAI/bge-m3 embedding
|
| 264 |
+
if self.llm_backend == "OPENAI" and "gemini" in self.llm_model_name:
|
| 265 |
+
return 3072 # Gemini's gemini-embedding-exp-03-07 dimension
|
| 266 |
+
if self.llm_backend == "OpenAI":
|
| 267 |
+
return 1536 # OpenAI's text-embedding-3-small
|
| 268 |
+
return 4096 # Ollama's default
|
| 269 |
+
|
| 270 |
+
#def _llm_model_func(self, prompt, system_prompt=None, history_messages=[], keyword_extraction=False,
|
| 271 |
+
async def _llm_model_func(self, prompt, system_prompt=None, history_messages=[], keyword_extraction=False, **kwargs) -> str:
|
| 272 |
+
"""Complete a prompt using OpenAI's API with or without caching support."""
|
| 273 |
+
try:
|
| 274 |
+
## SMY: TODO: Revisit to make modular: tie-in with Gradio UI
|
| 275 |
+
if not system_prompt:
|
| 276 |
+
system_prompt = self._system_prompt()
|
| 277 |
+
except Exception as e:
|
| 278 |
+
self.status = f"_llm_model_func: Error while setting system_promt: {str(e)}"
|
| 279 |
+
raise
|
| 280 |
+
try:
|
| 281 |
+
#return openai_complete_if_cache(
|
| 282 |
+
return await openai_complete_if_cache(
|
| 283 |
+
model=self.llm_model_name,
|
| 284 |
+
prompt=prompt,
|
| 285 |
+
system_prompt=system_prompt,
|
| 286 |
+
history_messages=history_messages,
|
| 287 |
+
base_url=self.llm_baseurl,
|
| 288 |
+
api_key=self.llm_api_key,
|
| 289 |
+
#timeout=self.timeout, #: Union[float, Timeout, None, NotGiven] = NOT_GIVEN,
|
| 290 |
+
#max_retries=self.max_retries, #: int = DEFAULT_MAX_RETRIES,
|
| 291 |
+
**kwargs,
|
| 292 |
+
)
|
| 293 |
+
except Exception as e:
|
| 294 |
+
self.status = f"_llm_model_func: Error while initialising model: {str(e)}"
|
| 295 |
+
raise
|
| 296 |
+
|
| 297 |
+
async def _get_llm_functions(self) -> Tuple[callable, callable]:
|
| 298 |
+
#def _get_llm_functions(self) -> Tuple[callable, callable]:
|
| 299 |
+
"""Get LLM and embedding functions based on backend"""
|
| 300 |
+
try:
|
| 301 |
+
# Get embedding dimension dynamically
|
| 302 |
+
try:
|
| 303 |
+
embedding_dimension = await self._get_embedding_dim()
|
| 304 |
+
self.status = f"Using embedding dimension: {embedding_dimension}"
|
| 305 |
+
except Exception as e:
|
| 306 |
+
# feedback dimensions error
|
| 307 |
+
self.status = f"_get_llm_function: embedding_dim error with fallback: {str(e)}"
|
| 308 |
+
|
| 309 |
+
# Create embedding function wrapper: # Wrap with EmbeddingFunc to provide required attributes
|
| 310 |
+
embed_func = EmbeddingFunc(
|
| 311 |
+
embedding_dim=embedding_dimension,
|
| 312 |
+
max_token_size=8192, #4096, #8192, # Conservative default | #ollama
|
| 313 |
+
func=self._embedding_func
|
| 314 |
+
)
|
| 315 |
+
|
| 316 |
+
# Get LLM function
|
| 317 |
+
#llm_func = await self._llm_model_func ##SMY: not used
|
| 318 |
+
|
| 319 |
+
# return LLM and embed functions
|
| 320 |
+
#return llm_func, embed_func
|
| 321 |
+
return await self._llm_model_func(), embed_func
|
| 322 |
+
|
| 323 |
+
except Exception as e:
|
| 324 |
+
self.status = f"{self.status} \n| _get_llm_functions error: {str(e)}"
|
| 325 |
+
raise # Re-raise to be caught by the setup method
|
| 326 |
+
|
| 327 |
+
'''
|
| 328 |
+
##SMY: record only. for deletion
|
| 329 |
+
# Wrap with EmbeddingFunc to provide required attributes
|
| 330 |
+
embed_func = EmbeddingFunc(
|
| 331 |
+
#embedding_dim=1536, # OpenAI's text-embedding-3-small dimension
|
| 332 |
+
#max_token_size=8192, # OpenAI's max token size
|
| 333 |
+
embedding_dim=3072, # Gemini's gemini-embedding-exp-03-07 dimension
|
| 334 |
+
max_token_size=8000, # Gemini's embedding max token size = 20000
|
| 335 |
+
func=embedding_func
|
| 336 |
+
)
|
| 337 |
+
'''
|
| 338 |
+
|
| 339 |
+
def _ensure_working_dir(self) -> str:
|
| 340 |
+
"""Ensure working directory exists and return status message"""
|
| 341 |
+
if not os.path.exists(self.working_dir):
|
| 342 |
+
os.makedirs(self.working_dir, exist_ok=True)
|
| 343 |
+
return f"Created working directory: {self.working_dir}"
|
| 344 |
+
return f"Working directory exists: {self.working_dir}"
|
| 345 |
+
|
| 346 |
+
##SMY: //TODO: Gradio toggle button
|
| 347 |
+
def _clear_old_data_files(self):
|
| 348 |
+
"""Clear old data files"""
|
| 349 |
+
files_to_delete = [
|
| 350 |
+
"graph_chunk_entity_relation.graphml",
|
| 351 |
+
"kv_store_doc_status.json",
|
| 352 |
+
"kv_store_full_docs.json",
|
| 353 |
+
"kv_store_text_chunks.json",
|
| 354 |
+
"vdb_chunks.json",
|
| 355 |
+
"vdb_entities.json",
|
| 356 |
+
"vdb_relationships.json",
|
| 357 |
+
]
|
| 358 |
+
|
| 359 |
+
for file in files_to_delete:
|
| 360 |
+
file_path = os.path.join(self.working_dir, file)
|
| 361 |
+
if os.path.exists(file_path):
|
| 362 |
+
os.remove(file_path)
|
| 363 |
+
print(f"Deleting old file:: {file_path}")
|
| 364 |
+
|
| 365 |
+
async def _initialise_storages(self) -> str:
|
| 366 |
+
#def _initialise_storages(self) -> str:
|
| 367 |
+
"""Initialise LightRAG storages and pipeline"""
|
| 368 |
+
try:
|
| 369 |
+
await self.rag.initialize_storages()
|
| 370 |
+
await initialize_pipeline_status()
|
| 371 |
+
return "Storages and pipeline initialised successfully"
|
| 372 |
+
except Exception as e:
|
| 373 |
+
return f"Storage initialisation failed: {str(e)}"
|
| 374 |
+
|
| 375 |
+
##SMY:
|
| 376 |
+
async def _initialise_rag(self):
|
| 377 |
+
"""Initialise lightRAG"""
|
| 378 |
+
|
| 379 |
+
##debug
|
| 380 |
+
# ## getting embedidngs dynamically
|
| 381 |
+
#self.status = f"Getting embeddings dynamically"
|
| 382 |
+
print(f"Getting embeddings dynamically")
|
| 383 |
+
print(f"_embedding_func: llm_model_embed: {self.llm_model_embed}")
|
| 384 |
+
print(f"_embedding_func: llm_api_key_embed: {self.llm_api_key_embed}")
|
| 385 |
+
print(f"_embedding_func: llm_baseurl_embed: {self.llm_baseurl_embed}")
|
| 386 |
+
# Get embedding
|
| 387 |
+
embedding_dimension = await self._get_embedding_dim()
|
| 388 |
+
print(f"Detected embedding dimension: {embedding_dimension}")
|
| 389 |
+
|
| 390 |
+
try:
|
| 391 |
+
rag = LightRAG(
|
| 392 |
+
working_dir=self.working_dir,
|
| 393 |
+
llm_model_max_async=self.llm_model_max_async, #1, #4, ##SMY: https://github.com/HKUDS/LightRAG/issues/128
|
| 394 |
+
max_parallel_insert=self.max_parallel_insert, #1, ## No of parralel files to process in one batch: assist: https://github.com/HKUDS/LightRAG/issues/1653#issuecomment-2940593112
|
| 395 |
+
llm_model_func=self._llm_model_func,
|
| 396 |
+
embedding_func=EmbeddingFunc(
|
| 397 |
+
embedding_dim=embedding_dimension,
|
| 398 |
+
max_token_size=8192,
|
| 399 |
+
func=self._embedding_func,
|
| 400 |
+
),
|
| 401 |
+
)
|
| 402 |
+
|
| 403 |
+
await rag.initialize_storages()
|
| 404 |
+
await initialize_pipeline_status()
|
| 405 |
+
|
| 406 |
+
self.status = f"Storages and pipeline initialised successfully" ##SMY: debug
|
| 407 |
+
return rag
|
| 408 |
+
except Exception as e:
|
| 409 |
+
return f"lightRAG initialisation failed: {str(e)}"
|
| 410 |
+
|
| 411 |
+
@handle_errors
|
| 412 |
+
#def setup(self, data_folder: str, working_dir: str, llm_backend: str,
|
| 413 |
+
async def setup(self, data_folder: str, working_dir: str, llm_backend: str,
|
| 414 |
+
openai_key: str, openai_baseurl: str, openai_baseurl_embed: str, llm_model_name: str,
|
| 415 |
+
llm_model_embed: str, ollama_host: str, embed_key: str) -> str:
|
| 416 |
+
"""Set up LightRAG with specified configuration"""
|
| 417 |
+
# Configure environment
|
| 418 |
+
#os.environ["OPENAI_API_KEY"] = openai_key or os.getenv("OPENAI_API_KEY", "")
|
| 419 |
+
##os.environ["OLLAMA_HOST"] = ollama_host or os.getenv("OLLAMA_HOST", "http://localhost:11434")
|
| 420 |
+
#os.environ["OLLAMA_API_BASE"] = os.getenv("OLLAMA_API_BASE") #, "http://localhost:1337/v1/chat/completions")
|
| 421 |
+
##os.environ["OPENAI_API_BASE"] = openai_baseurl or os.getenv("OPENAI_API_BASE", "https://openrouter.ai/api/v1")
|
| 422 |
+
#os.environ["OPENAI_API_EMBED_BASE"] = openai_baseurl_embed or os.getenv("OPENAI_API_EMBED_BASE") #, "http://localhost:1234/v1/embeddings")
|
| 423 |
+
|
| 424 |
+
# Update instance state
|
| 425 |
+
self.data_folder = data_folder
|
| 426 |
+
self.working_dir = working_dir
|
| 427 |
+
self.llm_backend = llm_backend
|
| 428 |
+
self.llm_model_name = llm_model_name
|
| 429 |
+
self.llm_model_embed = llm_model_embed
|
| 430 |
+
self.llm_baseurl = openai_baseurl
|
| 431 |
+
self.llm_baseurl_embed = openai_baseurl_embed
|
| 432 |
+
self.llm_api_key = openai_key
|
| 433 |
+
self.ollama_host = ollama_host
|
| 434 |
+
self.llm_api_key_embed = embed_key
|
| 435 |
+
|
| 436 |
+
try:
|
| 437 |
+
## ensure working folder exists and send status
|
| 438 |
+
try:
|
| 439 |
+
self.status = self._ensure_working_dir()
|
| 440 |
+
except Exception as e:
|
| 441 |
+
self.status = f"LightRAG initialisation.setup: working dir err | {str(e)}"
|
| 442 |
+
|
| 443 |
+
# Initialize lightRAG with storages
|
| 444 |
+
try:
|
| 445 |
+
self.rag = await self._initialise_rag()
|
| 446 |
+
self.status = f"{self.status}\n{self.rag}"
|
| 447 |
+
|
| 448 |
+
# set LightRAG class initialised flag
|
| 449 |
+
self._is_initialised = True
|
| 450 |
+
self.status = f"{self.status}\n Initialised LightRAG with {llm_backend} backend"
|
| 451 |
+
except Exception as e:
|
| 452 |
+
self.status = f"{self.status}\n LightRAG initialisation.setup and storage failed | {str(e)}"
|
| 453 |
+
|
| 454 |
+
except Exception as e:
|
| 455 |
+
self._is_initialised = False
|
| 456 |
+
self.status = (f"LightRAG initialisation failed: {str(e)}\n"
|
| 457 |
+
f"LightRAG with {working_dir} and {llm_backend} not initialised")
|
| 458 |
+
|
| 459 |
+
return self.status
|
| 460 |
+
|
| 461 |
+
''' ##SMY: disable to follow lightRAG documentations
|
| 462 |
+
@handle_errors
|
| 463 |
+
#def setup(self, data_folder: str, working_dir: str, llm_backend: str,
|
| 464 |
+
async def setup(self, data_folder: str, working_dir: str, llm_backend: str,
|
| 465 |
+
openai_key: str, llm_baseurl: str, llm_model_name: str,
|
| 466 |
+
llm_model_embed: str) -> str:
|
| 467 |
+
"""Set up LightRAG with specified configuration"""
|
| 468 |
+
'''
|
| 469 |
+
|
| 470 |
+
@handle_errors
|
| 471 |
+
async def index_documents(self, data_folder: str) -> Tuple[str, str]:
|
| 472 |
+
#def index_documents(self, data_folder: str) -> Tuple[str, str]:
|
| 473 |
+
"""Index markdown documents with progress tracking"""
|
| 474 |
+
if not self._is_initialised or self.rag is None:
|
| 475 |
+
return "Please initialise LightRAG first using the 'Initialise App' button.", "Not started"
|
| 476 |
+
|
| 477 |
+
md_files = get_markdown_files(data_folder)
|
| 478 |
+
if not md_files:
|
| 479 |
+
return f"No markdown files found in {data_folder}:", "No files"
|
| 480 |
+
|
| 481 |
+
try:
|
| 482 |
+
total_files = len(md_files)
|
| 483 |
+
#self.status = f"Starting to index {total_files} files..."
|
| 484 |
+
status_msg = f"Starting to index {total_files} files"
|
| 485 |
+
progress_msg = f"Found {total_files} files to index"
|
| 486 |
+
|
| 487 |
+
self.reset_cancel() ## Add <-- Reset at the start of each operation. ##TODO: ditto for query
|
| 488 |
+
for idx, md_file in enumerate(md_files, 1):
|
| 489 |
+
## cancel indexing
|
| 490 |
+
if self.cancel_event.is_set():
|
| 491 |
+
self.status = "Indexing cancelled by user."
|
| 492 |
+
return self.status, "Cancelled"
|
| 493 |
+
else:
|
| 494 |
+
#delay_between_files: float=60.0 ## Delay in seconds between files processing viz RateLimitError 429
|
| 495 |
+
try:
|
| 496 |
+
with open(md_file, "r", encoding="utf-8") as f:
|
| 497 |
+
text = f.read()
|
| 498 |
+
status_msg = f"Indexing file {idx}/{total_files}: {os.path.basename(md_file)}"
|
| 499 |
+
progress_msg = f"Processing {idx}/{total_files}: {os.path.basename(md_file)}"
|
| 500 |
+
# Use wrap_async for proper async handling
|
| 501 |
+
#wrap_async(self.rag.ainsert)(text, file_paths=md_file)
|
| 502 |
+
await self.rag.ainsert(text, file_paths=md_file) ##SMY:
|
| 503 |
+
await asyncio.sleep(self.delay_between_files) # Pause between file processing
|
| 504 |
+
except Exception as e:
|
| 505 |
+
#self.status = f"Error indexing {os.path.basename(md_file)}: {str(e)}"
|
| 506 |
+
status_msg = f"Error indexing {os.path.basename(md_file)}: {str(e)}"
|
| 507 |
+
progress_msg = f"Failed on {idx}/{total_files}: {os.path.basename(md_file)}"
|
| 508 |
+
continue
|
| 509 |
+
await asyncio.sleep(1) #(0) ## Add Yield to event loop
|
| 510 |
+
|
| 511 |
+
status_msg = f"{self.status}\n Successfully indexed {total_files} markdown files."
|
| 512 |
+
progress_msg = f"{self.status}\n Completed: {total_files} files indexed"
|
| 513 |
+
except Exception as e:
|
| 514 |
+
status_msg = f"{self.status}\n Indexing failed: {str(e)}"
|
| 515 |
+
progress_msg = "{self.status}\n Indexing failed"
|
| 516 |
+
|
| 517 |
+
return status_msg, progress_msg
|
| 518 |
+
|
| 519 |
+
@handle_errors
|
| 520 |
+
async def query(self, query_text: str, mode: str) -> str:
|
| 521 |
+
#def query(self, query_text: str, mode: str) -> str:
|
| 522 |
+
"""Query LightRAG with specified mode"""
|
| 523 |
+
if not self._is_initialised or self.rag is None:
|
| 524 |
+
return (f"Please initialise LightRAG first using the 'Initialise App' button. \n"
|
| 525 |
+
f" and index with 'Index Documents' button")
|
| 526 |
+
|
| 527 |
+
param = QueryParam(mode=mode)
|
| 528 |
+
## return lightRAG query answer
|
| 529 |
+
# Use wrap_async for proper async handling
|
| 530 |
+
#return await wrap_async(self.rag.aquery)(query_text, param=param)
|
| 531 |
+
return await self.rag.aquery(query_text, param=param) ##SMY:
|
| 532 |
+
#####Err
|
| 533 |
+
##return lambda *args, **kwargs: asyncio.run(_async_wrapper(*args, **kwargs))
|
| 534 |
+
##File "C:\Dat\dev\Python\Python312\Lib\asyncio\runners.py", line 190, in run
|
| 535 |
+
##raise RuntimeError(
|
| 536 |
+
##RuntimeError: asyncio.run() cannot be called from a running event loop
|
| 537 |
+
|
| 538 |
+
@handle_errors
|
| 539 |
+
def show_kg(self) -> str:
|
| 540 |
+
"""Display knowledge graph visualisation"""
|
| 541 |
+
## graphml_path: defaults to lightRAG's generated graph_chunk_entity_relation.graphml
|
| 542 |
+
## working_dir: lightRAG's working directory set by user
|
| 543 |
+
graphml_path = os.path.join(self.working_dir, "graph_chunk_entity_relation.graphml")
|
| 544 |
+
if not os.path.exists(graphml_path):
|
| 545 |
+
return "Knowledge graph file not found. Please index documents first to generate Knowledge Graph."
|
| 546 |
+
#return visualise_graphml(graphml_path)
|
| 547 |
+
return visualise_graphml(graphml_path, self.working_dir)
|
| 548 |
+
|
| 549 |
+
def reset_cancel(self):
|
| 550 |
+
"""Reset cancel event"""
|
| 551 |
+
self.cancel_event.clear()
|
| 552 |
+
|
| 553 |
+
def trigger_cancel(self):
|
| 554 |
+
"""Set cancel event"""
|
| 555 |
+
self.cancel_event.set()
|
| 556 |
+
|
| 557 |
+
# Instantiate app logic
|
| 558 |
+
app_logic = LightRAGApp()
|
| 559 |
+
|
| 560 |
+
# Gradio UI
|
| 561 |
+
def gradio_ui():
|
| 562 |
+
with gr.Blocks(theme=gr.themes.Soft(), title="LightRAG Knowledge Graph App") as gradio_ui: #demo:
|
| 563 |
+
gr.Markdown("""
|
| 564 |
+
# LightRAG-based Knowledge Graph RAG
|
| 565 |
+
Upload your markdown docs, index and build a knowledge graph, and query with OpenAI or Ollama. Visualise the KG interactively.
|
| 566 |
+
""")
|
| 567 |
+
with gr.Row():
|
| 568 |
+
data_folder = gr.Textbox(value="dataset/data/docs", label="Data Folder (markdown only)")
|
| 569 |
+
working_dir = gr.Textbox(value="./working_folder", label="lightRAG working folder")
|
| 570 |
+
llm_backend = gr.Radio(["OpenAI", "Ollama"], value="OpenAI", label="LLM Backend: OpenAI or Local")
|
| 571 |
+
llm_model_name = gr.Textbox(value=os.getenv("LLM_MODEL", ""), label="LLM Model Name") #.split('/')[1], label="LLM Model Name")
|
| 572 |
+
with gr.Row():
|
| 573 |
+
openai_key = gr.Textbox(value=os.getenv("OPENAI_API_KEY", ""), label="OpenAI API Key", type="password")
|
| 574 |
+
openai_baseurl = gr.Textbox(value=os.getenv("OPENAI_API_BASE", ""), label="OpenAI baseurl")
|
| 575 |
+
ollama_host = gr.Textbox(value=os.getenv("OLLAMA_HOST", "http://localhost:11434"), label="Ollama Host")
|
| 576 |
+
#ollama_host = gr.Textbox(value=os.getenv("OPENAI_API_EMBED_BASE", ""), label="Ollama Host")
|
| 577 |
+
openai_baseurl_embed = gr.Textbox(value=os.getenv("OPENAI_API_EMBED_BASE", ""), label="OpenAI Embed baseurl")
|
| 578 |
+
llm_model_embed = gr.Textbox(value=os.getenv("LLM_MODEL_EMBED",""), label="Embedding Model") #.split('/')[1], label="Embedding Model")
|
| 579 |
+
openai_key_embed = gr.Textbox(value=os.getenv("OPENAI_API_KEY_EMBED", ""), label="OpenAI API Key Embed", type="password") #("OLLAMA_API_KEY", ""), label="OpenAI API Key Embed", type="password")
|
| 580 |
+
setup_btn = gr.Button("Initialise App")
|
| 581 |
+
status_box = gr.Textbox(label="Status / Progress", interactive=True) #interactive=False)
|
| 582 |
+
with gr.Row():
|
| 583 |
+
index_btn = gr.Button("Index Documents")
|
| 584 |
+
stop_btn = gr.Button("Stop", variant="stop") ## Add cancel event button
|
| 585 |
+
query_text = gr.Textbox(label="Your Query")
|
| 586 |
+
mode = gr.Dropdown(["naive", "local", "global", "hybrid", "mix"], value="hybrid", label="Query Mode")
|
| 587 |
+
query_btn = gr.Button("Query")
|
| 588 |
+
answer_box = gr.Markdown(label="Answer")
|
| 589 |
+
kg_btn = gr.Button("Visualise Knowledge Graph")
|
| 590 |
+
kg_html = gr.HTML(label="Knowledge Graph Visualisation")
|
| 591 |
+
|
| 592 |
+
# Add progress tracking
|
| 593 |
+
progress = gr.Textbox(label="Progress", interactive=False)
|
| 594 |
+
|
| 595 |
+
# Button logic with async handling
|
| 596 |
+
async def setup_wrapper(df, wd, llm, oai, base, base_embed, model, embed, host, embedkey):
|
| 597 |
+
return await app_logic.setup(df, wd, llm, oai, base, base_embed, model, embed, host, embedkey)
|
| 598 |
+
|
| 599 |
+
async def index_wrapper(df):
|
| 600 |
+
return await app_logic.index_documents(df)
|
| 601 |
+
|
| 602 |
+
async def query_wrapper(q, m):
|
| 603 |
+
return await app_logic.query(q, m)
|
| 604 |
+
|
| 605 |
+
def stop_wrapper(): ##SMY sync or async
|
| 606 |
+
"""Cancel event wrapper"""
|
| 607 |
+
app_logic.trigger_cancel()
|
| 608 |
+
return "Cancellation requested. Awaiting current step to finish..."
|
| 609 |
+
|
| 610 |
+
# Button handlers
|
| 611 |
+
''' previous implementation before async coroutine err
|
| 612 |
+
setup_btn.click(
|
| 613 |
+
lambda df, wd, llm, oai, base, model, embed: app_logic.setup(df, wd, llm, oai, base, model, embed),
|
| 614 |
+
[data_folder, working_dir, llm_backend, openai_key, openai_baseurl, llm_model_name, llm_model_embed],
|
| 615 |
+
#[data_folder, llm_backend, openai_key, ollama_host, llm_model_name],
|
| 616 |
+
status_box,
|
| 617 |
+
)
|
| 618 |
+
index_btn.click(
|
| 619 |
+
lambda df: app_logic.index_documents(df),
|
| 620 |
+
[data_folder],
|
| 621 |
+
[status_box, progress],
|
| 622 |
+
)
|
| 623 |
+
query_btn.click(
|
| 624 |
+
lambda q, m: app_logic.query(q, m),
|
| 625 |
+
[query_text, mode],
|
| 626 |
+
answer_box
|
| 627 |
+
)
|
| 628 |
+
kg_btn.click(
|
| 629 |
+
lambda: app_logic.show_kg(),
|
| 630 |
+
None,
|
| 631 |
+
kg_html,
|
| 632 |
+
)
|
| 633 |
+
'''
|
| 634 |
+
'''
|
| 635 |
+
## setup() args:
|
| 636 |
+
async def setup(self, data_folder: str, working_dir: str, llm_backend: str,
|
| 637 |
+
openai_key: str, openai_baseurl: str, openai_baseurl_embed: str, llm_model_name: str,
|
| 638 |
+
llm_model_embed: str, ollama_host: str, embed_key: str) -> str:
|
| 639 |
+
'''
|
| 640 |
+
setup_btn.click(
|
| 641 |
+
fn=setup_wrapper,
|
| 642 |
+
inputs=[data_folder, working_dir, llm_backend, openai_key, openai_baseurl, openai_baseurl_embed, llm_model_name, llm_model_embed, ollama_host, openai_key_embed],
|
| 643 |
+
outputs=status_box,
|
| 644 |
+
show_progress=True
|
| 645 |
+
)
|
| 646 |
+
index_btn.click(
|
| 647 |
+
fn=index_wrapper,
|
| 648 |
+
inputs=[data_folder],
|
| 649 |
+
outputs=[status_box, progress],
|
| 650 |
+
show_progress=True
|
| 651 |
+
)
|
| 652 |
+
query_btn.click(
|
| 653 |
+
fn=query_wrapper,
|
| 654 |
+
inputs=[query_text, mode],
|
| 655 |
+
outputs=answer_box
|
| 656 |
+
)
|
| 657 |
+
kg_btn.click(
|
| 658 |
+
fn=app_logic.show_kg,
|
| 659 |
+
inputs=None,
|
| 660 |
+
outputs=kg_html,
|
| 661 |
+
show_progress=True
|
| 662 |
+
)
|
| 663 |
+
stop_btn.click(
|
| 664 |
+
fn=stop_wrapper,
|
| 665 |
+
inputs=[],
|
| 666 |
+
outputs=[status_box]
|
| 667 |
+
)
|
| 668 |
+
return gradio_ui
|
| 669 |
+
|
| 670 |
+
if __name__ == "__main__":
|
| 671 |
+
#gradio_ui().launch()
|
| 672 |
+
|
| 673 |
+
##SMY: assist: https://www.gradio.app/guides/developing-faster-with-reload-mode
|
| 674 |
+
##SMY: NB: gradio app_gradio_lightrag.py --demo-name=gradio_ui
|
| 675 |
+
async def main():
|
| 676 |
+
try:
|
| 677 |
+
app_logic = LightRAGApp()
|
| 678 |
+
gradio_ui().launch()
|
| 679 |
+
except Exception as e:
|
| 680 |
+
print(f"An error occurred: {e}")
|
| 681 |
+
finally:
|
| 682 |
+
if app_logic.rag:
|
| 683 |
+
await app_logic.rag.finalize_storages()
|
| 684 |
+
|
| 685 |
+
##SMY Configure logging before running the main function: See lightrag_openai_compatible_demo.py
|
| 686 |
+
configure_logging()
|
| 687 |
+
|
| 688 |
+
asyncio.run(main())
|
| 689 |
+
|
| 690 |
+
##SMY: gradio reload-mode watch: https://github.com/huggingface/smolagents/issues/789
|
| 691 |
+
#run_process(".", target=gradio_ui)
|
dataset/data/docs/DPSA_MIOS Framework V6 0.pdf-79231b43-278b-48ef-bc26-8335ce9a2f1b.md
ADDED
|
@@ -0,0 +1,322 @@
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1 |
+
# MINIMUM INTEROPERABILITYSTANDARDS (MIOS) FRAMEWORKFor Government Information Systems
|
| 2 |
+
|
| 3 |
+
Revision 6.00
|
| 4 |
+
|
| 5 |
+
March 2017
|
| 6 |
+
|
| 7 |
+
# APPROVAL
|
| 8 |
+
|
| 9 |
+
I, the undersigned,
|
| 10 |
+
|
| 11 |
+
In terms of the Public Service Act, 1994 (Proclamation 103 of 1994 ) sections 3(1)(f) and 3(1)(g) regarding electronic government norms and standards and the Public Service Regulations, 2016 Chapter 6, regulation 97, and the State Information Technology Agency Act, 1988 (Act 88 of 1998) sections 7(6)(a)(i) and 7(6)(b) and the State Information Agency General Regulations, 2005 ( R. 50 of 2005), Part 2, regulation 4.2 and 4.3 regarding interoperability standards and certification, hereby approve and issue the Minimum Interoperability Standard (MIOS) for Government Information Systems version 6.0 set by the State Information Technology Agency (Pty) Ltd (“SITA”) after consultation by SITA with departments and the Government Information Technology Officer Council (GITO Council) ;
|
| 12 |
+
|
| 13 |
+
The MIOS v6.0 supersedes and replaces all previous versions thereof, and are effective and must be complied with in terms of Public Service Regulations Chapter 6, regulation 97 from the date of signature; and
|
| 14 |
+
|
| 15 |
+
# MINISTER: PUBLIC SERVICE AND ADMINISTRATION
|
| 16 |
+
|
| 17 |
+
Ms A.F. Muthambi
|
| 18 |
+
|
| 19 |
+
# PUBLICATION ENQUIRIES
|
| 20 |
+
|
| 21 |
+
The Minimum Interoperability Standards (MIOS) for Government Information Systems is developed by the State Information Technology Agency (SITA): Norms Standards and Quality Department in consultation with GITOC and SC-AGC participating members.
|
| 22 |
+
|
| 23 |
+
Enquiries can be directed to:
|
| 24 |
+
|
| 25 |
+
The Chief Executive Officer
|
| 26 |
+
State Information Technology Agency SOC Ltd
|
| 27 |
+
459 Tsitsa Street, Erasmuskloof
|
| 28 |
+
PRETORIA, SOUTH AFRICA
|
| 29 |
+
The Chairperson
|
| 30 |
+
Government Information Technology Officers Council
|
| 31 |
+
Department of Public Service and Administration
|
| 32 |
+
Batho Pele House, 546 Edmond Street , Arcadia
|
| 33 |
+
PRETORIA, SOUTH AFRICA
|
| 34 |
+
|
| 35 |
+
This document is also available on the SITA website (http://www.sita.co.za)
|
| 36 |
+
|
| 37 |
+
# COPYRIGHT, TRADEMARKS AND INTELLECTUAL PROPERTY
|
| 38 |
+
|
| 39 |
+
Some of the standards, acronyms and terms that are referenced in this publication and the related addendums or catalogue are protected by copyright and/or intellectual property rights. The omission of the rightful copyright and/or intellectual property right owners’ information from this document is merely intended to simplify the structure of the document.
|
| 40 |
+
|
| 41 |
+
This document, in part or in whole, may be freely used on condition that the source is quoted.
|
| 42 |
+
|
| 43 |
+
# 1 OVERVIEW .
|
| 44 |
+
|
| 45 |
+
1.1 INTRODUCTION.. 5
|
| 46 |
+
1.2 MANDATE . 7
|
| 47 |
+
1.3 PURPOSE AND BENEFITS . 8
|
| 48 |
+
1.4 SCOPE.. . 8
|
| 49 |
+
1.4.1 Where does MIOS fit into the bigger picture? 8
|
| 50 |
+
1.4.2 What is included in MIOS?. 8
|
| 51 |
+
1.4.3 What is excluded from MIOS? . 9
|
| 52 |
+
1.5 APPLICABILITY AND COMPLIANCE . 9
|
| 53 |
+
1.5.1 To whom does MIOS apply? . 9
|
| 54 |
+
1.5.2 Exemption from applicability.. 11
|
| 55 |
+
2 MANAGEMENT PROCESSES . .12
|
| 56 |
+
2.1 PRINCIPLES . 12
|
| 57 |
+
2.2 STANDARD SETTING.. . 12
|
| 58 |
+
2.2.1 Standard Setting Responsibilities ..... . 12
|
| 59 |
+
2.2.2 Standard setting process . . 14
|
| 60 |
+
2.2.3 Standards Selection Principles.. . 16
|
| 61 |
+
2.2.4 MIOS review frequency .... . 17
|
| 62 |
+
2.3 STANDARDS CERTIFICATION... . 17
|
| 63 |
+
2.3.1 Standards Certification Responsibilities . . 17
|
| 64 |
+
3 MINIMUM INTEROPERABILITY STANDARDS (MIOS) ... ..19
|
| 65 |
+
3.1 BACKGROUND . . 19
|
| 66 |
+
3.2 VALIDITY OF THIS DOCUMENT . . 19
|
| 67 |
+
|
| 68 |
+
ANNEX A : ABBREVIATIONS . 20
|
| 69 |
+
|
| 70 |
+
# FIGURES
|
| 71 |
+
|
| 72 |
+
Figure 1: Government ICT House of Value .. Figure 2: e-Government information exchange scenarios . 10 Figure 3: Standards selection and setting process . 14
|
| 73 |
+
|
| 74 |
+
# 1.1 INTRODUCTION
|
| 75 |
+
|
| 76 |
+
(1) The South African Government, as represented by its National, Provincial and Local spheres and associated agencies, is committed to the continuous improvement of public service delivery. Such commitment has become an underlying theme across all departments’ strategic and annual performance plans. Following on this commitment government Information and Communication Technology leaders have embarked on an e-Government programme in 2001, which aspires to achieve the effective, efficient and economic management and utilisation of Information and Information and Communication Technology Resources in government as illustrated in the Government Information and Communication Technology (ICT) House of Value).
|
| 77 |
+
|
| 78 |
+

|
| 79 |
+
Figure 1: Government ICT House of Value
|
| 80 |
+
|
| 81 |
+
(2) The Information and Communication Technology House of Value serves as a reference to measure the performance of e-Government projects and systems, which includes interoperability1. The strategic drive to advance the maturity on interoperability not only compels government Information and Communication Technology leaders to collaborate on e-Government initiatives by sharing scarce resources, but it also provides a way for information to be exchanged electronically across traditional government system boundaries in order to improve public service delivery.
|
| 82 |
+
|
| 83 |
+
(3) The Information and Communication Technology House of value, comprises a roof, pillars and foundation, each representing the following:
|
| 84 |
+
|
| 85 |
+
(a) The outcomes (roof) of the e-Government programme on public sector operations are to:
|
| 86 |
+
|
| 87 |
+
(i) Lower cost of government service delivery operations, by reducing time, complexity, repetition and duplication of tasks.
|
| 88 |
+
(ii) Increased productivity of government operations, by improving the quality and quantity of traditional public sector outputs or introduce new processes to produce outputs and render services that were previously impossible.
|
| 89 |
+
(iii) Citizen Convenience when interacting with government, by offering equal access to government information systems and services, provides more and better information, improves information service quality and privacy, provides remedies for failures and offers best value for money2.
|
| 90 |
+
|
| 91 |
+
(b) The value (pillars) that the e-Government programme contributes to the public sector ICT environment is:
|
| 92 |
+
|
| 93 |
+
(i) Security, by ensuring that information systems and related technologies operate in a maintained security environment.
|
| 94 |
+
(ii) Interoperability, by ensuring that information systems and Information and Communication Technology infrastructure of government can interconnect and exchange information.
|
| 95 |
+
(iii) Reduced duplication, by eliminating unnecessary duplications, by promoting sharing and consolidation of Information systems and Information and Communication Technology infrastructure across government.
|
| 96 |
+
(iv) Economies of scale, by leveraging collective purchasing power of government to lower unit prices from industry.
|
| 97 |
+
(v) Digital inclusion, by promoting the South African ICT industry, with a particular emphasis on Broad Based Black Economic Empowerment (BBBEE), labour absorption, and stimulation of equitable economic growth and skills development of Information and Communication Technology in South Africa.
|
| 98 |
+
|
| 99 |
+
(c) The capabilities (foundation) by which to achieve the outcomes and values of eGovernment are:
|
| 100 |
+
|
| 101 |
+
(i) ICT planning, the capabilities that set direction and standards for Information and Communication Technology, Enterprise Architecture and to validate/certify conformance and performance thereto.
|
| 102 |
+
(ii) ICT integration, the capabilities that provide and develop Information and Communication Technology Systems and Technology Infrastructure into integrated Information and Communication Technology solutions.
|
| 103 |
+
(iii) ICT operations, the capabilities to ensure that Information and Communication Technology Systems and Technology Infrastructure are maintained in a reliable, available and secure environment.
|
| 104 |
+
|
| 105 |
+
(4) The advancement of interoperability in Government is an ongoing process and should be managed as a long-term, dynamic and agile programme. It is therefore incumbent upon the members of the Government Information Technology Officers Council to promote the objectives of interoperability and to observe the principles and comply with the standards as set out in MIOS during the life-cycle management of IS/ICT in government. It is also essential that MIOS remains updated and that it aligns to stakeholder requirements, changes in legislative environment, so that government can embrace the potential of technological advancement in the market and address the archival issues inherent to the digital age.
|
| 106 |
+
|
| 107 |
+
(5) The Minimum Interoperability Standards (MIOS) provides a set of mandatory standards that will ensure the achievement of the interoperability pillar in the ICT House of Value as illustrated in figure 1 above.
|
| 108 |
+
|
| 109 |
+
(6) Previous versions of MIOS were structured in a way which did not allow for sufficient agility to adapt to changing technology fronts or progress. This had the result that these versions of MIOS were found to be irrelevant within a time period of 2 or 3 years, and hence not adding perceived value to Government at large. For the above reason, it was decided to take a different approach with MIOS V6 and on. (Details of these changes are covered in Sections 3.1 and 3.2 of this document)
|
| 110 |
+
|
| 111 |
+
# 1.2 MANDATE
|
| 112 |
+
|
| 113 |
+
(1) Interoperability between Information Systems and Information-and-Communication Technology (IS/ICT) in government is mandated in accordance with the following legislation:
|
| 114 |
+
|
| 115 |
+
(a) Public Service Act, 1994 (Proclamation 103 of 1994) mandates the Minister of Public Service and Administration (“Minister”) to establish norms and standards for Information Management in the Public Service and e-Government respectively;
|
| 116 |
+
|
| 117 |
+
(b) Public Service Regulations, 2016 –
|
| 118 |
+
|
| 119 |
+
(i) Obligates heads of departments to comply with the MIOS.
|
| 120 |
+
(ii) Mandates the Minister to issue the MIOS.
|
| 121 |
+
|
| 122 |
+
(c) State Information Technology Agency (SITA) Act, 1998 (Act 88 of 1998) sections 7(6) (a) (i) and 7(6) (b) mandates SITA to set standards for interoperability between information systems in government, subject to approval by the Minister and to certify information technology goods and services for compliance against such approved standards.
|
| 123 |
+
|
| 124 |
+
(d) State Information Technology Agency General Regulation (R.50 of 2005) sections 4.2 and 4.3 prescribe the processes to set interoperability standards and to certify compliance of information systems thereto.
|
| 125 |
+
|
| 126 |
+
(e) Public Finance Management Act, 1999 (Act 1 of 1999) section 38(1)(b) and (e) holds an accounting officer responsible for the effective, efficient, economical and transparent use of the resources and to comply with audit commitments as required by legislation.
|
| 127 |
+
|
| 128 |
+
(1) The purpose of the MIOS is to prescribe open system standards that will ensure minimum level of interoperability within and between IS/ICT systems that are utilised in government, industry, citizens and the international community in support of the e-Government objectives.
|
| 129 |
+
|
| 130 |
+
(2) The benefits that MIOS provides to stakeholders are: (a) To government IS/ICT management communities, it provides a framework to ensure compliance with interoperability stipulations as set out in the SITA Act and Public Service Regulations respectively. It further underpins the collective value of IS/ICT as a strategic resource of government that must be valued, shared and used to improve public service delivery. (b) To enterprise architects, solution architects, designers and implementers, it provides a basis for designing, using and implementing open standards based solutions to improve interoperability and reduce duplication across government IS/ICT. (c) To acquirers, it provides the minimum mandatory technical specifications that must form part of all bid documents. (d) To the Certification Authority, it serves as a baseline by which to verify and certify conformance of IS/ICT goods and services for use in government. (e) To SITA, it provides the technical standards that are required to function as the Prime Systems Integrator (PSI) for Government. (f) To ICT goods and service providers, it substantiates government’s strategic intent towards the adoption of and migration to open standards and that only MIOS compliant products are considered for integration into the Government Information Infrastructure.
|
| 131 |
+
|
| 132 |
+
# 1.4 SCOPE
|
| 133 |
+
|
| 134 |
+
1.4.1 Where does MIOS fit into the bigger picture?
|
| 135 |
+
|
| 136 |
+
The MIOS is an integral part of the Government’s envisaged IS/ICT Governance Framework. It is also strongly related to, although not part of, the government structured processes because the MIOS prescribes the architecture model and notation standards needed to achieve interoperability among Enterprise Architecture tools and repositories, and the government structured processes, in turn, prescribes the adherence to MIOS during the development of ICT Plans and Blueprints in government.
|
| 137 |
+
|
| 138 |
+
# 1.4.2 What is included in MIOS?
|
| 139 |
+
|
| 140 |
+
The Minimum Interoperability Standard (MIOS) contains the following:
|
| 141 |
+
|
| 142 |
+
(a) The management processes and responsibilities for – (i) the setting and approval of interoperability standards, and (ii) the certification of IS/ICT products and services for compliance with such standards; and
|
| 143 |
+
|
| 144 |
+
(b) The set of interoperability standards regarding –
|
| 145 |
+
|
| 146 |
+
(i) Data format standards to enable exchange of data between government information systems (IS), and
|
| 147 |
+
(ii) Technical standards to interconnect, interoperate, access and exchange data among components of government Information and Communication Technology (ICT) infrastructure.
|
| 148 |
+
|
| 149 |
+
# 1.4.3 What is excluded from MIOS?
|
| 150 |
+
|
| 151 |
+
The MIOS does not prescribe any standards relating to business processes of IS/ICT services, except for the processes to set the standard and to certify compliance with such standards. The IS/ICT business process and service standards, such as ICT Governance practice standards, Enterprise Architecture practice standards, Information System Security practice standards, Quality Management practice standards, System Development Life Cycle (SDLC) practice standard, Project Management practice standard and ICT Service Management standards form part of the prevailing and evolving Government IS/ICT Governance Framework as referenced in par (1.4.1) above.
|
| 152 |
+
|
| 153 |
+
# 1.5 APPLICABILITY AND COMPLIANCE
|
| 154 |
+
|
| 155 |
+
1.5.1 To whom does MIOS apply?
|
| 156 |
+
|
| 157 |
+
The MIOS is normative (it is prescriptive and compliance is mandatory) to
|
| 158 |
+
|
| 159 |
+
o Heads of National departments
|
| 160 |
+
o Heads of Provincial departments
|
| 161 |
+
o associated agencies/entities as listed in the Schedules to the Public Service Act
|
| 162 |
+
|
| 163 |
+
The MIOS is informative (it is descriptive and compliance is not mandatory) to Heads of Local Government
|
| 164 |
+
|
| 165 |
+
To what does MIOS apply?
|
| 166 |
+
|
| 167 |
+
(1) According to the Public Service Regulations, Chapter 6, (Information Management and Electronic Government) regulation 97)–
|
| 168 |
+
|
| 169 |
+
“ (3) Any new information and communication technology system developed or acquired or any upgrade of any existing information and communication system in the public service shall comply with the MIOS. (4) A head of department shall(a) include compliance with the MIOS in the project approval procedure; and (b) ensure compliance to the MIOS in the acquisition or use of information and communication technology.”
|
| 170 |
+
|
| 171 |
+
(2) In context of e-Government, MIOS is applicable for compliance to all e-Government systems through their life-cycle of existence, where:
|
| 172 |
+
|
| 173 |
+
(a) e-Government system means “any information system in the public service” and the interoperability of e-Government systems (as illustrated in Figure 2: e-Government information exchange scenarios), is described as – (i) Government to Government (G2G) information system – any government information system that interconnects and exchanges information with another government information system (including any two information systems within a department). (ii) Government to Business (G2B) information system – any government information system that interconnects and exchanges information with a commercial or non-governmental business entity; and (iii) Government to Citizen (G2C) system – any government information system that interconnects and exchanges information with a citizen or community.
|
| 174 |
+
|
| 175 |
+

|
| 176 |
+
Figure 2: e-Government information exchange scenarios
|
| 177 |
+
|
| 178 |
+
(b) The life-cycle stages and conditions when MIOS is applicable, are for –
|
| 179 |
+
|
| 180 |
+
(i) A new Government system that is either under development or in acquisition;
|
| 181 |
+
(ii) An Government system that is upgraded in functionality to enable new business processes or that is upgraded in terms of its technology infrastructure (i.e. same business processes and functionality, but new technology infrastructure)
|
| 182 |
+
(iii) An existing (legacy) Government system in operation.
|
| 183 |
+
(iv) All technology stacks currently in use in government are accommodated in this framework. However, all new technologies/software/systems under consideration from the time this framework is adopted must be able to incorporate these standards while ensuring interoperability with legacy systems to ensure investments are protected.
|
| 184 |
+
|
| 185 |
+
# 1.5.2 Exemption from applicability
|
| 186 |
+
|
| 187 |
+
(1) A department or agency may apply to the Minister for a deviation from complying with MIOS in terms of regulation 4 of the Public Service Regulations, 2016.
|
| 188 |
+
|
| 189 |
+
(2) Consideration for exemption will only be given, for information systems that are –
|
| 190 |
+
|
| 191 |
+
(a) Specific to the unique operational requirements of a Department or Agency, provided that such a system is not an e-Government system; or
|
| 192 |
+
(b) Governed by strict international health or safety standards; or
|
| 193 |
+
(c) Embedded systems or closed systems (such as electro-mechanical systems, closed surveillance systems and real-time monitoring systems) that does not interoperate or exchange data with another system.
|
| 194 |
+
|
| 195 |
+
# 2.1 PRINCIPLES
|
| 196 |
+
|
| 197 |
+
In addition to the legislation on IS/ICT in government, the following principles regarding MIOS serve as a basis for decision-making:
|
| 198 |
+
|
| 199 |
+
(a) Approval of funding for the acquisition (including the development) of new or the modification of existing IS/ICT products or systems are dependent on the IS/ICT product or system being compliant with MIOS.
|
| 200 |
+
(b) It is the responsibility of the accounting officer of a department or agency to ensure that IS/ICT projects and systems comply with MIOS and that such compliance is subject to be audited/verified by the Auditor-general.
|
| 201 |
+
(c) When interconnectivity, data interoperability or information access is required between departments’ or agencies’ systems, the cost of rectifying a system that does not comply with MIOS rests with the owner of the non-compliant product or system.
|
| 202 |
+
|
| 203 |
+
# 2.2 STANDARD SETTING
|
| 204 |
+
|
| 205 |
+
# 2.2.1 Standard Setting Responsibilities
|
| 206 |
+
|
| 207 |
+
(1) The responsibilities and process for setting interoperability standards are governed in terms of the following legislation –
|
| 208 |
+
|
| 209 |
+
(a) Public Service Act states:
|
| 210 |
+
|
| 211 |
+
“3. (1) The Minister [of Public Service and Administration] is responsible for establishing norms and standards relating to – … (f) Information management in the public service; (g) Electronic government;” (b) Public Service Regulations, Chapter 6, Regulation 97, states: “Minimum Interoperability Standards 97(1) The Minister shall issue Minimum Interoperability Standards (herein referred to as the “MIOS”) for the public service.
|
| 212 |
+
|
| 213 |
+
(c) SITA Act, states: “7(6) The Agency – (a) Must set standards regarding – (i) The interoperability of information systems subject to the approval of the Minister; (b) Must certify every acquisition of any information technology goods or services by a department for compliance with those standards.”
|
| 214 |
+
|
| 215 |
+
(d) SITA General Regulations, states:
|
| 216 |
+
|
| 217 |
+
“4.2 SETTING OF STANDARDS
|
| 218 |
+
|
| 219 |
+
4.2.1 Before setting or amending standards regarding the interoperability of information systems between departments … in terms of section 7(6)(a) of the Act, the Agency must -
|
| 220 |
+
|
| 221 |
+
(a) Consult with departments and the GITO Council in order to assess the status of implemented systems and the proposed requirements;
|
| 222 |
+
|
| 223 |
+
(b) Conduct an implementation impact analysis and develop a business case demonstrating the cost-effectiveness of such standards; and
|
| 224 |
+
|
| 225 |
+
(c) Give due consideration to all representations received from departments and the GITO Council before submitting proposed standards, or an amendment thereof, to the Minister … for approval … .
|
| 226 |
+
|
| 227 |
+
4.2.2 The Agency must set the standards, contemplated in section 7(6)(a) of the [SITA] Act, not later than a date determined by the Minister.”
|
| 228 |
+
|
| 229 |
+
4.2.3 The standards set in terms of section 7(6)(a) of the [SITA] Act must be made available to all heads of departments and on the Agency's web site.”
|
| 230 |
+
|
| 231 |
+
(2) Following above legislation, the stakeholders and their respective responsibilities regarding the setting of interoperability standards are –
|
| 232 |
+
|
| 233 |
+
<html><body><table><tr><td>No</td><td>Stakeholder</td><td>Role and Responsibilities</td></tr><tr><td>1</td><td>Minister of Public Service and Administration (MPSA)</td><td>The standards promulgation authority to - a) Approve and issue the MlOs for implementation.</td></tr><tr><td>2</td><td>State Information Technology Agency (SITA)</td><td>The standards setting authority to - a) Consult with and consider inputs from departments and GlTO Council and keep abreast of standards development in the ICT industry. b) Conduct implementation impact analysis of changes to MIOs. c) Select and set the standards in MlOS subject to approval. d) Manage the development, configuration and</td></tr></table></body></html>
|
| 234 |
+
|
| 235 |
+
<html><body><table><tr><td>No</td><td>Stakeholder</td><td>Role and Responsibilities</td></tr><tr><td></td><td></td><td>e) Submit MlOS to GITOC for recommendation to Minister.</td></tr><tr><td>3</td><td>GITO Council</td><td>The standards advisory authority to - a) Give input to SITA on MIOS. b) Recommend the MlOS to the Minister for approval.</td></tr></table></body></html>
|
| 236 |
+
|
| 237 |
+
# 2.2.2 Standard setting process
|
| 238 |
+
|
| 239 |
+
(1) The process to review and set interoperability standards is inclusive. Therefore, all stakeholders, including Government Departments and their agencies, industry and the users are all encouraged to participate in improving interoperability, and to provide support on the implementation of the MIOS.
|
| 240 |
+
|
| 241 |
+
(2) The process to review and set interoperability standards for inclusion in MIOS is a consultative decision-making process that comprises a few steps involving a rule based filtration of interoperability standards as illustrated in Figure 3: Standards selection and setting process, and described as follows
|
| 242 |
+
|
| 243 |
+

|
| 244 |
+
Figure 3: Standards selection and setting process
|
| 245 |
+
|
| 246 |
+
(a) Step1: Compile a list of standards for consideration – referred to as the “White List”. The White List is an unbounded (unscreened) list of new or revised interoperability standards that are suggested by all stakeholders to be considered by the standards setting task team for inclusion into MIOS. This list is compiled by means of the following activities –
|
| 247 |
+
|
| 248 |
+
(i) Watch or keep abreast of standards development in the ICT market that involves periodic research into national and international standards development organisations and exploring the developments of other governments’ e-Government and interoperability programmes.
|
| 249 |
+
(ii) Consult with and solicit inputs from government stakeholders and interoperability champions.
|
| 250 |
+
(iii) Annual re-assessment of the effectiveness and relevance of the interoperability standards that are contained in the existing MIOS to identify standards that are not contributing (anymore) to the advancement of interoperability in government.
|
| 251 |
+
|
| 252 |
+
(b) Step 2: Filter the “White List” using the standards selection principles (as contained in section 2.2.3 below) and produce a list of candidate standards – referred to as the “Grey List”. The standards setting task team considers each standard in the White List and test it for conformance with the standard selection principles –
|
| 253 |
+
|
| 254 |
+
(i) A conformant standard is placed in the “Grey List”, which will be considered, subject to a further evaluation, for inclusion into MIOS.
|
| 255 |
+
(ii) A non-conformant standard is discarded, and will not be considered for further evaluation.
|
| 256 |
+
|
| 257 |
+
(c) Step 3: Assess the value and risks of standards in the “Grey List” and produce a list of recommended standards that will be added to or supersede existing standards in the MIOS – referred to as the “Green List”. The standards setting task team considers each standard in the Grey List and perform a benefit-risk impact assessment –
|
| 258 |
+
|
| 259 |
+
(i) A standard that passes the benefit-risk impact assessment is placed on the “Green List” and will be added to or supersede existing standards in the MIOS.
|
| 260 |
+
(ii) A standard that fails the benefit-risk impact assessment will be discarded and flagged as deprecated. A deprecated standard does not contribute to the advancement of interoperability in government anymore or it will introduce an unacceptable high risk to the public service delivery.
|
| 261 |
+
|
| 262 |
+
# 2.2.3 Standards Selection Principles
|
| 263 |
+
|
| 264 |
+
There are number of definitions of open standards which emphasise different aspects of openness, including of the resulting specification, the openness of the drafting process, and the ownership of rights in the standard.
|
| 265 |
+
|
| 266 |
+
The list below contains frequently cited indicators of the openness of a standard. For the purposes of the MIOS, a standard shall be considered open if it meets all of these criteria. There are standards which we are obliged to adopt for pragmatic reasons which do not necessarily fully conform to being open in all respects. In such cases, where an open standard does not yet exist, the degree of openness will be taken into account when selecting an appropriate standard:
|
| 267 |
+
|
| 268 |
+
• It should be maintained by a non-commercial organization;
|
| 269 |
+
• Participation in the ongoing development work is based on decision making processes that are open to all interested parties;
|
| 270 |
+
• Open access: all may access committee documents, drafts and completed standards free of cost or for a negligible fee;
|
| 271 |
+
• It must be possible for everyone to copy, distribute and use the standard free of cost; • The intellectual rights required to implement the standard (e.g. essential patent claims) are irrevocably available, without any royalties attached;
|
| 272 |
+
• There are no reservations regarding reuse of the standard; and
|
| 273 |
+
• There are multiple implementations of the standard.
|
| 274 |
+
|
| 275 |
+
The following principles shall apply during the selection of interoperability standards for inclusion or amendment to the MIOS:
|
| 276 |
+
|
| 277 |
+
(a) Interoperability: The standard is designed to advance interconnectedness and data exchange within and between systems.
|
| 278 |
+
(b) Openness: the specifications for the standards is open, which is characterised by: (i) The standard should be maintained by a non-commercial organization. (ii) The standard development and decision-making processes are inclusive and open to all interested parties. (iii) The standards development outputs, including documents, drafts and completed standards, are accessible to anyone at no cost or at a negligible fee. (iv) The intellectual rights required to implement the standard (e.g. essential patent claims) are irrevocably available, without any royalties attached. (v) The standard must not favour or provide exclusive rights to a particular vendor or product brand.
|
| 279 |
+
|
| 280 |
+
(c) Industry support: the standard is widely supported by the industry, and is likely to reduce the cost of and the risk inherent to systems.
|
| 281 |
+
|
| 282 |
+
# 2.2.4 MIOS review frequency
|
| 283 |
+
|
| 284 |
+
(1) The MIOS Framework should be reviewed once every two years or as the need arises, unless determined otherwise by the Minister. This review will be known as a major version update. (Note: The latest approved version of MIOS will remain in effect until it is superseded by an updated version).
|
| 285 |
+
|
| 286 |
+
(2) The Catalogue of Standards to MIOS Version 6 must be reviewed at least once per annum to incorporate advancements and changes of IS/ICT in government and industry. This review will be known as the “MIOS Catalogue update”. Version control on the Catalogue will be designated by the addition of sequential numbers e.g. MIOS 6.01, 6.02, 6.03, etc. The number $"6"$ will link the addendum to the framework which carries the same number. When the MIOS framework gets updated, a new number range will commence i.e. 7.01, 7.02 etc.
|
| 287 |
+
|
| 288 |
+
# 2.3 STANDARDS CERTIFICATION
|
| 289 |
+
|
| 290 |
+
# 2.3.1 Standards Certification Responsibilities
|
| 291 |
+
|
| 292 |
+
(1) Standards Certification is a process that verifies whether a system complies with the standards that are contained in MIOS. The responsibility to certify that e-Government systems comply with the MIOS are governed in terms of the following legislation:
|
| 293 |
+
|
| 294 |
+
(a) Public Service Regulations, 2016 Chapter 6, regulation 97 states: “(4) A head of department shall (a) include compliance with the MIOS in the project approval procedure; and (b) ensure compliance to the MIOS in the acquisition of use of information and communication technology”
|
| 295 |
+
|
| 296 |
+
(b) SITA Act, states: “7(6) The Agency … (b) must certify every acquisition of any information technology goods or services by a department for compliance with those standards.”
|
| 297 |
+
|
| 298 |
+
(c) SITA General Regulations, states:
|
| 299 |
+
|
| 300 |
+
“4.3 CERTIFICATION OF INFORMATION TECHNOLOGY GOODS AND SERVICES
|
| 301 |
+
|
| 302 |
+
4.3.1 The Agency must, conduct standard certification in respect of all information technology goods or services, which were acquired by departments before the commencement of these Regulations. …
|
| 303 |
+
|
| 304 |
+
4.3.3 The Agency must conduct standard certification of information technology goods or services –
|
| 305 |
+
|
| 306 |
+
(a) acquired … by a department from the Agency; … and (b) procured … by a department through the Agency …”
|
| 307 |
+
|
| 308 |
+
(2) From the above legislation, the stakeholders and their respective responsibilities regarding standards certification are as follows:
|
| 309 |
+
|
| 310 |
+
<html><body><table><tr><td>No</td><td>Stakeholder</td><td>Role and Responsibilities</td></tr><tr><td>1</td><td>Head of Department</td><td>The Accounting officer, who must ensure and account/report that all e-Government systems (assets) under his/her control comply with the MIOS.</td></tr><tr><td>2</td><td>SITA</td><td>The Certification Authority, who must certify that all e-Government systems - in acquisition and in operation - comply with MlOs.</td></tr><tr><td>3</td><td> Supplier / ICT Industry</td><td>Supplier, Provider and/or Integrator of e-Government systems, who must provide evidence that the e-Government system complies with MlOS in accordance to the MlOs Applicability Assessment provided by SlTA's Certification Authority.</td></tr></table></body></html>
|
| 311 |
+
|
| 312 |
+
# 3 MINIMUM INTEROPERABILITY STANDARDS (MIOS)
|
| 313 |
+
|
| 314 |
+
# 3.1 BACKGROUND
|
| 315 |
+
|
| 316 |
+
(1) The approach to MIOS 6 entails a physical split of the MIOS Framework and Principles Document and that of the Catalogue which contains the actual list of categories and standards. The two documents are linked again through means of cross referencing. (2) This approach will shorten the approval of the selected standards to ensure that these stay up to date and relevant to changing ICT progress and landscape within organs of state.
|
| 317 |
+
|
| 318 |
+
# 3.2 VALIDITY OF THIS DOCUMENT
|
| 319 |
+
|
| 320 |
+
(1) This document is validated by means of the signature of the Minister and will remain valid until a new version is approved.
|
| 321 |
+
|
| 322 |
+
<html><body><table><tr><td>BBBEE</td><td>Broad Based Black Economic Empowerment</td></tr><tr><td>BPMN</td><td>Business Process Modelling Notation</td></tr><tr><td>EA</td><td>Enterprise Architecture</td></tr><tr><td>GCIO</td><td>Government Chief Information Officer</td></tr><tr><td>GITO</td><td>Government Information Technology Officer</td></tr><tr><td>GITOC</td><td>Government Information Technology Officers Council</td></tr><tr><td>GWEA</td><td>Government Wide Enterprise Architecture</td></tr><tr><td>ICT</td><td>Information and Communication Technology</td></tr><tr><td>ISO</td><td>International Organisation for Standardisation</td></tr><tr><td>MIOS</td><td>Minimum Interoperability Standards</td></tr><tr><td>SC-AGC</td><td>Standing Committee on Architecture, Governance and Compliance</td></tr><tr><td>SITA</td><td>State Information Technology Agency</td></tr><tr><td>OMG</td><td>Object Management Group</td></tr><tr><td>TOGAF</td><td>The Open Group Architecture Framework</td></tr><tr><td>UML</td><td>Unified Modelling Language</td></tr></table></body></html>
|
dataset/data/docs/DPSA_cgict_Determination and Directive on the im.md
ADDED
|
dataset/data/docs/DPSA_minimum-interoperability-standards-mios-for-information-systems-in-governm.md
ADDED
|
@@ -0,0 +1,397 @@
| 1 |
+
# MINIMUM INTEROPERABILITYSTANDARDS (MIOS)
|
| 2 |
+
|
| 3 |
+
for Government Information Systems
|
| 4 |
+
|
| 5 |
+
Revision 5.0
|
| 6 |
+
|
| 7 |
+
November 2011
|
| 8 |
+
|
| 9 |
+
# APPROVAL
|
| 10 |
+
|
| 11 |
+
I, the undersigned –
|
| 12 |
+
|
| 13 |
+
in terms of the Public Service Act (Act 38 of 1994 as amended by Act 30 of 2007) sections 3(1)(f) and 3(1)(g) regarding electronic government norms and standards and the Public Service Regulations 2001 (as amended 2001 to 2010) Chapter 5, Part I and Part III, and the State Information Technology Agency Act (Act 88 of 1998 as amended by Act 38 of 2002) sections 7(6)(a)(i) and 7(6)(b) regarding interoperability standards and certification; and
|
| 14 |
+
|
| 15 |
+
after consultation with the Government Information Technology Officer’s Council (GITOC), hereby approves and issues the Minimum Interoperability Standard (MIOS) for Government Information Systems version 5.0; and
|
| 16 |
+
|
| 17 |
+
that the MIOS v5.0 supersedes and replaces all previous versions thereof, and be effective and must be complied with in terms of Public Service Regulations Chapter 5, Part III as from the date of signature.
|
| 18 |
+
|
| 19 |
+
Date
|
| 20 |
+
|
| 21 |
+
# PUBLICATION ENQUIRIES
|
| 22 |
+
|
| 23 |
+
The Minimum Interoperability Standards (MIOS) for Government Information Systems is developed by the State Information Technology Agency (SITA): Standards and Certification Unit in consultation with the Government Information Technology Officer Council (GITOC): Standing Committee on Architecture.
|
| 24 |
+
|
| 25 |
+
Enquiries can be directed to:
|
| 26 |
+
|
| 27 |
+
The Chief Executive Officer
|
| 28 |
+
State Information Technology Agency (Pty) Ltd
|
| 29 |
+
459 Tsitsa Street, Erasmuskloof
|
| 30 |
+
PRETORIA, SOUTH AFRICA
|
| 31 |
+
The Chairperson
|
| 32 |
+
Government Information Technology Officer’s Council
|
| 33 |
+
Department of Public Service and Administration
|
| 34 |
+
Batho Pele House, 116 Proes Street
|
| 35 |
+
PRETORIA, SOUTH AFRICA
|
| 36 |
+
|
| 37 |
+
This document is also available on the SITA website (http://www.sita.co.za)
|
| 38 |
+
|
| 39 |
+
# COPYRIGHT, TRADEMARKS AND INTELLECTUAL PROPERTY
|
| 40 |
+
|
| 41 |
+
Some of the standards, acronyms and terms that are referenced in this publication are protected by copyright and/or intellectual property rights. The omission of the rightful copyright and/or intellectual property right owners’ information from this document is merely intended to simplify the structure of the document.
|
| 42 |
+
|
| 43 |
+
This document, in part or in whole, may be freely used on condition that the source is quoted.
|
| 44 |
+
|
| 45 |
+
1 OVERVIEW .. .6
|
| 46 |
+
1.1 INTRODUCTION. 6
|
| 47 |
+
1.2 MANDATE .. 8
|
| 48 |
+
1.3 PURPOSE AND BENEFITS . . 8
|
| 49 |
+
1.4 SCOPE.. .. 9
|
| 50 |
+
1.4.1 Where does MIOS fit into the bigger picture? . .. 9
|
| 51 |
+
1.4.2 What is included in MIOS?. . 9
|
| 52 |
+
1.4.3 What is excluded from MIOS? . .. 10
|
| 53 |
+
1.5 APPLICABILITY AND COMPLIANCE . .... 10
|
| 54 |
+
1.5.1 To whom does MIOS apply? .. .... 10
|
| 55 |
+
1.5.2 To what does MIOS apply? .. . 10
|
| 56 |
+
1.5.3 Exemption from applicability.... .. 12
|
| 57 |
+
2 MANAGEMENT PROCESSES .... ....13
|
| 58 |
+
2.1 PRINCIPLES . . 13
|
| 59 |
+
2.2 STANDARD SETTING... .... 13
|
| 60 |
+
2.2.1 Standard Setting Responsibilities .. .. 13
|
| 61 |
+
2.2.2 Standard setting process . . 15
|
| 62 |
+
2.2.3 Standards Selection Principles... 17
|
| 63 |
+
2.2.4 MIOS review frequency ..... ..... 17
|
| 64 |
+
2.3 STANDARDS CERTIFICATION.. .... 18
|
| 65 |
+
2.3.1 Standards Certification Responsibilities ........ .. 18
|
| 66 |
+
2.3.2 Certification Process . ... 19
|
| 67 |
+
3 MINIMUM INTEROPERABILITY STANDARDS (MIOS) .... .....21
|
| 68 |
+
3.1 INTRODUCTION.. . 21
|
| 69 |
+
3.2 STANDARDS DEVELOPMENT ORGANISATIONS .... ....... 21
|
| 70 |
+
3.3 PUBLIC SECTOR AND COMMON DATA STANDARDS ... .... 23
|
| 71 |
+
3.4 TECHNICAL INTEROPERABILITY STANDARDS. ... 27
|
| 72 |
+
ANNEX A : ABBREVIATIONS . ..33
|
| 73 |
+
ANNEX B : PARTICIPANTS . .34
|
| 74 |
+
ANNEX C : DOCUMENT HISTORY . .....35
|
| 75 |
+
|
| 76 |
+
# FIGURES
|
| 77 |
+
|
| 78 |
+
Figure 1: Government ICT House of Value. . 6
|
| 79 |
+
Figure 2: e-Government information exchange scenarios ... . 11
|
| 80 |
+
Figure 2: Standards selection and setting process.. . 16
|
| 81 |
+
Figure 3: MIOS Certification Process.. . 19
|
| 82 |
+
Figure 5: GWEA: Technology Reference Model (TRM) . . 27
|
| 83 |
+
|
| 84 |
+
# 1.1 INTRODUCTION
|
| 85 |
+
|
| 86 |
+
(1) The South African Government, as represented by its National, Provincial and Local departments and associated agencies, is committed to the continuous improvement of public service delivery. Such commitment has become an underlying theme across all departments’ strategic and annual performance plans. Following on this commitment government ICT leaders have embarked on an e-Government programme in 2001, which aspires to achieve the effective, efficient and economic management and utilisation of Information and ICT Resources in government as illustrated in the Government ICT House of Value).
|
| 87 |
+
|
| 88 |
+

|
| 89 |
+
Figure 1: Government ICT House of Value
|
| 90 |
+
|
| 91 |
+
(2) The ICT House of Value serves as a reference to measure the performance of e-Government projects and systems, which includes interoperability1. The strategic drive to advance the maturity on interoperability not only compels government ICT leaders to collaborate on e-Government initiatives by sharing scarce resources, but it also provides a way for information to be exchanged electronically across traditional government system boundaries in order to improve public service delivery.
|
| 92 |
+
|
| 93 |
+
(3) The ICT House of value, comprises a roof, pillars and foundation, each representing the following:
|
| 94 |
+
|
| 95 |
+
(a) The outcomes (roof) of the e-Government programme on public sector operations are to:
|
| 96 |
+
|
| 97 |
+
(i) Lower cost of government service delivery operations, by reducing time, complexity, repetition and duplication of tasks.
|
| 98 |
+
(ii) Increased productivity of government operations, by improving the quality and quantity of traditional public sector outputs or introduce new processes to produce outputs and render services that were previously impossible.
|
| 99 |
+
(iii) Citizen Convenience when interacting with government, by offering equal access to government information systems and services, provides more and better information, improves information service quality and privacy, provides remedies for failures and offers best value for money2.
|
| 100 |
+
|
| 101 |
+
(b) The value (pillars) that the e-Government programme contributes to the public sector ICT environment is:
|
| 102 |
+
|
| 103 |
+
(i) Security, by ensuring that information systems and related technologies operate in a maintained security environment.
|
| 104 |
+
(ii) Interoperability, by ensuring that information systems and ICT infrastructure of government can interconnect and exchange information.
|
| 105 |
+
(iii) Reduced duplication, by eliminating unnecessary duplications, by promoting sharing and consolidation of Information systems and ICT infrastructure across government.
|
| 106 |
+
(iv) Economies of scale, by leveraging collective purchasing power of government to lower unit prices from industry.
|
| 107 |
+
(v) Digital inclusion, by promoting the South African ICT industry, with a particular emphasis on Brٟoad Based Black Economic Empowerment (BBBEE), labour absorption, and stimulation of equitable economic growth and skills development of ICT in South Africa.
|
| 108 |
+
|
| 109 |
+
(c) The capabilities (foundation) by which to achieve the outcomes and values of eGovernment are:
|
| 110 |
+
|
| 111 |
+
(i) ICT planning, the capabilities that set direction and standards for ICT, Enterprise Architecture and to validate/certify conformance and performance thereto.
|
| 112 |
+
(ii) ICT integration, the capabilities that provide and develop ICT Systems and Technology Infrastructure into integrated ICT solutions.
|
| 113 |
+
(iii) ICT operations, the capabilities to ensure that ICT Systems and Technology Infrastructure are maintained in a reliable, available and secure environment.
|
| 114 |
+
|
| 115 |
+
(4) The advancement of interoperability in Government is an ongoing process and should be managed as a long-term programme. It is therefore incumbent upon the members of the Government Information Technology Officers Council to promote the objectives of interoperability and to observe the principles and comply with the standards as set out in MIOS during the life-cycle management of IS/ICT in government. It is also essential that MIOS remains updated and that it aligns to stakeholder requirements, changes in legislative environment, so that government can embrace the potential of technological advancement in the market and address the archival issues inherent to the digital age.
|
| 116 |
+
|
| 117 |
+
(5) The MIOS provides a set of mandatory standards that will ensure the achievement of the interoperability pillar in the ICT House of Value as illustrated in figure 1 above.
|
| 118 |
+
|
| 119 |
+
# 1.2 MANDATE
|
| 120 |
+
|
| 121 |
+
(1) Interoperability between Information Systems and Information-and-Communication Technology (IS/ICT) in government is mandated in accordance with the following legislation:
|
| 122 |
+
|
| 123 |
+
(a) Public Service Act (Act 38 of 1994 as amended by Act 30 of 2007) mandates the Minister to establish norms and standards for Information Management in the Public Service and e-Government respectively;
|
| 124 |
+
(b) Public Service Regulations 2001 (as amended 2001 to 2010) – (i) Obligates heads of departments to comply with the MIOS. (ii) Mandates the Minister to issue the MIOS. (iii) Mandates the GITO Council to review and recommend to the Minister any amendments to the MIOS.
|
| 125 |
+
(c) State Information Technology Agency (SITA) Act (Act 88 of 1998 as amended by Act 38 of 2002) sections 7(6)(a)(i) and 7(6)(b) mandates SITA to set standards for interoperability between information systems in government and to certify information technology goods and services for compliance against such standards.
|
| 126 |
+
(d) State Information Technology Agency General Regulation (R.50 of 2005) sections 4.2 and 4.3 prescribe the processes to set interoperability standards and to certify compliance of information systems thereto.
|
| 127 |
+
(e) Public Finance Management Act (Act 1 of 1999 as amended by Act 29 of 1999) section 38(1)(b) and (d) holds an accounting officer responsible for the effective, efficient, economical and transparent use of the resources and to comply with audit commitments as required by legislation.
|
| 128 |
+
|
| 129 |
+
# 1.3 PURPOSE AND BENEFITS
|
| 130 |
+
|
| 131 |
+
(1) The purpose of the MIOS is to prescribe open system standards that will ensure minimum level of interoperability within and between IS/ICT systems that are utilised in government, industry, citizens and the international community in support of the e-Government objectives.
|
| 132 |
+
|
| 133 |
+
(2) The benefits that MIOS provides to stakeholders are:
|
| 134 |
+
|
| 135 |
+
(a) To government IS/ICT management communities, it provides a framework to ensure compliance with interoperability stipulations as set out in the SITA Act and Public Service Regulations respectively. It further underpins the collective value IS/ICT as a strategic resource of government that must be valued, shared and used to improve public service delivery.
|
| 136 |
+
|
| 137 |
+
(b) To enterprise architects, solution architects, designers and implementers, it provides a basis for designing, using and implementing open standards based solutions to improve interoperability and reduce duplication across government IS/ICT.
|
| 138 |
+
(c) To acquirers, it provides the minimum mandatory technical specifications that must form part of all bid documents.
|
| 139 |
+
(d) To the Certification Authority, it serves as a baseline by which to verify and certify conformance of IS/ICT goods and services for use in government.
|
| 140 |
+
(e) To SITA, it provides the technical standards that are required to function as the Prime Systems Integrator (PSI) for Government.
|
| 141 |
+
(f) To ICT goods and service providers, it substantiates government’s strategic intent towards the adoption of and migration to open standards and that only MIOS compliant products be considered for integration into the Government Information Infrastructure.
|
| 142 |
+
|
| 143 |
+
# 1.4 SCOPE
|
| 144 |
+
|
| 145 |
+
1.4.1 Where does MIOS fit into the bigger picture?
|
| 146 |
+
|
| 147 |
+
The MIOS is an integral part of the Government’s envisaged IS/ICT Governance Framework. It is also strongly related to, although not part of, the Government Wide Enterprise Architecture (GWEA) Framework (which sets the minimum standard for developing ICT Plans and Blueprints in government), because the MIOS prescribes the architecture model and notation standards needed to achieve interoperability among Enterprise Architecture tools and repositories, and the GWEA Framework, in turn, prescribes the adherence to MIOS during the development of ICT Plans and Blueprints in government.
|
| 148 |
+
|
| 149 |
+
# 1.4.2 What is included in MIOS?
|
| 150 |
+
|
| 151 |
+
The Minimum Interoperability Standard (MIOS) contains the following:
|
| 152 |
+
|
| 153 |
+
(a) The management processes and responsibilities for – (i) the setting and approval of interoperability standards, and (ii) the certification of IS/ICT products and services for compliance with such standards; and
|
| 154 |
+
(b) The set of interoperability standards regarding – (i) data format standards to enable exchange of data between government information systems (IS), and
|
| 155 |
+
|
| 156 |
+
(ii) technical standards to interconnect, interoperate, access and exchange data among components of government Information and Communication Technology (ICT) infrastructure.
|
| 157 |
+
|
| 158 |
+
# 1.4.3 What is excluded from MIOS?
|
| 159 |
+
|
| 160 |
+
The MIOS does not prescribe any standards relating to business processes of IS/ICT services, except for the processes to set the standard and to certify compliance with such standards. The IS/ICT business process and service standards, such as ICT Governance practice standards, Enterprise Architecture practice standards, Information System Security practice standards, Quality Management practice standards, System Development Life Cycle (SDLC) practice standard, Project Management practice standard and ICT Service Management standards form part of the prevailing and evolving Government IS/ICT Governance Framework as referenced in par (1.4.1) above.
|
| 161 |
+
|
| 162 |
+
# 1.5 APPLICABILITY AND COMPLIANCE
|
| 163 |
+
|
| 164 |
+
# 1.5.1 To whom does MIOS apply?
|
| 165 |
+
|
| 166 |
+
The MIOS is normative – it is prescriptive and compliance is mandatory – to heads of National and Provincial departments and associated agencies/entities as listed in the Schedules to the Public Service Act, and it is informative – it is descriptive and compliance is not mandatory – to heads of Local Government.
|
| 167 |
+
|
| 168 |
+
# 1.5.2 To what does MIOS apply?
|
| 169 |
+
|
| 170 |
+
(1) According to the Public Service Regulation, Chapter 5 (e-Government), Part III, C – “C.1 The following systems shall comply with the MIOS:
|
| 171 |
+
|
| 172 |
+
(a) every part of any new information system developed or acquired for the public service or any upgrade of any existing information system in the public service; and
|
| 173 |
+
(b) every legacy system that is part of electronic service delivery in the public service.
|
| 174 |
+
|
| 175 |
+
C.2 A head of department shall include compliance with the MIOS in the project approval procedure for the department. The MIOS shall be used in the audit and review of every project of a department.”
|
| 176 |
+
|
| 177 |
+
(2) In context of e-Government, MIOS is applicable for compliance to all e-Government systems through their life-cycle of existence, where:
|
| 178 |
+
|
| 179 |
+
(a) e-Government system means “any information system in the public service” and the interoperability of e-Government systems (as illustrated in Figure 2: e-Government information exchange scenarios), is described as –
|
| 180 |
+
|
| 181 |
+
(i) Government to Government (G2G) information system – any government information system that interconnects and exchanges information with another government information system (including any two information systems within a department).
|
| 182 |
+
(ii) Government to Business (G2B) information system – any government information system that interconnects and exchanges information with a commercial or non-governmental business entity; and
|
| 183 |
+
(iii) Government to Citizen (G2C) system – any government information system that interconnects and exchanges information with a citizen or community.
|
| 184 |
+
|
| 185 |
+

|
| 186 |
+
Figure 2: e-Government information exchange scenarios
|
| 187 |
+
|
| 188 |
+
(b) The life-cycle stages and conditions when MIOS is applicable, are for –
|
| 189 |
+
|
| 190 |
+
(i) A new e-Government system that is either under development or in acquisition;
|
| 191 |
+
(ii) An e-Government system that is upgraded in functionality to enable new business processes or that is upgraded in terms of its technology infrastructure (i.e. same business processes and functionality, but new technology infrastructure)
|
| 192 |
+
(iii) An existing (legacy) e-Government system in operation.
|
| 193 |
+
|
| 194 |
+
# 1.5.3 Exemption from applicability
|
| 195 |
+
|
| 196 |
+
(1) A department or agency may apply to the Minister to be exempted from complying with MIOS.
|
| 197 |
+
|
| 198 |
+
(2) The MIOS is recommended for, and will not be subjected to compliance certification, for information systems that are –
|
| 199 |
+
|
| 200 |
+
(a) Specific to the unique operational requirements of a Department or Agency, provided that such a system is not an e-Government system; or
|
| 201 |
+
(b) Governed by strict international health or safety standards; or
|
| 202 |
+
(c) Embedded systems or closed systems (such as electro-mechanical systems, closed surveillance systems and real-time monitoring systems) that does not interoperate or exchange data with another system.
|
| 203 |
+
|
| 204 |
+
# 2.1 PRINCIPLES
|
| 205 |
+
|
| 206 |
+
In addition to the legislation on IS/ICT in government, the following principles regarding MIOS serve as a basis for decision-making:
|
| 207 |
+
|
| 208 |
+
(a) Approval of funding for the acquisition (including the development) of new or the modification of existing IS/ICT products or systems are dependant on the IS/ICT product or system being compliant with MIOS.
|
| 209 |
+
(b) In terms of the Public Finance Management Act (PFMA) it is the responsibility of the accounting officer of a department or agency to ensure that IS/ICT projects and system comply with MIOS and that such compliance is subject to be audited/verified by the Auditor-general.
|
| 210 |
+
(c) When interconnectivity, data interoperability or information access is required between departments’ or agencies’ systems, the cost of rectifying a system that does not comply with MIOS rests with the owner of the non-compliant product or system.
|
| 211 |
+
|
| 212 |
+
# 2.2 STANDARD SETTING
|
| 213 |
+
|
| 214 |
+
# 2.2.1 Standard Setting Responsibilities
|
| 215 |
+
|
| 216 |
+
(1) The responsibilities and process for setting interoperability standards are governed in terms of the following legislation –
|
| 217 |
+
|
| 218 |
+
(a) Public Service Act states:
|
| 219 |
+
|
| 220 |
+
“3. (1) The Minister [of Public Service and Administration] is responsible for
|
| 221 |
+
establishing norms and standards relating to – … (f) information management in the public service; (g) electronic government;”
|
| 222 |
+
|
| 223 |
+
(b) Public Service Regulations, Chapter 5, Part III, states:
|
| 224 |
+
|
| 225 |
+
“B. MINIMUM INTEROPERABILITY STANDARDS
|
| 226 |
+
|
| 227 |
+
B.1 The Minister shall, after consultation with the Government Information Technology Officer Council (herein referred to as the “GITO Council”), issue Minimum Interoperability Standards (herein referred to as the “MIOS”) ...
|
| 228 |
+
|
| 229 |
+
D. REVIEW OF MIOS
|
| 230 |
+
|
| 231 |
+
For the purpose of recommending to the Minister new standards or the amendment or repeal of existing standards, the GITO Council shall from time to time review the MIOS.”
|
| 232 |
+
|
| 233 |
+
(c) SITA Act, states: “7(6) The Agency – (a) must set standards regarding – (i) the interoperability of information systems subject to the approval of the Minister; (b) must certify every acquisition of any information technology goods o services by a department for compliance with those standards.”
|
| 234 |
+
|
| 235 |
+
(d) SITA General Regulations, states:
|
| 236 |
+
|
| 237 |
+
“4.2 SETTING OF STANDARDS
|
| 238 |
+
|
| 239 |
+
4.2.1 Before setting or amending standards regarding the interoperability of information systems between departments … in terms of section 7(6)(a) of the Act, the Agency must -
|
| 240 |
+
|
| 241 |
+
(a) consult with departments and the GITO Council in order to assess the status of implemented systems and the proposed requirements;
|
| 242 |
+
|
| 243 |
+
(b) conduct an implementation impact analysis and develop a business case demonstrating the cost-effectiveness of such standards; and
|
| 244 |
+
|
| 245 |
+
(c) give due consideration to all representations received from departments and the GITO Council before submitting proposed standards, or an amendment thereof, to the Minister … for approval … .
|
| 246 |
+
|
| 247 |
+
4.2.2 The Agency must set the standards, contemplated in section 7(6)(a) of the [SITA] Act, not later than a date determined by the Minister.”
|
| 248 |
+
|
| 249 |
+
4.2.3 The standards set in terms of section 7(6)(a) of the [SITA] Act must be made available to all heads of departments and on the Agency's web site.”
|
| 250 |
+
|
| 251 |
+
(2) Following above legislation, the stakeholders and their respective responsibilities regarding the setting of interoperability standards are –
|
| 252 |
+
|
| 253 |
+
<html><body><table><tr><td>No</td><td>Stakeholder</td><td>Role and Responsibilities</td></tr><tr><td>1</td><td>Minister of Public Service and Administration (MPSA)</td><td>The standards promulgation authority to - a) Approve and issue the MlOs for implementation.</td></tr><tr><td>2</td><td>State Information Technology Agency (SITA)</td><td>The standards setting authority to - a) Consult with and consider inputs from departments and GlTO Council and keep abreast of standards development in the ICT industry. b) Conduct implementation impact analysis of changes to MIOS. c) Select and set the standards in MIOS. d) Manage the development, configuration and dissemination of the MIOS. e) Submit MlOS to GITOC for recommendation to</td></tr></table></body></html>
|
| 254 |
+
|
| 255 |
+
<html><body><table><tr><td>No</td><td> Stakeholder</td><td>Role and Responsibilities</td></tr><tr><td></td><td></td><td>Minister.</td></tr><tr><td>3</td><td>GITO Council</td><td>The standards recommending authority to - a) Initiate the review of the MIOS. b) Give direction to the working group in 4 below and monitor amendments to MlOS.</td></tr><tr><td>4</td><td>GITO Council Standing Committee on Architecture (SCARC)</td><td>c) Recommend the MlOS to the Minister for approval. The standards working group, delegated by the GITO Council, to - a) Promote the advancement of interoperability. b) Collaborate, improve and resolve technical issues on MIOS improvement. c) Assess the risk and impact of changes to the MlOS on e-Government systems.</td></tr></table></body></html>
|
| 256 |
+
|
| 257 |
+
# 2.2.2 Standard setting process
|
| 258 |
+
|
| 259 |
+
(1) The task of advancing interoperability between information systems across the public sector is a complex and on-going process. The interoperability standards, as contained in MIOS, must support and enhance Government’s business processes, and also ensure that new technological advances and innovations are leveraged to their full advantage.
|
| 260 |
+
|
| 261 |
+
(2) The process to review and set interoperability standards is inclusive. Therefore, all stakeholders, including Government Departments and their agencies, industry and the users are all encouraged to participate in improving interoperability, and to provide support on the implementation of the MIOS.
|
| 262 |
+
|
| 263 |
+
(3) The process to review and set interoperability standards for inclusion in MIOS is a consultative decision-making process that comprises a few steps involving a rule based filtration of interoperability standards as illustrated in Figure 3: Standards selection and setting process, and described as follows –
|
| 264 |
+
|
| 265 |
+

|
| 266 |
+
Figure 3: Standards selection and setting process
|
| 267 |
+
|
| 268 |
+
(a) Step1: Compile a list of standards for consideration – referred to as the “White List”. The White List is an unbounded (unscreened) list of new or revised interoperability standards that are suggested by all stakeholders to be considered by the standards setting task team for inclusion into MIOS. This list is compiled by means of the following activities –
|
| 269 |
+
|
| 270 |
+
(i) Watch or keep abreast of standards development in the ICT market that involves periodic research into national and international standards development organisations and exploring the developments of other governments’ e-Government and interoperability programmes.
|
| 271 |
+
(ii) Consult with and solicit inputs from government stakeholders and interoperability champions.
|
| 272 |
+
(iii) Assess the effectiveness and relevance of the interoperability standards that are contained in the existing MIOS to identify standards that are not contributing (anymore) to the advancement of interoperability in government.
|
| 273 |
+
|
| 274 |
+
(b) Step 2: Filter the “White List” using the standards selection principles (as contained in section 2.2.3 below) and produce a list of candidate standards – referred to as the “Grey List”. The standards setting task team considers each standard in the White List and test it for conformance with the standard selection principles –
|
| 275 |
+
|
| 276 |
+
(i) A conformant standard is placed in the “Grey List”, which will be considered, subject to a further evaluation, for inclusion into MIOS.
|
| 277 |
+
(ii) A non-conformant standard is discarded, and will not be considered for further evaluation.
|
| 278 |
+
|
| 279 |
+
(c) Step 3: Assess the value and risks of standards in the “Grey List” and produce a list of recommended standards that will be added to or supersede existing standards in the MIOS – referred to as the “Green List”. The standards setting task team considers each standard in the Grey List and perform a benefit-risk impact assessment – (i) A standard that passes the benefit-risk impact assessment is placed on the “Green List” and will be added to or supersede existing standards in the MIOS. (ii) A standard that fails the benefit-risk impact assessment will be discarded and flagged as deprecated. A deprecated standard does not contribute to the advancement of interoperability in government anymore or it will introduce an unacceptable high risk to the public service delivery.
|
| 280 |
+
|
| 281 |
+
# 2.2.3 Standards Selection Principles
|
| 282 |
+
|
| 283 |
+
The following principles shall apply during the selection of interoperability standards for inclusion or amendment to the MIOS:
|
| 284 |
+
|
| 285 |
+
(a) Interoperability: The standard is designed to advance interconnectedness and data exchange within and between e-Government systems.
|
| 286 |
+
(b) Openness: the specifications for the standards is open, which is characterised by: (i) The standard should be maintained by a non-commercial organization. (ii) The standard developmentٟand decision-making processes are inclusive and open to all interested parties. (iii) The standards development outputs, including documents, drafts and completed standards, are accessible to anyone at no cost or at a negligible fee. (iv) The intellectual rights required to implement the standard (e.g. essential patent claims) are irrevocably available, without any royalties attached. (v) The standard must not favour or provide exclusive rights to a particular vendor or product brand.
|
| 287 |
+
|
| 288 |
+
(c) Industry support: the standard is widely supported by the industry, and is likely to reduce the cost of and the risk inherent to e-Government systems.
|
| 289 |
+
|
| 290 |
+
# 2.2.4 MIOS review frequency
|
| 291 |
+
|
| 292 |
+
(1) The MIOS should be reviewed and updated on a bi-annual basis (once every two years), unless determined otherwise by the Minister. This review will be known as a major version update. (Note: The latest approved version of MIOS will remain in effect until it is superseded)
|
| 293 |
+
(2) Due to the rapid advancement of technology and associated proliferation of standards, it may be necessary to review parts of the MIOS from time to time to incorporate such advancements and changes of IS/ICT in government and industry. This review will be known as the minor version update.
|
| 294 |
+
|
| 295 |
+
# 2.3 STANDARDS CERTIFICATION
|
| 296 |
+
|
| 297 |
+
# 2.3.1 Standards Certification Responsibilities
|
| 298 |
+
|
| 299 |
+
(1) Standards Certification is a process that verifies whether an e-Government system complies with the standards that are contained in MIOS. The responsibility to certify that e-Government systems comply with the MIOS are governed in terms of the following legislation:
|
| 300 |
+
|
| 301 |
+
(a) Public Service Regulations, Chapter 5, Part III, C states: “C.2 A head of department shall include compliance with the MIOS in the project approval procedure for the department. The MIOS shall be used in the audit and review of every project of a department.”
|
| 302 |
+
(b) SITA Act, states: “7(6) The Agency … (b) must certify every acquisition of any information technology goods or services by a department for compliance with those standards.”
|
| 303 |
+
(c) SITA General Regulations, states: “4.3 CERTIFICATION OF INFORMATION TECHNOLOGY GOODS AND SERVICES 4.3.1 The Agency must, …, conduct standard certification in respect of all information technology goods or services, which were acquired by departments before the commencement of these Regulations. … 4.3.3 The Agency must conduct standard certification of information technology goods or services – (a) acquired … by a department from the Agency; … and (b) procured … by a department through the Agency …”
|
| 304 |
+
|
| 305 |
+
(2) From the above legislation, the stakeholders and their respective responsibilities regarding standards certification are as follows:
|
| 306 |
+
|
| 307 |
+
<html><body><table><tr><td>No</td><td>Stakeholder</td><td>Role and Responsibilities</td></tr><tr><td>1</td><td>Head of Department</td><td>The Accounting officer, who must ensure and account/report that all e-Government systems (assets) under his/her control comply with the MIOS.</td></tr><tr><td>2</td><td>SITA</td><td>The Certification Authority, who must certify that all e-Government systems - in acquisition and in operation - comply with MlOS.</td></tr><tr><td>3</td><td> Supplier / ICT Industry</td><td>Supplier, Provider and/or Integrator of e-Government systems, who must provide evidence that the e-Government system comply with MIOS.</td></tr></table></body></html>
|
| 308 |
+
|
| 309 |
+
# 2.3.2 Certification Process
|
| 310 |
+
|
| 311 |
+
(1) All e-Government systems must comply with MIOS. The certification management process implements the necessary controls into the existing Supply Chain Management, Solution Development and Solution Integration processes in order to meet the legislative requirement on interoperability.
|
| 312 |
+
|
| 313 |
+
(2) The certification controls are illustrated in Figure 4: MIOS Certification Process and is described in the following table: (Note: The illustration is not intended to describe the requirements management, supply chain, solution development or solution integration processes of government.)
|
| 314 |
+
|
| 315 |
+

|
| 316 |
+
Figure 4: MIOS Certification Process
|
| 317 |
+
|
| 318 |
+
<html><body><table><tr><td>No</td><td>Step</td><td>Responsibility and Activities</td></tr><tr><td>1</td><td>Define Requirement</td><td>Government (customer) defines the requirement for the acquisition or renewal of an e-Government System, which include the functional and technical requirements; and submit same to SITA Certification.</td></tr><tr><td>2</td><td>Verify MlOS criteria is part of requirement</td><td>SITA Certification verifies that the requirement (i.e. technical specification) includes the relevant MlOs Conformance Criteria as part of the Mandatory Technical Specifications in the Bid Document. This will inform prospective bidders/suppliers that their product on offer will be subject to MIOs Certification.</td></tr></table></body></html>
|
| 319 |
+
|
| 320 |
+
<html><body><table><tr><td>No Step</td><td></td><td>Responsibility and Activities</td></tr><tr><td></td><td></td><td>Note: Any conflicting technical specification (between the customer specification and the MlOS criteria) will be resolved before the request for bid documentation is published to</td></tr><tr><td>3</td><td>Prepare Offer</td><td>prospective suppliers. The prospective suppliers of ICT products prepare their offers and are obliged to indicate conformance of their product(s)</td></tr><tr><td>4</td><td>Certify Offer as MIOS Conformant</td><td>to the MIOS criteria. SITA Certification evaluates and verifies that the specifications of the product as offered by suppliers are conformant to the MlOS criteria, and issue a “MiOs Offer</td></tr><tr><td>5</td><td>Approve Supply of Product(s)</td><td>Certificate of Conformance" based on the offer. The customer verifies that the offer(s) meets his/her requirements and that it conforms to MlOS, and approves that the supply of the product(s) may proceed.</td></tr><tr><td>6a</td><td>Supply Product(s)</td><td>The supplier supplies the product(s) and declares with evidence that the actual product(s) conform to MlOs criteria.</td></tr><tr><td>6b</td><td>Initiate Certification of Installed Product(s)</td><td>SITA Certification may also on behalf of a department initiate a process or project to certify that legacy (installed) e-Government systems conform to MIOS.</td></tr><tr><td>7</td><td>Certify product(s) as MIOS conformant</td><td>SITA Certification unit evaluates and tests the actual installed product(s) - new or legacy product(s)- based on hard evidence by the supplier or interoperability test results or both and issues a "MlOs Product Certificate of</td></tr><tr><td>8</td><td>Account for MIOS compliance</td><td>Conformance". 
(A Certificate is issued per product) The Customer reports to the designated executive authority and give account to the Auditor General that his/her department comply with MlOs as legislated.</td></tr></table></body></html>
|
| 321 |
+
|
| 322 |
+
# 3 MINIMUM INTEROPERABILITY STANDARDS (MIOS)
|
| 323 |
+
|
| 324 |
+
# 3.1 INTRODUCTION
|
| 325 |
+
|
| 326 |
+
(1) This section of the MIOS defines the minimum set of open standards that are necessary to achieve the minimum level of interoperability across e-Government systems, and cites the standards development organisations from where these standards can be obtained.
|
| 327 |
+
|
| 328 |
+
(2) The list of interoperability standards is divided into two sections: (a) Public Sector Records and Data Standards, which must be used to achieve interoperability (data exchange) among e-Government information systems (IS); and (b) Technical Interoperability Standards, which must be used to achieve the required level of interoperability (i.e. network connectivity, data exchange protocols and interfaces, and uniform data access and presentation) across government ICT infrastructure.
|
| 329 |
+
|
| 330 |
+
The following convention is used in the respective standards tables:
|
| 331 |
+
|
| 332 |
+
“Ref” $\mathbf{\tau}=\mathbf{\tau}$ Unique MIOS Reference Number of the standard.
|
| 333 |
+
“Provider” means the Standards Development Organisation (SDO) who is either the owner or custodian of the interoperability standard as the case may be.
|
| 334 |
+
Text in square brackets $[]$ denotes the Standard Reference Number as allocated by the SDO.
|
| 335 |
+
Text in braces / curly brackets {} denotes a guideline or constraint on the implementation of the standard.
|
| 336 |
+
|
| 337 |
+
# 3.2 STANDARDS DEVELOPMENT ORGANISATIONS
|
| 338 |
+
|
| 339 |
+
The following Standards Development Organisations (SDOs) are cited in the MIOS. SDOs marked with an asterisk $(^{*})$ indicate that the standards are available from their respective web sites (Uniform Resource Locators (URL)).
|
| 340 |
+
|
| 341 |
+
<html><body><table><tr><td> SDO</td><td>Description</td><td>Uniform Resource Locator (URL)</td></tr><tr><td>ADL *</td><td>Advanced Distributed Learning</td><td>http://www.adlnet.gov</td></tr><tr><td>ANSI</td><td>American National Standards Institute</td><td>http://www.ansi.org</td></tr><tr><td rowspan="2">DHA DSD</td><td rowspan="2">Department of Home Affiars (South Africa) Department of Social Development (South Africa)</td><td>http://www.dha.gov.za</td></tr><tr><td>http://www.dsd.gov.za</td></tr></table></body></html>
|
| 342 |
+
|
| 343 |
+
<html><body><table><tr><td>SDO</td><td>Description</td><td>Uniform Resource Locator (URL)</td></tr><tr><td>ECMA</td><td>Ecma International - European association for standardizing information and communication systems (formerly known</td><td>http://www.ecma-international.org</td></tr><tr><td>ETSI</td><td>as "European Computer Manufacturers Association") European Telecommunications Standard</td><td>http://www.etsi.org</td></tr><tr><td>NIST</td><td>Institute National Institute of Standards and Technology [USA]: Federal Information</td><td>http://www.itl.nist.gov/fipspubs</td></tr><tr><td>IEEE</td><td>Processing Standards Institute of Electrical and Electronics Engineers</td><td>http://www.ieee.org</td></tr><tr><td>IETF *</td><td>Internet Engineering Task Force</td><td>http://www.ietf.org</td></tr><tr><td>IJS</td><td>Integrated Justice System</td><td>http://www.ijs.gov.za</td></tr><tr><td>ISO</td><td>International Organisation for Standardization</td><td>http://www.iso.org</td></tr><tr><td>ITU</td><td>International Telecommunication Union</td><td>http://www.itu.int</td></tr><tr><td>OAI *</td><td>Open Archives Initiative</td><td>http://www.openarchives.org</td></tr><tr><td>OASIS *</td><td>Organization for the Advancement of Structured Information Standards</td><td>http://www.oasis-open.org</td></tr><tr><td>OCLC</td><td>Online Computer Library Center</td><td>http://www.oclc.org</td></tr><tr><td>OGC *</td><td>Open Geospatial Consortium</td><td>http://www.opengeospatial.org</td></tr><tr><td>OMA</td><td>Open Mobile Alliance</td><td>http://www.openmobilealliance.org</td></tr><tr><td>OMG *</td><td>Object Management Group?</td><td>http://www.omg.org</td></tr><tr><td>PKWARE</td><td>PKWARE? 
Inc, open standard for compressed file format, ZIP)</td><td>http://www.pkware.com</td></tr><tr><td>SABS</td><td>South African Bureau of Standards (SDO for http://www.sabs.co.za South African National Standards (SANS))</td><td></td></tr><tr><td>SITA *</td><td> State Information Technology Agency</td><td>http://www.sita.co.za http://www.ifms.gov.za</td></tr><tr><td>W3C *</td><td>World Wide Web Consortium</td><td>http://www.w3c.org</td></tr><tr><td>WHO *</td><td>World Health Organisation</td><td>http://www.who.int</td></tr></table></body></html>
|
| 344 |
+
|
| 345 |
+
# 3.3 PUBLIC SECTOR SPECIFIC AND COMMON DATA STANDARDS
|
| 346 |
+
|
| 347 |
+
<html><body><table><tr><td>Ref</td><td>Component</td><td>Interoperability Standard and Identifier</td><td>Provider</td></tr><tr><td>D-1 </td><td colspan="2"> Governance and Administration data standards</td><td></td></tr><tr><td>D-1.1</td><td>Administration Records</td><td>Integrated Finance Management System (IFMS) Canonical Information Model (CIM): Financial Management, Supply Chain Management and Human Resource Management. {IFMS CIM is under development and is intended to supersede all existing Financial, Supply Chain and Human Resource data interchange standards for the Public Service; and it is not applicable to legacy</td><td>SITA (IFMS)</td></tr><tr><td>D-2</td><td colspan="2">systems} Identification and Citizen Status data standards</td><td>DHA</td></tr><tr><td>D-2.1</td><td>Citizen Status Record</td><td>Citizen Status Record Definition (as per National Population Register (NPR)) {NPR contains information of South African citizens, permanent residents and refugees who is identified by a unique Identity (ID) Number, Birth, Death, Marriage status, emigration or immigration status, passports and identity documents information.}</td><td></td></tr><tr><td>D-2.2</td><td>Biometric Data Element Specification</td><td>[SANS 19785-1]: Information Technology - Common Biometric Exchange Formats Framework - Part 1: Data Element specification</td><td>SABS</td></tr><tr><td>D-2.3</td><td>Biometric Data Interchange</td><td>[SANS 19794]: Information Technology Biometric data interchange formats - Part 1: Framework, Part 2: Finger minutiae data, Part 3: Finger pattern spectral, Part 4: Finger image data, Part 5: Face image data,</td><td>SABS</td></tr><tr><td>D-3</td><td colspan="2">and Part 7: Signature/sign behaviour. Health data standards</td><td></td></tr><tr><td>D-3.1</td><td>Disease codes</td><td>International Statistical Classification of Diseases and Related Health Problems, 10th Revision (ICD-10)</td><td>WHO</td></tr></table></body></html>
|
| 348 |
+
|
| 349 |
+
<html><body><table><tr><td>Ref</td><td>Component</td><td>Interoperability Standard and Identifier</td><td>Provider</td></tr><tr><td>D-3.2</td><td>Health lmage records</td><td>Digital lmaging and Communications in Medicine (DICOM), [ISO/IEC 12052]</td><td>ISO</td></tr><tr><td>D-4 D-4.1</td><td colspan="3">Social data standards</td></tr><tr><td></td><td>Child Protection Records</td><td>Child Protection Register data schema (Part A and B: Core Data schema and Data schema to support Integrated Justice System (IJS)) Child In Need of Care and Protection data schema Child Adoption Data schema Child Abduction Data schema Child Trafficked Data schema</td><td>DSD</td></tr><tr><td>D-4.2</td><td>Non-Profit Organisation Records Child In Conflict With</td><td>Non-Profit Organisation Register Data schema</td><td>DSD</td></tr><tr><td>D-4.3</td><td>The Law Records</td><td>Child Youth Care Data schema Secure Care Detention Facility Management (IAS) Data schema Child Justice Forms: Data schema</td><td>DSD</td></tr><tr><td>D-5</td><td colspan="3">Justice data standards</td></tr><tr><td>D-5.1</td><td>Criminal Justice records v1.3.0</td><td>South African Justice XML (SAJXML) Schema {The SAJxML schema is under development</td><td>IJS</td></tr><tr><td>D-6 </td><td colspan="3">and is subject to change.} Education and Learning data standards</td></tr><tr><td>D-6.1</td><td>Learner Unit Records</td><td>Learner Unit Record Information Tracking System (LURITS), Data Interchange</td><td>SITA</td></tr><tr><td>D-6.2</td><td>e-Learning/ Learning Management System</td><td>standard, Version 1.3, March 2010 Sharable Content Object Reference Model (SCORM ) v1.2, Oct 2001</td><td>ADL</td></tr><tr><td>D-7 </td><td colspan="3">Geographic and Location data standards</td></tr><tr><td>D-7.1</td><td>Cadastre and Addressing</td><td>Geographic Information - Address Standard, Part 1: Data format of addresses [SANS 1883-1]</td><td>SABS</td></tr><tr><td>D-7.2</td><td>Geospatial data</td><td>Geospatial Markup 
Language (GML) [ISO/IEC 19136:2007]</td><td>OGC and ISO</td></tr><tr><td>D-8</td><td colspan="3">Common Data standards</td></tr><tr><td>D-8.1</td><td>Hypertext Markup Language</td><td>Hypertext Markup Language (HTML) v4.01</td><td>W3C</td></tr></table></body></html>
|
| 350 |
+
|
| 351 |
+
<html><body><table><tr><td>Ref</td><td>Component</td><td>Interoperability Standard and Identifier</td><td>Provider</td></tr><tr><td colspan="2"></td><td>eXtensible Hypertext Markup Language (XHTML) v1.0 (Second Edition) {Government information systems will be designed so that as much information as possible can be accessed and manipulated from common commercial browsers through utilisation of functionality that is freely supported and available within the browser community. Refer also to MIOS T-</td><td></td></tr><tr><td>D-8.2</td><td>Wireless Hypertext Markup Language</td><td>5.13 Web Content Accessibility Guideline} Wireless Application Protocol (WAP) v2.0</td><td>OMA</td></tr><tr><td>D-8.3</td><td>Extensible Markup Language Syntax</td><td>Extensible Markup Language (XML) Version 1.0 (Fifth Edition) {Avoid the use of any product specific XML extensions that are not being considered for open standardisation within the W3C.}</td><td>W3C</td></tr><tr><td>D-8.4</td><td>Extensible Markup Language Schema</td><td>XML Schema Part 1: Structures Second Edition; and XML Schema Part 2: Data types Second Edition; OR REgular LAnguage for XML Next</td><td>W3C OASIS/ISO</td></tr><tr><td>D-8.5</td><td>Character set</td><td>Generation (RelaxNG), [ISO/IEC 19757] Transformation Format - 8 bit UTF-8/ASCll Formatted Text [RFC 3629] UNICODE [ISO/IEC 10646-1:2000]</td><td>IETF ISO</td></tr><tr><td>D-8.6</td><td>e-Mail message format</td><td>Multipurpose Internet Mail Extensions, MIME [RFC 2045, 2046, 2047, 2048 and 2077] Open Document Format (ODF) v1.0</td><td>IETF SABS</td></tr><tr><td>D-8.7</td><td>Office Document formats</td><td>[SANS 26300) Comma-Separated Values (CSV) [RFC4180] {for use in word-processing, spreadsheet, and presentation office suites}</td><td>IETF</td></tr><tr><td>D-8.8</td><td>Portable Document Format</td><td>Document management - Portable document format - Part 1: PDF 1.7 [SANS 32000-1] </td><td>SABS</td></tr></table></body></html>
|
| 352 |
+
|
| 353 |
+
<html><body><table><tr><td>Ref</td><td>Component</td><td>Interoperability Standard and Identifier</td><td>Provider</td></tr><tr><td></td><td></td><td>{for use in publishing and distributing read- only, preformatted forms and non-editable portable documents}</td><td></td></tr><tr><td>D-8.9</td><td>Graphical/still image file format</td><td>Joint Photographic Experts Group (JPEG) [ISO/IEC 10918-1:1994 Digital compression and coding of continuous- tone still images] Portable Network Graphics (PNG) [ISO/IEC 15948:2004] Tagged Image File Format (TlFF) v6 {TIFF should only be used for images that does not tolerate information loss}</td><td>ISO ISO Adobe</td></tr><tr><td>D-8.10</td><td>Multimedia audio/visual format</td><td>Moving Picture Experts Group 1 (MPEG-1), including MPEG-1 Audio Layer III (MP3), [ISO/IEC 11172] Moving Picture Expert Group 2 (MPEG-2), [SANS 13818] MPEG-4 Part 10, Advanced Video Coding</td><td>ISO SABS ISO</td></tr><tr><td>D-8.11</td><td>Compressed file format</td><td>/ H.264 (ISO/IEC 14496-10) Tape Archive (tar) [POSIX.1-2001] using GNU zip (gzip)[RFC1951 and RFC1952] or bzip2 ZIP [APPNOTE.TXT - .ZIP File Format Specification Version: 6.3.2 (2007)]</td><td>POSIX IETF PKWARE</td></tr></table></body></html>
|
| 354 |
+
|
| 355 |
+
# 3.4 TECHNICAL INTEROPERABILITY STANDARDS
|
| 356 |
+
|
| 357 |
+
(1) The Technical Interoperability Standards are grouped in accordance with the Government Wide Enterprise Architecture Framework: Technology Reference Model as illustrated in Figure 5: GWEA: Technology Reference Model (TRM)
|
| 358 |
+
|
| 359 |
+

|
| 360 |
+
|
| 361 |
+
Figure 5: GWEA: Technology Reference Model (TRM)
|
| 362 |
+
|
| 363 |
+
|
| 364 |
+
<html><body><table><tr><td>Ref</td><td>Component</td><td>Interoperability Standard</td><td>SDO</td></tr><tr><td>T-1</td><td colspan="3">Communications Infrastructure</td></tr><tr><td>T-1.1</td><td>LAN/WAN interworking</td><td>Internet Protocol (IP) Version 4[RFC 791]; and Transmission Control Protocol (TCP) [RFC 793, RFC 4614]; and User Datagram Protocol (UDP) [RFC 768]. {Government organisations are to interconnect using TCP/IP v4, and noting that RSA Government is</td><td>IETF</td></tr></table></body></html>
|
| 365 |
+
|
| 366 |
+
<html><body><table><tr><td colspan="4"></td></tr><tr><td>Ref</td><td>Component</td><td>Interoperability Standard</td><td>SDO</td></tr><tr><td>T-1.2</td><td>LAN/WAN Internet Conferencing</td><td>Audiovisual and multimedia systems, [H.323] Session Initiation Protocol (SIP), [RFC 3261]</td><td>ITU IETF</td></tr><tr><td>T-1.3</td><td>Mobile Data link</td><td>The General Packet Radio Service (GPRS) specifications for Mobile Stations ("2G"), [EN No: 310 113,301 344,301 347 and TS 101 297, 101 351]</td><td>ETSI</td></tr><tr><td>T-1.4</td><td>Mobile Text Message</td><td>The Short Message Service (SMS) specifications for Mobile Stations including, [ETS 300 536 & 537, 300 559& 560]</td><td>ETSI</td></tr><tr><td>T-1.5</td><td>Mobile Multimedia Message</td><td>The Multimedia Messaging Service (MMS) specifications for Mobile Stations, [TS 122 140, 123 140, 126 140]</td><td>ETSI</td></tr><tr><td>T-2 </td><td colspan="3"> Computing Platforms, Peripherals and Sensors</td></tr><tr><td>T-2.1</td><td></td><td>{No prescribed minimum interoperability standards}</td><td></td></tr><tr><td>T-3 </td><td colspan="3"> Database Management Infrastructure</td></tr><tr><td>T-3.1</td><td>Relational Database Query Language</td><td>Structured Query Language (SQL) 2006, [ISO/IEC 9075-14:2006]</td><td>ISO/IEC</td></tr><tr><td>T-3.2</td><td>Content management metadata</td><td>Information and documentation - The Dublin Core metadata element set [SANS 15836]</td><td>SABS</td></tr><tr><td>T-3.3</td><td>Metadata harvesting Ontology-based</td><td>Open Archives Initiative Protocol for Metadata Harvesting 2.0 (OAl-PMH), [T20:42:00Z] Web Ontology Language (OWL) Semantics and|W3C</td><td>OAI</td></tr><tr><td>T-3.4 T-3.5</td><td>information exchange Content-sensitive</td><td>Abstract Syntax OpenURL v1.0 [ANSI/NISO Z38.88-2004]</td><td>ANSI</td></tr><tr><td></td><td>linking</td><td>{The openURL is designed to enable the transfer of the metadata from the information service to a service component that can provide 
context- sensitive services for the transferred metadata}</td><td></td></tr><tr><td>T-4</td><td colspan="3"> Middleware Infrastructure</td></tr><tr><td>T-4.1</td><td>Directory schema</td><td> X.500 core schema [IsO/iEC 9594].</td><td>IEC/ISO</td></tr><tr><td>T-4.2</td><td>Directory access</td><td>Lightweight Directory Access Protocol LDAP v3 [RFC 4510]</td><td>IETF</td></tr></table></body></html>
|
| 367 |
+
|
| 368 |
+
<html><body><table><tr><td>Ref</td><td>Component</td><td>Interoperability Standard</td><td>SDO</td></tr><tr><td></td><td></td><td>{For use in general-purpose directory user access}</td><td></td></tr><tr><td>T-4.3</td><td>Internet domain naming</td><td>Domain Name System (DNS) [RFC 1032 to RFC1035 and related updates] {Projects are to follow the South African</td><td>IETF</td></tr><tr><td>T-4.4</td><td>Web service</td><td>Government Domain Naming policy. Domain Name Services (DNS) must be used for Internet and Intranet IP address name resolution.} Simple Object Access Protocol SOAP v1.2 (Second</td><td>W3C</td></tr><tr><td>T-4.5</td><td>access Web service</td><td>Edition) Universal Description, Discovery and Integration</td><td>OASIS</td></tr><tr><td>T-4.6</td><td>registry Web service</td><td>UDDI v3.0 Web Service Description Language (WSDL) v2.0</td><td>W3C</td></tr><tr><td>T-5 </td><td>description Application Delivery Services and Information Access</td><td></td><td></td></tr><tr><td>T-5.1</td><td colspan="2">Web transport Hypertext Transfer Protocol, HTTP v1.1 [RFC 2616]</td><td>IETF/W3C</td></tr><tr><td>T-5.2</td><td>Web forms</td><td>Xforms v1.1 (2009)</td><td>W3C</td></tr><tr><td>T-5.3</td><td>Browser scripting</td><td> JavaScript [ECMA 262]</td><td>ECMA</td></tr><tr><td>T-5.4</td><td>e-Mail transport</td><td> Simple Mail Transfer Protocol SMTP [RFC 2821,</td><td>IETF</td></tr><tr><td>T-5.5</td><td>e-Mail access</td><td>RFC 2822] 1 Internet Message Access Protocol v4 Rel 1, IMAP v4.1 [RFC 3501] or</td><td>IETF</td></tr><tr><td>T-5.6</td><td>Internet File transfer</td><td>Post Office Protocol version 3, POP3 [RFC 1939] ■ File Transfer Protocol (FTP), [RFC 959, RFC 1579, RFC 2428] Secure copy (SCP) [OpenBSD reference implementation]</td><td>IETF</td></tr><tr><td>T-5.7</td><td>XML Data</td><td>{Restart and recovery functionality of FTP are to be used when transferring very large files} Extensible Stylesheet Language (XSL) v1.1 
W3C</td><td></td></tr><tr><td>T-5.8</td><td>transformation XML Data query</td><td>XML Path Language (XPath) v2.0</td><td>W3C</td></tr><tr><td>T-5.9</td><td>XML Signature</td><td>■ XML Signature Syntax and Processing (Second Edition)</td><td>W3C</td></tr><tr><td></td><td></td><td>XML Digital Signatures (XML-DSlG) in the 2006 XML Environment</td><td></td></tr><tr><td>T-5.10</td><td>Digital Object Identification</td><td>Syntax for the Digital Object ldentifier [ANSl z39.84]|ANSI {for use in digital rights management}</td><td></td></tr></table></body></html>
|
| 369 |
+
|
| 370 |
+
<html><body><table><tr><td>Ref</td><td>Component</td><td>Interoperability Standard</td><td>SDO</td></tr><tr><td>T-5.11</td><td>Web Content syndication</td><td>Resource Description Framework (RDF) Site Summary (RSS) Version 1.0, [RSS-DEV working Group, http://web.resource.org] Really Simple Syndication (RSS) Version 2.0, [RSS 2.0, Berkman Center at Harvard Law</td><td></td></tr><tr><td>T-5.12</td><td>Distributed 1 searching and Retrieval</td><td>School, http://cyber.law.harvard.edu/rss/] Information Retrieval: Application Service Definition and Protocol Specification, Z39.50 [ANSI/NISO Z39.50, ISO/IEC 23950:1998] Search Retrieval via URL (SRU) Version 1.2 [http://www.loc.gov/standards/sru/]</td><td>ANSI</td></tr><tr><td></td><td>T-5.13|Web Accessibility for the visual impaired</td><td>Web Content Accessibility Guidelines (WCAG) 2.0 (2008) {A guideline for development of government websites and/or web enabled applications to improve access for the visual impaired user</td><td>W3C</td></tr><tr><td>T-6</td><td>community} System Security</td><td></td><td></td></tr><tr><td>T-6.1</td><td> E-Mail Security</td><td>Secure/Multipurpose Internet Mail Extensions (S/MIME) V3 [RFC 2630 to RFC 2633] {shall be used where appropriate for pan government messaging security unless security</td><td>IETF</td></tr><tr><td>T-6.2</td><td>IP Network security and Virtual Private</td><td>requirements dictate otherwisel. 
Security Architecture for the Internet Protocol (Internet Protocol Security (IPsec)), [RFC 4301]</td><td>IETF</td></tr><tr><td>T-6.3</td><td>Networking IP Network authentication and encapsulation</td><td>IP Authentication Header (AH) [RFC 4302], and 1IP Encapsulating Security Payload (ESP), [RFC 4303]</td><td>IETF</td></tr><tr><td>T-6.4</td><td>security Transport Layer security</td><td>Transport Layer Security (TLS) Protocol Version 1.2, [RFC 5246]</td><td>IETF</td></tr><tr><td>T-6.5</td><td>Encryption algorithms (block and stream</td><td>■Advanced Encryption Standard (AES), [SANS18033-3 Information technology - Security techniques - Encryption algorithms</td><td>SABS</td></tr><tr><td></td><td>ciphers)</td><td>Part 3: Block ciphers]; OR · TWOFISH,[FIPS PUB 197] {AES is the preferred cipher algorithm and it should</td><td>NIST</td></tr></table></body></html>
|
| 371 |
+
|
| 372 |
+
<html><body><table><tr><td>Ref</td><td>Component</td><td>Interoperability Standard</td><td>SDO</td></tr><tr><td>T-6.6</td><td></td><td>be used for both block and stream ciphers applications. TWOFiSH should only be used as an alternative where AES is not possible.}</td><td></td></tr><tr><td></td><td>Encryption algorithms (asymmetric ciphers)</td><td>■ RSA 2048bit (Rivest, Shamir and Adleman), [SANS 18033-2 Security techniques - Encryption algorithms Part 2: Asymmetric ciphers]; Or ■ ECC 256 bit (Elliptic Curve Cryptography), [SANS 15946 Security techniques - Cryptographic techniques based on elliptic curves]</td><td>SABS</td></tr><tr><td>T-6.7</td><td>Hashing</td><td>Secure Hash Algorithm II (SHA-ll) SHA-256, or SHA- 384 [SANS 18033 -3 or ISO/IEC 10118-3]</td><td>SABS</td></tr><tr><td>T-6.8</td><td>Message 1 Authentication</td><td>Message Authentication Code (MAC) with Block cipher [SANS 9797-1]; and/or Message Authentication Code (MAC) with Hash function [SANS 9797-2]</td><td>SABS</td></tr><tr><td>T-6.9</td><td>Digital Signatures</td><td>RSA-DSA (Rivest, Shamir and Adleman - Digital Signing Algorithm) [SANS 14888]; or EC-DSA (Elyptic Curve - Digital Signing Algorithm, [SANS 14888]</td><td>SABS</td></tr><tr><td>T-6.10</td><td>Key Management</td><td>Security Techniques - Key Management: Part 3 Mechanisms using asymmetric techniques [SANS 11770-3:2009]</td><td>SABS</td></tr><tr><td>T-6.11</td><td>Public Key Infrastructure certificates</td><td>Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile (X.509 v3), [RFC 5280]</td><td>ITU </td></tr><tr><td>T-6.12</td><td>XML Security mark-up Secure XML</td><td>Security Assertion Markup Language (SAML) v2.0 OASIS XCBF 1.1 Specification.</td><td>OASIS OASIS</td></tr><tr><td>T-6.13</td><td>Encoding for exchanging biometric data</td><td>Secure XML encodings for the patron formats specified in CBEFF, the Common Biometric Exchange File Format [NISTIR 6529].</td><td></td></tr><tr><td>T-7 
T-7.1</td><td colspan="2">System Management Network Simple Network Management Protocol (SNMP) v3|IETF</td><td></td></tr><tr><td></td><td>Management [RFC 3411-RFC 3418] Protocol</td><td></td><td></td></tr><tr><td>T-8</td><td colspan="2"> System Engineering</td><td></td></tr><tr><td>T-8.1</td><td>Software</td><td>Unified Modelling Language (UML) v2.1.1</td><td>OMG</td></tr></table></body></html>
|
| 373 |
+
|
| 374 |
+
<html><body><table><tr><td>Ref</td><td>Component</td><td>Interoperability Standard</td><td>SDO</td></tr><tr><td></td><td>Engineering Modelling Language</td><td></td><td></td></tr><tr><td>T-8.2</td><td>Business Process Modelling Language</td><td> Business Process Model and Notation (BPMN) v1.1</td><td>OMG</td></tr><tr><td>T-8.3</td><td>Business Function Modelling Language</td><td>Integrated Definition Language for Function Modelling (IDEF-O)- Federal Information Processing Standard Publication 183, [FlPS PUB</td><td>NIST</td></tr><tr><td>T-8.4</td><td>Model exchange</td><td>183] XML Metadata Interchange (XMl) version 2.1</td><td>OMG</td></tr></table></body></html>
|
| 375 |
+
|
| 376 |
+
BBBEE Broad Based Black Economic Empowerment
|
| 377 |
+
BPMN Business Process Modelling Notation
|
| 378 |
+
EA Enterprise Architecture
|
| 379 |
+
GITO Government Information Technology Officer
|
| 380 |
+
GITOC Government Information Technology Officers Council
|
| 381 |
+
GWEA Government Wide Enterprise Architecture
|
| 382 |
+
ICT Information and Communication Technology
|
| 383 |
+
ISO International Organisation for Standardisation
|
| 384 |
+
MIOS Minimum Interoperability Standards
|
| 385 |
+
SCARC Standing Committee on Architecture
|
| 386 |
+
SITA State Information Technology Agency
|
| 387 |
+
OMG Object Management Group
|
| 388 |
+
TOGAF® The Open Group Architecture Framework
|
| 389 |
+
UML Unified Modelling Language
|
| 390 |
+
|
| 391 |
+
MIOS was developed by SITA Standards-and-Certification unit in collaboration and consultation with GITOC and SCARC members.
|
| 392 |
+
|
| 393 |
+
<html><body><table><tr><td>No</td><td>Name & Designation</td><td>Representing Department / Agency</td></tr><tr><td>1.</td><td>Henton Katz (Deputy Director: DElS Management Division)</td><td>Defence</td></tr><tr><td>2.</td><td> Jan Opperman (Enterprise Architect)</td><td>Defence</td></tr><tr><td>3.</td><td>Anele Apleni (Enterprise Architect)</td><td> Home Affairs</td></tr><tr><td>4.</td><td>Mashapa Machaba (Enterprise Architect)</td><td> Home Affairs</td></tr><tr><td>5.</td><td>Karl Fischer</td><td> Science and Technology</td></tr><tr><td>6.</td><td>Julius Segole (ClO)- Chairman GITOC</td><td> Social Development</td></tr><tr><td>7.</td><td>Maropeng Nakana (Chief Architect)</td><td>Social Development</td></tr><tr><td>8.</td><td>Bulelani Dediza (ClO)- Chairman SCARC</td><td>Transport</td></tr><tr><td>9.</td><td>Tonie Botha (Solutions Architect: IJS)</td><td>Justice & Constitutional Development</td></tr><tr><td>10.</td><td>Jim Green (Solutions Architect: IJS)</td><td>Justice & Constitutional Development</td></tr><tr><td>11.</td><td>Cecil Spencer (Chief Director: IT)</td><td> National Treasury</td></tr><tr><td>12.</td><td>Moritz Botha</td><td>National Treasury</td></tr><tr><td>13.</td><td>Carel Boonzaier (Adv Specialist: Security Architecture)</td><td> SITA (lnformation System Security)</td></tr><tr><td>14.</td><td>Gerald O'Sullivan (Chief Technical Architect: IFMS)</td><td>SITA (IFMS)</td></tr><tr><td>15.</td><td>Lawrence Boatright (Solutions Architect: IFMS)</td><td>SITA (IFMS)</td></tr><tr><td>16.</td><td>Gail van der Meijden (Solutions Architect: LURITS)</td><td> SITA (Solution Development)</td></tr><tr><td>17.</td><td>Chris Fourie (Snr Specialist: Certification)</td><td>SITA (Standards & Certification)</td></tr><tr><td>18.</td><td>Willie Needham (Chief Enterprise Architect - GWEA/MIOS)</td><td>SITA (Standards & Certification)</td></tr><tr><td>19.</td><td>Maropeng Maeko (Snr Manager: Technology Research)</td><td>SITA (Technology 
Research)</td></tr><tr><td>20.</td><td>Deon Nel (Senior Specialist)</td><td>SITA (Technology Research)</td></tr><tr><td>21.</td><td> Gerrit Botha (Enterprise Architect)</td><td>South Africa Police Service</td></tr><tr><td>22.</td><td>Ishmael Matsila</td><td>South African Revenue Services</td></tr></table></body></html>
|
| 394 |
+
|
| 395 |
+
# Annex C : DOCUMENT HISTORY
|
| 396 |
+
|
| 397 |
+
<html><body><table><tr><td>Document Name</td><td>Version</td><td>Date</td><td>Revision Authority</td><td>Modifications</td></tr><tr><td>MIOS v1.PDF</td><td>1.0</td><td>Sep 2001</td><td>SITA Certification</td><td>New document. Adopted from UK e-Gif and customised for Government of South Africa</td></tr><tr><td>MIOS v2.PDF</td><td>2.0</td><td>Nov 2001</td><td>GITOC MIOS Workshop</td><td>Inputs from GITOC</td></tr><tr><td>MIOS3 16 April 2002.doc</td><td>3.0</td><td>Apr 2002</td><td> SITA Strategic Services</td><td>Split MlOS into two Parts: Part 1 is Technical Policies and Standards Part 2 is Implementation Support</td></tr><tr><td>MIOS_30June_2007.odt</td><td>4.0</td><td>Jul 2007</td><td>DPSA</td><td>Included ISO26300 odf document standard. Minor maintenance revisions. Reformatted. [lnternal release, not promulgated]</td></tr><tr><td>MIOS_V4.1_FINAL.PDF</td><td>4.1</td><td>Sep 2007</td><td>GITOC & SITA MIOS workshop</td><td>Update in line with latest UK eGif standards.</td></tr><tr><td>MIOS v5.0.PDF</td><td>5.0</td><td>Nov 2011</td><td>SITA Standards & Certification</td><td>Complete revision of document layout. Include MioS management processes, new set of Public Sector data records interchange standards and revision to technical interoperability standards.</td></tr></table></body></html>
|
dataset/data/docs/Determination and Directive on Public Service ICT Service Continuity v13 (2) (1)..md
ADDED
|
@@ -0,0 +1,166 @@
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1 |
+

|
| 2 |
+
|
| 3 |
+
# DETERMINATION AND DIRECTIVE ON ICT SERVICE CONTINUITY IN THE PUBLIC SERVICE
|
| 4 |
+
|
| 5 |
+
# TABLE OF CONTENTS
|
| 6 |
+
|
| 7 |
+
1. INTRODUCTION 3
|
| 8 |
+
2. PURPOSE 4
|
| 9 |
+
3. AUTHORISATION 5
|
| 10 |
+
4. SCOPE OF APPLICATION 5
|
| 11 |
+
5. IMPLEMENTATION OF DETERMINATION AND DIRECTIVE 5
|
| 12 |
+
NON-COMPLIANCE MANAGEMENT 5
|
| 13 |
+
DATE OF IMPLEMENTATION 5
|
| 14 |
+
8.1 Current Minimum ICT Requirements 5
|
| 15 |
+
8.2 DURING THE ICT DISASTER 8
|
| 16 |
+
8.3 AFTER THE ICT DISASTER 8
|
| 17 |
+
|
| 18 |
+
# 1. INTRODUCTION
|
| 19 |
+
|
| 20 |
+
1.1. The effect of the current pandemic has had unimaginable disruption on organizations and businesses globally.
|
| 21 |
+
1.2. In addition to disruption, the pandemic also presented numerous lessons upon which all stakeholders, including the public service, can learn. For instance, arrangements for alternative workspaces in disruptions proved inadequate as all organizations were affected. This included organizations whose business is the provision of alternative workspaces during disruptions as such environments had to close as well.
|
| 22 |
+
1.3. Organizations that were ill-prepared for the business disruption were impacted more adversely than those with concrete and implementable plans for continuity of their businesses during disruptions, even within a single sector.
|
| 23 |
+
1.4. Business Continuity Management System (BCMS) emphasizes the importance of understanding the organization's needs and the necessity for establishing business continuity management policy and objectives, implementing and operating controls and measures for managing an organization's overall capability to manage disruptive incidents, monitoring and reviewing the performance and effectiveness of the BCMS, and continual improvement based on objective measurement (ISO 22301; 2012).
|
| 24 |
+
|
| 25 |
+
1.5. A BCMS consists of the following components:
|
| 26 |
+
|
| 27 |
+
a) Business Management Policy (inclusive of ICT Service Continuity Issues);
|
| 28 |
+
b) people with defined responsibilities;
|
| 29 |
+
c) management processes relating to 1) policy, 2) planning, 3) implementation and operation, 4) performance assessment, 5) management review; and 6) improvement;
|
| 30 |
+
d) documentation providing auditable evidence; and
|
| 31 |
+
e) any business continuity management processes relevant to the organizatio (ISO 22301; 2012).
|
| 32 |
+
|
| 33 |
+
1.6. Business Continuity Management (BCM), as part of the BCMS, is an integral part of a holistic risk management process that safeguards the interests of an organization's key stakeholders, reputation, brand, and value-creating activities through:
|
| 34 |
+
|
| 35 |
+
i. identifying potential threats that may cause adverse impacts on an organization's business operations and associated risks ii. providing a framework for building resilience for business operations;
|
| 36 |
+
|
| 37 |
+
iii. providing capabilities, facilities, processes, action task lists, etc., for effective responses to disasters and failures (ISO 247620: 2008).
|
| 38 |
+
|
| 39 |
+
1.7 Consequently, BCM is the entire organization's responsibility, which the enterprise risk management function must lead.
|
| 40 |
+
|
| 41 |
+
1.8 When planning for business continuity, the alternative arrangements for information processing and communication facilities (ICT service continuity) are essential for ensuring information, communication technology, and service availability during a disaster and serve as part of the base for the disaster recovery of activities going forward. Such fall back arrangements may include third parties in reciprocal agreements or commercial subscription services.
|
| 42 |
+
|
| 43 |
+
1.9 Despite the critical role played particularly by the information and communication technology (ICT) during the pandemic, the ability of this capability to maintain and salvage organizational operations during and after disruptions is proportional to the amount of planning that has been embarked upon preparation for such eventuality.
|
| 44 |
+
|
| 45 |
+
1.10 Furthermore, ICT service continuity planning is squarely dependent on a functional BCMS of the organization. Departments must understand that any ICT service continuity arrangements in the absence of a fully functional BCMS might not yield the desired outcomes.
|
| 46 |
+
|
| 47 |
+
1.11 Consequently, this determination and directive, therefore, assume that departments already have Business Continuity Plans (BCP) as per the provisions of the Corporate Governance of Information and Communication Technology Policy Framework (CGICTPF). The BCP must, amongst other things, identify and or cover minimum critical services that shall continue to be provided by a department even during a disaster. In line with this, the determination and directive focus on information and communication technology fallback arrangements for departments during a disaster.
|
| 48 |
+
|
| 49 |
+
# 2. PURPOSE
|
| 50 |
+
|
| 51 |
+
2.1. The purpose of this Determination and Directive is to provide clear guidance to departments for the development and implementation of ICT service continuity plans in support of the Department's Business Continuity objectives.
|
| 52 |
+
2.2. The above is done to ensure the continued availability of ICT systems and services during the disruption and the ability to recover quickly upon being impacted by the disaster.
|
| 53 |
+
|
| 54 |
+
# 3. AUTHORIZATION
|
| 55 |
+
|
| 56 |
+
The Minister for Public Service and Administration (MPSA) issues this Determination and Directive in terms of section 3(2), read with sections 3(1)(f), and (g) of the Public Service Act, 1994.
|
| 57 |
+
|
| 58 |
+
# 4. SCOPE OF APPLICATION
|
| 59 |
+
|
| 60 |
+
This Determination and Directive applies to all national and provincial departments, government components, and employees employed in terms of the Public Service Act. This Determination and Directive shall only apply to members of the services, educators or members of the Intelligence Services only in as far as the provisions of this Determination and Directive are not contrary to the laws governing their employment.
|
| 61 |
+
|
| 62 |
+
# 5. IMPLEMENTATION OF THE DETERMINATION AND DIRECTIVE
|
| 63 |
+
|
| 64 |
+
5.1 The Head of Department must ensure that the current ICT Service Continuity Plan aligns with the contents of this Determination and Directive.
|
| 65 |
+
|
| 66 |
+
# 6. NON-COMPLIANCE MANAGEMENT
|
| 67 |
+
|
| 68 |
+
Failure to comply with this Determination and Directive will be dealt with in line with the provisions of section 16A of the Public Service Act.
|
| 69 |
+
|
| 70 |
+
# 7. DATE OF IMPLEMENTATION
|
| 71 |
+
|
| 72 |
+
This Determination and Directive shall come into effect on the date of signature by the MPSA.
|
| 73 |
+
|
| 74 |
+
# 8.1CURRENT MINIMUM ICT REQUIREMENTS
|
| 75 |
+
|
| 76 |
+
8.1.1 The Head of Department must establish an ICT Disaster Recovery Team for the department. The ICT Disaster Recovery Team led by the GITO will develop, document, and execute processes for a department's data recovery f of business continuity, and IT infrastructure in the event of a disaster/ ICT service / ICT system disruption.
|
| 77 |
+
8.1.2 Guided by the risk appetite and tolerance of the department, the ICT Disaster Recovery Team must define and agree on what would constitute as an ICT disaster.
|
| 78 |
+
8.1.3 The Head of Department, through the office of the GITO must identify all departmental Information Systems / ICT Services supporting both internal operations and service delivery to the public, customers, and stakeholders.
|
| 79 |
+
8.1.4 The Head of Department must determine the impact of Business Impact Analysis (BIA) on the department and the public/customers/stakeholders should each of the identified information systems / ICT Services, referred to in paragraph 8.1.3, not be provided due to disruption/disaster.
|
| 80 |
+
8.1.5 The Head of Department must determine the system availability/capacity requirements of the department informed by the BIA or their criticality.
|
| 81 |
+
8.1.6 The Head of Department must ensure that redundancy/continuity arrangements are in place and informed by the department's system availability/capacity requirements.
|
| 82 |
+
8.1.7 The Head of Department must ensure that the unavailability of critical information systems, as identified by the BIA process, is captured in the department's strategic and operational risk registers.
|
| 83 |
+
8.1.8 The Head of Department must inform all relevant stakeholders when an ICT disaster is declared, including the GITO.
|
| 84 |
+
8.1.9 The Head of Department must identify the minimum critical ICT services that must be provided by the department even during the disruption/disaster.
|
| 85 |
+
8.1.10 The Head of Department must determine the duration within which critical ICT services Recovery Time Objectives (RTO) must be recovered should a disaster/disruption occur, this must be expressed in minutes, hours, or days.
|
| 86 |
+
8.1.11 The Head of Department must determine the recovery point and the associated data/information that must be retrieved during the disaster. The Recovery Point Objectives (RPO) after the disaster/disruption must be expressed in minutes, hour and days in case of future disruptions.
|
| 87 |
+
8.1.12 The Head of Department must ensure the existence and safekeeping of all relevant documentation that will support disaster recovery efforts by the department. Such documents must include but are not limited to the design and configuration of the system documents primarily for critical and other systems, systems recovery procedures, contact details of staff (including 3rd party contractors) to assist/conduct recovery, relevant 3rd party suppliers, etc.
|
| 88 |
+
8.1.13 The Head of Department must provide an alternative ICT workspace/working environment for employees/recovery teams.
|
| 89 |
+
8.1.14 The Head of Department must ensure that communication mechanisms of the department determine roles and responsibilities to be performed by various stakeholders once the disaster/disruption strikes.
|
| 90 |
+
8.1.15 At a minimum, during the development of the ICT Service Continuity plan, the following
|
| 91 |
+
|
| 92 |
+
must be addressed:
|
| 93 |
+
|
| 94 |
+
# a) The overview of the department's ICT Infrastructure
|
| 95 |
+
|
| 96 |
+
The GITO must establish an inventory of the status quo of the environmental ICT infrastructure. This inventory list must include:
|
| 97 |
+
|
| 98 |
+
i Hardware
|
| 99 |
+
ii Software (Including Applications)
|
| 100 |
+
iii Network information assets (i.e., Servers, Switches, Firewalls, Routers, Virtual Machines)
|
| 101 |
+
iv Network Diagram/Blueprint of the department
|
| 102 |
+
|
| 103 |
+
# b) Backup Procedures
|
| 104 |
+
|
| 105 |
+
The GITO must establish a process of creating and storing copies of data that can be used to protect the department against data loss.
|
| 106 |
+
|
| 107 |
+
# c) Service and System Risk Ratings
|
| 108 |
+
|
| 109 |
+
The GITO must ensure that all the information systems are rated in their criticality/importance (High, Medium, Low) informed by the BIA outcome.
|
| 110 |
+
|
| 111 |
+
# d) The ICT Disaster Recovery Process
|
| 112 |
+
|
| 113 |
+
The GITO must identify and prioritize their business functions, maintaining the ICT systems that support their operations. The recovery arrangements must also be established to preserve the continuity of ICT services.
|
| 114 |
+
|
| 115 |
+
# e) Roles and Responsibilities
|
| 116 |
+
|
| 117 |
+
The GITO must ensure that the roles and responsibilities related to the ICT services continuity plan are clearly defined and known to those responsible for implementing the disaster recovery activities.
|
| 118 |
+
|
| 119 |
+
# f) Key Contacts
|
| 120 |
+
|
| 121 |
+
The GITO must ensure that critical contacts are continuously updated and accessible when needed.
|
| 122 |
+
|
| 123 |
+
# g) Testing and Maintenance of the ICT Service Continuity Plan
|
| 124 |
+
|
| 125 |
+
The GITO must ensure that the ICT Service Continuity Plan is tested and maintained regularly for effectiveness.
|
| 126 |
+
|
| 127 |
+
# h) Review Date of the ICT Service Continuity Plan
|
| 128 |
+
|
| 129 |
+
The GITO must ensure that the ICT Service Continuity Plan is reviewed regularly and when required.
|
| 130 |
+
|
| 131 |
+
# 8.2 DURING THE ICT DISASTER
|
| 132 |
+
|
| 133 |
+
8.2.1 The ICT Disaster Recovery Team must invoke the disaster recovery activities, processes, and procedures as stipulated in the ICT Service Continuity Plan.
|
| 134 |
+
8.2.2 The ICT Disaster Recovery Team must ensure that the respective role players are informed (including third parties and suppliers).
|
| 135 |
+
8.2.3 The ICT Disaster Recovery Team must ensure that continuous touch point conversations are convened to ensure ongoing engagements during the disaster.
|
| 136 |
+
|
| 137 |
+
# 8.3 AFTER THE ICT DISASTER
|
| 138 |
+
|
| 139 |
+
8.3.1 At the end of the disaster, the Head of the Department must ensure that the ICT disaster recovery team conducts a post-implementation review.
|
| 140 |
+
8.3.2 The Head of Department must ensure that the disaster has been declared over and normal operations are resumed.
|
| 141 |
+
|
| 142 |
+
# APPROVED BY THE MINISTER FOR THE PUBLIC SERVICE AND ADMINISTRATION
|
| 143 |
+
|
| 144 |
+
The GlTO must ensure that the ICT Service Continuity Plan is tested and maintained regularly for effectiveness.
|
| 145 |
+
|
| 146 |
+
# h) Review Date of the ICT Service Continuity Plan
|
| 147 |
+
|
| 148 |
+
The GlTO must ensure that the ICT Service Continuity Plan is reviewed regularly and when required.
|
| 149 |
+
|
| 150 |
+
# 8.2 DURINGTHEICTDISASTER
|
| 151 |
+
|
| 152 |
+
8.2.1 The ICT Disaster Recovery Team must invoke the disaster recovery activities, processes, and procedures as stipulated in the ICT Service Continuity Plan.
|
| 153 |
+
8.2.2 The ICT Disaster Recovery Team must ensure that the respective role players are informed (including third parties and suppliers).
|
| 154 |
+
8.2.3 The ICT Disaster Recovery Team must ensure that continuous touch point conversations are convened to ensure ongoing engagements during the disaster.
|
| 155 |
+
|
| 156 |
+
# 8.3 AFTERTHEICTDISASTER
|
| 157 |
+
|
| 158 |
+
8.3.1 At the end of the disaster,the Head of the Department must ensure that the ICT disaster recovery team conducts apost-implementationreview. The Head of Department must ensure that the disaster has been declared over and normal operations are resumed.
|
| 159 |
+
|
| 160 |
+
# APPROVED BY THE MINISTER FOR THE PUBLIC SERVICE AND ADMINISTRATION
|
| 161 |
+
|
| 162 |
+

|
| 163 |
+
|
| 164 |
+
MR T.W.'NXESI, MP
|
| 165 |
+
ACTING MINISTER FOR THE PUBLIC SERVICE AND ADMINISTRATION
|
| 166 |
+
DATE:29/11 /202乙
|
dataset/data/docs/Directive-on-Public-Service-Information-Security_egov_21_06_2022_.pdf-617e273b-cc20-462a-ad02-79.md
ADDED
|
@@ -0,0 +1,497 @@
| 1 |
+
# DIRECTIVE ON PUBLIC SERVICE INFORMATION SECURITY
|
| 2 |
+
|
| 3 |
+
# Preface
|
| 4 |
+
|
| 5 |
+
The current digital era has seen the increased importance of data and information, thus giving it the status of being the economy's raw material. It has brought the importance of protecting data and information to ensure its confidentiality, integrity, and availability.
|
| 6 |
+
|
| 7 |
+
The persistent cybersecurity incidents in the Public service reveal the level of vulnerability that the government departments are exposed to with limited ICT security skills to mitigate and combat the cyber-attacks as they emerge.
|
| 8 |
+
|
| 9 |
+
In line with this, section $3(1)(\hat{I})$ of the Public Service Act, 1994 (Proclamation No. 103 of 1994) provides for the Minister of Public Service and Administration (MINiSTER) to establish norms and standards relating to information management in the public service.
|
| 10 |
+
|
| 11 |
+
Furthermore, requlation 94 of the Public Service Regulations, 2016, specifically provides for the MiNiSTER to issue information security standards for the public service after consultation with relevant Ministers.
|
| 12 |
+
|
| 13 |
+
This Directive is issued by the MiNiSTER in terms of section 41(3) of the Public Service Act to elucidate regulations 94, of the Public Service Regulations.
|
| 14 |
+
|
| 15 |
+

|
| 16 |
+
|
| 17 |
+
MR T.W. NXESI. MP
|
| 18 |
+
|
| 19 |
+
Table of Contents
|
| 20 |
+
1. INTRODUCTION . 4
|
| 21 |
+
2. PURPOSE 4
|
| 22 |
+
3. AUTHORIZATION.. 4
|
| 23 |
+
4. SCOPE OF APPLICATION . 4
|
| 24 |
+
5. DEFINITIONS 5
|
| 25 |
+
6. IMPLEMENTATION OF THE DIRECTIVE .. 8
|
| 26 |
+
7. NON-COMPLIANCE AND REPORTING... . 8
|
| 27 |
+
8. DATE OF IMPLEMENTATION .. . 8
|
| 28 |
+
9. ROLES AND RESPONSIBILITIES 8
|
| 29 |
+
10. MANAGEMENT OF ICT RELATED BUSINESS RISK .. 8
|
| 30 |
+
11. SECURITY AWARENESS TRAINING . 8
|
| 31 |
+
12. CLASSIFICATION .. . 9
|
| 32 |
+
13. INFORMATION SYSTEM ACQUISITION, DEVELOPMENT, AND MAINTENANCE .. ...... 9
|
| 33 |
+
14. INTELLECTUAL PROPERTY RIGHTS. 11
|
| 34 |
+
15. PHYSICAL SECURITY MANAGEMENT .. . 11
|
| 35 |
+
16. HR SECURITY . 12
|
| 36 |
+
16.1 HR SECURITY OPERATIONS ... 12
|
| 37 |
+
16.2 USER RESPONSIBILITIES 12
|
| 38 |
+
17. COMMUNICATIONS AND OPERATIONS MANAGEMENT . 13
|
| 39 |
+
17.2 SYSTEM OPERATIONS . 13
|
| 40 |
+
17.3 CONTINUOUS VULNERABILITY MANAGEMENT 14
|
| 41 |
+
17.4 PROTECTION AGAINST MALICIOUS AND MOBILE CODE . 15
|
| 42 |
+
17.5 PROHIBITED SOFTWARE . 15
|
| 43 |
+
17.6 NETWORK SECURITY 16
|
| 44 |
+
17.7 PROTECTION OF INFORMATION SECURITY DEVICES . 17
|
| 45 |
+
17.8 BACKUPS . . 17
|
| 46 |
+
17.9 MEDIA HANDLING . 18
|
| 47 |
+
17.10 DISPOSAL OF MEDIA 18
|
| 48 |
+
17.11 REMOVAL OF CLASSIFIED DOCUMENTS FROM PREMISES . 18
|
| 49 |
+
18. THIRD_PARTY ACCESS MANAGEMENT .. .. 19
|
| 50 |
+
19. ACCOUNTS MANAGEMENT .. 19
|
| 51 |
+
20. ACCESS CONTROL MANAGEMENT . . 20
|
| 52 |
+
21. PASSWORD MANAGEMENT . . 20
|
| 53 |
+
22. MOBILE AND REMOTE COMPUTING ... . 21
|
| 54 |
+
23. USE OF ICT INFORMATION ASSETS . . 22
|
| 55 |
+
24. OUTSOURCING REQUIREMENTS . 22
|
| 56 |
+
25. CYBERSECURITY.. 23
|
| 57 |
+
26. CLOUD SECURITY . 23
|
| 58 |
+
27. ELECTRONIC SIGNATURES . 24
|
| 59 |
+
28. AUDITING AND MONITORING 24
|
| 60 |
+
29. ICT SERVICE CONTINUITY AND DISASTER RECOVERY .. . 24
|
| 61 |
+
30. ICT SERVICE PROVIDER MANAGEMENT . 25
|
| 62 |
+
|
| 63 |
+
# 1. INTRODUCTION
|
| 64 |
+
|
| 65 |
+
The current digital era has seen the increased importance of data and information, thus giving it the status of being the economy's raw material. It has brought the importance of protecting data and information to ensure its confidentiality, integrity, and availability.
|
| 66 |
+
|
| 67 |
+
In line with this, section $3(1)(t)$ of the Public Service Act, 1994 (Proclamation No. 103 of 1994) provides for the Minister for the Public Service and Administration (Minister) to establish norms and standards relating to information management in the public service.
|
| 68 |
+
|
| 69 |
+
Furthermore, regulation 94 of the Public Service Regulations, 2016, specifically provides for the Minister to issue information security standards for the public service after consultation with relevant Ministers.
|
| 70 |
+
|
| 71 |
+
# 2. PURPOSE
|
| 72 |
+
|
| 73 |
+
To provide direction in the public service regarding establishing departmental information security governance, practices, and procedures to protect information and technology assets.
|
| 74 |
+
|
| 75 |
+
# 3. AUTHORIZATION
|
| 76 |
+
|
| 77 |
+
This Directive is issued by the Minister in terms of section 41(3) of the Public Service Act to elucidate regulations 94, of the Public Service Regulations.
|
| 78 |
+
|
| 79 |
+
# 4. SCOPE OF APPLICATION
|
| 80 |
+
|
| 81 |
+
This Directive applies to all national and provincial departments, government components, and employees employed in terms of the Public Service Act. This Directive shall only apply to members of the services, educators, or members of the Intelligence Services only in as far as the provisions of this Directive are not contrary to the laws governing their employment.
|
| 82 |
+
|
| 83 |
+
# 5. DEFINITIONS
|
| 84 |
+
|
| 85 |
+
In this Directive, any word or expression bears the meaning which was assigned in the Public Service Act and the Public Service Regulations, unless the context indicates otherwise
|
| 86 |
+
|
| 87 |
+
‘Access Control’ means a fundamental component of data security that dictates who's allowed to access and use company information and resources;
|
| 88 |
+
|
| 89 |
+
‘Access Control List (ACL)’ means a set of rules used to filter traffic ‘Author’ means any employee, or the person acting on his behalf, who prepares, generates, or initially classifies a document or has it classified;
|
| 90 |
+
|
| 91 |
+
‘AGSA’ means the Auditor-General of South Africa;
|
| 92 |
+
|
| 93 |
+
‘BCP’ means business continuity plan;
|
| 94 |
+
|
| 95 |
+
‘CD-ROM’ means compact disc read-only memory;
|
| 96 |
+
|
| 97 |
+
‘Certificate Authority’ means a certificate authority uses its private encryption key to sign and issue a digital certificate verifying the identity of the certified holder;
|
| 98 |
+
|
| 99 |
+
‘Classified Information’ means sensitive information which, in the national interest, is held by, produced in, or under the control of the State or which concerns the State, and which must, because of its sensitive nature, be exempted from disclosure in terms of the Protection of Personal Information Act, 2013;
|
| 100 |
+
|
| 101 |
+
‘Clearing’ means to clear information at a level of media sanitisation that would protect the confidentiality of information against a robust keyboard attack. Simple deletion of items would not suffice for clearing. Clearing must not allow information to be retrieved by data, disk, or file recovery utilities. It must be resistant to keystroke recovery attempts executed from standard input devices and data scavenging tools;
|
| 102 |
+
|
| 103 |
+
‘Compromise’ means the unauthorised disclosure/exposure or loss of sensitive or classified information or exposure of sensitive operations, people, or places, whether by design or through negligence;
|
| 104 |
+
|
| 105 |
+
‘Computer Security’ means– that condition created in a computer environment by the conscious provision and application of security measures. This includes information concerning the procedure for the procurement and protection of equipment;
|
| 106 |
+
|
| 107 |
+
‘Dimiliterised Zone (DMZ)’ means a perimeter network that protects and adds an extra layer of security to an organization’s internal local-area network from untrusted traffic
|
| 108 |
+
|
| 109 |
+
‘DISO’ means Department Information Security Officer;
|
| 110 |
+
|
| 111 |
+
‘DPSA’ means the Department of Public Service and Administration;
|
| 112 |
+
|
| 113 |
+
‘Encryption’ means a mathematically derived process involving data coding to achieve confidentiality, anonymity, time-stamping, and other security objectives;
|
| 114 |
+
|
| 115 |
+
‘‘Firewall’ network security device for monitoring incoming and outgoing network traffic and allows or denies data packets based on a set of security rules. Its purpose is to establish a barrier between your internal network and incoming traffic from external sources (such as the internet) to block malicious traffic
|
| 116 |
+
|
| 117 |
+
‘Gateway’ means a computer system used to link different networks;
|
| 118 |
+
|
| 119 |
+
‘GITO’ means a Government Information Technology Officer;
|
| 120 |
+
|
| 121 |
+
‘Guideline’ is a general rule, principle, or piece of advice;
|
| 122 |
+
|
| 123 |
+
‘HR’ means human resources;
|
| 124 |
+
|
| 125 |
+
‘ICT’ means all aspects of technology that are used to manage and support the efficient gathering, processing, storing, and dissemination of information;
|
| 126 |
+
|
| 127 |
+
‘Incident’ means an adverse event in an information system and/or network or the threat of the occurrence of such an event;
|
| 128 |
+
|
| 129 |
+
‘Information Assets’ means computers, communications facilities, networks, data, and encryption keys that may be stored, processed, retrieved, or transmitted by them.
|
| 130 |
+
|
| 131 |
+
This includes programs, specifications, and procedures for their operation, use, and maintenance. All such assets are the property of the department and should be protected according to the policies;
|
| 132 |
+
|
| 133 |
+
‘Information Security’ means the provision of organisational, technical, and social measures to safeguard information assets against unauthorised access, damage, and interference – both malicious and accidental;
|
| 134 |
+
|
| 135 |
+
‘Information Security Event’ means an identified occurrence of a system, service, or network state indicating a breach of information security policy, failure of safeguards, or a previously unknown situation that may be security-relevant;
|
| 136 |
+
|
| 137 |
+
‘Information Security Incident’ means a single or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security.
|
| 138 |
+
|
| 139 |
+
‘LAN’ means local area network;
|
| 140 |
+
|
| 141 |
+
‘MISS’ means the Minimum Information Security Standard which is a national government policy document on information security standards that must be maintained by all departments;
|
| 142 |
+
|
| 143 |
+
‘Minister’ means the Minister for the Public Service and Administration;
|
| 144 |
+
|
| 145 |
+
‘System Owner’ means a person or organization having responsibility for the development, procurement, integration, modification, operation, maintenance, and/or final disposition of an information system.
|
| 146 |
+
|
| 147 |
+
‘Network Access Control (NAC)’ means a solution for restricting unauthorized users and devices from gaining access to a corporate network
|
| 148 |
+
|
| 149 |
+
‘Third-party code’ means software component is a reusable software component developed to be either freely distributed or sold by an entity other than the original vendor of the development platform
|
| 150 |
+
|
| 151 |
+
‘Trusted entities’ means ICT service providers rendering a service to a government Department
|
| 152 |
+
|
| 153 |
+
‘Virtual LAN’ means a logical group of nodes that appear to be on the same LAN irrespective of the configuration of the underlying physical network.
|
| 154 |
+
|
| 155 |
+
# 6. IMPLEMENTATION OF THE DIRECTIVE
|
| 156 |
+
|
| 157 |
+
The Head of Department must ensure that -
|
| 158 |
+
|
| 159 |
+
a) The department has an Information Security Policy.
|
| 160 |
+
b) The departmental Information Security Policy is aligned with the provisions set out in this Directive.
|
| 161 |
+
|
| 162 |
+
# 7. NON-COMPLIANCE AND REPORTING
|
| 163 |
+
|
| 164 |
+
Failure to comply with this Directive will be dealt with in line with the provisions of section 16A of the Public Service Act, 1994.
|
| 165 |
+
|
| 166 |
+
# 8. DATE OF IMPLEMENTATION
|
| 167 |
+
|
| 168 |
+
This directive becomes effective on the date signed by the MPSA.
|
| 169 |
+
|
| 170 |
+
# 9. ROLES AND RESPONSIBILITIES
|
| 171 |
+
|
| 172 |
+
a) The Head of Department must delegate an official to fulfill the functions of a Department Information Security Officer (DISO).
|
| 173 |
+
b) The Department Information Security Officer (DISO) must be accountable to the GITO for matters of Information Security.
|
| 174 |
+
c) The departmental ICT Steering Committee (established through the Corporate Governance of ICT Policy Framework- CGICTPF) must function as an information security forum.
|
| 175 |
+
|
| 176 |
+
# 10. MANAGEMENT OF ICT RELATED BUSINESS RISK
|
| 177 |
+
|
| 178 |
+
The Head of Department must ensure that ICT-related business risks are identified during their planning cycle and document such risks on a risk register.
|
| 179 |
+
|
| 180 |
+
# 11. SECURITY AWARENESS TRAINING
|
| 181 |
+
|
| 182 |
+
The Head of Department must ensure that -
|
| 183 |
+
|
| 184 |
+
a) The DISO develops and implements a continuous information security awareness program to reduce cybersecurity risks from employees in the department.
|
| 185 |
+
b) The information security awareness program must train employees to recognise & report cyberattacks (phishing, baiting, tailgating, etc) as well as train employees to properly handle (store, transfer, and destroy) sensitive data.
|
| 186 |
+
c) The information security awareness program must include security awareness or skills training targetted for specific roles including system administrators, web application developers, and the helpdesk administrators
|
| 187 |
+
d) An appropriate summary of the departmental information security policy is included in the HR policies that all employees sign before starting any work in a department.
|
| 188 |
+
|
| 189 |
+
# 12. CLASSIFICATION
|
| 190 |
+
|
| 191 |
+
The Head of Department must ensure that information is classified according to the uniform sensitivity classification scheme below:
|
| 192 |
+
|
| 193 |
+
a) Public: this information has been explicitly approved by management for release to the public. Examples include reports, announcements, job openings, press releases, service brochures, and information published on the website.
|
| 194 |
+
b) Confidential: this information is private or otherwise sensitive in nature and must be restricted to those with a legitimate business need for access. The unauthorised disclosure of this information could adversely impact the department or third parties. Examples include employee performance evaluations, transaction data, agreements, unpublished memorandums and/or submissions, passwords, internal audit reports, and all client information.
|
| 195 |
+
c) Secret: this classification applies to the most sensitive business information which is intended strictly for use within a department and restricted to those with a legitimate business need for access. The unauthorised disclosure of this information could seriously and adversely impact the department or third parties.
|
| 196 |
+
|
| 197 |
+
# 13. INFORMATION SYSTEM ACQUISITION, DEVELOPMENT, AND MAINTENANCE
|
| 198 |
+
|
| 199 |
+
The Head of Department must ensure that - (a) System development or changes to existing systems follow a formal structured approach whereby information security is considered at all stages of the system development life cycle. These include conception and design, development, quality assurance, and implementation as a production system. All systems or application changes follow a formal change control procedure. All associated or supporting documentation must be appropriately updated in response to the changes made;
|
| 200 |
+
|
| 201 |
+
(b) Any system development, including development through a third party, follows an approved system development methodology outlined in the relevant service level agreements and the methodology must include secure application design standards, secure coding practices, and security of third-party code
|
| 202 |
+
(c) All aspects of how information security is considered and implemented for all new systems or changes to existing systems are recorded. In addition, system developments and changes to existing systems shall have accompanying up-todate documentation before going live. This must include appropriate sign-offs by the system owner, the GITO, and the Head of Department;
|
| 203 |
+
(d) The use of production data for development testing is prohibited unless such use is approved by the data owner. The use of desensitized production data should never jeopardize the security or business-related privacy;
|
| 204 |
+
(e) Business application systems only go into production after users and information operations staff have received appropriate documentation and training on the relevant application security-related controls and practices;
|
| 205 |
+
|
| 206 |
+
(f) When ICT applications are developed:
|
| 207 |
+
|
| 208 |
+
(i) the application is tested and scanned for vulnerabilities. Exploitable and other high-risk vulnerabilities must be remediated before the application is used (Line Management is responsible for ensuring that appropriate testing takes place); and
|
| 209 |
+
(ii) the following documentation is available: a. technical program documentation; b. end-user documentation;
|
| 210 |
+
|
| 211 |
+
(g) System requesters by default become system owners.
|
| 212 |
+
|
| 213 |
+
(h) The functionality for checking the validity, accuracy, and completeness of data processed is incorporated into systems that are developed;
|
| 214 |
+
|
| 215 |
+
(i) Data output from an application is validated to ensure that the processing of stored information is correct and appropriate to the circumstances.
|
| 216 |
+
|
| 217 |
+
# 14. INTELLECTUAL PROPERTY RIGHTS
|
| 218 |
+
|
| 219 |
+
The Head of the Department must ensure that - a) Any system (software, information, source code, system design documents) developed by and/or on behalf of the department shall remain the intellectual property of the government and may therefore not be copied, sold, leased, or removed without the express of written consent of the relevant executive authority
|
| 220 |
+
|
| 221 |
+
# 15. PHYSICAL SECURITY MANAGEMENT
|
| 222 |
+
|
| 223 |
+
The Head of Department must ensure that -
|
| 224 |
+
|
| 225 |
+
a) Physical security measures for all departmental ICT assets (ie. lockable server rooms, switches, cabinets, and/or any other related physical assets that are restricted from public and unauthorised access) are put in place;
|
| 226 |
+
b) There is sufficient protection against environmental threats and hazards such as fire, theft, tampering, water damage, and vandalism;
|
| 227 |
+
c) Multifactor authentication with access logging is implemented in the data centers/server rooms’ entrances;
|
| 228 |
+
d) There is adequate security at the entrance of the data center/server rooms and other facilities where ICT infrastructure is housed;
|
| 229 |
+
e) A generator and uninterrupted power supply is available to power critical ICT systems and is tested quarterly and maintained;
|
| 230 |
+
f) Confidentiality agreements and maintenance agreements are in place to ensure the security and confidentiality of the information stored on equipment that is subject to $3^{\mathsf{r d}}$ party and off-site access;
|
| 231 |
+
g) Laptop users have security cables to attach the laptops securely to a desk or similar object, regardless of the location where the laptop is used;
|
| 232 |
+
h) Users who are assigned devices, including portable computers of whatever nature, smartphones, tablets, and peripheral devices that contain government data or have been connected at any time to the government network, do not leave these devices unattended in motor vehicles or public places;
|
| 233 |
+
i) FollowMe print must be used to protect the printing of confidential documents. Where FollowMe print cannot be implemented, then users must remove sensitive or restricted documents from printers immediately when printed.
|
| 234 |
+
j) All users (employees, contractors, and incidental users) are prohibited from making any hardware changes to any shared server or network devices. If there is a business reason for making a hardware change, a change request must be submitted following the department's change management process;
|
| 235 |
+
k) Non-standard hardware configurations and security configurations (i.e. firewall settings, virtual and physical server settings, router, and switches) are considered for recommendation by the department's GITO;
|
| 236 |
+
l) Any loss or theft of information assets is treated as a security breach and reported immediately following the departmental loss procedure/protocol. Where necessary and applicable, a mobile device management tool must be implemented to assist with tracking and recovery of government laptops and notebooks.
|
| 237 |
+
m) Information assets containing government information must be securely stored or retained with the owner while traveling;
|
| 238 |
+
n) Process, procedures, or technical controls are in place to manage the risks associated with removable media (i.e. data leaks, data loss, data privacy, data sensitivity, malware infection, etc)
|
| 239 |
+
|
| 240 |
+
# 16. HR SECURITY
|
| 241 |
+
|
| 242 |
+
# 16.1 HR SECURITY OPERATIONS
|
| 243 |
+
|
| 244 |
+
The Head of Department must ensure that -
|
| 245 |
+
|
| 246 |
+
a) The security roles and responsibilities of employees, and third-party users are defined and documented in the Information Security Policy;
|
| 247 |
+
b) Background verification checks or security vetting of contractors, and external party users are carried out under relevant laws, regulations, and ethics, and proportional to the business requirements, the classification of the information to be accessed, and the perceived risks;
|
| 248 |
+
|
| 249 |
+
# 16.2 USER RESPONSIBILITIES
|
| 250 |
+
|
| 251 |
+
The Head of Department must ensure that -
|
| 252 |
+
|
| 253 |
+
a) All personnel is responsible for all activities performed with their user identities and special logon identities. As such, user identities and other logon identities may not be used by anyone other than the persons to whom they have been issued and users shall not perform any activity with identities belonging to other users.
|
| 254 |
+
b) Passwords are never shared or revealed to anyone else and should never be known by anyone other than the authorised user.
|
| 255 |
+
c) Users submit a request to the help desk to issue a new password if a password is forgotten, and users must prove their identity before the password is issued or reset
|
| 256 |
+
d) Users report any misuse or unlawful use of user identities and passwords to the help desk,
|
| 257 |
+
e) The unsuccessful login attempts are logged, and investigations should occur where unsuccessful login attempts are out of the normal range.
|
| 258 |
+
|
| 259 |
+
# 17. COMMUNICATIONS AND OPERATIONS MANAGEMENT
|
| 260 |
+
|
| 261 |
+
# 17.2 SYSTEM OPERATIONS
|
| 262 |
+
|
| 263 |
+
The Head of Department must ensure that
|
| 264 |
+
|
| 265 |
+
a) Controls for ICT operations are documented and must include employee duties and formal methods to implement changes to ICT systems;
|
| 266 |
+
b) A formal change control procedure is documented and enforced to govern the application, computer installation, networks, and system development changes;
|
| 267 |
+
c) The relevant system owner approves all business application changes with a financial impact. The GITO must recommend all infrastructure/architectural changes;
|
| 268 |
+
d) ICT systems are accessed and authenticated through the Department’s network. The GITO must approve secure emergency remote access/alternative network connection methods;
|
| 269 |
+
e) Emergency changes that bypass some of the elements of the established change control system require the authorisation of all affected business units/ branches and acknowledgment of the risks involved. These actions must be controlled, logged, restored, and kept to a minimum;
|
| 270 |
+
f) Production systems are physically separated from test and development systems. Where this is not feasible, all reasonable efforts must be made, to ensure that
|
| 271 |
+
|
| 272 |
+
production systems are protected from changes or outages in non-production environments;
|
| 273 |
+
|
| 274 |
+
g) The development of new applications or system software is kept separate, both physically and logically, from the production environment. The employee responsible for the development should not normally have access to production systems. For occasional and essential support purposes, the development employee may be granted restricted access for a limited period (e.g., by issuing secure passwords via an emergency access process);
|
| 275 |
+
|
| 276 |
+
h) All activities related to changes of systems and performed using supervisory access rights will only be performed once appropriate authorisation is received through the change control process, accompanied by change control documentation. The results of the change will be compared with the change request. This review must be signed-off or electronically verified by the appropriate manager;
|
| 277 |
+
i) The segregation of duties matrix is developed and maintained by all business units in the department. It should contain all user roles and associated access, and any conflicts or roles with excessive access that can result in unauthorised or fraudulent transactions or activities should be reviewed, adjusted where possible, or monitored closely. The segregation of duties matrix should be reviewed by system owners periodically.
|
| 278 |
+
j) Approval and confirmation of the new ICT system satisfy all necessary security requirements before that system is used in a department or government production environment.
|
| 279 |
+
|
| 280 |
+
# 17.3 CONTINUOUS VULNERABILITY MANAGEMENT
|
| 281 |
+
|
| 282 |
+
The Head of Department must ensure that -
|
| 283 |
+
|
| 284 |
+
a) The network infrastructure is kept-up-date and is running the latest and stable software versions.
|
| 285 |
+
b) Operating system updates and application updates are performed at least once a month or more regularly through a patch management process.
|
| 286 |
+
c) Bi-annual vulnerability scans and vulnerability remediation are performed through a vulnerability management process.
|
| 287 |
+
|
| 288 |
+
# 17.4 PROTECTION AGAINST MALICIOUS AND MOBILE CODE
|
| 289 |
+
|
| 290 |
+
The Head of Departments must ensure that -
|
| 291 |
+
|
| 292 |
+
a) All information devices connected to the government network has up-to-date antivirus and integrity-checking software installed.
|
| 293 |
+
b) Employees do not knowingly distribute viruses or bypass any detection systems in place.
|
| 294 |
+
c) Employees exercise caution when opening any email if the source of the email is unknown to the user.
|
| 295 |
+
d) Employees receiving or downloading data media from any source within, the public service has the responsibility for ensuring that it is checked for viruses before use. Similarly, individuals intending to pass on data media within government or to external parties must ensure that it is first scanned for viruses.
|
| 296 |
+
e) Employees are prevented from disabling or changing the configuration of the antivirus software installed on their personal computers.
|
| 297 |
+
f) Autorun for removable media is disabled to control the installation and execution of malware
|
| 298 |
+
g) Suspected malicious code attacks are reported immediately on identification by following the internal security incident management procedure.
|
| 299 |
+
h) New software, portable media, and information in electronic format from external sources are scanned for malicious program code before being introduced into the department network.
|
| 300 |
+
|
| 301 |
+
# 17.5 PROHIBITED SOFTWARE
|
| 302 |
+
|
| 303 |
+
The Head of Department must ensure that - a) The employees are made aware that the use of the following software is prohibited on any computer departmental network unless specifically recommended by the GITO. i Bootleg software: illegal, pirated, or reproduced copies of software or data. ii Powerful system tools: programs that are designed to investigate and/or exploit a department's information security environment (including password
|
| 304 |
+
|
| 305 |
+
crackers, scanners, network sniffing devices, network packet sniffing devices, and other hacking tools).
|
| 306 |
+
iii Shareware/freeware: all software available from the Internet, where no licensing requirements are given.
|
| 307 |
+
iv Personal/non-department software.
|
| 308 |
+
v Inappropriate content: images and /or text involving race, nudity or sexual themes are not appropriate for the workplace
|
| 309 |
+
|
| 310 |
+
b) A list of approved software is developed and maintained to identify and prevent the installation of malicious software.
|
| 311 |
+
|
| 312 |
+
# 17.6 NETWORK SECURITY
|
| 313 |
+
|
| 314 |
+
The Head of Department must ensure that -
|
| 315 |
+
|
| 316 |
+
a) Responsibilities for network configuration and operational management are segregated from systems configuration and operational management.
|
| 317 |
+
b) Establish and maintain the secure configuration of ICT assets (i.e. workstations devices, mobile devices, network devices, virtualization platforms, and servers) and software (operating systems and applications).
|
| 318 |
+
c) Secure network architecture is established and maintained through segmentation and segregation. i.e. Virtual LANs, ACL, Firewalls, DMZ, NAC, Least privilege & Need-to-know principles, etc
|
| 319 |
+
d) Information regarding Internal addresses, configurations, related system design for the department, government networks, and computer systems are restricted so that both systems and users outside the internal network cannot access this information without written approval from the Head of Department.
|
| 320 |
+
e) The creation of a remote access facility never compromises the security of a department or government network or any existing department system or data.
|
| 321 |
+
f) The layout of wiring and all network devices is documented.
|
| 322 |
+
g) Firewall rules are reviewed regularly.
|
| 323 |
+
h) Inactivity timeouts are implemented for remote access connections (i.e. idle sessions for applications, unattended workstations, etc) requiring users to reauthenticate following a timeout.
|
| 324 |
+
i) All computers with wireless LAN devices use an approved department or government virtual private network (VPN) configured to drop all unauthenticated and unencrypted traffic. The Wireless LAN service set identifier (SSID) is configured so that it does not contain any identifying information about a department, such as a department name, division title, employee name, or product identifier.
|
| 325 |
+
k) Government employees or other personnel are prohibited from establishing simultaneous connections to both external networks and government networks.
|
| 326 |
+
l) All remote access usage and logs are monitored regularly (i.e.failed access attempts, user lockouts, and unusual remote access attempts).
|
| 327 |
+
m) ICT service provider networks and government networks are segregated into logical and physical segments or network domains based on the value and classification of information or assets that need to be accessed.
|
| 328 |
+
n) GITO authorises all connections to the Department network.
|
| 329 |
+
|
| 330 |
+
# 17.7 PROTECTION OF INFORMATION SECURITY DEVICES
|
| 331 |
+
|
| 332 |
+
The Head of Department must ensure that -
|
| 333 |
+
|
| 334 |
+
a) Secure gateways, firewalls, and other protection devices are used to maintain the level of security when elements of different trust levels are brought together.
|
| 335 |
+
b) Security systems operating within and across public and department networks are protected against internal and external intruders. The systems are to be installed in a physically secured and access-restricted area.
|
| 336 |
+
c) Only trusted entities are allowed full access to the department network. All entry points to the department network must be reviewed and approved by the GITO.
|
| 337 |
+
|
| 338 |
+
# 17.8 BACKUPS
|
| 339 |
+
|
| 340 |
+
The Head of Department must ensure that -
|
| 341 |
+
|
| 342 |
+
a) Backups are performed frequently, based on the sensitivity of the data
|
| 343 |
+
b) Regardless of classification, the availability of all data is maintained through periodic backups and recovery mechanisms.
|
| 344 |
+
c) Department backups are covered in the existing contract/arrangement of any service provider and the backups containing sensitive data are encrypted.
|
| 345 |
+
d) The department's minimum and maximum retention periods of information are based on contractual, legislative, regulatory, or industry requirements. The information must be retained for as long as necessary, but for no longer than the data owner's requirements.
|
| 346 |
+
e) All archival backup data stored off-site is reflected in an up-to-date directory that shows the most recent date when the information was modified and the nature of the information.
|
| 347 |
+
f) All storage devices on which sensitive, valuable or critical information is stored for periods longer than six months must not be subject to rapid degradation. Such media must be tested at least annually to ensure that the information is still recoverable.
|
| 348 |
+
|
| 349 |
+
# 17.9 MEDIA HANDLING
|
| 350 |
+
|
| 351 |
+
The Head of Department must ensure that -
|
| 352 |
+
|
| 353 |
+
a) Government information is always stored/saved on Departmental network servers.
|
| 354 |
+
b) Removable computer media is protected against unauthorised access. Any loss or theft of removable computer media must be treated as a security breach and reported immediately.
|
| 355 |
+
|
| 356 |
+
# 17.10 DISPOSAL OF MEDIA
|
| 357 |
+
|
| 358 |
+
The Head of Department must ensure that -
|
| 359 |
+
|
| 360 |
+
a) That destruction of storage devices is conducted only by trained and authorised personnel. Safety and special disposition must be identified and addressed before conducting any media destruction.
|
| 361 |
+
b) The disposal of removable media is performed in such a manner that the data is not recoverable.
|
| 362 |
+
|
| 363 |
+
# 17.11 REMOVAL OF CLASSIFIED DOCUMENTS FROM PREMISES
|
| 364 |
+
|
| 365 |
+
The Head of Department must ensure that - a) A destruction/disposal certificate is supplied to the author.
|
| 366 |
+
|
| 367 |
+
b) A business unit retention and disposal plans, and other legal and standard obligations are consulted to ensure the timely disposal of information that is no longer required by the government.
|
| 368 |
+
c) Retention schedules are developed and implemented.
|
| 369 |
+
d) Records are available to the entire department or only a designated part of the department, based on the user's access permissions.
|
| 370 |
+
e) Records are retained for a period as determined by legislation or best practices.
|
| 371 |
+
|
| 372 |
+
# 18. THIRD_PARTY ACCESS MANAGEMENT
|
| 373 |
+
|
| 374 |
+
The Head of Department must ensure that -
|
| 375 |
+
|
| 376 |
+
a) ICT human resources from external service providers are suitably vetted, or an oath of secrecy is signed following the institution's security requirements.
|
| 377 |
+
b) External/third-party access to department information assets is only authorised in cases where there is a clearly defined business need. The access facility provided should limit the external/third party to the agreed method of access, the agreed access rights, and the agreed level of functionality.
|
| 378 |
+
c) External ICT consultants, computer security response teams, contractors, or temporary staff who require access to the department network must seek authorization in line with the governance arrangements.
|
| 379 |
+
d) As part of an outsourcing contract procedure, a risk assessment is carried out under the guidance of the DISO to determine the security implications and security control requirements.
|
| 380 |
+
|
| 381 |
+
# 19. ACCOUNTS MANAGEMENT
|
| 382 |
+
|
| 383 |
+
The Head of Department must ensure that -
|
| 384 |
+
|
| 385 |
+
a) A user account registration process is established and maintained. The process must include the use of formal user registration forms (soft copy, hard copy, or online) to create accounts or grant access to the department network and computer systems. The form(s) must be signed off as an acknowledgment that they understand the conditions of the access granted to them.
|
| 386 |
+
b) Users must use authorised user accounts (unique usernames and passwords) to access government computers, systems, emails, and internet facilities.
|
| 387 |
+
|
| 388 |
+
# 20. ACCESS CONTROL MANAGEMENT
|
| 389 |
+
|
| 390 |
+
The Head of Department must ensure that - a) Formal access granting, access review, and access revoking processes are established and maintained. These processes must be founded on role-based access control, the least privilege principle of security, and keeping $\&$ maintaining records of granted and revoked privileges or access. The above ensures that users have access only to -
|
| 391 |
+
|
| 392 |
+
i. Their own files and data;
|
| 393 |
+
ii. Publicly available files;
|
| 394 |
+
iii. and/or files that they have been authorised to access.
|
| 395 |
+
b) Systems requiring protection against unauthorised access have the allocation of privileges controlled through a formal authorisation process and a record of all privileges allocated must be maintained.
|
| 396 |
+
c) Login privileges or access allocated to users on a need-to-use and event-by-event basis is authorised, i.e., the minimum access required to perform the role. Department's systems and technical support staff align to a clear separation of functions (such as system administrators vs regular users) to prevent unauthorised access and functions from being performed.
|
| 397 |
+
e) Users' access rights are enforced by automated access control mechanisms (e.g., menus to control access to application functions; and read, write, delete and execute permissions/limitations) to ensure individual accountability.
|
| 398 |
+
f) Privileged accounts must not be used for day-to-day use such as reading emails or accessing the internet.
|
| 399 |
+
g) Privileged access rights, which allow users to override system controls, are regularly reviewed by the GITO and system owners including access rights review of service accounts. It is recommended that these reviews occur more frequently (every three months) than for other access rights.
|
| 400 |
+
h) User access rights are reviewed and re-allocated when an employee moves from one business unit to another within a department.
|
| 401 |
+
|
| 402 |
+
# 21. PASSWORD MANAGEMENT
|
| 403 |
+
|
| 404 |
+
The Head of Department must ensure that -
|
| 405 |
+
|
| 406 |
+
a) A formal password standard is established and maintained. The password standard must define the length of a password (not less than eight(8) characters), the composition (alphanumeric) and the frequency of change and reuse of passwords.
|
| 407 |
+
b) Password authentication is used to prevent unauthorized access to transversal government ICT systems and department ICT systems.
|
| 408 |
+
c) That a procedure for issuing user identities and new or changed passwords is established and implemented with sufficient controls to prevent social engineering attempts from succeeding. A user's identity must be confirmed before resetting a password, providing a temporary password, or issuing a new password.
|
| 409 |
+
d) Initial passwords issued to new users or when a password is reset are temporary, forcing the user to change the password immediately when he/she logs in to the network with the new password.
|
| 410 |
+
e) New or changed passwords are communicated to a user securely. The use of electronic mail messages should be avoided when communicating issued passwords.
|
| 411 |
+
f) Passwords are changed immediately if there is an indication of system or password compromise.
|
| 412 |
+
g) All stored passwords are encrypted.
|
| 413 |
+
h) Default system administrator account passwords are changed immediately upon installation, default administrator accounts are renamed where applicable, and the system and guest accounts are disabled
|
| 414 |
+
i) Multifactor authentication (MFA) is used on critical systems to enhance security measures by providing an additional layer of protection using a combination of authentication factors (OTP, Graphical passwords(CAPTCHAs), Biometrics ).
|
| 415 |
+
|
| 416 |
+
# 22. MOBILE AND REMOTE COMPUTING
|
| 417 |
+
|
| 418 |
+
The Head of Department must ensure that -
|
| 419 |
+
|
| 420 |
+
a) Line management authorises the issuing of portable computers.
|
| 421 |
+
b) A formal risk analysis process for applications to which remote access is granted to assess risks and identify controls needed to reduce risks to an acceptable level.
|
| 422 |
+
c) A procedure for remote user access authorisation and management is established.
|
| 423 |
+
d) A register of all staff members authorised to use remote access facilities is maintained by the DISO.
|
| 424 |
+
e) The register of authorised remote access users and the access levels provided is reviewed regularly by system owners and the DISO to confirm that there is still a valid business requirement.
|
| 425 |
+
f) Users are prohibited from altering or disabling any security features that have been enabled on wireless connections.
|
| 426 |
+
|
| 427 |
+
# 23. USE OF ICT INFORMATION ASSETS
|
| 428 |
+
|
| 429 |
+
The Head of Department must ensure that -
|
| 430 |
+
|
| 431 |
+
a) The administrator and root-level system accounts are strictly controlled.
|
| 432 |
+
b) Access to administrator and root level accounts is only granted by a DISO and delegation must be kept to an absolute minimum.
|
| 433 |
+
c) Supervisory access rights are allocated on a business need basis and will be limited to the minimum services and functions necessary. Additional security measures must be implemented to ensure that they are used only for the intended purpose.
|
| 434 |
+
d) The processes to control the allocation, revocation, and review of powerful access rights are in place. These processes will include authorisation of all access rights by the appropriate line management and mechanisms to ensure that access rights are adjusted appropriately should the person leave or change the job description.
|
| 435 |
+
e) Critical logical access activities performed using powerful access rights generate audit trails and will be logged. All audit trails and logs must be reviewed monthly by the information owner and/or the GITO and stored for one year.
|
| 436 |
+
f) Power users do not share usernames and they must be given their unique usernames; therefore, no system generic usernames will be used.
|
| 437 |
+
g) A procedure allowing staff to obtain emergency access is in place and the assignment of this access will be reported and reviewed by the DISO. Emergency access must be revoked subsequently.
|
| 438 |
+
|
| 439 |
+
# 24. OUTSOURCING REQUIREMENTS
|
| 440 |
+
|
| 441 |
+
The Head of Department must ensure that -
|
| 442 |
+
|
| 443 |
+
a) Outsourcing complies with Condition 7 of Chapter 3 of the Protection of Personal Information Act, 2013 (Act No. 4 of 2013).
|
| 444 |
+
b) All consultants, temporary employees, and contractors must return all department and government property upon termination or expiration of their contract and all associated government network access (including remote access) rights should be simultaneously terminated.
|
| 445 |
+
c) External parties only use the information assets entrusted to them for the purposes agreed to in their contract.
|
| 446 |
+
d) The confidentiality and integrity of sensitive information will be protected when accessed through external party connections. A formal risk analysis must be conducted for each external party connection and appropriate controls must be implemented to reduce risks to an acceptable level.
|
| 447 |
+
e) A regular review of all previously approved external party access is conducted by the GITO. Any changes to the conditions under which the external party access was previously granted will be reviewed by GITO.
|
| 448 |
+
f) The external party users are restricted to the minimum services and functions necessary for the business process, as determined by the system owner.
|
| 449 |
+
g) As a condition of gaining access to a department's computer network, every external party computer must be checked by to ensure that the computer's antivirus software is up to date.
|
| 450 |
+
h) A register of authorised external party access users, as well as the access levels provided, is reviewed regularly (at least quarterly for ongoing contracts and ad hoc when access is set up) by the DISO to confirm that there is still a valid business requirement.
|
| 451 |
+
|
| 452 |
+
# 25. CYBERSECURITY
|
| 453 |
+
|
| 454 |
+
The Head of Department must ensure that -
|
| 455 |
+
|
| 456 |
+
a) Penetration testing, vulnerability scans, and threat risk analysis are part of the departmental cybersecurity initiatives.
|
| 457 |
+
|
| 458 |
+
# 26. CLOUD SECURITY
|
| 459 |
+
|
| 460 |
+
The Head of Department must ensure that -
|
| 461 |
+
|
| 462 |
+
a) Thorough due diligence of the service provider's integrity, legal agreements, physical location, and security must be conducted before deciding on a cloud service provider.
|
| 463 |
+
|
| 464 |
+
# 27. ELECTRONIC SIGNATURES
|
| 465 |
+
|
| 466 |
+
The Head of Department must ensure that -
|
| 467 |
+
|
| 468 |
+
b) The use of the electronic signatures solution is approved. c) The level of electronic signature selected is appropriate when considering the risks associated with a particular document or approval process.
|
| 469 |
+
|
| 470 |
+
# 28. AUDITING AND MONITORING
|
| 471 |
+
|
| 472 |
+
The Head of Department must ensure that -
|
| 473 |
+
|
| 474 |
+
a) Audit log management (collect, alert, logs review, and retain) occurs to detect malicious activities early. This includes the network traffic through both internal and external gateways, e.g., firewalls, email gateways, Intrusion Detections, and routers monitored for unusual activity (for example, abnormal combinations of connections, deliberate probing, or attacks, and unusually substantial amounts of data being transferred cross-border).
|
| 475 |
+
b) Systems to which external parties have access (such as client systems, web servers, and dial-up support facilities) have all transactions and system configuration changes monitored in real-time, with alerts escalated to appropriate personnel where unauthorised transactions occur. Such access must be disconnected when not in use. Computer clocks are synchronized to ensure the accuracy of audit logs for investigations or as evidence in legal or disciplinary cases. Computers and communication devices that can operate as real-time clocks should be set to an agreed standard.
|
| 476 |
+
|
| 477 |
+
# 29. ICT SERVICE CONTINUITY AND DISASTER RECOVERY
|
| 478 |
+
|
| 479 |
+
The Head of Department must ensure that -
|
| 480 |
+
|
| 481 |
+
a) There is an ICT service continuity plan that supports the business continuity of the department.
|
| 482 |
+
b) The continuity plans must include the establishment and maintenance of adequate data recovery processes and data restore testing to prove data recoverability.
|
| 483 |
+
|
| 484 |
+
# 30. ICT SERVICE PROVIDER MANAGEMENT
|
| 485 |
+
|
| 486 |
+
The Head of Department must ensure that -
|
| 487 |
+
|
| 488 |
+
a) There is a process to evaluate ICT service providers who have access to sensitive data or hold sensitive data or a have responsibility for ICT infrastructures to ensure the protection of the data and infrastructure.
|
| 489 |
+
b) Security requirements are included in the contracts of the service provider (Data encryption, multifactor authentication)
|
| 490 |
+
|
| 491 |
+
APPROVED BY THE MINISTER FOR THE PUBLIC SERVICE AND ADMINISTRATION
|
| 492 |
+
|
| 493 |
+

|
| 494 |
+
|
| 495 |
+
MR T.W. NXESI, MP
|
| 496 |
+
ACTING MINISTER FOR THE PUBLIC SERVICE AND ADMINISTRATION
|
| 497 |
+
DATE: $c-11061>032$
|
dataset/data/docs/MPSS_Booklet.pdf-61c2352b-0c86-43bc-8fbd-eabfe7d23827.md
ADDED
|
@@ -0,0 +1,417 @@
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1 |
+

|
| 2 |
+
|
| 3 |
+
GOVERNMENT SECURITYREGULATOR(GSR)
|
| 4 |
+
|
| 5 |
+
MINIMUM PHYSICALSECURITY STANDARDS(MPSS)
|
| 6 |
+
|
| 7 |
+
# FOREWORD:
|
| 8 |
+
|
| 9 |
+
MINIMUM PHYSICAL SECURITY STANDARDS (MPSS) 2009
|
| 10 |
+
|
| 11 |
+
Government ultimately is responsible for ensuring both the ‘freedom and security of the person as stated in Section 12 of the Constitution. In doing so, government must take cognisance of a variety of factors and ensure the existence of relevant legislation.The South African Police Service therefor is mandated by the Constitution and secure lives of SA citizens and property.
|
| 12 |
+
|
| 13 |
+
In 2000 Cabinet further enhanced the role of SAPS and specifically/explicitly mandated us to regulate physical security in the government, parastatals as well as National Key Points. In response to this, the SAPS formed the Division: Protection and Security Services (PSS) to focus on all security and protection functions. PSS is now the cornerstone in coordinating and supports the implementation of physical security standard and administration of the National Key Points Act 103 of 1980. PSS is a catalyst to synchronize the provision of physical security, regulate security within Government sector and National Key Points and harness the multi disciplinary approach in order to align all physical security operations to the legislative framework.
|
| 14 |
+
|
| 15 |
+
The South African Police Service has through a consultation process with the affected stakeholders, compiled: Minimum Physical Security Standards for implementation by all organs of state. The Minimum Physical Security Standards provide guidance on the required minimum levels of physical security. Also, provided herewith is annexures designed to provide guidelines on the different types of installations and security requirements.
|
| 16 |
+
|
| 17 |
+
Whilst the minimum are not legally enforceable, they are necessary. Furthermore minimum standards are a starting point towards regulations which will be enforceable and binding. Minimum standards therefor are import in ensuring that institutions are able to properly gear themselves for compliance once the regulations have been promulgated.
|
| 18 |
+
|
| 19 |
+
The Minimum Physical Security Standards are some cornerstones of our security, when implemented, they will represent a solid first line of defence. The attached annexures will be reviewed annually, it is expected that minor changes will be effected to ensure that they are in line with existing security developments.
|
| 20 |
+
|
| 21 |
+
The Minimum Physical Security Standards will be reviewed every five years to ensure that they remain consistent with our security measures.
|
| 22 |
+
|
| 23 |
+
The Minimum Physical Security Standards are promulgated by the National Commissioner of the South Africa Police Service for implementation within the Government Sector, Parastatals and National Key Points. Security is an operational responsibility of every institution. Institutions must continuously conduct vulnerability and security risk assessment in order to mount equivalent protection and security. Furthermore, government departments as well as municipalities are also required to continue to take important steps that will identify risks and assure the protection of municipal buildings.
|
| 24 |
+
|
| 25 |
+
I wish to thank all the stakeholders that provided inputs when the Minimum Physical Security Standards were compiled as well as the Government Sector Security Council who consolidated and ratified the final standard.
|
| 26 |
+
|
| 27 |
+
I urge all organs of state all Security Managers to use these standards and also to participate in the processes set to review the Minimum Physical Security Standards.
|
| 28 |
+
|
| 29 |
+

|
| 30 |
+
|
| 31 |
+
ACTING NATIONAL COMMISSIONER: SOUTH AFRICAN POLICE SERVICE DEPUTY NATIONAL COMMISSIONER
|
| 32 |
+
|
| 33 |
+
# EDITORIAL:
|
| 34 |
+
|
| 35 |
+
# PREFACE
|
| 36 |
+
|
| 37 |
+
In 2000 Cabinet enhanced the role of SAPS and specifically/explicitly mandated Protection & Security Services to regulate physical security in the government, parastatals as well as National Key Points. It was our approach to first develop the Minimum Physical Security Standards to be promulgated by the National Commissioner of the South African Police for implementation within Government Sector, Parastatals and National Key Points.
|
| 38 |
+
|
| 39 |
+
Government Security Regulator has through a consultation process with the affected stakeholders compiled Minimum Physical Security Standards to provide guidance on the required minimum levels of physical security. Also reference here is made to researched annexures designed to provide guidelines on the different types of installations and security requirements. The annexures will be reviewed annually and the Minimum Physical Security Standards every five years. The annexures will be available on request and any other information on the annexures can be directed to SAS@saps.org.za Tel: 012 400 6054 Fax 012 400 7053. As the chairperson of the Government Sector Security Council, I wish to extend our gratitude to the council for the work and assistance to ensure the final approval of the MPSS.
|
| 40 |
+
|
| 41 |
+
In the course of 2003, the South African Cabinet approved the mandated functions and broad structure of the new Protection and Security Services Division of the SAPS. These functions led to the establishment of the Component: Government Security Regulator (GSR) component. The GSR functions will be to regulate the service of all existent and newly identified Strategic Installations and the administration of the National Key Points Act.
|
| 42 |
+
|
| 43 |
+
The Government Security Regulator will perform these functions at national and provincial departments (excluding NIA, SASS and the SANDF), Public Entities, Parastatals and private entities which are classified as National Key Points.
|
| 44 |
+
|
| 45 |
+
The Government Security Regulator (GSR) was mandated to compile and implement the Minimum Physical Security Standards (MPSS) as an official document on minimum physical security standards, which must be maintained at all departments / institutions.
|
| 46 |
+
|
| 47 |
+
Any comments and/or recommendations in respect of this standard should be forwarded in writing to the Chairperson of the Government Sector Security Council (GSSC). All the representatives to the GSSC are responsible for ensuring that the document and feedback is received from all of their cluster members.
|
| 48 |
+
|
| 49 |
+
# Regards
|
| 50 |
+
|
| 51 |
+
# TABLE OF CONTENTS
|
| 52 |
+
|
| 53 |
+
Chapter 9: Review and Update process Chapter 10: Monitoring Chapter 11: Enforcement
|
| 54 |
+
|
| 55 |
+
hapter 1: Introduction hapter 2: Definitions and Abbreviations hapter 3: Functions, Roles and Responsibilities on application of security measures 3.1 The Role and Responsibilities of South African Police Service 3.2 The Role and Responsibilities of National Intelligence Agency 3.3 The Role and Responsibilities of Department of Public Works 3.4 The Role and Responsibilities of COMSEC 3.5 The Role and Responsibilities of Government Sector Security Council 3.6 The Role and Responsibilities of the Owner of a Department/Institution 3.7 The Role and Responsibilities of Security Manager 3.8 Functions of the Security Committee 3.9 Functions and Responsibilities of PSIRA
|
| 56 |
+
Chapter 4: Minimum Physical Security Standards
|
| 57 |
+
Chapter 5: Security Policy
|
| 58 |
+
Chapter 6: Physical Security Training and Awareness
|
| 59 |
+
Chapter 7: Physical Security Breaches
|
| 60 |
+
Chapter 8: Contingency Planning
|
| 61 |
+
|
| 62 |
+
# CHAPTER 1
|
| 63 |
+
|
| 64 |
+
# INTRODUCTION
|
| 65 |
+
|
| 66 |
+
# 1.1 STATEMENT OF PURPOSE
|
| 67 |
+
|
| 68 |
+
The primary purpose of this directive is to provide guidance to the security managers of the departments and institutions with regards to the implementation and compliance in respect to minimum physical security standards required. The standards is designed to assist security managers in coordinating and managing compliance within the minimum physical security standards as required in internal physical security policy, procedures, overall efficiency and effectiveness of the physical security programme of the department or institution.
|
| 69 |
+
|
| 70 |
+
# 1.2 SCOPE
|
| 71 |
+
|
| 72 |
+
The MPSS is aimed for use at all Government Department, National Key Points and Strategic Installations. The guide will assist all security managers in reviewing their physical security related aspects on their respective departments or institutions. All organizational resources, i.e. people, assets and physical protection of information, are covered in this document.
|
| 73 |
+
|
| 74 |
+
# 1.3 LEGISLATIVE REQUIREMENTS AND DIRECTIVES
|
| 75 |
+
|
| 76 |
+
1.3.1 South African Police Services Act, 1995 (Act No 58 of 1995)
|
| 77 |
+
1.3.2 National Key Point Act, 1980 (Act No 102 of 1980)
|
| 78 |
+
1.3.3 Control of Access to Public Premises and Vehicle Act, 1985
|
| 79 |
+
(Act No 53 of 1985)
|
| 80 |
+
1.3.4 Protection of Information Act, 1982 (Act No 84 of 1982)
|
| 81 |
+
1.3.5 Public Finance Management Act, 1999(Act No 1 of 1999
|
| 82 |
+
1.3.6 Constitution of the Republic of South Africa, 1996 (Act No 108 of 1996)
|
| 83 |
+
1.3.7 Public Service Act and Regulations 2001
|
| 84 |
+
1.3.8 Criminal Procedure Act, 1977 (Act No 51 of 1977)
|
| 85 |
+
1.3.9 Private Security Industry Regulation Act, 2001 (Act No 56 of 2001)
|
| 86 |
+
1.3.10 Firearm Control Act, 2000 (Act No 60 of 2000)
|
| 87 |
+
1.3.11 Occupational Health and Safety Act, 1993 (Act No 85 of 1993)
|
| 88 |
+
1.3.12 Minimum Information Security Standards
|
| 89 |
+
|
| 90 |
+
# CHAPTER 2
|
| 91 |
+
|
| 92 |
+
# DEFINITIONS AND ABBREVIATIONS
|
| 93 |
+
|
| 94 |
+
2.1 IN THIS DOCUMENT, UNLESS THE CONTEXT OTHERWISE INDICATES:
|
| 95 |
+
2.1.1 Business Continuity Planning, includes the development of plans, measures, procedures and arrangements to ensure minimal or no interruption of the availability of critical services and assets.
|
| 96 |
+
2.1.2 Classified information, means sensitive information which, in the national interest, is held by, produced or is under the control of the state, or which concerns the state and which must by reasons of its sensitive nature be exempt from disclosure and must enjoy protection against compromise.
|
| 97 |
+
2.1.3 Criminal Record Check, means an investigation to determine the criminal record of an individual to determine his/her criminal record status.
|
| 98 |
+
2.1.4 Compromise, means disclosing, destroying, removing, modifying or interrupting assets without the necessary authorization.
|
| 99 |
+
2.1.5 Comsec, means the institution identified as Electronic Communication Security (Pty) Ltd established in terms of section 2 of the Electronic Communications Security Act, 2002 (Act No 68 of 2002).
|
| 100 |
+
2.1.6 Defensive Counter Intelligence, means proactive measures conducted to neutralize the effectiveness of foreign intelligence operations to protect classified information and terrorism aimed at or against personnel, strategic installations and resources of the Republic of SA in accordance with the National Strategic Intelligence Act, 1994 (Act No 39 of 1994).
|
| 101 |
+
|
| 102 |
+
2.1.7 Directives, means the Minimum Physical Security Standard (MPSS).
|
| 103 |
+
|
| 104 |
+
2.1.8 Institution, means any organ of state as defined in section 239 of the Constitution, 1996 (Act No 108 of 1996), including, but not limited to, any public entity as defined in section 1 of the Public Finance Management Act, 1999 (Act No 1 of 1999).
|
| 105 |
+
2.1.9 Strategic Installation, means any institution which has been declared by the minister.
|
| 106 |
+
2.1.10 MISS, means the minimum information security standards as approved by cabinet on 4 December 1996.
|
| 107 |
+
2.1.11 Owner, means the HOD/CEO of department/institution municipal manager.
|
| 108 |
+
2.1.11 Physical Security, means the use of physical measures to prevent and delay unauthorized intrusion and to protect assets and personnel, detect any attempt or actual break in the physical security environment.
|
| 109 |
+
2.1.12 Risk, means the likelihood of a threat materializing by exploitation of an event or incident to create vulnerability.
|
| 110 |
+
|
| 111 |
+
2.1.13 Physical Security implies, but is not limited to:-
|
| 112 |
+
|
| 113 |
+
1. Physical security measures for the protection of information
|
| 114 |
+
2. Personnel security awareness of physical security matters
|
| 115 |
+
3. Contingency planning
|
| 116 |
+
4. Criminal Record check
|
| 117 |
+
5. Dealing with security breaches relating to physical
|
| 118 |
+
security matters
|
| 119 |
+
6. Security investigations
|
| 120 |
+
7. Auditing and compliance checks to ensure security standards.
|
| 121 |
+
|
| 122 |
+
2.1.14 Physical Security Grading different levels of physical security measures of the structure.
|
| 123 |
+
2.1.15 Security breach, means the negligent or intentional transgression or failure to comply with physical security measures.
|
| 124 |
+
2.1.16 Security evaluation, means the process to determine the security threat analysis encompassing physical security appraisal, topographical analysis and security appreciation analysis.
|
| 125 |
+
2.1.17 Security Policy, means a formal set of rules that governs the security of an institution’s premises, assets, technology and information assets.
|
| 126 |
+
2.1.18 Threat, means any potential event or act, deliberate or accidental, that could cause injury to persons, compromise the physical security or could cause the loss of or damage to assets.
|
| 127 |
+
2.1.19 Threat and Risk Assessment, means the process of doing a security threat analysis, encompassing physical security appraisal, topographical analysis and security appreciation analysis.
|
| 128 |
+
2.2 ABBREVIATIONS
|
| 129 |
+
2.2.1 CEO Chief Executive Officer
|
| 130 |
+
2.2.2 COMSEC Communication Security/ Electronic Communication Security.
|
| 131 |
+
2.2.3 GSR Government Security Regulator
|
| 132 |
+
2.2.4 GSS Government Sector Security
|
| 133 |
+
2.2.5 GSSC Government Sector Security Council
|
| 134 |
+
2.2.6 HOD Head of Department
|
| 135 |
+
2.2.7 MISS Minimum Information Security Standards
|
| 136 |
+
2.2.8 MPSS Minimum Physical Security Standards
|
| 137 |
+
2.2.9 NIA National Intelligence Agency
|
| 138 |
+
|
| 139 |
+
# CHAPTER 3
|
| 140 |
+
|
| 141 |
+
FUNCTIONS, ROLES AND RESPONSIBILITIES ON APPLICATION OF SECURITY MEASURES
|
| 142 |
+
|
| 143 |
+
3.1 THE ROLE AND RESPONSIBILITIES OF SOUTH AFRICAN POLICE SERVICE
|
| 144 |
+
|
| 145 |
+
2.2.10 NKP
|
| 146 |
+
2.2.11 PSIRA
|
| 147 |
+
2.2.12 SAPS
|
| 148 |
+
2.2.13 SAS
|
| 149 |
+
2.2.14 SASS
|
| 150 |
+
2.2.15 SANDF
|
| 151 |
+
|
| 152 |
+
National Key Points
|
| 153 |
+
Private Security Industry Regulatory Authority
|
| 154 |
+
South African Police Service
|
| 155 |
+
Security Advisory Service of SAPS
|
| 156 |
+
South African Secret Service
|
| 157 |
+
South African National Defense Force
|
| 158 |
+
|
| 159 |
+
3.1.1. The SAPS will issue Minimum Physical Security Standards to support institutions in the protection of their installations (including Parastatals, Public and Private Entities).
|
| 160 |
+
|
| 161 |
+
3.1.2. SAPS is responsible for assisting institutions (including parastatals, public/private entities that fall under the National Key Points environment) in establishing effective physical security within their own environments and to monitor the physical security compliance/ adherence as stipulated in the Minimum Physical Security Standards. To achieve this the SAPS must do the following:
|
| 162 |
+
|
| 163 |
+
3.1.2.1 Advise institutions with regard to the implementation of Minimum Physical Security Standards and any physical security related issues.
|
| 164 |
+
|
| 165 |
+
3.1.2.2 Audit physical security through conducting evaluations and assessments as part of security appraisals, in order to:
|
| 166 |
+
|
| 167 |
+
1. Determine the overall standard of physical security and security awareness as far as it relates to physical security.
|
| 168 |
+
2. Determine whether the extent to which the aspects of the security policy of the institutions are consistent with the directive of the Minimum Physical Security Standards.
|
| 169 |
+
3. Implementation of the security policy and its effectiveness.
|
| 170 |
+
4. Support the establishment of a physical security emergency reaction capability.
|
| 171 |
+
|
| 172 |
+
NB: Any intelligence and information security-related issues detected by SAPS (breaches of information security) must be referred to NIA (Advisory Section) for further handling.
|
| 173 |
+
|
| 174 |
+
3.2 THE ROLE AND RESPONSIBILITIES OF NATIONAL INTELLIGENCE AGENCY
|
| 175 |
+
3.2.1 The National Intelligence Agency is mandated by legislation to coordinate between itself, the South African Secret Services, the South African Police Services and the South African National Defense Force regarding the implementation of defensive counter - intelligence measures at institutions.
|
| 176 |
+
3.2.2 The Agency is responsible for assisting and providing guidance to institutions within its legislative mandate to establish effective information security within their own environments and to monitor their adherence to Minimum Information Security Standards. In fulfilling this, the agency will:
|
| 177 |
+
3.2.2.1 advise institutions on how to identify information that falls within the broader categories of classified information and, therefore, require special protection through classification.
|
| 178 |
+
3.2.2.2 advise institutions on the implementation of and adherence to Minimum Information Security Standards.
|
| 179 |
+
3.2.2.3 assist institutions in ensuring that their security policies include Minimum Information Security Standards.
|
| 180 |
+
3.2.2.4 advise, co-ordinate, audit and exercise control with regard to information security in the public, parastatal and private environment in South Africa (with the exclusion of SAPS, SASS and SANDF responsibilities).
|
| 181 |
+
NB: Any physical security-related issues (breaches, non-compliance) must be referred
|
| 182 |
+
|
| 183 |
+
to the SAPS for further handling.
|
| 184 |
+
|
| 185 |
+
3.3 THE ROLE AND RESPONSIBILITIES OF NATIONAL DEPARTMENT OF PUBLIC WORKS
|
| 186 |
+
3.3.1 When providing facilities for institutions, the National Department of Public Works must:
|
| 187 |
+
3.3.1.1 ensure that the requirements of physical security directives relating to contracting are complied with.
|
| 188 |
+
3.3.1.2 ensure that reliability checks are completed by the relevant National Intelligence Structures of private institutions, companies and individuals who may require access to protected and classified information and assets.
|
| 189 |
+
3.3.1.3 ensure that physical security measures as prescribed by SAPS Security Advisory Services for installations of the department/institution, as part of the contracting process, is adhered to.
|
| 190 |
+
3.3.1.4 ensure that security assessments of facilities or drawings/architectural designs thereof are undertaken by the SAPS (SAS) and NIA before any agreement is entered into to procure the property for an institution and all recommendations of the SAPS (SAS) are implemented.
|
| 191 |
+
3.3.1.5 involve the SAPS in all structural improvements done to maintain the minimum physical security levels of the institutions.
|
| 192 |
+
3.4 THE ROLE OF COMSEC (Electronic Communications Security (Pty) Ltd)
|
| 193 |
+
3.4.1 Electronic Communication Security must:
|
| 194 |
+
3.4.1.1 advise and assist institutions on the implementation of the minimum standards relating to communication security contained in the Minimum Information Security Standards, and
|
| 195 |
+
3.4.1.2 assess and report on the application of communication security technical devices in both the public and private sectors.
|
| 196 |
+
3.5 THE ROLE AND RESPONSIBILITIES OF GOVERNMENT SECTOR SECURITY COUNCIL (GSSC)
|
| 197 |
+
3.5.1 The Government Sector Security Council is a consultative structure for regulating physical security training and security provisioning in the Government Sector (including Public/Private Entities, Parastatals and NKPs).
|
| 198 |
+
3.5.2 The functions of the GSSC are the following:
|
| 199 |
+
3.5.2.1 Consolidate the implementation of Government Sector Security through co-ordinating functions and activities that relate to physical security.
|
| 200 |
+
3.5.2.2 Enhance the monitoring and evaluation initiatives of physical security in the government.
|
| 201 |
+
3.5.2.3 Facilitate thorough and effective physical security in government sector buildings and build co-operation between members of the public sector and private sector.
|
| 202 |
+
3.5.2.4 Co-ordinate contingency planning exercises and create a platform for communicating the management of physical security incidents and breaches.
|
| 203 |
+
3.5.2.5 Integrate and co-ordinate related functions, especially the inspections and audits of the different security agencies i.e. NIA, SAPS, PSIRA.
|
| 204 |
+
3.5.2.6 The Council will also enhance understanding of the role of different security agencies such as PSIRA, NIA and SAPS. The GSSC will create an appropriate platform for the liaison of all security managers in the public sector and private sector. NB: Included in the membership of the GSSC are the representatives of the regulatory bodies i.e. National Nuclear Regulator, NERSA, Rail Safety Regulator, PSIRA, Armaments Co-operation of South African (Ltd), SASSETA and NIA.
|
| 205 |
+
3.6 THE ROLE AND RESPONSIBILITIES OF THE OWNER OF DEPARTMENT OR INSTITUTION
|
| 206 |
+
3.6.1 “The owner of department or institution in this regard refer to Head of Department, Chief Executive Officer and Municipality Manager”.
|
| 207 |
+
3.6.1.1 The owner of the department/institution is accountable for the overall physical security under his/her control.
|
| 208 |
+
3.6.1.2 The owner must oversee the development, implementation and maintenance of the security policy as per the needs of the department/ institution.
|
| 209 |
+
3.6.1.3 The owner must ensure that a manager is appointed to manage all security functions and ensure implementation/adherence to Minimum Physical Security Standards.
|
| 210 |
+
3.6.1.4 The owner must ensure that all institutions under him /her have been security evaluated/assessed by SAPS Security Advisory Services.
|
| 211 |
+
3.6.1.5 The owner must ensure that employees and service providers (contractors/consultants) are subjected to reliability record checking process conducted by NIA.
|
| 212 |
+
3.6.1.6 The owner must conduct training and awareness programmes with regard to adherence to the Minimum Physical Security Standards.
|
| 213 |
+
|
| 214 |
+
3.6.1.7 The owner must ensure that the security section is exposed to appropriate security-related training to empower them in the performance of their functions.
|
| 215 |
+
|
| 216 |
+
3.6.1.8 The owner must ensure that a Security Committee is established within his/her department/institution.
|
| 217 |
+
|
| 218 |
+
3.6.1.9 The owner must see to it that a correct reporting structure is in place with regard to reporting of Security breaches.
|
| 219 |
+
|
| 220 |
+
3.6.1.10 The owner must approve budget as advised by the Security Committee for the recommendations on the security assessment conducted by SAPS (SAS) in the department/institution.
|
| 221 |
+
|
| 222 |
+
NB: With the assistance of the Security Committee, the owner of the department/ institution must ensure that there is a continuous monitoring of the compliance with this Minimum Physical Security Standards by instituting internal departmental policy or directives.
|
| 223 |
+
|
| 224 |
+
3.7 RESPONSIBILITIES OF SECURITY MANAGER
|
| 225 |
+
|
| 226 |
+
3.7.1 The Security Manager must:
|
| 227 |
+
3.7.1.1 Manage all matters relating to the administration and organization of security at the department/institution.
|
| 228 |
+
3.7.1.2 Draft security policy for approval by security committee and head of the institution.
|
| 229 |
+
3.7.1.3 Manage the security component of the department/institution.
|
| 230 |
+
3.7.1.4 Continually monitor all physical security related contracts at the department/institution to ensure compliance with the contract specifications.
|
| 231 |
+
3.7.1.5 Ensure that security assessments/evaluations/threat and risk assessments of the installations are conducted by the SAPS at institutions.
|
| 232 |
+
3.7.1.6 Enhance the awareness of the staff regarding physical security in the department/institution.
|
| 233 |
+
3.7.1.7 Ensure that security audits are conducted every three years.
|
| 234 |
+
3.7.1.8 Analyze the audit results, make recommendations to the head of the department/institution to improve physical security measures and prepare a report for the head of the department/institution for submission to the SAPS regarding the findings.
|
| 235 |
+
3.7.1.9 Consult with the SAPS on any new developments or changes in the physical security environment.
|
| 236 |
+
3.7.1.10 Ensure that applications for criminal record checks are correctly completed before submission to the SAPS.
|
| 237 |
+
3.7.1.11 Act as chairperson of the security committee of the department/ institution.
|
| 238 |
+
3.8. FUNCTIONS OF THE SECURITY COMMITTEE
|
| 239 |
+
3.8.1 The Security Committee must do the following:
|
| 240 |
+
3.8.1.1 Recommend the security policy of the department/institution after having taken the advice provided by SAPS and NIA into account.
|
| 241 |
+
3.8.1.2 Make recommendations to the head of institution regarding the implementation and maintenance of security measures.
|
| 242 |
+
3.8.1.3 Regularly review the security policy of the department/institution, its prioritization thereof as well as information and advice provided by the SAPS and NIA.
|
| 243 |
+
3.8.1.4 Forward the draft policy and any review thereof to the SAPS and NIA for endorsement.
|
| 244 |
+
3.8.1.5 After endorsement by SAPS and NIA, submit the policy or any review thereof to the head of the department/institution for approval.
|
| 245 |
+
3.8.1.6 Ensure the communication of the approved policy to all staff members and relevant consultants and contractors.
|
| 246 |
+
3.8.1.7 Make recommendations to the head of the department/institution regarding directives to be issued by the head of the department/ institution to ensure the implementation of the security policy and any review thereof.
|
| 247 |
+
|
| 248 |
+
# 3.9. FUNCTIONS AND RESPONSIBILITIES OF PSIRA
|
| 249 |
+
|
| 250 |
+
The Private Security Industry Regulatory Authority (PSIRA) was established in terms of section 2 of the Act. The primary objects of the Authority are to regulate the private security industry and to exercise effective control over the practice of the occupation of security service providers in the public and national interest of the private security industry itself. Other objects include, inter alia, the following:
|
| 251 |
+
|
| 252 |
+
3.9.1 To promote a legitimate private security industry which acts in terms of the principles contained in the Constitution and other applicable laws.
|
| 253 |
+
3.9.2 To ensure that all security service providers act in the public and national interest in the rendering of security services.
|
| 254 |
+
3.9.3 To determine and enforce minimum standards of occupational conduct in respect of security service providers.
|
| 255 |
+
3.9.4 To promote high standards in the training of security service providers and prospective security service providers.
|
| 256 |
+
3.9.5 To promote the protection and enforcement of the rights of security officers and other employees in the private security industry.
|
| 257 |
+
3.9.6 To ensure that compliance with existing legislation by security service providers is being promoted and controlled through a process of active monitoring and investigation of the affairs of security providers.
|
| 258 |
+
|
| 259 |
+
# CHAPTER 4
|
| 260 |
+
|
| 261 |
+
# MINIMUM PHYSICAL SECURITY STANDARDS
|
| 262 |
+
|
| 263 |
+
# 4.1 STANDARD STATEMENT
|
| 264 |
+
|
| 265 |
+
These are minimum physical security related standards that must be adhered to during implementation process. Those standards that may impact on information security have been addressed through the Minimum Information Security Standards. If any standard contained in the Minimum Physical Security Standards document is unclear with regard to the implementation, GSR can be contacted.
|
| 266 |
+
|
| 267 |
+
4.2 PHYSICAL SECURITY
|
| 268 |
+
|
| 269 |
+
4.2.1 Physical Security Measures:
|
| 270 |
+
|
| 271 |
+
The HOD/CEO of a department/institution is responsible for the physical security of the facilities/assets of the institution and must ensure that:
|
| 272 |
+
|
| 273 |
+
4.2.1.1 The budget of the department/institution provides for the costs of implementing proper physical security measures.
|
| 274 |
+
|
| 275 |
+
4.2.1.2 The placement of personnel, assets and functions in existing and newly designed facilities is done in a manner that is conducive to the provision of effective and efficient physical security measures within the department/institution.
|
| 276 |
+
|
| 277 |
+
4.2.1.3 The integration of physical security measures occurs in the early process of selecting, designing or modifying facilities of the institution. Such integration of security measures must entail:
|
| 278 |
+
|
| 279 |
+
1. The selection, design and modification of facilities in order to facilitate physical security measures.
|
| 280 |
+
2. The demarcation and control of areas at the facilities.
|
| 281 |
+
3. The installation of the necessary physical security equipment based on the assessments by SAPS-SAS.
|
| 282 |
+
4. The inclusion of the necessary security specifications for tender documentation process.
|
| 283 |
+
|
| 284 |
+
4.2.1.4 The implementation of physical security measures to:
|
| 285 |
+
|
| 286 |
+
1. Delay, detect or prevent unauthorized intrusion to a department/institution.
|
| 287 |
+
2. Activate appropriate responses to such attempts or actual gaining of unauthorized intrusion.
|
| 288 |
+
3. The implementation of physical security measures to safeguard employees contractors and visitors from harm.
|
| 289 |
+
4. The secure storage, transportation and disposal of assets of the department/institution.
|
| 290 |
+
5. The continuous review of physical security measures at facilities of the department/institution in order to reflect changes in the environment and take advantage of new costeffective technologies.
|
| 291 |
+
|
| 292 |
+
# CHAPTER 5
|
| 293 |
+
|
| 294 |
+
# SECURITY POLICY
|
| 295 |
+
|
| 296 |
+
5.1 REQUIREMENTS FOR A SECURITY POLICY
|
| 297 |
+
5.1.1 It must be a clearly defined document that encompasses the Minimum Physical Security Standards.
|
| 298 |
+
5.1.2 It must cover all aspects of physical security and provide for different levels of physical security grading.
|
| 299 |
+
5.1.3 It must set out the obligations of the different role players with regard to the implementation of the policy.
|
| 300 |
+
5.1.4 The policy must clearly give a direct guide to all personnel and relevant contractors and consultants of the department/institution to adhere / comply with the Minimum Physical Security Standards.
|
| 301 |
+
5.1.5 The policy must clearly specify that failure by an employee to comply with the policy and the Minimum Physical Security Standards constitutes serious misconduct and that disciplinary measures must be taken against such a person.
|
| 302 |
+
5.1.6 Security Manager to develop operating standard to ensure that they achieve operational objectives.
|
| 303 |
+
|
| 304 |
+
NB: These can be achieved through exposing employees, contractors and consultants to physical security awareness programmes, by assigning to specific officials the responsibility to develop, co-ordinate and manage physical security training and awareness programmes, including monitoring the compliance with the Minimum Physical Security Standards.
|
| 305 |
+
|
| 306 |
+
# 5.2 REPORTING ON SECURITY POLICY
|
| 307 |
+
|
| 308 |
+
5.2.1 The Security Manager of a department/institution must report to the HOD/CEO of a department/institution on a quarterly basis on the extent to which the policy has been implemented and its prescripts are being complied with and identify any difficulties experienced with the implementation of the policy and make recommendations to the HOD/CEO on how to address those difficulties.
|
| 309 |
+
|
| 310 |
+
5.2.2 The HOD/CEO must take the necessary steps to address the difficulties identified in the report and must report to the SAPS, including his or her comments.
|
| 311 |
+
|
| 312 |
+
# CHAPTER 6
|
| 313 |
+
|
| 314 |
+
PHYSICAL SECURITY TRAINING AND AWARENESS
|
| 315 |
+
|
| 316 |
+
6.1 DEVELOPMENT OF TRAINING AND AWARENESS PROGRAMMES
|
| 317 |
+
|
| 318 |
+
6.1.1 The security manager of the department/institution is responsible for developing and implementing physical security training and awareness programmes for the department/institution in close cooperation with:
|
| 319 |
+
|
| 320 |
+
6.1.1.1 The security committee and/or Joint Planning Committee of that department/institution.
|
| 321 |
+
|
| 322 |
+
6.1.1.2 The training component of that department/institution.
|
| 323 |
+
|
| 324 |
+
6.1.1.3 SAPS and NIA security related training and awareness programmes.
|
| 325 |
+
|
| 326 |
+
6.2 IMPLEMENTATION OF SECURITY TRAINING AND AWARENESS PROGRAMS
|
| 327 |
+
|
| 328 |
+
6.2.1 The Security Manager must:
|
| 329 |
+
|
| 330 |
+
6.2.1.1 Arrange and conduct the physical security awareness programmes within the department/institution.
|
| 331 |
+
|
| 332 |
+
6.2.1.2 Determine the needs for physical security training and awareness of personnel, contractors and consultants, make recommendations to the HOD/CEO of the department/institution in this regard and ensure that the training, as approved by the head of the department/institution, takes place.
|
| 333 |
+
|
| 334 |
+
6.2.1.3 Regularly consult with SAPS (Government Security Regulator) to determine any new developments or changes in the physical security training and awareness fields.
|
| 335 |
+
|
| 336 |
+
# CHAPTER 7
|
| 337 |
+
|
| 338 |
+
# PHYSICAL SECURITY BREACHES
|
| 339 |
+
|
| 340 |
+
# 7.1 SECURITY INCIDENTS/BREACHES REPORTING PROCESS
|
| 341 |
+
|
| 342 |
+
7.1.1 The Security Manager must ensure that all physical security breaches, including the prevented incidents/breaches, are reported to the SAPS for investigation and further handling. Recommended reporting structures stand as follows:
|
| 343 |
+
|
| 344 |
+
7.1.1.1 Crime related incidents must be reported to the nearest Police Station.
|
| 345 |
+
|
| 346 |
+
7.1.1.2 Information security related incidents must be reported to NIA.
|
| 347 |
+
|
| 348 |
+
NB: Reporting of physical security breaches as covered in all security dimensions must at all times be dealt with using the highest degree of confidentiality to protect the reporting individual from any injustice or harm.
|
| 349 |
+
|
| 350 |
+
7.1.2 The Security Manager must ensure that all staff members are informed, by means of a physical security awareness program, about the procedure that must be followed in the event of the detection of a breach or suspected breach of physical security.
|
| 351 |
+
|
| 352 |
+
7.2 PHYSICAL SECURITY INCIDENTS/BREACHES RESPONSE PROCESS
|
| 353 |
+
|
| 354 |
+
Every breach of physical security must be inquired into in order to:
|
| 355 |
+
|
| 356 |
+
.2.1.1 Conduct proper investigation process.
|
| 357 |
+
|
| 358 |
+
7.2.1.2 Assess damage that was caused or could possibly have been caused.
|
| 359 |
+
|
| 360 |
+
7.2.1.3 Make recommendations regarding steps to be taken to prevent the breach from re-occurring.
|
| 361 |
+
|
| 362 |
+
7.2.2 All breaches or suspected breaches of security that constitute misconduct by an employee must be dealt with by the head of the department/institution through taking appropriate disciplinary measures against the employee concerned.
|
| 363 |
+
|
| 364 |
+
7.2.3 All breaches of physical security that may possibly constitute a criminal offence must be referred to the nearest police station for investigation.
|
| 365 |
+
|
| 366 |
+
# CHAPTER 8
|
| 367 |
+
|
| 368 |
+
CONTINGENCY PLANNING
|
| 369 |
+
|
| 370 |
+
CONTINGENCY PLANNING
|
| 371 |
+
|
| 372 |
+
8.1.1 An HOD/CEO of a department/institution must have a contingency plan to provide for the continued availability of critical services and assets if a threat materializes and to provide for appropriate steps and procedures to respond to an emergency situation to ensure the safety of employees and visitors.
|
| 373 |
+
8.1.2 The plan must:
|
| 374 |
+
8.1.2.1 Set out measures to ensure the regular review and testing of the plan. Ensure that the emergency evacuation procedures are made available for all possible emergencies.
|
| 375 |
+
8.1.2.3 Ensure that there is an appropriate number of trained members to assist with evacuation when an emergency occur.
|
| 376 |
+
8.1.2.4 Ensure that equipment is available to assist with evacuation in an emergency.
|
| 377 |
+
8.1.2.5 Ensure that awareness programmes include emergency evacuation.
|
| 378 |
+
8.1.2.6 Ensure that emergency procedures are available in all passages, control rooms and at emergency escape routes.
|
| 379 |
+
8.1.2.7 Ensure proper marking of emergency escape routes.
|
| 380 |
+
8.1.2.8 Include floor plans of the department/institution.
|
| 381 |
+
8.1.2.9 Ensure that assembly points are demarcated, accessible and well-known.
|
| 382 |
+
8.1.2.10 Ensure that signals and signs are clearly defined and communicated.
|
| 383 |
+
|
| 384 |
+
# CHAPTER 9
|
| 385 |
+
|
| 386 |
+
# REVIEW AND UPDATE PROCESS
|
| 387 |
+
|
| 388 |
+
9.1 REVIEW AND UPDATE
|
| 389 |
+
9.1.1 The Minimum Physical Security Standards will be reviewed by the SAPS (Government Security Regulator) every five years.
|
| 390 |
+
9.1.2 The annexure to MPSS will be reviewed annually to ensure that they are in line with the new technology.
|
| 391 |
+
9.1.3 Communication will take place through the GSSC to all relevant role players.
|
| 392 |
+
|
| 393 |
+
# CHAPTER 10
|
| 394 |
+
|
| 395 |
+
# MONITORING
|
| 396 |
+
|
| 397 |
+
# 10.1 MONITORING
|
| 398 |
+
|
| 399 |
+
10.1.1 Audits and inspections will be conducted by the SAPS (Government Security Regulator) monitoring compliance with Minimum Physical Security Standards.
|
| 400 |
+
10.1.2 Certain observations may have such a significant impact, that immediate corrective action required. In such cases the auditing shall monitor the condition until satisfactory corrective action had been taken.
|
| 401 |
+
10.1.3 Follow-up inspections/audits is the process by which the auditor determines the adequacy, effectiveness and timeliness of actions taken by management on reported engagement observations and recommendations made.
|
| 402 |
+
|
| 403 |
+
# CHAPTER 11
|
| 404 |
+
|
| 405 |
+
# ENFORCEMENT
|
| 406 |
+
|
| 407 |
+
Senior Management, Security Manager and all employees within the department/ institution are responsible for enforcing these Minimum Physical Security Standards.
|
| 408 |
+
|
| 409 |
+
Non-compliance/infringement of these directives must be regarded as misconduct and must be dealt with in accordance with the disciplinary code of the relevant department/institution.
|
| 410 |
+
|
| 411 |
+
Annexures will be provided separatly as it will be reviewed annually.
|
| 412 |
+
|
| 413 |
+
Annexure a: Grading of National Key Points Annexure b: Grading of Buildings Annexure c: Grading of Residences Annexure d: Grading of Newly Built Residences
|
| 414 |
+
|
| 415 |
+

|
| 416 |
+
|
| 417 |
+

|
dataset/data/docs/Minimum Information Security Standards (MISS).pdf-9e5f96e5-5d6e-4a6a-9270-72eaa9809f3d.md
ADDED
|
|
|
|
dataset/data/docs/Protection of Information Act 84 of 1982 South African Government_English_Adesemmyk.pdf-0aeaf0b9-0f34-4e8c-a946-.md
ADDED
|
@@ -0,0 +1,178 @@
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1 |
+
Please note that most Acts are published in English and another South African official language Currently we only have capacity to publish the English versions.
|
| 2 |
+
This means that this document will only contain even numbered pages as the other language is printed on uneven numbered pages.
|
| 3 |
+
|
| 4 |
+
# REPUBLIC OF SOUTH AFRICA
|
| 5 |
+
# GOVERNMENT GAZETTE
|
| 6 |
+
[VoL.204] Cape Town, 16 June 1982 [No. 8248]
|
| 7 |
+
|
| 8 |
+
|
| 9 |
+
# OFFICE OF THE PRIME MINISTER
|
| 10 |
+
|
| 11 |
+
It is hereby notified that the State President has assented to the following Act which is hereby published for general information:-
|
| 12 |
+
|
| 13 |
+
No. 84 of 1982: Protection of Information Act, 1982.
|
| 14 |
+
# PROTECTION OF INFORMATION ACT, 1982
|
| 15 |
+
ACT
|
| 16 |
+
To provide for the protection from disclosure of certain information; and to provide for matters connected therewith.
|
| 17 |
+
|
| 18 |
+
RE IT ENACTED by the State President and the House of Assembly of the Republic of South Africa, as follows:-
|
| 19 |
+
|
| 20 |
+
[I] Definitions.
|
| 21 |
+
|
| 22 |
+
1.
|
| 23 |
+
(1) In this Act, unless the context otherwise indicates
|
| 24 |
+
(i) “agent" means any person who is or has been or is reasonably suspected of being or having been directly or indirectly used by or in the name of or on behalf of any foreign State or any hostile organization for the purpose of committing in the Republic or elsewhere an act prejudicial to the security or interests of the Republic, or who has or is reasonably suspected of having committed or attempted to commit such an act in the Republic or elsewhere in the interests of any foreign State or any hostile organization;
|
| 25 |
+
(ii) “armaments” means armaments as defined in section 1 of the Armaments Development and Production Act, 1968 (Act No.57 of 1968);
|
| 26 |
+
(iii) “document" means
|
| 27 |
+
(a)any note or writing, whether produced by hand or by printing, typewriting or any other similar process;
|
| 28 |
+
(b) any copy, plan, picture, sketch or photographic or other representation of any place or article;
|
| 29 |
+
(c) any disc, tape, card, perforated roll or other device in or on which sound or any signal has been recorded for reproduction;
|
| 30 |
+
|
| 31 |
+
(iv) “foreign State” means any State other than the Republic;
|
| 32 |
+
(v) “Government” includes the South African Transport Services, the Department of Posts and Telecommunications and any provincial administration;
|
| 33 |
+
(vi) “hostile organization" means
|
| 34 |
+
(a)any organization declared by or under any Act of Parliament to be an unlawful organization;
|
| 35 |
+
(b) any association of persons or any movement or institution declared under section 14 to be a hostile organization;
|
| 36 |
+
(vii) “military” includes army, air force and naval;
|
| 37 |
+
(viii) “model" includes any design, pattern or specimen;
|
| 38 |
+
(ix)“prohibited place” means
|
| 39 |
+
(a) any work of defence belonging to or occupied or used by or on behalf of the Government, including—
|
| 40 |
+
(i) any arsenal, military establishment or station, factory, dockyard, camp, ship, vessel or aircraft;
|
| 41 |
+
(ii) any telegraph, telephone, radio or signal station or office; and
|
| 42 |
+
(iii)any place used for building repairing, making, keeping or obtaining armaments or any model or document relating thereto;
|
| 43 |
+
(b) any place where armaments or any model or document relating thereto is being built, repaired, made, kept or obtained under contract with or on behalf of the Government or of the government of any foreign State;
|
| 44 |
+
(c) any place or area declared under section 14 to be a prohibited place; (viii)
|
| 45 |
+
|
| 46 |
+
(x) “security matter” includes any matter which is dealt with by the National Intelligence Service or which relates to the functions of that Service or to the relationship existing between any person and that Service.
|
| 47 |
+
|
| 48 |
+
(2)In this Act, unless the context otherwise indicates
|
| 49 |
+
(a) any reference to the disclosing or receiving of anything includes a reference to the disclosing or receiving of any part or the substance, effect or description thereof;
|
| 50 |
+
(b) any reference to the obtaining or retaining of anything includes a reference to the obtaining or retaining of any part or the copying or causing to be copied of the whole or any part thereof, whether by photography or otherwise;
|
| 51 |
+
(c) any reference to the disclosing of anything includes a reference to the transmission or transfer thereof; and
|
| 52 |
+
(d)any reference to any offence or prosecution under any provision of this Act includes a reference to an offence or a prosecution under the provisions of section 18 of the Riotous Assemblies Act,1956(Act No.17 of 1956), read with the relevant provisions of this Act.
|
| 53 |
+
|
| 54 |
+
[Prohibition of certain acts in relation o prohibited places]
|
| 55 |
+
2. Any person who approaches, inspects, passes over, is in the neighbourhood of or enters any prohibited place for any purpose prejudicial to the security or interests of the Republic, shall be guilty of an offence and liable on conviction to imprisonment for a period not exceeding 20 years.
|
| 56 |
+
|
| 57 |
+
[Prohibition of obtaining and disclosure of certain information]
|
| 58 |
+
3. Any person who, for purposes of the disclosure thereof to any foreign State or to any agent, or to any employee or inhabitant of, or any organization, party, institution, body or movement in, any foreign State, or to any hostile organization or to any office-bearer, officer, member or active supporter of any hostile organization—
|
| 59 |
+
(a) obtains or receives any secret official code or password or any document, model, article or information used, kept, made or obtained in any prohibited place; or
|
| 60 |
+
(b) prepares, compiles, makes, obtains or receives any document, model, article or information relating to
|
| 61 |
+
(i) any prohibited place or anything in any prohibited place, or to armaments; or
|
| 62 |
+
(ii) the defence of the Republic, any military matter, any security matter or the prevention or combating of terrorism; or
|
| 63 |
+
(iii) any other matter or article, and which he knows or reasonably should know may directly or indirectly be of use to any foreign State or any hostile organization and which, for considerations of the security or the other interests of the Republic, should not be disclosed to any foreign State or to any hostile organization,
|
| 64 |
+
shall be guilty of an offence and liable on conviction to the penalty prescribed in section 2.
|
| 65 |
+
|
| 66 |
+
[Prohibition of disclosure of certain information.]
|
| 67 |
+
4.(1) Any person who has in his possession or under his control or at his disposal
|
| 68 |
+
(a) any secret official code or password; or
|
| 69 |
+
(b)any document, model, article or information
|
| 70 |
+
(i)which he knows or reasonably should know is kept, used, made or obtained in a prohibited place or relates to a prohibited place, anything in a prohibited place, armaments, the defence of the Republic, a military matter, a security matter or the prevention or combating of terrorism;
|
| 71 |
+
(ii) which has been made, obtained or received in contravention of this Act;
|
| 72 |
+
(iii) which has been entrusted in confidence to him by any person holding office under the Government;
|
| 73 |
+
(iv) which he has obtained or to which he has, had access by virtue of his position as a person who holds or has held office under the Government, or as a person who holds or has held a contract made on behalf of the Government, or a contract the performance of which takes place entirely or partly in a prohibited place, or as a person who is or has been employed under a person who holds or has held such office or contract, and the secrecy of which document, model, article or information he knows or reasonably should know to be required by the security or the other interests of the Republic, or
|
| 74 |
+
(v)of which he obtained possession in any manner and which document, model, article or information he knows or reasonably should know has been obtained by any other person in any of the ways referred to in paragraph (iii) or (iv) and the unauthorized disclosure of such document, model, article or information by such other person he knows
|
| 75 |
+
35 or reasonably should know will be an offence under this Act, and who
|
| 76 |
+
(aa) discloses such code, password, document, model, article or information to any person other than a person to whom he is authorized to disclose it or to whom it may lawfully be disclosed or to whom, in the interests of the Republic, it is his duty to disclose it;
|
| 77 |
+
(bb) publishes or uses such code, password, document, model, article or information in any manner or for any
|
| 78 |
+
45 purpose which is prejudicial to the security or interests of the Republic;
|
| 79 |
+
(cc) retains such code, password, document, model, article or information when he has no right to retain it or when it is contrary to his duty to retain it, or neglects or fails to comply with any directions issued by lawful authority with regard to the return or disposal thereof; or
|
| 80 |
+
(dd) neglects or fails to take proper care of such code, password, document, model, article or information, or so to conduct himself as not to endanger the safety thereof,
|
| 81 |
+
|
| 82 |
+
shall be guilty of an offence and liable on conviction to a fine not exceeding R10 000 or to imprisonment for a period not exceeding 10 years or to both such fine and such imprisonment, or, if it is proved that the publication or disclosure of such secret official code or password or of such document, model, article or information took place for the purpose of its being disclosed toa foreign State or to a hostile organization, to the penalty prescribed in section 2.
|
| 83 |
+
|
| 84 |
+
(2) Any person who receives any secret official code or password or any document, model, article or information, knowing or having reasonable grounds to believe, at the time when he receives it, that such code, password, document, model, article or information is being disclosed to him in contravention of the provisions of this Act, shall, unless he proves that the disclosure thereof to him was against his wish, be guilty of an offence and 5 liable on conviction to a fine not exceeding R10 o00 or to imprisonment for a period not exceeding 10 years or to both such fine and such imprisonment.
|
| 85 |
+
|
| 86 |
+
[Prohibition of certain acts prejudicial to security or interests of Republic.]
|
| 87 |
+
5.
|
| 88 |
+
(1) Any person who, for the purpose of gaining or assisting any other person to gain admission to any prohibited place, or for any other purpose prejudicial to the security or interests of the Republic
|
| 89 |
+
(a) without lawful authority uses or wears any military, police or other official uniform of the Republic, or any uniform worn by a person employed at or in a prohibited place, or any uniform so closely resembling any of the said uniforms as to be calculated to deceive, or falsely represents himself to be a person who is or has been entitled to use or wear any such uniform;
|
| 90 |
+
(b) orally or in writing in any declaration or application, or in any document signed by him or on his behalf, knowingly makes any false statement or omits any relevant fact;
|
| 91 |
+
(c) forges, alters or tampers with any passport or any official pass, permit, certificate, licence or other similar document (hereinafter in this section referred to as an official document), or uses or has in his possession any forged, altered or irregular official document;
|
| 92 |
+
(d) impersonates or falsely represents himself to be a person holding, or in the employment of a person holding, office under the Government, or to be or not to be a person to whom an official document or a secret official code or password has been duly issued or disclosed, or, with intent to obtain an official document or any secret official code or password, whether for himself or for any other person, knowingly makes any false statement; or
|
| 93 |
+
(e) uses or has in his possession or under his control, without lawful authority, any official die, seal or stamp of the Republic or any die, seal or stamp so closely resembling any such official die, seal or stamp as to be calculated to deceive, or counterfeits any such official die, seal or stamp, or uses or has in his possession or under his control any such counterfeited die, seal or stamp,
|
| 94 |
+
|
| 95 |
+
shall be guilty of an offence and liable on conviction to a fine not exceeding R5000 or to imprisonment for a period not exceeding five years or to both such fine and such imprisonment.
|
| 96 |
+
|
| 97 |
+
(2) Any person who
|
| 98 |
+
(a) retains for any purpose prejudicial to the security or interests of the Republic any official document, whether or not completed or issued for use, when he has no right to retain it or when it is contrary to his duty to retain it, or neglects or fails to comply with any directions issued by lawful authority with regard to the return or disposal thereof;
|
| 99 |
+
(b) allows any other person to have possession of any official document issued for his use alone, or without lawful authority or excuse has in his possession any official document or secret official code or password issued for the use of some person other than himself, or, on obtaining possession of any official document, whether by finding or otherwise, neglects or fails to hand it over to the person or authority by whom or for whose use it was issued or to a member of the South African Police or the South African Railway Police Force; or
|
| 100 |
+
(c) without lawful authority or excuse manufactures or sells, or has in his possession for sale, any die, seal or stamp referred to in paragraph (e) of subsection (1), shall be guilty of an offence and liable on conviction to the penalties prescribed in subsection (1).
|
| 101 |
+
|
| 102 |
+
[Obstructing persons on guard at prohibited places. ]
|
| 103 |
+
6. Any person who obstructs, knowingly misleads or otherwise interferes with any person engaged on guard, sentry, patrol or other similar duty in relation to any prohibited place shall be guilty of an offence and liable on conviction to a fine not exceeding R1000 or to imprisonment for a period not exceeding 12 months or to both such fine and such imprisonment.
|
| 104 |
+
|
| 105 |
+
|
| 106 |
+
[Harbouring or concealing certain persons and failing to report information relating to agents.
|
| 107 |
+
7. Any person who—
|
| 108 |
+
(a) knowingly harbours or conceals any person whom he knows or has reason to believe to be a person who is about to commit or who has committed an offence under this Act, or knowingly permits any such persons to meet or assemble in any premises in his occupation or under his control;
|
| 109 |
+
(b) having harboured or concealed any such person, or permitted such persons to meet or assemble in any premises in his occupation or under his control, wilfully omits or refuses to disclose to any member of the South African Police or the South African Railway Police Force any information it is in his power to give in relation to any such person; or
|
| 110 |
+
(c) knowing that any agent or any person who has been or is in communication with an agent, whether in the Re
|
| 111 |
+
30 public or elsewhere, is in the Republic, fails forthwith to report to any member of the South African Police or the South African Railway Police Force the presence of or any information it is in his power to give in relation to any such agent or person,
|
| 112 |
+
|
| 113 |
+
shall be guilty of an offence and liable on conviction to a fine not exceeding R1000 or to imprisonment for a period not exceeding 12 months or to both such fine and such imprisonment.
|
| 114 |
+
|
| 115 |
+
|
| 116 |
+
[Communication with agent proof of certain facts.]
|
| 117 |
+
8.
|
| 118 |
+
(1) If in any prosecution upon a charge under section 3, or upon a charge under section 4 (1) in connection with the publi40 cation or disclosure of a secret official code or password or a document, model, article or information as referred to in that section, it is proved that the accused
|
| 119 |
+
(a) has been in communication, or has attempted to communicate, with an agent in the Republic or elsewhere; or
|
| 120 |
+
(b) is an agent or is being or has been or is reasonably suspected of being or having been directly or indirectly used by a foreign or international body or institution, or has entered or is within the Republic in contravention of any law
|
| 121 |
+
|
| 122 |
+
it shall, unless the contrary is proved, be presumed that the document, model, article or information referred to in section 3 has been prepared, compiled, made, obtained or received, or the secret official code or password or the model, article, document or information referred to in section 4 (1) has been published or disclosed, as the case may be, for purposes of the disclosure thereof to a foreign State or to a hostile organization.
|
| 123 |
+
|
| 124 |
+
(2) For the purposes of subsection (1)-
|
| 125 |
+
(a) a person shall, unless he proves the contrary, be pre60 sumed to have been in communication with an agent if
|
| 126 |
+
(i) he has, in the Republic or elsewhere, visited the address of an agent or associated with an agent; or
|
| 127 |
+
(ii) in the Republic or elsewhere, the name or address of or any other information regarding an agent has been found in his possession or under his control, or has been supplied by him to any other person or has been obtained by him from any other person;
|
| 128 |
+
|
| 129 |
+
(b) any address, in the Republic or elsewhere, reasonably suspected to be an address used for the receipt of communications intended for an agent, or at which an agent resides, or to which he resorts for the purpose of giving or receiving communications, or at which he carries on any business, shall be deemed to be the address of an agent, and any person who addresses communications to such address shall be deemed to have been in communication with an agent.
|
| 130 |
+
|
| 131 |
+
[Proof that certain information may directly or indirectly be of use to foreign State or hostile organization.]
|
| 132 |
+
9.
|
| 133 |
+
If in any prosecution against any person for an offence under section 3 it is proved that he is an agent or that he is or has been or is reasonably suspected of being or having been directly or indirectly used by or on behalf of any foreign or international body or institution or that he has entered or is within the Republic in contravention of any law and that he has prepared, compiled, made, obtained or received any document, model, article or information other than that referred to in section 3 (a), or any document, model, article or information relating to a place, article or matter other than that referred to in section 3 (b) (i) or (ii),
|
| 134 |
+
|
| 135 |
+
it shall, unless the contrary is proved, be presumed that such document, model, article or information may directly or indirectly be of use to a foreign State or a hostile organization.
|
| 136 |
+
|
| 137 |
+
[Proof of purpose prejudicial to security or interests of Republic. ]
|
| 138 |
+
10.
|
| 139 |
+
(1) In any prosecution under this Act upon a charge of committing an act for a purpose prejudicial to the security or interests of the Republic, it shall, if, from the circumstances of the case or the conduct of the accused, it appears that his purpose was a purpose prejudicial to the security or interests of the Republic, be presumed, unless the contrary is proved, that the purpose for which that act has been committed, is a purpose prejudicial to the security or interests of the Republic.
|
| 140 |
+
|
| 141 |
+
(2) If in any prosecution under this Act upon a charge of publishing or disclosing any secret official code or password or any document, model, article or information for a purpose prejudicial to the security or interests of the Republic, it is proved that.
|
| 142 |
+
it was published or disclosed by any person other than a person acting under lawful authority, or by an agent or by a person who is or has been or is reasonably suspected of being or having been directly or indirectly used by any foreign or international body or institution or who has entered or is within the Republic in contravention of any law,
|
| 143 |
+
it shall, unless the contrary is proved, be presumed that the purpose for which it was published or disclosed is a purpose prejudicial to the security or interests of the Republic.
|
| 144 |
+
|
| 145 |
+
|
| 146 |
+
[Extra-territorial application of Act, and jurisdiction. ]
|
| 147 |
+
11.
|
| 148 |
+
(1) Any act constituting an offence under this Act and
|
| 149 |
+
50 which is committed outside the Republic by any South African citizen or any person domiciled in the Republic shall be deemed to have been committed also in the Republic.
|
| 150 |
+
(2) Any offence under this Act shall, for the purposes of determining the jurisdiction of a court to try the offence, be deemed to have been committed at the place where it actually was committed and also at any place where the accused happens to be.
|
| 151 |
+
|
| 152 |
+
|
| 153 |
+
[Authority of attorney-genera; required for institution of criminal proceedings.]
|
| 154 |
+
12. No trial or preparatory examination in respect of any offence under this Act, except any contravention of section 6, shall be instituted without the written authority of the attorney-general having jurisdiction in the area concerned.
|
| 155 |
+
|
| 156 |
+
[Criminal proceedings may take place behind closed doors.]
|
| 157 |
+
13. Any court may, if it appears to that court to be necessary for considerations of the security or the other interests of the Republic, direct that any trial or preparatory examination in respect of an offence under this Act, shall take place behind closed doors or that the general public or any section thereof shall not be present thereat, and if the court issues any such direction, the court shall have the same powers as those conferred upon a court by section 154 (1) of the Criminal Procedure Act, 1977 (Act No. 51 of 1977),and the provisions of subsections (1),(4) L0 and (5) of the said section 154 shall apply *mutatis mutandis*.
|
| 158 |
+
|
| 159 |
+
|
| 160 |
+
[Prohibited places and hostile organizations.]
|
| 161 |
+
14. The State President may, for the purposes of this Act, by proclamation in the *Gazette* declare-—
|
| 162 |
+
(a) any place or area to be a prohibited place if he is satisfied that information with respect to that place or area, or the loss, damage, disruption or immobilization thereof could be of use to a foreign State or a hostile organization; or
|
| 163 |
+
(b) any association of persons, movement or institution outside the Republic to be a hostile organization if he is satisfied that that association of persons, movement or institution incites, instigates, commands, aids, advises, encourages or procures any person in the Republic or elsewhere to commit in the Republic an act of violence for any purpose prejudicial to the security or interests of the Republic,
|
| 164 |
+
|
| 165 |
+
and may in like manner at any time repeal or amend any such proclamation.
|
| 166 |
+
|
| 167 |
+
[Repeal of laws.]
|
| 168 |
+
15. The laws specified in the Schedule are hereby repealed to 1 the extent set out in the third column of the Schedule.
|
| 169 |
+
|
| 170 |
+
|
| 171 |
+
[Short title.]
|
| 172 |
+
16. This Act shall be called the Protection of Information Act, 1982.
|
| 173 |
+
|
| 174 |
+
|
| 175 |
+
# Schedule
|
| 176 |
+
|
| 177 |
+
LAWS REPEALED
|
| 178 |
+
<html><body><table><tr><td>No. and year of law</td><td>Title</td><td>Extent of repeal</td></tr><tr><td>Act No. 16 of 1956...</td><td>Official Secrets Act, 1956</td><td>The whole.</td></tr><tr><td>Act No. 65 of 1956.</td><td>Official Secrets Amendment Act, 1956.</td><td>The whole.</td></tr><tr><td>Act No. 7 of 1958</td><td>Police Act, 1958</td><td>Section 27C.</td></tr><tr><td>Act No. 101 of 1969.</td><td>General Law Amendment Act, 1969</td><td>Sections 10, 11 and 12.</td></tr><tr><td>Act No. 102 of 1972.</td><td>General Law Amendment Act, 1972</td><td>Section 10.</td></tr></table></body></html>
|
dataset/data/docs/Signed - MIOS CATALOGUE OF STANDARDS.pdf-d1383b54-4c4e-4722-bd01-16a3b8e9899f.md
ADDED
|
@@ -0,0 +1,116 @@
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1 |
+
# Catalogue of Standards to the MINIMUM INTEROPERABILITY STANDARDS (MIOS) 6
|
| 2 |
+
|
| 3 |
+
Catalogue 1 of 2017
|
| 4 |
+
|
| 5 |
+
November 2017
|
| 6 |
+
|
| 7 |
+
11
|
| 8 |
+
1
|
| 9 |
+
|
| 10 |
+
# APPROVAL
|
| 11 |
+
|
| 12 |
+
I, the undersigned -
|
| 13 |
+
|
| 14 |
+
In terms of the Public Service Act, 1994 (Proclamation 103 of 1994 ) sections 3(1)(f) and 3(1)(g) regarding electronic government norms and standards and the Public Service Regulations, 2016 Chapter 6, regulation 97, regarding interoperability standards, I hereby approve the Catalogue of Standards in support of the Minimum Interoperability Standard (MiOs) for Government Information Systems version 6. These standards have been developed by a Specialist Task Team, in consultation with the Government information and Technology Officers Council (GITOC).
|
| 15 |
+
|
| 16 |
+
This Catalogue of Standards to MlOs will be reviewed and updated on an annual basis to keep it relevant and up to date.
|
| 17 |
+
|
| 18 |
+
This Catalogue of Standards to MlOs Version 6.00 supersedes and replaces all previous versions thereof and must be complied with in terms of the relevant legislation.
|
| 19 |
+
|
| 20 |
+
Take note that the Catalogue augments the MlOS Framework Document and as such this document must always be read in conjunction with the MiOs Framework.
|
| 21 |
+
|
| 22 |
+

|
| 23 |
+
|
| 24 |
+
MS F. MUTHAMBI, MP MINISTER FOR THE PUBLIC SERVICE AND ADMINISTRATION DATE: $2018\cdot02\cdot06$
|
| 25 |
+
|
| 26 |
+
# PUBLICATIONENQUIRIES
|
| 27 |
+
|
| 28 |
+
The "Catalogue of Standards to the Minimum Interoperability Standards (MiOS)" for Government Information Systems is developed by the State Information Technology Agency (SITA): Norms Standards and Quality Department in consultation with the GITOC, SC-AGC and appointed MIOS Update Task Team.
|
| 29 |
+
|
| 30 |
+
Enquiries can be directed to:
|
| 31 |
+
|
| 32 |
+
Office of the Government Chief Information Office Department of Public Service and Administration Batho Pele House, 546 Edmond Street, Arcadia Pretoria, South Africa.
|
| 33 |
+
|
| 34 |
+
This document will be made available on the DPSA websitewww.dpsa.gov.za
|
| 35 |
+
|
| 36 |
+
This document is also available on the DPSA website (http://www.dpsa.gov.za)
|
| 37 |
+
|
| 38 |
+
# COPYRIGHT, TRADEMARKS AND INTELLECTUAL PROPERTY
|
| 39 |
+
|
| 40 |
+
Some ot the standards, acronyms and terms that are referenced in this publication and the related addenda or catalogue are protected by copyright and/or intellectual property rights. The omission of the rightful copyright and/or intellectual property right owners' information from this document is merely intended to simplify the structure of the document.
|
| 41 |
+
|
| 42 |
+
I his document, in part or in whole, may be freely used on condition that the source is auoted.
|
| 43 |
+
|
| 44 |
+
# CONTENTS
|
| 45 |
+
|
| 46 |
+
. Overview ..... 5
|
| 47 |
+
1.1 Standards Development Organisatons.. 5
|
| 48 |
+
1.2 Catalogue of MlOs Standards. 7
|
| 49 |
+
1.3 Hardware Infrastructure Considerations... 14
|
| 50 |
+
Innex A: Abbreviations... \*\*\* 16
|
| 51 |
+
|
| 52 |
+
# OVERVIEW
|
| 53 |
+
|
| 54 |
+
1. This document, known as the "Catalogue of Standards to MlOs" is irrevocably linked to the prescripts, guidelines and principles of the latest approved “MiOs Framework".
|
| 55 |
+
2. This section of the MlOS defines the minimum set of open standards that are necessary to achieve the minimum level of interoperability across e-Government systems, and cites the standards development organisations from where these standards can be obtained.
|
| 56 |
+
|
| 57 |
+
3. The list of interoperability standards is divided into two sections:
|
| 58 |
+
|
| 59 |
+
(a) Public Sector Records and Data Standards, which must be used to achieve interoperability (data exchange) among e-Government information systems (IS); and
|
| 60 |
+
(b) Technical lnteroperability Standards, which must be used to achieve the required level of interoperability (i.e. network connectivity, data exchange protocols and interfaces, and uniform data access and presentation) across government ICT infrastructure.
|
| 61 |
+
|
| 62 |
+
The following convention is used in the respective standards tables:
|
| 63 |
+
|
| 64 |
+
P "Ref" $\mathbf{\sigma}=\mathbf{\sigma}$ Unique MiOs Reference Number of the standard. "Provider" means the Standards Development Organisation (SDO) who is either the owner or custodian of the interoperability standard as the case may be. Text in square brackets [] denotes the Standard Reference Number as allocated by the SdO. Text in braces / curly brackets [} denotes a guideline or constraint on the implementation of the standard.
|
| 65 |
+
|
| 66 |
+
# 1.1 STANDARDS DEVELOPMENT ORGANISATIONS
|
| 67 |
+
|
| 68 |
+
The following Standards Development Organisations (SDOs) are cited in the MiOS. SDOs marked with an asterisk $(^{*})$ indicate that the standards are available from their respective web sites (Uniform Resource Locators (URL)).
|
| 69 |
+
|
| 70 |
+
<html><body><table><tr><td>SDO</td><td>Description</td><td>Uniform Resource Locator (URL)</td></tr><tr><td>ADL*</td><td>Advanced Distributed Learning</td><td>http://www.adlnet.gov</td></tr><tr><td>ANSI</td><td>American National Standards Institute</td><td>http://www.ansi.org</td></tr><tr><td>ECMA</td><td>ECMA International- European association http://www.ecma-international.org for standardizing information and communication systems (formerly known as "European Computer Manufacturers Association")</td><td></td></tr><tr><td>ETSI</td><td>European Telecommunications Standard Institute</td><td>http://www.etsi.org</td></tr></table></body></html>
|
| 71 |
+
|
| 72 |
+
<html><body><table><tr><td>NIST</td><td>National Institute of Standards and Technology [USA]: Federal Information Processing Standards</td><td>http://www.itl.nist.gov/fipspubs</td></tr><tr><td>IEEE</td><td>Institute of Electrical and Electronics Engineers</td><td>http://www.ieee.org</td></tr><tr><td>IETF *</td><td>Internet Engineering Task Force</td><td>http://www.ietf.org</td></tr><tr><td>ISO</td><td>International Organisation for Standardization</td><td>http://www.iso.org</td></tr><tr><td>ITU</td><td> International Telecommunication Union</td><td>http://www.itu.int</td></tr><tr><td>OAI *</td><td>Open Archives Initiative</td><td>http://www.openarchives.org</td></tr><tr><td>:OASIS *</td><td>Organization for the Advancement of Structured Information Standards</td><td>http://www.oasis-open.org</td></tr><tr><td>OCLC</td><td>Online Computer Library Center</td><td>http://www.oclc.org</td></tr><tr><td>OGC *</td><td>Open Geospatial Consortium</td><td>http://www.opengeospatial.org</td></tr><tr><td>OMA</td><td>Open Mobile Alliance</td><td>http://www.openmobilealliance.org</td></tr><tr><td>OMG *</td><td>Object Management Group@</td><td>http://www.omg.org</td></tr><tr><td>PKWARE</td><td>PKWARE? Inc, open standard for compressed file format, ZIP)</td><td>http://www.pkware.com</td></tr><tr><td>SABS</td><td>South African Bureau of Standards (SDO forhttp://www.sabs.co.za South African National Standards (SANS))</td><td></td></tr><tr><td>W3C *</td><td>World Wide Web Consortium</td><td>http://www.w3c.org</td></tr><tr><td>WHO *</td><td>World Health Organisation</td><td>http://www.who.int</td></tr></table></body></html>
|
| 73 |
+
|
| 74 |
+
# 1.2 CATALOGUE OF MIOS STANDARDS
|
| 75 |
+
|
| 76 |
+
Please Note: All quoted RFC standards include their relevant updates.
|
| 77 |
+
|
| 78 |
+
<html><body><table><tr><td>Ref</td><td>Component</td><td>Interoperability Standards and Identifier</td><td>Provider</td></tr><tr><td>C01 Data Standards</td><td colspan="3"></td></tr><tr><td>C01.01</td><td>Disease Codes</td><td>10th Revision [ICD-10] International Statistical Classification of Diseases and Related Health Problems,</td><td>WHO</td></tr><tr><td>C01.02</td><td>Health Image Records</td><td>Digital Imaging and Communications in Medicine [ISO 12502]</td><td>ISO/IEC</td></tr><tr><td>C01.03</td><td>Management System e-Learning / Learning</td><td>(SCORM) v1.2, Oct 2001 Sharable Content Object Reference Model SCORM</td><td></td></tr><tr><td>C02</td><td colspan="3">Interconnection Standards and Specifications</td></tr><tr><td>C02.01</td><td> Web Transport</td><td>Hypertext Transfer Protocol (HTTP/1.1) [RFC 7230- RFC 7237] Upgrading to TLS Within HTTP/1.1 (HTTPS)IETF</td><td>ETF</td></tr><tr><td>C02.02</td><td>e-Mail Transport</td><td>[RFC2817] Simple Mail Transfer Protocol (SMTP) [RFC 5321]</td><td>IETF</td></tr><tr><td></td><td> C02.03 Internet Message Format</td><td>Internet Message Format (IMF)[RFC 5322]</td><td>IETF</td></tr><tr><td></td><td></td><td>Multipurpose Internet Mail Extensions (MIME) [RFC 2045 -RFC 2047, RFC 4289] The Model Primary Content for Multipurpose Internet Mail Extensions</td><td>IETF IETF</td></tr><tr><td>C02.04</td><td>Mailbox Access</td><td>[RFC 2077] v4.1) [RFC 3501] Internet Message Access Protocol (IMAP Post Office Protocol Version 3 (POP3)</td><td>IETF</td></tr><tr><td>C02.05</td><td>Directory</td><td>[RFC 1939] x.500 [ISO 9594-1]</td><td>IETF ISO/IEC</td></tr><tr><td></td><td></td><td>Lightweight Directory Access Protocol (LDAP) [RFC 4510- RFC 4519]</td><td>IETF</td></tr><tr><td>C02.06</td><td>: Domain Name System</td><td>Domain Name System (DNS) [RFC 1032 - RFC 1035]</td><td>IETF</td></tr></table></body></html>
|
| 79 |
+
|
| 80 |
+
<html><body><table><tr><td></td><td></td><td>Domain Name System Security (DNSSec) [RFC 4033 - RFC 4035]</td><td>IETF</td></tr><tr><td></td><td rowspan="4">C02.07File Transfer Protocols</td><td>File Transfer Protocol (FTP) [RFC 959]</td><td>IETF</td></tr><tr><td></td><td>Firewall-Friendly FTP [RFC 1579]</td><td>IETF</td></tr><tr><td></td><td>FTP Extensions for IPv6 and NATs [RFC 2428] The Secure Shell (SSH) Transport Layer</td><td>IETF</td></tr><tr><td>Protocol Secure Copy (SCP) (OpenBSD Reference</td><td>[RFC 4253]</td><td></td></tr><tr><td></td><td>C02.08LAN/WAN Interworking</td><td colspan="2">Implementation) Internet Protocol v4 (IPv4) [RFC 791] 1ETF</td></tr><tr><td></td><td></td><td>Internet Protocol v6 (IPv6)[RFC 2460]</td><td>IETF</td></tr><tr><td></td><td>C02.09Network Management Protocol Transport</td><td>Simple Network Management Protocol (SNMP) [RFC 3411- RFC 3418]</td><td>IETF</td></tr><tr><td>C02.10</td><td></td><td>Transmission Control Protocol (TCP) [RFC 793] A Roadmap for Transmission Control</td><td>IETF</td></tr><tr><td></td><td></td><td>Protocol (TCP) Specification Documents [RFC 7414]</td><td>IETF</td></tr><tr><td>C03</td><td>Data Interoperability Standards and Specifications</td><td>User Datagram Protocol (UDP) [RFC 768]</td><td>IETF</td></tr><tr><td>C03.01</td><td colspan="3">Metadata / MetaLanguageeXtensible Markup Language (XML 1.0)</td></tr><tr><td>C03.02</td><td>XML Metadata Definition</td><td> XML Schema: Part 1: Structure Second</td><td>W3C W3C</td></tr><tr><td></td><td></td><td>Edition XML Schema: Part 2: Data types Second</td><td></td></tr><tr><td></td><td></td><td>Edition OR</td><td>W3C</td></tr><tr><td>C03.03</td><td></td><td>Regular Language for XML Next Generation ISO/IEC (RelaxNG) [ISO 19757]</td><td></td></tr><tr><td></td><td>XML Metadata Transformation</td><td> Extensible Stylesheet (XSL 1.1)</td><td>W3C</td></tr><tr><td>C03.04</td><td> XML Data Query</td><td>XPath 2.0</td><td>W3C</td></tr><tr><td>C03.05</td><td>XML 
Signature</td><td>XML Signature Syntax and Processing (Second Edition)</td><td>W3C</td></tr></table></body></html>
|
| 81 |
+
|
| 82 |
+
<html><body><table><tr><td></td><td></td><td>XML Digital Signatures (XML-DSIG)</td><td>W3C</td></tr><tr><td></td><td>C03.06 XML Security Markup</td><td>v2.0) Security Assertion Markup Language (SAML W3C</td><td></td></tr><tr><td></td><td>C03.07Public Key Infrastructure</td><td>Internet x.509 Public Key Infrastructure i Certificate and Certificate Revocation List (CRL) Profile (X.509 v3) [RFC 5280]</td><td>IETF</td></tr><tr><td>C03.08</td><td>Minimum Interoperable Character Set</td><td>Transformation Format - 8 bit UTF-8, by case basis [RFC 3629] individual items in the XML Schema may be further restricted in character set on a case</td><td>IETF</td></tr><tr><td>C03.09</td><td>Language</td><td>Modelling and Description Unified Modelling Language (UML 2.1.1)</td><td>UML</td></tr><tr><td></td><td>C03.10Ontology Based Information Exchange</td><td>Abstract Syntax (OWL) Web Ontology Language Semantics and</td><td>W3C</td></tr><tr><td>C03.11</td><td>:Model Exchange</td><td>XML MetaData Interchange (XMI v2.1)</td><td>OMG</td></tr><tr><td>C03.12</td><td> Language</td><td>(BPMN v1.1) Business Process Modelling Business Process Model and Notation</td><td>OMG</td></tr><tr><td>C03.13</td><td>Business Function Modelling Language</td><td>Information Processing Standard [FIPS PUB 183] Integrated Definition Language and Function Modelling (IDEF-0) - Federal</td><td>IDEF</td></tr><tr><td>C03.14</td><td>Data : Form Representation and</td><td> XForms 2.0</td><td>W3C</td></tr><tr><td>C03.15</td><td>Geospatial Data</td><td>Geospatial Markup Language (GML) as defined by Open Geographic Council Geospatial Markup Language (GML)</td><td>OGC</td></tr><tr><td>C03.16</td><td> Cadastre and Addressing</td><td>[ISO 19136:2007] Geographic Information - Address Standard, Part 1: Data Format of Addresses</td><td>ISO/IEC SABS</td></tr><tr><td></td><td></td><td>[SANS 1883-1] Geographic Information - Address</td><td>SABS</td></tr><tr><td>CO4 Standards for Web Service</td><td></td><td>allocation and 
updates [SANS 1883-3] Standard, Part 3: Guidelines for address</td><td></td></tr><tr><td colspan="6">C04.01 Web Service Request</td></tr><tr><td></td><td>Delivery</td><td>(Second Edition) Simple Object Access Protocol SOAP v1.2</td><td>:W3C</td></tr><tr><td></td><td>C04.02Web Service Request Registry</td><td>Integration (UDDI) Universal Description, Discovery and</td><td>UDDI</td></tr><tr><td>C04.03</td><td>Web Service Request</td><td> Web Services Description Language (WSDL</td><td>W3C</td></tr></table></body></html>
|
| 83 |
+
|
| 84 |
+
<html><body><table><tr><td colspan="4">2.0) Language</td></tr><tr><td>CO5</td><td colspan="3">Standards and Specifications for Information Access</td></tr><tr><td></td><td>C05.01Hypertext Interchange Formats</td><td>Hypertext Markup Language 5 (HTML v5)</td><td>W3C</td></tr><tr><td>C05.02</td><td>Working Office Document Formats</td><td>UTF-8/ASCIl Formatted Text [RFC 3629] Open Document Format for Office Applications (ODF) [ISO 26300 Part 1- 3]</td><td>IETF ISO/IEC</td></tr><tr><td>C05.03</td><td>Document Formats for Presentation View</td><td>Comma-Separated Value (CSV) [RFC 4180] (XHTML v1.0) (in use for HTML 4) The Extensible Hypertext Markup Language W3C</td><td>1ETF</td></tr><tr><td>C05.04</td><td> Relational DB Access</td><td>[ISO 32000-1:2008] Portable Document Format (PDF v1.7)</td><td>ISO/IEC</td></tr><tr><td>C05.05</td><td> Character Sets and</td><td>Structure Query Language (SQL) 2011 [ISO 9075:2011] Universal Multiple-Octet Coded Character</td><td>ISO/IEC</td></tr><tr><td>C05.06</td><td>Alphabets Graphical/Still Information JPEG - Digital compression and coding of</td><td>Set (UCS) - Part 1: Architecture and Basic Multilingual Plane [ISO 10646-1]</td><td>ISO/IEC</td></tr><tr><td></td><td>Exchange</td><td>continuous-tone still images [ISO 10918 Part 1-6] Portable Network Graphics [ISO 15948]</td><td>ISO/IEC ISO/IEC</td></tr><tr><td>C05.07</td><td>Multimedia Audio/Visual Content</td><td>Tag Image File Format (.tif) (For images that will not tolerate information loss (TIFF</td><td></td></tr><tr><td rowspan="5"></td><td rowspan="5"></td><td>6.0) MPEG-1 (Coding of moving pictures and</td><td>ISO/IEC</td></tr><tr><td>associated audio for digital storage media at up to about 1.5 Mbit/s - Part3: Audio) [ISO 11172-3]</td><td></td></tr><tr><td>Pictures and Associated Audio Information: Part 1 - Part 3) [ISO 13818-1, ISO 13818-2, ISO 13818-3] MPEG-2 (Generic Coding of Moving</td><td>ISO/IEC</td></tr><tr><td>H.264 [ISO 14496-10] MPEG-4 Part 10, Advanced Video Coding 
/</td><td>ISO/IEC</td></tr><tr><td>OGG [https://ww.xiph.org/ogg] The OGG Encapsulation Format Version O</td><td>XIPH HETF</td></tr></table></body></html>
|
| 85 |
+
|
| 86 |
+
<html><body><table><tr><td rowspan="8"></td><td colspan="2">[RFC 3533]</td></tr><tr><td>OGG Media Types [RFC 5334]</td><td>XIPH</td></tr><tr><td>Container)</td><td>VORBIS (Audio Codec. Used with the OGG XIPH</td></tr><tr><td>THEORA (Video Codec. Used with the OGGXIPH Container)</td><td></td></tr><tr><td>WebM Multimedia Container Guidelines</td><td>WebM</td></tr><tr><td>VP8 Data Format and Decoding Guide (forIETF use within WebM) [RFC 6386]</td><td></td></tr><tr><td>OPUS (Definition of the Opus Audio Codec)IETF [RFC 6716]</td><td></td></tr><tr><td>C05.08 Browser Scripting</td><td>JavaScript (ECMAScript Language Specification) [ECMA 262]</td><td>ECMA</td></tr><tr><td>C05.09 Internet Conferencing C05.10 File Compression</td><td>Session Initiation Protocol (SIP) [RFC 3261]IETF</td><td></td></tr><tr><td rowspan="4"></td><td>TAR [POSIX.1-2001]</td><td>IEEE</td></tr><tr><td>GZIP (DEFLATE Compressed Data Format Specification version 1.3) [RFC 1951]</td><td>IETF</td></tr><tr><td>GZIP (GZIP File Format Specification version 4.3) [RFC 1952]</td><td>: IETF</td></tr><tr><td>ZIP v6.3.4 (.zip File Format Specification)</td><td>PKWARE</td></tr><tr><td>C05.11 C06</td><td>Web Accessibility for the Web Content Accessibility Guidelines Visually Impaired (WCAG 2.0)</td><td>W3C</td></tr><tr><td colspan="3">Standards for Content Management Metadata C06.01 Content Management</td></tr><tr><td></td><td>Metadata Elements and Refinements</td><td>Dublin Core (The Dublin Core Metadata Element Set) [ISO 15836]</td><td>ISO/IEC</td></tr><tr><td>C06.02 C06.03</td><td>Content Management Interoperability Metadata Harvesting</td><td>Content Management Interoperability Services (CMIS) Open Archives Initiative Protocol for</td><td>OASIS</td></tr><tr><td>C06.04</td><td>Content Syndication</td><td>Metadata (OAI-PMH) Resource Description Framework (RDF) Site W3C</td><td>OAI</td></tr><tr><td></td><td></td><td>Summary (RSS) Version 1.0 (RSS-Dev Working Group)</td><td></td></tr></table></body></html>
|
| 87 |
+
|
| 88 |
+
<html><body><table><tr><td colspan="3"> Really Simple Syndication (RSS) Version 2.0</td></tr><tr><td>C06.05</td><td>Content Sensitive Linking</td><td>(RSS 2.0) (Berkman Center at Harvard Law School The OpenURL Framework for Context- ANSI/NISO</td></tr><tr><td>C06.06</td><td>Distributed Searching</td><td>Sensitive Services [z39.88] Information Retrieval: Application Service ANSI/NISO Definition and Protocol Specification</td></tr><tr><td></td><td>[z39.50] [SRU v2.0]</td><td>Search Retrieval via URL (SRU version 1.2) SRU</td></tr><tr><td>C07 Standards for ldentifiers</td><td colspan="2"></td></tr><tr><td>C07.01</td><td>Persistent and Unique Syntax for the Digital Object Identifier Logical ldentifiers [ANSI z39.84]</td><td>ANSI</td></tr><tr><td>C08</td><td colspan="2">Standards for Mobile Phones</td></tr><tr><td>C08.01 C08.02</td><td>WAP Specifications WAP 2.0 GPRS</td><td>OMA The General Packet Radio Service ETSI</td></tr><tr><td></td><td></td><td>Specifications for Mobile Stations [EN 301 113, EN 301 344, EN 301 347, TS 101 297, TS 101 351]</td></tr><tr><td>C08.03 SMS</td><td>ETS 300 560]</td><td>The Short Message Service Specifications ETSI for Mobile Stations [ETS 300 536, ETS 300 537, ETS 300 559,</td></tr><tr><td>C08.04</td><td>MMS</td><td>The Multimedia Messaging Service ETSI Specifications for Mobile Stations [TS 122 140, TS 123 140, TS 126 140]</td></tr><tr><td colspan="3">c09 Standards for Biometric Data Interchange OASIS XCBF 1.1 Specification</td></tr><tr><td>C09.01</td><td>Secure XML Encoding for Exchanging Biometric Data</td><td>OASIS OASIS XCBF 1.1, Secure XML encodings for NISTIR the patron formats specified in CBEFF, the Common Biometric Exchange File Format [NISTIR 6529]</td></tr><tr><td>C09.02</td><td> Data Element Specification</td><td>Common Biometric Exchange Formats Framework - Part 1: Data Element Specification [ISO 19785-1]</td><td> ISO/IEC</td></tr><tr><td>C09.03</td><td>Interchange Format Framework</td><td>Information Technology Biometric 
Data Interchange Formats - Part 1: Framework [ISO 19794-1]</td><td>ISO/IEC</td></tr><tr><td></td><td>C09.04 Interchange Formats for Finger Minutiae Data</td><td>Information Technology Biometric Data Interchange Formats - Part 2: Finger</td><td>ISO/IEC</td></tr></table></body></html>
|
| 89 |
+
|
| 90 |
+
<html><body><table><tr><td></td><td></td><td>Minutiae Data [ISO 19794-2]</td><td></td></tr><tr><td></td><td>C09.05 Interchange Formats for Finger Pattern Spectral</td><td>Information Technology Biometric Data Interchange Formats- Part 3: Finger Pattern Spectral [ISO 19794-3]</td><td>ISO/IEC</td></tr><tr><td>C09.06</td><td>Interchange Formats for Finger Image Data</td><td>Information Technology Biometric Data Interchange Formats - Part 4: Finger Image Data [ISO 19794-4]</td><td>ISO/IEC</td></tr><tr><td>C09.07</td><td>Interchange Formats for Face Image Data</td><td>Information Technology Biometric Data Interchange Formats - Part 5: Face Image Data [1SO 19794-5]</td><td>ISO/IEC</td></tr><tr><td>C09.08</td><td>Interchange Formats for Signature/Sign Behaviour Data</td><td>Information Technology Biometric Data Interchange Formats - Part 7: Signature/Sign Behaviour [ISO 19794-7]</td><td>ISO/IEC</td></tr><tr><td>C10 C10.01</td><td colspan="3">System Security e-Mail Security</td></tr><tr><td rowspan="4"></td><td rowspan="4"></td><td>Cryptographic Message Syntax [RFC 5652]</td><td>IETF</td></tr><tr><td>Cryptographic Message Syntax Algorithms IETF [RFC 3370]</td><td></td></tr><tr><td>Diffie-Hellman Key Agreement Method [RFC 2631] Secure/Multipurpose Internet Mail</td><td>IETF</td></tr><tr><td>Extensions (S/MIME) Version 3.2 Certificate Handling [RFC 5750] Secure/Multipurpose Internet Mail</td><td>IETF IETF</td></tr><tr><td rowspan="4">C10.02</td><td rowspan="4">IP Security</td><td>Extensions (S/MiME) Version 3.2 Message Specification [RFC 5751] Security Architecture for the Internet</td><td>IETF</td></tr><tr><td>Protocol (Internet Protocol Security (IPSec)) [RFC 4301]</td><td></td></tr><tr><td>IP Authentication Header [RFC 4302] Cryptographic Algorithm Implementation</td><td>IETF</td></tr><tr><td>Requirements and Usage Guidance for Encapsulating Security Payload (ESP) and Authentication Header (AH) [RFC 7321]</td><td>IETF</td></tr><tr><td></td><td>IP Encapsulation 
Security</td><td>IP Encapsulating Security Payload (ESP) [RFC 4303] Cryptographic Algorithm Implementation</td><td>IETF IETF</td></tr></table></body></html>
|
| 91 |
+
|
| 92 |
+
<html><body><table><tr><td></td><td></td><td>Requirements and Usage Guidance for Encapsulating Security Payload (ESP) and Authentication Header (AH) [RFC 7321]</td><td></td></tr><tr><td>C10.04 C10.05</td><td>Transport Security Encryption Algorithms</td><td>The Transport Layer Security (TLS) Protocol IETF [Version 1.2 [RFC 5246] Advanced Encryption Standards (AES)</td><td>SABS</td></tr><tr><td rowspan="4"></td><td></td><td>(Information Technology -- Security Techniques -- Encryption Algoriths Part 3: Block Ciphers) [SANS 18033-3] OR</td><td></td></tr><tr><td rowspan="3"></td><td>Advance Encryption Standard [FIPS PUB 197]</td><td>FIPS</td></tr><tr><td>TWOFISH [RFC 4880] RSA 2048 bit (Rivest, Shamir and Adleman) ISO/IEC</td><td>IETF</td></tr><tr><td>(Security Techniques - Encryption Algorithms Part 2: Asymmetric Ciphers) [ISO 18033-2] OR ECC 256 bit (Elliptic Curve Cryptography) ISO/IEC</td><td></td></tr><tr><td>C10.06</td><td>Hashing</td><td>Techniques based on Elliptic Curves) [ISO 15946] Secure Hash Algorithm IIl (SHA-Il) SHA-256,</td><td>: SABS</td></tr><tr><td>C10.07</td><td> Digital Signatures</td><td>or SHA-384 [SANS 18033-3 or ISO 10118-3]ISO/IEC Digital Signatures with Appendix: Part 1: General [SANS 14888-1] RSA-DSA (Rivest, Shamir and Adleman -</td><td>SABS SABS</td></tr><tr><td>C10.08</td><td> Key Management</td><td>Digital Signing Algorithm) [SANS 14888-2] OR EC-DSA (Ellyptic Curve- Digital Signing Algorithm [SANS 14888-3]</td><td>SABS</td></tr><tr><td>C10.09</td><td> Message Authentication</td><td>Security Techniques - Key Management: Part 3: Mechanisms using asymmetric techniques [SANS 11770-3:2009]</td><td>SABS</td></tr><tr><td></td><td></td><td>Message Authentication Code (MAC) with Block Cipher [SANS 9797-1] AND/OR Message Authentication Code (MAC) withSABS Hash Function [SANS 9797-2]</td><td>SABS</td></tr></table></body></html>
|
| 93 |
+
|
| 94 |
+
# 1.3 HARDWARE INFRASTRUCTURE CONSIDERATIONS
|
| 95 |
+
|
| 96 |
+
In Terms of Hardware Infrastructure,for reference to the relevant standards/specifications (which undergo their own certification processes), please refer to the following:
|
| 97 |
+
|
| 98 |
+
Personal Computing Devices
|
| 99 |
+
http://www.sita.co.za/Prod%20Cert/1%20PCs&Periph/Detail%20Spec%20PCs&Periph.xlsx
|
| 100 |
+
Peripherals
|
| 101 |
+
http://www.sita.co.za/Prod%20Cert/1%20PCs&Periph/Detail%20Spec%20PCs&Periph.xlsx
|
| 102 |
+
Servers and Storage
|
| 103 |
+
http://www.sita.co.za/Prod%20Cert/2%20Srv&Stor/Detail%20Spec%20Servers%20&%20Storage.xl
|
| 104 |
+
SX
|
| 105 |
+
Audio visual
|
| 106 |
+
http://www.sita.co.za/Prod%20Cert/3%20AVC/Detail%20Spec%20AVCT.xlsx
|
| 107 |
+
Networking
|
| 108 |
+
http://www.sita.co.za/Prod%20Cert/Networking/Detail%20Spec%20Networking.xlsx
|
| 109 |
+
Infrastructure
|
| 110 |
+
http://www.sita.co.za/Prod%20Cert/infra/Detail%20Spec%20lnfrastructure.xlsx
|
| 111 |
+
|
| 112 |
+
# ANNEXA:ABBREVIATIONS
|
| 113 |
+
|
| 114 |
+
<html><body><table><tr><td>BBBEE</td><td> Broad Based Black Economic Empowerment</td></tr><tr><td>BPMN</td><td>Business Process Modelling Notation</td></tr><tr><td>EA</td><td>Enterprise Architecture</td></tr><tr><td>GITO</td><td> Government Information Technology Officer</td></tr><tr><td>GITOC</td><td>Government Information Technology Officers Council</td></tr><tr><td>GWEA</td><td>Government Wide Enterprise Architecture</td></tr><tr><td>ICT</td><td> Information and Communication Technology</td></tr><tr><td>ISO</td><td> International Organisation for Standardisation</td></tr><tr><td>MIOS</td><td>Minimum Interoperability Standards</td></tr><tr><td>SCARC</td><td> Standing Committee on Architecture</td></tr><tr><td>SITA</td><td>State Information Technology Agency</td></tr><tr><td>OMG</td><td>Object Management Group</td></tr><tr><td>TOGAF?</td><td> The Open Group Architecture Framework</td></tr><tr><td>UML</td><td>Unified Modelling Language</td></tr><tr><td>ADL</td><td>Advanced Distributed Learning</td></tr><tr><td>ANSI</td><td> American National Standards Institute</td></tr><tr><td>ECMA</td><td> European association for standardizing information and communication systems</td></tr><tr><td>ETSI</td><td> European Telecommunications Standard Institute</td></tr><tr><td>NIST</td><td> National Institute of Standards and Technology</td></tr><tr><td>IEEE</td><td> Institute of Electrical and Electronics Engineers</td></tr><tr><td>1ETF</td><td> Internet Engineering Task Force</td></tr><tr><td>ISO</td><td>International Organisation for Standardization</td></tr><tr><td>ITU</td><td> International Telecommunication Union</td></tr><tr><td>OAI</td><td>Open Archives lnitiative</td></tr><tr><td>OASIS</td><td> Organization for the Advancement of Structured Information Standards</td></tr><tr><td>OCLC</td><td> Online Computer Library Center</td></tr><tr><td>OGC</td><td>Open Geospatial Consortium</td></tr></table></body></html>
|
| 115 |
+
|
| 116 |
+
<html><body><table><tr><td colspan="2"></td></tr><tr><td>OMA</td><td>Open Mobile Alliance</td></tr><tr><td>OMG</td><td>Object Management Group?</td></tr><tr><td>PKWARE</td><td>PKWARE? Inc, open standard for compressed file format, ZIP)</td></tr><tr><td>SABS</td><td>South African Bureau of Standards</td></tr><tr><td>W3C</td><td>World Wide Web Consortium</td></tr><tr><td>WHO</td><td>World Health Organisation</td></tr></table></body></html>
|
dataset/data/docs/chibanda-and-kabanda_Towards an African cybersecurity community of practice.pdf-d4bd0d.md
ADDED
|
@@ -0,0 +1,159 @@
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1 |
+
# Towards an African cybersecurity community of practice
|
| 2 |
+
|
| 3 |
+
Rutendo Chibanda and Salah Kabanda Information Systems Department University of Cape Town, Cape Town chbrut002@myuct.ac.za, salah.kabanda@uct.ac.za
|
| 4 |
+
|
| 5 |
+
# Abstract
|
| 6 |
+
|
| 7 |
+
In recent years cybersecurity challenges and concerns have become a common theme for discussion by both the government and private sector. These challenges are partly brought on by the continued use of and dependence on information technology, such as the internet, wireless networks and the development and use of smart devices. Additionally, the Covid-19 pandemic has also led to the increase in internet use as it altered the way in which people live and work through forcing businesses and even schools to move to remote working. All these events have made cybersecurity challenges and concerns spiral and more so in Africa where cybercrime continues to rise and be a constant threat. This study proposes a cybersecurity community of practice as a strategy to address African contextual cybersecurity challenges. This qualitative enquiry, based on organizations on the African continent, identifies key characteristics and objectives of an African cybersecurity CoP. These findings provide practical implications for CoP African members and a steppingstone on what to consider prior to implementing an African CoP for addressing cybersecurity challenges and concerns.
|
| 8 |
+
|
| 9 |
+
# Keywords
|
| 10 |
+
|
| 11 |
+
Cybersecurity Challenges, Cyber threats, and Cybersecurity Community of Practice
|
| 12 |
+
|
| 13 |
+
# 1. Introduction
|
| 14 |
+
|
| 15 |
+
The number of internet users worldwide in 2019, was 3.97 billion up from 3.74 billion in the previous year (Johnson, 2021; Oforji et al., 2017). This increase in internet use could be due to, an ease of access to computers, modernisation of countries around the globe as well as, a rise in the utilisation of smartphones (Johnson, 2021). There are various benefits associated with the increased use of the internet such as, the ability to communicate over geographical locations especially in these difficult times of the Covid-19 pandemic, easier access to information and better storage of vast amounts of data through cloud computing (Schatz et al., 2010). Researchers have associated this increased internet use during the pandemic with lower depression level scores and thus, a better quality of life in middle aged and older people as communication may counter isolation or loneliness (Wallinheimo & Evans, 2021).
|
| 16 |
+
|
| 17 |
+
However, the increased use of the internet has also led to an increase in cybersecurity challenges as there is the threat of attackers, intruders, spammers, and hackers within these environments (Namasudra et al., 2020). Cybersecurity refers to the protection of internet connected systems from cyberattacks (Srinivas et al., 2019). This increase in cybersecurity challenges is due to, cyber criminals having found an opportunity to compromise the databases and confidential data of both small and large enterprises in developing and developed countries (Tao et al., 2019). In recent years cybersecurity has risen due to the continued use and dependence on computer systems, the internet, wireless networks such as, WIFI or Bluetooth and the development and use of smart devices as a part of the Internet of Things (IoT) (Oforji et al., 2017). Africa has been recorded as one of the regions with the fastest growing cybercrime activities partly due to the vulnerability of the information systems in these contexts which gives rise to the increased number of threats (Kshetri, 2019). Prior studies have documented the challenges associated with cybersecurity in Africa and strategies for addressing them. Yet, cybersecurity concerns remain and are increasing day by day. The persistence and dangerous nature of this problem confirms that researchers and practitioners are yet to understand the cybersecurity landscape and its associated challenges in Africa. This study proposes a cybersecurity community of practice that seeks to address African contextual cybersecurity challenges. A CoP has the potential to create opportunities for leveraging knowledge from key stakeholders such as various government, industry, and academia experts (Wenger, 2011). This knowledge would contribute towards a better understanding of cybersecurity challenges. 
Thus, this study seeks to address the question: what should be the key characteristics, and objectives, of an African cybersecurity community of practice (CoP)?
|
| 18 |
+
|
| 19 |
+
# 2. Related work on Cybersecurity and Community of Practice
|
| 20 |
+
|
| 21 |
+
Cyber attackers have become more technologically advanced in imposing threats and intrusions to computer systems, networks, or mobile devices as the cyber space is a fast-evolving technological environment (Fischer, 2016). These attacks are voluminous, evolve constantly, have high speed, very sophisticated, and persistent which causes substantial challenges to the preventive security services (Thames & Schaefer, 2017). Some attacks experienced such as, Denial of Service attacks can slow or stop authorised users from gaining access to their systems. In some cases, attackers even take full control of the system leaving organisations crippled (Fischer, 2016). However, despite some organisations implementing cybersecurity strategies, incidents such as cyber-attacks still show a rising trend (Deloitte, 2021). For example, Kenya experienced a spike in cyber threats within the second quarter up until December 2020. A report by the Communications Authority of Kenya stated that cyber threats increased in cost from 35.1 million dollars in the previous quarter to 59.8 million dollars which is a $59.8~\%$ increase in cyber threats. (Telecompaper, 2021). Other cybersecurity challenges affecting African organisations include cyber-attacks such as, hacks (Sawyer & Hancock, 2018), breaches (Mitts & Talley, 2019), ransomware and phishing (Kaspersky, 2021). Nigeria had lost N127 billion annually to cyber-crime attacks (This Day, 2019); and in South Africa, cyber-attacks cost more than R2.2 billion annually. In 2018 there was approximately $75.3\%$ rise in cyber-attacks within the banking sector (The Banking Association South Africa, 2020). These cyber-attacks and threats have become more sophisticated and are thus, capable of causing greater damage as cyber attackers have become more focussed and experienced in issuing their attacks (Smith, 2021). For example, phishing attacks in South Africa have risen by $57\%$ from the time the Covid-19 pandemic began (Smith, 2021). 
This could be as a result of, more organisations working remotely but with little or no cybersecurity mechanisms in place to fight against such cyber-attacks.
|
| 22 |
+
|
| 23 |
+
These cybersecurity challenges become more complicated to resolve as the cyber space is a dynamic fast evolving technological environment comprising of a myriad of challenges in the form of costs, SETA, ransomware threats (Mohurle & Patil, 2017), malware (Iliev et al., 2019), cultural and legal components (Fischer, 2016). One of the significant challenges in tackling cybersecurity has been the cost as far more specialised technology and strategies are used to defend modernised businesses more effectively (Milne, 2021). These strategies involve significantly large investments in human and financial resources which allow organisations to conform to the information security procedures (Tatar et al., 2014). Moreover, educating employees within organisations about cybersecurity strategies is also quite expensive as, the activities are hands-on, experiential and the learning follows a guided approach, making it quite labour and time intensive (McGettrick et al., 2014). Another challenge pertains to the security education and training (Razvan et al., 2018) and awareness, which are limited in most African organisations setting. Global Cyber Alliance report (2019) stated that the cost of cyber-crime in Africa increased from approximately half a billion dollars in 2015 to 3 billion dollars in 2019; making it paramount to enhance cybersecurity education and hygiene to mitigate threats in businesses. Yet, such awareness, training and education program as well as strategies for addressing cybersecurity challenges are costly for most developing countries, and Africa in particular. To address these challenges, this study proposes the adoption of an African cyber security Community of Practice (CoP) - a group of people that share passions and concerns for a common idea or something they engage in, and they learn to improve on it through further interactions (Wenger, 2011). 
A CoP is defined by three characteristics namely, practice (Wenger, 2011) which is the contribution, sharing and exchange of information between the members of a team. Secondly, community (Nobles & Burrell, 2018) which is described as the interactions between members for the purpose of knowledge management and finally, the domain (Wenger, 2011) which addresses the subject to be dealt with in interactions and helps with the integration of members. Some of the key features offered by a community of practice include knowledge preservation and reuse, knowledge transfer mechanism (Huang & Perng, 2017), clear focus (King, 2016), diversity (Pohjola et al., 2016), active learning (King, 2016), and participation commitment. In addition, performance improvements such as, increased core competencies, heightened innovation learning as well as, enhanced work efficiency, and amplified responsiveness can be gained by organisations which operate CoPs both internally and externally (Chu & Khosla, 2009).
|
| 24 |
+
|
| 25 |
+
Prior studies have shown that a cybersecurity community of practice has been used in developed economies to leverage knowledge from government, industry, and academia experts (Nobles & Burrell, 2018). Pittman and Pike (2016) presented a study were a CoP was adopted in order to support peer learning centered on cybersecurity education amongst high school learners. They advocated for further studies in peer learning and CoP structures to support cybersecurity education. Chen et al. (2017) also discussed how a CoP was adopted by medical students to develop their levels of innovation, leadership skills, knowledge, and peer support. Some researchers have suggested there is some level of difficulty associated with choosing the most appropriate CoP type for a particular business or event as, their characteristics differ according to culture, type of business, structure, and scale of organisation (Hong, 2017). A CoP can be classified into categories, namely informal, sponsored, and strategic CoPs. In an informal CoP, members participate through free will and no one should be forced to engage or participate in various activities (Hong, 2017). Additionally, the members also engage based on a shared common interest but, formal CoPs usually have goals that are closely linked to the organisation’s objectives and its purpose. In terms of strategic CoP employees can only gain membership through applications and adherence to CoP rules (Hong, 2017). Although this classification provides a starting point of describing a CoP, this study seeks to identify the type and characteristics of an African cyber security Community of Practice (CoP). Given that contextual challenges in Africa differ from those of developed economies, and the fact that “Africa is a region with one of the highest rates of cybercrime and significant financial losses” (Bada et al., 2019) it becomes imperative to explore and describe a CoP that befits this context.
|
| 26 |
+
|
| 27 |
+
Towards an African cybersecurity community of practice
|
| 28 |
+
|
| 29 |
+
# 3. Methodology
|
| 30 |
+
|
| 31 |
+
A qualitative enquiry approach to the study was adopted. To the best of the researcher’s knowledge, they have not found a paper in Africa that addresses the topic of a Cybersecurity Community of Practice, despite Africa being one of the leading regions in terms of Cybersecurity attacks (Bada et al., 2019). The study population comprised of large organisations that have the resources to have cybersecurity strategies in place on the African continent – bearing in mind that such strategies tend to be quite costly (Tatar et al., 2014). The study adopted a purposeful/selective sampling technique, commonly used by qualitative researchers to recruit participants who can provide in-depth information on the phenomenon under investigation (Palinkas et al., 2015). The researcher chose participants from Linked In, and some were selected from various guest lectures that came to speak to the Honours students. Additionally, others were selected through referrals, and some were within the academia industry. Thorough selection process was conducted and only participants that were aware of and experienced in cybersecurity were selected.
|
| 32 |
+
|
| 33 |
+
Data was collected from seven organisations using qualitative semi-structured interviews. The development of the research instrument was guided by the research question. and cybersecurity and CoP key concepts from literature: Cybersecurity challenges, and the perceptions of a Community of Practice (CoP) for addressing cybersecurity challenges and concerns. The instrument was structured as follows, Section A: Demographic information of respondents and the goal of this section was determine, whether the respondents are an accurate representation of the research sample. Additionally, to elicit information based on organisation background in terms of its establishment, size (based on turnover levels- the higher the turnover the better as such organisations are more likely to afford cybersecurity strategies), industry, and sector classification. Section B was Cybersecurity Challenges because the key research objective was identifying the key characteristics and objectives of an African cybersecurity CoP. In order to do so it was essential for the researcher to ask questions related to the cybersecurity challenges that have been experienced in the organisations, and the corresponding cybersecurity strategies that were implemented to mitigate these challenges. Finally, Section C was Perceptions of a CoP and these aimed to identify whether the interviewees are aware of the existence of CoPs, and their benefits, challenges even the types of Cops as well as, their Critical success factors.
|
| 34 |
+
|
| 35 |
+
Secondary data was also used to elicit information that could assist in improving the quality of this study. To accomplish this, the researcher attended 1 Organisational Cybersecurity Webinar which was centered on cyber threats and attacks in Sub-Saharan Africa (SSA) and cybersecurity vulnerabilities of people SSA.
|
| 36 |
+
|
| 37 |
+
This research adopted thematic analysis to identify and analyse various patterns of themes within qualitative data. Firstly, the qualitative interviews were transcribed into text by manually listening to the audio recordings recorded through MS Teams and typing the transcribed data into Microsoft Word. After the data was transcribed, all the sensitive or confidential information provided by the interviewees were replaced with pseudonyms. For example, the interviewees’ personal details such as names and their company names were given unique IDs in order to adhere to the ethical considerations of the Ethics Committee. The files were also renamed according to the company pseudonyms and their corresponding participant’s ID, for example UNV03_L07 or IT01_L12. This process of transcription of the data was a good way for the researchers to start familiarising themselves with the data. Moreover, according to Bird (2005) transcription is a critical phase which must be done in an interpretive qualitative study. Following the transcription phase, the researcher actively read the transcribed data repeatedly to avoid missing out on any important themes or concepts alluded to in the responses given. Then, the code generation was initialized to identify various features that may be interesting in the data regarding cybersecurity community of practice. The codes generated were colour coded to represent what emerged as cybersecurity challenges, CoP perceptions or any links between the codes were shown as
|
| 38 |
+
|
| 39 |
+
Towards an African cybersecurity community of practice relationships. After having the initial codes, NVivo 12 Pro was then used to assist with the pattern identification.
|
| 40 |
+
|
| 41 |
+
# 4. Findings
|
| 42 |
+
|
| 43 |
+
# 4.1Descriptive Findings
|
| 44 |
+
|
| 45 |
+
The researcher interviewed 12 participants from 7 organisations situated in Africa. The participants where all based in the countries indicated on the demographic table.
|
| 46 |
+
|
| 47 |
+
The findings showed that most of the respondents were male. There were various organisations that were interviewed which fall within the tertiary education sector. According to respondent UNV03 _L07 “the UNV03 the institution is very mindful of security and has cybersecurity strategies in place to combat cyber threats and attacks.” The other organisations that were interviewed where within the Transport and Logistics, Accounting, Information Technology, and Health sectors. For example, “Organization IT 01 was in the Information Technology space and had recently merged with several organisations from Kenya and South Africa. The company employs about 28000 people across 46 countries and makes use of cybersecurity strategies religiously to fight cyber - attacks.” (IT01_L12). Table 1 shows the respondent’s profile and experiences in different sectors. For example, respondent IT01_L12 was “previously a Cybersecurity Engineer and consultant; but currently working as a Practice Lead Manager for Security Services.”
|
| 48 |
+
|
| 49 |
+
Table 1: Demographics of details of respondents
|
| 50 |
+
|
| 51 |
+
|
| 52 |
+
<html><body><table><tr><td>Organisation</td><td>Participant</td><td>Gender</td><td>Position</td><td>Years (#)</td><td>Industry/sector</td><td>Country</td></tr><tr><td rowspan="3">UNV01</td><td>UNV01_L01</td><td>Male</td><td>Senior Technical</td><td>6</td><td rowspan="6">Hitution Education</td><td rowspan="6">South Africa</td></tr><tr><td>UNV01_L02</td><td>Male</td><td>Professor</td><td>21</td></tr><tr><td>UNV01_L03</td><td>Male</td><td>Senior</td><td>3</td></tr><tr><td>UNV02</td><td>UNV02_L05</td><td>Male</td><td>Researcher Lecturer</td><td>13</td></tr><tr><td>UNV03</td><td>UNV03_L07</td><td>Male</td><td>Professor</td><td>20</td></tr><tr><td>ACC01</td><td>ACC01_L08</td><td>Male</td><td>Senior Manager</td><td>4</td><td>Advisory/Consulting</td></tr><tr><td rowspan="2">TL01</td><td>TL01_L09</td><td>Female</td><td>Chief Executive</td><td>3</td><td>Transport/Logistics</td><td rowspan="3">Zimbabwe</td></tr><tr><td>TL01_L10</td><td>Male</td><td>Officer (CEO) Junior Manager</td><td>3</td><td>Transport/Logistics</td></tr><tr><td>PM01</td><td>PM01_L11</td><td>Female</td><td>CEO/Founder</td><td></td><td>Pharmaceutical</td></tr><tr><td>IT01</td><td>IT01_L12</td><td>Male</td><td></td><td>3 10</td><td></td><td>Knya, South</td></tr><tr><td>TL01</td><td>TL01_L13</td><td>Male</td><td>Manager</td><td>5</td><td>Transport/Logistics</td><td></td></tr><tr><td>PM01</td><td>PM01_L14</td><td>Male</td><td>Manager</td><td>4</td><td>Pharmaceutical</td><td>Zimbabwe</td></tr><tr><td>UNV01#SD</td><td>Secondary Data</td><td></td><td></td><td></td><td>Information Technology</td><td>South Africa</td></tr></table></body></html>
|
| 53 |
+
|
| 54 |
+
Participant UNV03_L07 holds a top management role and acts as a coordinator for a short program in Cybersecurity at the institution. Participant ACC01_L08 worked with cybersecurity strategies as a top management personnel. His role as a senior manager consultant involves advising clients on cybersecurity measures and perform audits on cybersecurity controls… and gauge the cybersecurity state to help the clients we are auditing to improve. Participants from countries such as, Zimbabwe had the least years of experience as compared to those from more developed African countries such as, South Africa where two of the interviewed respondents had more than 20 years of experience. For the more experienced respondents, the 20 years of working with cybersecurity strategies was attained in corporate and 5 years attained in academia as respondent UNV03_L07 explains: “I have worked with cybersecurity strategies - From an academic point of view, 5 years. From a corporate point of view 20 years.” Although the findings show that countries that are more developed tend to have more experienced employees; it should be borne in mind that the number of years one is in a particular position does not directly translate into the knowledge or level of experience in cybersecurity.
|
| 55 |
+
|
| 56 |
+
# 4.2Empirical findings
|
| 57 |
+
|
| 58 |
+
# 4.2.1 Cybersecurity Awareness, Training and education
|
| 59 |
+
|
| 60 |
+
Cybersecurity awareness and education was consistently identified as a challenge and according to respondent ACC01_L08, the need for continuous improvement in strategies cannot be understated. The respondent explains that employees lack awareness and if they are aware, they fail to practice security measures and still fall victim to attacks such as phishing. The respondent posits that “the root cause can be traced back to a lack of understanding of cybersecurity by business leaders as a business risk. They would see Cybersecurity as just an IT risk without realising that it is something that could tear the business to pieces. They lack governance of cybersecurity. Due to the limited knowledge organisations have on cybersecurity, several cybersecurity practitioners engaged in training and education programs as a means of educating and helping clients to understand [cybersecurity challenges] so that they are able to make the best decisions when choosing how to secure their systems most effectively.” (IT01_L12). According to some respondents, for training to be effective and acted upon by all members of the organisation, the training was to start at management level. Respondent ACC01_L08 clarifies: “Yes, how seriously do organisations take security? It starts with leadership and governance”. In addition to training, there was a need for cyber security practitioners to be sensitive to the terminologies used during the training and education programs. For example, it was noted that “some of the terms used that are related to cybersecurity are not easily understandable to clients” (IT01_L12)
|
| 61 |
+
|
| 62 |
+
The lack of awareness, training and education on cybersecurity according IT01_L12 was seen to negatively impact security monitoring processes despite having the tools to avoid security concerns because “when clients are unaware; they really don’t know what they don’t know, and they can still be hit by ransomware even when they have the tools to curb this from happening… we conduct training as a means of educating and helping clients to understand so that they are able to make the best decisions when choosing how to secure their systems most effectively.”(IT01_L12). A consistent note from respondents was that most organisation failed to implement comprehensive solutions or tools in place not because they do not have the tools or basic resources, but because cyber security practitioners in these organisations lack awareness and the education to know what solutions to implement. A further concern from most respondents was that “some clients implemented improper cybersecurity framework which does not match their organisation or is incompatible with the way in which the organisation is run due to lack of awareness and education, and this resulted in various security loopholes” (ACC01_L08). According to the findings in the secondary data collected from Organisational cybersecurity Webinars which were centred on cyber threats and attacks in Sub-Saharan Africa (SSA), this was problematic and called for: “The need to build in-house capacity, specifically technical and non-technical indigenous solutions tailored to address contextual challenges. We need solid awareness and training programmes, and this should be a shared responsibility” (UNV01_SD#1). Respondents saw a CoP not only as a potential strategy that would allow stakeholders to come together and engage in capacity building, sharing of knowledge and awareness creation of cybersecurity challenges in
|
| 63 |
+
|
| 64 |
+
Africa; but also, as a starting point of addressing silo initiatives that fail to provide context specific solution tackling cybersecurity challenges to the continent (UNV01_SD#1).
|
| 65 |
+
|
| 66 |
+
# 4.2.2 Shared Values, Knowledge sharing and trust amongst stakeholders
|
| 67 |
+
|
| 68 |
+
Some respondents argued that it is important for stakeholders who intend to participate in the CoP to have a shared understanding of cybersecurity and shared values around it. Respondent UNV02_L05 remarked that “we must have shared values and understanding to help work together more effectively.” Respondent UNV03_L07 stated that “Having shared values or rather the same mind about cybersecurity helps in its successful implementation.” According to respondent UNV01_L02 “If a shared understanding exists it will increase the level of the knowledge shared. People can share knowledge that’s either tacit or explicit. So, a CoP can work if we are of the same mind. I would say it can work even more effectively in our African context due to the existence of ideologies like Ubuntu given that cybersecurity is now a social problem” (UNV01_L02). Shared values can be fostered when members have the same knowledge and understanding about cybersecurity. Knowledge sharing was highlighted as crucial aspect of a CoP in Africa due to the minimal cybersecurity awareness, education, and training. According to respondent IT01_L12 “One bank can be hacked in one way and 3 other banks will be hacked in the same way. But because they don’t share knowledge, they all suffer the same fate.” According to respondent UNV01_L01 “the more knowledge that is shared pertaining to cybersecurity the higher the level of cybersecurity education and awareness” (UNV01_L01). This perception was shared among all participants. The more cybersecurity challenges are treated as a shared responsibility in which cybersecurity knowledge is shared within and across organisations, the easier it would be to address the challenges. 
However, sharing of knowledge was hampered by a lack of trust Respondent IT01_L12points that: “It is important to note that this knowledge can only be shared most effectively when trust has been built and the individuals are committed to solving the challenges at hand whilst working as one team.” (IT01_L12). The lack of trust was seen to be triggered by the lack of successful prosecution of cybercriminal activities. Whilst cybersecurity education was important, there was also a need to strengthen how cybercrimes were addressed. According to respondent UNV03_L07: “people don’t understand cyber-crime; especially the cyber laws in the country; they have not actually seen a successfully prosecuted cyber-criminal in any one of the courts. People have lost confidence in the legal system as there are no concrete actions taken, which makes it feel pointless for some individuals to share their knowledge of cyber related crimes as there is no concrete regard that those who commit cyber-crimes will be ‘brought to book.” (UNV03_L07). IT01_L12 stated that: “In Africa we need to change our policies and governance, so that we can share information. For example: sharing information as countries and having regular meetings were we talk about EDR, and someone explains how that is helping them.” (IT01_L12) Respondent UNV01_L01 agreed and suggested that: “cybersecurity policies and legislation development should always be seen as an iterative process, the strategies are effective, but they can always be continuously improved.”
|
| 69 |
+
|
| 70 |
+
# 4.2.3 Commitment, collaboration and Continuous learning
|
| 71 |
+
|
| 72 |
+
The findings showed that it is important for all stakeholders participating in a CoP to be committed to the mission of addressing cybersecurity. This commitment was highly linked to how resources such as knowledge are shared in the CoP and how trusting individuals are (UNV01_L01). According to UNV02_L05 “the sharing of knowledge will allow members to be more committed to solving the problems at hand especially if they trust each other enough to share their intellectual property. Mutual trust and respect are important as it fosters commitment, and this commitment will have a positive influence on the way in which people work as a team.” Whilst commitment to the CoP cybersecurity agenda was perceived as important, there was also a perception that collaboration in African states was key to its success (PM01_L11). Respondents mentioned that “there is no perfect solution for
|
| 73 |
+
|
| 74 |
+
cybersecurity (UNV01_L02) as the attacks come about in various forms.” The respondent noted that “organisations must develop a culture of continuously improving the strategies in place because strategies can never be 100% fool-proof. There must be a continuous effort, the organisation must work with other institutions to fight against cyber-attacks.” (UNV01_L02). Respondent ACC01_L08 noted his observation that “organisations do not have a broad range of cybersecurity strategies in place and when they do, there is a lack of consistency in applying cybersecurity controls which then affects incidence response planning and recovery.” Respondent IT01_L12 explained that these challenges can easily be addressed within a CoP “where a culture of continuously learn to improve the strategies and thus successfully combat cybersecurity concerns exists” (IT01_L12).
|
| 75 |
+
|
| 76 |
+
# 4.2.4 Identify and understand the threat landscape
|
| 77 |
+
|
| 78 |
+
Every participant provided the researcher with various cyberattacks experienced within their organisations. Respondent IT01_L12 explained that organisations are not only attacked from external sources, but insiders can attack their own to give cyber attackers access to insert malicious software in the system. “In some instances, employees were offered a lot of money to install malicious software on the company system. This is dangerous because some employees may be in tough positions and thus, engage in such actions.” (IT01_L12). Respondent ACC01_L08 further explained that insider attacks can also transpire through non-malicious threats. “There are also non-malicious cyber threats such as, attaching the wrong file and sending to the wrong recipient. These attacks are serious and, in most cases, would occur because the strategies in place can never be $100\%$ fool-proof. Measures can only be effective for now.” (ACC01_L08). Several respondents identified human behaviour as the main threat that exacerbated the challenges of cybersecurity. Respondent UNV01_L02 explained that some employees still refuse to adhere to cybersecurity good practices but prefer to share their passwords with their lovers or save them on unsecure websites which shows that cybersecurity can be identified as a social problem. He explains: “the solution to cyber-crime cannot be just infrastructure as it is more of a social problem (dealing with human beings). For example, have the people been brought up to speed on cyber related challenges - (that is questionable). We still have people that leave their passwords under the keyboard or save them on their browsers, give passwords to their lovers” (UNV01_L02). 
Other respondents identified cybersecurity as more than a technical or social problem but rather as a cultural problem and they advised that in order to solve this problem “punitive measures such as cybersecurity policies and governance must be put in place and anyone who violates the cybersecurity legislation in place must be apprehended.” (UNV03_L07). These findings were supported by the secondary data from the cybersecurity panel who not only called for the need to coordinate and collaborate to solve these cyber threats but proposed the need to comprehensively identify, document and understand the threat landscape – “we need to know what threats we are facing to solve the cybersecurity challenges” (UNV01_SD#1). To have a coordinated and shared understanding of the threat landscape, is perceived as key in the development and implementation of a CoP in Africa (ACC01_L08).
|
| 79 |
+
|
| 80 |
+
# 4.2.5 Cost
|
| 81 |
+
|
| 82 |
+
A continuous claim by respondents was that cybersecurity education was expensive and this negatively impacted training and awareness. Apart from the cost of education, implementing cybersecurity strategies was also perceived as expensive (TL01_L09). Respondent TL01_L10 felt that the costs associated with implementing cybersecurity solutions have affected their ability to effectively combine various strategies to manage cybersecurity challenges more robustly. He explains: “The strategies need to be continuously improved to ensure they can mitigate all the challenges being experienced. I would think combining the strategies we have with other strategies would be helpful. However, the issue of cost has crippled our capacity to do that.” (TL01_L10) “One potential avenue for addressing cost related to cybersecurity was through a CoP were people with knowledge on cybersecurity can share ideas and help educate other employees who may be unaware. You can start in-house then go outside. i.e.: set up short programs where professors and lecturers with sufficient knowledge teach others about cybersecurity” (UNV03_L07). Some respondents noted that cybersecurity frameworks were too expensive to implement and maintain in order to obtain defence mechanisms to fight against cyber-attacks and were also very time consuming to set up (ACC01_L08).
|
| 83 |
+
|
| 84 |
+
# 5. Discussion of the findings
|
| 85 |
+
|
| 86 |
+
The findings show that an African cybersecurity CoP is characterised by three main structures: the cybersecurity landscape, structures that create shared understanding of cybersecurity in Africa (Kshetri, 2019), and shared values and trust as presented in Figure 1. These structures are not static and each structure influences and is influenced by the other. Starting with the cybersecurity landscape, the findings showed that most respondents were males employed in top management positions of the organisations. Although these findings could be brought upon by sampling limitation, these findings still confirm and reiterate that gender gaps are still prevalent within the Information Technology sector and more specifically in the cybersecurity space (Kamberidou & Pascall, 2019). In the year 2019 women comprised of only $9\%$ of these professionals in Africa (Poster, 2018). Women underrepresentation in the information technology remains a persistent challenge despite the efforts to ensure equal opportunities in legislation and government policies (Reinking & Martin, 2018; Wang & Degol, 2017). One of the reasons for the gender gaps in Africa has been the belief that cybersecurity is a male-dominated and highly specialised field (Peacock & Irons, 2017) and therefore not a suitable fit for women. In addition to providing government intervention of having inclusive policies that target gender gaps, there remains a need for a conscious cultural and society shift in Africa to allow women to venture into male dominated fields and specialisation (Akinola, 2018).
|
| 87 |
+
|
| 88 |
+
A cybersecurity CoP for Africa was well received by participants who perceived a CoP as a means of addressing the ongoing dynamic challenges of cybersecurity in Africa. They however identified pertinent attributes that the CoP needs to possess and engage in for it to adequately address African contextual cybersecurity challenges. Firstly, there was a need for individual states and private sectors to collectively embark on cybersecurity awareness, training and education programs that serve as a foundation for understanding what it is, what you don’t know and using what you already have, how can you address what you know (IT01_L12). These findings reiterate prior studies that lack of awareness of threats and risks within the cyber space is a challenge (Bada et al., 2019), which is compounded by the lack of cybersecurity education and training (Security Boulevard, 2021) brought upon by the inadequate infrastructure required to offer cybersecurity training programs in Africa (Barinov & Sharova, 2021; Goussard, 2021; Gregory & Sovacool, 2019) as well as the high levels of computer illiteracy and inadequate regulatory measures against cyber-attacks. Once the cybersecurity landscape has been explored and understood, for example foundation of awareness, training and education on cybersecurity have been implemented, this will serve as a steppingstone for African states to come together and collectively develop and form shared understanding of cybersecurity concerns and strategies that could lead to having shared view and values on how to address cybersecurity challenges. In Africa, prior studies have noted that when a community has shared values and a shared understanding of some phenomenon, those attributes help to uphold the Ubuntu principles of solidarity, cohesiveness, collectivism, and participatory leadership (Kamwangamalu, 1999; Mulaudzi et al., 2009). 
Practising and upholding these principles, allows members to learn (Barinov & Sharova, 2021; Goussard, 2021; Gregory & Sovacool, 2019). A cybersecurity CoP in Africa that demonstrated Ubuntu principles which encourages unity and working together to achieve one goal of “I am because we are” (Kamwangamalu, 1999; Mulaudzi et al., 2009) was perceived as an important step towards the agenda of addressing cybersecurity challenges in Africa. Knowledge sharing and building trust amongst stakeholders was regarded as one of the mechanisms of keeping to the principles of Ubuntu. With shared knowledge, comes shared understanding and in due course shared values (IT01_L12). With shared values, stakeholders can ultimately build trust, a key prerequisite for a successful CoP in Africa (Pohjola et al., 2016). It is therefore imperative that conducive structures for knowledge sharing are made to facilitate the process of trust building in a CoP within the context of Africa where challenges such as culture, and language make it difficult to arrive at a shared understanding (De Barros Jerônimo et al., 2018). Such structures should lead members of a CoP to become committed and allow them to easily collaborate when addressing cybersecurity concerns. A lack of commitment and collaboration could negatively impact knowledge shared, and consequently leading to lack of trust within the CoP (De Barros Jerônimo et al., 2018).
|
| 89 |
+
|
| 90 |
+

|
| 91 |
+
Figure 1: A Cybersecurity CoP for Africa
|
| 92 |
+
|
| 93 |
+
Findings in this study identified the need for members of a cybersecurity CoP to cultivate a culture of continuous learning and improvement of cybersecurity strategies, given the already existing limited awareness, education, and training programs around the phenomenon. These findings echo prior studies in the field of continuous learning (Shafqat & Masood, 2016; Teoh & Mahmood, 2017). The continuous improvement of cybersecurity strategies would require an ongoing process of identification and understanding of the cyber security threat landscape in Africa where the cyber threat landscape is continuously evolving (Fischer, 2016). There was a continuous call from participants that an African cybersecurity CoP should possess structures that allow cost effective implementation of the proposed strategies and solutions. The findings pointed to costs being high and reflect those of Milne (2021) who stated that organisations that implement cybersecurity strategies face the challenge of using exorbitant amounts of money as, far more specialized technology is used to defend modernized businesses more effectively. This challenge is more prominent in Africa where most organisations do not have sufficient resources to implement cybersecurity strategies (Dlamini & Mbambo, 2019; Leenen et al., 2020).
|
| 94 |
+
|
| 95 |
+
Based on these findings, and the presentation by Hong (2017), this study advocates for a formal CoP that mirrors the characteristics of both a sponsored and strategic formal CoP. The objectives of the African cybersecurity CoP are to create awareness, education, and training on cybersecurity, establish a culture of continuous learning and develop structures of developing cost-effective solutions for cybersecurity. The CoP objectives further includes the identification and solving of cybersecurity concerns, establishment of collective shared values and the development of structures for knowledge sharing, trust building, commitment and collaboration. The development of the African cybersecurity CoP should be a strategic endeavor and includes members who have a shared goal of addressing cybersecurity challenges. Thus, CoP membership participation is by free will of those interested in addressing cybersecurity concerns; or invited by colleague/cybersecurity expert/practitioner. By doing so, the CoP is not limited to individuals who work or participate in the formal cybersecurity space alone but is open to other stakeholders who are affected by cybersecurity challenges. However, to ensure social inclusion and gender justice as an integral part of the CoP, membership should include targeted identification of individuals that meet transformative agenda of social inclusion, who share the common interest of addressing cybersecurity concerns. As Chiweshe (2019,1) reiterates that without “a concerted effort to undertake socially inclusive processes the Information technology revolution will in many ways fail women, especially in Africa”. These efforts should be accompanied by, among other solutions, policy frameworks for social inclusion programmes in cyber security education to train more young women in science, technology, engineering, and mathematics (Chiweshe, 2019). 
A CoP that follows a public–private partnership (PPP) model is advocated for in this study to ensure that stakeholders such as the government and the industry collaborate and prepare resilient cybersecurity strategies; bearing in mind of course, the critical success factors of implementing a PPP model in developing countries such as those in Africa (Pomerleau & Lowery, 2020). A PPP model would assist in reducing the exorbitant costs, resources and infrastructure challenges associated with cybersecurity in Africa (Barinov & Sharova, 2021; Goussard, 2021; Gregory & Sovacool, 2019; Milne, 2021) and challenges posed by cybersecurity management
|
| 96 |
+
|
| 97 |
+
# 6. Conclusion
|
| 98 |
+
|
| 99 |
+
Africa continuous to experience cyberattacks and is perceived by many as the haven for cyber criminals. Although several strategies are proposed in literature on how to address cybersecurity in Africa, the challenges associated with cyber related crimes remain. This study proposes a formal cybersecurity community of practice as a starting point for Africans to collectively address cyber related challenges. Following a qualitative enquiry approach across the continent with cybersecurity experts and practitioners, the study presents key characteristics and espoused objectives of an effective formal African cybersecurity CoP. Such descriptive findings contribute towards a better understanding on how to implement a formal cybersecurity CoP that seeks to address Africa’s cybersecurity challenges and concerns.
|
| 100 |
+
|
| 101 |
+
# References
|
| 102 |
+
|
| 103 |
+
Akinola, A. O. (2018). Women, Culture and Africa’s Land Reform Agenda. Frontiers in Psychology, 9(1), 1-3. https://doi.org/https://doi.org/10.3389/fpsyg.2018.02234
|
| 104 |
+
Bada, M., von Solms, B., & Agrafiotis, I. (2019). Reviewing National Cybersecurity Awareness in Africa: An Empirical Study. Paper presented at the The Third International Conference on Cyber-Technologies and Cyber-Systems, CYBER 2018, 78-83. https://doi.org/10.17863/CAM.40856 https://www.repository.cam.ac.uk/handle/1810/293742
|
| 105 |
+
Barinov, A. K., & Sharova, A. Y. (2021). Infrastructure development in Africa (East African Transport). Asia and Africa Today, (7), 38-46.
|
| 106 |
+
Chiweshe, M. K. (2019). Fourth Industrial Revolution: What's in it for African Women? Africa Portal. https://www.africaportal.org/publications/fourth-industrial-revolution-whats-it-africanwomen/
|
| 107 |
+
Chu, M., & Khosla, R. (2009). Index evaluations and business strategies on communities of practice. Expert Systems with Applications, 36(2), 1549-1558. https://doi.org/10.1016/j.eswa.2007.11.053
|
| 108 |
+
De Barros Jerônimo, T., Coutinho de Melo, Fagner José, Tomaz de Aquino, J., Gonzaga de Albuquerque, André Philippi, & Dumke de Medeiros, D. (2018). Knowledge management alignment to the community of practice in a company of cutting and bending steel. Brazilian
|
| 109 |
+
Towards an African cybersecurity community of practice R. Chibanda and S. Kabanda Journal of Operations & Production Management, 15(1), 1-11. https://doi.org/10.14488/BJOPM.2018.v15.n1.a1
|
| 110 |
+
Deloitte. (2021). Impact of COVID-19 on Cybersecurity. Deloitte. https://www2.deloitte.com/ch/en/pages/risk/articles/impact-covid-cybersecurity.html
|
| 111 |
+
Dlamini, S., & Mbambo, C. (2019). Understanding policing of cyber-crime in South Africa: The phenomena, challenges and effective responses. Cogent Social Sciences, 5(1), 1675404.
|
| 112 |
+
Fischer, E. A. (2016). Cybersecurity Issues and Challenges: In Brief. Congressional Research Service, Senior Specialist in Science and Technology , 1-9.
|
| 113 |
+
Goussard, H. (2021). Expert Eye: A new way to analyse African Infrastructure | Industry Insights. Africa Outlook Magazine. https://www.africaoutlookmag.com/industry-insights/article/1094- expert-eye-a-new-way-to-analyse-african-infrastructure
|
| 114 |
+
Gregory, J., & Sovacool, B. K. (2019). The financial risks and barriers to electricity infrastructure in Kenya, Tanzania, and Mozambique: A critical and systematic review of the academic literature. Energy Policy, 125, 145-153.
|
| 115 |
+
Hong, J. (2017). A method for identifying the critical success factors of CoP based on performance evaluation. Knowledge Management Research & Practice, 15(4), 572-593. https://doi.org/10.1057/s41275-017-0066-6
|
| 116 |
+
Huang, H., & Perng, Y. (2017). Factors Influencing the Success of Communities of Practice in the Interior Decoration Industry. Paper presented at the Proceedings of the 2017 International Conference on Organizational Innovation,341-345. https://doi.org/10.2991/icoi-17.2017.59
|
| 117 |
+
Iliev, A., Kyurkchiev, N., Rahnev, A., & Terzieva, T. (2019). Some models in the theory of computer viruses propagation. LAP LAMBERT Academic Publishing.
|
| 118 |
+
Johnson, J. (2021). Global number of internet users 2005-2019. Statista. https://www.statista.com/statistics/273018/number-of-internet-users-worldwide/
|
| 119 |
+
Kamberidou, I., & Pascall, N. (2019). The digital skills crisis: engendering technology–empowering women in cyberspace. European Journal of Social Sciences Studies, 4(6), 1-33.
|
| 120 |
+
Kamwangamalu, N. M. (1999). Ubuntu in South Africa: A sociolinguistic perspective to a panAfrican concept. Critical Arts, 13(2), 24-41.
|
| 121 |
+
Kaspersky. (2021). Over half of ransomware victims pay the ransom, but only a quarter see their full data returned. Kaspersky. https://www.kaspersky.com/about/press-releases/2021_over-half-ofransomware-victims-pay-the-ransom-but-only-a-quarter-see-their-full-data-returned
|
| 122 |
+
King, M. (2016). 6 Key Features of a successful Community of Practice.37(6), 1-3.
|
| 123 |
+
Kshetri, N. (2019). Cybercrime and Cybersecurity in Africa. Journal of Global Information Technology Management, 22(2), 77-81. https://doi.org/10.1080/1097198X.2019.1603527
|
| 124 |
+
Leenen, L., van Vuuren, J. J., & van Vuuren, A. J. (2020). Cybersecurity and Cybercrime Combatting Culture for African Police Services. Paper presented at the IFIP International Conference on Human Choice and Computers, 248-261.
|
| 125 |
+
McGettrick, A., Cassel, L., Dark, M., Hawthorne, E., & Impagliazzo, J. (2014). Toward curricular guidelines for cybersecurity. Paper presented at the 81-82. https://doi.org/https://doi.org/10.1145/2538862.2538990
|
| 126 |
+
Milne, A. (2021). The rising cost of cyber security expertise. Field Effect. https://fieldeffect.com/blog/rising-cost-cyber-security-expertise/
|
| 127 |
+
Mitts, J., & Talley, E. (2019). Informed trading and cybersecurity breaches. Harv.Bus.L.Rev., 9, 1.
|
| 128 |
+
Mohurle, S., & Patil, M. (2017). A brief study of wannacry threat: Ransomware attack. International Journal of Advanced Research in Computer Science, 8(5), 1938-1940. https://doi.org/10.26483/ijarcs.v8i5.4021
|
| 129 |
+
Towards an African cybersecurity community of practice
|
| 130 |
+
Mulaudzi, F. M., Libster, M. M., & Phiri, S. (2009). Suggestions for Creating a Welcoming. International Journal for Human Caring, 13(2)
|
| 131 |
+
Namasudra, S., Devi, D., Kadry, S., Sundarasekar, R., & Shanthini, A. (2020). Towards DNA based data security in the cloud computing environment. Computer Communications, 151, 539-547. https://doi.org/10.1016/j.comcom.2019.12.041
|
| 132 |
+
Nobles, C., & Burrell, D. (2018). Using Cybersecurity Communities of Practice (CoP) to Support Small and Medium Businesses. Paper presented at the ICIE 2018 6th International Conference on Innovation and Entrepreneurship: ICIE 2018, 333. https://search.proquest.com/docview/2291516634
|
| 133 |
+
Oforji, J. C., Udensi, E. J., & Ibegbu, K. C. (2017). Cybersecurity challenges in Nigeria: The way forward. SosPoly Journal of Science and Agriculture, 2, 1-5.
|
| 134 |
+
Palinkas, L. A., Horwitz, S. M., Green, C. A., Wisdom, J. P., Duan, N., & Hoagwood, K. (2015). Purposeful sampling for qualitative data collection and analysis in mixed method implementation research. Administration and Policy in Mental Health, 42(5), 533-544. https://doi.org/10.1007/s10488-013-0528-y
|
| 135 |
+
Peacock, D., & Irons, A. (2017). Gender inequality in cybersecurity: Exploring the gender gap in opportunities and progression. International Journal of Gender, Science and Technology, 9(1), 25-44.
|
| 136 |
+
Pittman, J. M., & Pike, R. (2016). An Observational Study of Peer Learning for High School Students at a Cybersecurity Camp. Information Systems Education Journal, 14(3), 4. http://isedj.org/2016-14/n3/ISEDJv14n3p4.html
|
| 137 |
+
Pohjola, I., Puusa, A., & Iskanius, P. (2016). Antecedents of Successful Collaboration in Community of Practice between Academia and Industry: A Case Study. Electronic Journal of Knowledge Management : EJKM, 14(3) https://search.proquest.com/docview/1816797111
|
| 138 |
+
Pomerleau, P., & Lowery, D. L. (2020). Conclusions and Implications for Practice and Future Studies on Public–Private Partnerships In Countering Cyber Threats to Financial Institutions . Palgrave Macmillan.
|
| 139 |
+
Poster, W. R. (2018). Cybersecurity needs women. Nature,555(7698), 577-
|
| 140 |
+
580.https://doi.org/10.1038/d41586-018-03327-w
|
| 141 |
+
Razvan, B., Dat, T., Cuong, P., Ken-ichi, C., Yasuo, T., & Yoichi, S. (2018). Integrated framework for hands-on cybersecurity training: CyTrONE. Computers & Security, 78, 43-59. http://hdl.handle.net/10119/16450
|
| 142 |
+
Reinking, A., & Martin, B. (2018). The gender gap in STEM fields: Theories, movements, and ideas to engage girls in STEM. Journal of New Approaches in Educational Research, 7(2), 148-153. https://eric.ed.gov/?id=EJ1185331
|
| 143 |
+
Sawyer, B. D., & Hancock, P. A. (2018). Hacking the human: the prevalence paradox in cybersecurity. Human Factors, 60(5), 597-609.
|
| 144 |
+
Schatz, M. C., Salzberg, S. L., & Langmead, B. (2010). Cloud computing and the DNA data race. Nature Biotechnology; Nat Biotechnol, 28(7), 691-693. https://doi.org/10.1038/nbt0710-691
|
| 145 |
+
Security Boulevard. (2021). Navigating Cybersecurity Gaps in Uncertain Times. Security Boulevard. https://securityboulevard.com/2021/04/navigating-cybersecurity-gaps-in-uncertain-times/
|
| 146 |
+
Shafqat, N., & Masood, A. (2016). Comparative analysis of various national cyber security strategies. International Journal of Computer Science and Information Security, 14(1), 129.
|
| 147 |
+
Smith, C. (2021, May 1,). Move aside malware, the rising threat is stalkerware. Fin24 https://www.news24.com/fin24/companies/ict/move-aside-malware-the-rising-threat-isstalkerware-20210501
|
| 148 |
+
Srinivas, J., Das, A. K., & Kumar, N. (2019). Government regulations in cyber security: Framework, standards and recommendations. Future Generation Computer Systems, 92, 178-188. https://doi.org/10.1016/j.future.2018.09.063
|
| 149 |
+
|
| 150 |
+
Tao, H., Bhuiyan, M. Z. A., Rahman, M. A., Wang, G., Wang, T., Ahmed, M. M., & Li, J. (2019). Economic perspective analysis of protecting big data security and privacy. Future Generation Computer Systems, 98, 660-671.
|
| 151 |
+
Tatar, Ü, Çalik, O., Çelik, M., & Karabacak, B. (2014). A Comparative Analysis of the National Cyber Security Strategies of Leading Nations . International Conference on Cyber Warfare and Security. Academic Conferences International Limited, 34, 211. https://search.proquest.com/docview/1779459625
|
| 152 |
+
Telecompaper. (2021). Kenya registers spike in cyber threats in Q2. Broadband. https://www.telecompaper.com/news/kenya-registers-spike-in-cyber-threats-in-q2--1378150
|
| 153 |
+
Teoh, C. S., & Mahmood, A. K. (2017). National cyber security strategies for digital economy. Paper presented at the 2017 International Conference on Research and Innovation in Information Systems (ICRIIS), 1-6.
|
| 154 |
+
Thames, L., & Schaefer, D. (2017). Cybersecurity for Industry 4.0 and Advanced Manufacturing Environments with Ensemble Intelligence. Cybersecurity for Industry 4.0. Analysis for Design and Manufacturing (pp. 243-265). Springer, Cham. https://doi.org/https://doi.org/10.1007/978- 3-319-50660-9_10
|
| 155 |
+
The Banking Association South Africa. (2020, Jun 23,). Sabric Annual Crime Stats. Sabric https://www.banking.org.za/news/sabric-annual-crime-stats-2019/
|
| 156 |
+
This Day. (2019, -06-19T03:16:01+00:00). Nigeria Losses About N127bn to Cybercrime Annually. https://www.thisdaylive.com/index.php/2019/06/19/nigeria-losses-about-n127bn-to-cybercrimeannually/
|
| 157 |
+
Wallinheimo, A., & Evans, S. L. (2021). More Frequent Internet Use during the COVID-19 Pandemic Associates with Enhanced Quality of Life and Lower Depression Scores in MiddleAged and Older Adultshttps://doi.org/10.3390/healthcare9040393
|
| 158 |
+
Wang, M., & Degol, J. L. (2017). Gender gap in science, technology, engineering, and mathematics (STEM): Current knowledge, implications for practice, policy, and future directions. Educational Psychology Review, 29(1), 119-140.
|
| 159 |
+
Wenger, E. (2011). Community of Practice: A brief introduction. Scholars’ Bank, 1-7. http://hdl.handle.net/1794/11736
|
dataset/data/docs/egovernment_02_02_2022.pdf-8ee94aec-ed5a-45f3-80c7-14a5acd14b15.md
ADDED
|
@@ -0,0 +1,374 @@
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1 |
+
# the dpsa
|
| 2 |
+
|
| 3 |
+
Department: Public Service and Administration REPUBLIC OF SOUTH AFRICA
|
| 4 |
+
|
| 5 |
+
Private Bag X916,PRETORIA, 0001 Tel: (012) 336 1000, Fax: (012) 326 7802
|
| 6 |
+
Private Bag X9148, CAPE TOWN, 8000 Tel: (021) 467 5120, Fax:(021) 467 5484
|
| 7 |
+
|
| 8 |
+
Enquiries : Ayanda Nkundla Tel No. : (012) 336 1250/061 442 0471 Email : ayanda.nkundla@dpsa.gov.za
|
| 9 |
+
|
| 10 |
+
TO ALL HEADS OF NATIONAL AND PROVINCIAL DEPARTMENTS
|
| 11 |
+
|
| 12 |
+
CIRCULARNO.01OF 2022
|
| 13 |
+
|
| 14 |
+
PUBLIC SERVICE CLOUD COMPUTING DETERMINATION AND DIRECTIVEAWARENESS
|
| 15 |
+
|
| 16 |
+
1. The Minister for Public Service and Administration has approved the Public Service Cloud Computing Determination and Directive (Attached) for implementation by the departments. The Determination and Directive is issued in terms of section 3(1) (f) (g)& (i) of Public Service Act, 1994.
|
| 17 |
+
|
| 18 |
+
2. The purpose of the Determination and Directive is to provide clear guidance to Public Service departments on adopting and using Cloud Computing services and technologies.
|
| 19 |
+
|
| 20 |
+
3. The prescripts set out in the Determination and Directive must be applied to all Cioud Services where Government data is either stored and or processed.
|
| 21 |
+
|
| 22 |
+
# DETERMINATION AND DIRECTIVE ON THE USAGE OFCLOUD COMPUTING SERVICES IN THE PUBLIC SERVICE
|
| 23 |
+
|
| 24 |
+
# TABLE OF CONTENTS
|
| 25 |
+
|
| 26 |
+
DEFINITIONS . 3
|
| 27 |
+
1. INTRODUCTION ... 5
|
| 28 |
+
2. PURPOSE . 5
|
| 29 |
+
3. AUTHORISATION . 5
|
| 30 |
+
4. SCOPE OF APPLICATION .. 5
|
| 31 |
+
5. REGULATORY FRAMEWORK ( PROVIDES THE CONTEXT WITHIN WHICH THE DETERMINATION
|
| 32 |
+
AND DIRECTIVE EXISTS) . ... 6
|
| 33 |
+
6. IMPLEMENTATION OF THE DETERMINATION AND DIRECTIVE ... .. 6
|
| 34 |
+
7. NON-COMPLIANCE MANAGEMENT . .. 6
|
| 35 |
+
8. DATE OF IMPLEMENTATION .. . 6
|
| 36 |
+
9. PROVISIONS ON THE USAGE OF CLOUD COMPUTING SERVICES . 6
|
| 37 |
+
9.1. WHAT IS CLOUD COMPUTING? 6
|
| 38 |
+
9.2. GENERAL CLOUD CONSIDERATIONS . . 8
|
| 39 |
+
9.3. BEFORE ACQUIRING AND IMPLEMENTING CLOUD SERVICES .. . 8
|
| 40 |
+
9.4. DURING CLOUD SERVICE CONSUMPTION . 11
|
| 41 |
+
9.5. CLOUD SERVICE TERMINATION . 11
|
| 42 |
+
9.6. GENERAL . 11
|
| 43 |
+
REFERENCES .. . 12
|
| 44 |
+
APPENDIX A – CLOUD READINESS ASSESSMENT CHECKLIST. 14
|
| 45 |
+
|
| 46 |
+
# DEFINITIONS
|
| 47 |
+
|
| 48 |
+
<html><body><table><tr><td>TERM</td><td>DEFINITION</td></tr><tr><td>ACT</td><td>Public Service Act, 1994</td></tr><tr><td>BIG DATA</td><td>Refers to data that is so large, fast or complex that it's difficult or impossible to process using traditional methods</td></tr><tr><td>BUSINESS CASE CLOUD WORKLOAD</td><td>A business case is a document where a proposed action is presented and coherently supported with detailed reasoning and expected net benefits for the business. Is a specific application, service, capability or a specific amount of work</td></tr><tr><td>CONFIDENTIAL</td><td>that can be run on a cloud resource. Virtual machines, databases, containers, Hadoop nodes and applications are al considered cloud workloads. Access to confidential data requires specific authorization and/or</td></tr><tr><td>DATA CSP</td><td>clearance. Types of confidential data might include Social Security numbers, cardholder data, M&A documents, and more. Usually, confidential data is protected by laws like HIPAA and the PCl DSS.</td></tr><tr><td>DATA</td><td>Cloud service provider: A third-party company offering a cloud-based platform, infrastructure, application, or storage services. Refers to a process of organising data by relevant categories so that it</td></tr><tr><td>CLASSIFICATION DATA MINING</td><td>may be used and protected more efficiently. Data mining is defined as a process used to extract usable data from a</td></tr><tr><td>DATA PROCESSING</td><td>larger set of any raw data. It implies analysing data patterns in large batches of data using one or more software. Data processing occurs when data is collected and translated into usable information. Usually performed by a data scientist or team of data scientists, it is important for data processing to be done correctly as not to</td></tr><tr><td>DATA RESIDENCY</td><td>negatively affect the end product, or data output. 
Refers to the physical or geographic location of an organization's data or information.</td></tr><tr><td>DATA SECURITY SOLUTIONS DATA</td><td>Work by providing visibility and security at the same time</td></tr><tr><td>SOVEREIGNTY</td><td>Describes the legal principle that information (generally in electronic form) is regulated or governed by the legal regime of the country in which that data resides.</td></tr><tr><td>DEPARTMENT</td><td>National department, a National government component, the Office of a Premier, a Provincial department or a provincial government component.</td></tr><tr><td>DETERMINATION AND DIRECTIVE</td><td>The Determination to provide clear guidance on the adoption and use of cloud computing in the public service and the Directive on numerous issues to be considered by departments before, during and after acquiring cloud-based computing services.</td></tr><tr><td>DPSA</td><td>Department of Public Service and Administration</td></tr><tr><td>eGSIM</td><td>eGovernment Service and Information Management</td></tr><tr><td>HEAD OF DEPARTMENT(HOD)</td><td>The incumbent of a post mentioned in column 2 of Schedule 1, 2 or 3 and it includes any employee acting in such post.</td></tr><tr><td>laaS</td><td>Infrastructure as a service: is a cloud computing offering in which a vendor provides users access to computing resources such as storage,</td></tr><tr><td>ICT</td><td>networking, and servers. Information and communication technology refers to all communication technologies.</td></tr></table></body></html>
|
| 49 |
+
|
| 50 |
+
<html><body><table><tr><td colspan="2">IP Intellectual property refers to creations of the mind, such as inventions; literary and artistic works; designs; and symbols, names and images used</td></tr><tr><td>ISO</td><td>in commerce. International Organization for Standardization</td></tr><tr><td>IT</td><td>Information technology is the use of any computers, storage, networking and other physical devices, infrastructure and processes to create,</td></tr><tr><td>MISS</td><td>process, store, secure and exchange all forms of electronic data. Minimum Information Security Standards, data and information</td></tr><tr><td>MPSA</td><td>classification Minister for the Public Service and Administration</td></tr><tr><td>MSP</td><td>Managed service provider</td></tr><tr><td>NIST</td><td>The National Institute of Standards and Technology</td></tr><tr><td>OPENDATA</td><td>Means data that is made freely available to everyone for use, re-use and republishing as they wish, subject to ensuring the protection of privacy,</td></tr><tr><td>OPEN DATA PRINCIPLES</td><td>confidentiality and security in line with the Constitution. Government data shall be considered open if it is made public in a way that complies with the principles: Complete; Primary; Timely; Accessible;</td></tr><tr><td>PaaS</td><td>Machine processable; Non-discriminatory; Non-proprietary; License-free. Platform as a service is a service provider that offers access to a cloud- based environment in which users can build and deliver applications.</td></tr><tr><td>PERSONAL INFORMATION</td><td>Means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person.</td></tr><tr><td>PSR</td><td>The Public Service Regulations , 1996</td></tr><tr><td>PUBLIC DATA</td><td>This type of data is freely accessible to the public (i.e. all employees/company personnel). It can be freely used, reused, and redistributed without repercussions. 
An example might be first and last</td></tr><tr><td>RACI</td><td>names, job descriptions, or press releases. Responsible, accountable, consulted, informed</td></tr><tr><td>SaaS</td><td>Software as a service is a service provider that delivers software and applications through the internet.</td></tr><tr><td>SECRETDATA</td><td>The classification level applied to information the unauthorized disclosure of which reasonably could be expected to cause serious damage to national security that the original classification is able to identify or</td></tr><tr><td>SLA</td><td>describe. Service level agreement defines the level of service you expect from a vendor, laying out the metrics by which service is measured, as well as remedies or penalties should agree-on service levels not be achieved.</td></tr><tr><td>TCO</td><td>Total cost of ownership is the metric that organizations use to quantify and measure cloud adoption success.</td></tr></table></body></html>
|
| 51 |
+
|
| 52 |
+
# 1. INTRODUCTION
|
| 53 |
+
|
| 54 |
+
1.1. Rapid advancements in information and communication technology have made it difficult for Government departments to keep up and or sustain investment in this area. This has further ensured that the required and appropriate skills remain concentrated outside departments and or the public sector in general.
|
| 55 |
+
|
| 56 |
+
1.2. Cloud computing services can provide government departments with access to ondemand ICT hardware and software resources over the Internet. These include ICT resources, such as computing power, data storage capacity, software services and operating system functionality. These resources run on computer servers, storage devices, and networking equipment located in physical data centers operated by a cloud service provider (CSP). The service provider is responsible for the security, maintenance, and backup of the hardware, software, and data stored in these facilities, freeing up the department to focus on its core service delivery functions.
|
| 57 |
+
|
| 58 |
+
1.3. The economic efficiencies, privacy and information security concerns, environmental impact (carbon emissions) issues associated with technological practices as well as the general opportunities associated with technological developments particularly in the area of cloud computing services have further prompted the issuing of this determination and directive.
|
| 59 |
+
|
| 60 |
+
# 2. PURPOSE
|
| 61 |
+
|
| 62 |
+
2.1. The purpose of this Determination and Directive is to provide clear guidance on the adoption and use of cloud computing services in the public service.
|
| 63 |
+
|
| 64 |
+
# 3. AUTHORISATION
|
| 65 |
+
|
| 66 |
+
3.1. This Determination and Directive is issued by the MPSA in terms of section 3(1) (f) (g) & (i) of Public Service Act, 1994.
|
| 67 |
+
|
| 68 |
+
# 4. SCOPE OF APPLICATION
|
| 69 |
+
|
| 70 |
+
4.1. This Determination and Directive applies to all departments and its employees employed in terms of the Act and the members of the services only in so far as the provisions of the Determination and Directive are not contrary to the laws governing their employment.
|
| 71 |
+
4.2. Furthermore, the prescripts set out in this determination and directive must be applied to all cloud services where Government data is either stored and or processed.
|
| 72 |
+
|
| 73 |
+
# 5. REGULATORY FRAMEWORK ( PROVIDES THE CONTEXT WITHIN WHICH THE DETERMINATION AND DIRECTIVE EXISTS)
|
| 74 |
+
|
| 75 |
+
5.1. Constitution of the Republic of South Africa, 1996.
|
| 76 |
+
5.2. Public Service Act, 1994, Section 3(1) (f) (g) & (i).
|
| 77 |
+
5.3. The Protection of Personal Information Act 4 of 2013(POPI), Section 72.
|
| 78 |
+
5.4. Promotion of Access to Information Act 2 of 2000 (PAIA), Section 63-66.
|
| 79 |
+
|
| 80 |
+
# 6. IMPLEMENTATION OF THE DETERMINATION AND DIRECTIVE
|
| 81 |
+
|
| 82 |
+
6.1. The prescripts set out herein must be applied to every Cloud service where government data will either be stored and or processed before implementing the cloud service.
|
| 83 |
+
6.2. Where a department had implemented a cloud solution before the approval date of this Directive, the Head of Department must ensure that a risk assessment is conducted and a risk assessment report is tabled at the departmental risk committee.
|
| 84 |
+
6.3. The Head of Department must ensure that all requirements of this determination and directive are met within 6 months of the approval and publication of this determination and directive.
|
| 85 |
+
|
| 86 |
+
# 7. NON-COMPLIANCE MANAGEMENT
|
| 87 |
+
|
| 88 |
+
7.1. Failure to comply with this Determination and Directive will be dealt with in line with the provisions of the Public Service Act, 1994, section 16A and 16B.
|
| 89 |
+
|
| 90 |
+
# 8. DATE OF IMPLEMENTATION
|
| 91 |
+
|
| 92 |
+
8.1. This Determination and Directive shall come into effect on the date of signature by the MPSA.
|
| 93 |
+
|
| 94 |
+
# 9. PROVISIONS ON THE USAGE OF CLOUD COMPUTING SERVICES
|
| 95 |
+
|
| 96 |
+
There are numerous provisions to be considered by departments before, during, and after acquiring cloud-based computing services. The following points outline the provisions:
|
| 97 |
+
|
| 98 |
+
# 9.1. WHAT IS CLOUD COMPUTING?
|
| 99 |
+
|
| 100 |
+
Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal
|
| 101 |
+
|
| 102 |
+
management effort or service provider interaction. This cloud model promotes availability and is composed of three service models and four deployment models.
|
| 103 |
+
|
| 104 |
+

|
| 105 |
+
Figure 1. Cloud Deployment Models adapted from NIST
|
| 106 |
+
|
| 107 |
+
# Cloud Service Models
|
| 108 |
+
|
| 109 |
+
Software as a Service (SaaS): The capability provided to a department is to use the provider’s applications running on a cloud infrastructure. The applications are accessible through a web browser (e.g. Gmail). The department does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities.
|
| 110 |
+
|
| 111 |
+
Platform as a Service (PaaS): Departments develop applications using the Cloud Service provider’s hosted hardware and software platforms. The department does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly application hosting environment configurations.
|
| 112 |
+
|
| 113 |
+
Infrastructure as a Service (IaaS): The capability provided to the department is to provision processing, storage, networks, and other fundamental computing resources where the department is able to deploy and run arbitrary software, which can include operating systems and applications. The department does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications, and possibly limited control of select networking components (e.g., host firewalls).
|
| 114 |
+
|
| 115 |
+
# 9.2. GENERAL CLOUD CONSIDERATIONS
|
| 116 |
+
|
| 117 |
+
9.2.1. The Head of Department must ensure that Cloud Services are the first option explored before any on-premise infrastructure investment is made. This option must be fit for purpose, and preference (not exclusive use) must be given to private government cloud where the capability exists.
|
| 118 |
+
9.2.2. The Head of Department must ensure that the proposed cloud-based computing services and/or solutions are fit-for-purpose and appropriate for the delivery of the respective department processes. This must be applied to all cloud services, whether long-term or short-term, and care should be taken to only procure services when they are ready to be consumed to avoid fruitless and wasteful expenditure.
|
| 119 |
+
9.2.3. The Head of Department must ensure that the proper procurement processes concerning the procurement of ICT goods and services/Cloud are followed.
|
| 120 |
+
9.2.4. The Head of Department must ensure that scaling up of cloud services is based on operational requirements, rather than purchasing upfront and not utilizing until the operational need arises.
|
| 121 |
+
|
| 122 |
+
# 9.3. BEFORE ACQUIRING AND IMPLEMENTING CLOUD SERVICES
|
| 123 |
+
|
| 124 |
+
9.3.1. The Head of Department must ensure that all data is classified according to the classification system prescribed in the Minimum Information Security Standards (MISS).
|
| 125 |
+
|
| 126 |
+
9.3.2. The Head of Department must, as far as practically possible, avoid moving data classified as “Secret" or “Top Secret”, to the Public, Hybrid or Community Clouds.
|
| 127 |
+
|
| 128 |
+
9.3.3. The Head of Department must as far as practically possible, ensure that data that is intended for general public consumption, such as data hosted on Departmental public-facing websites, is moved to a Public Cloud.
|
| 129 |
+
|
| 130 |
+
9.3.4. The Head of Department must ensure that data always resides within the borders of South Africa. Where such is not practically possible, the Head of Departments must ensure that provisions of section 72 of the POPI Act are complied with.
|
| 131 |
+
|
| 132 |
+

|
| 133 |
+
|
| 134 |
+
9.3.5. The Head of Department is accountable for managing the risks to the Department even concerning services provided by service providers/contractors.
|
| 135 |
+
|
| 136 |
+
9.3.6. The Head of Department must ensure that a comprehensive
|
| 137 |
+
|
| 138 |
+

|
| 139 |
+
|
| 140 |
+
Risk assessment is undertaken for each cloud service that the Department intends to utilise. The details of the risk assessment must be captured in the relevant business case and presented to the Department Risk Committee.
|
| 141 |
+
|
| 142 |
+
9.3.7. The Head of Department must ensure that a Cloud Readiness Assessment is conducted before the decision is made to move to cloud-based computing services. The Cloud Readiness Assessment Checklist (Appendix A) can be used to guide departments.
|
| 143 |
+
|
| 144 |
+
9.3.8. The Head of Department must ensure that a Business Case is developed. The Business Case must include at a minimum:
|
| 145 |
+
|
| 146 |
+
a) The scope of the Cloud Services required;
|
| 147 |
+
b) The budget over the short, medium and long term;
|
| 148 |
+
c) A calculation of the Total Cost of Ownership over the medium and long term;
|
| 149 |
+
d) The Human resource skills required to support the cloud services environment;
|
| 150 |
+
e) The infrastructure required to enable the proper operation of the cloud service (Broadband connectivity etc);
|
| 151 |
+
f) The intended benefit to the department through the use of the cloud service.
|
| 152 |
+
g) The detailed outcome of the Risk Assessment, a summary of the key risks, and the recommendations for mitigation.
|
| 153 |
+
|
| 154 |
+
9.3.9. The Head of Department must ensure that the Business Case is approved before the Cloud Services are consumed, and reviewed at regular intervals.
|
| 155 |
+
|
| 156 |
+
9.3.10. The Head of Department must ensure that a valid contract exists between the Department and the CSP before utilising a cloud service.
|
| 157 |
+
|
| 158 |
+

|
| 159 |
+
|
| 160 |
+
9.3.11. At a minimum the contract must:
|
| 161 |
+
|
| 162 |
+
a) Explicitly state that the department is the owner of all rights, title, and interest in the data and that all data will be maintained, backed up and secured until returned on termination of the agreement (unless other provisions are made for the migration, transfer or destruction of the data).
|
| 163 |
+
b) State that data processing (mining) shall be carried out in a manner provided for by the POPI Act and shall be authorized by the Department.
|
| 164 |
+
c) Identify the actual geographic locations where data storage and processing will occur.
|
| 165 |
+
d) Confirm the jurisdiction which governs the operation of the contract.
|
| 166 |
+
e) Confine data storage and processing to specified locations where the regulatory framework and technical infrastructure allow the department to maintain adequate control over the data.
|
| 167 |
+
f) Make provisions for the safe return/transfer of data should the cloud service provider be the subject of a takeover.
|
| 168 |
+
g) Specify what will happen to the data, applications, infrastructure, etc., (e.g. transfer to a new provider, returned to the department, permanently deleted) once the Contract ends.
|
| 169 |
+
h) Define contract provisions relating to the migration of data on termination of the contract (i.e. CSP takes full responsibility for data migration and or who plays what role during data migration).
|
| 170 |
+
|
| 171 |
+
9.3.12. The Head of Department may enter into a medium-term contract (that is, contract period of more than 3 years but less than 5 years) for cloud services. The Head of Department must ensure that such a medium-term contract makes provisions for early termination and must agree at the time of contracting on the method of calculation for damages, should damages be applicable. In the event that a Department has entered into a medium-term contract but wishes to terminate such a contract prior to its expiry date, the Head of Department must ensure that there are no damages for early termination payable by the Department or ensure that it is aware of any potential damages that may flow for early termination.
|
| 172 |
+
|
| 173 |
+
# 9.4. DURING CLOUD SERVICE CONSUMPTION
|
| 174 |
+
|
| 175 |
+
9.4.1. The Head of Department must ensure the security of the data in line with the existing departmental information security policy.
|
| 176 |
+
9.4.2. The Head of Department must ensure that access rights to data stored or processed in the Cloud are regularly reviewed.
|
| 177 |
+
9.4.3. Cloud Service Subscription levels can be scalable up or down according to demand, resulting in variable costs. The Head of Department must ensure that officials are not able to scale up cloud services without proper authorisation.
|
| 178 |
+
9.4.4. The Head of Department must ensure that an inventory of Assets (Data or applications) is developed and maintained during the contract period.
|
| 179 |
+
9.4.5. The Head of Department must ensure that the department’s Business Continuity plans are updated following the implementation of the cloud service and ensure that the department conducts regular business continuity testing.
|
| 180 |
+
9.4.6. The Head of Department must ensure that mechanisms exist to backup departmental data. Backups of data must be regularly reviewed to ensure that the risk of data loss is minimised.
|
| 181 |
+
|
| 182 |
+
# 9.5. CLOUD SERVICE TERMINATION
|
| 183 |
+
|
| 184 |
+
9.5.1. At the termination of the agreement with a CSP, the Head of Department must ensure that all data and/or applications that belong to the Department are transferred to a new provider, returned to the department and/or permanently deleted.
|
| 185 |
+
|
| 186 |
+
# 9.6. GENERAL
|
| 187 |
+
|
| 188 |
+
9.6.1. Departments must submit copies of the following to the DPSA before acquiring and deploying cloud services :
|
| 189 |
+
|
| 190 |
+
9.6.1.1. The approved Business Case aligned to the prescripts set out in 9.3.8 above.
|
| 191 |
+
9.6.1.2. Evidence of having complied with the requirements set out in 9.3.6 above.
|
| 192 |
+
|
| 193 |
+
# 9.6. GENERAL
|
| 194 |
+
|
| 195 |
+
9.6.1. Departments must submit copies of the following to the DPSA before acquiring and deploying cloud services :
|
| 196 |
+
|
| 197 |
+
9.6.1.1. The approved Business Case aligned to the prescripts set out in 9.3.8 above.
|
| 198 |
+
|
| 199 |
+
9.6.1.2.Evidence of having complied with the requirements set out in 9.3.6 above.
|
| 200 |
+
|
| 201 |
+
# APPROVED BY THE MINISTER FOR PUBLIC SERVICE AND ADMINISTRATION
|
| 202 |
+
|
| 203 |
+

|
| 204 |
+
|
| 205 |
+
MS AYANDA DLODLO, MP
|
| 206 |
+
MINISTER FOR THE PUBLIC SERVICE AND ADMINISTRATION
|
| 207 |
+
DATE: $14101120222-$
|
| 208 |
+
0. Cloud Computing Policy. Office of the Chief Information Officer, 31 October 2016. Available at: https://ocio.commerce.gov/page/cloud-computing-policy. Cloud Policy. Office of the Government Chief Information Officer (blog), 24 May 2016. Available at: https://gcio.wa.gov.au/2016/05/24/cloud-policy-2/.
|
| 209 |
+
12. Cloud-Computing-Transforming-the-Government-of-Canada-for-the-DigitalEconomy.pdf. Available at: http://itac.ca/wp-content/uploads/2015/08/CloudComputing-Transforming-the-Government-of-Canada-for-the-Digital-Economy.pdf [Accessed 15 February 2018].
|
| 210 |
+
13. LSSA – An introduction to cloud computing, v2 September 2014.pdf. Available at: http://www.lssa.org.za/upload/documents/LSSA%20Introduction%20to%20cloud%20 computing%20v2%20September%202014.pdf. Cloud Security Guidance IBM Recommendations for the Implementation of Cloud Security. Available at: http://www.redbooks.ibm.com/abstracts/redp4614.html?Open Are You Rather a SI, ISV, MSP, VAR or a Reseller? Available at: https://ormuco.com/blog/cloud-provider-rather-si-isv-msp-var-reseller. 6. Multi-cloud strategy: Pros, cons and tips. Available at: https://www.cio.com/article/3441856/multi-cloud-strategy-pros-cons-andtips.html#:\~:text=Multi%2Dcloud%20defined&text $\c=$ Gartner%20has%20a%20more%2 0formal,says%20Gartner%20analyst%20David%20Smith.
|
| 211 |
+
17. How to Avoid Cloud Vendor Lock-in with Four Best Practices. Available at: precisely.com | 877 700 0970. Gartner, Inc. (2020). Decision Model to Optimize Risk, Value and Cost, ID: G00466040. Gartner, Inc.
|
| 212 |
+
19. How TCO Benefits Make Cloud Computing a No-Brainer for Many SMBs and MidMarket Enterprises, https://knowledgehubmedia.com/tco-benefits-cloud-computingnobrainer-smbs-midmarket-enterprises/
|
| 213 |
+
20. Section 72 (Transfers of personal information outside Republic) of the Protection of Personal Information Act, 2013 (Act No. 4 of 2013). https://popia.co.za/section-72- transfers-of-personal-information-outside-republic/ SaaS vs PaaS vs SaaS Enter the Ecommerce Vernacular: What You Need to Know, Examples & More, https://www.bigcommerce.com/blog/saas-vs-paas-vs-iaas/ Big Data, https://www.sas.com/en_za/insights/big-data/what-is-big-data.html 3. Open Government Data Principles, https://public.resource.org/8_principles.html
|
| 214 |
+
24. 4 Ways to Classify Data , https://kirkpatrickprice.com/blog/classifying-data/
|
| 215 |
+
25. Cloud Workloads, https://www.delltechnologies.com/en-us/learn/cloud/cloudworkloads.htm#:\~:text=A%20cloud%20workload%20is%20a,are%20all%20considere d%20cloud%20workloads.
|
| 216 |
+
26. What is Intellectual Property?, https://www.wipo.int/about-ip/en/ What is data processing?; https://www.talend.com/resources/what-is-dataprocessing/ Data Mining, https://economictimes.indiatimes.com/definition/data-mining 9. What is a Business Case?, https://www.myaccountingcourse.com/accountingdictionary/business-case
|
| 217 |
+
30. IMB Cloud Education , https://www.ibm.com/za-en/cloud/learn/iaas-paas-saas
|
| 218 |
+
31. What is an SLA? Best practices for service-level agreements, https://www.cio.com/article/2438284/outsourcing-sla-definitions-and-solutions.html
|
| 219 |
+
|
| 220 |
+
The total cost of ownership for Cloud, https://www.ibm.com/garage/method/practices/discover/total-cost-ownership-cloud/
|
| 221 |
+
|
| 222 |
+
33. Information technology, https://www.google.com/search?q=what+is+information+technology+definition&sxsrf= ALeKk007SzYrqrtXb9rm4X_iM9yPpCcmhQ%3A1625202893420&ei=zaDeYOWRGe TC8gKE9YuADQ&oq=what+is+Information+technology+de&gs_lcp=Cgdnd3Mtd2l6E AEYATICCAAyAggAMgIIADICCAAyAggAMgIIADIGCAAQFhAeMgYIABAWEB4yBgg AEBYQHjIGCAAQFhAeOgcIABBHELADSgQIQRgAUMSCBljwiwZgg58GaAFwAngA gAHFBIgBrgySAQkyLTEuMS4xLjGYAQCgAQGqAQdnd3Mtd2l6yAEIwAEB&sclient= gws-wiz
|
| 223 |
+
|
| 224 |
+
34. ICT Definition, https://techterms.com/definition/ict
|
| 225 |
+
|
| 226 |
+
# APPENDIX A – CLOUD READINESS ASSESSMENT CHECKLIST
|
| 227 |
+
|
| 228 |
+
Moving your IT systems to the Cloud offers many benefits including reduced costs, flexibility, increased efficiency, and in many cases, better performance and security. SaaS, PaaS, and IaaS all present several key differences in terms of security, performance, reliability, and management. This guide will help you assess your readiness to transition to cloud computing and identify any areas that need to be re-evaluated.
|
| 229 |
+
|
| 230 |
+
After reading through these checklists and determining your department’s current cloud computing readiness, you’ll have the tools you need to start preparing for your transition.
|
| 231 |
+
|
| 232 |
+
# 1. WILL MY DEPARTMENT BENEFIT FROM TRANSITIONING SERVICES TO THE CLOUD?
|
| 233 |
+
|
| 234 |
+
Although most departments will benefit from transitioning some or all of their IT services into the Cloud, not all will. Start with these questions to help determine whether your department should transition to cloud computing.
|
| 235 |
+
|
| 236 |
+
<html><body><table><tr><td>What is your department's current IT infrastructure expenditure?</td><td></td></tr><tr><td>Is Cloud computing likely to reduce costs?</td><td></td></tr><tr><td>How much does usage fluctuate over time?</td><td></td></tr><tr><td>Would your department benefit from a more elastic solution?</td><td></td></tr><tr><td>Does your department need to add applications or functionality but cannot make a large capital expenditure for additional IT infrastructure?</td><td></td></tr></table></body></html>
|
| 237 |
+
|
| 238 |
+
Table 1
|
| 239 |
+
|
| 240 |
+
|
| 241 |
+
<html><body><table><tr><td>Is your IT department able to effectively provide maintenance and security, and maximise efficiency for your IT infrastructure?</td><td></td></tr><tr><td>Will your department benefit strategically or financialy from a reduction in IT focus?</td><td></td></tr><tr><td>Does your department have a BCM (Business Continuity Management Planning (BCM)) in place?</td><td></td></tr><tr><td>Does your department need to secure sensitive data on proprietary servers?</td><td></td></tr><tr><td>Will the increased accessibility of the Cloud improve your company's performance?</td><td></td></tr></table></body></html>
|
| 242 |
+
|
| 243 |
+
Use these questions to get a brief overview of your company’s current Cloud Computing readiness and to identify areas that need to be addressed.
|
| 244 |
+
|
| 245 |
+
Table 2
|
| 246 |
+
|
| 247 |
+
|
| 248 |
+
<html><body><table><tr><td>What is the extent of your department's current IT usage?</td></tr><tr><td>How quickly would you like to transition to the Cloud?</td></tr><tr><td>Have you prepared a cost-benefit analysis?</td></tr><tr><td>Do you have a team capable of managing the transition?</td></tr><tr><td>Have you classified your data?</td></tr><tr><td>Are you prepared to transition data securely?</td></tr><tr><td></td></tr><tr><td>Do you plan to use laaS, PaaS, or SaaS? Will the increased accessibility of the Cloud improve your department's performance?</td></tr></table></body></html>
|
| 249 |
+
|
| 250 |
+
Security is a key concern in using Cloud Computing technology. This checklist will help you identify key considerations for safely transitioning and securing data.
|
| 251 |
+
|
| 252 |
+
# Outlining the security plan
|
| 253 |
+
|
| 254 |
+
Table 3
|
| 255 |
+
|
| 256 |
+
|
| 257 |
+
<html><body><table><tr><td>Have you made an outline of your top security goals and concerns?</td><td></td></tr><tr><td>What types of assets will be managed by the system?</td><td></td></tr><tr><td>Have key assets been listed and rated based on their sensitivity?</td><td></td></tr><tr><td>How assets are currently managed and how will this change when transitioned to the Cloud?</td><td></td></tr><tr><td>Has the right cloud delivery model been assigned based on the assets' sensitivity?</td><td></td></tr><tr><td>Has the network topology been mapped?</td><td></td></tr></table></body></html>
|
| 258 |
+
|
| 259 |
+
# Enumerating safeguards and vulnerabilities
|
| 260 |
+
|
| 261 |
+
Table 4
|
| 262 |
+
|
| 263 |
+
|
| 264 |
+
<html><body><table><tr><td>Have the security controls been enumerated, verified, and evaluated?</td></tr><tr><td>Will all sensitive data stored in the Cloud be encrypted?</td></tr><tr><td>Are remote connections to the Cloud properly encrypted?</td></tr><tr><td></td></tr><tr><td>Have you evaluated the security risk of the server's physical location?</td></tr><tr><td>Are the servers housed in guarded and locked rooms?</td></tr><tr><td>Have all vulnerabilities been identified and addressed? Are staff properly trained on the new security protocols?</td></tr></table></body></html>
|
| 265 |
+
|
| 266 |
+
# Complying with regulations
|
| 267 |
+
|
| 268 |
+
<html><body><table><tr><td>Have you reviewed your cloud service provider's security policies?</td></tr><tr><td>Do they comply with POPl Act, PAlA, ECT Act or other regulations your data may be subject to?</td><td></td></tr><tr><td>Have you drafted any contracts or agreements with your cloud service provider to bridge compliance gaps?</td><td></td></tr></table></body></html>
|
| 269 |
+
|
| 270 |
+
Table 5
|
| 271 |
+
|
| 272 |
+
# 2. PERSONNEL CONSIDERATIONS
|
| 273 |
+
|
| 274 |
+
A department’s staff must be properly prepared for the cloud computing transition to ensure that it does not interfere negatively with day-to-day operations. Use these questions to make sure your team is ready.
|
| 275 |
+
|
| 276 |
+
# Preparing your cloud adoption team
|
| 277 |
+
|
| 278 |
+
<html><body><table><tr><td>Who will be heading the effort to move systems to the Cloud?</td><td></td></tr><tr><td>Has a team been assembled to plan and execute cloud adoption?</td><td></td></tr><tr><td>Who are the key human resource assets for the plan?</td><td></td></tr><tr><td>Is management in full support of the adoption strategy?</td><td></td></tr><tr><td>Do you need to bring on additional staff or consultants to help adopt Cloud computing technology?</td><td></td></tr></table></body></html>
|
| 279 |
+
|
| 280 |
+
Table 6
|
| 281 |
+
|
| 282 |
+
# Training the staff
|
| 283 |
+
|
| 284 |
+
Table 7
|
| 285 |
+
|
| 286 |
+
|
| 287 |
+
<html><body><table><tr><td>How will using cloud computing affect the everyday operations of the department?</td><td></td></tr><tr><td>Will staff need to learn new skills to function after the transition?</td><td></td></tr><tr><td>Has a training plan been drafted?</td><td></td></tr><tr><td>Is there a team in place to train staff on the new technology?</td><td></td></tr><tr><td>Are staff aware of any changes to security protocol that cloud adoption will bring?</td><td></td></tr></table></body></html>
|
| 288 |
+
|
| 289 |
+
# Reconfiguring the ICT department
|
| 290 |
+
|
| 291 |
+
<html><body><table><tr><td>Do the current IT employees have the expertise to properly maintain the new systems?</td></tr><tr><td>Will this change necessitate hiring additional staff?</td></tr><tr><td>Will this change require that certain staff members be redeployed?</td></tr></table></body></html>
|
| 292 |
+
|
| 293 |
+
Table 8
|
| 294 |
+
|
| 295 |
+
# 3. LOCATION CONSIDERATIONS
|
| 296 |
+
|
| 297 |
+
Moving to cloud computing means your servers will be physically located in another place.
|
| 298 |
+
This can have ramifications for your IT infrastructure’s speed, security and reliability.
|
| 299 |
+
|
| 300 |
+
<html><body><table><tr><td>Where is the cloud service provider located?</td></tr><tr><td>Is the location near your user base (customers or staff)?</td></tr><tr><td></td></tr><tr><td>Will speed be adversely affected by the server's location?</td></tr><tr><td>Can you visit the data centre where your Cloud will be hosted?</td></tr></table></body></html>
|
| 301 |
+
|
| 302 |
+
Table 9
|
| 303 |
+
|
| 304 |
+
# 4. RELIABILITY
|
| 305 |
+
|
| 306 |
+
Ensuring the reliability of your IT infrastructure is a critical step in transitioning to cloud computing. Make sure the Cloud will be as reliable as in-house IT infrastructure by going through the following checklist.
|
| 307 |
+
|
| 308 |
+
# Assessing the cloud provider’s reliability
|
| 309 |
+
|
| 310 |
+
Table 10
|
| 311 |
+
|
| 312 |
+
|
| 313 |
+
<html><body><table><tr><td>Does your cloud service provider have a reputation for reliability?</td><td></td></tr><tr><td>How long have they been operational?</td><td></td></tr><tr><td>What is their average uptime over the past three years?</td><td></td></tr><tr><td>Do they have a reliability guarantee?</td><td></td></tr><tr><td>Do they use reliability safeguards like backup power sources and redundant servers?</td><td></td></tr><tr><td>Will they promptly inform you of any planned or unplanned outages?</td><td></td></tr><tr><td>Is the cloud service provider regularly assessed by a third-party auditor?</td><td></td></tr><tr><td>Does the cloud provider offer comprehensive support?</td><td></td></tr><tr><td>Will your in-house IT team be responsible for support?</td><td></td></tr></table></body></html>
|
| 314 |
+
|
| 315 |
+
# Making a continuity plan
|
| 316 |
+
|
| 317 |
+
<html><body><table><tr><td>Do you have a backup system if the Cloud goes down for any reason?</td><td></td></tr><tr><td>Is there a contingency plan to continue mission-critical functions if the Cloud cannot be accessed?</td><td></td></tr><tr><td>Will you store copies of your data in-house?</td><td></td></tr><tr><td>Is your data safe-harbored with a third party who can protect against data loss?</td><td></td></tr></table></body></html>
|
| 318 |
+
|
| 319 |
+
Table 11
|
| 320 |
+
|
| 321 |
+
# 5. PERFORMANCE CONSIDERATIONS
|
| 322 |
+
|
| 323 |
+
One of the primary concerns when moving to the Cloud is how it will affect performance. In many cases speed can be improved when using cloud computing solutions. Answer the following questions to make sure your performance is not adversely affected by a transition to the Cloud.
|
| 324 |
+
|
| 325 |
+
<html><body><table><tr><td>Is the cloud provider's hardware sufficient to handle your workload?</td><td></td></tr><tr><td>Will you be using the public or private Cloud?</td><td></td></tr><tr><td>Will you be using dedicated hardware?</td><td></td></tr><tr><td>What steps will the cloud provider take to ensure consistent performance?</td><td></td></tr><tr><td>Does the cloud provider make any performance guarantees?</td><td></td></tr><tr><td>Will the cloud solution offer the same or better performance compared to an in-house solution?</td><td></td></tr></table></body></html>
|
| 326 |
+
|
| 327 |
+
Table 12
|
| 328 |
+
|
| 329 |
+
# 6. FINANCIAL CONSIDERATIONS
|
| 330 |
+
|
| 331 |
+
Most departments can save considerably when moving systems and applications into the Cloud. Use this checklist to help you consider the total financial impact of the move.
|
| 332 |
+
|
| 333 |
+
# Cloud provider fees
|
| 334 |
+
|
| 335 |
+
<html><body><table><tr><td>What are the initial set-up fees?</td></tr></table></body></html>
|
| 336 |
+
|
| 337 |
+
<html><body><table><tr><td>How complex is the pricing model? Is it transparent?</td></tr><tr><td></td></tr><tr><td>Can the provider increase fees at regular intervals?</td></tr></table></body></html>
|
| 338 |
+
|
| 339 |
+
# Table 13
|
| 340 |
+
|
| 341 |
+
# Migration costs
|
| 342 |
+
|
| 343 |
+
<html><body><table><tr><td>Will there be additional human resource costs associated with the transition?</td></tr><tr><td>Will there be additional hardware costs associated with the transition?</td></tr><tr><td></td></tr><tr><td>What will be the cost of an outage during migration?</td></tr></table></body></html>
|
| 344 |
+
|
| 345 |
+
Table 14
|
| 346 |
+
|
| 347 |
+
# Planning the financial impact
|
| 348 |
+
|
| 349 |
+
<html><body><table><tr><td>Is your department moving to the Cloud to take advantage of reduced overhead?</td></tr><tr><td>How will the transition costs and provider fees be offset by potential savings?</td></tr><tr><td>How will moving to the Cloud affect your IT costs?</td></tr><tr><td></td></tr><tr><td> Have you drafted a cost-benefit analysis for the move?</td></tr><tr><td>How will your department finance the transition?</td></tr><tr><td>What to do with your IT hardware that has not reached end of life?</td></tr></table></body></html>
|
| 350 |
+
|
| 351 |
+
Table 15
|
| 352 |
+
|
| 353 |
+
# 7. LEGAL CONSIDERATIONS
|
| 354 |
+
|
| 355 |
+
Although often overlooked, legal considerations are extremely important when moving to the Cloud. Use this checklist to make sure the transition is made legally.
|
| 356 |
+
|
| 357 |
+
# Understanding the legal agreement with your cloud provider
|
| 358 |
+
|
| 359 |
+
Table 16
|
| 360 |
+
|
| 361 |
+
|
| 362 |
+
<html><body><table><tr><td>Have you read the cloud provider's standard contract and or Service level agreement (SLA)?</td></tr><tr><td>How does the contract affect your data's property rights?</td><td></td></tr><tr><td>Do you have the full legal rights to the data you will be moving to the Cloud?</td><td></td></tr><tr><td>Is the cloud provider's privacy policy compatible with your department's?</td><td></td></tr><tr><td>Does the cloud provider have the right to access your data?</td><td></td></tr><tr><td>If hosted in another country, which law applies to you?</td><td></td></tr></table></body></html>
|
| 363 |
+
|
| 364 |
+
# Complying with regulations
|
| 365 |
+
|
| 366 |
+
<html><body><table><tr><td>Is your data subject to any government regulations?</td></tr><tr><td>Does the cloud provider comply with those regulations?</td></tr><tr><td>Who is legally responsible for your data's security?</td></tr><tr><td></td></tr><tr><td>Are you able to audit your cloud provider's compliance with regulations?</td></tr></table></body></html>
|
| 367 |
+
|
| 368 |
+
Table 17
|
| 369 |
+
|
| 370 |
+
# Terminating the service
|
| 371 |
+
|
| 372 |
+
<html><body><table><tr><td>What are the terms of cancellation?</td><td></td></tr><tr><td>What will happen to your data after the service is terminated?</td><td></td></tr></table></body></html>
|
| 373 |
+
|
| 374 |
+
Table 18
|
dataset/data/docs/ehiane-and-olumoye_2023_Introduction and Contextu.md
ADDED
|
@@ -0,0 +1,215 @@
| 1 |
+
# Introduction and Contextual Background of Cybercrime as an Emerging Phenomenon in Africa
|
| 2 |
+
|
| 3 |
+
Stanley Osezua Ehiane and Mosud Y. Olumoye
|
| 4 |
+
|
| 5 |
+
# Introduction
|
| 6 |
+
|
| 7 |
+
In many ways, information, and communication technologies (ICTs) have shrunk the world, but they have also exposed the world to influences that have never been as diverse and difficult (Seemma et al., 2018). Modern communication equipment, internet access, and robust computer systems for data processing were all made possible by the development of digital technology (Hunda et al., 2014). The vulnerability of these systems and the potential for abuse or criminal activities have increased due to the rapid proliferation of large-scale computer networks with the ability to access multiple systems over conventional telecommunication lines (Oghenevwogaga, 2017). Information technology, according to Dalal (2006), is a double-edged sword with both destructive and beneficial uses. Governments, organisations, and individuals now all rely heavily on the Internet. ICT and computer networks are used by many people, businesses, and governmental organisations to carry out simple and sophisticated tasks, such as social networking, research, and business and trade. But as more businesses, organisations, and people are duped by cybercriminals both domestically and abroad, cyberspace is growing more and more susceptible (Onuora et al., 2017). According to McCusker (2006), cybercrime has evolved into a significant component of the global danger to the environment and evokes urgent imagery of sinister and intricate online behaviour. Borders are irrelevant to cybercrime. Cybercrime concerns are getting worse as broadband internet access and mobile-related services become more widely available in African nations. Cybercrime is becoming a bigger issue as a result of the increased use of contemporary ICTs (Bande, 2018). According to a Norton (2012) analysis, the annual cost of cybercrime around the world is $\$110$ billion.
|
| 8 |
+
|
| 9 |
+
According to Chinweze et al. (2019), the rate at which the African continent is embracing digital technology is encouraging the introduction of new attack methods and opportunities for cybercriminals. National, regional, and worldwide peace and security are already threatened by growing global cyber threats and cyberattacks (Chiluwa et al., 2022). Cyber dangers are global issues, necessitating the use of global frameworks as tools to advance stability and security in cyberspace. Few cybersecurity measures have been adopted at the continental level, although cybersecurity issues go beyond just national security (Al-Shalam, 2022). The use of computers for criminal purposes began at the end of the twentieth century and is continuing to grow in the twenty-first (Akuta et al., 2011). Without question, emerging economies are becoming the focus of cybercrime. Unsurprisingly, several African economies have developed into significant providers of cyber threats as well as their victims (Kshetri, 2019a). Even in technologically advanced nations like the United States, cybercrimes have advanced beyond traditional crimes and now pose a threat to all nations’ national security (Laura, 2005). When it comes to cybercrime activity growth, Africa has been one of the fastest-growing continents. Significant cyberattacks on the rest of the world originate from the continent as well (Kshetri, 2019a). Analysts have proposed a threshold level of $10\mathrm{-}15\%$ internet penetration as the source of substantial hacking operations when examining the trend of cybercrimes across nations (Kshetri, 2013). One of the areas with the greatest incidence of cybercrime and considerable monetary losses is Africa. Africa is a continent where cybercrime is thriving.
|
| 10 |
+
|
| 11 |
+
According to Maitanmi et al. (2013), cybercrime is an international epidemic that is spreading rapidly throughout Africa. Cybercriminals have long viewed Africa as an ideal location for their illegal activities. As a result, Africa has developed into a “safe haven” for online scammers. Despite several efforts by the international community to combat cybercrime worldwide, these factors—technology, globalisation, and digital capitalism—seem to have a positive influence on the crime rate. Cybercrime keeps growing as technology and digital capitalism do (Green et al., 2020; Norris et al., 2019). For instance, to combat cybercrime, the United Nations (UN) Commission on Crime Prevention and Justice (CCPJ) has been strengthened with cyber professionals to support cyberrelated crimes in the global economy (Aribake & Aji, 2022; Jerome, 2019).
|
| 12 |
+
|
| 13 |
+
Due to the large number of domains and poor network and information security, statistics from a variety of sources suggest that Africa is particularly vulnerable to cyber-related dangers (Symantec Corporation, 2014). According to Physorg (2022), cybercrime cost the continent of Africa’s GDP more than $10\%$ of its total GDP in 2021, or $\$4.12$ billion. Online scams are the most pervasive and urgent cyber threat, according to Institute for Security Studies (2022). In particular, credit card and banking fraud are seen as severe threats throughout Africa. It entails the theft of private information, including banking information, which is then utilised by a threat actor to make purchases, steal money, or resell items (Danquah & Longe, 2021). The sophistication of cyberattacks and the financial harm they cause have been growing at exponential rates for several years, and cybersecurity has now become a serious worry for everyone around the globe. Cybercrime has a significant impact that transcends national boundaries (Olalekan & Kamarudeen, 2021). A strong cybersecurity culture, effective response capabilities, and the adoption of appropriate and effective national policies are the only ways to fully address the threats that Africa is currently facing regarding Internet security measures to prevent and control technological and informational risks (Das & Nayak, 2013).
|
| 14 |
+
|
| 15 |
+
In Africa, a new type of criminal behaviour has emerged as a result of the growth of the Internet and the development of new accessible technologies (Goodman & Brenner, 2022). It is alarming to see how quickly cybercrime is spreading throughout Africa. An upsurge in the fight against cybercrime in Africa has been brought on by the prevalence of this crime (Akuta et al., 2011). Cybercrime is steadily increasing in frequency in emerging nations. It’s crucial to keep in mind that what makes cybercrime intriguing is that it affects both Africa and other continents equally (Adewole et al., 2021). Without a doubt, every nation and region deals with cybercriminals and endures losses at the hands of their citizen cybercriminals. However, compared to any Western or Asian nation, Africa is more commonly referred to as a “continent of cybercriminals” in the public sphere (Das & Nayak, 2013). The various difficulties that the continent faces and the emotive nature of the kind of crimes committed there, however, have helped to give Africa the distinctive reputation of being a continent rife with corruption and criminals. This study divided cybercrimes into two categories: those that target networks or devices and those that include the use of gadgets as a tool for criminal activity. The latter, however, is the subject of this essay.
|
| 16 |
+
|
| 17 |
+
# The Meaning and Nature of Cybercrime
|
| 18 |
+
|
| 19 |
+
Cybercrime is still a highly undefined idea. There are numerous contradictory “facts” about the breadth of cybercrime as a result of the various “lenses” employed to observe it. The definition of cybercrime must be understood to recognise it as a developing global problem (Chiluwa et al., 2022). The word “cyber” comes from the word “cybernetic,” which is derived from the Greek word “cybernetics” (Ogunleye et al., 2022). A wide variety of online crimes, including fraud , blackmail, child pornography, digital forgery, cyber espionage, and cyber terrorism have all been referred to as cybercrime (Green et al., 2020). There are numerous attempts in the literature to categorise and define cybercrime. The term “cybercrime” is widely used by people in our modern world. With the development of information and communication technologies came the idea of cybercrime. People from all walks of life have benefited greatly from the Internet’s massive digitisation and unprecedented interconnection (Onuora et al., 2017). Cybercrime refers to any type of crime committed using a computer or the Internet (Ibikunle, 2022). According to Abdul-Rasheed Ishowo, Muhammed, and Abdullateef (2016), cybercrime is a relatively new phenomenon; crime itself is not. Numerous people have explored the subject of cybercrime from a variety of angles, the majority approaching it from a different angle than others. Cybercrimes have developed beyond traditional crimes and now pose a threat to the national security of all countries, even technologically developed countries (Makeri, 2017).
|
| 20 |
+
|
| 21 |
+
In 2021, Manish Cybercrimes are thought of as any unethical, illegal, or unauthorised action of humans involving the usage of Computer Systems and Networks, as well as the automatic processing and transmission of data. According to the United Nations (2018), cybercrime is any illicit activity directed through electronic means that compromises the security of computer systems and the data they process. Cybercrime is characterised as crimes performed online using a computer as a tool or a specific target. A crime connected to computers, computer networks, and the internet is referred to as cybercrime. Although the term “cybercrime” is now widely used, scholars have long faced the severe issue that there is no one, accepted definition of this term (Williams & Levi, 2015). It is a word frequently used to refer to a variety of illegal acts that make use of ICTs (information and communication technologies). Other phrases that might be used interchangeably include “virtual crime,” “net crime,” “hi-tech crime,” and “computer crime” (Wall, 2004). Cybercrime is any criminal offence that includes the use of the Internet or another computer network. They are crimes committed against a person or group of people with the intent to harm the victim’s reputation abroad or to harm the victim’s physical or mental health using contemporary telecommunication networks directly or indirectly like the Internet and mobile phones (Akogwu, 2012). Similar to this, Quarshie and Martin-Odoom (2012) define cybercrimes as crimes carried out online that use a computer as a tool or a specific target. Depending on which of the two is the primary goal, cybercrimes can affect both the computer and the person operating it as victims. Consequently, the computer could be examined as either a target or a tool. Any illegal, unethical, or unauthorised behaviour in a system that transports data or processes information automatically is considered a cybercrime (Solak & Topaloglu, 2015: 591). 
When a digital tool or information system is used as a target or simply a mix of both, this is known as cybercrime. According to Sabilloni et al. (2016), the terms “cybercrime” and “e-crime,” as well as “high-technology crime,” “information age crime,” “cybernetic crime,” and “computer-related crime” can all be used interchangeably to refer to the same thing. The European Commission on Cyber Security Strategy (2013) refers to cybercrime as:
|
| 22 |
+
|
| 23 |
+
a broad range of different criminal activities where computers and information systems are involved either as a primary tool or as a primary target. Cybercrime comprises traditional offences (such as fraud, forgery, and identity theft), content-related offences (such as online distribution of child pornography or incitement to racial hatred) and offences unique to computers and information systems (such as attacks against information systems, denial of service and malware).
|
| 24 |
+
|
| 25 |
+
Criminal activities carried out online and through computers are referred to as cybercrime. According to Ibikunle and Eweniyi (2013), this might range from downloading illicit music files to stealing millions of dollars from online bank accounts. Cybercrime also encompasses non-financial offences like developing and disseminating viruses on other computers or publishing private company data online.
|
| 26 |
+
|
| 27 |
+
According to Shinder (2002), cybercrime is any criminal act that includes the use of the Internet or another computer network. Cybercrimes are crimes committed against a person or a group of people with the intent to harm the victim’s reputation abroad or to directly or indirectly cause them physical or mental harm using contemporary telecommunications networks like the Internet and mobile phones (Okeshola $\&$ Adeta, 2013). Because everyone on the planet, whether in the public or private sector, is vulnerable to them since we are living in the information age, even though cybercrimes are a relatively new phenomenon, they have become the focus of global attention (Encyclopedia of Library and Information Science, 1977). In particular, cybercrimes first appeared with the development of the Internet, creating a favourable environment for crimes perpetrated by cybercriminals (Ajayi, 2016). Computers are either the target of cybercrime or are a tool used to commit the crime. A cybercriminal may disable a device or utilise it to get access to a user’s private information, sensitive corporate information, or government information. Selling or obtaining the aforementioned information online is a cybercrime. Aghatise (2014) describes cybercrime as a crime carried out online using a computer as either a tool or a specific target. The increasing reliance of society on computer systems and the development of its technological capabilities might be seen as a cause of cybercrime and technology abuse. According to Herselman and Warren (2013), cybercrime has no geographical borders and is not subject to import, customs, or foreign exchange restrictions, making it a target for anyone in the globe.
|
| 28 |
+
|
| 29 |
+
Three broad categories can be used to categorise cybercrimes: those committed against people, those committed against property, and those committed against the government. Cybercrimes against people encompass a variety of offences including sending child pornography and harassing anyone using a computer or email. known today as cybercrimes. Cybercrimes against all types of property fall under the second category of cybercrimes. These offences include the dissemination of malicious programs and computer vandalism (the destruction of another person’s property). Government-related cybercrimes make up the third type of cybercrimes. One specific type of crime in this category is cyberterrorism. The expansion of the internet has demonstrated that both people and groups are using cyberspace as a means of terrorising a nation’s citizens as well as posing a threat to other nations. When a person “cracks” into a website run by the government or the military, this offence takes on terrorist characteristics (Ayofe & Irwin, 2010). According to Tade and Aliyu (2011), cybercrime is a highly networked crime. It entails “geographic coding” and the disclosure of government information to deceive online users. Because it permits the unrestrained expression of norms and values that encourage crime as opposed to the regulated norms and values of the physical realm, the Internet thus provides a platform for cybercriminals.
|
| 30 |
+
|
| 31 |
+
# Phenomenon of Cybercrime
|
| 32 |
+
|
| 33 |
+
The threat of cybercrime to national security, economic growth, citizenry quality of life, and the world as a whole is ever-evolving in cyberspace. Rapid internet adoption and the digitisation of commercial processes have given rise to a new generation of criminals. Globally, cybercrime has increased at an unprecedented rate in recent years. The fastest-growing type of international crime nowadays is cybercrime (Pedro, 2020). One of the biggest, most baffling, and possibly most complicated problems in the digital world is cybercrime (Okpa et al., 2020). The beginning of cybercrime can be attributed to a few unhappy workers who physically harmed the computers they used to retaliate against their supervisors. Cybercriminals started concentrating their efforts on the home user as the capacity to have personal computers at home grew more available and well-liked (Obiora et al., 2017). According to Guillaume and Fortinet (2009), the proliferation of personal computers and computer networks turned “computer crime” into actual cybercrime.
|
| 34 |
+
|
| 35 |
+
In the year 1820, the first “cybercrime” was officially documented. That is not surprising considering that India, Japan, and China have all used abacuses, which are regarded to be the earliest type of computer, since 3500 BC. However it was Charles Babbage’s analytical engine that gave rise to the current era of computers (Khan, 2011). Cyberspace has proven robust to attacks, but the fundamental dynamic of the online world has always been that it is simpler to attack than to protect, according to the World Economic Forum’s Global Risks (2014) report. The rising level of internet insecurity is worrying to the point where online transactions are now questioned (Ayofe & Irwin, 2010). Cybercrime is getting worse and more common. Acts of cybercrime are widespread worldwide and motivated by money. Such computer-related fraud is widespread and accounts for about one-third of all crimes committed worldwide. One of the biggest legal grey areas today is cybercrime, which has spawned a variety of new crimes including identity theft, privacy invasion, sabotage, espionage, burglary, conspiracy, embezzlement, bribery, larceny, extortion, and even more brutal offences like attempted murder, kidnapping, and manslaughter (Laura, 2011). According to McConnel (2000), there are four key ways that cybercrimes differ from most terrestrial crimes: they are simple to learn, require low resources compared to the potential harm they might inflict, can be conducted in a jurisdiction without being physically there, and are frequently legal. As a result, cybercrime has grown to be one of the world’s and law enforcement organisations’ top security concerns. Cybercrime is defined as any criminal behaviour using the infrastructure of information technology, including unauthorised access, unauthorised interception, tampering with data or systems, tampering with identity, and electronic fraud. Cybercrime and traditional crime are not dissimilar from one another.
|
| 36 |
+
|
| 37 |
+
# Cybercrime in Africa: Nature, Causes, and Implications
|
| 38 |
+
|
| 39 |
+
Incidences of cybercrime are increasing rapidly on the African continent. This is possibly a result of the increase in internet users in Africa (Ndubueze, 2019). Between 2000 and 2016, the information and communications technology sector in Africa increased by $7.00\%$ , with internet penetration reaching around $28\%$ (Adanikin, 2018). Internet adoption increased from $5\%$ in 2007 to $28\%$ in 2015, closing the digital divide between Africa and the rest of the world. Within the next ten years, Africa should have access rates comparable to those of the developed world (Chinweze et al., 2019), assuming this growth pace is maintained.
|
| 40 |
+
|
| 41 |
+
Utilising ICT, and particularly the Internet, has become a strategic issue. These innovations not only promote economic growth but also increase productivity, efficiency, and innovation throughout the continent and promote the free exchange of ideas and information.
|
| 42 |
+
|
| 43 |
+
Regarding security risks, violation of intellectual property, and the protection of personal data, Africa is currently dealing with several internet-related issues. The majority of African governments lack the technological or financial resources to identify and monitor electronic exchanges deemed critical for national security (Chawe, 2021; Ogunleye et al., 2022). As a result, cybercriminals target people both inside and outside of their national borders. The internet’s quick development has also opened up new avenues for cybercrime, which is projected to cost African economies over one billion US dollars annually. As internet use spreads throughout all aspects of our socioeconomic life, including electronic banking, electronic commerce, electronic education, and electronic governance, new types of cybercrimes are emerging (Obiora et al., 2017). Since many computer systems are not adequately safeguarded, a lot of cybercrime originates from the African continent, where it is also easy for these threats to propagate. Considerable risk of online abuse exists in Africa. This is because law enforcement organisations do not have security awareness programs or specialised training.
|
| 44 |
+
|
| 45 |
+
As cyberattacks have increased in frequency over the past 20 years, they have become a significant problem in Africa. Since many computer systems are not adequately safeguarded, a lot of cybercrime originates from the African continent, where it is also easy for these threats to propagate. According to Quarshie and Martin-Odoom (2012), this demonstrates how the continent is susceptible to a variety of online criminal activities, like financial fraud, drug and human trafficking, and terrorism. Nigeria, the top-ranked nation in the area, is frequently the target and the origin of malicious internet activities, which are spreading across the continent (Quarshie & Martin-Odoom, 2012). Africa is increasingly becoming a key source of cybercrimes. Without question, there is a lot of potential for internet abuse in Africa. This is because law enforcement organisations do not have security awareness programs or specialised training.
|
| 46 |
+
|
| 47 |
+
Africans have given cybercrime their own names. For instance, it is referred to as “Sakawa” or “Yahoo yahoo” in Ghana (Coomsom, 2009), “Faymania” in Cameroon (Oumarou, 2007), and “yahoo boys” in Nigeria (Adeniran, 2008; Longe & Chiemeke, 2008; Tade & Aliyu, 2011). However, compared to any Western or Asian nation, Africa is more commonly referred to as a “continent of cybercriminals” in the public sphere (Das & Nayak, 2013). This is true for two reasons: first, African nations have recently suffered from poor governance, and second, victims of African fraudsters experience both financial and emotional losses (Ajah & Chukwuemeka, 2019). In Africa, there are primarily two categories of cybercriminals: “Yahoo boys” and “next-level cybercriminals.” Under the direction of ringleaders or masterminds, Yahoo guys excel at committing straightforward fraud (advance fee, stranded traveller, and romantic scams/fraud). Next-level cybercriminals, on the other hand, are more skilled and like carrying out “long cons” (such as tax scams/ fraud and business email compromise [BEC]) or crimes that need more time, resources, and effort. They employ software that facilitates crime, such as email automation and phishing tools, that is readily available from black markets, such as malware (keyloggers, remote access tools/Trojans [RATs], etc.) (TrendLabs, 2016).
|
| 48 |
+
|
| 49 |
+
Scholars have focused on the socioeconomic impact of cybercrime and its rapid and persistent expansion. It is generally known that cybercrime has had a significant impact on the economies of many African nations (Ogunleye et al., 2022). Africa has experienced a sharp increase in cybercrime in recent years, making it one of the world’s most exposed areas to cyber threats. Because the continent lacks a strong cybersecurity architecture, cybercriminals are increasingly targeting African nations with highly sophisticated attacks (Fra˛ckiewicz, 2023). The second most frequently reported crime in Africa, after fraud, is cybercrime, according to a survey by the African Union. This demonstrates that Africa has had one of the greatest rates of growth for cybercrime (Norris et al., 2019). Additionally, substantial cyberattacks against the rest of the world originate from the continent.
|
| 50 |
+
|
| 51 |
+
Cybercrimes impact all nations, but Africa is particularly at risk due to its underdeveloped networks and security. Over $90\%$ of firms on the continent are reportedly operating without the essential cybersecurity processes in place, according to Interpol’s Africa Cyberthreat Assessment Report. Cybercrime cost Africa’s GDP $\$4$ billion in 2021 or $10\%$ of its total GDP. According to Odueso (2022), cybercrime costs Africa $\$4$ billion every year. More specifically, Mitchell (2022) said that although the region’s insufficient efforts to combat cybercrime could hamper this rise, the continent’s e-economy is anticipated to reach $\$180$ billion annually by 2025. Africa is said to lose $\$4$ billion a year to cybercrime. According to estimates by Onuora et al. (2017), it costs the economies of South Africa $\$570$ million annually, Nigeria $\$500$ million, and Kenya $\$36$ million.
|
| 52 |
+
|
| 53 |
+
Despite the ongoing problem of cybercrime, Kshetri (2019a) noted that many African economies view cybersecurity as a luxury rather than a need. Its significance in the continent is still not properly understood or acknowledged. According to reports, many businesses’ cybersecurity budgets are less than $1\%$ , and many of them have no budget at all (Ogunleye et al., 2022). Globally, billions of dollars are lost each year as a result of cybercrime, which also poses a threat to the security and economic well-being of a country. A company can also sustain losses as a result of computer crime when a hacker steals its private data and business plans (Anah et al., 2012). Similar to traditional crimes, cybercrimes include child exploitation, online gambling, online prostitution, and similar activities that erode society’s morality and increase the likelihood that societal norms and values may disintegrate (Folashade & Abimbola, 2013). According to Shehu (2014), from a societal standpoint, cybercrime activities including cyberstalking, harassment, blackmail, and cyberterrorism pose a threat to a person’s right to privacy and fundamental freedoms.
|
| 54 |
+
|
| 55 |
+
# An Overview of Cybersecurity Strategy
|
| 56 |
+
|
| 57 |
+
The ongoing use of the Internet by immoral cyberspace users to conduct crimes over the past 20 years has caused a growing sense of dread among the general public as well as conflicting feelings of admiration and fear. Recently, this phenomenon has grown increasingly complex and remarkable, necessitating a prompt response in the form of regulations that would safeguard cyberspace and its users (Makeri, 2017). Technical, organisational, policy, and legal considerations are all part of cybersecurity governance measures. The development of regulations that forbid any actions that compromise the confidentiality, integrity, and accessibility of data, systems, and vital information infrastructure is another aspect of promoting strong cybersecurity (Gumbi, 2018). To protect an organisation’s and a user’s assets from relevant security risks in the cyber environment, cybersecurity aims to ensure their attainment and maintenance. The set of regulations established for the protection of cyberspace is known as cybersecurity. However, as our reliance on the internet grows, there are new dangers.
|
| 58 |
+
|
| 59 |
+
According to Oforji et al. (2017), cybersecurity is the defence of cyberspace and other related technologies, including records and electronic data as well as physical structures and security measures. Information security is a field in which cybersecurity is crucial (Kavitha & Preetha, 2019). Cybersecurity can serve as a safeguard against unauthorised monitoring of and intelligence collection from an information system. In the continual evolution of information technology and internet services, cybersecurity is crucial. Each country’s security and economic health depend on enhancing cybersecurity and safeguarding vital information infrastructure. Making cyberspace safe from threats, namely cyber threats, is the goal of cybersecurity. Because information security is at the core of the issue, cybersecurity is more than just information security or data security but is nonetheless intimately tied to those two subjects. All facets of information protection are referred to as information security (Olayemi, 2014). The preventive technique or practice known as cybersecurity is used to protect the integrity and dependability of networks, programs, and data from harm, intrusion, or unauthorised access. It entails safeguarding data and systems from common cyber threats such as cyberterrorism, cyberwarfare, and cyber espionage. The goals of cybersecurity, according to Makeri (2017), are as follows:
|
| 60 |
+
|
| 61 |
+
. To help people reduce the vulnerability of their Information and Communication Technology systems and networks.
|
| 62 |
+
. To help individuals and institutions develop and nurture a culture of cybersecurity.
|
| 63 |
+
. To work collaboratively with public, private, and international entities to secure cyberspace.
|
| 64 |
+
. To help understand the current trends in IT/cybercrime and develop effective solutions.
|
| 65 |
+
Availability.
|
| 66 |
+
. Integrity, which may include authenticity and non-repudiation, and
|
| 67 |
+
. Confidentiality.
|
| 68 |
+
|
| 69 |
+
Cybersecurity has grown to become a national issue as the risk it now requires to be taken more seriously (Ibikunle, 2013). Improving cybersecurity and guarding vital information infrastructures are essential to national security and economic well-being (Odinma, 2010). The challenges of cybersecurity in Africa include:
|
| 70 |
+
|
| 71 |
+
Lesser security availability is adequate to avert and manage technological and informational threats.
|
| 72 |
+
. Deficiency of technical know-how regarding cybersecurity and failure to watch or monitor and secure national networks, making Nigeria and several African countries susceptible to cyber espionage, and incidences of cyber terrorism.
|
| 73 |
+
. Failure to develop and improve the required cybersecurity legal structure to battle cybercrime. Cybersecurity issues are more extensive in scope than national security concerns. However, few major significant cybersecurity measures in Africa have their implementation done. Cybersecurity is a serious concern that needs absolute tackling.
|
| 74 |
+
. There is also a necessity to develop an information society that respects values, rights, and freedoms and assures the same access to information, even stirring up the establishment of genuine knowledge that can put up assurance and confidence in the use of ICTs in Africa.
|
| 75 |
+
. Limited levels of consciousness of ICT-related security concerns by stakeholders, like ICT regulators, law enforcement agencies, the judiciary, information technology professionals and users (United Nations Economic Commission for Africa, 2014)
|
| 76 |
+
|
| 77 |
+
It is essential that, among other current government priorities, the subject of cyber security receives the highest level of attention. Cybersecurity issues are currently undoubtedly garnering attention on a global scale. Given its importance, policymakers, governments, and other interested parties are compelled to carefully design guiding principles in the form of policies and strategies to be used in governing cybersecurity-related issues (Osho & Onoja, 2015).
|
| 78 |
+
|
| 79 |
+
When considered on a worldwide scale, cybersecurity has recently progressively and certainly taken a more prominent position. This is due to its potentially positive effects if handled properly as well as potential negative effects if neglected on a national level. This has led to the elevation of cybersecurity-related issues to the status of crucial national concerns and top priorities in many different nations throughout the world. As seen in numerous nations on every continent, this has caused national cybersecurity initiatives to spring up all over the world. From the military and national defence viewpoint, Watanabe (2013) assessed France’s Cyber Security Strategy, taking into account its capabilities, obligations, and potential for improving national cybersecurity. He emphasized that the French government’s white paper on cybersecurity acts as a tool for adapting to recent changes in the strategic environment. S¸entürk et al. (2012), Nitta (2013), and Watanabe (2013) all acknowledged the crucial worldwide role the United States played in advancing cybersecurity. ¸Sentürk et al. (2012) stated in their examination of the Turkish cybersecurity strategy that the national cybersecurity strategy of the United States is considered as being the most investigated among others, showing the country’s lofty cybersecurity worldwide relevance. In her examination of the Japanese cybersecurity strategy, Nitta (2013) made an effort to identify several flaws and suggest remedies. She commended Japan for moving toward greater international cooperation while promoting national cybersecurity independence.
|
| 80 |
+
|
| 81 |
+
The Cybersecurity Strategy in Canada approaches national security in cyberspace from the unique vantage point of safeguarding vital national infrastructure. This can be seen from the three key pillars of the policy, which are helping Canadians stay safe online, securing government networks, and collaborating to secure all crucial cyber systems outside the federal government. These were primarily designed to combat three types of threats, including state-sponsored military activity and cyber espionage, terrorist internet use, and cybercrime (Government of Canada, 2010). The National Cyber Security Strategy of France reflects the widespread use of contemporary cyber technology by its people. Therefore, it concentrated on becoming a global leader in cyber defence while also developing and safeguarding National Information Infrastructures and information relevant to sovereignty. Collectively, France approaches cybersecurity from a defensive stance in its strategy (French Network & Information Security Agency, 2011).
|
| 82 |
+
|
| 83 |
+
In its Cyber Security Strategy from 2011, the UK put special emphasis on the huge social and economic value that can be derived from a safe, active, and resilient cyberspace. The basic values were intended to boost the economy and strengthen national security in the UK (Osho & Onoja, 2015). The Netherlands’ National Cyber Security Strategy intends to transform the country’s cybersecurity posture from awareness to capabilities. After gaining a better understanding of cyber threats, the Netherlands developed a strategy that aims to take a fresh approach to cybersecurity problems by stepping up efforts to counter them rather than raising awareness of their existence (National Coordinator for Security & Counterterrorism, 2014). The main goal of Japan’s National Cyber Security Strategy was to defend the country’s information system from widespread cyberattacks, which have grown more and more popular in recent years. To provide the best possible supply of security for national information systems, several well-developed action plans were recommended for implementation (Information Security Policy Council, 2010). Cybersecurity measures, such as the creation of technical defences or user education to shield them from being victims of cybercrime, can aid in lowering the risk of cybercrime. In the struggle against cybercrime, the creation and support of cybersecurity initiatives are essential.
|
| 84 |
+
|
| 85 |
+
# Fighting Cybercrime in Africa: Issues, Challenges and Remedial Actions
|
| 86 |
+
|
| 87 |
+
Although a crimeless society is a myth, crime is an omnipresent phenomenon, and it is an inseparable part of social existence. No one can deny that crime is a social phenomenon, it is omnipresent, and there is nothing new in crime as it is one of the characteristic features of all societies, be it developed or developing, and it is one of the basic instincts of all human behaviour. However, it should be borne in mind that the social concern for the high crime rate is not because of its nature, but due to the potential disturbance, it causes to society (Sumanjit & Tapaswini, 2013).
|
| 88 |
+
|
| 89 |
+
Experts and politicians have grown more concerned in recent years about safeguarding ICT systems from cyberattacks, which are purposeful attempts by unauthorised individuals to gain access to ICT systems with the intent of committing theft, disruption, destruction, or other illegal acts. According to several analysts, during the coming years, cyberattacks will become more frequent and more severe (Rainie et al., 2014). Cybercrime is a serious issue that threatens both personal freedom and the integrity of the Internet, as well as the growth of technology (Olumoye, 2013). The entire society is impacted by cybercriminals’ wrongdoings, although they may believe their acts have no victims in the vicious circle. A comprehensive and coordinated strategy is needed to combat cybercrime, however, in Africa, poverty and underdevelopment are major causes for the growth of cybercrime in the region. There are significant obstacles to the fight against cybercrime. However, the majority of African nations face difficulties like (i) never-ending cyber wars (supremacy disputes) between law enforcement, intelligence, and security agencies; (ii) a lack of collaboration between the public and private sectors in the fight against cybercrime; and (iii) inadequacy in the policy option that addresses the issues of surveillance. However, the recommendations are crucial to reduce the frequency of cybercrimes in Africa. Although it cannot be completely stopped, cybercrime can be reduced. The government, businesses, and individuals working together might do a lot to bring it down to a manageable level. According to Hassan et al. (2012), the threat of cybercrime in Africa must be addressed by enacting the required legislation to enforce property rights. However, this will only be possible if property owners take reasonable precautions to secure their property in the first place. 
Africa is undoubtedly plagued by a variety of sociopolitical, economic, and insurgency-related issues as well as other crimes. This reduces their ability to address cybercrime effectively. However, African nations must take action to make sure that their criminal and procedural laws are sufficient to handle the problems created by cybercrimes.
|
| 90 |
+
|
| 91 |
+
# Chapter Content
|
| 92 |
+
|
| 93 |
+
The prevalence and the proliferation of cybercrime have received global attention (Lewis, 2018). This book focuses on the prevalence and the phenomenon of cybercrime in Africa. It adopts a multidisciplinary approach, written by scholars from different backgrounds and disciplines. The book comprises ten (10) chapters, focusing on different aspects of cybercrimes and the implication of the match towards the attainment of sustainable development in Africa.
|
| 94 |
+
|
| 95 |
+
In the introduction to the book, Stanley Ehiane and Mosud Olumoye discuss the historical context of cybercrime as an emergent phenomenon in Africa. According to the author, a variety of internet criminal activities, such as financial fraud, drug trafficking, human trafficking, and terrorism, can target Africa as a continent. As a result, Africa is developing into a “safe haven” for online scammers. This indicates that more cybercrimes are being committed in Africa. Despite an upsurge in studies on cybercrime over the past ten years, the subject is still important and understudied, especially from a social science standpoint. Nevertheless, some African nations are trying to implement security measures that can assist in fighting this ailment. Even though these initiatives are ongoing, they have been largely ineffective at repealing cybercrime. This reveals that the way forward is for Africa to learn from the experiences of developed countries in fighting cybercrime.
|
| 96 |
+
|
| 97 |
+
Chapter two written by Sphamandla Lindani Nkosi and Sogo Angel Olofinbiyi analyses the types of cybercrime that occur in South Africa with a focus on the economic impact of identity theft. The chapter investigates and estimates the damage that identity theft has done to South Africa’s economy as well as the suffering that victims—citizens and business sectors—have gone through because of the fraudulent acts related to identity theft. It outlines several socioeconomic issues, such as unemployment, that exacerbate identity theft. It contends that ongoing encryption of sensitive data is crucial and that periodic inspection and maintenance of cybersecurity measures stand as two essential preventative strategies.
|
| 98 |
+
|
| 99 |
+
In Chapter 3, Vuyelwa Kemiso Maweni, Aden Dejene Tolla, and Sphamandla Lindani Nkosi concentrate on the nature of cybercrime in poor societies and describe how technology facilitates human trafficking. They contend that technology makes it simpler for traffickers to find, entice, control, and coerce their victims. The more sophisticated end of the trafficker spectrum uses technology and the Internet, both of which are tools for cybercrime. Through phones, emails, instant messaging, websites, phone applications, and other means of communication, the Internet gives traffickers access to a larger pool of possible victims. Since conventional physical and geographic barriers no longer exist, the Internet today easily connects a far bigger number of potential victims. The chapter explains the many strategies criminals employ to find their victims of sex trafficking online, with a focus on Ethiopia, Nigeria, and South Africa.
|
| 100 |
+
|
| 101 |
+
In Chapter 4, Samuel Fikiri Cinini, Stanley Ehiane, Osaiyi Fadekemi Janet, and Irewunmi Banwo focus on new challenges in Africa and cybersecurity. The protection of personal data has grown increasingly important as digital technologies are used more frequently in industries like healthcare and education. Lack of capability is one of the main issues facing Africa in terms of cybersecurity. This pertains to both a shortage of qualified individuals and a lack of funding. Simply put, many African nations lack the infrastructure and knowledge needed to effectively combat cyber attacks. The chapter looked at the rise of cybersecurity in Africa and the many cyber threats that have emerged recently. It also provided an overview of the African Union Convention on Cybersecurity and Personal Data Protection and the difficulties the continental body has faced in tackling these issues. The chapter suggests that Africa must take full advantage of the digital revolution to empower its citizens and enhance transparency in government and the private sector. This will not happen until data is stored in safe and trusted systems that protect privacy and are difficult for criminals to breach.
|
| 102 |
+
|
| 103 |
+
Anthony Minnaar in Chapter 5 paid to the threat from and risk from cybercrime has been increasing over time, both in terms of the number of reported cyberattacks and the level of complexity of those attacks. Every year, ransomware incidents and the additional expenditures associated with installing better protection measures result in considerable financial losses for enterprises, individuals, and the public sector. Cybercrime is appealing to criminals due to the potential and lucrative profits as well as the low risk of detection, physical detention (being a so-called “borderless” but still international crime), and the challenge of authorities bringing charges against “absent” and challenging to track and trace suspected culprits.
|
| 104 |
+
|
| 105 |
+
Chapter 6, written by Sazelo Michael Mkhize focused on drug trafficking and the Internet. Over the past few decades, the war on drugs has been a major source of worry. The abuse and trafficking of narcotic and psychoactive substances have long been a problem, but it has become worse with the advent and diffusion of new technologies, particularly the Internet. Over the past ten years, the Internet’s explosive expansion has brought about unheard-of shifts in criminal activity, creating new chances and infrastructure for these kinds of crimes. The African continent has developed over the past ten years into a major route for drug exports, a source of illegally obtained natural resources, a starting place for human trafficking, and a route for migrant smuggling. Drugs are cleverly disguised to hide their origins and avoid scrutiny, making Africa one of the main transhipment routes for drug trafficking. The use of the Internet as a means of drug distribution creates both new investigation obstacles and opportunities for skilled investigators.
|
| 106 |
+
|
| 107 |
+
Slindile Ngcece and Sazelo Michael Mkhize in chapter seven analyzed the role played by the South African Police Service in battling cybercrime. For police agencies, the threat of cybercrime is becoming more and more challenging. The development of advanced techniques to commit cybercrime has made it more difficult and time-consuming to implement and investigate. South Africa is among the top 10 nations on the list of cybercrime predators, however. Cybercrimes have been the subject of extensive research. However, there is still much to be learned about this subject, especially regarding how law enforcement agencies have handled the difficulties presented by online crimes and whether the South African legal system has been successful in reining in cybercriminals. The chapter identified a lack of cooperation among pertinent role-players to increase internal resources for cybercrime investigation, which led to capacity issues with handling the workload.
|
| 108 |
+
|
| 109 |
+
Claudine Anita Hingston and Danita Hingston in Chapter 8 focus on the nature of human trafficking. They view human trafficking, which is one of the world’s fastest-growing illegal sectors, as being equivalent to slavery. Cyberspace enables traffickers to abuse more victims globally and carry out new trafficking operations while the traditional channels of human trafficking continue to exist. Human trafficking has evolved into one of the biggest global organised crimes as a result of the development of technology. Traffickers use social media to masquerade as victims, disseminate false information, disseminate intimate photos, or even continue to monitor a victim’s account activity after they have left the trafficker. The four steps of trafficking—recruitment, transportation, victim exploitation, and management of illicit profits—were highlighted in the chapter. Offenders exploit digital tools at each of these four stages of the trafficking cycle. It implies that because of how serious human trafficking is, how it violates human rights, and how badly it affects its victims, this topic must continuously be at the forefront of research.
|
| 110 |
+
|
| 111 |
+
In chapter nine, Ndivhuwo Doctor Sundani focuses on the methods for preventing human trafficking on South African online platforms. The increased use of digital technologies in Africa is fostering the expansion of human trafficking operations there. It was found that the development of social media and the Internet have provided traffickers with more opportunities to seduce victims. The possibility of raising awareness of human trafficking is growing. The underlying economic, political, and cultural issues must be resolved for South Africa to succeed in its fight against human trafficking. Additionally, groups that serve as a conduit between key players, the government, and victims require more support.
|
| 112 |
+
|
| 113 |
+
Shandu Smangele and Maluleke Witness in chapter ten highlighted in South Africa the perceptions and trends of electronic tax fraud filing. In the KwaZulu-Natal (KZN) Province of South Africa, the chapter analyzes current perspectives on investigations and prosecutions of electronicFiling (Tax) fraud. Tax fraud happens when taxpayers don’t pay their taxes on time or use shady tactics to get out of paying back taxes. Therefore, one of the things preventing South Africa from collecting taxes is tax fraud. To evade tax requirements, such as paying annual tax on any money generated, people who engage in lawful activities such as barter and financial transactions often conceal the real and taxable income they have made. This practice is known as the shadow economy. The chapter makes the case that taxes are an essential component in ensuring that South Africa’s economy remains strong for years to come. The authors advised the local SAPS DPCI to request an upgrade to the SARS e-Filing system so that it can better track applicants’ history and identify fraudulent information. Accountable investigators should carefully examine current trends to enhance their current investigation methods.
|
| 114 |
+
|
| 115 |
+
# Concluding Remarks
|
| 116 |
+
|
| 117 |
+
Africa is reportedly the continent where cybercrime is expanding the fastest. Internet users have increased because of the expansion of broadband services across the continent (Ojedokun, 2015). African countries are increasingly using the Internet to carry out sensitive business and retain vital information. Cybercriminals are targeting the continent as a result of the majority of African states’ shortcomings in bolstering cybersecurity and combating cybercrime. The problem of cybercrime and its detrimental effects on Africa are worrying and demoralising. To combat the threat and lessen its impact on the populace, the governments of Africa must adopt a proactive and laser-like focus. Africa needs to be developed into a society free from crime to serve as a productive foundation for economic breakthrough. Criminals who operate online will always stay current with technological developments. Indeed, technology contributes to cybercrime; we can either accept this or take significant action to address it. We must recognise that the difficulty of law enforcement organisations and individuals to bring criminal charges against online fraudsters feeds the cycle of online fraud (Boateng et al., 2019). Policymakers will need to put into place effective measures to prevent the surge of cyber threats if they want Africa to reach its full potential. Hitherto, Africa must start working together to combat cyber threats at the national and regional levels. Africa should create a body to keep track of and report international cybercrimes.
|
| 118 |
+
|
| 119 |
+
To meet the upcoming difficulties of cybercrime, Africa needs strong information and computer technology institutions to train cybersecurity experts with significant skills in system administration, security audit, forensic investigation, information security, and software development. Pedro (2020) argues that to avoid and stop new criminality trends, we must constantly make modifications to the way we prevent and secure the cyberspace environment. These efforts have expanded well beyond the conventional boundaries of the Law Enforcement Agencies’ workplace. The issue of cybersecurity needs to be taken seriously since it is affecting how the world perceives the continent. The public, cybercafés, the government, security agencies, and internet users must all contribute to the development of a security-aware culture. It is unreasonable to expect states to adopt the entire agreement right away, so African states should concentrate on the convention’s sections about cybersecurity and cybercrime first. African nations must support capacity-building initiatives and sign on to international accords against cybercrime that extends beyond the continent. These steps will have the most immediate effect in curbing the growth of cybercrime in Africa and worldwide. African states that fail to adequately address the evolving cybercrime problem will jeopardise their economic growth and national security. Unless and until there is a broad global agreement on criminalising cybercrime and robust international cooperation to enforce those laws, cybercriminals operating in cybercrime safe havens will continue to target individuals, businesses, and governments with impunity.
|
| 120 |
+
|
| 121 |
+
# References
|
| 122 |
+
|
| 123 |
+
Abdul-Rasheed Ishowo, S. L., Muhammed, L. A., & Abdullateef, Y. R. (2016). Cybercrime and Nigeria’s external image: A critical assessment. Africology: The Journal of Pan African Studies, 9(6), 119–132.
|
| 124 |
+
Adanikin, O. (2018, May 3, Thursday). Cybercrooks attempt to steal $\$3.90$ from the maritime sector. The Nations Newspaper, $12~\mathrm{pp}$ .
|
| 125 |
+
Adeniran, A. (2008). The internet and the emergence of Yahoo boys sub-culture in Nigeria. International Journal of Cyber Criminology (IJCC), 2(2), 368– 381.
|
| 126 |
+
Adewole, K. S., Isiaka, R. M., & Olayemi, R. T. (2021). An inquiry into the awareness level of cyber security policy and measures in Nigeria. Journal of Science and Advanced Technology, 1(7), 91–96.
|
| 127 |
+
Aghatise, J. (2014, September 5). Cybercrime definition. https://www.resear chgate.net/publication/265350281_Cybercrime_definition. Accessed 14 Nov 2021.
|
| 128 |
+
Ajah, B. O., & Chukwuemeka, O. D. (2019). Neo-economy and militating effects of Africa’s profile on cybercrime. International Journal of Cyber Criminology, 13(2), 326–342.
|
| 129 |
+
Ajayi, E. F. G. (2016). Challenges to enforcement of cyber-crimes laws and policy. Journal of Internet and Information Systems, $\delta(1)$ , 1–12.
|
| 130 |
+
Akogwu, S. (2012). An assessment of the level of awareness on cybercrime among internet users in Ahmadu Bello University. Zaria. Unpublished B.Sc. project.
|
| 131 |
+
Akuta, E. A., Ong’oa, I. M., & Jones, C. R. (2011). Combating cyber-crime in Sub-Sahara Africa: A discourse on law, policy and practice. Journal of Peace, Gender and Development Studies, 1(4), 129–137.
|
| 132 |
+
Al-Shalam, A. (2022). Cybercrime fear and victimization: An analysis of a national survey [Ph.D dissertation submitted to Mississippi State University].
|
| 133 |
+
Anah, B., Funmi, D., & Makinde, J. (2012). Cybercrime in Nigeria: Causes, effects and the way out. ARPN Journal of Science and Technology, 1(2), 193– 195.
|
| 134 |
+
Aribake, F. O., & Aji, Z. M. (2022). The mediating role of perceived security on the relationship between internet banking users and their determinants. International Journal of Advanced Research in Engineering and Technology, 11(2), 296–318.
|
| 135 |
+
Ayofe, A. M., & Irwin, B. (2010). Cybersecurity: Challenges and the way forward. Computer Science and Telecommunications, 6(29), 56–69.
|
| 136 |
+
Bande, L. C. (2018). Legislating against cybercrime in Southern African development community: Balancing international standards with country-specific specificities. International Journal of Cyber Criminology, 12(1), 9–26.
|
| 137 |
+
Boateng, R., Long, O., Mbarika, V., & Avevor, I. (2019). Cyber crime and criminality in Ghana: Its forms and implications. Americas Conference on Information System, 507.
|
| 138 |
+
Chawe, M. (2021, June 14). Cybercrime costs Zambian banks $\$40$ . Africa Review. www.africareview.com/News/Cybercrime-costs-Zambian-banks-- $-4\mathrm{mi}$ llio/-/979180/1883006/-/128vr2iz/-/index.html
|
| 139 |
+
Chiluwa, I. M., Kamalu, I., & Anurudu, S. (2022). Deceptive transparency and masked discourses in Ponzi schemes: A critical discourse analysis of MMM Nigeria. Critical Discourse Studies, 19(1), 55–72.
|
| 140 |
+
Chinweze, U. C., Chukwuemeka, O. D., & Egbegi, F. R. (2019). An exploratory study of cybercrime in the contemporary Nigeria value system. European Journal of Social Sciences Studies, 4(3), 131–141.
|
| 141 |
+
Coomson, J. (2009, October 4). Cybercrimes in Ghana. Ghanaian Chronicle. http://allafrica.com/stories/200610040856.html. Accessed 12 July 2023.
|
| 142 |
+
Dalal, P. (2006). Wireless security: Some measures. Computer Crime Research Center. http://www.crime-research.org/articles. Accessed 23 Apr 2022.
|
| 143 |
+
Danquah, P., & Longe, O. B. (2021). Cyber deception and theft: An ethnographic study on cyber criminality from a Ghanaian perspective. Journal of Information Technology Impact, 11(3), 169–182.
|
| 144 |
+
Das, S., & Nayak, T. (2013). Impact of cybercrime: Issues and challenges. International Journal of Engineering Sciences & Emerging Technologies, 6(2), 142–153.
|
| 145 |
+
Encyclopedia of Library and Information Science. (1977). https://books.goo gle.co.bw/books/aboutEncyclopedia_of_Library_and_Information.html?id $\c=$ MCwqxVvW3zMC&redir_esc=y. Accessed 14 May 2023.
|
| 146 |
+
European Commission. (2013). Joint Communication to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions. Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace, Brussels JOIN, 2013, 1.
|
| 147 |
+
Folashade, B. O., & Abimbola, K. A. (2013). The nature causes and consequences of cybercrime in tertiary institutions in Zaria-Kaduna State, Nigeria. American International Journal of Contemporary Research, 3(9), 98–114.
|
| 148 |
+
Fra˛ckiewicz, M. (2023). The importance of cybersecurity in Africa’s Digital Age. https://ts2.space/en/the-importance-of-cybersecurity-in-africas-digitalage/. Accessed 10 July 2023.
|
| 149 |
+
French Network and Information Security Agency. (2011). Information systems defense and security—France’s strategy. Retrieved April 23, 2021, from http://www.enisa.europa.eu/media/news-items/french-cybersecuritystrategy-2011. Accessed 8 July 2023.
|
| 150 |
+
Goodman, M. D., & Brenner, S. (2022). The emerging consensus on criminal conduct in cyberspace. International Journal of Law and Information Technology, 10(2), 139–223 at 142, 146–150.
|
| 151 |
+
Government of Canada. (2010). Canada’s cybersecurity strategy. www.publicsaf ety.gc.ca/cnt/rsrcs/pblctns/cbr-sctr-strtgy/index-eng.aspx. Accessed 12 Mar 2022.
|
| 152 |
+
Green, B., Gies, S., Bobnis, A., Piquero, N. L., Piquero, A. R., & Velasquez, E. (2020). The role of victim services for individuals who have experienced serious identity-based crime. Victims and Offenders, 15(6), 720–743.
|
| 153 |
+
Guillaume, L., & Fortinet, D. (2009). Fighting cybercrime: Technical, juridical and ethical. https://www.virusbulletin.com/conference/vb2009/abstracts/ fighting-cybercrime-technical-juridical-and-ethical-challenges/. Accessed 12 May 2023.
|
| 154 |
+
Gumbi, D. (2018). Understanding the threat of cybercrime: A comparative study of cybercrime and the ICT legislative frameworks of South Africa, Kenya, India, the United States and the United Kingdom. A thesis submitted to the University of Cape Town as part of the requirements for the award of Master of Law (LLM) Degree.
|
| 155 |
+
Hassan, A. B., Lass, F. D., & Makinde, J. (2012). Cybercrime in Nigeria: Causes, effects and the way out. ARPN Journal of Science and Technology, 2(7), 1–6.
|
| 156 |
+
Herselman, M., & Warren, M. (2013). Cybercrime influencing businesses in South Africa. Issues in Information Science and Information Technology, 3(2), 253–266.
|
| 157 |
+
Hunda, R. S., Singh, K., & Singh, M. D. (2014). Aspects to ensure admissibility of digital evidence. Law Journal, Gurn Nanak Dev University, Amritsar, 13(1), 1–10.
|
| 158 |
+
Ibikunle, A. (2022). Investigation of computer crime in information technology industry [Unpublished Master’s Thesis]. Ladoke Akintola University of Technology.
|
| 159 |
+
Ibikunle, F., & Eweniyi, O. (2013). Approach to cybersecurity issues in Nigeria: Challenges and solution. International Journal of Cognitive Research in science, engineering and education, 1(1), 1–11. http://www.scribd.com/doc/ 71120466/. Accessed 4 June 2022.
|
| 160 |
+
Information Security Policy Council. (2010). Information security strategy for protecting the Nation. www.nisc.go.jp/eng/pdf/New_Strategy_English.pdf. Accessed 15 July 2022.
|
| 161 |
+
Institute for Security Studies. (2022). Africa can’t risk a major maritime cyberattack. https://issAfrica.org/iss-today/Africa-cant-risk-a-major-maritime-cybera ttack.
|
| 162 |
+
Jerome-Orji, U. (2019). An inquiry into the legal status of the ECOWAS cybercrime directive and the implications of its obligations for member states. Computer Law and Security Review, 35(6), 105330.
|
| 163 |
+
Kavitha, V., & Preetha, S. (2019). Cybersecurity issues and challenges: A review. International Journal of Computer Science and Mobile Computing, 8(11), 1–6.
|
| 164 |
+
Khan, A. (2011). The-first recorded-cyber-crime-took-place-in-the-year-1820. http://www.scribd.com/doc/71120466/. Accessed 12 June 2022.
|
| 165 |
+
Kshetri, N. (2013). Cybercrime and cybersecurity in the Global South. Palgrave Macmillan.
|
| 166 |
+
Kshetri, N. (2019a). Cybercrime and cybersecurity in Africa. Journal of Global Information Technology Management, 22(2), 77–81.
|
| 167 |
+
Kshetri, N. (2019b). The economics of click fraud. IEEE Security & Privacy Magazine, 8(3), 45–53.
|
| 168 |
+
Laura, A. (2005, 2011). Cyber crime and national security: The role of the penal and procedural law. Research Fellow, Nigerian Institute of Advanced Legal Studies.
|
| 169 |
+
Lewis, J. (2018). Economic impact of cybercrime: No slowing down. Centre for Strategic and International Studies. https://www.csis.org/analysis/economicimpact-cybercrime. Accessed 12 May 2023.
|
| 170 |
+
Longe, O. B., & Chiemeke, S. C. (2008). Mediated cyber-crime: An investigation of the role of internet access points in the facilitation of cybercrime in Southwest Nigeria. European Journal of Social Sciences, 6, 466–472.
|
| 171 |
+
Maitanmi, O., Ogunlere, S., Ayinde, S., & Adekunle, Y. (2013). Impact of cybercrimes on Nigerian Economy. The International Journal of Engineering and Science (IJES), 2(4), 19–25.
|
| 172 |
+
Makeri, Y. A. (2017). Cybersecurity issues in Nigeria and challenges. International Journal of Advanced Research in Computer Science and Software Engineering, 7 (4), 315–413.
|
| 173 |
+
Manish, L. (2021). Cyber Laws: A global perspective. http://unpan1.un.org/ intradoc/groups/public/documents/apcity/unpan005846.pdf. Accessed 10 May 2023.
|
| 174 |
+
McConnel, J. C. (2000). Juju and justice at the movies: Vigilantes in Nigerian popular video. African Studies Review, 47 , 51–67.
|
| 175 |
+
McCusker, R. (2006). Transnational organised cybercrime: Distinguishing threat from reality. Crime, Law and Social Change, 46(4&5), 257–273.
|
| 176 |
+
Mitchell, J. (2022). Africa faces huge cybercrime threat as the pace of digitalisation increases. https://www.investmentmonitor.ai/features/africa-cybercrime-threat-digitalisation/. Accessed 7 May 2023.
|
| 177 |
+
National Coordinator for Security and Counterterrorism. (2014). National cybersecurity strategy 2. http://www.enisa.europa.eu/media/news-items/dutchcybersecurity-strategy-2011. Accessed 20 Oct 2021.
|
| 178 |
+
Ndubueze, P. N. (2019). Cybercrime and Legislation in an African Context. In The Palgrave handbook of international cybercrime and cyberdeviance. Palgrave Macmillan. https://doi.org/10.1007/978-3-319-90307-1_74-1. Accessed 6 July 2023.
|
| 179 |
+
Nitta, Y. (2013). Japan’s approach towards an international strategy on cybersecurity cooperation. http://lsgs.georgetown.edu/sites/lsgs/files/Japan_edited% 20v2.pdf_for_printout.pdf. Accessed 25 Oct 2022.
|
| 180 |
+
Norris, G., Brookes, A., & Dowell, D. (2019). The psychology of internet fraud victimisation: A systematic review. Journal of Police and Criminal Psychology, 34(3), 231–245.
|
| 181 |
+
Norton Study. (2012). Consumer cybercrime estimated at \$110 billion annually. www.symantec.com/about/news/release/article.jsp?prid $\c=$ 20120. Accessed 28 Aug 2021.
|
| 182 |
+
Obiora, C. A. O., Tiebiri, J. E. J., & Mmaduabuchi, O. U. (2017). Cybercrimes and the challenges of economic development in Nigeria. NG—Journal of Social Development, 6(4), 59–71.
|
| 183 |
+
Odinma, A. C. (2010, November 1–2). Cybercrime and cert: Issues and probable policies for Nigeria, DBI Presentation.
|
| 184 |
+
Odueso, T. (2022). Africa is losing $\$4$ billion annually to cybercrime. Can conversations at Cyber Africa Forum help? https://techcabal.com/2022/05/06/afr ica-cybercrime-cyber-africa-forum/. Accessed 12 May 2023.
|
| 185 |
+
Oforji, J. C., Udensi, E. J., & Ibegbu, K. C. (2017). Cybersecurity challenges in Nigeria: The way forward. SosPoly Journal of Science & Agriculture, 2, 1–55.
|
| 186 |
+
Oghenevwogaga, T. D. (2017). ICT use and its impact in combating cybercrimes in Abraka, Delta State, Nigeria. Research Journal of Mass Communication and Information Technology, 3(1), 10–24.
|
| 187 |
+
Ogunleye, Y. O., Ojedokun, U. A., & Aderinto, A. A. (2022). Pathways and motivations for cyber fraud involvement among female undergraduates of selected universities in South-West Nigeria. International Journal of Cyber Criminology, 13(2), 309–325.
|
| 188 |
+
Ojedokun, A. A. (2015). The evolving sophistication of Internet abusers in Africa. The International Information and Library Review, 37 (1), 11–17.
|
| 189 |
+
Okeshola, F. R., & Adeta, A. K. (2013). The nature causes and consequences of cyber-crime in tertiary institutions in Zaria-Kaduna State, Nigeria. American International Journal of Contemporary Research, 3(9), 98–114.
|
| 190 |
+
Okpa, J. T., Adebayo, I. A., & Emmanuel, E. (2020). Cybercrime and socioeconomic development of corporate organizations in Cross River State, Nigeria. Asian Journal of Scientific Research, 13, 205–213.
|
| 191 |
+
Olalekan, A., & Kamarudeen, O. (2021). Buhari agrees with Cameron that Nigeria is ‘fantastically corrupt’. Punch News. Retrieved from https://pun chng.com/buhariagrees-cameron-nigeria-fantastically-corrupt-2. Accessed 10 May 2023.
|
| 192 |
+
Olayemi, O. J. (2014). A socio-technological analysis of cybercrime and cybersecurity in Nigeria. International Journal of Sociology and Anthropology, $6(3)$ , 116–125.
|
| 193 |
+
Olumoye, M. Y. (2013). Cybercrime and technology misuse: Overview, impacts and preventive measures. European Journal of Computer Science and Information Technology, 1(3), 10–20.
|
| 194 |
+
Onuora, A. C., Uche, D. C., Ogbunude, F. O., & Uwazuruike, F. O. (2017). The challenges of cybercrime in Nigeria: An overview. AIPFU Journal of School of Sciences (AJSS), 1(2), 6–11.
|
| 195 |
+
Osho, O., & Onoja, A. D. (2015). National cybersecurity policy and strategy of Nigeria: A qualitative analysis. International Journal of Cyber Criminology, 9(1), 120–143.
|
| 196 |
+
Oumarou, M. (2007). Brainstorming advanced fee fraud: ‘Faymania’—The Camerounian Experience. In N. Ribadu, I. Lamorde, & D. W. Tukura (Eds.), Current trends in advanced fee fraud in West Africa (pp. 33–34). EFCC.
|
| 197 |
+
Pedro, D. (2020, July 27–29). Challenges for cybercrime prevention. In 6th meeting of the intergovernmental expert group on cybercrime in Viena.
|
| 198 |
+
Physorg, L. (2022). Rights group launches tool to stem cybercrime in Africa. https://phys.org/news/2021-05-rights-group-tool-stem-cybercrime.html
|
| 199 |
+
Quarshie, H. O., & Martin-Odoom, A. (2012). Fighting cybercrime in Africa. Computer Science and Engineering, 2(6), 98–100.
|
| 200 |
+
Rainie, L., Anderson, J., & Connolly, J. (2014). Cyber-attacks likely to increase (Pew Research Internet Project, April 2021). http://www.pewInternet.org/ 2021/04/29/cyber-attacks-likely-to-increase/. Accessed 18 June 2022.
|
| 201 |
+
Sabilloni, R., Cano, J., Cavaller, V., & Serra, J. (2016). Cybercrime and cybercriminals: A comprehensive study. International Journal of Computer Networks and Communications Security, 4(6), 165–176.
|
| 202 |
+
Seemma, P. S., Nandhini, S., & Sowmiya, M. (2018). Overview of cybersecurity. International Journal of Advanced Research in Computer and Communication Engineering, 7 (11), 125–130.
|
| 203 |
+
S¸ entürk, H., Çil, Z. C., & ¸Seref, S. (2012). Cybersecurity analysis of Turkey. International Journal of Information Security Science, 1(4), 112–125.
|
| 204 |
+
Shehu, A. (2014). Cyber-terrorism: The shape of future conflict. Royal United Service. Available: https://rusi.org/explore-our-research/topics. Accessed 20 July 2022.
|
| 205 |
+
Shinder, D. L. (2002). Scene of the cyber-crime: Computer forensics handbook. Syngress Publishing Inc.
|
| 206 |
+
Solak, D., & Topaloglu, M. (2015). The perception analysis of cybercrimes given computer science students. Procedia: Social and Behavioural Sciences, 182, 590–595.
|
| 207 |
+
Sumanjit, D., & Tapaswini, N. (2013). Impact of cyber-crime: Issues and challenges. International Journal of Engineering Sciences & Emerging Technologies, $6(2)$ , 142–153.
|
| 208 |
+
Symantec Corporation. (2014). Internet Security Threat Report 2013, 2012 Trends. www.symantec.com/content/en/us/enterprise/other_resour ces/b-istr_main_report_v18_2012_21291018.enus.pdf.
|
| 209 |
+
Tade, O., & Aliyu, I. (2011). The social organisation of cybercrime among university undergraduates in Nigeria. International Journal of Cyber Criminology, 5, 860–875.
|
| 210 |
+
TrendLabs. (2016). Trend Micro Security News. “The Many Faces of Cybercrime.” http://www.trendmicro.com/vinfo/us/security/news/cyb ercrime-and-digital-threats/the-many-faces-of-cybercrime. Accessed 15 July 2021.
|
| 211 |
+
United Nations Economic Commission for Africa. (2014). Tackling the challenges of Cybersecurity in Africa. Policy Brief, NTIS/002/2014, Economic Commission for Africa.
|
| 212 |
+
Wall, D. (2004). What are cybercrimes? Criminal Justice Matters, 58(1), 20–21.
|
| 213 |
+
Watanabe, L. (2013). France’s new strategy: The 2013 white paper [White paper]. http://www.css.ethz.ch/publications/pdfs/CSSAnalysis-139-EN.pdf. Accessed 16 Nov 2022.
|
| 214 |
+
Williams, M., & Levi, M. (2015). Perceptions of the e-crime controllers: Modelling the Influence of Cooperation and Data Source Factors. Security Journal, 28(3), 252–271.
|
| 215 |
+
World Economic Forum’s Global Risks. (2014). https://www.un-spider.org/ news-and-events/news/world-economic-forum-publishes-global-risks-report2014. Accessed 5 June 2023.
|
dataset/data/docs/grobler-et-al._2012_Implementation of a Cy.md
ADDED
|
@@ -0,0 +1,164 @@
| 1 |
+
# Implementation of a Cyber Security Policy in South Africa: Reflection on Progress and the Way Forward
|
| 2 |
+
|
| 3 |
+
Marthie Grobler, Joey Jansen van Vuuren, and Louise Leenen
|
| 4 |
+
|
| 5 |
+
Council for Scientific and Industrial Research, Pretoria, South Africa {mgrobler1,jjvvuuren,lleenen}@csir.co.za
|
| 6 |
+
|
| 7 |
+
Abstract. Cyber security is an important aspect of National Security and the safekeeping of a Nation's constituency and resources. In South Africa, the focus on cyber security is especially prominent since many geographical regions are incorporated into the global village in an attempt to bridge the digital divide. This article reflects on current research done in South Africa with regard to a cyber security policy, and proposes the development of methodologies and frameworks that will enable the implementation of such a policy. The focus of this article is the use of an ontology-based methodology to identify and propose a formal, encoded description of the cyber security strategic environment. The aim of the ontology is to identify and represent the multi-layered organisation of players and their associated roles and responsibilities within the cyber security environment. This will contribute largely to the development, implementation and rollout of a national cyber security policy in South Africa.
|
| 8 |
+
|
| 9 |
+
Keywords: cyber security, ontology, policy, security awareness.
|
| 10 |
+
|
| 11 |
+
# 1 Introduction
|
| 12 |
+
|
| 13 |
+
Information and its related infrastructures are fundamental to cyber security and the implementation of an associated cyber security policy. On the one hand, cyber security pertains to the maintenance of National Security and the interests of citizens; whilst, on the other hand, it can refer to politically motivated hacking to conduct sabotage and espionage against specific nation states. Therefore, the rationale behind national cyber security is to enable the safekeeping of a Nation's constituency and its associated organisational, human, financial, technological and informational resources. This is done to facilitate the achievement of its National objectives [9].
|
| 14 |
+
|
| 15 |
+
In South Africa, cyber security has been identified as a critical component contributing towards National Security. More geographical regions of South Africa are becoming integrated into the global village, necessitating additional government initiatives aimed at bridging the digital divide and addressing cyber security. One of these initiatives is the development and implementation of a South African specific cyber security policy.
|
| 16 |
+
|
| 17 |
+
Despite the African continent's recent explosive growth in information and communication technologies, Africa is generally considered as being spared the global high levels of cyber crimes. Although this is often attributed to its traditionally low
|
| 18 |
+
|
| 19 |
+
Internet penetration levels with only 139 million Internet users out of a population of more than 2 billion people [16], Africans tend to increasingly fall prey to online predators [14]. In addition, many of the factors that traditionally make African countries more vulnerable (such as increasing bandwidth, use of wireless technologies and infrastructure, high levels of computer illiteracy, ineffective or insufficient legislation to deal with cyber attacks and threats) further expose these countries’ crucial infrastructures to cyber risks [12]; hence an effective cyber security policy is urgently needed in order to be able to respond to these risks. A national cyber security policy framework would “bolster and improve South Africa’s cyber security” [14].
|
| 20 |
+
|
| 21 |
+
This article will look at the current and future research and development done towards the implementation of a cyber security policy in South Africa. It will present retrospective reflections, as well as proposed future work on selected methodologies and frameworks that will enable the implementation of such a policy. The innovative contribution of this research lies in the argument that an ontology can assist in defining a model that describes the relationships between different cyber security components. Section 2 summarises the development process of a cyber security policy for South Africa. Section 3 gives an overview of cyber security research in South Africa and discusses ways in which the research relates to the development of a cyber security policy. From these two sections it becomes clear that a descriptive model of the cyber security environment in South Africa is required. This leads to a proposal for the development of a cyber security ontology in Section 4. Future research is discussed in Section 5 and the article is concluded in Section 6.
|
| 22 |
+
|
| 23 |
+
# 2 Background
|
| 24 |
+
|
| 25 |
+
South Africa has a huge responsibility to promote cyber security awareness, since the State can be held responsible for wrongful acts committed inside a country, and is obliged to fulfil the interests of the entire international community. As a result, the national cyber security policy framework for South Africa is a long time coming, and initial workshops on the topic were held already in January 2009. Despite the time and effort put into the development of the policy framework, the process of implementation is still not complete.
|
| 26 |
+
|
| 27 |
+
At the time of writing, the initial published draft version of the policy declared milestones for the imminent establishment of the security CSIRT (Computer Security Incident Response team) and the sector CSERT (Computer Security Emergency Response team) [8]. The decision was made in February 2012 that the Department of State Security should take over responsibility from the Department of Communications (DOC) for drawing the government's policy on cyber crime. In 2010, a similar decision was made to reassign the mandate from the Department of Science and Technology (DST) to the DOC [10].
|
| 28 |
+
|
| 29 |
+
Given the current status of the policy framework in South Africa, it is agreed that there is not enough emphasis on the national cyber security policy, although reference is made to the policy as the overarching strategy that must guide cyber security. In response, this article proposes five elements as a foundation for the South African cyber security policy requirements: (i) political will; (ii) adapted organisational structures; (iii) identifying accurate proactive and reactive measures; (iv) reducing criminal opportunities; and (iv) education and awareness [9].
|
| 30 |
+
|
| 31 |
+
It is recommended that these five elements should be present in developing a national strategy for an effective cyber security approach and culture. The next section addresses these elements in more detail, with a preliminary mapping of current South African cyber security research to determine the current state and progress of a cyber security policy implementation. These elements fit with the South African proposed multi-faceted approach to reduce cyber crime [7].
|
| 32 |
+
|
| 33 |
+
# 3 Current State of Cyber Security Research in South Africa
|
| 34 |
+
|
| 35 |
+
The dynamic and volatile nature of the Internet and the cyber domain in general make cyber security research within South Africa an important area to address. Since the cyber domain is inherently globalised, it cannot truly be considered in isolation or on a purely national basis [18]. As such, the South African Justice minister, Jeff Radebe, stated at a parliamentary briefing in February 2012 that finalising specific cyber crime plans would be a priority in 2012 [7]. In addition, the DOC stated that its “decision to boost cyber security comes in conjunction with the government’s plans to battle crime using technology-based solutions and partnerships” [14]. With this in mind, the five elements identified above as part of the successful development of a national cyber security strategy [9] are discussed next, in relation to current South African research.
|
| 36 |
+
|
| 37 |
+
# 3.1 Political Will
|
| 38 |
+
|
| 39 |
+
To ensure that the cyber security action plan receives government-wide attention, national leadership is imperative both at an individual and organisational level. Furthermore, national cyber security policies as well as national and international strategies should be in place to fight cyber crime. The draft cyber security policy presented by the DOC aims to ensure that organs of state as well as the private sector can cooperate to ensure the security of South Africa’s information networks [14].
|
| 40 |
+
|
| 41 |
+
As mentioned in Section 2, the South African national strategy for cyber security is under development, albeit not yet implemented or enforceable. The draft policy does address some levels of compatibility with international efforts, as proposed by Ghernouti-Hélie [9]. For example, co-operation between police in the Southern African Development Community region and Interpol is a high priority in 2012 to fight cyber criminal syndicates [7].
|
| 42 |
+
|
| 43 |
+
# 3.2 Adapted Organisational Structures
|
| 44 |
+
|
| 45 |
+
It is recommended that adequate national organisational structures should exist to support the deployment of an effective cyber security solution for individuals, organisations and governmental agencies. These organisational structures should be adapted from other national models to take elements such as country-specific culture, economic context and ICT infrastructure development into account [9].
|
| 46 |
+
|
| 47 |
+
In terms of cyber security, a national CSIRT could be the most appropriate organisational structure for linking communication networks and information systems with economic and social development. Earlier South African research has identified nine steps to ensure that the CSIRT meets the needs of such an organisational structure. The first and most crucial of these steps would be clarifying the mandate and policy related issues involved [10]. At the time of writing, a new move towards the development and establishment of one of the South African CSIRTs is underway by the DOC and joint partners. The necessity of national CSIRTs is underscored in the draft South African cyber security policy [8].
|
| 48 |
+
|
| 49 |
+
# 3.3 Identifying Accurate Proactive and Reactive Measures
|
| 50 |
+
|
| 51 |
+
Since everyday activities have an increasing digital component, it is becoming increasingly urgent to augment and automate cyber security in order to maximise outputs and minimise human error. Both South African individuals and groups are largely dependent on data. This dependence relates not only to physical data, but also to the relationship of this data to specific infrastructures. Accordingly, it is important that these actions can be both proactive and reactive in nature.
|
| 52 |
+
|
| 53 |
+
Ghernouti-Hélie [9] proposed that cyber security actors can be classified into three roles: the protector; the protected; or the criminal. Once the South African cyber security policy is implemented, it is envisioned that the roles would be addressed appropriately, and South African citizens should have a better understanding of where they fit in terms of, for example, who will play the role of the protector, and what is the punishment for the criminals. Existing South African legislation already addresses criminal punishment for cyber security crimes; this includes: the Electronic Communications and Transactions Act $\Nu_{0}\ 25$ of 2002; the Regulation of Interception of Communications and Provision of Communication-related information Act No 70 of 2002; and the Protection of Personal Information Bill of 2010 [1].
|
| 54 |
+
|
| 55 |
+
# 3.4 Reducing Criminal Opportunities
|
| 56 |
+
|
| 57 |
+
Due to the international scope of the Internet and wide usage of technology, cyber security intersects largely with the application and implementation of international legislation. Regardless, the foundation for an adequate security strategy is twofold: raise the level of risks taken by the criminal, and raise the level of difficulties faced by the criminal. In all instances, legislative and regulatory measures should concomitantly raise the level of risk perceived by a criminal, and decrease the favourable context to perpetrate an illegal action [9]. Reducing opportunities for crime is one of the ultimate benefits of implementing a cyber security policy framework. As such, South Africa is one of the signatories of the Council of Europe's Convention on Cybercrime [5].
|
| 58 |
+
|
| 59 |
+
# 3.5 Education and Awareness
|
| 60 |
+
|
| 61 |
+
Organisational structures should encourage, lead or coordinate continuing education for professionals in the legal, economical and political fields. In addition, the realisation of a global cyber security awareness culture will contribute to achieving part of the goals of a national cyber security strategy [9]. In South Africa, there are several cyber security awareness programmes aimed at educating user groups in different geographical areas of the country [11], made necessary by the increasing rate of bandwidth consumption or utilisation in South Africa. Already in 2007/2008, South Africa’s overall online activity was estimated to be $67\%$ of overall online activity in Africa, whilst its population accounted for only $5\%$ of that of entire continent [19]. This emphasises the importance of proper cyber security awareness and formalised training in this domain.
|
| 62 |
+
|
| 63 |
+
Research done in the South African provinces of Gauteng, Mpumalanga and Limpopo in general indicates good Internet behaviour on the part of South African citizens. Completed questionnaires were retrieved from different geographical areas and were grouped under urban areas, semi-rural areas and rural areas. The levels of cyber security awareness were calculated as $69\%$ for urban areas, $53\%$ for semi-rural areas, and $40\%$ for rural areas. A cumulative extrapolation of total awareness in South Africa based on the overall awareness of the sample group is estimated at $51\%$ [17]. This aspect still requires a lot of attention in South Africa.
|
| 64 |
+
|
| 65 |
+
The next section introduces the use of an ontology to assist in the development and implementation of a South African cyber security policy.
|
| 66 |
+
|
| 67 |
+
# 4 Using an Ontology to Implement Cyber Security
|
| 68 |
+
|
| 69 |
+
The mapping of South African research and development activities on the five practical elements as proposed for international cyber security policy implementation (refer to Section 3) shows that some progress has been made. The discussions also highlighted the involvement of a number of entities and functions to ensure the successful implementation of a national cyber security policy. However, since the cyber security environment is not clearly bounded and defined, it is very difficult to put forward an easily understandable and implementable cyber security policy. As such, the authors propose to use an ontological model to formally define and describe the roles of players in this environment together with their functions and responsibilities, as well as the roles of the different stakeholders in the cyber security environment. It is important to realise that there are multiple levels of role players in the cyber security environment and that roles and responsibilities often overlap. It is precisely this layer of complexity that necessitates a structured, formal description of the environment before implementation of the policy can succeed.
|
| 70 |
+
|
| 71 |
+
This ontology will provide a model of the shared environment (i.e. the cyber security domain), a common vocabulary and formal descriptions of the inter-relationships between the relevant entities and functions as identified in Section 3. Ontologies have been used previously to define policy frameworks and instantiate policies [6]. Although the use of an ontology as proposed here is different to that of Cuppens-Boulahia et al., it is clear that ontologies can be used to assist with the implementation of policy in various ways. Ontologies could therefore be a valuable contribution to the final implementation of a cyber security policy in South Africa.
|
| 72 |
+
|
| 73 |
+
The methodology of using an ontological model will benefit the communication and sharing of information between role players during the implementation of the policy, the modelling of the implementation phases and functions, and for education and training.
|
| 74 |
+
|
| 75 |
+
The next sub-section contains an overview of ontologies in general and the subsequent sub-section describes an initial high-level ontology for the cyber security strategic environment.
|
| 76 |
+
|
| 77 |
+
# 4.1 What Is an Ontology?
|
| 78 |
+
|
| 79 |
+
For the purpose of this paper, an ontology is a technology that provides a way to exchange semantic information between people and systems. It consists of an encoded, common domain vocabulary and a description of the meaning of terms in the vocabulary. Grüber [13] defines an ontology as “formal, explicit specification of a shared conceptualisation”. A formal ontology specifies a machine-readable domain model depicting entities and their inter-entity relationships. It generally consists of a descriptive part and reasoning technologies. The descriptive part of an ontology captures the domain from the domain experts’ point of view, expressing domain information in a way that can be processed by computers and be understood by humans. The use of reasoning technologies enables new information to be derived from the facts contained in an ontology.
|
| 80 |
+
|
| 81 |
+
The information in an ontology is expressed in an ontology language (logic-based language), and then progressively refined. The construction and maintenance of ontologies greatly depend on the availability of ontology languages equipped with welldefined semantics and powerful reasoning tools. Fortunately, there already exists a class of logics, called description logics (DLs), that provides for both, and are therefore ideal candidates for ontology languages [2]. The Web Ontology Language (OWL) 2.0 was granted the status of a W3C recommendation in 2009, and is the official Semantic Web Ontology language. OWL was designed to provide a common way to process the content of Web information instead of displaying it. It is intended to be interpreted by computer applications and not to be read by people [22]. In this research, OWL was used to interpret the ontological model developed for the cyber security strategic domain.
|
| 82 |
+
|
| 83 |
+
The use of ontologies is growing rapidly in a variety of application areas, and is the underlying technology driving the Semantic Web initiative [3]. Ontologies vary greatly in their content and intent [4], [25]: upper-level ontologies define general, descriptive terms that are domain independent; core ontologies contain only terms that are domain-neutral, that is, terms that apply to multiple sub-domains; and domain ontologies represent specific terms in a particular domain and are detailed.
|
| 84 |
+
|
| 85 |
+
# 4.2 A Domain Ontology for the Cyber Security Environment
|
| 86 |
+
|
| 87 |
+
There are many benefits to implementing ontologies. As such, the authors used an ontological model to identify and propose a formal, encoded description of the cyber security strategic environment. This will contribute largely to the development, implementation and roll out of a national cyber security policy in South Africa. Benefits include:
|
| 88 |
+
|
| 89 |
+
• To enable the re-use of domain knowledge. There are many role players in South Africa that have performed research and development work on cyber security. Involving these role players as domain experts in the development of the ontology will maximise the utilisation of any existing domain knowledge.
|
| 90 |
+
• To share a common understanding of domain concepts and information among the members of a community. Due to the dynamic and volatile nature of the cyber security domain, there are often multiple explanations or ambiguous understandings of domain specific concepts. An ontology will assist in standardising these concepts.
|
| 91 |
+
• To facilitate information integration and interoperability between heterogeneous knowledge sources. As pointed out in Section 3, entities and functions involved in the cyber security domain range from local to international, humans to organisations, and policies to implementation tools. By using an ontology, it would be possible to ensure integration and interoperability between different components of the larger South African cyber domain.
|
| 92 |
+
• To analyse domain knowledge. Existing domain knowledge, once identified and captured within an ontological model, can be used to finalise the South African cyber security policy, and implement its components to ensure the better protection of National Security and safekeeping [20].
|
| 93 |
+
|
| 94 |
+
The main benefit of the high-level ontology envisaged here is that a formal, encoded description of the cyber security strategic environment will be created: that is, all the entities, their attributes and their inter-relationships will be defined and represented. There will be a single shareable model of the environment, agreed-upon by subject experts.
|
| 95 |
+
|
| 96 |
+
This paper presents the upper-level entities of an initial ontology. Subject matter experts have identified these entities. The proposed cyber security strategy environment ontology is implemented in ‘Protégé’, a free, open-source platform that provides a suite of tools to construct domain models and knowledge-based applications with ontologies [23]. The main entities in the environment are the Human Domain, Information, Infrastructure and Tools. Figure 1 illustrates the main entities and their attributes and relationships.
|
| 97 |
+
|
| 98 |
+
The Human Domain entity consists of either individuals or groups. A group can be public (e.g. a state department) or private (e.g. a company or a terrorist organisation).
|
| 99 |
+
|
| 100 |
+
A group has the following attributes: size, goal, role, motivation, and it can be regarded as a target.
|
| 101 |
+
|
| 102 |
+
A goal is an intended outcome whilst a motivation is related to an individual or a group's needs.
|
| 103 |
+
|
| 104 |
+
An individual shares all of these attributes, but its size is exactly one.
|
| 105 |
+
|
| 106 |
+
Humans use tools, measures, guidelines, policies, techniques, applications, etc. and infrastructure to protect or attack information security and to manipulate information.
|
| 107 |
+
|
| 108 |
+
Infrastructure can consist of physical infrastructure, electronic infrastructure, or software. Infrastructure has a location as attribute.
|
| 109 |
+
|
| 110 |
+
Information has a type and format as attributes. Information and Infrastructure have a security classification, and Information has Infrastructure (e.g. is stored somewhere).
|
| 111 |
+
|
| 112 |
+

|
| 113 |
+
Fig. 1. Illustration of high-level cyber security strategy environment ontology
|
| 114 |
+
|
| 115 |
+
Cyber security awareness and training are relevant in determining the type of information that must be represented in the ontology, and initial steps have been taken towards the establishment of a Cyber Security Hub in South Africa [19]. This Hub will be responsible for cyber security awareness on a national level. The main role players in terms of cyber security awareness in South Africa are the DOC, the Department of Basic Education, and the South African Police Service (SAPS). A second level of role players includes: Universities and Further Education Training colleges, including the Department of Higher Education and Training; research institutions under the auspices of the DST; non-governmental organisations (NGOs); private organisations; banking sector; mobile sector; MICT SETA (Information Systems, Electronics and Telecommunication Technologies Education and Training Authority); Department of Defence (DOD) and the State Security Agency (SSA); Internet Service Providers; and other government departments.
|
| 116 |
+
|
| 117 |
+
Most stakeholders have more than one role in the implementation and the application of the policy. For example, DST, the Department of Higher Education and Training and the SSA are jointly responsible for general research on cyber security policy, whilst the SSA takes responsibility for implementing the cyber security policy [15]. Various centres and civil societies in general are responsible for reporting cyber incidents. When a cyber security incident has been reported or a specific instance of the policy has to be implemented, the relevant stakeholders have to be identified and contacted. The initial ontology can be used to support this task.
|
| 118 |
+
|
| 119 |
+
Fig. 1 only shows the high-level categories of these entities. However, when analysed in more detail, there is a close correlation between the entities identified in Section 3 and the entities in the proposed ontology. For example, the DOC (refer to Section 3.1) can be classified as a public group with the role of leader that uses the cyber security policy as tool (reactive measures) which uses the physical infrastructure of the CSIRT. Citizens (refer to Section 3.3) can be classified as an individual with the role of protected, and an attribute of target. Cyber security awareness programmes (refer to Section 3.5) can be classified as defence tools (proactive measures) that use physical, software and electronic infrastructure in the location of Limpopo.
|
| 120 |
+
|
| 121 |
+
# 5 Future Research
|
| 122 |
+
|
| 123 |
+
The first task in creating the cyber security policy is to set up an implementation framework. The first step must comprise an analysis of the current situation in South Africa. The rationale for this analysis is to break down the implementation into manageable, understandable components, because the role players responsible for the implementation are not necessarily the people who formulated the policy. In addition, the output of the analysis will greatly determine the final organisational structure. It is also necessary to be able to determine the strategies that will achieve the identified objectives of the policy. A final organisational structure needs to be investigated and human, financial, technological and physical resources allocated. A change management plan and commitment plan need to be set up to ensure co-operation between the parties involved. The future research will include:
|
| 124 |
+
|
| 125 |
+
Development of the implementation framework;
|
| 126 |
+
Expansion of the analysis of the current structures and role players of cyber security in South Africa. Several other methodologies would be used including Morphological Analysis, a method for systematically structuring and analysing multi-dimensional, non-quantifiable problems [24]. The detailed domain ontologies will be built using all this information;
|
| 127 |
+
Development of organisational structures necessary for implementation of the cyber security policy; Extension and implementation of the Cyber Security Awareness Toolkit (CyberSAT);
|
| 128 |
+
• Development of change management and commitment plans.
|
| 129 |
+
|
| 130 |
+
Hence, the use of an ontology is initially envisaged to define the role players and their functions. Later on the authors foresee other uses for an extended ontology. Since the cyber domain environment is vast, a core high-level ontology is proposed to be developed in conjunction with sub-domain ontologies. For example, a sub-domain ontology can be developed for predicting network attacks as a sub-component of the proposed cyber security policy implementation. All the sub-domain ontologies which have been developed can be merged once completed with existing techniques, to provide a combined ontological system that can be further extended.
|
| 131 |
+
|
| 132 |
+
# 6 Conclusion
|
| 133 |
+
|
| 134 |
+
This article describes the implementation of a cyber security policy in South Africa, summarises progress made so far of the research and development performed, and proposes the way forward. The authors discuss the requirements that will enable the implementation of the cyber security policy and reflect on research that is currently being done on the use of an ontology in this regard. The aim of the ontology is initially to provide a formal description of role players and their function in the cyber security environment.
|
| 135 |
+
|
| 136 |
+
Although several research articles and projects have been undertaken during the last three years, only limited research has been done on the implementation of the cyber security policy in South Africa. The article by Phahlamohlaka [21] discussed the CyberSAT as an implementation strategy. This lack of research could be attributed to the delay in the promulgation of the cyber security policy in South Africa. Cyber security awareness is the only research aspect of the cyber security implementation that has been covered in some detail since 2009, with several players starting to implement some awareness training in South Africa.
|
| 137 |
+
|
| 138 |
+
# References
|
| 139 |
+
|
| 140 |
+
1. Acts: Acts Online (2012), http://www.acts.co.za/ (accessed March 28, 2012)
|
| 141 |
+
2. Baader, F., Calvenese, D., McGuinness, D., Nardi, D., Patel-Schneider, P.: The Description Logic Handbook: Theory, Implementation, and Applications. Cambridge University Press, Cambridge (2003)
|
| 142 |
+
3. Berners-Lee, T., Hendler, J., Lassila, O.: The Semantic Web. Scientific American 284(5), 33–43 (2001)
|
| 143 |
+
4. Boury-Brisset, A.: Ontological Approach to Military Knowledge Modeling and Management. In: Symposium on Military Data and Information Fusion, Czech Republic, Prague (2003)
|
| 144 |
+
5. Council of Europe: Convention on Cybercrime. CETS No.: 185 (2010), http://conventions.coe.int/Treaty/Commun/ChercheSig.asp?NT $\scriptstyle{\frac{\prime}{\sqrt{\frac{\displaystyle1}{\displaystyle\left.\left(\frac{\displaystyle1}{\displaystyle\left.\left.\left(\frac{\displaystyle\sqrt{\frac{\displaystyle\left.\sqrt{\frac{\left.\sqrt{\frac\sqrt{\pi}}{\displaystyle\left.\sqrt{\frac\sqrt{\frac\pi}{\left.\sqrt}{\frac\sqrt{\frac\sqrt{\pi}}{\left.\sqrt}{\frac\sqrt{\frac\sqrt}{\left.\sqrt}{\frac\sqrt{\sqrt}{\frac\sqrt}{\left.\sqrt}{\frac\sqrt{\sqrt}{\frac\sqrt}{\sqrt}{\frac\sqrt{\sqrt}{\frac\sqrt}{\sqrt}{\frac\sqrt{\sqrt}{\frac\sqrt}{\sqrt}{\frac\sqrt{}\sqrt}{\frac\sqrt{}\sqrt}{\frac\sqrt{}\sqrt}{\frac\sqrt{}\sqrt}{\frac\sqrt{}\sqrt}{\frac\sqrt{}\sqrt}{\frac\sqrt{}\sqrt}{\frac\sqrt{}\sqrt}{\frac\sqrt{}\sqrt}{\frac\sqrt{}\sqrt}{\frac\sqrt{}\sqrt}{\frac\sqrt{}\sqrt}{\frac\sqrt{}\sqrt}{\frac\sqrt{}\sqrt}{\frac\sqrt{}\sqrt}{\frac\sqrt{}\sqrt}{\frac\sqrt{}\sqrt}{\frac\sqrt{}\sqrt}{\frac\sqrt{}\sqrt}{\frac\sqrt{}\sqrt}{\frac\sqrt{}\sqrt}{\frac\sqrt{}\sqrt\frac{}\sqrt{}\sqrt\frac{}\sqrt\sqrt{}\frac{\sqrt}\sqrt{}\frac\sqrt{}\sqrt\frac{}\sqrt\sqrt{}\frac{\sqrt}\sqrt{}\frac\sqrt{}\sqrt\frac{}\sqrt\frac{}\sqrt\sqrt{}\frac\sqrt{}\sqrt\frac{}\sqrt\sqrt{}\frac\sqrt\sqrt{}\frac\sqrt{}\sqrt\frac{}\sqrt\frac\sqrt{}\sqrt\frac{}\sqrt\frac\sqrt{}\sqrt\frac\sqrt{}\frac\sqrt\sqrt{}\frac\sqrt\frac{}\sqrt\sqrt\ \ \ }\ \ \ \ }}}}}}\end$ $85\&C\mathrm{M}=8\&D\mathrm{F}=28/10/2010\&C\mathrm{L}=\mathrm{ENG}$ (accessed March 28, 2012)
|
| 145 |
+
6. Cuppens-Boulahia, N., Cuppens, F., de Vergara, L., Vázquez, E., Guerra, J., Debar, H.: An Ontology-based Approach to React to Network Attacks. International Journal of Information and Computer Security 3(4), 280–305 (2009)
|
| 146 |
+
7. Davis, G.: State Security in Charge of Cybercrime Plans (2012), http://www.iol.co.za/dailynews/news/state-security-incharge-of-cybercrime-plans-1.1238243 (accessed February 21, 2012)
|
| 147 |
+
8. Department of Communications: National Cybersecurity Policy Framework for South Africa – Draft. Unpublished document (2011)
|
| 148 |
+
9. Ghernouti-Hélie, S.: A National Strategy for an Effective Cybersecurity Approach and Culture. In: ARES 2010 International Conference on Availability, Reliability and Security, Krakow, pp. 370–373 (2010)
|
| 149 |
+
10. Grobler, M., Bryk, H.: Common Challenges Faced During the Establishment of a CSIRT. Presented at the ISSA Conference 2010, Sandton, South Africa (2010)
|
| 150 |
+
11. Grobler, M., Flowerday, S., Von Solms, R., Venter, H.: Cyber Awareness Initiatives in South Africa: A National Perspective. In: Proceedings of Southern African Cyber Security Awareness Workshop (SACSAW 2011), pp. 32–41 (2011)
|
| 151 |
+
12. Grobler, M., Dlamini, Z.: Global Cyber Trends a South African Reality. In: Proceedings of IST-Africa Conference (IST-Africa 2012) (2012)
|
| 152 |
+
13. Grüber, T.: A translation approach to portable ontology specifications. Knowledge Acquisition 5, 191–220 (1993)
|
| 153 |
+
14. Guy: Cyber Security Policy Will Go Before Cabinet For Approval This Year (2011), http://www.defenceweb.co.za/index.php?option $\vartriangle{\v{x}}$ com_content&vie w=article&id=13783:cyber-security-policy-will-go-beforecabinet-for-approval-thisyear&catid $\scriptstyle1=48$ :Information $\frac{9}{10}20\frac{9}{10}20$ Communication%20Technologies& Itemid $\scriptstyle\mathtt{.=109}$ (accessed February 24, 2012)
|
| 154 |
+
15. ICT Procurement: Cyber Security Mandate Transferred (2012), http://ictprocurement.com/security/cyber-security-mandatetransferred.html (Accessed May 3, 2012)
|
| 155 |
+
16. Internetworldstats: Internet Usage Statistics for Africa (2012), http://www.internetworldstats.com/stats1.htm (accessed February 27, 2012)
|
| 156 |
+
17. Jansen van Vuuren, J.C., Grobler, M.M., Zaaiman, J.: The Influence of Cyber Security Levels of South African Citizens on National Security. In: Proceedings of ICIW 2012, Seattle, USA, pp. 138–147 (2012)
|
| 157 |
+
18. Kramer, F.D.: Cyberpower and National Security: Policy Recommendations for a Strategic Framework. In: Kramer, F.D., Star, S.H., Wentz, L.K. (eds.) Cyberpower and National Security, pp. 3–23. Centre for Technical and National Security Policy, Washington (2009)
|
| 158 |
+
19. Moyo, A. , Kayle, A.: DOC Calls for Collaboration, Security Innovation (2012), http://www.itweb.co.za/index.php?option $\l=$ Com_content&view $\mathbf{\bar{\rho}}=\mathbf{\bar{\rho}}$ article&id=54874 (accessed August 8, 2012)
|
| 159 |
+
20. Noy, N.F., McGuiness, D.L.: Ontology Development 101: A Guide to Creating Your First Ontology. Technical Report KSL-01-05. Stanford Knowledge Systems Laboratory (2001)
|
| 160 |
+
21. Phahlamohlaka, L.J., Jansen van Vuuren, J.C., Radebe, J.: Cyber Security Awareness Toolkit for National Security: an Approach to South Africa’s Cyber Security Policy Implementation. In: Proceedings of the First IFIP TC9/ TC11 Southern African Cyber Security Awareness Workshop 2011 (SACSAW 2011), Gaborone, Botswana, pp. 1–14 (2011)
|
| 161 |
+
22. OWL 2 Web Ontology Language (2012), http://www.w3.org/TR/owl-overview (accessed March 27, 2012)
|
| 162 |
+
23. Protégé ontology editor (2012), http://protege.stanford.edu/ (accessed February 7, 2012)
|
| 163 |
+
24. Ritchey, T.: Wicked Problems. Structuring Social Messes with Morphological Analysis. Adapted from a lecture given at the Royal Institute of Technology in Stockholm (2004), http://www.swemorph.com/downloads.html (2005)
|
| 164 |
+
25. Smith, B., Miettinen, K., Mandrivk, W.: The Ontology of Command and Control. In: Proceedings of the 14th International Command and Control Research and Technology Symposium, Buffalo, National Centre for Ontological Research, New York (2009)
|
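--- a/dataset/data/docs/law-society-of-south-africa_2023_LSSA guidance on cyber law.pdf-13cda54c-057d-4c47-8688-73acee399122.md
+++ b/dataset/data/docs/law-society-of-south-africa_2023_LSSA guidance on cyber law.pdf-13cda54c-057d-4c47-8688-73acee399122.md
@@ -0,0 +1,170 @@
+# CYBER LAW
+
+Cyber law is part of the overall legal system that deals with the Internet, cyberspace, and their respective legal issues. Cyberlaw covers a fairly broad area, encompassing several subtopics, including freedom of expression, Internet access to and usage, and online privacy. Generically, cyber law is called the Law of the Internet.
+
+Cyber laws prevent or reduce damage from cybercriminal activities by protecting information access, privacy, communications, intellectual property (IP) and freedom of speech related to the use of the Internet, websites, email, computers, cell phones, software and hardware, such as data storage devices. Due to the various jurisdictions that cyber activities traverses, enforcement is difficult.
+
+Cybercrime in South Africa has increased exponentially, and the Cybercrimes Act aims to keep people safe from criminals, terrorists, and other states. It also consolidates cybercrime laws and related regulations into the Cybercrimes Act. The law's primary goal is to improve data transmission over the internet whilst keeping it safe.
+
+NB: The South African Cybercrimes Act has severe consequences for non‐compliance.
+
+# Impact
+
+The Cybercrimes Act [the Act] impacts all organisations and all individuals. It now criminalises the perpetrators of cybercrimes and non‐compliance in specific instances [punitive]. It should be noted that as this is a cross‐border practice, South Africa has to comply with its international obligations. It impacts everyone who processes data or uses a computer, organisations and private individuals. Together with the Protection of Personal Information Act [POPiA] and the Electronic Communications Transaction Act [ECTA], this legislative regimen will impact the everyday lives of all South Africans. I
+
+The President signed the Bill into law on 26 May 2021. The proclamation date of certain sections of the Cybercrimes Act is 1 December 2021. The President may set different dates for different provisions of the Act.
+
+The Act ‐ Act No. 19 of 2020: Cybercrimes Act, 2020
+
+The main objectives of the Cybercrimes Act are to deal with offences relating to cybercrimes, powers of investigation, criminalisation of the distribution of data messages which are harmful, provide for interim protection orders, evidence gathering, regulate the jurisdiction of courts, the establishment of a specified point of contact and the reporting of obligations and penalties.
+
+The Cybercrimes Act criminalises various types of cybercrimes, including illegally accessing a computer system or intercepting data, cyber extortion, unlawfully acquiring a password, cyber fraud, and theft of incorporeal property. Any person who violates this Act could face a fine, imprisonment of up to 15 years or both. The broad scope of jurisdiction created by this Act means that the South African courts will have the power to try persons that are non‐SA citizens and persons that commit crimes in other countries, where this affects a person or business in South Africa. The South African Police Services (“SAPS”) have been given extensive search and seizure powers under the Cybercrimes Act, including searching and seizing information held within a private database or network without a search warrant. This could potentially give rise to many Constitutional rights being infringed, such as the right to privacy and freedom of expression. Jurisprudence will develop as SA courts deal with these matters over time.
+
+The act sets out the objectives of the legislation:
+
+to create offences which have a bearing on cybercrime;
+to criminalise the disclosure of data messages which are harmful and to provide for interim protection orders;
+to further regulate jurisdiction in respect of cybercrimes;
+to further regulate the powers to investigate cybercrimes;
+to further regulate aspects relating to mutual assistance in respect of the
+investigation of cybercrimes;
+to provide for the establishment of a designated Point of Contact; to further provide for the proof of specific facts by affidavit;
+to impose obligations to report cybercrimes;
+to provide for capacity building;
+to provide that the Executive may enter into agreements with foreign States to promote measures aimed at the detection, prevention, mitigation and investigation of cybercrimes;
+to delete and amend provisions of specific laws; and
+to provide for matters connected in addition to that.
+
+The Cybercrimes Act has imposed new responsibilities on institutions and businesses to comply with far more stringent security requirements in managing the data of citizens and employees, which will play a key role in protecting South Africa against cybercrimes.
+
+# Sections of the Act that are now in operation:
+
+Chapter 1: Sets out the definitions of the Act. Chapter 2: This chapter sets out all the new cybercrimes created by the Act. The section deals with obtaining orders to protect the complainant pending finalising criminal proceedings that are not yet in operation. NB: [excludes Part VI] Chapter 3: This section refers to the jurisdiction of the Act. A South African court will have the authority to try any offence created in the Act if the violation affects any person or business in South Africa or if the crime was committed outside of South Africa against any citizen or ordinarily resident in South Africa. Chapter 4: This chapter deals with the authorities powers to investigate, search, access or seize. The excluded sections deal with the preservation of data directions. NB: [excludes 38(1)(d), (e) and (f), 40(3) and (4), 41, 42, 43 and 44].
+
+Chapters 5: This section is not yet in operation. This relates to mutual assistance with foreign requests and establishing a designated Point of Contact within the South African Police Services [SAPS].
+
+Chapter 6: This section is not yet in operation and
+
+Chapter 7: This section sets out the process to prove facts by submission of an affidavit by a suitably qualified individual.
+
+Chapter 8: deals with reporting obligations and capacity building to investigate and prosecute cybercrimes. The reporting obligations for electronic communications service providers and financial institutions are not yet in operation. NB: [excludes section 54]
+
+Chapter 9: This section deals with the general provisions and sets out which other rules are repealed or amended by this Act. The Act replaces sections of the Electronic Communications and Transactions Act, 25 of 2002, dealing with unlawful accessing, interception or interference with data messages. Several proposed amendments related to prosecuting harmful disclosure of pornography (“revenge porn”) are not yet in operation. However, the offence of “revenge porn” is in process. NB: [excludes sections 11B, 11C, 11D, and 56A(3)(c), (d) and (e) of the Criminal Law (Sexual Offences and Related Matters) Amendment Act, 2007, from the Schedule of laws repealed or amended in terms of section 58].
+
+# Cybercrime and Cybersecurity
+
+Areas that are related to cyber law include cybercrime and cybersecurity. With proper cybersecurity, businesses and people can protect themselves from cybercrime. Cybersecurity looks to address weaknesses in computers and networks. The International Cybersecurity Standard is known as ISO 27001.
+
+Cybersecurity policy is focused on guiding anyone that might be vulnerable to cybercrime.
+This includes businesses, individuals, and even the government.
+
+Information and training are essential ways to improve cybersecurity.
+
+Cybercrimes are committed against society, including governments, businesses, and people.
+
+# UNODC excerpt:
+
+Cybercrime law identifies standards of acceptable behaviour for information and communication technology (ICT) users; establishes socio‐legal sanctions for cybercrime; protects ICT users, in general, and mitigates and/or prevents harm to people, data, systems, services, and infrastructure, in particular; protects human rights; enables the investigation and prosecution of crimes committed online (outside of traditional real‐world settings); and facilitates cooperation between countries on cybercrime matters.
+
+Cybercrime law provides rules of conduct and standards of behaviour for the use of the Internet, computers, and related digital technologies, and the actions of the public, government, and private organizations; rules of evidence and criminal procedure, and other criminal justice matters in cyberspace; and regulation to reduce risk and/or mitigate the harm done to individuals, organisations, and infrastructure should a cybercrime occur. Accordingly, cybercrime law includes substantive, procedural and preventive law.
+
+# Categories of Cyber Crime
+
+Generally, there are three major categories of cybercrimes, including:
+
+Crimes Against People. While these crimes occur online, they affect the lives of ordinary people. Some of these crimes include cyber harassment and stalking, distribution of child pornography, various types of spoofing, credit card fraud, human trafficking, identity theft, and online‐related defamation etc. Crimes Against Property. Some online crimes attack property, such as a computer or server. These crimes include hacking, virus transmission, cyber, computer vandalism, and copyright infringement [including IP] violations. In many instances, the attackers lock users out of their systems and release access once the ransom is paid [usually in crypto currency] – referred to as ‘ransomware.’ Crimes Against Government. When a cybercrime is committed against the government, it is considered an attack on that nation's sovereignty. Cybercrimes against the government include hacking, accessing confidential information, cyber warfare, cyber terrorism, and pirated software.
+
+# Cyber Law Trends
+
+Cyber law is increasing in importance every single year. This is because cybercrime is increasing. To fight these crimes, there have been recent trends in cyber law. These trends include the following:
+
+New and more stringent regulations.
+Reinforcing current laws.
+Increased awareness of privacy issues.
+Cloud computing.
+How virtual currency might be vulnerable to crime.
+Usage of data analytics.
+
+Creating awareness of these issues will be a primary focus of governments and cyber law agencies.
+
+Companies specialising in Cyber protection generally offer a holistic service, including specialist digital and internet tools [software including AI] and advisory services. Many institutions provide free online guidance, registering to receive newsletters with updates etc.
+
+NIST‐ National Institute of Standards and Technology ‐ https://www.nist.go
+
+CISA – Cybersecurity & Infrastructure Security Agency ‐ https://www.cisa.gov
+
+Register to receive newsletters with updates etc.
+
+Many ICT companies also have valuable website guidance [register for email advisories].
+
+# Cyber Law and Intellectual Property
+
+An essential part of cyber law is intellectual property. Intellectual property includes art, literature, music, and businesses. IP rights related to cyber law generally fall into the following categories:
+
+Copyright protects almost any piece of IP you can transmit over the internet. This includes books, music, movies, etc.
+
+Patents are generally used to protect an invention. These include software and online business processes, including systems, etc.
+
+Trademarks are used virtually as they are in the real world. Trademarks will be used for websites and special services provided online.
+
+Trade Secrets. Online businesses can use trade secret protections, although these can be reversed engineered in the modern online world.
+
+Domain Disputes are about who owns a web address.
+
+Contracts. Any person accessing a website generally has to agree to the terms of service. ‐ This is a contract.
+
+Privacy. Online services and any electronic storage of client information are subject to data privacy laws, POPiA. The storage or retention of client information is prohibited unless there is an ongoing business relationship with the client.
+
+# Cyber Security Strategies
+
+Besides understanding cyber law, organisations must build cybersecurity strategies. These, at a minimum, must cover the following areas:
+
+Ecosystem. A robust ecosystem helps prevent cybercrime. Your ecosystem includes three areas—automation, interoperability1, and authentication. A robust system can prevent cyberattacks like malware, attrition, hacking, insider attacks, and equipment theft.
+
+Framework. An assurance framework is a strategy for complying with security standards. This allows updates to infrastructure. It also allows governments and businesses to work together in what's known as "enabling and endorsing'.
+
+Open Standards. Open standards lead to improved security against cybercrime. They allow businesses and individuals to use proper protection easily. Open standards can also improve economic growth and new technology development.
+
+It is strengthening Regulation. This speaks directly to cyber law. Governments can work to improve this legal area.
+
+E‐Governance. E‐governance is the ability to provide services over the Internet. Developing this technology is an integral part of cyber law.
+
+Infrastructure. Protecting infrastructure is one of the most critical parts of cybersecurity.
+
+Refer to the LSSA website for guidance in this regard www.LSSA.org.za
+
+# Mitigating Risk
+
+Cyberlaw aims to reduce the risk, including the protection of network security.
+
+Cybersecurity should be treated as a business risk and mitigated [reduced]. The general rule is that ‘it is not if but will you be hacked.’
+
+This requires a business continuity plan [to recover fast], with cloud computing being the preferred choice.
+
+Cyber security practitioners have enhanced the simulation and scenario planning in risk mitigation.
+
+Breach and Attack Simulations (BAS) are growing in popularity as a way of testing cyber resilience. The technology is used to automatically spot weaknesses in an organisation’s cyber security, a little like automated, ongoing penetration testing.
+
+For risk mitigation strategies, resources including cyber guidance, visit the LSSA website: www.LSSA.org.za
+
+# Cyber Law Business Consideration
+
+A business's website is a significant asset. It is also highly vulnerable to cybercrime. Various agencies and organisations provide guidance; in many instances, these are ICT companies or State agencies.
+
+# Clients
+
+Protecting your client's personal information is essential to comply with cyber law and POPiA. This is true even if your business lacks a website or the client information is not digitally stored [hard copies].
+
+Regarding POPiA, your business's privacy and security policies must be available to your clients. This confirms your commitment to protecting their personal and financial information when they use your website.
+
+# Cyber Law Terms and Laws
+
+There are three main terms that people need to know related to cyber law.:
+
+1. Information Technology Law. These laws refer to digital information. It describes how this information is gathered, stored, and transmitted.‐ POPiA / ECTA
+2. Cyber Law/Internet Law. These laws cover the usage of the internet. ECTA & Cybercrimes Act
+3. Computer Law. This covers a sizeable legal area. It includes both the internet and laws related to computer IP. – ECTA
+4. Critical Infrastructure. The State's physical or virtual systems and assets are so vital that their incapacitation or destruction may debilitate a State’s security, economy, public health or safety, or the environment.
+5. Cyber Infrastructure. The communications, storage, and computing devices upon which information systems are built and operate.
+6. Cyber Operation. The employment of cyber capabilities to achieve objectives in or through cyberspace.
+7. Cyberspace. Physical and non‐physical components form the environment to store, modify, and exchange data using computer networks.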
dataset/data/docs/mabunda_2021_Cybersecurity in South Africa Towards Best Practices.pdf-3aa90d36-37f2-4089-abe3-6b.md
ADDED
|
|
|
|
dataset/data/docs/mahlatsi_A CRITICAL REVIEW OF THE IMPLEMENTATION OF .md
ADDED
|
|
|
|
dataset/data/docs/republic-of-south-africa_2013_Protection of Personal Information Act, 2013.pdf-68ed7a0b.md
ADDED
|
|
|
|
dataset/data/docs/republic-of-south-africa_Cybercrimes Act of South Africa_Act16-2020_commence.md
ADDED
|
|
|
|
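--- /dev/null
+++ b/dataset/data/docs/sibe_2022_Forbes_Africas-Chaotic-Legal-And-Regulatory-Cyberse.md
@@ -0,0 +1,53 @@
+INNOVATION
+
+# Africa's Chaotic Legal And Regulatory Cybersecurity Landscape Requires Harmonization
+
+
+
+By Robinson Sibe, Forbes Councils Member. for Forbes Technology Council, COUNCIL POST | Membership (fee-based)
+
+Aug 02, 2022, 10:00am EDT
+
+Dr. R.T. Sibe is the CEO/Lead Forensic Examiner of Digital Footprints Nig. Limited. He is a member of the Forbes Technology Council.
+
+
+
+GETTY
+
+There are more than 600 million total internet users in Africa. This is more than the total number of internet users in North America, South America and the Middle East. The last two decades have witnessed increased technology adoption in Africa. While this has obviously increased the efficiency of Africa's workforce, it has also come with associated risks—one of which is the risk of cyberattacks. Although this risk is global and not exclusive to Africa, Africa's preparation and response have not been coordinated as one would wish for.
+
+According to a recent Interpol report (download required), about $90\%$ of African businesses are operating without the necessary cybersecurity protocols and, therefore, are exposed to cyberattacks. The report also noted that there were more than 700 million threat detections in Africa within a one-year period. French newspaper Le Monde (via the Council on Foreign Relations) previously reported that the servers of the Chinese-built Africa Union headquarters in Ethiopia were bugged and that data had been routinely transmitted at night through a backdoor between 2012 and 2017. While China has denied this allegation, this is a classic example of how the continent is exposed—even at such high-level institutions.
+
+# Scramble For Response
+
+Over the years, there have been efforts from different African countries to address the cybersecurity challenge. While most jurisdictions have taken steps, many others have been lagging. For instance, some countries have enacted laws and regulations around the cybersecurity space. In Nigeria, the parliament enacted the Cybercrime Act 2015. The National Information Technology Development Agency (NITDA) also rolled out the Nigerian Data Protection Regulation (NDPR) in 2019.
+
+In South Africa, President Cyril Ramaphosa signed the Cybercrimes and Cybersecurity Act in 2021. This law mandates electronic communication service providers and financial institutions to act when their systems suffer a cybersecurity attack or breach. South Africa had previously signed the Protection of Personal Information Act No. 4 of 2013 Act into law.
+
+Ghana passed its Cybersecurity Act 2020 to coordinate the nation's response to the prevention and management of cyberattacks and breaches. Ghana previously signed into law the Data Protection Act, 2012 to protect the privacy and personal data of individuals. Egyptian President Abdel Fattah al-Sisi ratified the nation's "Anti-Cyber and Information Technology Crimes" law in 2018, and Egypt promulgated its Data Protection Law, which also reflects some aspects of the EU's GDPR.
+
+# Regional And Continental Response
+
+At the regional level, there have been some efforts as well. For instance, the Economic Community of West African States (ECOWAS) adopted the ECOWAS Regional Cybersecurity and Cybercrime Strategy at the 2020 Second Ordinary Session. ECOWAS had previously adopted the Supplementary Act on Personal Data Protection in 2010.
+
+At the continental level, the African Union (AU) adopted the Convention on Cyber Security and Personal Data Protection—also known as the Malabo Convention—in 2014. This was followed by the release of the Personal Data Protection Guidelines for Africa—a collaborative measure between the Internet Society and the AU—in 2018. According to the United Nations Conference on Trade and Development (UNCTAD), out of the 54 countries in Africa, only 33 $(61\%)$ have a data protection law in place.
+
+# Africa's Challenging Landscape And The Need For Harmonization
+
+Despite the commendation of AU's efforts in this regard, the Malabo Convention has had a hard start. For instance, as of 2021, only eight out of 55 AU members (Angola, Ghana,
+
+Guinea, Mauritius, Mozambique, Namibia, Rwanda and Senegal) had ratified the convention, which needs to be ratified by at least 15 countries. Interestingly, the countries that had not ratified the convention include continental giants such as Nigeria, South Africa and Kenya. Therefore, this Malabo Convention remains largely a document with little action.
+
+Clearly, while Africa may not be in short supply of laws, the implementation has been largely abysmal. Beyond this, the myriad of national and regional laws on the same issue may be confusing—particularly as the continent seeks to dismantle trade barriers through the Africa Continental Free Trade Area (AfCFTA). For AfCFTA to be successful, the continent needs continental risk management—a key aspect of which is tackling the emerging cybersecurity risks. The pockets of discordant laws across the continent leave the landscape chaotic.
+
+# Conclusion
+
+African enterprises continue to make exploits despite the chaotic cybersecurity landscape. The last few years have seen the emergence of seven unicorns, and all are relying on technology to do business. Africa's growing financial institutions continue to leverage technology to serve the continent and beyond. These enterprises are facing the continent's challenging and rapidly evolving cybersecurity landscape. Billions of dollars are lost annually across the continent from cybercrime and cybersecurity breaches.
+
+Therefore, it is imperative for the continent to put forward a united front in the cybercrime war, cybersecurity and data protection regulation. African nations need to ratify the Malabo protocol and continue to fine-tune the laws and regulations reflective of the evolving threat landscape. How Africa manages cybersecurity risk will determine the growth trajectory in the next decade.
+
+Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?
+
+Follow me on LinkedIn. Check out my website.
+
+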
dataset/data/docs/south-africa-government_2015_National Cybersecurity Policy Framework.pdf-dde97d67-d3fd-41b3-b.md
ADDED
|
@@ -0,0 +1,524 @@
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1 |
+
# STATESECURITYAGENCY
|
| 2 |
+
|
| 3 |
+
NO.609
|
| 4 |
+
|
| 5 |
+
04DECEMBER2015
|
| 6 |
+
|
| 7 |
+
# THE NATIONAL CYBERSECURITY POLICY FRAMEWORK (NCPF)
|
| 8 |
+
|
| 9 |
+

|
| 10 |
+
|
| 11 |
+

|
| 12 |
+
|
| 13 |
+
NATIONALCYBERSECURITYPOLICYFRAMEWORKFORSOUTHAFRICA
|
| 14 |
+
|
| 15 |
+
# Table of Contents
|
| 16 |
+
|
| 17 |
+
ABBREVIATIONS P EXECUTIVE SUMMARY 5 DEFINITIONS 8
|
| 18 |
+
|
| 19 |
+
1. Introduction 10
|
| 20 |
+
2. The South African Context .12
|
| 21 |
+
3. Purpose of the NCPF .14
|
| 22 |
+
4. Key Objectives of the NCPF. .15
|
| 23 |
+
5. Capacity to Respond to Cybersecurity lmperatives .15
|
| 24 |
+
6. Cybersecurity Hub and Additional CSiRTs. .18
|
| 25 |
+
7. Verification of Information Security Products and Systems .19
|
| 26 |
+
8. NCII Protection.. .20
|
| 27 |
+
9. Cryptography .21
|
| 28 |
+
10. Online E-ldentity Management in Cyberspace. .21
|
| 29 |
+
11. Promote and Strengthen Local and International Cooperation.. .23
|
| 30 |
+
12. Capacity Development, Research and Development .24
|
| 31 |
+
13. Cyber-warfare. .24
|
| 32 |
+
14. Promotion of a Cybersecurity Culture. .25
|
| 33 |
+
15. Technical and Operational Standards Compliance. .25
|
| 34 |
+
16. The Role and Responsibility of the State .26
|
| 35 |
+
17. The role and Responsibility of the Private Sector .. .29
|
| 36 |
+
18. The Role and Responsibility of Civil Society .29
|
| 37 |
+
19. Conclusion. 30
|
| 38 |
+
|
| 39 |
+
# ABBREVIATIONS
|
| 40 |
+
|
| 41 |
+
CII Critical Information Infrastructure
|
| 42 |
+
CRC Cybersecurity Response Committee
|
| 43 |
+
CSIR Council for the Scientific and Industrial Research
|
| 44 |
+
CSIRT Computer Security Incident Response Team
|
| 45 |
+
DOJ&CD Department of Justice and Constitutional Development
|
| 46 |
+
DOD&MV Department of Defence and Military Veterans
|
| 47 |
+
DST Department of Science and Technology
|
| 48 |
+
DTPS Department of Telecommunications and Postal Services
|
| 49 |
+
ECS Electronic Communications Security
|
| 50 |
+
ECT Electronic Communications and Transactions
|
| 51 |
+
FIRST Forum for Incident Response and Security Teams
|
| 52 |
+
GCA Global Cybersecurity Agenda
|
| 53 |
+
GRC Governance, Risk Management and Compliance
|
| 54 |
+
HLEG High-Level Experts Group
|
| 55 |
+
ICT Information and Communications Technology
|
| 56 |
+
ICASA Independent Communications Authority of South Africa
|
| 57 |
+
IPR Intellectual Property Rights
|
| 58 |
+
ISP Internet Service Provider
|
| 59 |
+
ITU International Telecommunication Union
|
| 60 |
+
JCPS Justice, Crime Prevention and Security (Cluster)
|
| 61 |
+
MOU Memorandum of Understanding
|
| 62 |
+
NCAC National Cybersecurity Advisory Council
|
| 63 |
+
NCII National Critical Information Infrastructure
|
| 64 |
+
NCPF National Cybersecurity Policy Framework
|
| 65 |
+
NPA National Prosecuting Agency
|
| 66 |
+
PKI Public Key Infrastructure
|
| 67 |
+
SAPS South African Police Service
|
| 68 |
+
SIEM Security Information and Event Management
|
| 69 |
+
SITA State Information Technology Agency
|
| 70 |
+
SOE State Owned Entity
|
| 71 |
+
SSA State Security Agency
|
| 72 |
+
UNODC United Nations Office on Drugs and Crime
|
| 73 |
+
WSIS World Summit on the Information Society
|
| 74 |
+
|
| 75 |
+
# EXECUTIVESUMMARY
|
| 76 |
+
|
| 77 |
+
1. Information and Communications Technologies (lCTs) are indispensable in modern society.The interconnectivity of computer networks contributes significantly to economic growth, education, citizens' participation in social media and many others.
|
| 78 |
+
2. This new electronic environment is commonly known as cyberspace. The dependence of the daily functioning of society on information communication technology solutions has led to a concomitant need for the development of adequate security measures. This is because the danger that Cybersecurity threats pose, is real.
|
| 79 |
+
3.The numerous cyber-attacks launched in recent years against advanced information societies aimed at undermining the functioning of public and private sector information systems have placed the abuse of cyberspace high on the list of international and also local security threats. Given the seriousness of cyber threats and of the interests at stake, it is therefore imperative that the comprehensive use of information communication technology solutions be supported by a high level of security measures and be embedded in a broad and sophisticated Cybersecurity culture. For this reason, the cyber threats need to be addressed at both the global and national levels.
|
| 80 |
+
4. National Cybersecurity is a broad term encompassing the many aspects of electronic information, data and media services that affect a country's security, economy and welbeing. Ensuring the security of a country's cyberspace therefore comprises a range of activities at different levels.
|
| 81 |
+
5.World-wide Cybersecurity strategies are being developed and are aimed at setting policy goals, measures and institutional responsibilities in a succinct manner. Generally, the primary concern is to ensure the confidentiality, integrity and availability (C-I-A) of computer data and systems and to protect against or prevent intentional and non-intentional incidents and attacks. Priority is also given to critical information infrastructure protection (CIIP).
|
| 82 |
+
6. These strategies normally also contain measures against or reference to cybercrime. Measures against cybercrime provide a criminal justice response to C-l-A attacks against computers and thus complement technical and procedural Cybersecurity responses. However, cybercrime comprises also offences committed by means of computer data and systems, ranging from the sexual exploitation of children to fraud, hate speech, intellectual property rights (IPR) infringements and many other offences. Furthermore, any crime may involve electronic evidence in one way or the other. While this may not be labelled “cybercrime", a cybercrime strategy would nevertheless need to ensure that the forensic capabilities be created that are necessary to analyse electronic
|
| 83 |
+
|
| 84 |
+
# NATIONAL CYBERSECURITYPOLICYFRAMEWORKFORSOUTHAFRICA
|
| 85 |
+
|
| 86 |
+
evidence in relation to any crime, or that all law enforcement officers, prosecutors and judges are provided at least with basic skills in this respect.[1]
|
| 87 |
+
|
| 88 |
+
7.This South African National Cybersecurity PolicyFramework is aligned to these goals and is necessitated to ensure a focussed and an all-embracing safety and security response in respect of the Cybersecurity environment and establishes and addresses the following:
|
| 89 |
+
|
| 90 |
+
a) The development and implementation of a Government led, coherent and integrated Cybersecurity approach to address Cybersecurity threats;
|
| 91 |
+
b) Establishing a dedicated policy, strategy and decision making body to be known as the JCPS Cybersecurity Response Committee,to identify and prioritise areas of intervention and focussed attention regarding Cybersecurity related threats. The Cybersecurity Response Committee will be chaired by the State Security Agency (SSA) and will be supported operationally by a Cybersecurity Centresituated at the SSA
|
| 92 |
+
c) The capability to effectively coordinate departmental resources in the achievement of common Cybersecurity safety and security objectives (including the planning, response coordination and monitoring and evaluation);
|
| 93 |
+
d) Fighting cybercrime effectively through the promotion of coordinated approaches and planning and the creation of required staffing and infrastructure;
|
| 94 |
+
e) Coordination of the promotion of Cybersecurity measures by all role players (State, public, private sector, and civil society and special interest groups) in relation to Cybersecurity threats, through interaction with and in conjunction with the Cybersecurity Hub (to be established within the Department of Telecommunications and Postal Services);
|
| 95 |
+
f) Strengthening of intelligence collection, investigation, prosecution and judicial processes, in respect of preventing and addressing cybercrime, cyber terrorism and cyber warfare;
|
| 96 |
+
g) Ensuring of the protection of national critical information infrastructure;
|
| 97 |
+
|
| 98 |
+
# NATIONAL CYBERSECURITYPOLICYFRAMEWORKFORSOUTHAFRICA
|
| 99 |
+
|
| 100 |
+
h) The promotion of a Cybersecurity culture and compliance with minimum security standards;
|
| 101 |
+
i) The establishment of public-private partnerships for national and action plans in line with the NCPF; and
|
| 102 |
+
j) Ensuring a comprehensive legal framework governing cyberspace.
|
| 103 |
+
|
| 104 |
+
8. The National Cybersecurity Policy Framework (NCPF) is aligned with and dealt within the JCPS Cluster's mandate and obligations under Outcome $_{3:}$ All people are and feel safe in South Africa. In this regard, Output 8 of Outcome 3 requires the development and implementation of a Cybersecurity policy and the development of capacity to combat and investigate cybercrime that seeks to promote thefollowing
|
| 105 |
+
|
| 106 |
+
a) Measures to address national security threats in terms of cyberspace;
|
| 107 |
+
b) Measures to promote the combating of cybercrime;
|
| 108 |
+
c) Measures to build confidence and trust in the secure use of ICT; and
|
| 109 |
+
d) The development, review and update of existing substantive and procedural laws to ensure alignment.
|
| 110 |
+
|
| 111 |
+
9.The NCPF is intended to provide a holistic approach pertaining to the promotion of Cybersecurity measures by all role players and will be supported by a National Cybersecurity Implementation Plan which will be developed by the JCPS Cluster in consultation with relevant stakeholders, identifying roles and responsibilities, timeframes, specific performance indicators, and monitoring and evaluation mechanisms. The development and large-scale implementation of a system of security measures as implemented elsewhere in the world will form part of the National Cybersecurity Implementation Plan.
|
| 112 |
+
|
| 113 |
+
# NATIONALCYBERSECURITYPOLICYFRAMEWORKFORSOUTHAFRICA
|
| 114 |
+
|
| 115 |
+
# DEFINITIONS
|
| 116 |
+
|
| 117 |
+
# In the context of this policy,
|
| 118 |
+
|
| 119 |
+
"National Critical Information Infrastructure" means all ICT systems, data systems, data bases,networks (including people, buildings,facilities and processes), that are fundamental to the effective operation of the Republic1;
|
| 120 |
+
|
| 121 |
+
"Computer Security Incident Response Team (CsiRT)" is a team of dedicated information security specialists that prepares for and responds to Cybersecurity breaches (Cybersecurity incidents);
|
| 122 |
+
|
| 123 |
+
"Cybersecurity" is the practice of making the networks that constitute cyberspace secure against intrusions,maintaining confidentiality, availability and integrity of information, detecting intrusions and incidents that do occur, and responding to and recovering from them.
|
| 124 |
+
|
| 125 |
+
"Cybersecurity Hub" means a CSiRT established to pool public and private sector threat information for the purposes of processing and disseminating such information to relevant stakeholders including the Cybersecurity centre.
|
| 126 |
+
|
| 127 |
+
"Cyberspace" means a physical and non-physical terrain created by and/or composed of some or all of the following:
|
| 128 |
+
|
| 129 |
+
computers, computer systems, networks and their computer programs, computer data, content data, traffic data, and users;
|
| 130 |
+
|
| 131 |
+
"Cyber warfare" means actions by a nation/state to penetrate another nation's computers and networks for purposes of causing damage or disruption²;
|
| 132 |
+
|
| 133 |
+
"Cyber espionage" means the act or practice of obtaining secrets without the permission of the holder of the information (personal, sensitive, proprietary or of classified nature),from individuals, competitors, rivals, groups, Governments and enemies for personal, economic, political or military advantage3;
|
| 134 |
+
|
| 135 |
+
# NATIONALCYBERSECURITYPOLICYFRAMEWORKFORSOUTHAFRICA
|
| 136 |
+
|
| 137 |
+
"Cyber terrorism" means use of Internet based attacks in terrorist activities by individuals and groups, including acts of deliberate large scale disruptions of computer networks, especially computers attached to the Internet, by the means of tools such as computer viruses4;
|
| 138 |
+
|
| 139 |
+
"Cybercrime" means illegal acts, the commission of which involves the use of information and communication technologies;
|
| 140 |
+
|
| 141 |
+
"ICT"(Information and Communication Technologies) mean any communications device or application including radio, television, cellular phones, satellite systems, computers, network hardware and software and other services such as videoconferencing :
|
| 142 |
+
|
| 143 |
+
"Information society” means people-centred, inclusive and development-oriented information, where everyone can create, access, utilise and share information and knowledge, enabling individuals, communities and people to achieve their full potential in promoting their sustainable development and improving the quality of their life.
|
| 144 |
+
|
| 145 |
+
"JCPS CRC" means Justice, Crime Prevention and Security Cluster's Cybersecurity Response Committee.
|
| 146 |
+
|
| 147 |
+
"Malware” means malicious software, and is programming (code, scripts, active content, and other software) designed to disrupt or deny operation, gather information that leads to loss of privacy or exploitation, gain unauthorized access to system resources, and other abusive behaviour. The expression is a general term used by computer professionals to mean a variety of forms of hostile, intrusive, or dangerous software or program code. Malware's most common pathway from criminals to users is through the Internet: primarily by e-mail and the World Wide Web.(Symantec published a report in 2oo8 indicating that "the release rate of malicious code and other unwanted programs may be exceeding that of legitimate software applications.“According to F-Secure,"As much malware [was] produced in 20o7 as in the previous 20 years altogether." $^5)$
|
| 148 |
+
|
| 149 |
+
"Organisation and user's assets” include connected computing devices, personnel, infrastructure,applications, services, telecommunication systems, and a totality of transmitted and/or stored information in the cyber environment.
|
| 150 |
+
|
| 151 |
+
"Organ of State" means an Organ of the State as defined in section 239 of the Constitution.
|
| 152 |
+
|
| 153 |
+
"Phishing" indicates, as an example, the fraudulent way of attempting to acquire sensitive information such as usernames, passwords and credit card details by someone masquerading as a trustworthy entity in an electronic communication,to lure the unsuspecting public.These modus
|
| 154 |
+
|
| 155 |
+
# NATIONAL CYBERSECURITY POLICY FRAMEWORK FOR SOUTH AFRICA
|
| 156 |
+
|
| 157 |
+
operandi are constantly evolving and is included here as typical examples of Cybersecurity / cybercrime threats that many people will encounter when using computers and information communication technology. Phishing is typically carried out by e-mail or instant messaging and it often directs users to enterdetails at a fakewebsitewhose look andfeelare almost identical to the legitimate one.
|
| 158 |
+
|
| 159 |
+
# 1. Introduction
|
| 160 |
+
|
| 161 |
+
1.1 A number of strategic interventions and tactical interventions have been successfully implemented over the past few years and other interventions are in the process of being implemented within the Justice, Crime Prevention and Security (JCPS) Cluster in the fight against crime with the objective of making South Africa Safe. As part of Government's Outcome based priorities, the JCPS Cluster signed on 24 October 2010, the JCPS Delivery Agreement, relating to Outcome 3: “All People in South Africa Are and Feel Safe". This Outcome focuses on certain areas and activities, clustered around specific Outputs,where interventions will make a substantial and a positive impact on the safety of the people of South Africa. One such area relates to Output 8: which requires the development and implementation of a Cybersecurity Policy and the development of capacity to combat and investigate cybercrime. In line herewith, this document therefore sets out a National Cybersecurity Policy Framework (NCPF) for South Africa.
|
| 162 |
+
|
| 163 |
+
1.2 It is generally accepted that Information and Communications Technologies (ICTs) have become indispensable in modern society. The increased interconnectivity of computer networks and the expansion of broadband including mobility are contributing significantly to economic growth, digital integration, education, electronic governance, citizens' participation in governance and many others. This new electronic environment is commonly known as cyberspace. It has created a “global village” with instantaneous communication possible between persons on the opposite sides of the world. The NCPF Policy Framework therefore recognises that Cybersecurity threats and the combating thereof have a personal, national and international context.
|
| 164 |
+
|
| 165 |
+
1.3Cyberspace comes with new types of challenges to the governments of the world and it therefore introduces a further dimension to National Security. It is a borderless platform that enables more sophisticated threats such as cybercrime, cyber terrorism, cyber war and cyber espionage. The numerous cyber-attacks launched in recent years against advanced information societies aimed at undermining the functioning of public and private sector information systems have placed the abuse of cyberspace high on the list of security threats. The acknowledgment that such attacks pose a threat to international security reached new heights in 2007 owing to the first-ever co-ordinated cyber-attack against an entire country and also because of large-scale cyber-attacks against information systems in many other countries as well. The co-ordinated cyber-attacks against government agencies, banks,
|
| 166 |
+
|
| 167 |
+
# NATIONALCYBERSECURITY POLICYFRAMEWORKFOR SOUTHAFRICA
|
| 168 |
+
|
| 169 |
+
media and telecommunications companies in Estonia demonstrated the vulnerability of a society's information infrastructure as an aspect of national security that needs attention in all countries. There are views that Internet is becoming more and more militarized.The problem is very specific to malware being distributed through terror groups.
|
| 170 |
+
|
| 171 |
+
1.4The recurrence and growing incidence of cyber-attacks indicate the start of a new era in which the security of cyberspace requires a global dimension and the protection of National Critical Information Infrastructure must be elevated, in terms of national security, on par with traditional defence interests.
|
| 172 |
+
|
| 173 |
+
1.5National Cybersecurity is a broad term encompassing many aspects of electronic information, data, and media services that affect a country's security, economy and welbeing. Ensuring the security of a country's cyberspace thus comprises of a range of activities at different levels.Towards this end, the most important policy domains include reducing the vulnerability of cyberspace, preventing cyber threats and attacks in the first instance and,in the event of an attack, ensuring a swift recovery of the functioning of critical information systems.
|
| 174 |
+
|
| 175 |
+
1.6 Thus, a Cybersecurity strategy must appraise the vulnerability of a country's critical information infrastructure, devise a system of preventative measures against cyber-attacks, and decide upon the alocation of tasks relating to Cybersecurity management at the national level. Moreover, it is also important to improve the legal framework against cyber-attacks, to enhance international and institutional co-operation, and to raise public awareness and develop training and research programmes on Cybersecurity.
|
| 176 |
+
|
| 177 |
+
1.7 The above threats necessitate a comprehensive and all-encompassing approach in dealing with cyber threats.In short, a Cybersecurity culture, driven in main by the State, is critical to ensure that citizens take advantage of the information age, whilst remaining conscious of the threats and vulnerabilities of cyberspace. The NCPF recognises the need to balance, on the one hand, the risks associated with the use of information systems and, on the other hand, the indispensability of extensive and free use of information technology to the functioning of open and modern societies. The growing threats to Cybersecurity should not hinder the crucial role of information and communications technology in stimulating the growth of economies and societies.
|
| 178 |
+
|
| 179 |
+
1.8In response to the above challenges, Governments worldwide have established policies and structures that govern interaction and collaboration between Government, private sector, academia and civil society in an effort to prevent, react to, combat and mitigate Cybersecurity vulnerabilities and attacks.
|
| 180 |
+
|
| 181 |
+
1.9 The NCPF recognises that the State is charged with implementing a Government led, coherent and integrated Cybersecurity approach which, amongst others,will:
|
| 182 |
+
|
| 183 |
+
# NATIONAL CYBERSECURITY POLICYFRAMEWORK FOR SOUTHAFRICA
|
| 184 |
+
|
| 185 |
+
a) Promote a Cybersecurity culture and demand compliance with minimum security standards;
|
| 186 |
+
b) Strengthen intelligence collection, investigation, prosecution and judicial processes, in respect of preventing and addressing cybercrime,cyber terrorism and cyber warfare and other cyber ills;
|
| 187 |
+
c) Establish public-private partnerships for national and international action plans;
|
| 188 |
+
d) Ensure the protection of National Critical Information Infrastructure; and
|
| 189 |
+
e) Promote and ensure a comprehensive legal framework governing cyberspace.
|
| 190 |
+
|
| 191 |
+
1.10 This framework is intended to implement an allencompassing approach pertaining to allthe role players (State, public, private sector, civil society and special interest groups) in relation to Cybersecurity. This framework will be supported by a National Cybersecurity Implementation Plan which will be developed by the SSA in consultation with relevant stakeholders, identifying roles and responsibilities, timeframes, specific performance indicators, and monitoring and evaluation mechanisms.
|
| 192 |
+
|
| 193 |
+
# 2. The South African Context
|
| 194 |
+
|
| 195 |
+
2.1 South Africa like many other countries has become dependent on the Internet to govern, to conduct business and for other social purposes. The Internet has become indispensable to many South Africans and will continue to be, as more people access the information highway. Taking into consideration the increase in national and international bandwidth in South Africa, cybercrimes and threats are and will continue to increase. These cybercrimes and threats have the potential to impact on our national security and economy.
|
| 196 |
+
|
| 197 |
+
2.2 Currently there are various pieces of legislation, some with overlapping mandates administered by different Government Departments and whose implementation is not coordinated. Furthermore, the legislation when viewed collectively does not adequately address South Africa's Cybersecurity challenges.
|
| 198 |
+
|
| 199 |
+
2.3 The absence of an aligned legal and regulatory framework, and the challenge of uncoordinated Cybersecurity eforts is not unique to South Africa, other jurisdictions arefaced with the same challenges.
|
| 200 |
+
|
| 201 |
+
2.4Statistics in 2011 indicate that South Africa was in the top three countries that are targeted for phishing purposes, the other countries are the USA and the UK. In addition to phishing, other e-Crime incidents in the RSA have increased to the value of millions of rands. The banking sector is especially vulnerable to cybercrime. In light of the above and many more unreported incidents, there is a need to combat cybercrime.
|
| 202 |
+
|
| 203 |
+
2.5 The borderless nature of cybercrimes introduces a further dimension to National Security. Numerous cyber-attacks have been launched against a number of countries,such as the attack on Estonia in 2007, which crippled the country's electronic systems. South Africa is not immune to such atacks. The protection of South Africa's critical information infrastructure and the coordination thereof is therefore essential. South Africa needs to develop mechanisms that will ensure proactive and coordinated national response to cyber threats and incidents including combating cybercrime. The Government's leadership role in this regard is important, whilst acknowledging that Cybersecurity is everyone's responsibility, public sector, private sector and civil society.
|
| 204 |
+
|
| 205 |
+
2.6 The role of the ICTs in social and economic development of a country has been widely acknowledged; however the full potential of ICTs cannot be realized unless there is confidence and trust in the secure use of ICTs. Government should take responsibility to ensure that theprivate sector and civil society are not only aware of the dangers of operating in cyberspace but also take necessary measures not to become victims of cybercrime. It is thus prudent to develop within South Africa a culture of Cybersecurity that will address the needs of the public sector, private sector and civil society.
|
| 206 |
+
|
| 207 |
+
2.7 Opportunities of ICT and the challenges of Cybersecurity are fuelled by advances in technology. Consequently, there is a need to develop the requisite skills to exploit the opportunities of an information economy and meet the dynamic challenges of Cybersecurity. South Africa will always lag behind or be vulnerableunless we develop requisite skills. There is a need to create an enabling environment for Cybersecurity training, education,research and development and skills development programmes in South Africa.
|
| 208 |
+
|
| 209 |
+
2.8 South Africa is a consumer of ICTs and depends on overseas manufactured technologies to secure its cyberspace.The downside of this, is that our critical information infrastructure will continue to have some degree of vulnerability. Thus it is important to develop indigenous Cybersecurity technologies. Unless we develop Research and Development capabilities to address this, we will continue to rely of foreign technologies for this purpose. The absence of stringent compliance monitoring to ensure that technologies used comply to international and national Cybersecurity standards.
|
| 210 |
+
|
| 211 |
+
2.9 South Africa will in the promotion and development of Cybersecurity measures in relation to this NCPF bear in mind the international instruments and measures that may be relevant such
|
| 212 |
+
|
| 213 |
+
# NATIONAL CYBERSECURITYPOLICYFRAMEWORKFORSOUTHAFRICA
|
| 214 |
+
|
| 215 |
+
as the work of the various agencies of the United Nations.° In 2011, the International Telecommunications Union (ITU) and the UN Office on Drugs and Crime (UNODC) signed a memorandum of understanding (MOU) to help secure cyberspace for consumers, businesses, and children and to mitigate the risks posed by cybercrime. The MOU will enable the parties to avail the necessary expertise and resources to establish legal measures and legislativeframeworks atnational level,forthebenefit of allinterestedcountries.This initiative is a major milestone in implementing a co-ordinated global approach to an increasingly serious global problem.'
|
| 216 |
+
|
| 217 |
+
# 3. Purpose of the NCPF
|
| 218 |
+
|
| 219 |
+
3.1The purpose of the NCPF is to create a secure, dependable,reliable and trustworthy cyber environment that facilitates the protection of critical information infrastructure whilst strengthening shared human values and understanding of Cybersecurity in support of national security imperatives and the economy. This will enable the development of an information society which takes into account the fundamental rights of every South African citizen to privacy, security, dignity, access to information, the right to communication and freedom of expression.
|
| 220 |
+
|
| 221 |
+
3.2 The NCPF seeks to ensure that Government, business and civil society are able to enjoy the full benefits of a safe and secure cyberspace. To this end, the public sector, private sector and civil society willneed to work together tounderstand and address the risks,reduce the benefits to criminals and seize opportunities in cyberspace to enhance South Africa's overall security and safety including its economic well-being.
|
| 222 |
+
|
| 223 |
+
3.3 This NCPF therefore provides for:
|
| 224 |
+
|
| 225 |
+
a) Measures to address national security in terms of cyberspace; b) Measures to combat cyber warfare, cybercrime and other cyber ills; c) The development, review and updating existing substantive and procedural laws to ensure alignment; and d) Measures to build confidence and trust in the secure use of ICT.
|
| 226 |
+
|
| 227 |
+
# NATIONAL CYBERSECURITY POLICYFRAMEWORKFORSOUTHAFRICA
|
| 228 |
+
|
| 229 |
+
# 4. Key Objectives of the NCPF
|
| 230 |
+
|
| 231 |
+
4.1The NCPF articulates the overall aim and objectives of the South African Government and sets out strategic priorities that will be pursued to achieve these objectives. In order to achieve the strategic visionset out in thispolicy, it is expected that this National Cybersecurity Policy Framework will:
|
| 232 |
+
|
| 233 |
+
4.1.1 Centralise coordination of Cybersecurity activities,by facilitating the establishment of relevant structures, policy frameworks and strategies in support of Cybersecurity in order to combat cybercrime, address national security imperatives and to enhance the information society and knowledge based economy;
|
| 234 |
+
4.1.2 Foster cooperation and coordination between Government, the private sector and civil society by stimulating and fostering a strong interplay between policy, legislation, societal acceptance and technology;
|
| 235 |
+
4.1.3 Promote international cooperation;
|
| 236 |
+
4.1.4 Develop requisite skills, research and development capacity;
|
| 237 |
+
4.1.5 Promote a culture of Cybersecurity; and
|
| 238 |
+
4.1.6 Promote compliance with appropriate technical and operational Cybersecurity standards.
|
| 239 |
+
|
| 240 |
+
# 5. Capacity to Respond to Cybersecurity lmperatives
|
| 241 |
+
|
| 242 |
+
5.1The Justice Crime Prevention and Security Cluster (JCPS),working in consultation with other Government Clusters , will oversee the implementation of this policy framework, with the aim to ensure centralized coordination of Cybersecurity issues.
|
| 243 |
+
|
| 244 |
+
5.2Adedicated JCPSCybersecurity Response Committee will be established within the JCPS Cluster to coordinate Cybersecurity activities, drive the implementation of the NCPF and manage the implementation of Output 8. The Cybersecurity Response Committee will be chaired by the State Security Agency (SSA) and it will be supported operationally by a CybersecurityCentresituated at the SSA.All relevant JCPS departments willberepresented on the Cybersecurity Response Committee.
|
| 245 |
+
|
| 246 |
+
5.3 The role of the JCPS Cybersecurity Response Committee will, amongst others, be to:
|
| 247 |
+
|
| 248 |
+
# NATIONALCYBERSECURITYPOLICYFRAMEWORKFORSOUTHAFRICA
|
| 249 |
+
|
| 250 |
+
5.3.2 Coordinate Cybersecurity activities and be a central point of contact on all Cybersecurity matters pertinent to national security (national defence, national intelligence and cybercrime);
|
| 251 |
+
|
| 252 |
+
.3 Identify and prioritise areas of intervention and promote focussed attention and guidance where required regarding Cybersecurity related threats and incidents;
|
| 253 |
+
|
| 254 |
+
5.3.4 Promote, guide and coordinate activities aimed at improving Cybersecurity measures by all role players, which would include amongst others, the strengthening of intelligence collection and improved State capacity to investigate, prosecute and combat:
|
| 255 |
+
|
| 256 |
+
a) Cybercrime,
|
| 257 |
+
b) Cyber terrorism,
|
| 258 |
+
c) Cyber espionange,
|
| 259 |
+
d) Cyber warfare and
|
| 260 |
+
e) Any other cyber related threats;
|
| 261 |
+
|
| 262 |
+
5.3.5 Oversee and guide the functioning of the Cybersecurity Centre, Cybersecurity Hub, RSA Government Electronic Communications Security Computer Security Incident Response Team (ECS -CSiRT) and any other CSiRT established in SA.
|
| 263 |
+
|
| 264 |
+
5.3.6 Promote and provide guidance to the process of the development and implementation of:
|
| 265 |
+
|
| 266 |
+
a) The protection of national critical information infrastructure Plan;
|
| 267 |
+
b) Situational analysis and awareness campaign concerning the risk environment of South African cyberspace;
|
| 268 |
+
c) Cybersecurity culture and compliance with minimum security standards;
|
| 269 |
+
d) Public-private partnerships for national and action plans in line with the NCPF;
|
| 270 |
+
e) Compliance with appropriate technical and operational Cybersecurity standards;
|
| 271 |
+
f) Cybersecurity training, education, research and development and skills development programmes;
|
| 272 |
+
g) International cooperation;
|
| 273 |
+
h) Facilitation of interaction, both nationally and internationally, including through international memberships to organisations such as the Forum for Incident Response and Security Teams (FiRST); and develop policy guidelines to inform such interaction;
|
| 274 |
+
|
| 275 |
+
# NATIONALCYBERSECURITYPOLICYFRAMEWORKFORSOUTHAFRICA
|
| 276 |
+
|
| 277 |
+
i) Establishment of sector, regional and continental CSiRTs; and j) Comprehensive legal framework governing cyberspace.
|
| 278 |
+
|
| 279 |
+
5.4 The role of the Cybersecurity Centre will be to:
|
| 280 |
+
5.4.1 Facilitate the operational coordination of Cybersecurity incident response activities regarding national intelligence, national defence and cybercrime;
|
| 281 |
+
5.4.2 Develop measures to deal with Cybersecurity matters impacting on national security;
|
| 282 |
+
5.4.3 Facilitate the analysis of Cybersecurity incidents, trends, vulnerabilities, information sharing, technology exchange on national security and threats to improve technical response coordination;
|
| 283 |
+
5.4.4 Provide guidance to and facilitate the identification, protection and securing of National Critical Information Infrastructure (NCIl);
|
| 284 |
+
5.4.5 Ensure regular assessment and testing of National Critical Information Infrastructures, including vulnerability assessments, threat and risk assessment and penetration testing;
|
| 285 |
+
5.4.6 Provide coordination and guidance regarding Corporate Security and Policy Development; Governance, Risk Management, and Compliance (GRC); ldentity and Security Management; Security Information and Event Management (SiEM), and Digital Forensics as it pertains to Cybersecurity matters within Organs of State;
|
| 286 |
+
5.4.7 Develop response protocols to guide coordinated responses to Cybersecurity incidents and interaction with the various stakeholders;
|
| 287 |
+
5.4.8 Ensure the conducting of Cybersecurity audits, assessments and readiness exercises and provide advice on the development of national response plans;
|
| 288 |
+
5.4.9 Provide the Secretariat services required in relation to the JCPS Cybersecurity Committee, and
|
| 289 |
+
5.4.10 Perform any other function consistent with the strategic and policy objectives set out herein.
|
| 290 |
+
|
| 291 |
+
# 6. Cybersecurity Hub and Additional CSlRTs
|
| 292 |
+
|
| 293 |
+
6.1 Notwithstanding the envisaged JCPS Cybersecurity Response Committee, the Cybersecurity Centre and the existing ECS-CSiRT, there is also a need to ensure appropriate consultation between the JCPS cluster departments, the private sector and civil society regarding Cybersecurity matters.
|
| 294 |
+
6.2 To deal with the above stated, this policy recognises that the crucial need for the facilitation of interaction between the key role players in the public sector, private sector and the broader civil society. The NCPF therefore promotes the coordination and consultation between the JCPS cluster departments, the private sector and civil society regarding Cybersecurity matters through the establishment of a Cybersecurity Hub within the Department of Telecommunications and Postal Services (DOC). The Cybersecurity Hub will be operated within the DOC in accordance with national security guidelines and standards issued by the JCPS Cybersecurity Response Committee.
|
| 295 |
+
6.3 To enhance interaction, consultations and to promote a coordinated aproach regarding engagements with the private sector and civil society, Cybersecurity Hub will amongst others, have the responsibility to:
|
| 296 |
+
6.3.1 Coordinate general Cybersecurity activities, in consultation with JCPS CRC as well as including identifying stakeholders and developing public-private relationships and collaborating with any sector CSiRTs that may be established;
|
| 297 |
+
6.3.2 Disseminate relevant information to othersector CSiRTs, vendors, technology experts on Cybersecurity developments;
|
| 298 |
+
6.3.3 Provide best practice guidance on ICT security for Government, business and civil society;
|
| 299 |
+
6.3.4 Initiate Cybersecurity awareness campaigns;
|
| 300 |
+
6.3.5 Promote compliance with standards, procedures and policy developed by the JCPS Cybersecurity Response Committee regarding Cybersecurity matters with a bearing on national security.
|
| 301 |
+
6.3.6 Encourage and facilitate the development of appropriate additional sector CSiRTs. The sector CSIRTs will:
|
| 302 |
+
6.3.6.1 Be a point of contact for that specific sector on Cybersecurity matters;
|
| 303 |
+
6.3.6.2 Coordinate Cybersecurity incident response activities within that sector;
|
| 304 |
+
|
| 305 |
+
NATIONALCYBERSECURITYPOLICYFRAMEWORKFORSOUTHAFRICA
|
| 306 |
+
|
| 307 |
+
|
| 308 |
+
<html><body><table><tr><td></td><td></td></tr><tr><td>6.3.6.3</td><td>Facilitate information and technology sharing within the sector;</td></tr><tr><td>6.3.6.4</td><td>Facilitate information sharing and technology exchange with other sector CSIRTs;</td></tr><tr><td>6.3.6.5</td><td>Establish national security standards and best practices for the sector in consultation with the Cybersecurity Centre and the JCPS Cybersecurity Response Committee which are consistent with guidelines, standards and best practices</td></tr><tr><td>6.3.6.6</td><td>Develop agreed upon measures;</td></tr><tr><td>6.3.6.7</td><td>Conduct Cybersecurity audits, assessments and readiness exercises for the sector; and</td></tr><tr><td>6.3.6.8</td><td>Provide sector entities with best practice guidance on ICT security.</td></tr></table></body></html>
|
| 309 |
+
|
| 310 |
+
# 7. Verification of Information Security Products and Systems
|
| 311 |
+
|
| 312 |
+
7.1 South Africa needs to independently assess and certify products and systems that are used to process or store information that can have an impact on national security. The NCPF therefore promotes the facilitation by the JCPS Cybersecurity Response Committee and the National Cybersecurity Hub of the development of a National Information Security Verification Framework that will enable the achievement of this objective by executing the following:
|
| 313 |
+
|
| 314 |
+
a) Facilitating effective partnerships between the Republic of South Africa and countries with established capacity to perform information security assessments and certifications.
|
| 315 |
+
b) Facilitating effective partnerships between the Government of South Africa, the private sector, academic and research institutions to ensure that there is always capacity to perform information security assessments and certifications within the borders of the Republic.
|
| 316 |
+
c) Developing National regulations for verification of products and systems with applications in Information Security.
|
| 317 |
+
d) Facilitating effective partnerships among government institutions, e.g. those tasked with technical assessments, and those whose responsibility is licensing, and those
|
| 318 |
+
|
| 319 |
+
# NATIONAL CYBERSECURITYPOLICY FRAMEWORKFOR SOUTH AFRICA
|
| 320 |
+
|
| 321 |
+
who monitor, (e.g. the Auditor General), to ensure that solutions are implemented in accordance with certification conditions and legislation.
|
| 322 |
+
|
| 323 |
+
e) Establishing a body that will centrally coordinate the required national verification functions.
|
| 324 |
+
|
| 325 |
+
# 8. NCll Protection
|
| 326 |
+
|
| 327 |
+
8.1 The NCPF recognises the need to provide a mechanism to ensure that South Africa's critical information infrastructure is protected and secured against cyber related crimes. It is also noted that a more secured critical information infrastructure will help to achieve the continued provision of essential services and support national security, economic prosperity and social well-being of the Republic. The policy framework recognises that a significant proportion of SA's national critical information infrastructure (NCll) is privately owned or operated on a commercial basis.
|
| 328 |
+
|
| 329 |
+
8.2 The NCPF therefore seeks to ensure that appropriate steps are taken to ascertain that all National Critical Information Infrastructure (NCll) are identified and properly protected from a variety of threats. For continued availability of the critical information infrastructure, the NCPF thus promotes the development of a National Critical Information Infrastructure (NCIl) Strategy that will address the identification and protection of NCll by:
|
| 330 |
+
|
| 331 |
+
a) Developing National Critical Information Infrastructure regulations, relating,inter alia, to:
|
| 332 |
+
|
| 333 |
+
i. Information Classification and Information Security Policy and Procedures;
|
| 334 |
+
ii. Third Party Access to NCII;
|
| 335 |
+
1i1. Access to and authentication on NCll;
|
| 336 |
+
iv. Storage and archiving of critical databases;
|
| 337 |
+
V. Incident management and business continuity; and vi. Physical and technical protection of all NCll.
|
| 338 |
+
|
| 339 |
+
b) Facilitate an effective business - government partnership relating to the implementation of the Cll Protection Plan. To this end, the private sector, State Owned Enterprises (SOE's), and other government agencies and institutions such as the State Information Technology Agency (SiTA) will play a critical role in ensuring the implementation of NCIl protection plan.
|
| 340 |
+
|
| 341 |
+
# 9. Cryptography
|
| 342 |
+
|
| 343 |
+
9.1 There are an ever-increasing numbers of cryptographic devices, crypto graphic software and users requiring secure communications and the geographic spread of locations of these devices. The NCPF therefore provides for the regulation of cryptography given the critical role it plays in ensuring improved secure communications.
|
| 344 |
+
|
| 345 |
+
9.2 The NCPF notes that various attempts at regulating cryptography were initiated as a way of developing a coherent and integrated approach to this matter. These strategies are found in various laws such as:
|
| 346 |
+
|
| 347 |
+
a) National Convention Arms Control Act (Act 41 of 2002)
|
| 348 |
+
b) Electronic Communications and Transactions Act (Act 25 of 2002)
|
| 349 |
+
c) Electronic Communications Security (Pty) Ltd Act (Act 68 of 2002)
|
| 350 |
+
d) Regulation of Interception of Communications and Provision of Communications Related Information Act (Act 70 of 2002)
|
| 351 |
+
e) State Information Technology Agency Act (Act 88 of 1998)
|
| 352 |
+
f) Conventional Arms Control Regulations (R7969 of 2004)
|
| 353 |
+
g) Cryptographic regulations (R8418 of 2006)
|
| 354 |
+
|
| 355 |
+
9.3Taking into consideration the above-mentioned legislation,the NCPF recognises that there is a need to:
|
| 356 |
+
|
| 357 |
+
a) Review the existing legislation and regulations thereof; and b) Develop an integrated regulatory framework for Cryptography for the country.
|
| 358 |
+
|
| 359 |
+
# 10.Online E-ldentity Management in Cyberspace
|
| 360 |
+
|
| 361 |
+
10.1 It is noted that the Electronic Communications and Transactions Act, 20o2 (Act 25 of 2002) (ECT Act) provides for the establishment of the South African Accreditation Authority to facilitate the accreditation and regulation of authentication services and products. It further provides for advanced electronic signatures and facilitates the recognition of electronic documents as legal and binding.
|
| 362 |
+
|
| 363 |
+
10.2 The NCPF notes that the South African Post Offce (which in terms of the ECT Act, 2002 is a preferred service provider for advanced electronic signatures) has developed a Public Key Infrastructure (PKl) to support advanced electronic signatures (e-identity) and the Department of Public Service and Administration pursuant to its mandate in E--Government willdevelop a
|
| 364 |
+
|
| 365 |
+
# NATIONALCYBERSECURITYPOLICYFRAMEWORKFORSOUTHAFRICA
|
| 366 |
+
|
| 367 |
+
PKI Strategy. The Department of Telecommunications and Postal Services (DOC), pursuant to its mandate established the South African Accreditation Authority to accredit and regulate authentication services and products.
|
| 368 |
+
|
| 369 |
+
10.3The issue of identity management in cyberspace is central to building confidence and trust in the secure use of ICTs. The NCPF seeks to address the fragmented approach by promoting the development of an integrated National E-identity and PKl strategy. Such a strategy and implementation thereof will be critical inproviding inter alia e-government services as well as to ensure security, confidentiality and integrity. Uptake and usage of e-identity in e government services will stimulate other sectors as well.
|
| 370 |
+
|
| 371 |
+
10.4 The NCPF acknowledges that transmission of information over the Internet for trading and communication purposes presents new and sophisticated threats for both the senders and recipients of information. Therefore to ensure online transaction security, the NCPF provides for the development of a holistic National E-ldentity and PKl Strategy. The strategy will, amongst others, assist to address:
|
| 372 |
+
|
| 373 |
+
a) Authentication and securing of the identities of the parties to an e-transaction;
|
| 374 |
+
b) Confidentiality, ensuring information is kept private;
|
| 375 |
+
c) Integrity issues, by ensuring the information or process has not been modified or corrupted;
|
| 376 |
+
d) Non-repudiation issues, by ensuring that neither party can refute that the transaction occurred (i.e. the trans action is binding); and
|
| 377 |
+
e) The structure and regulatory framework for E-ldentity and a Public Key Infrastructure.
|
| 378 |
+
|
| 379 |
+
10.5 The NCPF also requires that the development of a holistic National E-ldentity and PKI Strategy should be aligned to the broader objectives set out herein and in particular the roles and the responsibilities of the critical stakeholders in the implementation of the NCPF.
|
| 380 |
+
|
| 381 |
+
# 11. Promote and Strengthen Local and International Cooperation
|
| 382 |
+
|
| 383 |
+
11.1 In terms of this policy framework, the Cybersecurity Hub will foster cooperation and coordination between the public sector, private sector and civil society.
|
| 384 |
+
|
| 385 |
+
# 11.2 Local cooperation
|
| 386 |
+
|
| 387 |
+
11.2.1 The NCPF promotes the Public-Private-Civil sector collaboration and the use of industry perspectives, equities and knowledge to enhance Cybersecurity. The Public-PrivateCivil sector partnership is based on the understanding that Cybersecurity is everyone's responsibility and there is a need to leverage on joint knowledge and perspectives, to combat cybercrime.
|
| 388 |
+
|
| 389 |
+
11.2.2 The NCPF thus promotes the establishment of collaboration with local stakeholders, with a focus on the following aspects:
|
| 390 |
+
|
| 391 |
+
(a) Inclusion of the industry and creating an enabling environment for a successful partnership;
|
| 392 |
+
(b) Encouraging private sector groups to address common security interests and collaborate with government including encouraging cooperation among groups from interdependent industries;
|
| 393 |
+
(c) Bringing private sector and government together in trusted forums; and
|
| 394 |
+
(d) Creating a common understanding of the threats and vulnerabilities that the country faces and the responses required.
|
| 395 |
+
|
| 396 |
+
# 11.3 International Cooperation
|
| 397 |
+
|
| 398 |
+
11.3.1 Internet as a form of media can in essence not be regulated in total by an authority or government. Given the borderless nature of the Internet and the challenges it poses in terms of jurisdiction, it is important that countries learn and collaborate with each other in order to combat cybercrimes.
|
| 399 |
+
|
| 400 |
+
11.3.2 Therefore, international collaboration is critical in securing cyberspaces nationally and globally. Recognising the need for global collaboration on matters regarding Cybersecurity, South Africa is required to collaborate with relevant and appropriate international organisations and governments, in line with the Constitution, national security imperatives, foreign policy and existing international agreements. To this end, South Africa will:
|
| 401 |
+
|
| 402 |
+
# NATIONAL CYBERSECURITYPOLICYFRAMEWORKFORSOUTHAFRICA
|
| 403 |
+
|
| 404 |
+
(a) Participate in regional, African Union and international fora on matters pertinent to Cybersecurity in order to advance South Africa's views in the definition and elaboration of the global Cybersecurity agenda in combating cybercrime and building confidence and trust in the secure use of ICTs.
|
| 405 |
+
(b) Forge bilateral and multilateral partnerships in our national interest through various instruments inter alia Memorandum of Understanding, Convention, Treaty, etc.
|
| 406 |
+
(c) Afiliate to relevant international organisations in order to promote a coordinated global response to threats and vulnerabilities and to keep abreast of developments in the Cybersecurity front.
|
| 407 |
+
|
| 408 |
+
# 12. Capacity Development, Research and Development
|
| 409 |
+
|
| 410 |
+
12.1 The dynamic nature of Cybersecurity challenges necessitates the continuous development of capabilities and requisite skills.
|
| 411 |
+
|
| 412 |
+
# 12.2 The NCPF therefore promotes:
|
| 413 |
+
|
| 414 |
+
a) Development of capacity building strategies to address South Africa's, specific skills requirements to meet the ever increasing challenges of addressing Cybersecurity threats;
|
| 415 |
+
b) Development of recruitment and retention strategies aimed at ensuring a sufficient level of technical expertise is developed and maintained within the Republic; and
|
| 416 |
+
c) Development of a Cybersecurity research and development agenda and enhancement of Cybersecurity research within South African Universities, industry and the Department of Science and Technology.
|
| 417 |
+
d) Enterprise development so as to grow the information security sector in terms of skills and growing enterprises that produce technology that protect cyberspace.
|
| 418 |
+
|
| 419 |
+
# 13.Cyber-warfare
|
| 420 |
+
|
| 421 |
+
13.1 In order to protect its interests in the event of a cyber-war, a cyber defence capacity has to be built. The NCPF thus promotes that a Cyber Defence Strategy, that is informed by the National Security Strategy of South Africa, be developed, guided by the JCPS Cybersecurity Response Committee.
|
| 422 |
+
|
| 423 |
+
# 14. Promotion of a Cybersecurity Culture
|
| 424 |
+
|
| 425 |
+
14.1 T0 effectively deal with Cybersecurity, it is prudent that civil society, government and the private sector play their part in ensuring South Africa has a culture of Cybersecurity. Critical to this is the development of a culture of Cybersecurity, in whichrole players understand the risks of surfing in cyberspace. To facilitate the building of a Cybersecurity culture, the NCPF provides for inter alia:
|
| 426 |
+
|
| 427 |
+
14.1.1 Implementing Cybersecurity awareness programs for private sector, public sector and
|
| 428 |
+
civil society users;
|
| 429 |
+
14.1.2 Encouraging business to develop a positive culture for Cybersecurity;
|
| 430 |
+
14.1.3 Supporting outreach to civil society, children and individual users;
|
| 431 |
+
14.1.4 Promoting a comprehensive national awareness program and guidelines;
|
| 432 |
+
14.1.5 Reviewing and updating existing privacy regime;
|
| 433 |
+
14.1.6 Develop awareness of cyber risks and available solutions;
|
| 434 |
+
14.1.7 Continuously review cyber applications and the impact from a Cybersecurity
|
| 435 |
+
perspective.
|
| 436 |
+
14.1.8 Compliment the culture of Cybersecurity with online support mechanisms.
|
| 437 |
+
|
| 438 |
+
# 15. Technical and Operational Standards Compliance
|
| 439 |
+
|
| 440 |
+
15.1 The NCPF also promotes:
|
| 441 |
+
|
| 442 |
+
a) The recognition of and compliance with appropriate international and local technical andoperational Cybersecurity standards. The Ministerof Communications shall enforce compliance with such standards where appropriate and in consultation with the National Cybersecurity Advisory Council;
|
| 443 |
+
b) The continuous monitoring, review and assessment of regulatory frameworks that support Cybersecurity ; and
|
| 444 |
+
|
| 445 |
+
# NATIONALCYBERSECURITYPOLICYFRAMEWORKFORSOUTHAFRICA
|
| 446 |
+
|
| 447 |
+
c) The development and/or adoption of standards by the South African Bureau of Standards in consultation with relevant Government Departments, ICASA and industry. This will ensure a safe and secure cyberspace environment that will enable the growth of e-commerce and an inclusive information society.
|
| 448 |
+
|
| 449 |
+
# 16.The Role and Responsibility of the State
|
| 450 |
+
|
| 451 |
+
This policy recognizes that there are a number of Organs of State that play a critical role in the implementation of Cybersecurity measures. For effective implementation of this policy framework, the role of some of the main relevant Organs of State are set out below. Inclusive of the various roles and responsibilities set out, all other governmental priorities such as the protection of vulnerable groups,promotion of job creation and general protection of Constitutional values and principles are endorsed and should be promoted in the development of implementation plans and activities. Liaison with other clusters such as the economic cluster will be essential in the development of the various implementation plans guided by the NCPF.
|
| 452 |
+
|
| 453 |
+
16.1 The Department of Justice and Constitutional Development (DOJ&CD) and the National Prosecuting Authority (NPA) have an overall responsibility for facilitating cybercrime prosecution and court processes in accordance with the applicable laws.
|
| 454 |
+
|
| 455 |
+
a) The NCPF also requires the DOJ&CD to develop an implementation plan for the review and alignment of all Cybersecurity laws with the policy objectives and mandates of the State institutions as set out herein. In this regard, the DOJ&CD will be required to lead a process, in consultation with other JCPS Cluster Departments, for the review and alignment of Cybersecurity laws and will be required to submit progress reports to the JCPS Cluster Cybersecurity implementation team on a continuous basis in accordance with the approved JCPS implementation plan.
|
| 456 |
+
|
| 457 |
+
b) The process for the review of the Cybersecurity laws seeks to ensure that all relevant laws are aligned to this policy framework, and create a coherent and integrated cybercrime legal framework and prosecution approach in the Republic. This would require initiation of processes to effect necessary amendments to relevant legislation in order to make cybercrime or related crimes punishable in law.
|
| 458 |
+
|
| 459 |
+
# NATIONAL CYBERSECURITY POLICY FRAMEWORKFOR SOUTH AFRICA
|
| 460 |
+
|
| 461 |
+
16.2The Ministry of State Security and the State Security Agency (SSA) has overall responsibility and accountability for coordination, development and implementation of Cybersecurity measures in the Republic as an integral part of its National Security mandate.
|
| 462 |
+
|
| 463 |
+
16.2.1 The Ministry of State Security and SSA shall, amongst others, be required to perform the following key roles and responsibilities in relation to cybersecutity in the Republic:
|
| 464 |
+
|
| 465 |
+
(a) Ensure that the JCPS cluster is properly capacitated and is able to perform its function as set out in this Policy framework including ensuring that the JCPS cluster has the the necessary capacity to monitor, promote and guide the implementation of the NCPF.
|
| 466 |
+
|
| 467 |
+
(b) Ensure, in consultation with the relevant stakeholders, the establishment of the Cybersecurity Response Committee, Cybersecurity Centre and proper function of the existing RSA Government CSiRT in line with the approved JCPS implementation plan.
|
| 468 |
+
|
| 469 |
+
(c) Initiate and lead a process within the JCPS cluster for the development and approval of guidelines and National security norms for the establsihment of varioussector CSiRTs asprovidedfor inthepolicyframework.
|
| 470 |
+
|
| 471 |
+
(d) Have an overall responsibility for the development and formulation of National Cybersecurity in Republic and in consultation with stakeholders. This includes reviewing and amending existing Cybersecurity policies as well as prescribing regulations on information and communications technology security for the Republic in order to advance the National Security interests of the Republic
|
| 472 |
+
|
| 473 |
+
(e) Provide information assurance and secure information and communications technology infrastructure of National importance in support of national security; This should include the development of State capacity to provide threat monitoring, alerting, co-ordination and response for information communications technology related incidents pertaining to National Critical Information Infrastructure of the State;
|
| 474 |
+
|
| 475 |
+
(f) Prescribe a regulatory frameworkfor the control by the State of the provision and application of cryptographic solutions, development of National strategy and regulations for the protection of National Critical Information Infrastructure, and prescribe information communications technology security technical standards to which the electronic communications security products and services of organs of State must comply;
|
| 476 |
+
|
| 477 |
+
# NATIONAL CYBERSECURITY POLICY FRAMEWORKFOR SOUTH AFRICA
|
| 478 |
+
|
| 479 |
+
16.2.2 The implementation of these responsibilities by SSA shall include aspects of developing and implementing regulations, collecting intelligence both locally and internationally, conducting necessary Cybersecurity investigations and reporting on South Africa's Cybersecurity situation.
|
| 480 |
+
|
| 481 |
+
16.3 The Department of Police and the SAPS shall, in terms of the NCPF, be responsible for the prevention, investigation and combating of cybercrime in the Republic, which includes development of cybercrime policies and strategies, and providing for specialized investigative capacity and interaction with national and international stakeholders. Development of the anticybercrime policy and implementation plans should include operational priorities pertaining to:
|
| 482 |
+
|
| 483 |
+
(a) The fight against child sexual/physical abuse material on the Internet;
|
| 484 |
+
(b) Actions to counter massive attacks against information systems such as“denial-ofservice attacks (such as those affecting the banking sector);
|
| 485 |
+
(c) Actions combating identity fraud;
|
| 486 |
+
(d) The development of cross-border law enforcement cooperation;
|
| 487 |
+
(e) Public-private cooperation to fight cybercrime (in particular between law enforcement authorities and private companies); and
|
| 488 |
+
(f) Promote enhanced international cooperation to fight cybercrime by taking part in various international initiatives such the UN High Level Expert Group on Cybersecurity and the International Telecommunication Union.
|
| 489 |
+
|
| 490 |
+
16.4 The Department of Telecommunications and Postal Services (DTPS) has the responsibility for:
|
| 491 |
+
|
| 492 |
+
(a) Developing and implementing policies, regulations and industry standards regarding ICT aspects in general and to assist in the provision of strategic direction and coordination on local and international Cybersecurity matters pursuant to building an information economy and building confidence and trust in the secure use of ICTs. This includes building trust and confidence in the secure use of ICTs and to advise the Minister of Telecommunications and Postal Services on policy and technical issues and other matters pertinent to Cybersecurity;
|
| 493 |
+
|
| 494 |
+
# NATIONALCYBERSECURITYPOLICYFRAMEWORKFORSOUTHAFRICA
|
| 495 |
+
|
| 496 |
+
Establishing the National Cybersecurity Advisory Council (NCAC) to advise the Minister of Telecommunications and Postal Services on policy and technical issues, and other matters pertinent to Cybersecurity pursuant to building confidence and trust in the secure use of ICTs; (c) Establishing the Cybersecurity Hub and to facilitate the establishment of any other sector CSIRTs.
|
| 497 |
+
|
| 498 |
+
16.5 The Department of Defence and Military Veterans (DOD&MV) has overall responsibility for coordination, accountability and implementation of cyber defence measures in the Republic as an integral part of its National defence mandate. To this end, the Department will develop policies and strategies pursuant to its core mandate.
|
| 499 |
+
|
| 500 |
+
16.6 The Department of Science and Technology (DsT) has the responsibility for the development, coordination and implementation of national capacity development program. Furthermore, the Department shall be responsible for developing and facilitating the implementation of a national Cybersecurity research and development agenda for South Africa.
|
| 501 |
+
|
| 502 |
+
16.7 All other Organs of State are required to align their ICT policies and practices with this NCPF in so far as it relates to Cybersecurity.
|
| 503 |
+
|
| 504 |
+
# 17.The role and Responsibility of the Private Sector
|
| 505 |
+
|
| 506 |
+
17.1 The private sector is responsible for implementing information security measures at least equivalent to those that are implemented by Government. The NCPF therefore promotes cooperation between the information security bodies that predominantly represent the private sector with equivalent bodies in Government. The Department of Telecommunications and Postal Services (DTPS) and the National Cybersecurity Hub will help facilitate such cooperation.
|
| 507 |
+
|
| 508 |
+
# 18. The Role and Responsibility of Civil Society
|
| 509 |
+
|
| 510 |
+
18.1 Each person has a responsibility to ensure that his or her computer, mobile phone or any ICT infrastructure at his or her disposal that links to the cyberspace has updated malware protection. Each person also has a responsibility to report information security incidents to the police or the most accessible CSiRT. DTPS will help facilitate campaigns to raise awareness in this regard.
|
| 511 |
+
|
| 512 |
+
# NATIONAL CYBERSECURITY POLICYFRAMEWORKFORSOUTHAFRICA
|
| 513 |
+
|
| 514 |
+
# 19. Conclusion
|
| 515 |
+
|
| 516 |
+
19.1 It is envisaged that the NCPF will achieve the following benefits:
|
| 517 |
+
|
| 518 |
+
a) A safer and more secure cyberspace that underpins national security priorities;
|
| 519 |
+
b) The establishment of institutional structures to support a coordinated approach to addressing Cybersecurity;
|
| 520 |
+
c) The identification and protection of national critical information infrastructure;
|
| 521 |
+
d) A secure e-environment that stimulates economic growth and competitiveness of South Africa;
|
| 522 |
+
e) Promotion of a national research and development agenda relating to Cybersecurity;
|
| 523 |
+
f) The effective prevention, combating and prosecution of cybercrime; and
|
| 524 |
+
g) The enhanced management of Cybersecurity.
|
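--- /dev/null
+++ b/dataset/data/docs/south-africa-government_2017_MIOS Framework V6.pdf-4d93567c-6001-40ee-8aba-836a49bd1f69.md
@@ -0,0 +1,204 @@
+# MINIMUMINTEROPERABILITYSTANDARDS(MIOS)FRAMEWORK
+
+For Government Information Systems
+
+Revision 6.0
+
+November 2017
+
+The Minimum information Interoperability Standards (MiOS) sets out Government's technical principles and standards for achieving interoperability and information systems coherence across the public sector. The MiOS defines the essential prerequisite for joined-up and web enabled Government. Combined with Information and Communication Technology security, it is an essential component of electronic government.
+
+Adherence to the MiOs is mandatory as set out in the Public Service Regulations, Chapter 6, 97 (1) The Minister shall issue Minimum Interoperability Standards, (herein referred as the “MiOs") for the public service. (2) The MiOs shall include provision for standards and specifications for - (a) interconnectivity; (b) data integration; and (c) information access. (3)
+
+Any new information and communication technology system developed or acquired or any upgrade of any existing information and communication technology systems in the public service shall comply with the MlOs. (4) A Head of Department shall - (a) include compliance with the MlOS in the project approval procedure; and (b) ensure compliance to the MlOs in the acquisition or use of information and communication technologv.
+
+The objective of achieving interoperability must be managed as an ongoing initiative. In this regard, the Government Information Technology Officers within government departments are crucial and instrumental in carrying these objectives forward and through to implementation.
+
+I, Faith Muthambi, Minister for Public Service and Administration, hereby wish to proclaim that the Minimum Interoperability Standards (MIOS) Version 6.0, November 2017 is the Standard for Information and Communication Technology for the South African Government, as set out in theChapter 6 of the Public Seryice Regulations (PSR), as amended in 2016.
+
+
+
+MS A.F. MUTHAMBI, MP MINISTERFORTHEPUBLIC SERVICE ANDADMINISTRATION DATE:201802·06
+
+# PUBLICATION ENQUIRIES
+
+The Minimum Interoperability Standards (MlOS) for Government Information Systems has been developed by a Specialist Task Team set up by the Government Information Technology Officers Council (GlTOC) and the Offce of the Government Chief Information Office (OGClO) at the Department of Public Service and Administration (DPSA).
+
+Enquiries can be directed to:
+
+Office of the Government Chief Information Office Department of Public Service and Administration Batho Pele House, 546 Edmond Street, Arcadia Pretoria, South Africa.
+
+This document will be made available on the DPSA website www.dpsa.gov.za
+
+# COPYRIGHT, TRADEMARKS AND INTELLECTUAL PROPERTY
+
+Some of the standards, acronyms and terms that are referenced in this publication and the related addendums or catalogue are protected by copyright and/or intelectual property rights. The omission of the rightful copyright and/or intellectual property right owners' information from this document is merely intended to simplify the structure of the document.
+
+This document, in part or in whole, may be freely used on condition that the source is quoted.
+
+1 INTRODUCTION
+2. MANDATE
+/ 3. PURPOSE AND BENEFITS. / 4. SCOPE.. 8 5. COMPLIANCE.. .9 6. PRINCIPLES UNDERPINNING MIOS 10 APPENDIX A- ABBREVIATIONS. .12 APPENDIX B - DOCUMENT HISTORY .. 13
+
+# FIGURES
+
+Figure 1: Government ICT House of Value . 5
+Figure 2: e-Government information exchange scenarios . 10
+
+# INTRODUCTION
+
+1.1The Minimum Interoperability Standard (MiOS) willbe for use by National, Provincial departments and for those government components set out in the Schedule 3, Part A, of the Public Service Act as updated on the $7^{\mathrm{th}}$ October 2015.
+
+1.2These institutions are committed to the continuous improvement of public service delivery. Such commitment has become an underlying theme across all departments' strategic and annual performance plans.
+
+1.3As these Standards impact on the interoperability of e-government systems, we need to outline the definition of Electronic government as set out in the Public Service Act, 1994 - 1 (Proclamation 103 published in GG 15791 of 3 June 1994)-
+
+'Electronic government' means the use of information and communication technologies in the public service to improve its internal functioning and to render services to the public.
+
+1.4 To ensure that the commitment to the improvement of public service delivery, Cabinet embarked on an e-Government programme in 2oo1 by endorsing the policy document: "Electronic Government: The Digital Future - A public service IT Policy Framework.
+
+1.5 This policy aspired to achieve the effective, efficient and economic management and utilisation of Information and Information and Communication Technology Resources in government as illustrated in the Government Information and Communication Technology (ICT) House of Values).
+
+
+Figure 1: Government ICT House of Value
+
+The Information and Communication Technology House of Values serves as a reference to measure the performance of e-Government projects and systems, which includes interoperability1. The strategic drive to advance the maturity on interoperability not only compels government Information and Communication Technology leaders to collaborate on e-Government initiatives by sharing scarce resources, but it also provides a way for information to be exchanged electronically across traditional government system boundaries in order to improve public service delivery.
+
+The Information and Communication Technology House of value, comprises a roof, pillars and foundation, each representing the following:
+
+1.6 The outcomes (roof) of the e-Government programme on public sector operations are to:
+
+(i) Lower cost of government service delivery operations, by reducing time, complexity, repetition and duplication of tasks.
+(ii) Increased productivity of government operations, by improving the quality and quantity of traditional public sector outputs or introduce new processes to produce outputs and render services that were previously impossible.
+(iii) Citizen Convenience when interacting with government, by offering equal access to government information systems and services, provides more and better information, improves information service quality and privacy, provides remedies for failures and offers best value for money?.
+
+(b) The value (pillars) that the e-Government programme contributes to the public sector iCT environment is:
+
+(i) Security, by ensuring that information systems and related technologies operate in a maintained security environment.
+(ii) Interoperability, by ensuring that information systems and Information and Communication Technology infrastructure of government can interconnect and exchange information.
+(iii) Reduced duplication, by eliminating unnecessary duplications, by promoting sharing and consolidation of Information systems and Information and Communication Technology infrastructure across government.
+(iv) Economies of scale, by leveraging collective purchasing power of government to lower unit prices from industry.
+(v) Digital inclusion, by promoting the South African ICT industry, with a particular emphasis on Broad Based Black Economic Empowerment (BBBEE), labour absorption, and stimulation of equitable economic growth and skills development of Information and Communication Technology in South Africa.
+
+(c) )The capabilities (foundation) by which to achieve the outcomes and values of eGovernment are:
+
+(i) ICT planning, the capabilities that set direction and standards for Information and Communication Technology, Enterprise Architecture and to validate/certify conformance and performance thereto.
+
+(i) ICT integration, the capabilities that provide and develop Information and Communication Technology Systems and Technology Infrastructure into integrated Information and Communication Technology solutions.
+(iii) ICT operations, the capabilities to ensure that Information and Communication Technology Systems and Technology Infrastructure are maintained in a reliable, available and secure environment.
+
+(4) The advancement of interoperability in Government is an ongoing process and should be managed as a long-term, dynamic and agile programme. It is therefore incumbent upon the Government Information Technology Officers as heads of Information and Communication technology within each department, under the umbrella of the Government Information Technology Officers Council (GlToC) to promote the objectives of interoperability and to observe the principles and comply with the standards as set out in MlOs during the life-cycle management of iS/iCT in government. It is also essential that MiOS remains updated and that it aligns to stakeholder requirements, changes in legislative environment, so that government can embrace the potential of technological advancement in the market and address the archival issues inherent to the digital age.
+
+The Minimum Interoperability Standards (MiOS) provides a set of mandatory standards that will ensure the achievement of the interoperability pillar in the ICT House of Value as illustrated in figure 1 above.
+
+# 2.MANDATE
+
+(1) Interoperability between Information Systems and Information-and-Communication Technology (IS/iCT) in government is mandated in accordance with the following legislation:
+
+(a) Public Service Act, 1994 (Proclamation 103 of 1994) mandates the Minister of Public Service and Administration ("Minister") to establish norms and standards for Information Management in the Public Service and e-Government respectively;
+(b) Public Service Regulations as amended in 2016 - (1) Obligates heads of departments to comply with the MIOS. (ii) Mandates the Minister for Public Service and Administration to issue the MIOS.
+(c) Public Finance Management Act, 1999 (Act 1 of 1999) section 38(1) (b) and (e) holds an accounting officer responsible for the effective, efficient, economical and transparent use of the resources and to comply with audit commitments as required by legislation.
+
+# 3.PURPOSE AND BENEFITS
+
+(1)The purpose of the MiOs is to prescribe open system standards that will ensure minimum level of interoperability within and between IS/lCT systems that are utilised in government, industry, citizens and the international community in support of e-Government objectives.
+
+(2) The benefits that MiOS provides to stakeholders are:
+
+(a) To government IS/iCT management communities, it provides a framework to ensure compliance with interoperability stipulations as set out in the SITA Act and Public Service Regulations respectively. It further underpins the collective value of IS/ICT as a strategic resource of government that must be valued, shared and used to improve public service delivery.
+(b) To enterprise architects, solution architects, designers and implementers, it provides a basis for designing, using and implementing open standards based solutions to improve interoperability and reduce duplication across government IS/ICT.
+(c) To acquirers, it provides the minimum mandatory technical specifications that must form part of all bid documents.
+(d) To the Certification Authority, it serves as a baseline by which to verify and certify conformance of IS/icT goods and services for use in government.
+(e) To ICT goods and service providers, it substantiates government's strategic intent towards the adoption of and migration to open standards and that only MIOS compliant products are considered for integration into the Government Information Infrastructure.
+
+# 4.SCOPE
+
+4.1 What is included in the MIOS?
+
+The Minimum Interoperability Standard (MlOS) contains the following:
+
+a) The management processes and responsibilities for - i) the setting and approval of interoperability standards, and ii) the certification of IS/iCT products and services for compliance with such standards; and
+b) The set of interoperability standards regardingi) Data format standards to enable exchange of data between government information systems (IS), and ii) Technical standards to interconnect, interoperate, access and exchange data among components of government Information and Communication Technology (lCT) infrastructure.
+
+4.2 What is excluded in the MIOS?
+
+(a) The MlOS does not prescribe any standards relating to business processes of Information Systems and Information Communication Technology Services (1S/iCT) services, except for the processes to set the standard and to certify compliance with such standards.
+
+(b) The IS/lCT business process and service standards, such as ICT Governance practice standards, Enterprise Architecture practice standards, lnformation System Security practice standards, Quality Management practice standards, System Development Life Cycle (SDLC) practice standard, Project Management practice standard and ICT Service Management standards form part of the prevailing and evolving Government IS/iCT Governance Framework.
+
+# 5.COMPLIANCE
+
+5.1 To whom does the MiOs apply?
+
+1. The MlOS is normative (it is prescriptive and compliance is mandatory) to
+
+a) Heads of National departments
+b) Heads of Provincial departments
+c) associated agencies/entities as listed in the Schedules to the Public Service Act
+
+2.The MlOS is informative, it is descriptive and compliance but is not yet mandatory to the Heads of Local Government.
+
+5.2 How is Mlos applicable?
+
+1. According to the Public Service Regulations, 2016, Chapter 6 Information Management and Electronic Government, Regulation 97:
+
+(2) “The MiOs shall include provision for standards and specifications for - a)
+Interconnectivity; b) Data integration; and c) Information access.
+(3) Any new information and communication technology system developed or acquired or
+any upgrade of any existing information and communication technology system in the public
+service shall comply with the MIOS.
+(4) A Head of Department (HOD) shall - (a) Include compliance with the MlOS in the project approval procedure; and (b) Ensure compliance to the MlOs in the acquisition or use of information and communication technology."
+
+2. In the context of electronic government, the MiOs is applicable to all e-government systems throughout their life-cycle.
+
+a. e-Government system means “any information system in the public service" and the interoperability of e-Government systems (as illustrated in Figure 2: e-Government information exchange scenarios), is described as - i. Government to Government (G2G) information system - any government information system that interconnects and exchanges information with another government information system (including any two information systems within a department). ii. Government to Business (G2B) information system - any government information system that interconnects and exchanges information with a commercial or non-governmental business entity; and ii. Government to Citizen (G2C) system - any government information system that interconnects and exchanges information with a citizen or community.
+
+
+Figure 2: e-Government information exchange scenarios
+
+b. The life-cycle stages and conditions when MlOs is applicable, are for -
+
+i. A new Government system that is either under development or in acquisition;
+ii. An Government system that is upgraded in functionality to enable new business processes or that is upgraded in terms of its technology infrastructure (i.e. same business processes and functionality, but new technology infrastructure)
+ili. An existing (legacy) Government system in operation.
+iv. All technology stacks currently in use in government are accommodated in this framework. However, all new technologies/software/systems under consideration from the time this framework is adopted must be able to incorporate these standards while ensuring interoperability with legacy systems to ensure investments are protected.
+
+# 6.PRINCIPLES UNDERPINNING MIOS
+
+There are number of definitions of open standards which emphasise different aspects of openness, including of the resulting specification, the openness of the drafting process, and the ownership of rights in the standard.
+
+The following principles shall apply during the selection of interoperability standards for inclusion or amendment to the MIOS:
+
+(a) Interoperability: The standard is designed to advance interconnectedness and data exchange within and between systems. (b) Openness: the specifications for the standards is open, which is characterised by:
+
+(1) The standard should be maintained by a non-commercial organization.
+(11) The standard development and decision-making processes are inclusive and open to all interested parties.
+(ii) The standards development outputs, including documents, drafts and completed standards, are accessible to anyone at no cost or at a negligible fee.
+(iv) The intellectual rights required to implement the standard (e.g. essential patent claims) are irrevocably available, without any royalties attached.
+(v) The standard must not favour or provide exclusive rights to a particular vendor or product brand.
+
+(c) Industry support: the standard is widely supported by the industry, and is likely to reduce the cost of and the risk inherent to systems.
+
+# APPENDIXA-ABBREVIATIONS
+
+BBBEE Broad Based Black Economic Empowerment
+BPMN Business Process Modelling Notation
+EA Enterprise Architecture
+GCIO Government Chief Information Officer
+GITO Government Information Technology Officer
+GITOC Government Information Technology Officers Council
+GWEA Government Wide Enterprise Architecture
+ICT Information and Communication Technology
+IS Information Systems
+ISO International Organisation for Standardisation
+MIOS Minimum Interoperability Standards
+SC-AGC Standing Committee on Architecture, Governance and Compliance
+SITA State Information Technology Agency
+OMG Object Management Group
+TOGAF The Open Group Architecture Framework
+UML Unified Modelling Language
+
+In reverse order
+
+
+<html><body><table><tr><td>Document Name</td><td>Revision Authority</td><td colspan="2">Update</td><td>Revision Date</td></tr><tr><td>MIOS V 6.0</td><td>OGCIO/GITOC/SITA</td><td>Policy Framework MPSA foreword Catalogue of Standards V1</td><td>and and</td><td>Nov 2017</td></tr><tr><td>MIOS V5.0</td><td>OGCIO/GITOC/SITA</td><td>Policy Framework Standards Not submitted to MPSA in Nov 2011</td><td>and</td><td>Nov 2011 Nov 2016</td></tr><tr><td>MIOS V4.1</td><td>OGCIO/GITOC/SITA</td><td colspan="2">Minister's foreword and Open Standards Revision</td><td>Sept 2007</td></tr><tr><td>MIOS V 4.0</td><td>OGCIO/GITOC/SITA</td><td colspan="2">Further revision</td><td>August 2007</td></tr><tr><td>MIOSV 4</td><td>OGCIO/GITOC/SITA</td><td colspan="2">Included ISO 26300 Open Document Standard format (ODF). Minor maintenance revisions. Reformatted.</td><td>July 2007</td></tr><tr><td>MIOS V 3</td><td>OGCIO(DPSA) /GITOC/SITA</td><td colspan="2">Split MlOS into 2 parts: Part 1 is Technical Policies and Standards Part 2 is</td><td>April 2002</td></tr><tr><td>MIOS V2</td><td>OGCIO (DPSA)/ GITOC/SITA</td><td colspan="2">Implementation Support. Workshopwith inputs from GITOC</td><td>Nov 2001</td></tr><tr><td>MIOS V1</td><td>SITA Services Certification Unit</td><td colspan="2">Customisation of MiOs for SA Government (from UK government)</td><td>Sept.2001</td></tr><tr><td>e-GIF</td><td></td><td colspan="2">Adopted from UK GOV</td><td>July 2001</td></tr></table></body></html>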
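--- a/dataset/data/docs2/Protection of Information Act 84 of 1982 South African Government_English_Adesemmyk.pdf-0aeaf0b9-0f34-4e8c-a946-.md
+++ b/dataset/data/docs2/Protection of Information Act 84 of 1982 South African Government_English_Adesemmyk.pdf-0aeaf0b9-0f34-4e8c-a946-.md
@@ -0,0 +1,178 @@
+Please note that most Acts are published in English and another South African official language Currently we only have capacity to publish the English versions.
+This means that this document will only contain even numbered pages as the other language is printed on uneven numbered pages.
+
+# REPUBLIC OF SOUTH AFRICA
+# GOVERNMENT GAZETTE
+[VoL.204] Cape Town, 16 June 1982 [No. 8248]
+
+
+# OFFICE OF THE PRIME MINISTER
+
+It is hereby notified that the State President has assented to the following Act which is hereby published for general information:-
+
+No. 84 of 1982: Protection of Information Act, 1982.
+# PROTECTION OF INFORMATION ACT, 1982
+ACT
+To provide for the protection from disclosure of certain information; and to provide for matters connected therewith.
+
+RE IT ENACTED by the State President and the House of Assembly of the Republic of South Africa, as follows:-
+
+[I] Definitions.
+
+1.
+(1) In this Act, unless the context otherwise indicates
+(i) “agent" means any person who is or has been or is reasonably suspected of being or having been directly or indirectly used by or in the name of or on behalf of any foreign State or any hostile organization for the purpose of committing in the Republic or elsewhere an act prejudicial to the security or interests of the Republic, or who has or is reasonably suspected of having committed or attempted to commit such an act in the Republic or elsewhere in the interests of any foreign State or any hostile organization;
+(ii) “armaments” means armaments as defined in section 1 of the Armaments Development and Production Act, 1968 (Act No.57 of 1968);
+(iii) “document" means
+(a)any note or writing, whether produced by hand or by printing, typewriting or any other similar process;
+(b) any copy, plan, picture, sketch or photographic or other representation of any place or article;
+(c) any disc, tape, card, perforated roll or other device in or on which sound or any signal has been recorded for reproduction;
+
+(iv) “foreign State” means any State other than the Republic;
+(v) “Government” includes the South African Transport Services, the Department of Posts and Telecommunications and any provincial administration;
+(vi) “hostile organization" means
+(a)any organization declared by or under any Act of Parliament to be an unlawful organization;
+(b) any association of persons or any movement or institution declared under section 14 to be a hostile organization;
+(vii) “military” includes army, air force and naval;
+(viii) “model" includes any design, pattern or specimen;
+(ix)“prohibited place” means
+(a) any work of defence belonging to or occupied or used by or on behalf of the Government, including—
+(i) any arsenal, military establishment or station, factory, dockyard, camp, ship, vessel or aircraft;
+(ii) any telegraph, telephone, radio or signal station or office; and
+(iii)any place used for building repairing, making, keeping or obtaining armaments or any model or document relating thereto;
+(b) any place where armaments or any model or document relating thereto is being built, repaired, made, kept or obtained under contract with or on behalf of the Government or of the government of any foreign State;
+(c) any place or area declared under section 14 to be a prohibited place; (viii)
+
+(x) “security matter” includes any matter which is dealt with by the National Intelligence Service or which relates to the functions of that Service or to the relationship existing between any person and that Service.
+
+(2)In this Act, unless the context otherwise indicates
+(a) any reference to the disclosing or receiving of anything includes a reference to the disclosing or receiving of any part or the substance, effect or description thereof;
+(b) any reference to the obtaining or retaining of anything includes a reference to the obtaining or retaining of any part or the copying or causing to be copied of the whole or any part thereof, whether by photography or otherwise;
+(c) any reference to the disclosing of anything includes a reference to the transmission or transfer thereof; and
+(d)any reference to any offence or prosecution under any provision of this Act includes a reference to an offence or a prosecution under the provisions of section 18 of the Riotous Assemblies Act,1956(Act No.17 of 1956), read with the relevant provisions of this Act.
+
+[Prohibition of certain acts in relation o prohibited places]
+2. Any person who approaches, inspects, passes over, is in the neighbourhood of or enters any prohibited place for any purpose prejudicial to the security or interests of the Republic, shall be guilty of an offence and liable on conviction to imprisonment for a period not exceeding 20 years.
+
+[Prohibition of obtaining and disclosure of certain information]
+3. Any person who, for purposes of the disclosure thereof to any foreign State or to any agent, or to any employee or inhabitant of, or any organization, party, institution, body or movement in, any foreign State, or to any hostile organization or to any office-bearer, officer, member or active supporter of any hostile organization—
+(a) obtains or receives any secret official code or password or any document, model, article or information used, kept, made or obtained in any prohibited place; or
+(b) prepares, compiles, makes, obtains or receives any document, model, article or information relating to
+(i) any prohibited place or anything in any prohibited place, or to armaments; or
+(ii) the defence of the Republic, any military matter, any security matter or the prevention or combating of terrorism; or
+(iii) any other matter or article, and which he knows or reasonably should know may directly or indirectly be of use to any foreign State or any hostile organization and which, for considerations of the security or the other interests of the Republic, should not be disclosed to any foreign State or to any hostile organization,
+shall be guilty of an offence and liable on conviction to the penalty prescribed in section 2.
+
+[Prohibition of disclosure of certain information.]
+4.(1) Any person who has in his possession or under his control or at his disposal
+(a) any secret official code or password; or
+(b)any document, model, article or information
+(i)which he knows or reasonably should know is kept, used, made or obtained in a prohibited place or relates to a prohibited place, anything in a prohibited place, armaments, the defence of the Republic, a military matter, a security matter or the prevention or combating of terrorism;
+(ii) which has been made, obtained or received in contravention of this Act;
+(iii) which has been entrusted in confidence to him by any person holding office under the Government;
+(iv) which he has obtained or to which he has, had access by virtue of his position as a person who holds or has held office under the Government, or as a person who holds or has held a contract made on behalf of the Government, or a contract the performance of which takes place entirely or partly in a prohibited place, or as a person who is or has been employed under a person who holds or has held such office or contract, and the secrecy of which document, model, article or information he knows or reasonably should know to be required by the security or the other interests of the Republic, or
+(v)of which he obtained possession in any manner and which document, model, article or information he knows or reasonably should know has been obtained by any other person in any of the ways referred to in paragraph (iii) or (iv) and the unauthorized disclosure of such document, model, article or information by such other person he knows
+35 or reasonably should know will be an offence under this Act, and who
+(aa) discloses such code, password, document, model, article or information to any person other than a person to whom he is authorized to disclose it or to whom it may lawfully be disclosed or to whom, in the interests of the Republic, it is his duty to disclose it;
+(bb) publishes or uses such code, password, document, model, article or information in any manner or for any
+45 purpose which is prejudicial to the security or interests of the Republic;
+(cc) retains such code, password, document, model, article or information when he has no right to retain it or when it is contrary to his duty to retain it, or neglects or fails to comply with any directions issued by lawful authority with regard to the return or disposal thereof; or
+(dd) neglects or fails to take proper care of such code, password, document, model, article or information, or so to conduct himself as not to endanger the safety thereof,
+
+shall be guilty of an offence and liable on conviction to a fine not exceeding R10 000 or to imprisonment for a period not exceeding 10 years or to both such fine and such imprisonment, or, if it is proved that the publication or disclosure of such secret official code or password or of such document, model, article or information took place for the purpose of its being disclosed toa foreign State or to a hostile organization, to the penalty prescribed in section 2.
+
+(2) Any person who receives any secret official code or password or any document, model, article or information, knowing or having reasonable grounds to believe, at the time when he receives it, that such code, password, document, model, article or information is being disclosed to him in contravention of the provisions of this Act, shall, unless he proves that the disclosure thereof to him was against his wish, be guilty of an offence and 5 liable on conviction to a fine not exceeding R10 o00 or to imprisonment for a period not exceeding 10 years or to both such fine and such imprisonment.
+
+[Prohibition of certain acts prejudicial to security or interests of Republic.]
+5.
+(1) Any person who, for the purpose of gaining or assisting any other person to gain admission to any prohibited place, or for any other purpose prejudicial to the security or interests of the Republic
+(a) without lawful authority uses or wears any military, police or other official uniform of the Republic, or any uniform worn by a person employed at or in a prohibited place, or any uniform so closely resembling any of the said uniforms as to be calculated to deceive, or falsely represents himself to be a person who is or has been entitled to use or wear any such uniform;
+(b) orally or in writing in any declaration or application, or in any document signed by him or on his behalf, knowingly makes any false statement or omits any relevant fact;
+(c) forges, alters or tampers with any passport or any official pass, permit, certificate, licence or other similar document (hereinafter in this section referred to as an official document), or uses or has in his possession any forged, altered or irregular official document;
+(d) impersonates or falsely represents himself to be a person holding, or in the employment of a person holding, office under the Government, or to be or not to be a person to whom an official document or a secret official code or password has been duly issued or disclosed, or, with intent to obtain an official document or any secret official code or password, whether for himself or for any other person, knowingly makes any false statement; or
+(e) uses or has in his possession or under his control, without lawful authority, any official die, seal or stamp of the Republic or any die, seal or stamp so closely resembling any such official die, seal or stamp as to be calculated to deceive, or counterfeits any such official die, seal or stamp, or uses or has in his possession or under his control any such counterfeited die, seal or stamp,
+
+shall be guilty of an offence and liable on conviction to a fine not exceeding R5000 or to imprisonment for a period not exceeding five years or to both such fine and such imprisonment.
+
+(2) Any person who
+(a) retains for any purpose prejudicial to the security or interests of the Republic any official document, whether or not completed or issued for use, when he has no right to retain it or when it is contrary to his duty to retain it, or neglects or fails to comply with any directions issued by lawful authority with regard to the return or disposal thereof;
+(b) allows any other person to have possession of any official document issued for his use alone, or without lawful authority or excuse has in his possession any official document or secret official code or password issued for the use of some person other than himself, or, on obtaining possession of any official document, whether by finding or otherwise, neglects or fails to hand it over to the person or authority by whom or for whose use it was issued or to a member of the South African Police or the South African Railway Police Force; or
+(c) without lawful authority or excuse manufactures or sells, or has in his possession for sale, any die, seal or stamp referred to in paragraph (e) of subsection (1), shall be guilty of an offence and liable on conviction to the penalties prescribed in subsection (1).
+
+[Obstructing persons on guard at prohibited places. ]
+6. Any person who obstructs, knowingly misleads or otherwise interferes with any person engaged on guard, sentry, patrol or other similar duty in relation to any prohibited place shall be guilty of an offence and liable on conviction to a fine not exceeding R1000 or to imprisonment for a period not exceeding 12 months or to both such fine and such imprisonment.
+
+
+[Harbouring or concealing certain persons and failing to report information relating to agents.
+7. Any person who—
+(a) knowingly harbours or conceals any person whom he knows or has reason to believe to be a person who is about to commit or who has committed an offence under this Act, or knowingly permits any such persons to meet or assemble in any premises in his occupation or under his control;
+(b) having harboured or concealed any such person, or permitted such persons to meet or assemble in any premises in his occupation or under his control, wilfully omits or refuses to disclose to any member of the South African Police or the South African Railway Police Force any information it is in his power to give in relation to any such person; or
+(c) knowing that any agent or any person who has been or is in communication with an agent, whether in the Re
+30 public or elsewhere, is in the Republic, fails forthwith to report to any member of the South African Police or the South African Railway Police Force the presence of or any information it is in his power to give in relation to any such agent or person,
+
+shall be guilty of an offence and liable on conviction to a fine not exceeding R1000 or to imprisonment for a period not exceeding 12 months or to both such fine and such imprisonment.
+
+
+[Communication with agent proof of certain facts.]
+8.
+(1) If in any prosecution upon a charge under section 3, or upon a charge under section 4 (1) in connection with the publi40 cation or disclosure of a secret official code or password or a document, model, article or information as referred to in that section, it is proved that the accused
+(a) has been in communication, or has attempted to communicate, with an agent in the Republic or elsewhere; or
+(b) is an agent or is being or has been or is reasonably suspected of being or having been directly or indirectly used by a foreign or international body or institution, or has entered or is within the Republic in contravention of any law
+
+it shall, unless the contrary is proved, be presumed that the document, model, article or information referred to in section 3 has been prepared, compiled, made, obtained or received, or the secret official code or password or the model, article, document or information referred to in section 4 (1) has been published or disclosed, as the case may be, for purposes of the disclosure thereof to a foreign State or to a hostile organization.
+
+(2) For the purposes of subsection (1)-
+(a) a person shall, unless he proves the contrary, be pre60 sumed to have been in communication with an agent if
+(i) he has, in the Republic or elsewhere, visited the address of an agent or associated with an agent; or
+(ii) in the Republic or elsewhere, the name or address of or any other information regarding an agent has been found in his possession or under his control, or has been supplied by him to any other person or has been obtained by him from any other person;
+
+(b) any address, in the Republic or elsewhere, reasonably suspected to be an address used for the receipt of communications intended for an agent, or at which an agent resides, or to which he resorts for the purpose of giving or receiving communications, or at which he carries on any business, shall be deemed to be the address of an agent, and any person who addresses communications to such address shall be deemed to have been in communication with an agent.
+
+[Proof that certain information may directly or indirectly be of use to foreign State or hostile organization.]
+9.
+If in any prosecution against any person for an offence under section 3 it is proved that he is an agent or that he is or has been or is reasonably suspected of being or having been directly or indirectly used by or on behalf of any foreign or international body or institution or that he has entered or is within the Republic in contravention of any law and that he has prepared, compiled, made, obtained or received any document, model, article or information other than that referred to in section 3 (a), or any document, model, article or information relating to a place, article or matter other than that referred to in section 3 (b) (i) or (ii),
+
+it shall, unless the contrary is proved, be presumed that such document, model, article or information may directly or indirectly be of use to a foreign State or a hostile organization.
+
+[Proof of purpose prejudicial to security or interests of Republic. ]
+10.
+(1) In any prosecution under this Act upon a charge of committing an act for a purpose prejudicial to the security or interests of the Republic, it shall, if, from the circumstances of the case or the conduct of the accused, it appears that his purpose was a purpose prejudicial to the security or interests of the Republic, be presumed, unless the contrary is proved, that the purpose for which that act has been committed, is a purpose prejudicial to the security or interests of the Republic.
+
+(2) If in any prosecution under this Act upon a charge of publishing or disclosing any secret official code or password or any document, model, article or information for a purpose prejudicial to the security or interests of the Republic, it is proved that.
+it was published or disclosed by any person other than a person acting under lawful authority, or by an agent or by a person who is or has been or is reasonably suspected of being or having been directly or indirectly used by any foreign or international body or institution or who has entered or is within the Republic in contravention of any law,
+it shall, unless the contrary is proved, be presumed that the purpose for which it was published or disclosed is a purpose prejudicial to the security or interests of the Republic.
+
+
+[Extra-territorial application of Act, and jurisdiction. ]
+11.
+(1) Any act constituting an offence under this Act and
+50 which is committed outside the Republic by any South African citizen or any person domiciled in the Republic shall be deemed to have been committed also in the Republic.
+(2) Any offence under this Act shall, for the purposes of determining the jurisdiction of a court to try the offence, be deemed to have been committed at the place where it actually was committed and also at any place where the accused happens to be.
+
+
+[Authority of attorney-genera; required for institution of criminal proceedings.]
+12. No trial or preparatory examination in respect of any offence under this Act, except any contravention of section 6, shall be instituted without the written authority of the attorney-general having jurisdiction in the area concerned.
+
+[Criminal proceedings may take place behind closed doors.]
+13. Any court may, if it appears to that court to be necessary for considerations of the security or the other interests of the Republic, direct that any trial or preparatory examination in respect of an offence under this Act, shall take place behind closed doors or that the general public or any section thereof shall not be present thereat, and if the court issues any such direction, the court shall have the same powers as those conferred upon a court by section 154 (1) of the Criminal Procedure Act, 1977 (Act No. 51 of 1977),and the provisions of subsections (1),(4) L0 and (5) of the said section 154 shall apply *mutatis mutandis*.
+
+
+[Prohibited places and hostile organizations.]
+14. The State President may, for the purposes of this Act, by proclamation in the *Gazette* declare-—
+(a) any place or area to be a prohibited place if he is satisfied that information with respect to that place or area, or the loss, damage, disruption or immobilization thereof could be of use to a foreign State or a hostile organization; or
+(b) any association of persons, movement or institution outside the Republic to be a hostile organization if he is satisfied that that association of persons, movement or institution incites, instigates, commands, aids, advises, encourages or procures any person in the Republic or elsewhere to commit in the Republic an act of violence for any purpose prejudicial to the security or interests of the Republic,
+
+and may in like manner at any time repeal or amend any such proclamation.
+
+[Repeal of laws.]
+15. The laws specified in the Schedule are hereby repealed to 1 the extent set out in the third column of the Schedule.
+
+
+[Short title.]
+16. This Act shall be called the Protection of Information Act, 1982.
+
+
+# Schedule
+
+LAWS REPEALED
+<html><body><table><tr><td>No. and year of law</td><td>Title</td><td>Extent of repeal</td></tr><tr><td>Act No. 16 of 1956...</td><td>Official Secrets Act, 1956</td><td>The whole.</td></tr><tr><td>Act No. 65 of 1956.</td><td>Official Secrets Amendment Act, 1956.</td><td>The whole.</td></tr><tr><td>Act No. 7 of 1958</td><td>Police Act, 1958</td><td>Section 27C.</td></tr><tr><td>Act No. 101 of 1969.</td><td>General Law Amendment Act, 1969</td><td>Sections 10, 11 and 12.</td></tr><tr><td>Act No. 102 of 1972.</td><td>General Law Amendment Act, 1972</td><td>Section 10.</td></tr></table></body></html>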
dataset/data/docs2/republic-of-south-africa_2013_Protection of Personal Information Act, 2013.pdf-68ed7a0b.md
ADDED
|
|
|
|
dataset/data/docs2/republic-of-south-africa_Cybercrimes Act of South Africa_Act16-2020_commence.md
ADDED
|
|
|
|
dataset/data/docs2/south-africa-government_2015_National Cybersecurity Policy Framework.pdf-dde97d67-d3fd-41b3-b.md
ADDED
|
@@ -0,0 +1,524 @@
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1 |
+
# STATESECURITYAGENCY
|
| 2 |
+
|
| 3 |
+
NO.609
|
| 4 |
+
|
| 5 |
+
04DECEMBER2015
|
| 6 |
+
|
| 7 |
+
# THE NATIONAL CYBERSECURITY POLICY FRAMEWORK (NCPF)
|
| 8 |
+
|
| 9 |
+

|
| 10 |
+
|
| 11 |
+

|
| 12 |
+
|
| 13 |
+
NATIONALCYBERSECURITYPOLICYFRAMEWORKFORSOUTHAFRICA
|
| 14 |
+
|
| 15 |
+
# Table of Contents
|
| 16 |
+
|
| 17 |
+
ABBREVIATIONS P EXECUTIVE SUMMARY 5 DEFINITIONS 8
|
| 18 |
+
|
| 19 |
+
1. Introduction 10
|
| 20 |
+
2. The South African Context .12
|
| 21 |
+
3. Purpose of the NCPF .14
|
| 22 |
+
4. Key Objectives of the NCPF. .15
|
| 23 |
+
5. Capacity to Respond to Cybersecurity lmperatives .15
|
| 24 |
+
6. Cybersecurity Hub and Additional CSiRTs. .18
|
| 25 |
+
7. Verification of Information Security Products and Systems .19
|
| 26 |
+
8. NCII Protection.. .20
|
| 27 |
+
9. Cryptography .21
|
| 28 |
+
10. Online E-ldentity Management in Cyberspace. .21
|
| 29 |
+
11. Promote and Strengthen Local and International Cooperation.. .23
|
| 30 |
+
12. Capacity Development, Research and Development .24
|
| 31 |
+
13. Cyber-warfare. .24
|
| 32 |
+
14. Promotion of a Cybersecurity Culture. .25
|
| 33 |
+
15. Technical and Operational Standards Compliance. .25
|
| 34 |
+
16. The Role and Responsibility of the State .26
|
| 35 |
+
17. The role and Responsibility of the Private Sector .. .29
|
| 36 |
+
18. The Role and Responsibility of Civil Society .29
|
| 37 |
+
19. Conclusion. 30
|
| 38 |
+
|
| 39 |
+
# ABBREVIATIONS
|
| 40 |
+
|
| 41 |
+
CII Critical Information Infrastructure
|
| 42 |
+
CRC Cybersecurity Response Committee
|
| 43 |
+
CSIR Council for the Scientific and Industrial Research
|
| 44 |
+
CSIRT Computer Security Incident Response Team
|
| 45 |
+
DOJ&CD Department of Justice and Constitutional Development
|
| 46 |
+
DOD&MV Department of Defence and Military Veterans
|
| 47 |
+
DST Department of Science and Technology
|
| 48 |
+
DTPS Department of Telecommunications and Postal Services
|
| 49 |
+
ECS Electronic Communications Security
|
| 50 |
+
ECT Electronic Communications and Transactions
|
| 51 |
+
FIRST Forum for Incident Response and Security Teams
|
| 52 |
+
GCA Global Cybersecurity Agenda
|
| 53 |
+
GRC Governance, Risk Management and Compliance
|
| 54 |
+
HLEG High-Level Experts Group
|
| 55 |
+
ICT Information and Communications Technology
|
| 56 |
+
ICASA Independent Communications Authority of South Africa
|
| 57 |
+
IPR Intellectual Property Rights
|
| 58 |
+
ISP Internet Service Provider
|
| 59 |
+
ITU International Telecommunication Union
|
| 60 |
+
JCPS Justice, Crime Prevention and Security (Cluster)
|
| 61 |
+
MOU Memorandum of Understanding
|
| 62 |
+
NCAC National Cybersecurity Advisory Council
|
| 63 |
+
NCII National Critical Information Infrastructure
|
| 64 |
+
NCPF National Cybersecurity Policy Framework
|
| 65 |
+
NPA National Prosecuting Agency
|
| 66 |
+
PKI Public Key Infrastructure
|
| 67 |
+
SAPS South African Police Service
|
| 68 |
+
SIEM Security Information and Event Management
|
| 69 |
+
SITA State Information Technology Agency
|
| 70 |
+
SOE State Owned Entity
|
| 71 |
+
SSA State Security Agency
|
| 72 |
+
UNODC United Nations Office on Drugs and Crime
|
| 73 |
+
WSIS World Summit on the Information Society
|
| 74 |
+
|
| 75 |
+
# EXECUTIVESUMMARY
|
| 76 |
+
|
| 77 |
+
1. Information and Communications Technologies (lCTs) are indispensable in modern society.The interconnectivity of computer networks contributes significantly to economic growth, education, citizens' participation in social media and many others.
|
| 78 |
+
2. This new electronic environment is commonly known as cyberspace. The dependence of the daily functioning of society on information communication technology solutions has led to a concomitant need for the development of adequate security measures. This is because the danger that Cybersecurity threats pose, is real.
|
| 79 |
+
3.The numerous cyber-attacks launched in recent years against advanced information societies aimed at undermining the functioning of public and private sector information systems have placed the abuse of cyberspace high on the list of international and also local security threats. Given the seriousness of cyber threats and of the interests at stake, it is therefore imperative that the comprehensive use of information communication technology solutions be supported by a high level of security measures and be embedded in a broad and sophisticated Cybersecurity culture. For this reason, the cyber threats need to be addressed at both the global and national levels.
|
| 80 |
+
4. National Cybersecurity is a broad term encompassing the many aspects of electronic information, data and media services that affect a country's security, economy and welbeing. Ensuring the security of a country's cyberspace therefore comprises a range of activities at different levels.
|
| 81 |
+
5.World-wide Cybersecurity strategies are being developed and are aimed at setting policy goals, measures and institutional responsibilities in a succinct manner. Generally, the primary concern is to ensure the confidentiality, integrity and availability (C-I-A) of computer data and systems and to protect against or prevent intentional and non-intentional incidents and attacks. Priority is also given to critical information infrastructure protection (CIIP).
|
| 82 |
+
6. These strategies normally also contain measures against or reference to cybercrime. Measures against cybercrime provide a criminal justice response to C-l-A attacks against computers and thus complement technical and procedural Cybersecurity responses. However, cybercrime comprises also offences committed by means of computer data and systems, ranging from the sexual exploitation of children to fraud, hate speech, intellectual property rights (IPR) infringements and many other offences. Furthermore, any crime may involve electronic evidence in one way or the other. While this may not be labelled “cybercrime", a cybercrime strategy would nevertheless need to ensure that the forensic capabilities be created that are necessary to analyse electronic
|
| 83 |
+
|
| 84 |
+
# NATIONAL CYBERSECURITYPOLICYFRAMEWORKFORSOUTHAFRICA
|
| 85 |
+
|
| 86 |
+
evidence in relation to any crime, or that all law enforcement officers, prosecutors and judges are provided at least with basic skills in this respect.[1]
|
| 87 |
+
|
| 88 |
+
7.This South African National Cybersecurity PolicyFramework is aligned to these goals and is necessitated to ensure a focussed and an all-embracing safety and security response in respect of the Cybersecurity environment and establishes and addresses the following:
|
| 89 |
+
|
| 90 |
+
a) The development and implementation of a Government led, coherent and integrated Cybersecurity approach to address Cybersecurity threats;
|
| 91 |
+
b) Establishing a dedicated policy, strategy and decision making body to be known as the JCPS Cybersecurity Response Committee,to identify and prioritise areas of intervention and focussed attention regarding Cybersecurity related threats. The Cybersecurity Response Committee will be chaired by the State Security Agency (SSA) and will be supported operationally by a Cybersecurity Centresituated at the SSA
|
| 92 |
+
c) The capability to effectively coordinate departmental resources in the achievement of common Cybersecurity safety and security objectives (including the planning, response coordination and monitoring and evaluation);
|
| 93 |
+
d) Fighting cybercrime effectively through the promotion of coordinated approaches and planning and the creation of required staffing and infrastructure;
|
| 94 |
+
e) Coordination of the promotion of Cybersecurity measures by all role players (State, public, private sector, and civil society and special interest groups) in relation to Cybersecurity threats, through interaction with and in conjunction with the Cybersecurity Hub (to be established within the Department of Telecommunications and Postal Services);
|
| 95 |
+
f) Strengthening of intelligence collection, investigation, prosecution and judicial processes, in respect of preventing and addressing cybercrime, cyber terrorism and cyber warfare;
|
| 96 |
+
g) Ensuring of the protection of national critical information infrastructure;
|
| 97 |
+
|
| 98 |
+
# NATIONAL CYBERSECURITYPOLICYFRAMEWORKFORSOUTHAFRICA
|
| 99 |
+
|
| 100 |
+
h) The promotion of a Cybersecurity culture and compliance with minimum security standards;
|
| 101 |
+
i) The establishment of public-private partnerships for national and action plans in line with the NCPF; and
|
| 102 |
+
j) Ensuring a comprehensive legal framework governing cyberspace.
|
| 103 |
+
|
| 104 |
+
8. The National Cybersecurity Policy Framework (NCPF) is aligned with and dealt within the JCPS Cluster's mandate and obligations under Outcome $_{3:}$ All people are and feel safe in South Africa. In this regard, Output 8 of Outcome 3 requires the development and implementation of a Cybersecurity policy and the development of capacity to combat and investigate cybercrime that seeks to promote thefollowing
|
| 105 |
+
|
| 106 |
+
a) Measures to address national security threats in terms of cyberspace;
|
| 107 |
+
b) Measures to promote the combating of cybercrime;
|
| 108 |
+
c) Measures to build confidence and trust in the secure use of ICT; and
|
| 109 |
+
d) The development, review and update of existing substantive and procedural laws to ensure alignment.
|
| 110 |
+
|
| 111 |
+
9.The NCPF is intended to provide a holistic approach pertaining to the promotion of Cybersecurity measures by all role players and will be supported by a National Cybersecurity Implementation Plan which will be developed by the JCPS Cluster in consultation with relevant stakeholders, identifying roles and responsibilities, timeframes, specific performance indicators, and monitoring and evaluation mechanisms. The development and large-scale implementation of a system of security measures as implemented elsewhere in the world will form part of the National Cybersecurity Implementation Plan.
|
| 112 |
+
|
| 113 |
+
# NATIONALCYBERSECURITYPOLICYFRAMEWORKFORSOUTHAFRICA
|
| 114 |
+
|
| 115 |
+
# DEFINITIONS
|
| 116 |
+
|
| 117 |
+
# In the context of this policy,
|
| 118 |
+
|
| 119 |
+
"National Critical Information Infrastructure" means all ICT systems, data systems, data bases,networks (including people, buildings,facilities and processes), that are fundamental to the effective operation of the Republic1;
|
| 120 |
+
|
| 121 |
+
"Computer Security Incident Response Team (CsiRT)" is a team of dedicated information security specialists that prepares for and responds to Cybersecurity breaches (Cybersecurity incidents);
|
| 122 |
+
|
| 123 |
+
"Cybersecurity" is the practice of making the networks that constitute cyberspace secure against intrusions,maintaining confidentiality, availability and integrity of information, detecting intrusions and incidents that do occur, and responding to and recovering from them.
|
| 124 |
+
|
| 125 |
+
"Cybersecurity Hub" means a CSiRT established to pool public and private sector threat information for the purposes of processing and disseminating such information to relevant stakeholders including the Cybersecurity centre.
|
| 126 |
+
|
| 127 |
+
"Cyberspace" means a physical and non-physical terrain created by and/or composed of some or all of the following:
|
| 128 |
+
|
| 129 |
+
computers, computer systems, networks and their computer programs, computer data, content data, traffic data, and users;
|
| 130 |
+
|
| 131 |
+
"Cyber warfare" means actions by a nation/state to penetrate another nation's computers and networks for purposes of causing damage or disruption²;
|
| 132 |
+
|
| 133 |
+
"Cyber espionage" means the act or practice of obtaining secrets without the permission of the holder of the information (personal, sensitive, proprietary or of classified nature),from individuals, competitors, rivals, groups, Governments and enemies for personal, economic, political or military advantage3;
|
| 134 |
+
|
| 135 |
+
# NATIONALCYBERSECURITYPOLICYFRAMEWORKFORSOUTHAFRICA
|
| 136 |
+
|
| 137 |
+
"Cyber terrorism" means use of Internet based attacks in terrorist activities by individuals and groups, including acts of deliberate large scale disruptions of computer networks, especially computers attached to the Internet, by the means of tools such as computer viruses4;
|
| 138 |
+
|
| 139 |
+
"Cybercrime" means illegal acts, the commission of which involves the use of information and communication technologies;
|
| 140 |
+
|
| 141 |
+
"ICT"(Information and Communication Technologies) mean any communications device or application including radio, television, cellular phones, satellite systems, computers, network hardware and software and other services such as videoconferencing :
|
| 142 |
+
|
| 143 |
+
"Information society” means people-centred, inclusive and development-oriented information, where everyone can create, access, utilise and share information and knowledge, enabling individuals, communities and people to achieve their full potential in promoting their sustainable development and improving the quality of their life.
|
| 144 |
+
|
| 145 |
+
"JCPS CRC" means Justice, Crime Prevention and Security Cluster's Cybersecurity Response Committee.
|
| 146 |
+
|
| 147 |
+
"Malware” means malicious software, and is programming (code, scripts, active content, and other software) designed to disrupt or deny operation, gather information that leads to loss of privacy or exploitation, gain unauthorized access to system resources, and other abusive behaviour. The expression is a general term used by computer professionals to mean a variety of forms of hostile, intrusive, or dangerous software or program code. Malware's most common pathway from criminals to users is through the Internet: primarily by e-mail and the World Wide Web.(Symantec published a report in 2oo8 indicating that "the release rate of malicious code and other unwanted programs may be exceeding that of legitimate software applications.“According to F-Secure,"As much malware [was] produced in 20o7 as in the previous 20 years altogether." $^5)$
|
| 148 |
+
|
| 149 |
+
"Organisation and user's assets” include connected computing devices, personnel, infrastructure,applications, services, telecommunication systems, and a totality of transmitted and/or stored information in the cyber environment.
|
| 150 |
+
|
| 151 |
+
"Organ of State" means an Organ of the State as defined in section 239 of the Constitution.
|
| 152 |
+
|
| 153 |
+
"Phishing" indicates, as an example, the fraudulent way of attempting to acquire sensitive information such as usernames, passwords and credit card details by someone masquerading as a trustworthy entity in an electronic communication,to lure the unsuspecting public.These modus
|
| 154 |
+
|
| 155 |
+
# NATIONAL CYBERSECURITY POLICY FRAMEWORK FOR SOUTH AFRICA
|
| 156 |
+
|
| 157 |
+
operandi are constantly evolving and is included here as typical examples of Cybersecurity / cybercrime threats that many people will encounter when using computers and information communication technology. Phishing is typically carried out by e-mail or instant messaging and it often directs users to enterdetails at a fakewebsitewhose look andfeelare almost identical to the legitimate one.
|
| 158 |
+
|
| 159 |
+
# 1. Introduction
|
| 160 |
+
|
| 161 |
+
1.1 A number of strategic interventions and tactical interventions have been successfully implemented over the past few years and other interventions are in the process of being implemented within the Justice, Crime Prevention and Security (JCPS) Cluster in the fight against crime with the objective of making South Africa Safe. As part of Government's Outcome based priorities, the JCPS Cluster signed on 24 October 2010, the JCPS Delivery Agreement, relating to Outcome 3: “All People in South Africa Are and Feel Safe". This Outcome focuses on certain areas and activities, clustered around specific Outputs,where interventions will make a substantial and a positive impact on the safety of the people of South Africa. One such area relates to Output 8: which requires the development and implementation of a Cybersecurity Policy and the development of capacity to combat and investigate cybercrime. In line herewith, this document therefore sets out a National Cybersecurity Policy Framework (NCPF) for South Africa.
|
| 162 |
+
|
| 163 |
+
1.2 It is generally accepted that Information and Communications Technologies (ICTs) have become indispensable in modern society. The increased interconnectivity of computer networks and the expansion of broadband including mobility are contributing significantly to economic growth, digital integration, education, electronic governance, citizens' participation in governance and many others. This new electronic environment is commonly known as cyberspace. It has created a “global village” with instantaneous communication possible between persons on the opposite sides of the world. The NCPF Policy Framework therefore recognises that Cybersecurity threats and the combating thereof have a personal, national and international context.
|
| 164 |
+
|
| 165 |
+
1.3Cyberspace comes with new types of challenges to the governments of the world and it therefore introduces a further dimension to National Security. It is a borderless platform that enables more sophisticated threats such as cybercrime, cyber terrorism, cyber war and cyber espionage. The numerous cyber-attacks launched in recent years against advanced information societies aimed at undermining the functioning of public and private sector information systems have placed the abuse of cyberspace high on the list of security threats. The acknowledgment that such attacks pose a threat to international security reached new heights in 2007 owing to the first-ever co-ordinated cyber-attack against an entire country and also because of large-scale cyber-attacks against information systems in many other countries as well. The co-ordinated cyber-attacks against government agencies, banks,
|
| 166 |
+
|
| 167 |
+
# NATIONALCYBERSECURITY POLICYFRAMEWORKFOR SOUTHAFRICA
|
| 168 |
+
|
| 169 |
+
media and telecommunications companies in Estonia demonstrated the vulnerability of a society's information infrastructure as an aspect of national security that needs attention in all countries. There are views that Internet is becoming more and more militarized.The problem is very specific to malware being distributed through terror groups.
|
| 170 |
+
|
| 171 |
+
1.4The recurrence and growing incidence of cyber-attacks indicate the start of a new era in which the security of cyberspace requires a global dimension and the protection of National Critical Information Infrastructure must be elevated, in terms of national security, on par with traditional defence interests.
|
| 172 |
+
|
| 173 |
+
1.5National Cybersecurity is a broad term encompassing many aspects of electronic information, data, and media services that affect a country's security, economy and welbeing. Ensuring the security of a country's cyberspace thus comprises of a range of activities at different levels.Towards this end, the most important policy domains include reducing the vulnerability of cyberspace, preventing cyber threats and attacks in the first instance and,in the event of an attack, ensuring a swift recovery of the functioning of critical information systems.
|
| 174 |
+
|
| 175 |
+
1.6 Thus, a Cybersecurity strategy must appraise the vulnerability of a country's critical information infrastructure, devise a system of preventative measures against cyber-attacks, and decide upon the alocation of tasks relating to Cybersecurity management at the national level. Moreover, it is also important to improve the legal framework against cyber-attacks, to enhance international and institutional co-operation, and to raise public awareness and develop training and research programmes on Cybersecurity.
|
| 176 |
+
|
| 177 |
+
1.7 The above threats necessitate a comprehensive and all-encompassing approach in dealing with cyber threats.In short, a Cybersecurity culture, driven in main by the State, is critical to ensure that citizens take advantage of the information age, whilst remaining conscious of the threats and vulnerabilities of cyberspace. The NCPF recognises the need to balance, on the one hand, the risks associated with the use of information systems and, on the other hand, the indispensability of extensive and free use of information technology to the functioning of open and modern societies. The growing threats to Cybersecurity should not hinder the crucial role of information and communications technology in stimulating the growth of economies and societies.
|
| 178 |
+
|
| 179 |
+
1.8In response to the above challenges, Governments worldwide have established policies and structures that govern interaction and collaboration between Government, private sector, academia and civil society in an effort to prevent, react to, combat and mitigate Cybersecurity vulnerabilities and attacks.
|
| 180 |
+
|
| 181 |
+
1.9 The NCPF recognises that the State is charged with implementing a Government led, coherent and integrated Cybersecurity approach which, amongst others,will:
|
| 182 |
+
|
| 183 |
+
# NATIONAL CYBERSECURITY POLICYFRAMEWORK FOR SOUTHAFRICA
|
| 184 |
+
|
| 185 |
+
a) Promote a Cybersecurity culture and demand compliance with minimum security standards;
|
| 186 |
+
b) Strengthen intelligence collection, investigation, prosecution and judicial processes, in respect of preventing and addressing cybercrime,cyber terrorism and cyber warfare and other cyber ills;
|
| 187 |
+
c) Establish public-private partnerships for national and international action plans;
|
| 188 |
+
d) Ensure the protection of National Critical Information Infrastructure; and
|
| 189 |
+
e) Promote and ensure a comprehensive legal framework governing cyberspace.
|
| 190 |
+
|
| 191 |
+
1.10 This framework is intended to implement an allencompassing approach pertaining to allthe role players (State, public, private sector, civil society and special interest groups) in relation to Cybersecurity. This framework will be supported by a National Cybersecurity Implementation Plan which will be developed by the SSA in consultation with relevant stakeholders, identifying roles and responsibilities, timeframes, specific performance indicators, and monitoring and evaluation mechanisms.
|
| 192 |
+
|
| 193 |
+
# 2. The South African Context
|
| 194 |
+
|
| 195 |
+
2.1 South Africa like many other countries has become dependent on the Internet to govern, to conduct business and for other social purposes. The Internet has become indispensable to many South Africans and will continue to be, as more people access the information highway. Taking into consideration the increase in national and international bandwidth in South Africa, cybercrimes and threats are and will continue to increase. These cybercrimes and threats have the potential to impact on our national security and economy.
|
| 196 |
+
|
| 197 |
+
2.2 Currently there are various pieces of legislation, some with overlapping mandates administered by different Government Departments and whose implementation is not coordinated. Furthermore, the legislation when viewed collectively does not adequately address South Africa's Cybersecurity challenges.
|
| 198 |
+
|
| 199 |
+
2.3 The absence of an aligned legal and regulatory framework, and the challenge of uncoordinated Cybersecurity eforts is not unique to South Africa, other jurisdictions arefaced with the same challenges.
|
| 200 |
+
|
| 201 |
+
2.4Statistics in 2011 indicate that South Africa was in the top three countries that are targeted for phishing purposes, the other countries are the USA and the UK. In addition to phishing, other e-Crime incidents in the RSA have increased to the value of millions of rands. The banking sector is especially vulnerable to cybercrime. In light of the above and many more unreported incidents, there is a need to combat cybercrime.
|
| 202 |
+
|
| 203 |
+
2.5 The borderless nature of cybercrimes introduces a further dimension to National Security. Numerous cyber-attacks have been launched against a number of countries,such as the attack on Estonia in 2007, which crippled the country's electronic systems. South Africa is not immune to such atacks. The protection of South Africa's critical information infrastructure and the coordination thereof is therefore essential. South Africa needs to develop mechanisms that will ensure proactive and coordinated national response to cyber threats and incidents including combating cybercrime. The Government's leadership role in this regard is important, whilst acknowledging that Cybersecurity is everyone's responsibility, public sector, private sector and civil society.
|
| 204 |
+
|
| 205 |
+
2.6 The role of the ICTs in social and economic development of a country has been widely acknowledged; however the full potential of ICTs cannot be realized unless there is confidence and trust in the secure use of ICTs. Government should take responsibility to ensure that theprivate sector and civil society are not only aware of the dangers of operating in cyberspace but also take necessary measures not to become victims of cybercrime. It is thus prudent to develop within South Africa a culture of Cybersecurity that will address the needs of the public sector, private sector and civil society.
|
| 206 |
+
|
| 207 |
+
2.7 Opportunities of ICT and the challenges of Cybersecurity are fuelled by advances in technology. Consequently, there is a need to develop the requisite skills to exploit the opportunities of an information economy and meet the dynamic challenges of Cybersecurity. South Africa will always lag behind or be vulnerableunless we develop requisite skills. There is a need to create an enabling environment for Cybersecurity training, education,research and development and skills development programmes in South Africa.
|
| 208 |
+
|
| 209 |
+
2.8 South Africa is a consumer of ICTs and depends on overseas manufactured technologies to secure its cyberspace.The downside of this, is that our critical information infrastructure will continue to have some degree of vulnerability. Thus it is important to develop indigenous Cybersecurity technologies. Unless we develop Research and Development capabilities to address this, we will continue to rely of foreign technologies for this purpose. The absence of stringent compliance monitoring to ensure that technologies used comply to international and national Cybersecurity standards.
|
| 210 |
+
|
| 211 |
+
2.9 South Africa will in the promotion and development of Cybersecurity measures in relation to this NCPF bear in mind the international instruments and measures that may be relevant such
|
| 212 |
+
|
| 213 |
+
# NATIONAL CYBERSECURITYPOLICYFRAMEWORKFORSOUTHAFRICA
|
| 214 |
+
|
| 215 |
+
as the work of the various agencies of the United Nations.° In 2011, the International Telecommunications Union (ITU) and the UN Office on Drugs and Crime (UNODC) signed a memorandum of understanding (MOU) to help secure cyberspace for consumers, businesses, and children and to mitigate the risks posed by cybercrime. The MOU will enable the parties to avail the necessary expertise and resources to establish legal measures and legislativeframeworks atnational level,forthebenefit of allinterestedcountries.This initiative is a major milestone in implementing a co-ordinated global approach to an increasingly serious global problem.'
|
| 216 |
+
|
| 217 |
+
# 3. Purpose of the NCPF
|
| 218 |
+
|
| 219 |
+
3.1The purpose of the NCPF is to create a secure, dependable,reliable and trustworthy cyber environment that facilitates the protection of critical information infrastructure whilst strengthening shared human values and understanding of Cybersecurity in support of national security imperatives and the economy. This will enable the development of an information society which takes into account the fundamental rights of every South African citizen to privacy, security, dignity, access to information, the right to communication and freedom of expression.
|
| 220 |
+
|
| 221 |
+
3.2 The NCPF seeks to ensure that Government, business and civil society are able to enjoy the full benefits of a safe and secure cyberspace. To this end, the public sector, private sector and civil society willneed to work together tounderstand and address the risks,reduce the benefits to criminals and seize opportunities in cyberspace to enhance South Africa's overall security and safety including its economic well-being.
|
| 222 |
+
|
| 223 |
+
3.3 This NCPF therefore provides for:
|
| 224 |
+
|
| 225 |
+
a) Measures to address national security in terms of cyberspace; b) Measures to combat cyber warfare, cybercrime and other cyber ills; c) The development, review and updating existing substantive and procedural laws to ensure alignment; and d) Measures to build confidence and trust in the secure use of ICT.
|
| 226 |
+
|
| 227 |
+
# NATIONAL CYBERSECURITY POLICYFRAMEWORKFORSOUTHAFRICA
|
| 228 |
+
|
| 229 |
+
# 4. Key Objectives of the NCPF
|
| 230 |
+
|
| 231 |
+
4.1The NCPF articulates the overall aim and objectives of the South African Government and sets out strategic priorities that will be pursued to achieve these objectives. In order to achieve the strategic visionset out in thispolicy, it is expected that this National Cybersecurity Policy Framework will:
|
| 232 |
+
|
| 233 |
+
4.1.1 Centralise coordination of Cybersecurity activities,by facilitating the establishment of relevant structures, policy frameworks and strategies in support of Cybersecurity in order to combat cybercrime, address national security imperatives and to enhance the information society and knowledge based economy;
|
| 234 |
+
4.1.2 Foster cooperation and coordination between Government, the private sector and civil society by stimulating and fostering a strong interplay between policy, legislation, societal acceptance and technology;
|
| 235 |
+
4.1.3 Promote international cooperation;
|
| 236 |
+
4.1.4 Develop requisite skills, research and development capacity;
|
| 237 |
+
4.1.5 Promote a culture of Cybersecurity; and
|
| 238 |
+
4.1.6 Promote compliance with appropriate technical and operational Cybersecurity standards.
|
| 239 |
+
|
| 240 |
+
# 5. Capacity to Respond to Cybersecurity lmperatives
|
| 241 |
+
|
| 242 |
+
5.1The Justice Crime Prevention and Security Cluster (JCPS),working in consultation with other Government Clusters , will oversee the implementation of this policy framework, with the aim to ensure centralized coordination of Cybersecurity issues.
|
| 243 |
+
|
| 244 |
+
5.2Adedicated JCPSCybersecurity Response Committee will be established within the JCPS Cluster to coordinate Cybersecurity activities, drive the implementation of the NCPF and manage the implementation of Output 8. The Cybersecurity Response Committee will be chaired by the State Security Agency (SSA) and it will be supported operationally by a CybersecurityCentresituated at the SSA.All relevant JCPS departments willberepresented on the Cybersecurity Response Committee.
|
| 245 |
+
|
| 246 |
+
5.3 The role of the JCPS Cybersecurity Response Committee will, amongst others, be to:
|
| 247 |
+
|
| 248 |
+
# NATIONALCYBERSECURITYPOLICYFRAMEWORKFORSOUTHAFRICA
|
| 249 |
+
|
| 250 |
+
5.3.2 Coordinate Cybersecurity activities and be a central point of contact on all Cybersecurity matters pertinent to national security (national defence, national intelligence and cybercrime);
|
| 251 |
+
|
| 252 |
+
.3 Identify and prioritise areas of intervention and promote focussed attention and guidance where required regarding Cybersecurity related threats and incidents;
|
| 253 |
+
|
| 254 |
+
5.3.4 Promote, guide and coordinate activities aimed at improving Cybersecurity measures by all role players, which would include amongst others, the strengthening of intelligence collection and improved State capacity to investigate, prosecute and combat:
|
| 255 |
+
|
| 256 |
+
a) Cybercrime,
|
| 257 |
+
b) Cyber terrorism,
|
| 258 |
+
c) Cyber espionange,
|
| 259 |
+
d) Cyber warfare and
|
| 260 |
+
e) Any other cyber related threats;
|
| 261 |
+
|
| 262 |
+
5.3.5 Oversee and guide the functioning of the Cybersecurity Centre, Cybersecurity Hub, RSA Government Electronic Communications Security Computer Security Incident Response Team (ECS -CSiRT) and any other CSiRT established in SA.
|
| 263 |
+
|
| 264 |
+
5.3.6 Promote and provide guidance to the process of the development and implementation of:
|
| 265 |
+
|
| 266 |
+
a) The protection of national critical information infrastructure Plan;
|
| 267 |
+
b) Situational analysis and awareness campaign concerning the risk environment of South African cyberspace;
|
| 268 |
+
c) Cybersecurity culture and compliance with minimum security standards;
|
| 269 |
+
d) Public-private partnerships for national and action plans in line with the NCPF;
|
| 270 |
+
e) Compliance with appropriate technical and operational Cybersecurity standards;
|
| 271 |
+
f) Cybersecurity training, education, research and development and skills development programmes;
|
| 272 |
+
g) International cooperation;
|
| 273 |
+
h) Facilitation of interaction, both nationally and internationally, including through international memberships to organisations such as the Forum for Incident Response and Security Teams (FiRST); and develop policy guidelines to inform such interaction;
|
| 274 |
+
|
| 275 |
+
# NATIONALCYBERSECURITYPOLICYFRAMEWORKFORSOUTHAFRICA
|
| 276 |
+
|
| 277 |
+
i) Establishment of sector, regional and continental CSiRTs; and j) Comprehensive legal framework governing cyberspace.
|
| 278 |
+
|
| 279 |
+
5.4 The role of the Cybersecurity Centre will be to:
|
| 280 |
+
5.4.1 Facilitate the operational coordination of Cybersecurity incident response activities regarding national intelligence, national defence and cybercrime;
|
| 281 |
+
5.4.2 Develop measures to deal with Cybersecurity matters impacting on national security;
|
| 282 |
+
5.4.3 Facilitate the analysis of Cybersecurity incidents, trends, vulnerabilities, information sharing, technology exchange on national security and threats to improve technical response coordination;
|
| 283 |
+
5.4.4 Provide guidance to and facilitate the identification, protection and securing of National Critical Information Infrastructure (NCIl);
|
| 284 |
+
5.4.5 Ensure regular assessment and testing of National Critical Information Infrastructures, including vulnerability assessments, threat and risk assessment and penetration testing;
|
| 285 |
+
5.4.6 Provide coordination and guidance regarding Corporate Security and Policy Development; Governance, Risk Management, and Compliance (GRC); ldentity and Security Management; Security Information and Event Management (SiEM), and Digital Forensics as it pertains to Cybersecurity matters within Organs of State;
|
| 286 |
+
5.4.7 Develop response protocols to guide coordinated responses to Cybersecurity incidents and interaction with the various stakeholders;
|
| 287 |
+
5.4.8 Ensure the conducting of Cybersecurity audits, assessments and readiness exercises and provide advice on the development of national response plans;
|
| 288 |
+
5.4.9 Provide the Secretariat services required in relation to the JCPS Cybersecurity Committee, and
|
| 289 |
+
5.4.10 Perform any other function consistent with the strategic and policy objectives set out herein.
|
| 290 |
+
|
| 291 |
+
# 6. Cybersecurity Hub and Additional CSlRTs
|
| 292 |
+
|
| 293 |
+
6.1 Notwithstanding the envisaged JCPS Cybersecurity Response Committee, the Cybersecurity Centre and the existing ECS-CSiRT, there is also a need to ensure appropriate consultation between the JCPS cluster departments, the private sector and civil society regarding Cybersecurity matters.
|
| 294 |
+
6.2 To deal with the above stated, this policy recognises that the crucial need for the facilitation of interaction between the key role players in the public sector, private sector and the broader civil society. The NCPF therefore promotes the coordination and consultation between the JCPS cluster departments, the private sector and civil society regarding Cybersecurity matters through the establishment of a Cybersecurity Hub within the Department of Telecommunications and Postal Services (DOC). The Cybersecurity Hub will be operated within the DOC in accordance with national security guidelines and standards issued by the JCPS Cybersecurity Response Committee.
|
| 295 |
+
6.3 To enhance interaction, consultations and to promote a coordinated aproach regarding engagements with the private sector and civil society, Cybersecurity Hub will amongst others, have the responsibility to:
|
| 296 |
+
6.3.1 Coordinate general Cybersecurity activities, in consultation with JCPS CRC as well as including identifying stakeholders and developing public-private relationships and collaborating with any sector CSiRTs that may be established;
|
| 297 |
+
6.3.2 Disseminate relevant information to othersector CSiRTs, vendors, technology experts on Cybersecurity developments;
|
| 298 |
+
6.3.3 Provide best practice guidance on ICT security for Government, business and civil society;
|
| 299 |
+
6.3.4 Initiate Cybersecurity awareness campaigns;
|
| 300 |
+
6.3.5 Promote compliance with standards, procedures and policy developed by the JCPS Cybersecurity Response Committee regarding Cybersecurity matters with a bearing on national security.
|
| 301 |
+
6.3.6 Encourage and facilitate the development of appropriate additional sector CSiRTs. The sector CSIRTs will:
|
| 302 |
+
6.3.6.1 Be a point of contact for that specific sector on Cybersecurity matters;
|
| 303 |
+
6.3.6.2 Coordinate Cybersecurity incident response activities within that sector;
|
| 304 |
+
|
| 305 |
+
NATIONALCYBERSECURITYPOLICYFRAMEWORKFORSOUTHAFRICA
|
| 306 |
+
|
| 307 |
+
|
| 308 |
+
<html><body><table><tr><td></td><td></td></tr><tr><td>6.3.6.3</td><td>Facilitate information and technology sharing within the sector;</td></tr><tr><td>6.3.6.4</td><td>Facilitate information sharing and technology exchange with other sector CSIRTs;</td></tr><tr><td>6.3.6.5</td><td>Establish national security standards and best practices for the sector in consultation with the Cybersecurity Centre and the JCPS Cybersecurity Response Committee which are consistent with guidelines, standards and best practices</td></tr><tr><td>6.3.6.6</td><td>Develop agreed upon measures;</td></tr><tr><td>6.3.6.7</td><td>Conduct Cybersecurity audits, assessments and readiness exercises for the sector; and</td></tr><tr><td>6.3.6.8</td><td>Provide sector entities with best practice guidance on ICT security.</td></tr></table></body></html>
|
| 309 |
+
|
| 310 |
+
# 7. Verification of Information Security Products and Systems
|
| 311 |
+
|
| 312 |
+
7.1 South Africa needs to independently assess and certify products and systems that are used to process or store information that can have an impact on national security. The NCPF therefore promotes the facilitation by the JCPS Cybersecurity Response Committee and the National Cybersecurity Hub of the development of a National Information Security Verification Framework that will enable the achievement of this objective by executing the following:
|
| 313 |
+
|
| 314 |
+
a) Facilitating effective partnerships between the Republic of South Africa and countries with established capacity to perform information security assessments and certifications.
|
| 315 |
+
b) Facilitating effective partnerships between the Government of South Africa, the private sector, academic and research institutions to ensure that there is always capacity to perform information security assessments and certifications within the borders of the Republic.
|
| 316 |
+
c) Developing National regulations for verification of products and systems with applications in Information Security.
|
| 317 |
+
d) Facilitating effective partnerships among government institutions, e.g. those tasked with technical assessments, and those whose responsibility is licensing, and those
|
| 318 |
+
|
| 319 |
+
# NATIONAL CYBERSECURITYPOLICY FRAMEWORKFOR SOUTH AFRICA
|
| 320 |
+
|
| 321 |
+
who monitor, (e.g. the Auditor General), to ensure that solutions are implemented in accordance with certification conditions and legislation.
|
| 322 |
+
|
| 323 |
+
e) Establishing a body that will centrally coordinate the required national verification functions.
|
| 324 |
+
|
| 325 |
+
# 8. NCll Protection
|
| 326 |
+
|
| 327 |
+
8.1 The NCPF recognises the need to provide a mechanism to ensure that South Africa's critical information infrastructure is protected and secured against cyber related crimes. It is also noted that a more secured critical information infrastructure will help to achieve the continued provision of essential services and support national security, economic prosperity and social well-being of the Republic. The policy framework recognises that a significant proportion of SA's national critical information infrastructure (NCll) is privately owned or operated on a commercial basis.
|
| 328 |
+
|
| 329 |
+
8.2 The NCPF therefore seeks to ensure that appropriate steps are taken to ascertain that all National Critical Information Infrastructure (NCll) are identified and properly protected from a variety of threats. For continued availability of the critical information infrastructure, the NCPF thus promotes the development of a National Critical Information Infrastructure (NCIl) Strategy that will address the identification and protection of NCll by:
|
| 330 |
+
|
| 331 |
+
a) Developing National Critical Information Infrastructure regulations, relating,inter alia, to:
|
| 332 |
+
|
| 333 |
+
i. Information Classification and Information Security Policy and Procedures;
|
| 334 |
+
ii. Third Party Access to NCII;
|
| 335 |
+
1i1. Access to and authentication on NCll;
|
| 336 |
+
iv. Storage and archiving of critical databases;
|
| 337 |
+
V. Incident management and business continuity; and vi. Physical and technical protection of all NCll.
|
| 338 |
+
|
| 339 |
+
b) Facilitate an effective business - government partnership relating to the implementation of the Cll Protection Plan. To this end, the private sector, State Owned Enterprises (SOE's), and other government agencies and institutions such as the State Information Technology Agency (SiTA) will play a critical role in ensuring the implementation of NCIl protection plan.
|
| 340 |
+
|
| 341 |
+
# 9. Cryptography
|
| 342 |
+
|
| 343 |
+
9.1 There are an ever-increasing numbers of cryptographic devices, crypto graphic software and users requiring secure communications and the geographic spread of locations of these devices. The NCPF therefore provides for the regulation of cryptography given the critical role it plays in ensuring improved secure communications.
|
| 344 |
+
|
| 345 |
+
9.2 The NCPF notes that various attempts at regulating cryptography were initiated as a way of developing a coherent and integrated approach to this matter. These strategies are found in various laws such as:
|
| 346 |
+
|
| 347 |
+
a) National Convention Arms Control Act (Act 41 of 2002)
|
| 348 |
+
b) Electronic Communications and Transactions Act (Act 25 of 2002)
|
| 349 |
+
c) Electronic Communications Security (Pty) Ltd Act (Act 68 of 2002)
|
| 350 |
+
d) Regulation of Interception of Communications and Provision of Communications Related Information Act (Act 70 of 2002)
|
| 351 |
+
e) State Information Technology Agency Act (Act 88 of 1998)
|
| 352 |
+
f) Conventional Arms Control Regulations (R7969 of 2004)
|
| 353 |
+
g) Cryptographic regulations (R8418 of 2006)
|
| 354 |
+
|
| 355 |
+
9.3Taking into consideration the above-mentioned legislation,the NCPF recognises that there is a need to:
|
| 356 |
+
|
| 357 |
+
a) Review the existing legislation and regulations thereof; and b) Develop an integrated regulatory framework for Cryptography for the country.
|
| 358 |
+
|
| 359 |
+
# 10.Online E-ldentity Management in Cyberspace
|
| 360 |
+
|
| 361 |
+
10.1 It is noted that the Electronic Communications and Transactions Act, 20o2 (Act 25 of 2002) (ECT Act) provides for the establishment of the South African Accreditation Authority to facilitate the accreditation and regulation of authentication services and products. It further provides for advanced electronic signatures and facilitates the recognition of electronic documents as legal and binding.
|
| 362 |
+
|
| 363 |
+
10.2 The NCPF notes that the South African Post Offce (which in terms of the ECT Act, 2002 is a preferred service provider for advanced electronic signatures) has developed a Public Key Infrastructure (PKl) to support advanced electronic signatures (e-identity) and the Department of Public Service and Administration pursuant to its mandate in E--Government willdevelop a
|
| 364 |
+
|
| 365 |
+
# NATIONALCYBERSECURITYPOLICYFRAMEWORKFORSOUTHAFRICA
|
| 366 |
+
|
| 367 |
+
PKI Strategy. The Department of Telecommunications and Postal Services (DOC), pursuant to its mandate established the South African Accreditation Authority to accredit and regulate authentication services and products.
|
| 368 |
+
|
| 369 |
+
10.3The issue of identity management in cyberspace is central to building confidence and trust in the secure use of ICTs. The NCPF seeks to address the fragmented approach by promoting the development of an integrated National E-identity and PKl strategy. Such a strategy and implementation thereof will be critical inproviding inter alia e-government services as well as to ensure security, confidentiality and integrity. Uptake and usage of e-identity in e government services will stimulate other sectors as well.
|
| 370 |
+
|
| 371 |
+
10.4 The NCPF acknowledges that transmission of information over the Internet for trading and communication purposes presents new and sophisticated threats for both the senders and recipients of information. Therefore to ensure online transaction security, the NCPF provides for the development of a holistic National E-ldentity and PKl Strategy. The strategy will, amongst others, assist to address:
|
| 372 |
+
|
| 373 |
+
a) Authentication and securing of the identities of the parties to an e-transaction;
|
| 374 |
+
b) Confidentiality, ensuring information is kept private;
|
| 375 |
+
c) Integrity issues, by ensuring the information or process has not been modified or corrupted;
|
| 376 |
+
d) Non-repudiation issues, by ensuring that neither party can refute that the transaction occurred (i.e. the trans action is binding); and
|
| 377 |
+
e) The structure and regulatory framework for E-ldentity and a Public Key Infrastructure.
|
| 378 |
+
|
| 379 |
+
10.5 The NCPF also requires that the development of a holistic National E-ldentity and PKI Strategy should be aligned to the broader objectives set out herein and in particular the roles and the responsibilities of the critical stakeholders in the implementation of the NCPF.
|
| 380 |
+
|
| 381 |
+
# 11. Promote and Strengthen Local and International Cooperation
|
| 382 |
+
|
| 383 |
+
11.1 In terms of this policy framework, the Cybersecurity Hub will foster cooperation and coordination between the public sector, private sector and civil society.
|
| 384 |
+
|
| 385 |
+
# 11.2 Local cooperation
|
| 386 |
+
|
| 387 |
+
11.2.1 The NCPF promotes the Public-Private-Civil sector collaboration and the use of industry perspectives, equities and knowledge to enhance Cybersecurity. The Public-PrivateCivil sector partnership is based on the understanding that Cybersecurity is everyone's responsibility and there is a need to leverage on joint knowledge and perspectives, to combat cybercrime.
|
| 388 |
+
|
| 389 |
+
11.2.2 The NCPF thus promotes the establishment of collaboration with local stakeholders, with a focus on the following aspects:
|
| 390 |
+
|
| 391 |
+
(a) Inclusion of the industry and creating an enabling environment for a successful partnership;
|
| 392 |
+
(b) Encouraging private sector groups to address common security interests and collaborate with government including encouraging cooperation among groups from interdependent industries;
|
| 393 |
+
(c) Bringing private sector and government together in trusted forums; and
|
| 394 |
+
(d) Creating a common understanding of the threats and vulnerabilities that the country faces and the responses required.
|
| 395 |
+
|
| 396 |
+
# 11.3 International Cooperation
|
| 397 |
+
|
| 398 |
+
11.3.1 Internet as a form of media can in essence not be regulated in total by an authority or government. Given the borderless nature of the Internet and the challenges it poses in terms of jurisdiction, it is important that countries learn and collaborate with each other in order to combat cybercrimes.
|
| 399 |
+
|
| 400 |
+
11.3.2 Therefore, international collaboration is critical in securing cyberspaces nationally and globally. Recognising the need for global collaboration on matters regarding Cybersecurity, South Africa is required to collaborate with relevant and appropriate international organisations and governments, in line with the Constitution, national security imperatives, foreign policy and existing international agreements. To this end, South Africa will:
|
| 401 |
+
|
| 402 |
+
# NATIONAL CYBERSECURITYPOLICYFRAMEWORKFORSOUTHAFRICA
|
| 403 |
+
|
| 404 |
+
(a) Participate in regional, African Union and international fora on matters pertinent to Cybersecurity in order to advance South Africa's views in the definition and elaboration of the global Cybersecurity agenda in combating cybercrime and building confidence and trust in the secure use of ICTs.
|
| 405 |
+
(b) Forge bilateral and multilateral partnerships in our national interest through various instruments inter alia Memorandum of Understanding, Convention, Treaty, etc.
|
| 406 |
+
(c) Afiliate to relevant international organisations in order to promote a coordinated global response to threats and vulnerabilities and to keep abreast of developments in the Cybersecurity front.
|
| 407 |
+
|
| 408 |
+
# 12. Capacity Development, Research and Development
|
| 409 |
+
|
| 410 |
+
12.1 The dynamic nature of Cybersecurity challenges necessitates the continuous development of capabilities and requisite skills.
|
| 411 |
+
|
| 412 |
+
# 12.2 The NCPF therefore promotes:
|
| 413 |
+
|
| 414 |
+
a) Development of capacity building strategies to address South Africa's, specific skills requirements to meet the ever increasing challenges of addressing Cybersecurity threats;
|
| 415 |
+
b) Development of recruitment and retention strategies aimed at ensuring a sufficient level of technical expertise is developed and maintained within the Republic; and
|
| 416 |
+
c) Development of a Cybersecurity research and development agenda and enhancement of Cybersecurity research within South African Universities, industry and the Department of Science and Technology.
|
| 417 |
+
d) Enterprise development so as to grow the information security sector in terms of skills and growing enterprises that produce technology that protect cyberspace.
|
| 418 |
+
|
| 419 |
+
# 13.Cyber-warfare
|
| 420 |
+
|
| 421 |
+
13.1 In order to protect its interests in the event of a cyber-war, a cyber defence capacity has to be built. The NCPF thus promotes that a Cyber Defence Strategy, that is informed by the National Security Strategy of South Africa, be developed, guided by the JCPS Cybersecurity Response Committee.
|
| 422 |
+
|
| 423 |
+
# 14. Promotion of a Cybersecurity Culture
|
| 424 |
+
|
| 425 |
+
14.1 T0 effectively deal with Cybersecurity, it is prudent that civil society, government and the private sector play their part in ensuring South Africa has a culture of Cybersecurity. Critical to this is the development of a culture of Cybersecurity, in whichrole players understand the risks of surfing in cyberspace. To facilitate the building of a Cybersecurity culture, the NCPF provides for inter alia:
|
| 426 |
+
|
| 427 |
+
14.1.1 Implementing Cybersecurity awareness programs for private sector, public sector and
|
| 428 |
+
civil society users;
|
| 429 |
+
14.1.2 Encouraging business to develop a positive culture for Cybersecurity;
|
| 430 |
+
14.1.3 Supporting outreach to civil society, children and individual users;
|
| 431 |
+
14.1.4 Promoting a comprehensive national awareness program and guidelines;
|
| 432 |
+
14.1.5 Reviewing and updating existing privacy regime;
|
| 433 |
+
14.1.6 Develop awareness of cyber risks and available solutions;
|
| 434 |
+
14.1.7 Continuously review cyber applications and the impact from a Cybersecurity
|
| 435 |
+
perspective.
|
| 436 |
+
14.1.8 Compliment the culture of Cybersecurity with online support mechanisms.
|
| 437 |
+
|
| 438 |
+
# 15. Technical and Operational Standards Compliance
|
| 439 |
+
|
| 440 |
+
15.1 The NCPF also promotes:
|
| 441 |
+
|
| 442 |
+
a) The recognition of and compliance with appropriate international and local technical andoperational Cybersecurity standards. The Ministerof Communications shall enforce compliance with such standards where appropriate and in consultation with the National Cybersecurity Advisory Council;
|
| 443 |
+
b) The continuous monitoring, review and assessment of regulatory frameworks that support Cybersecurity ; and
|
| 444 |
+
|
| 445 |
+
# NATIONALCYBERSECURITYPOLICYFRAMEWORKFORSOUTHAFRICA
|
| 446 |
+
|
| 447 |
+
c) The development and/or adoption of standards by the South African Bureau of Standards in consultation with relevant Government Departments, ICASA and industry. This will ensure a safe and secure cyberspace environment that will enable the growth of e-commerce and an inclusive information society.
|
| 448 |
+
|
| 449 |
+
# 16.The Role and Responsibility of the State
|
| 450 |
+
|
| 451 |
+
This policy recognizes that there are a number of Organs of State that play a critical role in the implementation of Cybersecurity measures. For effective implementation of this policy framework, the role of some of the main relevant Organs of State are set out below. Inclusive of the various roles and responsibilities set out, all other governmental priorities such as the protection of vulnerable groups,promotion of job creation and general protection of Constitutional values and principles are endorsed and should be promoted in the development of implementation plans and activities. Liaison with other clusters such as the economic cluster will be essential in the development of the various implementation plans guided by the NCPF.
|
| 452 |
+
|
| 453 |
+
16.1 The Department of Justice and Constitutional Development (DOJ&CD) and the National Prosecuting Authority (NPA) have an overall responsibility for facilitating cybercrime prosecution and court processes in accordance with the applicable laws.
|
| 454 |
+
|
| 455 |
+
a) The NCPF also requires the DOJ&CD to develop an implementation plan for the review and alignment of all Cybersecurity laws with the policy objectives and mandates of the State institutions as set out herein. In this regard, the DOJ&CD will be required to lead a process, in consultation with other JCPS Cluster Departments, for the review and alignment of Cybersecurity laws and will be required to submit progress reports to the JCPS Cluster Cybersecurity implementation team on a continuous basis in accordance with the approved JCPS implementation plan.
|
| 456 |
+
|
| 457 |
+
b) The process for the review of the Cybersecurity laws seeks to ensure that all relevant laws are aligned to this policy framework, and create a coherent and integrated cybercrime legal framework and prosecution approach in the Republic. This would require initiation of processes to effect necessary amendments to relevant legislation in order to make cybercrime or related crimes punishable in law.
|
| 458 |
+
|
| 459 |
+
# NATIONAL CYBERSECURITY POLICY FRAMEWORKFOR SOUTH AFRICA
|
| 460 |
+
|
| 461 |
+
16.2The Ministry of State Security and the State Security Agency (SSA) has overall responsibility and accountability for coordination, development and implementation of Cybersecurity measures in the Republic as an integral part of its National Security mandate.
|
| 462 |
+
|
| 463 |
+
16.2.1 The Ministry of State Security and SSA shall, amongst others, be required to perform the following key roles and responsibilities in relation to cybersecutity in the Republic:
|
| 464 |
+
|
| 465 |
+
(a) Ensure that the JCPS cluster is properly capacitated and is able to perform its function as set out in this Policy framework including ensuring that the JCPS cluster has the the necessary capacity to monitor, promote and guide the implementation of the NCPF.
|
| 466 |
+
|
| 467 |
+
(b) Ensure, in consultation with the relevant stakeholders, the establishment of the Cybersecurity Response Committee, Cybersecurity Centre and proper function of the existing RSA Government CSiRT in line with the approved JCPS implementation plan.
|
| 468 |
+
|
| 469 |
+
(c) Initiate and lead a process within the JCPS cluster for the development and approval of guidelines and National security norms for the establsihment of varioussector CSiRTs asprovidedfor inthepolicyframework.
|
| 470 |
+
|
| 471 |
+
(d) Have an overall responsibility for the development and formulation of National Cybersecurity in Republic and in consultation with stakeholders. This includes reviewing and amending existing Cybersecurity policies as well as prescribing regulations on information and communications technology security for the Republic in order to advance the National Security interests of the Republic
|
| 472 |
+
|
| 473 |
+
(e) Provide information assurance and secure information and communications technology infrastructure of National importance in support of national security; This should include the development of State capacity to provide threat monitoring, alerting, co-ordination and response for information communications technology related incidents pertaining to National Critical Information Infrastructure of the State;
|
| 474 |
+
|
| 475 |
+
(f) Prescribe a regulatory frameworkfor the control by the State of the provision and application of cryptographic solutions, development of National strategy and regulations for the protection of National Critical Information Infrastructure, and prescribe information communications technology security technical standards to which the electronic communications security products and services of organs of State must comply;
|
| 476 |
+
|
| 477 |
+
# NATIONAL CYBERSECURITY POLICY FRAMEWORKFOR SOUTH AFRICA
|
| 478 |
+
|
| 479 |
+
16.2.2 The implementation of these responsibilities by SSA shall include aspects of developing and implementing regulations, collecting intelligence both locally and internationally, conducting necessary Cybersecurity investigations and reporting on South Africa's Cybersecurity situation.
|
| 480 |
+
|
| 481 |
+
16.3 The Department of Police and the SAPS shall, in terms of the NCPF, be responsible for the prevention, investigation and combating of cybercrime in the Republic, which includes development of cybercrime policies and strategies, and providing for specialized investigative capacity and interaction with national and international stakeholders. Development of the anticybercrime policy and implementation plans should include operational priorities pertaining to:
|
| 482 |
+
|
| 483 |
+
(a) The fight against child sexual/physical abuse material on the Internet;
|
| 484 |
+
(b) Actions to counter massive attacks against information systems such as“denial-ofservice attacks (such as those affecting the banking sector);
|
| 485 |
+
(c) Actions combating identity fraud;
|
| 486 |
+
(d) The development of cross-border law enforcement cooperation;
|
| 487 |
+
(e) Public-private cooperation to fight cybercrime (in particular between law enforcement authorities and private companies); and
|
| 488 |
+
(f) Promote enhanced international cooperation to fight cybercrime by taking part in various international initiatives such the UN High Level Expert Group on Cybersecurity and the International Telecommunication Union.
|
| 489 |
+
|
| 490 |
+
16.4 The Department of Telecommunications and Postal Services (DTPS) has the responsibility for:
|
| 491 |
+
|
| 492 |
+
(a) Developing and implementing policies, regulations and industry standards regarding ICT aspects in general and to assist in the provision of strategic direction and coordination on local and international Cybersecurity matters pursuant to building an information economy and building confidence and trust in the secure use of ICTs. This includes building trust and confidence in the secure use of ICTs and to advise the Minister of Telecommunications and Postal Services on policy and technical issues and other matters pertinent to Cybersecurity;
|
| 493 |
+
|
| 494 |
+
# NATIONALCYBERSECURITYPOLICYFRAMEWORKFORSOUTHAFRICA
|
| 495 |
+
|
| 496 |
+
Establishing the National Cybersecurity Advisory Council (NCAC) to advise the Minister of Telecommunications and Postal Services on policy and technical issues, and other matters pertinent to Cybersecurity pursuant to building confidence and trust in the secure use of ICTs; (c) Establishing the Cybersecurity Hub and to facilitate the establishment of any other sector CSIRTs.
|
| 497 |
+
|
| 498 |
+
16.5 The Department of Defence and Military Veterans (DOD&MV) has overall responsibility for coordination, accountability and implementation of cyber defence measures in the Republic as an integral part of its National defence mandate. To this end, the Department will develop policies and strategies pursuant to its core mandate.
|
| 499 |
+
|
| 500 |
+
16.6 The Department of Science and Technology (DsT) has the responsibility for the development, coordination and implementation of national capacity development program. Furthermore, the Department shall be responsible for developing and facilitating the implementation of a national Cybersecurity research and development agenda for South Africa.
|
| 501 |
+
|
| 502 |
+
16.7 All other Organs of State are required to align their ICT policies and practices with this NCPF in so far as it relates to Cybersecurity.
|
| 503 |
+
|
| 504 |
+
# 17.The role and Responsibility of the Private Sector
|
| 505 |
+
|
| 506 |
+
17.1 The private sector is responsible for implementing information security measures at least equivalent to those that are implemented by Government. The NCPF therefore promotes cooperation between the information security bodies that predominantly represent the private sector with equivalent bodies in Government. The Department of Telecommunications and Postal Services (DTPS) and the National Cybersecurity Hub will help facilitate such cooperation.
|
| 507 |
+
|
| 508 |
+
# 18. The Role and Responsibility of Civil Society
|
| 509 |
+
|
| 510 |
+
18.1 Each person has a responsibility to ensure that his or her computer, mobile phone or any ICT infrastructure at his or her disposal that links to the cyberspace has updated malware protection. Each person also has a responsibility to report information security incidents to the police or the most accessible CSiRT. DTPS will help facilitate campaigns to raise awareness in this regard.
|
| 511 |
+
|
| 512 |
+
# NATIONAL CYBERSECURITY POLICYFRAMEWORKFORSOUTHAFRICA
|
| 513 |
+
|
| 514 |
+
# 19. Conclusion
|
| 515 |
+
|
| 516 |
+
19.1 It is envisaged that the NCPF will achieve the following benefits:
|
| 517 |
+
|
| 518 |
+
a) A safer and more secure cyberspace that underpins national security priorities;
|
| 519 |
+
b) The establishment of institutional structures to support a coordinated approach to addressing Cybersecurity;
|
| 520 |
+
c) The identification and protection of national critical information infrastructure;
|
| 521 |
+
d) A secure e-environment that stimulates economic growth and competitiveness of South Africa;
|
| 522 |
+
e) Promotion of a national research and development agenda relating to Cybersecurity;
|
| 523 |
+
f) The effective prevention, combating and prosecution of cybercrime; and
|
| 524 |
+
g) The enhanced management of Cybersecurity.
|
kg_viz.html
ADDED
log/lightrag_compatible_demo.log
ADDED
log/lightrag_err.log
ADDED
log/miniriag_workingfolder3_14-18June25.log
ADDED
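--- a/requirements.txt
+++ b/requirements.txt
@@ -0,0 +1,10 @@
+lightrag-hku>=1.3.6
+gradio>=4.0.0
+networkx
+pyvis
+python-dotenv
+openai
+ollama
+plotly
+tiktoken
+graspologic>=3.4.1 ## networkx: utilities and algorithms for processing and analysis of graphs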
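Review bot: Seven of the ten entries (networkx, pyvis, python-dotenv, openai, ollama, plotly, tiktoken) carry no version at all and the other three are only `>=` floors, so every rebuild of the Space resolves a different dependency set and silently picks up whatever the newest upstream release is, including a breaking or compromised one. Pin exact versions (for example by generating this file with `pip-compile --generate-hashes` from a short requirements.in) so the install is reproducible and hash-verified. The trailing comment on the last line, `## networkx: utilities and algorithms ...`, describes networkx rather than graspologic and should either be dropped or reworded on its own line. Note also that `troubleshoot.py` added in this same commit does `import torch`, but torch is not declared here, so that script cannot run in an environment built only from this file.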
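--- a/troubleshoot.py
+++ b/troubleshoot.py
@@ -0,0 +1,4 @@
+import torch
+torch.cuda.is_available()
+torch_staus = torch.cuda.is_available()
+print(f'torch available: {torch_staus}')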
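Review bot: The bare `torch.cuda.is_available()` on line 2 discards its result and the variable on line 3 is misspelled `torch_staus`; collapse lines 2-4 into `cuda_available = torch.cuda.is_available()` followed by `print(f'torch available: {cuda_available}')`. Because torch is absent from the requirements.txt added in this commit, a fresh environment fails at `import torch` before printing anything, which defeats the purpose of a troubleshooting script; either add torch to the requirements or wrap the import in `try/except ImportError` and print that outcome. A one-line module docstring such as `"""Smoke check: report whether torch can see a CUDA device."""` would also make the file's purpose clear, since the name alone does not mention torch.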