

THE EMERGENT THEORY

5.5. DEMONSTRATION OF HOW THE INTEGRATED DEVELOPMENT CYBER-SECURITY THEORY WORKS

• there is compliance with pertinent legislation, regulations and policies;

• there are collaborations amongst interested parties within and external to the organisation – collaborations provide platforms to share information on the protection of information infrastructures; and

• an appropriate culture of cyber-security is implemented across the organisation.


policy to the cyber-security governance structure for official sign-off and to make the policy an official municipal document. To implement the cyber-security policy, the integrated development cyber-security structure formulates the cyber-security strategy that is aligned to the municipal IDP strategy. The strategy is also submitted to the cyber-security governance structure for approval, and to commit resources to achieve the strategy.

The cyber-security governance category mainly sets the right tone at the top because the role players in this category are the executive management who are driving the implementation of the municipal IDP. The cyber-security governance domain ensures that cyber-security is on the strategic risk management agenda. Cyber-security affects municipal business continuity, which is a strategic priority. Cyber-security governance ensures that there are adequate resources to drive the implementation of the cyber-security programme by the integrated development cyber-security structure. Aligning cyber-security to the municipal IDP elevates the cyber-security agenda in the municipality, and therefore secures the buy-in from executive management needed to commit resources for cyber-security activities. Amongst the other important roles of the cyber-security domain is setting up the oversight structures that can hold management at all levels accountable for the control deficiencies in cyber-security and the information infrastructure environment. The cyber-security governance domain sets the cyber-security culture through the resources that drive the agenda of the information infrastructure protection against cyber-security threats.

The functions of the cyber-security technical operations domain take place in the various business units that are operating or working on information infrastructures. This category aligns the duties of pertinent employees to the cyber-security policy. The business units buy the information infrastructures with the intention of achieving their business objectives. The technical functioning of the controls implemented to secure the information infrastructure takes place in this domain. For example, the Finance unit implements a revenue management system to collect revenue from customers such as ratepayers, and for other municipal services that are paid for by the citizens. Access control to the revenue systems is implemented by the integrated development cyber-security domain, but monitored by the Finance unit. It is the cyber-security technical operations domain that determines whether the cyber-security controls that have been implemented are assisting the business unit to achieve the business objectives.

It is this domain that determines the risk appetite when it comes to information infrastructure protection. Cyber-security risk appetite determines how the integrated development cyber-security should drive the cyber-security programme for various information infrastructures.

The business units employ people to use the information infrastructure in pursuit of business objectives. Technology can be implemented, but without people to operate it, it will not achieve the intended objectives. People who are employed within the business are the first line of defence for securing the information infrastructures. Employees’ knowledge, behaviour, and attitudes play an essential role in securing the information infrastructure against cyber-security threats. Business units employ people with minimum requirements to perform their duties while operating the information infrastructures. Due to the pace of change in the cyber-security environment and the information infrastructure environment, employees need to constantly keep pace with the innovation in these areas. Therefore, in order to address employees’ issues in dealing with cyber-security, the human issues in the cyber-security domain are regarded as key issues.

The human issues in the cyber-security category involve individual employees that operate the information infrastructure in the municipality. The cyber-security governance domain sets the legislative and regulatory framework that includes, amongst others, the Labour Relations Act. The Municipal Systems Act requires the municipality to implement performance management systems. There is varied legislation that regulates how employees must be engaged and treated in the municipality. Within the ambits of the regulatory framework, human issues in the cyber-security category relate to ensuring that users are trained to work on the information infrastructure so as to minimise the opportunity to commit errors when conducting their duties. This category ensures that employees/users, through the cyber-security awareness programme, are continuously made aware of the current trends of cyber-security threats and their impact on the information infrastructures that employees/users operate. The integrated development cyber-security domain drives the implementation of these cyber-security training and awareness programmes. It is for this reason that the integrated development cyber-security core category is the main driver to successfully implement cyber-security in the municipality. The integrated development cyber-security structure implements, facilitates, and co-ordinates the activities of the cyber-security programme.

5.6. INTEGRATED DEVELOPMENT CYBER-SECURITY THEORY (IDCT)