This month Law No. 12.846, signed on August 1, 2013 by President Dilma Rousseff and known as the Anti-Corruption Law, comes into force. An organization involved in a corruption proceeding will need a sound organizational process for information security to limit its problems, whether it is guilty or not.
Every activity of an organization that uses information, whether in the computing environment or in the conventional (paper) environment, must have appropriate controls to protect that information. The 2013 version of NBR ISO/IEC 27002 defines 114 basic controls as the foundation of information security.
Based on Law 12.846, I would highlight three items that clearly indicate (for those willing to hear it) the need for information security controls. Let's see:
a) Art. 3 – the liability of the legal entity does not exclude the individual liability of its directors or managers, or of any natural person who is the author, co-author or participant in the unlawful act (tort).
The innovation of this law is the possibility of penalizing the legal entity. However, this third article makes clear that this does not exclude individual liability. To have a record of each individual's actions and use of information, the organization needs:
- individual, non-transferable identification;
- user authentication that ensures the user really is who they claim to be;
- a record of what the user did with the information, with the information systems and with the information resources;
- authorization of the use of the information, granted by another user who has the authority and responsibility for that authorization;
- retention of these records so that what was done can be audited.
b) Art. 5, I – promising, offering or giving, directly or indirectly, an undue advantage to a public agent or to a person related to him (harmful act).
E-mail is heavily used for communication between people, and in an investigation this service will certainly be analyzed. The organization needs e-mail usage policies: individual use, defined retention of messages, and clear responsibilities communicated to users. In some organizations it is common (and never recommended from a security standpoint) to use e-mail accounts whose ID is a job position rather than a person. This simplifies some procedures, but it complicates accountability and requires more complicated rules for the use of e-mail in those situations.
c) Art. 5, V – obstructing the investigative activity of supervisory bodies, entities or public agents (harmful act).
If an investigative body asks the organization for the audit trail of access to its systems, or of the use of tools such as e-mail, and the organization has not recorded and retained those audit records with individual IDs and the other controls, the judiciary may interpret this as an obstacle to the investigation. Not having these copies and the other information security controls required by NBR ISO/IEC 27002 could lead to a judicial decision unfavorable to the organization, and to its name being placed on the blacklist of organizations that engage in corruption.
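The controls listed under item a) (individual IDs, recorded authorization, a record of what each user did, retention for audit) and the audit trail an investigator may request under item c) can be illustrated with a small, tamper-evident audit log. The code below is an added example and is not part of the original article or of any standard or product; it assumes that the user ID handed to it has already been authenticated by the organization's identity provider (a hypothetical upstream step) and that the log server, not the users, holds the HMAC key.

```python
"""Constructed example: an accountable, append-only audit trail.

Each entry names the individual who acted, the action and the resource, and is
chained to the previous entry with an HMAC so that a later edit or removal of a
middle entry is detected on verification.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # chain anchor for the first entry


class AuditTrail:
    def __init__(self, key: bytes, authorizers: set, clock=None):
        self._key = key                        # kept by the log server only
        self._authorizers = set(authorizers)   # IDs with authority to grant access
        self._grants = set()                   # (user_id, resource) pairs granted
        self._entries = []
        self._clock = clock or (lambda: datetime.now(timezone.utc).isoformat())

    def _tag(self, body: dict) -> str:
        # Canonical JSON so the same body always yields the same tag
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._key, canonical, hashlib.sha256).hexdigest()

    def _append(self, user_id: str, action: str, resource: str, **extra) -> dict:
        prev = self._entries[-1]["tag"] if self._entries else GENESIS
        body = {"seq": len(self._entries), "ts": self._clock(), "user": user_id,
                "action": action, "resource": resource, "prev": prev, **extra}
        entry = dict(body, tag=self._tag(body))
        self._entries.append(entry)
        return entry

    def authorize(self, grantor: str, grantee: str, resource: str) -> dict:
        """Only a user with authority may grant access; the grant is recorded
        under the grantor's own ID, so responsibility for it is traceable."""
        if grantor not in self._authorizers:
            raise PermissionError(f"{grantor} has no authority to grant access")
        self._grants.add((grantee, resource))
        return self._append(grantor, "authorize", resource, grantee=grantee)

    def use(self, user_id: str, action: str, resource: str) -> dict:
        """Record a use of information. A refused attempt is recorded too,
        because it is part of what the individual did."""
        if (user_id, resource) not in self._grants:
            self._append(user_id, "denied:" + action, resource)
            raise PermissionError(f"{user_id} is not authorized for {resource}")
        return self._append(user_id, action, resource)

    def verify(self, expected_last_tag: str = None) -> bool:
        """Recompute every tag along the chain. Passing the last tag that was
        stored out of band also detects truncation of the tail."""
        prev = GENESIS
        for i, entry in enumerate(self._entries):
            body = {k: v for k, v in entry.items() if k != "tag"}
            if body["seq"] != i or body["prev"] != prev:
                return False
            if not hmac.compare_digest(self._tag(body), entry["tag"]):
                return False
            prev = entry["tag"]
        return expected_last_tag is None or prev == expected_last_tag

    def trail_for(self, user_id: str) -> list:
        """What an investigator would ask for: one individual's actions."""
        return [e for e in self._entries if e["user"] == user_id]


def demo() -> dict:
    # Constructed IDs and resource names, fixed clock for repeatability
    log = AuditTrail(b"server-held-key", {"manager.maria"},
                     clock=lambda: "2014-01-29T10:00:00+00:00")
    log.authorize("manager.maria", "analyst.joao", "contracts/2013")
    log.use("analyst.joao", "read", "contracts/2013")
    try:
        log.use("analyst.pedro", "read", "contracts/2013")
    except PermissionError:
        pass
    last_tag = log._entries[-1]["tag"]          # copy kept outside the log
    intact = log.verify(last_tag)
    joao = len(log.trail_for("analyst.joao"))
    pedro_denied = log.trail_for("analyst.pedro")[0]["action"]
    log._entries[1]["user"] = "analyst.pedro"   # simulated after-the-fact edit
    return {"intact": intact, "after_edit": log.verify(last_tag),
            "joao_actions": joao, "pedro_first": pedro_denied}


if __name__ == "__main__":
    print(demo())
```

The chain only proves that entries were not altered or removed from the middle; a log that is simply cut short still verifies, which is why `verify` accepts the last tag stored somewhere the log server cannot rewrite (a separate system, or a periodically printed and signed record). Authentication itself is deliberately outside this code: the value of every entry depends on `user_id` being an individual, non-transferable identity established before the call.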
These three items of the law are the most explicit in relation to information security controls. But certainly an organization that follows the international standards accepted in Brazil for information security will be better placed in a possible problem on this topic or in other similar situations.
By Prof. Ms. Edison Fontes, CISM, CISA, CRISC
Consultant in Information Security, Risk Management and Business Continuity.
Author of five books on the topic of information security.
Free translation by Google Translate