A Framework for the Comparison of Best Practice Recommendations and Legal Requirements for South African Banks

South African home users of the Internet use it to perform various everyday functions. These functions include, but are not limited to, online shopping, online gaming, social networking and online banking. Home users of online banking face multiple threats, such as phishing and social engineering. These threats come from hackers attempting to obtain confidential information, such as online banking authentication credentials, from home users. It is, thus, essential that home users of online banking be made aware of these threats, how to identify them and what countermeasures to implement to protect themselves from hackers. In this respect, information security awareness (ISA) programmes are an effective way of making the home users of online banking aware of both the threats they face and the countermeasures available to protect themselves from these threats. South African banks have to comply with certain legal requirements when implementing information security awareness initiatives. Noncompliance or failure to demonstrate due care and due diligence, should a security incident occur, will result in financial penalties for the bank as well as possible brand damage and loss of customers. Banks implement international best practice recommendations in an effort to comply with legislation. These include recommendations for information security awareness. This research proposes a framework which, predominantly, can be applied when determining and comparing information security best practice recommendations and information security legal requirements for online banking. The primarily aim of this paper is to investigate whether the implementation of best practices are sufficient to comply with legal requirements. A selected list of information security best practices was investigated for best practice recommendations while a selected list of information security legislation was also investigated for legal requirements imposed on South African banks. A gap analysis was performed on both these recommendations and requirements to determine whether the implementation of best practice recommendations results in compliance with legal requirements. The gap analysis found that the implementation of best practice recommendations does not result in compliance with legal requirements. Accordingly, the outcome of this research highlights the importance of applying such a framework in a comprehensive fashion to understand the legal requirements imposed and ensure that adequate controls are in place for achieving compliance.