While many of the headlines about information security failures involve cyber-related technology threats, the range of scenarios in which personal information can be lost is much broader than that. No wonder then that condition 7 (“Security Safeguards”) of the Protection of Personal Information Act (POPIA) requires responsible parties to take “appropriate, reasonable technical and organisational measures” to prevent “loss of, damage to or unauthorised destruction” of personal information and “unlawful access to or processing” of it. How? By taking “reasonable measures” to do four things, each of which is explored in more detail in this article:
- Identify reasonably foreseeable internal and external risks
- Establish and maintain appropriate safeguards against these risks
- Regularly verify that the safeguards are effectively implemented
- Ensure the safeguards are continually updated in response to new risks or previously identified deficiencies
Identify risks
Whether risks are identified as part of a broad Enterprise Risk Management framework (such as that from www.coso.org) or through a narrower focus on POPIA compliance, you should have a formal, structured approach, and it will typically take a team effort to apply it. Risks may be found in the physical security environment, such as access control to business premises, theft or loss of digital devices, and accidental or intentional disclosure or theft of personal information. Technology risks cover a wide range of possibilities, including ransomware attacks by cyber criminals, corruption or loss of data through malware, hacking of your network or of individual devices, phishing, spoofing and other techniques (see www.whatis.com for a useful set of definitions of these terms). Identifying a risk is not enough: each risk needs to be assessed for its potential impact (damage) and likelihood (probability) so that informed, prioritised decisions can be made about what preventive and remedial action to take, and those assessments should be recorded so that the reasoning can be revisited later. Importantly, the POPIA puts the emphasis on “prevent”, suggesting that a failure to put appropriate measures in place will be viewed with little sympathy by the new Information Regulator (South Africa), the IRSA (see http://www.justice.gov.za/inforeg/ for more on the IRSA), should a “security compromise” (as discussed in section 22 of the POPIA) occur. In other jurisdictions this is commonly called a data breach.
Establish and maintain safeguards
Once informed decisions have been made about how to address the risks identified, appropriate safeguards can be implemented. In line with the risk profile, these may include physical access control and restraints (including “locking down” vulnerable information); technical measures aimed at both accidental and malicious cyber threats (such as data loss prevention and endpoint protection systems); training of staff to raise awareness of the threats and of the appropriate prevention measures; policy amendments or updates as part of an effective governance regime; and an ongoing commitment to maintain these safeguards. The more ambitious and mature your programme becomes, the more likely you are to be able to gain recognition for your efforts, for example through certification against international standards such as the ISO/IEC 27000 family (see https://www.iso.org/isoiec-27001-information-security.html).
Regularly verify the safeguards
Verification steps can be as simple as conducting a “clean desk” sweep to check that staff behaviour conforms to the approved policy for personal information protection, or more sophisticated, such as simulated attacks (penetration testing and simulated phishing campaigns) and checks conducted by internal and external auditors or verification agencies. The point is to test that the safeguards are effective in practice, not merely that they exist on paper. It is important to keep records of this verification process, such as training records and audit logs, as these will help to satisfy interested stakeholders (such as the IRSA, the media, customers and governing bodies) that compliance can be demonstrated and that appropriate actions have been taken. Other monitoring records, such as incident logs and error reports, also play their part here.
Continually update the safeguards
Threats to information security evolve continually, in step with the technologies themselves. Do you remember a time before flash drives (USB memory sticks)? Back then the risk of losing a 16 GB stick the size of your thumbnail simply did not exist; now it is an obvious risk that needs to be addressed through prevention measures as varied as encrypting the device or the data on it (note that encrypting a laptop’s own disk does nothing to protect a removable stick copied from it), policies and staff training, and even technically disabling the use of removable media. Another example of evolving threats is the wide use of BYOD (Bring Your Own Device) in the workplace, and the challenge of securing personal information for which the organisation is responsible across a multiplicity of smartphones, tablets and other personally owned devices. As the use of cloud computing expands, so the adoption of newer standards such as ISO/IEC 27018 (a code of practice for protecting personal information in public clouds) will become more widely demanded and delivered.
The steps you take to secure personal information should be reflected in your POPIA-compliant privacy notice and in your Promotion of Access to Information Act (PAIA) manual, if you are required to have one. As always, you can contact me at email@example.com with particular queries about the POPIA.
Acknowledgement: This is a revised version of the article that previously appeared in the April 2017 edition of My Office Magazine under the title “Use it, don’t lose it: security and the POPI Act”. Reproduced here with the permission of the author.
Copyright © IACT-Africa 2016 -
Author and contact details:
Dr Peter Tobin, BA(Hons), MBA, DPhil, CGEIT, PMIITPSA, PMP, is a Senior Consultant with IACT-Africa. For more information please email: firstname.lastname@example.org