by Cornelis Molenaar, AVeS Cyber Security
Information officers (IOs) and IT managers are urged to comply with the provisions of the Protection of Personal Information Act (POPIA), which was signed into law in 2013.
The warnings come in the wake of the Department of Justice and Constitutional Development receiving a hefty R5-million fine from the Information Regulator for failing to ramp up its cyber security following a 2021 ransomware attack involving personal information records. The fine was levied after the department failed to respond to the notice within the 31 days provided by the Regulator to implement the recommended corrective actions.
There is a misconception that POPIA is just a tick-box exercise. Unfortunately, this is a huge mistake, because proper compliance requires best-practice measures such as regular verification of your information security controls. For example, a minimum requirement would be a yearly assessment to ascertain whether the controls that are in place are actually effective and whether they can be improved upon.
Constant verification and updating are critical as new threats evolve and new technologies are developed. There is a constant need to reconsider the risks identified and carry out a proper review. Compliance is a journey, not a checklist. The Information Regulator’s latest action sets the tone for future notices and even fines. It is clear the regulator has teeth and is willing to use its powers to enforce compliance to protect personal information.
Any company concerned about its POPIA compliance status is urged to contact a leading solutions provider like AVeS Cyber Security to conduct a cyber security posture assessment. The assessment will examine the procedures in place that enable the IO to deal with any requests from the Information Regulator, and the timeframe within which such a response must be made.
Our framework already has all of the required processes built into it, giving our clients the assurance that their cyber security posture is fully compliant. It implies a certain level of cyber security alertness and readiness to deal proactively with any incidents. But what about those companies that do not as yet have any measures in place?
The cyber security posture assessment is the first step: it checks that you have everything in place, and the results can then be compared against the POPIA compliance assessment. Once you know your gaps, you know which priorities to resolve. We offer a host of remediation services that can be customised. We can baseline any steps already taken and then improve upon them. Otherwise, if no steps have been taken, we can assist you on your journey from scratch.
The most important thing to remember is that continuously monitoring your cyber security environment is a mandatory security measure and a legislative obligation. This is clarified in POPIA Section 19 ‘Security measures on integrity and confidentiality of personal information’, paragraphs 1 and 2.
Any private company or public body that needs to comply with POPIA must implement controls and continuously monitor for risks and threats to both personal and confidential data in general.
We recommend a comprehensive, robust information security governance and technology strategy that includes raising awareness and providing proper training. Failure to do so can result in a fine of up to R10-million.