Security Safeguards – an essential part of compliance
Security Safeguards are an essential part of compliance. The majority of privacy and data protection laws, including POPIA and the EU GDPR, incorporate requirements for protecting the personal information under the control of organisations. These requirements are neither prescriptive nor detailed, which raises the question: what is security, and which security safeguards are required?
Security safeguards are not only an essential part of privacy and data protection compliance; they are also an essential capability in every organisation today. This raises a further question: what are security safeguards in terms of POPIA?
POPIA requires all organisations to secure the integrity and confidentiality of personal information in their possession or under their control by taking appropriate, reasonable technical and organisational measures to prevent:
- The loss of, damage to or unauthorised destruction of personal information; and
- The unlawful access to or processing of personal information
This raises a further question: what are appropriate, reasonable technical and organisational measures? POPIA requires organisations to identify all reasonably foreseeable risks to personal information and to establish measures to reduce and manage the identified risks. POPIA further requires organisations to have due regard to generally accepted information security practices and procedures.
In light of the above, organisations should consider the following in order to address these requirements:
- A personal information risk assessment should be conducted;
- A suitable generally accepted information security practice, i.e. one based on recognised standards and frameworks for information security and cyber security, should be identified.
Information Security Risk Assessment and Management
As already mentioned, Condition 7 in POPIA requires organisations to do the following:
- Section 19: The Responsible Party must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent—
(a) loss of, damage to or unauthorised destruction of personal information; and
(b) unlawful access to or processing of personal information.
In order to give effect to subsection (1), the responsible party must take reasonable measures to—
(a) identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control.
More importantly, section 109(3)(g) of POPIA indicates that where there is no evidence of risk assessments having been conducted and no evidence of risk treatment practices being in place, fines will be higher than where such practices are in place.
Our risk assessment tools and experienced consultants will help you conduct an appropriate personal information risk assessment for your organisation.
Implementing Security Measures
Once you have identified your risks, it is important to implement appropriate security measures that are in line with generally accepted practices. Popular standards and frameworks include:
- UK ICO SME Security Assessment (suitable for small to medium sized organisations);
- NIST Cybersecurity Framework Assessment (suitable for medium to large organisations);
- ISO 27001 and 27002 (suitable for organisations that need to demonstrate their commitment to information security practices to stakeholders, with optional certification).
Security Assessment Services
We offer security assessment services for all of the above using our comprehensive assessment tools and the services of our experienced consultants.
The assessment tools enable the state of alignment with each requirement in the chosen framework to be identified. Shortfalls can then be identified, and remediation tasks, together with the responsibilities for completing them, can be defined.
In addition to the framework and standards based assessments, we also offer technical assessments such as penetration tests and operational infrastructure scans.
Security Measures
Privacy and data protection laws require organisations to implement appropriate, reasonable organisational and technical measures. These include:
Organisational Measures
Typical organisational measures include:
- Roles and responsibilities for security management
- Policies, procedures and contracts which guide the operational aspects of security
- Management processes, e.g. risk management and vulnerability management processes
Technical Measures
Typical technical measures include:
- Technology solutions such as firewalls, antivirus, antimalware, file encryption and data loss prevention solutions
- Operational monitoring of the environment including intrusion detection systems.
Security Measures Services
We offer security measures planning and monitoring services for the following:
Organisational Measures
Organisational Measures services include the following:
- Developing a Security strategy with your security management team.
- Developing a Security plan based on the agreed strategy.
- Where we have provided assessment services to you, we will build on the outputs from those assessments.
- Provision of guidance for implementing the Security plan.
Technical Measures
Technical Measures services include the following:
- Technology solutions such as firewalls, antivirus, antimalware, file encryption and data loss prevention solutions
- Operational monitoring of the environment including intrusion detection systems.
Please contact us for more information about the products and services we offer for addressing Security Safeguards.