What is Information Security?
The basic components of information security are most often summed up by the so-called CIA triad: confidentiality, integrity, and availability. Let us unpack these different elements and link them to POPIA.
Confidentiality:
This principle addresses the need to protect sensitive, private information from unauthorised access.
To protect the confidentiality of your organisation’s data, you must segregate data based on the criticality of the information and set parameters to limit who can access certain types of information. This may also involve actively preventing unauthorised users from obtaining access by access control lists, role-based access control, volume/file encryption, file permissions, encryption of data in process, in transit and in storage, remote wipe capabilities, and education and training for all individuals with access to protected data.
What POPIA says about confidentiality?
A Responsible Party must take measures to prevent the unlawful access to or processing of Personal Information. Unlawful access happens when people who should not have access to Personal Information are given access due to an error or oversight, or if they gain access by evil means. [see section 19(1)(b)].
An Operator (person who processes personal information for a responsible party in terms of a contract or mandate) or anyone processing Personal Information on behalf of a Responsible Party or an Operator, must treat Personal Information which comes to their knowledge as confidential and must not disclose it [see section 20(b)].
Integrity:
This component of the CIA triad ensures the data is correct, authentic and reliable. In other words, it ensures that the data has not been tampered with and therefore can be trusted. Data must be protected while it is in use, in transit and when it is stored, regardless of whether it resides in a laptop, storage device, data center or in the cloud.
You must ensure your data is protected from both deletion and modification by an unauthorised party, and in such a way that when an authorised individual makes changes in error, those changes can be reversed.
Data integrity can be preserved through encryption, hashing, digital signature, digital certificate, intrusion detection systems, auditing, version control, authentication and access controls.
What POPIA says about integrity?
A Responsible Party must take measures to prevent damage to Personal Information [see section 19(1)(a)].
A Responsible Party must take reasonable practicable steps to ensure that the Personal Information is complete accurate, not misleading and updated where necessary. What is necessary will depend on the purpose for which the Personal Information is collected or further processed [see section 16].
Data Subjects have the right to request a Responsible Party to correct any Personal Information that is inaccurate, out of date, incomplete or misleading [see section 24(1)].
Availibility:
This principle ensures systems, applications and data are available and accessible to authorized users when they need them. Networks, systems and applications must be constantly up and running to ensure critical business processes are uninterrupted.
Availability of your data systems can be impacted by human error, hardware failure, software failure, network failure, power outages, natural disasters and cyberattacks.
Some of the methods used to ensure data and application availability include redundancy (servers, networks, applications and services), fault tolerance (hardware), regular software patching and system upgrades, maintaining backups and backup copies, and disaster recovery.
What POPIA says about availibility?
A Responsible Party must take measures to prevent the loss of or unauthorised destruction of Personal Information [see section 19(1)(a)].
Availibility of Personal Information is usually addressed by redundancy (servers, networks, applications and services), fault tolerance (hardware), regular software patching and system upgrades, maintaining backups and backup copies, and disaster recovery.
What Personal Information Responsible Parties must protect?
In this paragraph, we break down seven of the most common ways that data breaches occur.
1. Human error
Something as simple as including the wrong person in the Cc field of an email or attaching the wrong document to an email could cause a data breach.
We’re all liable to make mistakes – it’s human nature – but employees need to understand the most important elements of information security. Meanwhile, all staff, technical or not, need to familiarise themselves with the organisation’s security policies and procedures.
2. Malicious insiders
A core part of an organisation’s security practices are access controls. These limit the information that’s available to employees, ensuring that they can only access records that are relevant to their job.
Meanwhile, strict controls should be placed on highly sensitive information to ensure that only trusted, top-level employees can access the information.
Doing so reduces the risk of an employee deliberately breaching information, whether they’re doing that for personal or financial reasons.
3. Physical theft
Most discussions of security focus on digital data, but many organisations need to be equally concerned about the protection of physical records. This could be files stored on the organisation’s premises, records that employees print out or the devices on which information is stored.
With hybrid working becoming the norm, organisations must address the risks associated with employees keeping company laptops in their homes. Likewise, data breaches can occur if removeable devices or company phones are lost or stolen.
4. Ransomware
Ransomware is one of the fastest-growing threats that organisations face.
Attacks works by infecting an organisation with malware that worms through an organisation’s systems, encrypting data and forcing the victim to halt operations that require those systems.
The criminals then issue a ransom demand to the organisation, requesting a payment in exchange for the decryption key.
Cyber security experts urge victims not to pay up, because there is no guarantee that the attackers will keep their word, but many take the risk anyway – which is why ransomware attacks remain so prolific.
5. Phishing
Emails are a common part of our daily lives, making them a popular attack vector for cyber criminals.
Crooks might adopt the seemingly legitimate credentials of such organisations as insurers, banks, etc. to gain access to your personal information by encouraging you to click an unsafe link or download a malicious attachment.
6. Social Engineering
Social engineering is the art of manipulating people so they give up confidential information. The types of information these criminals are seeking can vary, but when individuals are targeted the criminals are usually trying to trick you into giving them your passwords or bank information, or access your computer to secretly install malicious software – that will give them access to your passwords and bank information as well as giving them control over your computer.
7. Data loss
Sometimes organisations just lost data. Data lost prevention is a part of business continuity management and is comprised of sets of practices and tools that prevent accidental data destruction.
You might also want to look at
Physical Security Safeguards
The goal of the physical safeguards is to create policies and procedures to help protect electronic patient information and buildings where the information is stored from natural hazards, environmental hazards, and unauthorized intrusion.
Administrative Security Safeguards
The goal is to implement administrative actions, policies, and procedures to manage security measures to protect and to manage the conduct of the organisation’s workforce in relation to the protection of that information