POPIA Security Blueprint
By: Simeon Tassev, managing director and qualified security assessor at Galix
The Protection of Personal Information Act, 2013 (PoPI Act) is an important step in protecting data privacy, as it stipulates that personal information must be protected and can only be collected or handled where there’s lawful justification for doing so. In layman’s terms, POPIA governs when and how organisations collect, use, store, delete and otherwise handle personal information.
For organisations, it poses quite a daunting task, and while there is still almost a year to become compliant, it will be no easy feat. The major challenge is that POPIA requires the analysis of all personal information, where it came from and what organisations intend to do with it – meaning a massive amount of data needs to be secured and analysed.
The good news is there is already a mature standard in place that will provide organisations with tried and tested guidance on achieving POPIA compliance and securing data: the Payment Card Industry Data Security Standard (PCI DSS), which consists of 12 high-level requirements across six goals.
PCI DSS applies to all businesses that accept credit and debit cards, providing myriad standards and supporting materials such as specification frameworks, tools and measurements. Ultimately, it presents a necessary framework for developing a complete, sensitive data-security process that encompasses prevention, detection and appropriate reaction to security incidents.
PCI DSS can also enable organisations to meet POPIA compliance regulations such as vulnerability management, which is the process of systematically and continuously finding weaknesses in an entity’s payment card infrastructure system. This includes security procedures, system design, implementation, and internal controls that could be exploited to violate system security policy.
PCI DSS offers extremely specific parameters and controls; in the case of POPIA, the definition of cardholder data will fall under personal information, and security will be extended to include all this sensitive information.
The PCI DSS Self-Assessment Questionnaires also give organisations a relevant self-assessment of whether or not their customers’ data is safe and secure. The relevant questionnaires can take you one step closer to preventing data breaches and minimising liability.
Toward a secure IT environment
The reality is that many of the measures included in PCI DSS pertain to protecting IT networks and systems. Firewalls, antivirus, and security testing of systems and security policies are disciplines that can be leveraged to move all personal information into a secure environment.
The local industry already has a number of PCI DSS experts that have assisted South African companies in meeting the requirements set by the standard. These organisations are proficient and will become invaluable partners in helping organisations navigate the move towards POPIA compliance.
More about POPI Act – https://popia.co.za/