“You can be held personally liable if you do not have information security in your company. While the buck stops at the board, before the director loses his holiday home he is going to fire you,” warns Verine Etsebeth, lecturer at Wits Law School.
Etsebeth was speaking at the ITWeb IT Governance, Risk and Compliance event held at the Forum in Bryanston this week.
Discussing information security governance in the corporate environment, Etsebeth identified the components of information security as physical security, technological security, and procedural security.
Physical security involves company security guards, cameras, and so on, she explained, and technological security involves the deployment of security software. However, argued Etsebeth, procedural security poses the biggest threat.
“Employees are your biggest threat because they may react out of stupidity, spite, ignorance or negligence,” opined Etsebeth. “As a company, you can be held accountable for your employees' actions within the scope of their employment,” she continued.
To safeguard against these risks, Etsebeth advised companies to identify applicable legislation, safeguard corporate information assets, and implement data privacy protection.
Being proactive
The Constitution (1996 s14); the Electronic Communications and Transaction Act (2002); the Protection of Personal Information Bill (2005); the Promotion of Access to Information Act (2000); and the Regulation of Interception of Information Act (2002) are all laws that apply to information security today, offered Etsebeth. She advised companies to familiarise themselves with these laws and ensure full compliance.
In order to safeguard corporate information assets, Etsebeth explained that policies, procedures, standards, and guidelines must be in place.
“Policies should be short, concise, and to the point; they must be easy to understand and to read, enforceable, unambiguous and must not leave room for interpretation,” she advised. Etsebeth stated that policies should cover the retention of data as well as the destruction of data.
To secure the company's data privacy and protection, Etsebeth urged businesses to develop a risk management process that includes risk assessment and risk mitigation.
She also suggested that companies allocate resources to data protection and develop awareness and training around compliance. “Benchmark your efforts against those of industry leaders and monitor and maintain your compliance,” she concluded.