The Protection of Personal Information (POPI) Act will soon be enacted into South African law, and the latest draft has already been passed by the National Assembly.
However, many large organisations are not attending to some of the basics of information security, such as applying operating system security patches.
The reason companies are struggling with operating system security patching may be linked to bandwidth, says sustainableIT director, Tim James.
"Security patching, updates and even software deployments are very difficult and often impossible in branch office environments," James explains.
"Large retailers and financial services companies that have significant branch networks are impacted the most, often running on very little bandwidth. Unfortunately, these are the same organisations that hold the personal and financial information that the Act is trying to protect," James continues.
He adds that, although it is unclear when POPI will be promulgated, its arrival is inevitable and companies should particularly take note of Condition 7, relating to security safeguards.
The condition states that "a responsible party must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent a) the loss of, damage to or unauthorised destruction of personal information; and b) unlawful access to or processing of personal information".
"The net result is that systems management traffic, the 'stuff' that gets security updates and the like down to branch offices, is either de-prioritised or not catered for at all. This means updates don't happen and point-of-sale, tellers and back-office devices are not patched with the latest security updates," James explains.
"Forget the POPI Act, this is hardly acceptable, even without legislation. It is the elephant in the corner that has been avoided for far too long in many IT departments," he says.
James explains that POPI calls on responsible parties to identify all reasonably foreseeable internal and external risks to personal information in its possession, to establish and maintain appropriate safeguards against these risks, and to ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.
"This means that, if the operating system security is not updated on a continual basis, you are not compliant," James cautions.
"For companies that are found non-compliant, fines can be levied of up to R10 million - which does not preclude civil damages running into millions, as well as the associated reputation risk and the impacts thereof. Any individual convicted of an offence under this Act could face a jail term of 10 years. It makes sense to avoid this by any means necessary," he continues.
James explains that companies that have invested in Microsoft System Center Configuration Manager (SCCM) can become compliant almost immediately with a simple add-on.
"Programs such as Nomad Enterprise from 1E can be used very effectively. SCCM's native deployment technology (BITS) is not very bandwidth friendly and hence patching is often turned off to remote locations. Nomad replaces BITS as a content provider and is bandwidth friendly, constantly backing off to business traffic to ensure that business operations are not affected," he explains.
"The key point here is that Nomad continually uses spare and available bandwidth to ensure that the business can get what it needs down to its branch sites as quickly as possible without any impact on the business. This is not possible with incumbent toolsets."
James cautions that the POPI Act is going to place tremendous pressure on IT departments from a compliance perspective. There have been many false starts with this legislation, but companies will have only one year to comply once it is promulgated, and the financial consequences and reputational risk could be dire.
"The time to act is now," James concludes.