Breach notification requirements of POPIA: The importance of SIEM
A crucial aspect of the Protection of Personal Information Act (POPIA) is the notification of security compromises – unauthorised exposures of personal data – to the authorities and to the data subjects concerned. Notification of data breaches is mandated by several data protection regulations around the world – from the EU (the GDPR) to the United States (the CCPA), Brazil, the Philippines and Australia; the objective is to make organisations accountable for the protection of personal data and liable for lax data protection measures. This is why failure to comply with POPIA can result in hefty fines of up to R10 million.
What are organisations expected to do?
According to Section 22 of POPIA, which deals with notification of security compromises, organisations must immediately notify stakeholders about unauthorised accesses or acquisitions of personal data. Depending on the exact case, the notification would have to be either physically or electronically mailed to the data subject, published on the organisation’s Web site, or announced to the media. What is important to note is that the notification is not merely letting stakeholders know about the security compromise. The notification must also compile the important details of the breach, such as:
- Possible consequences or dangers that may arise from the compromise;
- Measures taken to address the breach;
- Recommendations on how data subjects can protect themselves; and
- The identity of the perpetrator who carried out the attack (if discovered).
Refer to the official page for more details. To achieve these requirements, organisations must implement technical measures – security solutions and processes – to safeguard personal data during its collection, processing and storage.
Protecting your network against breaches using security monitoring techniques
First and foremost, organisations must reduce the chance of being hit with a breach by deploying preventive security controls, such as patching their systems regularly, configuring firewall policies and whitelisting applications. However, preventive security solutions do not guarantee 100% security and organisations must be prepared to detect and mitigate security incidents that inevitably bypass preventive measures. Here is where security monitoring comes into the picture.
Monitoring your network enables you to identify an attack swiftly and at an early stage, helping you thwart the breach attempt before it’s too late. Even in the worst-case scenario of a data breach, you will be able to do damage control and gather the crucial forensic evidence that must be furnished when reporting the security compromise.
Remember, the notification of the security compromise must contain important details about the incident, including remediation measures taken. This is why network logs and security information and event management (SIEM) are crucial in light of POPIA. Here are four aspects you can start monitoring right away to boost your security:
- Data accesses and modifications: Augment this with data leak prevention measures by tracking unauthorised USB, printer and e-mail activities.
- Active Directory change auditing: Track changes made to users, computers, groups, OUs and GPOs.
- Network perimeter monitoring: Audit incoming and outbound traffic, and watch out for malicious communications.
- User activity monitoring: Keep track of actions such as logons and file accesses performed by users, especially those with privileges to access key resources. Watch out for anomalous patterns of events.
The importance of centralised monitoring
A SIEM solution can help you gain visibility into crucial security events occurring in your network. This way, you can identify a potential security incident at an early stage, quickly investigate the incident and resolve the case before it’s too late.
Consider the following use cases:
The domain privileges of an employee were escalated by adding that user to the Enterprise Admins group in Active Directory. Such an event might provide unauthorised access that may jeopardise your security systems.
Multiple failed logons occurred across several accounts during non-business hours. This could be a possible password attack.
A compromised host in your network is communicating with a callback server. Sensitive data might be getting stolen from your corporate network.
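The first two use cases above, and the Active Directory change auditing and user activity monitoring aspects listed earlier, can be expressed as correlation rules over normalised log events. The following is an added example, not code from the original article or from Log360; the event schema and the log lines are constructed for illustration, while the event IDs are the standard Windows Security log IDs (4756: member added to a security-enabled universal group; 4625: an account failed to log on).

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events in a hypothetical normalised schema (not a real
# SIEM export). Enterprise Admins is a universal group, so membership changes
# to it surface as event 4756 on the domain controller.
EVENTS = [
    {"ts": "2024-03-10T02:01:05", "id": 4625, "user": "j.smith", "src": "10.0.0.45"},
    {"ts": "2024-03-10T02:01:09", "id": 4625, "user": "a.naidoo", "src": "10.0.0.45"},
    {"ts": "2024-03-10T02:01:14", "id": 4625, "user": "p.botha", "src": "10.0.0.45"},
    {"ts": "2024-03-10T02:01:20", "id": 4625, "user": "svc_backup", "src": "10.0.0.45"},
    {"ts": "2024-03-10T09:15:00", "id": 4625, "user": "j.smith", "src": "10.0.0.12"},
    {"ts": "2024-03-10T14:30:00", "id": 4756, "actor": "helpdesk1",
     "member": "t.jones", "group": "Enterprise Admins"},
    {"ts": "2024-03-10T14:31:00", "id": 4756, "actor": "helpdesk1",
     "member": "t.jones", "group": "Finance-Share-RW"},
]

BUSINESS_HOURS = range(8, 18)          # 08:00-17:59 counts as business hours
PRIVILEGED_GROUPS = {"Enterprise Admins", "Domain Admins", "Schema Admins"}


def detect_privileged_group_changes(events):
    """Use case 1: any addition to a tier-0 AD group is alert-worthy on its own."""
    return [e for e in events
            if e["id"] == 4756 and e.get("group") in PRIVILEGED_GROUPS]


def detect_password_attack(events, window_s=300, min_accounts=3):
    """Use case 2: failed logons from one source against >= min_accounts distinct
    accounts within window_s seconds, all outside business hours."""
    by_src = defaultdict(list)
    for e in events:
        if e["id"] != 4625:
            continue
        t = datetime.fromisoformat(e["ts"])
        if t.hour not in BUSINESS_HOURS:
            by_src[e["src"]].append((t, e["user"]))
    alerts = []
    for src, fails in by_src.items():
        fails.sort()
        for i, (t0, _) in enumerate(fails):   # slide the window over each start time
            accounts = {u for t, u in fails[i:] if (t - t0).total_seconds() <= window_s}
            if len(accounts) >= min_accounts:
                alerts.append({"src": src, "start": t0.isoformat(),
                               "accounts": sorted(accounts)})
                break                          # one alert per source is enough
    return alerts
```

Running both rules over the sample yields one privileged-group alert (t.jones added to Enterprise Admins) and one password-attack alert for 10.0.0.45; the 09:15 failure from 10.0.0.12 is ignored because it falls within business hours.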
Are you in a position to tackle such cases in your organisation? Such cases must be identified and thwarted immediately. With the implementation of POPIA, now is a good time to assess your security posture and enhance your monitoring measures.
Must-have SIEM features
A SIEM solution is the ideal way to implement end-to-end security monitoring in your organisation. To help you get started, here is a list of SIEM features you must implement:
- Log aggregation: Centralise logs from servers, applications, firewalls, databases and every other important component in your network.
- Log archival: Securely store logs so that you can conduct a forensic investigation if a breach is discovered.
- Audit report generation: Schedule daily reports to review security events of interest and spot suspicious events.
- Alerting: Set up alerts for indicators of compromise to instantly spot security threats.
- File integrity monitoring: Track every change – accesses, creations, deletions, modifications and renaming of files and folders.
- Behaviour analytics: Analyse user and system behaviours to spot anomalous activities that are tell-tale signs of attacks.
- Threat intelligence: Sync up with threat intelligence feeds to detect network communications with blacklisted IPs, domains and URLs.
- Incident management: Streamline the process of investigating, managing and responding to incidents by leveraging technologies such as automated workflows.
Mitigate data breaches with ManageEngine Log360
Log360 is a comprehensive SIEM solution that can analyse logs from your entire network to help your organisation stay secure and compliant with POPIA. The solution comes with all of the above features and more!
Interested in exploring Log360?
ManageEngine is the enterprise IT management division of Zoho Corporation. 60 percent of the Fortune 500 rely on our real-time IT management tools to ensure optimal performance of their IT infrastructure, including networks, servers, applications, desktops and more.
ITR Technology has been the sole distributor of ManageEngine software in South Africa for over 19 years. With certified support engineers, a dedicated sales team and a newly constructed ManageEngine training centre, ITR Technology values making a difference in the lives of South African IT professionals.