Do you know what data you hold and how secure it is?
Do you know what data you hold? Do you know that not all data is equal, and that organisations need to understand the different types of data they hold and the specific requirements attached to each? If not, according to Nerushka Bowan, you may be falling foul of certain legal and regulatory requirements, or spending money securing data that does not need it. Her presentation looks at some of the considerations, legal and regulatory among them, that every organisation holding data should weigh when deciding where to store which data.
ITWeb Events: What are the three most important aspects of the current legal framework that need to be remembered when managing a data centre?
Bowan: Firstly, data security - taking steps to mitigate against the risk of unauthorised access to information by third parties (including physical access). This is especially important in industries that have client confidentiality obligations, for example, financial services, legal and healthcare.
Secondly, database management - there must be processes in place to ensure that information is kept accurate and up to date, and is not kept for longer than you are legally allowed to keep it. Old databases of information are an unnecessary risk and should be deleted, and then destroyed when possible.
And lastly, backup and disaster recovery - incidents of cyber extortion are on the rise. Companies regularly face intrusions where malware is placed on a server and data on that server becomes encrypted and inaccessible until a ransom in Bitcoin is paid to the anonymous cybercriminals.
If there are regular backups being made to a secure alternate data centre, companies will not be tempted to pay these ransom amounts as they will be able to restore their systems from the latest backup. There is also no guarantee of data recovery when payment is made and it also encourages the cybercriminals to continue extorting Bitcoin in this manner.
ITWeb Events: Where does POPIA fit in, if in fact it does, to the data centre environment?
Bowan: The Protection of Personal Information Act (POPIA) is about protecting personal information. These days most of our information is stored in a data format (as opposed to physical). It could be on our mobile devices, computers, hard drives and in our data centres.
The term 'personal information' is given a very wide meaning in the Act, and many categories of information fall within its protection. Personal information includes any information that can identify a living person or an existing juristic person (i.e. a company), for example, names, contact details, employment history, personal opinions and health information. Most categories of information stored in a data centre would need to be processed in accordance with the requirements of POPIA.
Processing is also given a very wide meaning and includes almost anything you do with information, including receiving, sharing, storing and even destroying information.
It also prescribes certain data security standards that need to be met to protect personal information: data centres would need to be audited to ensure an adequate level of security and any unauthorised access to the information in a data centre would also need to be reported to the Information Regulator for investigation.
ITWeb Events: What other pieces of legislation/regulation are valid in this environment?
Bowan: The Cybercrimes and Cybersecurity Bill; certain financial regulations if you are in a financial services environment; and global data protection regulations if you operate in a cross-border environment.
ITWeb Events: How has the cloud affected the data centre and the security of the data held in it?
Bowan: Your agreement with your cloud provider amounts to an operator agreement and POPIA requires certain clauses to be inserted into this agreement, especially around data security. You need to contractually ensure that the cloud provider is taking all the steps that you would have taken to protect the information, including notifying you when the data has been accessed by unauthorised third parties. In the Regulator's eyes, you will always remain responsible for the protection of personal information, even where you have outsourced the storage of that information to a cloud provider, and could be liable to investigations and administrative fines of up to R10 million.