POPI won't spare govt departments
The Protection of Personal Information (POPI) Act will not spare government departments, which must ensure that citizen information is secure.
That was the word from Ugan Naidoo, MD for security at CA Southern Africa, speaking during the CA IT Management Symposium at Vodaworld yesterday.
The POPI Act was signed into law by president Jacob Zuma in November last year, but a commencement date is yet to be announced. First mooted back in 2005, POPI is SA's first consolidated piece of legislation detailing how companies must deal with people's - and entities' - information. It brings the country in line with international laws on privacy.
Naidoo pointed out that government - as the biggest service provider and employer - needs to ensure security with regard to the processing and handling of personal information.
"Citizen information, in most instances, is personal information," said Naidoo. "The maximum penalty for contravening the POPI Act is a R10 million fine or 10 years in prison; and government is not exempt from this."
Thus, he noted, protecting citizen information is an imperative, more now than ever before.
"Government's responsibility is to ensure that citizen information is not inappropriately accessed, copied and disseminated between government departments and external organisations," he stressed.
According to Naidoo, the key issues in government affecting citizen information include securely managing BYOD and teleworking; reducing costs by improving delivery of government apps/services; embracing new routes to government information through APIs; engaging citizens more fully across Web and mobile; as well as securely consuming and providing services from the cloud.
To ensure that citizens' personal information is secure, Naidoo suggested that government must restrict access to citizen information to certain roles within the organisation.
Government must also attest and certify these access levels on a periodic basis, resulting in better monitoring of what users are doing, he added.
It is also critical to manage orphaned accounts, as these can be targeted and used to access information, said Naidoo, adding that it is also essential to terminate user access once the user has left.
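As an added illustration of the periodic access attestation and orphaned-account checks Naidoo describes (example code written for this page, not from the article or from CA Southern Africa; the HR roster, account names and role names are constructed), a small review that compares an identity-store export against the HR roster and a least-privilege role mapping:

```python
# Constructed sample data (hypothetical): an HR roster and an export of
# accounts with the roles they currently hold on a citizen-records system.
HR_ROSTER = {
    "t.mokoena": {"job": "clerk", "active": True},
    "a.pillay": {"job": "supervisor", "active": True},
    "j.botha": {"job": "clerk", "active": False},  # has left the department
}

ACCOUNTS = [
    {"user": "t.mokoena", "roles": {"citizen-record-read", "citizen-record-export"}},
    {"user": "a.pillay", "roles": {"citizen-record-read", "citizen-record-export"}},
    {"user": "j.botha", "roles": {"citizen-record-read"}},
    {"user": "svc-legacy", "roles": {"citizen-record-export"}},  # no owner in HR
]

# Roles each job function is permitted to hold (the "certain roles" restriction).
ALLOWED_ROLES = {
    "clerk": {"citizen-record-read"},
    "supervisor": {"citizen-record-read", "citizen-record-export"},
}


def review_access(accounts, roster, allowed):
    """Return (user, status, roles) findings for a periodic attestation run.

    status is one of:
      orphaned    - no active person in HR owns the account (leaver or unowned)
      excess-role - the person is active but holds roles beyond their job's set
      attested    - the access matches the job's allowed roles
    """
    findings = []
    for acct in accounts:
        user = acct["user"]
        person = roster.get(user)
        if person is None or not person["active"]:
            findings.append((user, "orphaned", sorted(acct["roles"])))
            continue
        excess = acct["roles"] - allowed.get(person["job"], set())
        if excess:
            findings.append((user, "excess-role", sorted(excess)))
        else:
            findings.append((user, "attested", sorted(acct["roles"])))
    return findings


def accounts_to_disable(findings):
    """Orphaned accounts are the ones to terminate immediately."""
    return [user for user, status, _ in findings if status == "orphaned"]


if __name__ == "__main__":
    for finding in review_access(ACCOUNTS, HR_ROSTER, ALLOWED_ROLES):
        print(finding)
```

Run against a real identity-store export, the "excess-role" findings go to the role owner for recertification and the "orphaned" list feeds the deprovisioning step.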
Describing the technology building blocks for protecting citizen information, Naidoo pointed out that government must also secure citizen login and critical internal systems using strong authentication. A single strong authentication into the environment, instead of multiple weak entry points into government networks, is also vital, he noted.
Government must also manage what users can do with the information they access, from desktops to tablets and smartphones, he urged.
He is of the view that government must move away from the "security of no" stance, whereby it controls users, thereby limiting the effectiveness of government operations. Security must control access and enable workforce productivity by knowing users, patterns, and needs, he noted.