Best practice tips for strengthening your data privacy system: 

Real-time visibility hits manufacturing’s big time
14th Sep 2023
First aid training becomes more accessible to South Africans thanks to new learning project
18th Sep 2023

Best practice tips for strengthening your data privacy system: 

Standardisation expert provides insight that could go a long way in driving efficacy as cybercriminals target South African organisations

Johannesburg, 19 September 2023 – South Africa has become a fertile hunting ground for international cybercriminals.

Research by security company Kaspersky indicates that more than half of South African companies were targeted in the past year while spyware attacks increased by 18.8% between the last quarter of 2022 and first quarter of 2023. In respect of the latter, it is mostly government systems that are under siege.

Phishing, business e-mail “spoofing” and malware attacks are among the most common cybercrimes, though Internet of Things vulnerabilities are increasingly being exploited as well. Unsecured smart devices often do not have adequate protective controls in place to detect, isolate and mitigate these cyber onslaughts.

According to Kgotso Masenya, Head of Information Technology at World Wide Industrial and Systems Engineers (WWISE), it has become crucial for organisations to build secure data privacy systems able to mitigate any possible attack.

Masenya has compiled a checklist of requirements for such systems. This includes:

  • Compliance with regulations: The company should comply with any applicable data privacy laws, such as POPIA in South Africa.
  • Data inventory and classification: A company’s data should be broken down into categories based on significance and sensitivity.
  • Access control: Access restrictions need to be put in place to guarantee that only people with permission may access sensitive information.
  • Encryption: Encryption safeguards data both at rest and while it is being sent
  • Data lifespan management: A plan for managing data throughout its lifespan, including rules for data destruction and retention.
  • Secure data storage: Use of compliant and secure data storage options for data to protect against known vulnerabilities.
  • Data masking and anonymisation: Anonymise or pseudonymise sensitive data wherever it is practical.
  • Data transfer security: Secure data transmissions are made possible by employing encryption protocols like SSL/TLS. Secure communication routes should be used, especially when sharing data with other parties.
  • Audit trails and monitoring: Implement reliable auditing and monitoring mechanisms to keep track of data access and modifications.
  • Incident response plan: Develop a thorough incident response strategy to deal with data breaches or privacy problems right away.
  • Regular security audits and penetration testing: Periodic security audits and penetration testing.

A further course of action, Masenya says, is the implementation of ISO/IEC 27001:2022, a standard developed by the International Organisation for Standardisation (ISO).

The tool speaks directly to information security, cybersecurity and privacy in terms of information security management systems.

“This standard gives an organisation the ability to implement a framework of controls that ensures there are sufficient redundancies and guidelines to conform to a school of international guidelines/standards that embodies governance, statutory and regulatory requirements, and cyber and information security,” Masenya says.

Enlisting the services of the right ISO specialist is just as important as the implementation itself, and companies should always look at aspects like reputation and experience, competence, conformance to industry standards and laws, proof of concept and the quality of gap analysis reports.

“Once implemented, the key people in managing the data privacy system are usually your chief information security officer, data protection officer, chief information officer, IT department and data owners and custodians,” Masenya says.

“What you want from them is to explain the importance of privacy and data management obligations and emphasise how crucial it is to follow data protection rules. They should also provide guidance on impact analyses, and act as a point of contact for data subjects.”

In addition, staffers in these positions should be responsible for implementing access restrictions, encryption and other strong security measures, he adds.

ENDS
Word Count: 575

About WWISE

Launched in 2009, Centurion-headquartered WWISE employs 35 fulltime consultants who specialise in more than 40 industries, both locally and abroad, training, and implementing ISO standards and programmes for a broad range of small, medium and large-scale business and organisations. The company has a solid local and international client base, with 590 clients in 16 countries, implementing more than 30 standards and achieving a 100% record when clients are certified. Its training programmes are accredited with SETA and various international bodies, and it offers an e-Learning portal through which 12 000 people in 40 countries have been trained so far.

The 70-year-old International Organization for Standardization (ISO) is an independent, non-governmental international body that develops business management standards to ensure the quality, safety and efficiency of products, services and systems across a multitude of industries. It aims to uphold consistency and quality in an increasingly globalised marketplace.

Comments are closed.