franciscronje.com
February 07th, 2014

Most companies, corporates and large organisations will tell you that they have a bulletproof system when it comes to IT security, or will at least lay claim to having reasonable physical and technological measures in place to protect the confidentiality, integrity and accessibility of the information under their control.

This might well be true, at least as far as it relates to their own in-house systems. But not many will tell you whether the third parties they contract with have been subjected to the same rigorous information security process.

Take, for instance, the large insurance houses. They make use of panel beaters, glass repairers and loads of other service providers that might log onto their systems, or otherwise have access to their systems for various reasons, be it invoicing, customer processing or call centre access.

The recent Target data breach (one of the biggest in recent history) is a prime example of what can go wrong when your third parties are not subjected to proper due diligence.

In a media article by ITWorld, the following was revealed:

A contractor for Target said Thursday it was also a victim of a cyberattack, supporting the retailer's (Target) claim that hackers gained entry to its network via a third party.

The contractor, Fazio Mechanical Services of Sharpsburg, Pennsylvania, issued a statement after the business was mentioned in several media reports as the possible weak link that allowed attackers to eventually steal 40 million payment card details.

"Like Target, we are a victim of a sophisticated cyberattack operation," according to a statement attributed to Fazio's president and owner, Ross E. Fazio.

The company specializes in designing and installing supermarket refrigeration systems, according to its website. A spokesman said Fazio provided refrigeration services to Target.

The company revealed it had a "data connection" with Target, which was used for submitting electronic bills, contracts and project management material.


Condition 7 of POPI clearly puts the onus on Responsible Parties (as defined in the Act).

It states that a responsible party must, in terms of a written contract between the responsible party and the operator, ensure that the operator which processes personal information for the responsible party establishes and maintains the security measures referred to in section 19.

The security measures referred to in section 19 of POPI are set out as follows:

A responsible party must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent--

(a) loss of, damage to or unauthorised destruction of personal information; and
(b) unlawful access to or processing of personal information.


One of the first things we concentrate on when conducting POPI remediation is the identification of third-party relationships.

We then subject such relationships to:

  • Proper due diligence;
  • Contractual clauses; and
  • Audit provisions.

The biggest threats to the successful protection of personal information are:

  • Lack of awareness amongst employees;
  • Disgruntled employees; and
  • Third parties.

Author

    Francis Cronje is an Information Governance specialist and provides insight from a legal and governance perspective on a wide range of topics in the Information and ICT sphere, including matters pertaining to the Protection of Personal Information (POPI) / Data Protection / Privacy, Information Security and other related topics.
