Jun 18 2020

Facebook sues developer over alleged data scraping abuse

Category: Data mining, data security
DISC @ 10:36 am

The lawsuit alleges that a data scraper took login credentials from about 5,500 people and then harvested phone numbers of their friends.

Source: Facebook sues developer over alleged data scraping abuse



What Is Web/Data Scrapping ? How To Scrap Large Data From A Website
httpv://www.youtube.com/watch?v=bp73TqGcY9c



Would like to know more on InfoSec Awareness…

Download a Security Risk Assessment steps paper!

Download a vCISO template

Subscribe to DISC InfoSec blog by Email



May 31 2020

How hoteliers can mitigate data breaches

Category: Data Breach, data security
DISC @ 6:45 pm

As hackers shift tactics, business owners can take steps to prevent attacks and minimize damage.

Source: How hoteliers can mitigate data breaches



The 5 Most Dangerous New Attack Techniques and How to Counter Them
httpv://www.youtube.com/watch?v=xz7IFVJf3Lk



Data Breaches: Crisis and Opportunity

Download a Security Risk Assessment Checklist paper!



May 25 2020

Hacker extorts online shops, sells databases if ransom not paid

Category: Data Breach, data security, Security Breach
DISC @ 3:05 pm

More than two dozen SQL databases stolen from online shops in various countries are being offered for sale on a public website. In total, the seller provides over 1.5 million rows of records but the damage is likely much larger.

Source: Hacker extorts online shops, sells databases if ransom not paid

More than two dozen SQL databases stolen from online shops in various countries are being offered for sale on a public website. In total, the seller provides over 1.5 million rows of records but the amount of stolen data is much larger.

The attacker breaks into insecure servers that are reachable over the public web, copies the databases, and leaves a note asking for a ransom in return for the stolen data.

Money made

Victims have 10 days to pay BTC 0.06 ($525 at current price) to a wallet provided in the ransom note; otherwise the hacker makes the database public or uses it as they please.

Hacked! What to do with an extortion email
httpv://www.youtube.com/watch?v=CQS-fSsIQbo

Bitcoin Email Blackmail Ransom Scam
httpv://www.youtube.com/watch?v=H40C7Hbpdqw




Download a CyberAware cheat sheet

Tags: hacker blackmail, hacker extortion


Dec 13 2019

Data Security Solutions for Fintech Startups

Category: data security
DISC @ 11:33 am

By Ena Kadribasic on Security

The fintech sector has brought consumers an endless stream of modern offerings that have enabled them to ditch several outdated banking and lending products.

Companies now have advanced B2B payment solutions at their fingertips, and online financial solutions have never been more convenient – largely thanks to the progress made by fintech startups.

But, despite being on the cutting edge of digital financial products, young fintech companies are at a disadvantage in a wildly important arena: data security.

With limited resources, growing compliance regulations around the world, and a constantly evolving list of increasingly dangerous cyber threats, fintech startups face a uniquely difficult uphill battle.

And, with data breaches continuing to loom as an ever-present security threat, fintech firms are turning to new and advanced approaches to data privacy.

But, first, what do we mean when we talk about data security for startups?

Source: Data Security Solutions for Fintech Startups



Tags: Data security solution, Fintech


Oct 16 2019

CyberSecurity for Digital Operations

Category: cyber security, data security
DISC @ 1:09 pm


 
This report examines the general state of security within business today, exploring the hurdles that are preventing companies from an ideal security posture and suggesting the steps that can lead to improved security in the digital economy.

As the technology industry enters the next phase of maturity, there are more questions about the implications of emerging trends operating on a global scale. Aside from their social ramifications, the heavy reliance on digital data and the sweeping collection of personal information are highlighting the critical nature of information security and privacy.

Digital Transformation: From AI and IoT to Cloud, Blockchain, and Cybersecurity | MIT PE
httpv://www.youtube.com/watch?v=NwwazhND9BA

Inside the CenturyLink Security Operations Center: Securing Your Digital Business
httpv://www.youtube.com/watch?v=_UyhYPOnNcY

The Convergence (and Divergence) of IT and OT Cyber Security




Aug 15 2019

Data Loss Prevention: Protect Yourself, Your Family, and Your Business

Category: data security, Security Awareness
DISC @ 2:30 pm


By Jasmine Dyoco

Another day, another data breach. Lately, it seems like we can’t go more than a few days without hearing about another cyber attack. Data breaches have recently occurred at health insurance providers like Anthem, banks like Capital One, and even the Equifax credit bureau. If there’s anything these recent hacks have shown us, it’s that no industry is safe.
Social Security numbers, credit cards, and passwords are just some of the types of compromised data. Given the number of recent attacks, Bloomberg reports that some cybersecurity professionals now make millions of dollars per year.
Massive amounts of information have been stolen. According to The Week, “virtually everyone in the U.S. has been affected by a data breach in some way — even those who never go online.” If you’re worried a hacker might have your data, here’s how you can protect yourself and your family:

Malware and Viruses

Malware and computer viruses are common ways that scammers get sensitive information. Contrary to popular belief, Macs (and smartphones and tablets) can get viruses. Whether you use Mac, Windows, Linux, or an iPad, protecting your computer against viruses also protects your information.

According to Secure Data Recovery, proactive actions can help keep hackers and viruses from accessing your data. Use strong passwords that are hard to guess. A sentence or phrase is stronger than a single word, for example. You should also install a firewall and antivirus software. Save backups of your files to a device like an external hard drive. Alternatively, you could also save data to the cloud using Google Drive or similar.

Security and Compliance

Cyber threats are continually evolving. By having an information security (InfoSec) plan in place, you can protect data from falling into the wrong hands. InfoSec helps organizations maintain confidentiality while complying with industry regulations. DISC helps organizations succeed in their InfoSec and privacy programs by building and assessing Information Security Management Systems (ISMS) and Privacy Information Management Systems (PIMS) based on various standards and regulations.

For instance, Deura Information Security Consulting (DISC) can perform a risk assessment to identify the security risks. Based on those gaps, they’ll help you create a “safe, secure, and resilient cyber environment.” Additionally, they’ll help your organization comply with regional cyber laws. Those laws include Europe’s General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA).

 

Protect Your Teens 

Nobody is safe from online attacks. Unfortunately, that includes children and teenagers. Some scams specifically target teens and young adults. One example is phishing, which tricks teens into revealing their social media passwords. Teens are also susceptible to phishing scams that include “urgent” subject lines. These scams often trick people into clicking a link to avoid missing a once-in-a-lifetime opportunity.

To protect your children, the InfoSec Institute advises telling them to keep their login information private and to never click on social media links via email. Teach them red flags, like email scams claiming they’ve won money or website URLs that have misspellings or extra letters. Your whole family can learn what to look for by practicing with a phishing simulator.

 

Credit Freezes and Monitoring

Many people believe cybercriminals only steal money. The reality is that many of them are interested in stealing data, identities, or intellectual property. In the event that you do experience data loss, whether due to a virus, malware, or online scam, it’s essential to take action.

According to the IRS, you should report identity theft to the FTC, your bank, and each of the credit bureaus. You might want to freeze your credit and place a one-year alert on your credit report. Credit monitoring companies can help you protect your credit score by alerting you of any fraudulent activity. If you follow the tips listed above, you can recover your data and protect yourself from future attacks.

How to report and protect yourself from credit card fraud

How to prevent credit card fraud amid coronavirus pandemic

The Secret to Cybersecurity: A Simple Plan to Protect Your Family and Business from Cybercrime




May 20 2019

Millions of Instagram influencers had their private contact data scraped and exposed

Category: data security, Security Breach
DISC @ 4:04 pm


A massive database containing contact information of millions of Instagram influencers, celebrities and brand accounts has been found online. The database, hosted by Amazon Web Services, was left exposed and without a password allowing anyone to look inside. At the time of writing, the database had over 49 million records — but was growing by […]

Source: Millions of Instagram influencers had their private contact data scraped and exposed – TechCrunch




May 06 2019

Unsecured SkyMed Database Exposed PII Data Of 137K Individuals

Category: data security, GDPR, Security Breach
DISC @ 9:29 pm


Reportedly, the unsecured SkyMed database exposed huge records having medical and personal information of US citizens online.

Source: Unsecured SkyMed Database Exposed PII Data Of 137K Individuals



ISO/IEC 27018:2014, 1st Edition: Information technology – Security techniques – Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors



NIST Special Publication 800-122 Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)



Mar 12 2019

Firefox Send’s free encrypted file transfers are now available to all

Category: data security
DISC @ 10:26 am

Source: Firefox Send’s free encrypted file transfers are now available to all



Feb 15 2019

3 data leaks that could be undermining your online privacy

Category: data security
DISC @ 1:02 pm

Protecting your online privacy is important. There has been a lot of discussion in recent years about how to stay safe online, and an increasing number of people are turning to Virtual Private Netw…

Source: 3 data leaks that could be undermining your online privacy


 



Jan 31 2019

The biggest ever data dump just hit a colossal 2.2 billion accounts

Category: data security, Security Breach
DISC @ 11:12 am

    Thought Collection #1 was big? Collection #2-5 just dwarfed it

    Source: The biggest ever data dump just hit a colossal 2.2 billion accounts


    Tags: Data dump, data privacy, data security


    Sep 20 2018

    Equifax fined by ICO over data breach that hit Britons

    Category: Cyber Insurance, data security, GDPR, Security Breach
    DISC @ 10:02 am


    Credit rating agency Equifax is to be fined £500,000 by the Information Commissioner’s Office (ICO) after it failed to protect the personal data of 15 million Britons.

    A 2017 cyber-attack exposed information belonging to 146 million people around the world, mostly in the US.

    The compromised systems were also US-based.

    But the ICO ruled Equifax’s UK branch had “failed to take appropriate steps” to protect UK citizens’ data.

    It added that “multiple failures” meant personal information had been kept longer than necessary and left vulnerable.

    Originally, Equifax reported that fewer than 400,000 Britons had had sensitive data exposed in the breach – but it later revealed that the number was nearly 700,000.

    A further 14.5 million British records exposed would not have put people at risk, the company added last October.

    The ICO, which joined forces with the Financial Conduct Authority to investigate the breach, found that it affected three distinct groups in the following ways:

    • 19,993 UK data subjects had names, dates of birth, telephone numbers and driving licence numbers exposed
    • 637,430 UK data subjects had names, dates of birth and telephone numbers exposed
    • Up to 15 million UK data subjects had names and dates of birth exposed

     

    Guard let down

    Equifax had also been warned about a critical vulnerability in its systems by the US Department of Homeland Security in March 2017, the ICO revealed.

    And appropriate steps to fix the vulnerability were not taken, according to the ICO.

    Because the breach happened before the launch of the EU’s General Data Protection Regulation (GDPR) in May this year, the investigation took place under the UK’s Data Protection Act 1998 instead.

    And the fine of £500,000 is the highest possible under that law.

    “The loss of personal information, particularly where there is the potential for financial fraud, is not only upsetting to customers, it undermines consumer trust in digital commerce,” said information commissioner Elizabeth Denham.

    “This is compounded when the company is a global firm whose business relies on personal data.”

    An Equifax spokesperson said the firm was “disappointed in the findings and the penalty”.

    “As the ICO makes clear in its report, Equifax has successfully implemented a broad range of measures to prevent the recurrence of such criminal incidents and it acknowledges the strengthened procedures which are now in effect.

    “The criminal cyber-attack against our US parent company last year was a pivotal moment for our company. We apologise again to any consumers who were put at risk.”

    By BBC.com



    Aug 23 2018

    Secure File Sharing from any device

    Category: Access Control, App Security, data security
    DISC @ 4:36 pm

    Easy Desktop Access to Cloud Files

    Ditch Email Attachments. With your files in the cloud, you can easily share them with anyone — even if they’re outside your company firewall — with a simple link via email or straight from Box.

    Keep Everybody on the Same Page. Easily share files and folders, and add, move or edit files while always having the latest file version on hand.

    Preview Files Without Download. With Box, you can view 120+ types of files, including Word, Excel, PDF, AI, EPS, PSD, photos and more—without downloading a single file.

    Easily Share Your Workspace. Right click any folder to share instantly or open on box.com and invite your team to view, edit and upload files, turning folders into collaborative workspaces.

    Never Lose Files. A stolen laptop or hard drive crash doesn’t mean you lose your files. Safely store all of your work documents and projects in Box Drive.

     

    Box enables secure file sharing and collaboration so you can get real work done with anyone, from any device.

     

    • Secure File Sharing. Easily and securely share files—even sensitive or confidential ones—without worry.
    • Hassle-Free File Sharing. Ditch email attachments! Share any file with a simple link or straight from Box, with anyone you want.



    An Introduction to Box: The Modern Content Management Platform

    Discover how Box can solve simple and complex challenges, from sharing and accessing files on mobile devices to sophisticated business processes like data governance and retention.



    Apr 20 2018

    Nine Things That Are Poised To Impact Cybersecurity

    Category: cyber security, data security
    DISC @ 6:18 pm

    Read the Forbes Technology Council's list of nine things that can impact cybersecurity on Forbes:

    From the Equifax breach this past September to the recent hack of MyFitnessPal data through Under Armour, the number of high-profile cyberattacks has continued to climb in recent months. Every company, regardless of size, must be prepared for the possibility that they may be the next victim.

    Read the full article here.

    Tags: Business Insider Intelligence, data breach, equifax


    Dec 13 2017

    Top 5 Programming Languages In 2018

    Category: App Security, data security
    DISC @ 6:14 pm

    The programming world is growing exponentially with every passing year, with over 600 unique programming languages in existence. The main question on everyone's mind is which language is most appropriate given current and future market needs.

    Let’s see which programming languages are popular enough today to deserve your attention:

    1. Java:
    There is no doubt that Java has kept its place as the most popular language for a long time. It is still the most favored language for building the backends of modern applications.

    2. Python:
    One of the main reasons Python became so common is the wealth of frameworks available for virtually anything, from web applications to text mining.

    3. JavaScript:
    Every web browser supports JavaScript; it's used by over 80% of developers and by 95% of all websites. With Node.js, even the backend can be developed in JavaScript.

    4. C++:
    This language is regularly used for application software, game development, drivers, client-server apps and embedded firmware. According to Coding Dojo, C++ continues to be used in several legacy systems at large enterprises.

    5. C#:
    An object-oriented language from Microsoft designed to run on the .NET platform. It is designed for general software development and is also widely used in video game development.


    Tags: C++, Java, JavaScript, Python


    Oct 18 2017

    GDPR essentials and how to achieve compliance

    Category: data security, GDPR
    DISC @ 9:51 am


    The GDPR will replace these with a pan-European regulatory framework effective from 25 May 2018.  The GDPR applies to all EU organizations – whether commercial business or public authority – that collect, store or process the personal data (PII) of EU individuals.

    Organizations based outside the EU that monitor or offer goods and services to individuals in the EU will have to observe the new European rules and adhere to the same level of protection of personal data. This potentially includes organizations everywhere in the world, regardless of how difficult it may be to enforce the Regulation. A compliance consultant must know the following nine tenets of the GDPR.

     

    • Supervisory Authority – A one-stop shop provision means that organizations will only have to deal with a single supervisory authority, not one for each of the EU’s 28 member states, making it simpler and cheaper for companies to do business in the EU.

     

    • Breach Disclosure – Organizations must disclose and document the causes of breaches, effects of breaches, and actions taken to address them.

     

    • Processors – A processor must be able to provide “sufficient guarantees to implement appropriate technical and organizational measures” to ensure that processing will comply with the GDPR and that data subjects’ rights are protected. This requirement flows down the supply chain, so a processor cannot subcontract work to a second processor without the controller’s explicit authorization. If requested by a data subject, you must cease processing and using his or her data for a limited period of time.

     

    • Data Consent – The Regulation imposes stricter requirements on obtaining valid consent from individuals to justify the processing of their personal data. Consent must be a “freely given, specific, informed and unambiguous indication of the individual’s wishes”. The organization must also keep records so it can demonstrate that consent has been given by the relevant individual. Data can only be used for the purposes to which the data subject originally and explicitly consented. You must obtain and document consent for only one specific purpose at a time.

     

    • Right to be forgotten – Individuals have a right to require the data controller to erase all personal data held about them in certain circumstances, such as where the data is no longer necessary for the purposes for which it was collected. If requested by a data subject, you must erase their data on premises, in apps and on devices.

     

    • Data portability – Individuals will have the right to transfer personal data from one data controller to another where processing is based on consent or on necessity for the performance of a contract, or where processing is carried out by automated means.

     

    • Documentation – The Regulation requires quite a bit of documentation. In addition to the explicit and implicit requirements for specific records (especially including proof of consent from data subjects), you should also ensure that you have documented how you comply with the GDPR so that you have some evidence to support your claims if the supervisory authority has any cause to investigate.

     

    • Fines – Major noncompliance with the law will be punishable by fines of up to 4% of group annual worldwide turnover or €20 million, whichever is greater.

     

    • Data protection by design – Organizations must ensure data security and data privacy across cloud and endpoints, and design their systems and processes to protect against unauthorized data access and malware. Specifically, organizations must take appropriate technical and organizational measures before data processing begins to ensure that it meets the requirements of the Regulation. Data privacy risks must be properly assessed, and controllers may use adherence to approved codes of conduct or management system certifications, such as ISO 27001, to demonstrate their compliance.

     

    How to improve information security under the GDPR

    Although many businesses understand the importance of implementing the right procedures to detect, report and investigate a data breach, not many are aware of how to go about this effectively, especially during the implementation phase.

     

    Seven steps that can help you prevent a data breach:

    1. Find out where your personal information resides and prioritize your data.
    2. Identify all the risks that could cause a breach of your personal data.
    3. Apply the most appropriate measures (controls) to mitigate those risks.
    4. Implement the necessary policies and procedures to support the controls.
    5. Conduct regular tests and audits to make sure the controls are working as intended.
    6. Review, report and update your plans regularly.
    7. Implement a comprehensive and robust ISMS.

     

    ISO 27001, the international information security standard, can help you achieve all of the above and protect all your other confidential company information, too. To achieve GDPR compliance, feel free to contact us for more detail on implementation.

    Related articles on GDPR and ISO 27k

    The GDPR and Personal Data…HELP! from Cloud Security Alliance

    Tags: gdpr, gdpr compliance


    Sep 27 2017

    Data flow mapping under the EU GDPR

    Category: data security, GDPR, Security Compliance
    DISC @ 8:56 am

    As part of an EU General Data Protection Regulation (GDPR) compliance project, organisations will need to map their data and information flows in order to assess their privacy risks. This is also an essential first step for completing a data protection impact assessment (DPIA), which is mandatory for certain types of processing.

    The key elements of data mapping

    To effectively map your data, you need to understand the information flow, describe it and identify its key elements.

    1. Understand the information flow

    An information flow is a transfer of information from one location to another, for example:

    • From inside to outside the European Union; or
    • From suppliers and sub-suppliers through to customers.

    2. Describe the information flow

    • Walk through the information lifecycle to identify unforeseen or unintended uses of data. This also helps to minimise what data is collected.
    • Make sure the people who will be using the information are consulted on the practical implications.
    • Consider the potential future uses of the information collected, even if it is not immediately necessary.

    3. Identify its key elements

    Data items

    • What kind of data is being processed (name, email, address, etc.) and what category does it fall into (health data, criminal records, location data, etc.)?

    Formats

    • In what format do you store data (hardcopy, digital, database, bring your own device, mobile phones, etc.)?

    Transfer method

    • How do you collect data (post, telephone, social media) and how do you share it internally (within your organisation) and externally (with third parties)?

    Location

    • What locations are involved within the data flow (offices, the Cloud, third parties, etc.)?

    Accountability

    • Who is accountable for the personal data? Often this changes as the data moves throughout the organisation.

    Access

    • Who has access to the data in question?
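As an added example that is not part of the original post or of any vendor's tool, the following Python sketch records information flows in the shape of the key elements listed above (data items and category, format, transfer method, location, accountability, access) and screens them for the cases the article singles out: flows from inside to outside the EU/EEA, special-category data, and flows with no accountable owner or no access list. The field names, the category labels and the sample inventory are this example's own constructions, not from any real organisation.

```python
from dataclasses import dataclass
from typing import Dict, List

# EU and EEA member states as ISO 3166-1 alpha-2 codes (EEA = EU + IS, LI, NO).
EEA = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
    "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
    "SI", "ES", "SE", "IS", "LI", "NO",
}

# Category labels this example treats as high-risk for DPIA screening: the GDPR's
# special categories (Art. 9) plus criminal-record data (Art. 10). The label
# spelling is this example's own convention, not a standard vocabulary.
HIGH_RISK_CATEGORIES = {
    "health", "biometric", "genetic", "racial_or_ethnic_origin",
    "political_opinions", "religious_beliefs", "trade_union_membership",
    "sex_life_or_orientation", "criminal_records",
}


@dataclass
class Flow:
    """One information flow, recorded with the key elements from the article."""
    name: str
    data_items: List[str]        # what is processed: "name", "email", ...
    categories: List[str]        # which category it falls into: "health", ...
    data_format: str             # "database", "hardcopy", "mobile", ...
    transfer_method: str         # how it moves: "https_api", "post", "email", ...
    source_country: str          # where the flow starts (ISO alpha-2)
    destination_country: str     # where it ends up (ISO alpha-2)
    owner: str                   # who is accountable; "" if nobody is recorded
    access: List[str]            # roles or groups that can read the data


def leaves_eea(flow: Flow) -> bool:
    """True when data held inside the EEA is sent to a destination outside it."""
    return flow.source_country in EEA and flow.destination_country not in EEA


def findings(flow: Flow) -> List[str]:
    """Issues a reviewer would raise for one flow before deciding on a DPIA."""
    out: List[str] = []
    if leaves_eea(flow):
        out.append(f"transfer outside the EEA "
                   f"({flow.source_country} -> {flow.destination_country})")
    special = sorted(set(flow.categories) & HIGH_RISK_CATEGORIES)
    if special:
        out.append("special-category data: " + ", ".join(special))
    if not flow.owner:
        out.append("no accountable owner recorded")
    if not flow.access:
        out.append("no access list recorded")
    return out


def screen(flows: List[Flow]) -> Dict[str, List[str]]:
    """Map flow name -> findings, keeping only flows that need attention."""
    return {f.name: fs for f in flows if (fs := findings(f))}


# Constructed sample inventory (not from any real organisation).
SAMPLE_FLOWS = [
    Flow("web_signup", ["name", "email"], [], "database", "https_form",
         "DE", "DE", "Marketing", ["marketing", "dba"]),
    Flow("occupational_health_to_insurer", ["name", "dob", "medical_notes"],
         ["health"], "hardcopy", "post", "NL", "US", "", []),
    Flow("payroll_to_provider", ["name", "bank_account"], [], "database",
         "https_api", "FR", "IE", "HR", ["hr"]),
    Flow("supplier_background_checks", ["name", "conviction_history"],
         ["criminal_records"], "database", "email", "GB", "GB",
         "Procurement", ["procurement", "legal"]),
]

if __name__ == "__main__":
    for name, issues in screen(SAMPLE_FLOWS).items():
        print(name)
        for issue in issues:
            print("  -", issue)
```

The screening is deliberately coarse: it only surfaces the flows that need a human decision about a DPIA, and a clean result says nothing about whether the safeguards on a flow are adequate. Running the sample inventory flags the occupational-health flow on all four counts and the background-check flow for its criminal-record data, while the two intra-EEA flows with a recorded owner and access list pass.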

     

    The key challenges of data mapping

    • Identifying personal data – Personal data can reside in a number of locations and be stored in a number of formats, such as paper, electronic and audio. Your first challenge is deciding what information you need to record and in what format.
    • Identifying appropriate technical and organizational safeguards – The second challenge is likely to be identifying the appropriate technology – and the policy and procedures for its use – to protect information while also determining who controls access to it.
    • Understanding legal and regulatory obligations – Your final challenge is determining what your organisation’s legal and regulatory obligations are. As well as the GDPR, this can include other compliance standards, such as the Payment Card Industry Data Security Standard (PCI DSS) and ISO 27001.

    Once you’ve completed these three challenges, you’ll be in a position to move forward, gaining the trust and confidence of your key stakeholders.

     

    Data flow mapping

    To help you gather the above information and consolidate it into one area, Vigilant Software, a subsidiary of IT Governance, has developed a data flow mapping tool with a specific focus on the GDPR.

     


     


    Tags: data flow mapping, data privacy, data security, gdpr


    Mar 06 2017

    Secure usb flash drive – password protected and Encrypted

    Category: data security
    DISC @ 2:01 pm

    Encrypted Flash Drives

    Top Rated
    Kingston Digital 8GB Data Traveler AES Encrypted

    Tags: encrypted usb drive, password protected usb, protected flash drive, USB flash drive


    Nov 15 2016

    Encryption keeps you safe from malware

    Category: data security
    DISC @ 1:02 pm

     


    The Electronic Frontier Foundation aims to protect Web traffic by encrypting the entire Internet using HTTPS. Chrome now puts a little warning marker in the Address Bar next to any non-secure HTTP address. Encryption is important, and not only for Web surfing. If you encrypt all of the sensitive documents on your desktop or laptop, a hacker or laptop thief won’t be able to steal your identity, take over your bank account, or steal your credit card information. To help you select an encryption product that’s right for your situation, we’ve rounded up a collection of current products.

     

    Available Encryption Software to protect your information assets:

     

    Folder Lock can lock access to files for quick, easy protection, and also keep them in encrypted lockers for serious protection. It combines a wide range of features with a bright, easy-to-use interface. Read the full review ››

     

    Cypherix PC creates encrypted volumes for storing your sensitive files. Lock the volume and nobody can access the files. It does the job, though it lacks secure deletion. Read the full review ››

     

    Cypherix SecureIT  handles the basic task of encrypting and decrypting files and folders in a workmanlike fashion, but it lacks advanced features offered by the competition.  Read the full review ››

     


    Tags: data encryption, disk encryption and file encryption, encryption, Identity Theft, Information Privacy, privacy


    Mar 30 2014

    The Protection of Personal Information Act (POPI) in South Africa – Benefits and Challenges


    by Ilenia Vidili

    In South Africa the Protection of Personal information Act (POPI) aims to regulate how companies secure the integrity and confidentiality of their data assets by taking technical and organisational measures to prevent the loss of, and damage and unauthorised access to, personal information. POPI was signed into law on 26th November 2013 but the commencement date is yet to be announced; companies have been given a year to achieve compliance with the Act. Penalties for failing to comply with the Act include prosecution, with possible prison terms of up to 12 months, and fines of up to R10 million. I believe that POPI will make life easier for IT organisations in South Africa.

    Why is it so important for organizations to keep personal information safe?

    Data breaches, and the resultant loss of information assets, can lead to huge financial losses for companies as well as the reputational damage and a loss of customer trust.  The lack of robust Information Security Management Systems (ISMS) can leave organisations of any size and sector open to data breaches. POPI’s objective is to regulate the way personal information is collected and stored by organizations, which will in turn increase customer confidence in the organizations. The Act will apply to all organizations, regardless of size or sector, whether public or private, including the Government. As a reminder of the importance of data security, the City of Johannesburg suffered a massive data breach in August 2013 which allowed anyone to read citizens’ personal billing information on the Council’s website, including full names, account numbers, addresses, and contact details. Anything could have happened to that information, including targeted phishing attacks, and the production of fake ID books and proof of residence, which could have been used for terrorist purposes.

    POPI’s challenges

    The major challenge of POPI is that companies will have to change the way they collect and store customer information as soon as possible: organizations have been given only a year to be compliant before the Act is enforced. Given the extent of changing business processes and employees’ attitudes it will be a serious challenge to reach compliance in only a year.

    PwC’s “journey of implementation” report found that the majority of organizations in South Africa believe it will take several years to achieve compliance with POPI.


    Source: PwC “The journey to implementation”

    One way for South African organizations to make compliance with POPI easier would be to implement the international information security standard ISO27001, which sets out the requirements against which an organization’s information security management system can be independently audited and certified. Implementing the standard will help South African businesses fulfil the compliance requirements of any related legislation (including the Protection of Personal Information Act). Moreover, by implementing ISO27001, businesses ensure that they have effective controls in place to manage risk and protect personal information.

    How to prepare for POPI

    IT Governance SA has developed a wide range of ISO27001 books, training and tools to help organisations with weak information security management systems, and recommends that companies look at the useful information about ISO27001 available on the company’s website.

    Tags: Information Security Management System, isms, POPI, Protection of Personal information Act, South Africa

