New regulations will force companies to do their governance homework.
The security industry has always been able to do what it wanted, or what budgets allowed it to do, in its effort to secure people and information. This state of affairs was acceptable in most instances, but there are always those certain few willing to take advantage of a situation for their own benefit.
In recent years, corporate governance has become a central issue in business, and compliance has moved from an option to a necessity in the face of new regulations, with more still to be formulated in the coming months and years. The protection of information is a core component of compliance, especially in a world where hackers seem to have no trouble breaking into databases and stealing sensitive information.
In the South African context, the protection of information is becoming more important as a component of the King III report, the Consumer Protection Act (CPA) and the proposed Protection of Personal Information Act (PoPI). Hi-Tech Security Solutions asked two companies that deal with these issues on a daily basis for their take on the implications for those responsible for governance, risk and compliance (GRC), focusing on the security field.
Will there be an impact?
Getting beyond the hype, it is probably wise to first ask how, or whether, new regulations such as PoPI and the CPA, as well as corporate governance standards like King III, will affect the installation and maintenance of data and intellectual property (IP) security solutions.
Grant Hodgkinson, business development director at Mimecast South Africa, responds: “We are unlikely to see a mandatory implementation of specific processes to safeguard digital assets or IP. Instead, physical adherence to these frameworks will cover digital assets as well, and for this reason, companies will need to consider information security by implication. Even without these regulations, there is a growing groundswell of ‘better governance’ in the world, where companies realise the need to protect their private data and the data held on behalf of customers.
“In response to this, we are likely to see technology solutions being revised. King III places IT and the management of IT information squarely on the board agenda. As more companies embrace this framework, we are likely to see new solutions being considered. King III also pushes companies to either comply or explain non-compliance.”
Andrew Whittaker, senior consultant at Ubusha Technologies, expands: “Personal information can be found being collected, stored and processed within almost all corporate business processes. The new draft South African legislation (PoPI) will mandate executives to ensure the right to privacy, and the security of this information, is protected. Ensuring that you know who has access to your customers’ personal information and regular verification of this access will be essential in meeting the requirements of the bill.
“The King commission, in its revised recommendations to business on good governance (King III) has stressed the importance of IT in today’s business world, and therefore the importance of effective IT governance being in place.”
Hodgkinson continues that it is unlikely that all companies will abandon the storage of personal identification information as in many cases it is essential to do multichannel business. “However, certain companies may decide that they no longer have the appetite to risk storage of such data and consider alternatives, but the broad-based abandonment of this is unlikely to take place.”
He goes on to say that when it comes to video surveillance footage in particular, these regulations will not necessarily have an impact, but it “depends on what the footage is of, and what the company decides to do with that footage. This is a question of risk and the company’s appetite for risk.”
Back to access control
While company leaders are concerned with what information they have and how to store it effectively and legally, another question to consider is what happens to that information inside the company. Data is stored for a reason, but failing to ensure only the right people can access and use it for appropriate reasons is another challenge. This brings us back to the old question of access and identity management.
Whittaker comments: “It is well understood that the management of identities in the corporate IT environment is essential to security. But what about managing the access assigned to these identities? Often auditors ask IT organisations the following questions:
* Who works for you?
* Who has access to your systems?
* Should these people have access?
* Do you have the processes to verify this access?
* Do you know how they got their access and who approved it?
“Not only is the ability to answer these questions important to an organisation’s ability to ensure good IT governance, but there is local and international legislation which may require it to control these risks.”
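The five auditor questions above map directly onto a periodic access review. The script below, an added example that is not part of the article and not code from Ubusha Technologies, runs such a review over a constructed HR roster, role matrix, approval log and entitlement export; all names, tickets and the 365-day review interval are assumed for illustration. Each finding category answers one question: accounts with no matching employee (who works for you?), entitlements outside the person's role (should they have access?), grants with no valid approval record (who approved it?), and grants not re-verified within the interval (do you verify this access?).

```python
"""Access review (certification) over constructed sample data.

Answers the auditor questions in the article: who works here, who has
access, should they, was it approved, and has the access been verified
recently. All data below is constructed for the example.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Grant:
    user: str
    system: str
    entitlement: str
    approval_ticket: Optional[str]   # change/approval record id, if any
    approved_by: Optional[str]
    last_reviewed: Optional[date]


# "Who works for you?" -- constructed HR roster: user -> job role (leavers absent)
HR_ROSTER = {
    "alice": "finance_clerk",
    "bob": "dba",
    "carol": "hr_officer",
}

# "Should these people have access?" -- constructed role-to-entitlement matrix
ROLE_ENTITLEMENTS = {
    "finance_clerk": {("erp", "ap_read"), ("erp", "ap_post")},
    "dba": {("crm_db", "read"), ("crm_db", "admin")},
    "hr_officer": {("hr_db", "employee_pii_read")},
}

# "Who approved it?" -- constructed approval log: ticket -> recorded approver
APPROVAL_LOG = {
    "CHG-1001": "finance_manager",
    "CHG-1002": "it_manager",
    "CHG-1003": "hr_manager",
}

# "Who has access to your systems?" -- constructed entitlement export
GRANTS = [
    Grant("alice", "erp", "ap_read", "CHG-1001", "finance_manager", date(2012, 1, 15)),
    Grant("alice", "crm_db", "read", None, None, date(2012, 1, 15)),             # no approval, outside role
    Grant("bob", "crm_db", "admin", "CHG-1002", "it_manager", date(2011, 2, 1)),  # review older than a year
    Grant("carol", "hr_db", "employee_pii_read", "CHG-1003", "hr_manager", date(2012, 3, 1)),
    Grant("dave", "erp", "ap_post", "CHG-1001", "finance_manager", date(2012, 1, 15)),  # dave has left
    Grant("bob", "crm_db", "read", "CHG-9999", "it_manager", date(2012, 3, 1)),   # ticket not in the log
]

REVIEW_INTERVAL_DAYS = 365  # assumed certification interval


def review_access(grants, roster, role_matrix, approvals, today, max_age=REVIEW_INTERVAL_DAYS):
    """Return a dict of finding category -> sorted list of (user, system, entitlement)."""
    findings = {"orphaned": [], "outside_role": [], "unapproved": [], "stale_review": []}
    for g in grants:
        key = (g.user, g.system, g.entitlement)
        role = roster.get(g.user)
        if role is None:
            findings["orphaned"].append(key)   # account belongs to nobody employed: revoke
            continue                           # the remaining checks are moot for it
        if (g.system, g.entitlement) not in role_matrix.get(role, set()):
            findings["outside_role"].append(key)
        # Approval is valid only if the ticket exists and names the same approver
        ticket_ok = (g.approval_ticket in approvals
                     and approvals[g.approval_ticket] == g.approved_by)
        if not ticket_ok:
            findings["unapproved"].append(key)
        if g.last_reviewed is None or (today - g.last_reviewed).days > max_age:
            findings["stale_review"].append(key)
    return {k: sorted(v) for k, v in findings.items()}


def run_example():
    """Run the review on the constructed data as of a fixed review date."""
    return review_access(GRANTS, HR_ROSTER, ROLE_ENTITLEMENTS, APPROVAL_LOG, date(2012, 6, 1))


if __name__ == "__main__":
    for category, items in run_example().items():
        print(f"{category}: {items}")
```

In practice the roster comes from the HR system, the grants from each application's entitlement export and the approvals from the change or ticketing system; the value of the exercise is that the three sources are reconciled against each other rather than trusted individually, which is what lets an organisation show an auditor not just who has access, but that the access was justified and approved.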
The CPA and PoPI are only two local regulations in this regard. Internationally, the Sarbanes-Oxley Act of 2002 (SOX), which applies to US public company boards, management and public accounting firms, is the most famous (or infamous), having been enacted in reaction to a number of corporate and accounting scandals, such as those affecting Enron, Tyco International and WorldCom.
The solution for companies, both large and small, is to understand the law as it applies to them and ensure they comply. Not only is this a legal requirement, but more customers are becoming aware of the importance of their privacy and could react negatively to careless or reckless behaviour on the part of organisations. Every company therefore has a responsibility and duty to store only the information it requires, along with its own IP, to make all reasonable effort to protect the safety and privacy of that information, and to ensure that it is used only by authorised employees for legitimate purposes.
© Technews Publishing (Pty) Ltd. | All Rights Reserved.