
Information and Data Security | SRMC


We seem to be inundated with stories of cyber attacks, data breaches, hacking, malware, viruses and the like. Customers and employees could have lost highly sensitive personal information such as credit card details, home addresses and contact numbers, which significantly impacts and inconveniences them whilst dragging the name of the Organisation holding the data into disrepute.

This presents a significant risk to most Organisations, as customers will be evaluating whether to do business with you or not, based on how you manage their personal information, and not just your product or service offering.

So what can you do about information security?

Many organisations looking to manage various forms of business risk have turned to international best practice standards, such as ISO 9001 for Quality Management, ISO 14001 for Environmental Management, or ISO 45001 for Health & Safety Management. ISO’s best practice standard for Information Security is ISO 27001.

If you are already certified to any of the other ISO standards, ISO 27001 will seamlessly integrate with them.

In order to assist our clients to decide on mechanisms to manage data security, over the next few weeks we will be providing an overview of the principles of ISO 27001:2013.

Principle 1 – Assessing how your information is protected

Organisations would not leave money, confidential recipes or product specifications lying around, for good reason: this is critical business information which, in the wrong hands, could result in the loss of market share and even business closure. Information is a valuable asset.

Ask any military tactician about the power of information: forewarned is forearmed. Information, and how it is identified, handled, processed and protected through its various interactions, is an essential business process.

Information could be business process information, employee information, or customer and supplier information, to name but a few, all of which need to be protected. The Protection of Personal Information Act (POPI Act) creates a duty for Organisations to ensure that personal information is obtained, processed, stored and removed in a secure manner.

Failure to do so can result in hefty fines and reputational damage. So if we want to take information security seriously, where do we start? We need to look at a structured best practice approach such as ISO 27001, including the development of an Information Security Management System (ISMS).

So we’ve decided on a framework, what’s next?

Many of you will be familiar with a risk assessment process, whereby you identify various activities or processes, and hazards (what could go wrong and how), estimate risks involved and determine what controls are in place as well as their effectiveness.

Well, the kick-off point for ISO 27001 is no different. We need to identify all the Information Assets, how they are stored, and the means by which information can be transmitted.

Information can be stored in different ways:

  • Digital (stored electronically)
  • Material form (hard copy documents)
  • Organisational Knowledge (know-how retained by people)

Information can be transmitted:

  • Digitally (email or SMS)
  • Physically (post or courier)
  • Verbally (during meetings with employees, customers or suppliers)

Once you’ve identified the information, how it’s stored and how it’s transmitted, you can assess the risks of the information being compromised. This process can be extremely illuminating in identifying gaps. It then gives you the opportunity to do something about them, such as putting more suitable controls on your data assets in place.

Additional controls could take the form of malware protection (for hardware), locks on cabinets and doors (for hard copy protection), or even 24/7 alarm systems on your buildings, to prevent intruder access.

Once these controls are in place, you will need to monitor, maintain and improve their effectiveness. Information and technology are continually evolving, so monitoring and maintenance of controls are absolutely essential. So, now that we have taken the first steps required to develop an ISMS, join us for the next steps, when we discuss Principle 2 – Awareness of the need for information security.

DETERMINATION: EARNINGS THRESHOLD

Basic Conditions of Employment Act and Regulations (75/1997)

The Minister of Employment and Labour has in terms of Section 6 (3) of the Basic Conditions of Employment Act, No. 75 of 1997, (the Act), determined that all employees earning in excess of R211 596.30 (two hundred and eleven thousand, five hundred and ninety-six rand, thirty cents) per annum be excluded from sections 9, 10, 11, 12, 14, 15, 16, 17(2) and 18(3) of this Act with effect from 1 March 2021.

R.77 of 2021


INCORPORATION OF HEALTH AND SAFETY STANDARD – CODE OF PRACTICE: ZIP LINES

Occupational Health and Safety Act and Regulations (85/1993)

The Chief Inspector in terms of section 27(1) of the Occupational Health and Safety Act 1993, acting in terms of the powers vested in him by regulation 17 of the Driven Machinery Regulation 2015, after consultation with the Advisory Council for Occupational Health and Safety has incorporated a Code of Practice for commercial Zipline and Aerial Adventure Parks.

R.1399 of 2020


NATIONAL WASTE MANAGEMENT STRATEGY 2020

National Environmental Management: Waste Act and Regulations (59/2008)

The Minister of Fisheries, Forestry and the Environment has published the National Waste Management Strategy 2020 in terms of Section 6 of the National Environmental Management Waste Act 2008 (Act No. 59 of 2009) for implementation.

R.56 of 2021

INVITATION FOR NOMINATIONS OF PERSONS TO SERVE AS MEMBERS OF THE AARTO APPEALS TRIBUNAL

Administrative Adjudication of Road Traffic Offenses Act and Regulations (46/1998)

Nominations have been invited for members of the Administrative Adjudication of Road Traffic Offenses (AARTO) Appeals Tribunal.

Nominations must be submitted within four (4) weeks from the date of publication of this Notice in the Government Gazette. Nominations received after the closing date will not be considered.

R.37 of 2021


AMENDMENT OF REGULATIONS REGARDING EXTENDED PRODUCER RESPONSIBILITY

National Environmental Management: Waste Act and Regulations (59/2008)

The Minister of Forestry, Fisheries and the Environment has, in terms of section 69(1)(b), (g), (i), (l), (o), (dd) and (ee) of the National Environmental Management: Waste Act, 2008, made the Regulations regarding extended producer responsibility, as set out in the Schedule.

R.20 of 2021

THE BORDER MANAGEMENT AUTHORITY ACT

Border Management Authority Act (2/2020)

The new Border Management Authority Act has been promulgated.

Act 2/2020 

Use SHEQ software for your Process Approach

An essential part of any process approach is your management system, and software is a great solution to deliver on your requirements. SRM and many of our clients use Mango Compliance Software – www.mangolive.com. Mango makes it easier to get ISO 9001:2015 certification.

SRM is ISO 9001:2015, ISO 14001:2015 and ISO 45001:2018 certified. Let us know if we can help you with the development and implementation of your Quality Management System. Contact our consultants today.
