IT departments in large organisations are not even doing the basics to protect sensitive information

Are you ready for POPI?

December 12, 2012

Are you ready for POPI?

The Protection of Personal Information Act (POPI) will soon be enacted into South African law and the latest draft has already been passed by the national assembly. However, many large and well known organisations are not even attending to some of the basics of information security, namely applying operating system security patches. This means that they are not compliant with pending regulations.

The reason companies are struggling with operating system security patching may be linked to bandwidth, according to sustainableIT director Tim James. “Security patching, updates and even software deployments are very difficult and often impossible in branch office environments,” James has said. “Large retailers and financial services companies that all have significant branch networks are impacted the most, often running on very little bandwidth. Unfortunately these are the very same organisations that hold the personal and financial information that the act is trying to protect. Are all of these companies doing the basics? The answer is absolutely not.”

The reason for this is that business traffic, line of business applications and any revenue generating activity is seen as sacrosanct and rightly so, particularly in tough economic times.

“The net result is that systems management traffic, the ‘stuff’ that gets security updates and the like down to branch offices is either de-prioritised – or not catered for at all. This means that updates don’t happen and point of sale, tellers and back office devices are not patched with the latest security updates,” James explains. “Forget the POPI act, this is hardly acceptable even without legislation. It is the elephant in the corner that has been avoided for far too long in many IT departments.”

Although it is unclear when POPI will be promulgated, its arrival is inevitable. Companies should particularly take note of Condition 7, relating to security safeguards. The condition states that “a responsible party must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organizational measures to prevent a) the loss of, damage to or unauthorized destruction of personal information; and b) unlawful access to or processing of personal information”.

It also calls on responsible parties to identify “all reasonably forseeable internal and external risks to personal information in its possession”, to establish and maintain appropriate safeguards against these risks and to “ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards”.

“This means that if you are not updating your operating system security on a continual basis, you are not compliant,” James warns. “For companies that are found non-compliant, fines can be levied of up to R10 Million – which does not preclude civil damages running into millions, as well as the associated reputational risk and the impacts thereof. Any individual convicted of an offense under this act could face a jail term of 10 years. It makes sense to avoid this by any means necessary!”

But James goes on to say that company who have invested in the Microsoft System Centre Configuration Manager (SCCM), can become compliant almost immediately (in terms of patching) with a simple add on.

“Programs such as Nomad Enterprise from 1E can be used very effectively. SCCM’s native deployment technology (BITS) is not very bandwidth friendly and hence patching is often turned off to remote locations. Nomad replaces BITS as a content provider and is very bandwidth friendly, constantly backing off to business traffic to ensure that business operations are not affected,” he explains. “The key point here is that Nomad continually uses spare and available bandwidth to ensure that you can get what you need down to your branch sites as quickly as possible without any impact on the business. This is not possible with incumbent toolsets.”

In the United States, one of the largest retailers recently deployed Nomad for very similar reasons. For compliance purposes, they had to ensure that devices were constantly patched. This however was having a negative impact on their “just in time” business application and the net effect was that trucks in their distribution channel were leaving half empty, largely because business data was not arriving in time. By deploying Nomad, business traffic still takes priority but Nomad traffic ramps up dynamically when the business traffic ramps down, allowing systems management traffic to flow without any business impact.

The POPI act is going to place tremendous pressure on IT departments from a compliancy perspective. There have been many false starts with this legislation – but companies will only have one year to comply and the financial consequences and reputational risk could be dire. “ The time to act is now,” James concludes.