How many digital devices do you have in use in your business that could represent a risk of losing personal information? This question is a lot tougher to answer than you might at first think, and in this article we will find out why that is the case.
The most obvious place to start is the fixed assets register, where you record all of the information and communications technology (ICT) devices you own, manage and depreciate in line with the rules issued by SARS. In times past this would capture most if not all of the ICT items a company used: tech used to be relatively high in value, centrally procured and tightly managed.
That is no longer the case, for several reasons. First, the emergence of the "throw away" tech era. Items are now so low in cost that they fall below the minimum value for classification as a depreciable asset, so they never make it onto the fixed assets register in the first place. Second, the extensive use in business today of outsourcing and service agreements. Where service providers are used, the fixed assets register entries for a whole class of equipment may drop to zero, because the organisation no longer acquires those assets in its own name.
One of the more recent contributors to this is cloud computing, where entire layers of tech can simply disappear (think traditional server rooms) as they are replaced with a service (think offerings from Microsoft, Google, Amazon, Dropbox and other home-grown cloud service providers). Having said that, most organisations are still holding a significant inventory of desktop/tower PCs, laptops, servers and so on.
Outside the corporate asset register, the next place to look for digital devices that might put personal information at risk (the security compromises the POPI Act (POPIA) addresses under Condition 7, Security Safeguards) is your service agreements. This is where we need to think broadly, as so much of what we do in business today is digital without being part of our core operations, production or accounting systems.
Examples are physical security systems such as access control, including biometric recognition and authorisation systems, whether used for staff, visitors or service providers. Alongside the digital logs that record physical access sit digital monitoring systems such as CCTV. Where this used to mean a network of fixed-location cameras, it is fast evolving as more companies use drone-based technology to complement their wired, land-based platforms. Then there are specialist tracking systems that use technologies such as WiFi, Bluetooth and RFID to track people as they go about their work, particularly in high-hazard job roles such as those found in mining and similar industries.
The same applies in specialist settings such as health care, where bedside monitoring systems capture some of the most personal data there is, relating to health and wellness. Other common examples include multi-function devices such as the print/copy/scan/fax machines or the digital switchboard you hold on a lease agreement.
One of the largest areas needing attention has nothing to do with what your organisation manages or pays for, directly or indirectly. It is what has become known as BYOD, Bring Your Own Device. As tech has moved into the hands of consumers and out of the narrow control of the IT/ICT community, the use of personally owned and funded devices has mushroomed.
Laptops, tablets, smartphones and smart watches are just some of the devices typically used by directors, management and employees as they go about their daily business. In truth the list is much longer and should include home-based desktop PCs and servers, USB memory sticks (flash drives), CDs and DVDs, digital cameras, external hard drives, digital memory cards and no doubt others you are thinking of right now. Every one of these devices can carry personal information and is therefore a potential source of its loss.
Just identifying all these devices can be a major challenge if it is not tackled in a formal, structured and consistent way. Remember, POPIA requires (section 19) that the responsible party (the organisation doing the processing; service providers are called operators in POPIA) takes "reasonable measures" to "identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control".
Clearly in today’s digitally diverse world that must go beyond consulting the fixed assets register. Look at your service agreements. Run a staff survey. Be inquisitive about where the risks are and how to address them. What to do once you have found those devices will be the subject of my next article.
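The three sources just listed (fixed assets register, service agreements, staff survey) only become a single inventory once they are merged and the overlaps removed. The script below is an added example, not from the original article or from its author: it takes constructed sample records from each source, normalises the identifiers so the same laptop reported twice is counted once, and lists the devices that appear in no managed source at all, which is where the BYOD risk sits. The source names, field layout and device identifiers are assumptions chosen for illustration.

```python
"""Merge device records from several sources into one inventory.

Added example (not part of the original article). All records are
constructed sample data; the source names and field layout are assumptions.
"""

# Constructed sample data. Each source lists devices by a stable identifier
# (serial number or asset tag). The sources deliberately overlap and differ
# in case and whitespace, which is what the normalisation step deals with.
FIXED_ASSET_REGISTER = [
    {"id": "LT-0042", "type": "laptop", "holder": "finance"},
    {"id": "SRV-007", "type": "server", "holder": "ict"},
]
SERVICE_AGREEMENTS = [
    {"id": "MFD-118", "type": "multi-function printer", "holder": "reception"},
    {"id": "CCTV-NVR-1", "type": "cctv recorder", "holder": "security"},
]
STAFF_SURVEY = [
    {"id": " lt-0042 ", "type": "laptop", "holder": "finance"},          # same laptop as the register
    {"id": "PHONE-J-SMITH", "type": "smartphone", "holder": "j.smith"},  # personally owned
    {"id": "USB-RED-16G", "type": "usb flash drive", "holder": "j.smith"},
]

SOURCES = {
    "asset_register": FIXED_ASSET_REGISTER,
    "service_agreements": SERVICE_AGREEMENTS,
    "staff_survey": STAFF_SURVEY,
}

# Sources under the organisation's direct or contractual control (assumption).
MANAGED_SOURCES = ("asset_register", "service_agreements")


def normalise_id(raw):
    """Strip whitespace and fold case so 'lt-0042' and 'LT-0042' match."""
    return raw.strip().upper()


def build_inventory(sources):
    """Return {device_id: {"type", "holder", "sources": set}} across all sources."""
    inventory = {}
    for name, records in sources.items():
        for rec in records:
            dev_id = normalise_id(rec["id"])
            entry = inventory.setdefault(
                dev_id, {"type": rec["type"], "holder": rec["holder"], "sources": set()}
            )
            entry["sources"].add(name)
    return inventory


def unmanaged_devices(inventory, managed=MANAGED_SOURCES):
    """Device ids seen only in unmanaged sources (e.g. reported in the survey alone)."""
    return sorted(
        dev_id for dev_id, entry in inventory.items()
        if not entry["sources"] & set(managed)
    )


def source_coverage(inventory):
    """Count how many inventory entries each source contributed to."""
    counts = {}
    for entry in inventory.values():
        for name in entry["sources"]:
            counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    inv = build_inventory(SOURCES)
    print(f"{len(inv)} distinct devices found")
    print("coverage by source:", source_coverage(inv))
    for dev_id in unmanaged_devices(inv):
        e = inv[dev_id]
        print(f"UNMANAGED {dev_id}: {e['type']} held by {e['holder']}")
```

In practice the survey responses would be read from a spreadsheet export and the managed sources from the asset register and contract records; the reconciliation logic is the same, and the unmanaged list is the starting point for the next step of deciding what to do about each device.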
By Dr Peter Tobin, www.popisolutions.co.za