PoPI compliance requires improved security posture and incident handling skills to avoid potential fines of up to 10 million Rand
“It has been a long journey but South Africa’s first comprehensive information security and privacy legislation is at the final stages of becoming law,” comments Craig Rosewarne, Director EMEA - Africa region for the SANS Institute. “However, it is still not certain that many of the organisations that need to understand the ramifications of compliance with PoPI, in my opinion, are probably not yet ready.”
State law advisors have presented the 9th Draft of the Protection of Personal Information bill to the Committee to deliberate on a clause-by-clause basis. In short order, a potentially ‘final’ 10th version is likely to be referred to the National Assembly for a final vote then referral to the NCOP for that House’s approval.
“We are starting to have some interesting discussions with government departments, large private enterprises and consultants as to what they need to do to prepare themselves for PoPI which is probably less than a year away,” comments Rosewarne. “Information privacy is not just a regulatory issue but the arrival of the new law has accelerated the demand for training and certification and our upcoming event is in part a reaction to these specific drivers.”
SANS will be running its first full training conference in South Africa this October at the Radisson Blu Gautrain Hotel in Johannesburg that will include courses covering essential security best practice, incident handling and computer forensics.
Of particular interest in relation to PoPI is the SANS Security 504: Hacker Techniques, Exploits & Incident Handling course. Taught by highly experienced SANS Certified Instructor James Tarala, an expert practitioner who has dealt with high profile incidents across the world, the six day course is aimed at helping information security professionals understand attackers' tactics and design a comprehensive incident handling plan. This plan includes the legal issues associated with responding to computer attacks, including employee monitoring, working with law enforcement, and handling evidence.
“We have negotiated a discount for government employees and members of the Information Security Group of Africa who wish to attend any of the courses as a further incentive to kick start the process,” explains Rosewarne. “PoPI is coming and organisations need to get ready sooner rather than later as the potential reputation damage and fines for breaches are significant.”