A crucial aspect of the Protection of Personal Information Act (POPIA) is the notification of security compromises, meaning unauthorized access to or acquisition of personal information, to the Information Regulator and to the data subjects concerned. Breach notification is mandated by data protection laws around the world, from the EU (the GDPR) to California (the CCPA), Brazil, the Philippines, and Australia; the objective is to hold organizations accountable for protecting personal data and liable for lax protection measures. Failure to comply with POPIA can result in an administrative fine of up to R10 million.
What are organizations expected to do?
Section 22 of POPIA, which deals with notification of security compromises, requires organizations to notify the Information Regulator and the affected data subjects as soon as reasonably possible after discovering that personal information has been accessed or acquired by an unauthorized person. Depending on the case, the notification to data subjects must be mailed to their last known physical or postal address, sent by email, placed in a prominent position on the organization's website, published in the news media, or delivered as directed by the Regulator. Note that the notification is not merely a statement that a compromise has occurred. It must give data subjects enough information to take protective measures, including:
The possible consequences of the compromise.
The measures the organization has taken, or intends to take, to address it.
Recommendations on what data subjects should do to protect themselves.
The identity of the unauthorized person, if known.
Refer to the official page for more details. To meet these requirements, organizations must implement technical measures, security solutions and processes, that safeguard personal data during its collection, processing, and storage, and that let them reconstruct what happened when a compromise occurs.
Protecting your network against breaches using security monitoring techniques
First and foremost, organizations must reduce the likelihood of a breach by deploying preventive controls such as regular patching, firewall policies, and application allowlisting. However, preventive controls never provide 100 percent protection, and organizations must be prepared to detect and contain the incidents that inevitably bypass them. This is where security monitoring comes into the picture.
Monitoring your network lets you identify an attack at an early stage, so you can stop it before it becomes a breach. Even in the worst case, where data is compromised, monitoring lets you contain the damage and preserve the log evidence on which the details in your notification will be based.
Remember, the notification must contain specific details about the incident, including the remediation measures taken. Network and system logs, and a security information and event management (SIEM) solution to collect and correlate them, are therefore central to POPIA compliance. Here are four areas you can start monitoring right away to boost your security:
Data access and modification: Log who reads, changes, or deletes personal data, and augment this with data leak prevention measures that track unauthorized USB, printer, and email activity.
Active Directory change auditing: Track changes made to users, computers, groups, OUs, and GPOs.
Network perimeter monitoring: Audit inbound and outbound traffic and watch for malicious communications.
User activity monitoring: Track actions such as logons and file accesses, especially by users with privileged access to key resources, and watch for anomalous patterns of events.
The importance of centralized monitoring
A SIEM solution can help you gain visibility into crucial security events occurring in your network. This way, you can identify a potential security incident at an early stage, quickly investigate the incident, and resolve the case before it is too late.
Consider the following use cases:
An employee's domain privileges were escalated by adding the account to the Enterprise Admins group in Active Directory. Membership of this group grants control over every domain in the forest, so an unauthorized addition can compromise your entire environment, security systems included.
Multiple failed logons occurred across several accounts during non-business hours. One source trying many different accounts is the signature of a password-spraying attack.
A compromised host in your network is communicating with a command-and-control (call-back) server. Sensitive data might be getting exfiltrated from your corporate network.
Are you in a position to tackle such cases in your organization? Such cases must be identified and thwarted immediately. With the implementation of POPIA, now is a good time to assess your security posture and enhance your monitoring measures.
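The three cases above, and the monitoring areas listed earlier (AD change auditing, user logon activity, perimeter traffic), are detection rules a SIEM evaluates over normalized log events. The following Python is an added illustration, not code from the original page or from Log360: it runs three such rules over a handful of constructed events (fictitious hosts, accounts, domains and timestamps) standing in for parsed Windows Security and web-proxy logs. Event IDs 4728/4732/4756 (member added to a security-enabled group) and 4625 (failed logon) are real Windows Security event IDs; the privileged-group list, thresholds, business hours and threat-intel domains are assumptions to be tuned for your environment.

```python
"""Toy SIEM correlation rules for the three use cases above (added example).

Events are normalized dicts, as a SIEM produces after parsing Windows Security
and proxy logs. All sample data is constructed; hosts, users and domains are
fictitious.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Assumption: membership changes to these groups are always alert-worthy.
PRIVILEGED_GROUPS = {"Enterprise Admins", "Domain Admins", "Schema Admins", "Administrators"}
# Windows Security "member added to security-enabled group": 4728 global,
# 4732 local, 4756 universal (Enterprise Admins is a universal group).
GROUP_ADD_EVENT_IDS = {4728, 4732, 4756}
FAILED_LOGON_EVENT_ID = 4625          # "An account failed to log on"
BUSINESS_HOURS = (8, 18)              # assumption: 08:00-18:00 local, Mon-Fri
THREAT_INTEL_DOMAINS = {"update-cdn-sync.example"}  # constructed stand-in feed


def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def off_hours(t):
    start, end = BUSINESS_HOURS
    return t.weekday() >= 5 or not (start <= t.hour < end)


def detect_privileged_group_change(events):
    """Use case 1: an account was added to a highly privileged AD group."""
    return [
        {"rule": "privileged_group_membership_added", "time": e["time"],
         "group": e["group"], "member": e["member"], "actor": e["actor"]}
        for e in events
        if e.get("event_id") in GROUP_ADD_EVENT_IDS and e.get("group") in PRIVILEGED_GROUPS
    ]


def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Use case 2: one source fails to log on to many distinct accounts in a short window."""
    failures = defaultdict(list)  # source -> [(time, account)]
    for e in events:
        if e.get("event_id") == FAILED_LOGON_EVENT_ID:
            failures[e["source"]].append((ts(e["time"]), e["account"]))
    alerts = []
    for source, attempts in failures.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            accounts = {a for t, a in attempts[i:] if t - start <= window}
            if len(accounts) >= min_accounts:
                alerts.append({"rule": "password_spray", "source": source,
                               "window_start": start.strftime("%Y-%m-%d %H:%M:%S"),
                               "distinct_accounts": len(accounts),
                               "off_hours": off_hours(start)})
                break  # one alert per source; later windows would be repeats
    return alerts


def detect_c2_callbacks(events, min_connections=4, max_jitter=0.1):
    """Use case 3: a host contacts a known-bad domain, or beacons to one external
    host at near-constant intervals (catches C2 that is not yet on any feed)."""
    alerts, seen, conns = [], set(), defaultdict(list)
    for e in events:
        if e.get("type") != "proxy":
            continue
        pair = (e["src"], e["dst"])
        if e["dst"] in THREAT_INTEL_DOMAINS and pair not in seen:
            seen.add(pair)
            alerts.append({"rule": "threat_intel_match", "src": e["src"], "dst": e["dst"]})
        conns[pair].append(ts(e["time"]))
    for (src, dst), times in conns.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # Human browsing gives irregular gaps; a beacon gives near-constant ones.
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
            alerts.append({"rule": "beaconing", "src": src, "dst": dst,
                           "connections": len(times), "interval_s": round(mean(gaps))})
    return alerts


def run_all(events):
    return detect_privileged_group_change(events) + detect_password_spray(events) + detect_c2_callbacks(events)


# Constructed sample events (2021-07-05 is a Monday).
SAMPLE_EVENTS = [
    {"type": "ad", "event_id": 4756, "time": "2021-07-05 22:14:03", "group": "Enterprise Admins",
     "member": "CORP\\j.smith", "actor": "CORP\\j.smith"},          # helpdesk user adds itself
    {"type": "ad", "event_id": 4728, "time": "2021-07-05 10:02:11", "group": "Sales",
     "member": "CORP\\a.jones", "actor": "CORP\\hr.admin"},         # benign group change
    *[{"type": "logon", "event_id": 4625, "time": f"2021-07-06 02:15:{s:02d}",
       "source": "10.0.7.99", "account": f"CORP\\user{n:02d}"}
      for n, s in enumerate(range(0, 30, 5))],                       # spray: 6 accounts in 25 s
    {"type": "logon", "event_id": 4625, "time": "2021-07-06 09:01:00", "source": "10.0.5.40", "account": "CORP\\a.jones"},
    {"type": "logon", "event_id": 4625, "time": "2021-07-06 09:01:20", "source": "10.0.5.40", "account": "CORP\\a.jones"},
    {"type": "proxy", "time": "2021-07-05 23:09:00", "src": "10.0.5.23", "dst": "update-cdn-sync.example"},
    *[{"type": "proxy", "time": f"2021-07-05 23:{m:02d}:00", "src": "10.0.5.23", "dst": "static-assets-7731.example"}
      for m in range(10, 15)],                                       # 60 s beacon, not on any feed
    *[{"type": "proxy", "time": t, "src": "10.0.5.40", "dst": "news.example"}
      for t in ("2021-07-05 09:00:00", "2021-07-05 09:07:30", "2021-07-05 09:25:00", "2021-07-05 11:40:00")],
]

if __name__ == "__main__":
    for alert in run_all(SAMPLE_EVENTS):
        print(alert)
```

Each rule returns structured alerts rather than printing, so the same functions can feed an incident workflow; the spray rule reports `off_hours` as context instead of requiring it, since a daytime spray is still an attack, and the beaconing check is what gives you coverage for a call-back server that no threat-intelligence feed has listed yet.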
Must-have SIEM features
A SIEM solution is the ideal way to implement end-to-end security monitoring in your organization. To help you get started, here are the SIEM features you should insist on:
Log aggregation: Centralize logs from servers, applications, firewalls, databases, and every other important component in your network.
Log archival: Securely store logs so that you can conduct a forensic investigation if a breach is discovered.
Audit report generation: Schedule daily reports to review security events of interest and spot suspicious events.
Alerting: Set up alerts for indicators of compromise to instantly spot security threats.
File integrity monitoring: Track every change—accesses, creations, deletions, modifications, and renaming of files and folders.
Behaviour analytics: Analyse user and system behaviours to spot anomalous activities that are tell-tale signs of attacks.
Threat intelligence: Sync up with threat intelligence feeds to detect network communications with known-malicious IPs, domains, and URLs.
Incident management: Streamline the process of investigating, managing, and responding to incidents by leveraging technologies such as automated workflows.
Mitigate data breaches with ManageEngine Log360
Log360 is a comprehensive SIEM solution that can analyse logs from your entire network to help your organization stay secure and compliant with POPIA. The solution comes with all the above features and more!
Interested in exploring Log360?
Get started by booking a demo now