Inherent risk is the risk that is inherent to a specific function or sub-process,
measured before any control measures are taken into account.
If Personally Identifiable Information (PII) were lost in that specific
sub-process, the impact might be Critical, High, Medium or Low.
Where the volume of PII is low and the personal information is neither
sensitive nor special personal information, the inherent risk might be Low.
Where the volume of PII in a sub-process is high and that sub-process handles
sensitive or special personal information, the inherent risk might be Critical.
Residual risk is the risk that remains after the control measures have been
taken into account.
If there are no control measures in place, the residual risk is the same as the
inherent risk. Control measures do not change the inherent risk itself; where
adequate control measures are in place, they bring the residual risk below the
inherent risk.
Access management is the umbrella term for the tools and technologies that
control user access to critical information within a company. Access
management aims to grant authorised users the right to use a service while
preventing access by non-authorised users.
The General Data Protection Regulation (GDPR) is the European Union (EU) legal
framework that sets binding rules for the collection and processing of the
personal information of individuals in the EU.
POPIA designates the head of the business as the Information Officer. Depending
on the type of business, the Information Officer is the sole trader, a partner
in a partnership, or the CEO (or equivalent) in a company or close corporation
(CC). The head of the business can delegate the duties of Information Officer
to any other duly authorised person. Delegation does not shift accountability:
whoever "determines the purpose of and means for processing personal
information" (the responsible party) remains ultimately responsible for ensuring
that personal information is processed lawfully. The Information Officer may
also appoint, in writing, as many Deputy Information Officers as necessary.
Logical controls are the authentication and authorisation of users to a company
system or program. Logical access controls rely on authentication factors such
as passwords, hardware tokens and biometrics to establish who the employee is;
only once the identity has been established does the system check whether that
employee is authorised to access the requested data. Authentication and
authorisation are separate decisions: a correctly authenticated user may still
be refused access to data their role does not need.
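The following added example (not code from the original page) illustrates the two-step logical control described above: a user is first authenticated against a salted password hash, and only then is the requested action checked against a role-based authorisation policy. The user records, roles, data classes ("personal" and "special", mirroring the page's distinction between ordinary and special personal information) and the policy table are all constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample user store for the example. Passwords are stored only as
# salted PBKDF2 hashes; the clear-text password never sits in the record.
PBKDF2_ROUNDS = 200_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_user_record(password: str, role: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt), "role": role}


USERS = {
    "alice": make_user_record("correct horse battery staple", "hr_officer"),
    "bob": make_user_record("hunter2hunter2", "helpdesk"),
}

# Assumed authorisation policy (hypothetical roles and data classes):
# each role maps to the set of (action, data_class) pairs it may perform.
# Only the HR officer may read special personal information.
POLICY = {
    "hr_officer": {("read", "personal"), ("write", "personal"), ("read", "special")},
    "helpdesk": {("read", "personal")},
}


def authenticate(username: str, password: str) -> bool:
    """Step 1: establish identity. Returns True only for a known user with the
    correct password. Unknown users still go through a hash computation and a
    constant-time comparison so that timing does not reveal valid usernames."""
    rec = USERS.get(username)
    salt = rec["salt"] if rec else b"\x00" * 16
    expected = rec["hash"] if rec else bytes(32)
    matches = hmac.compare_digest(_hash_password(password, salt), expected)
    return matches and rec is not None


def authorise(username: str, action: str, data_class: str) -> bool:
    """Step 2: check that the established identity's role permits the action."""
    rec = USERS.get(username)
    if rec is None:
        return False
    return (action, data_class) in POLICY.get(rec["role"], set())


def access(username: str, password: str, action: str, data_class: str) -> str:
    """Full logical control: authentication first, then authorisation."""
    if not authenticate(username, password):
        return "denied: authentication failed"
    if not authorise(username, action, data_class):
        return "denied: not authorised"
    return "granted"


if __name__ == "__main__":
    print(access("alice", "correct horse battery staple", "read", "special"))
    print(access("bob", "hunter2hunter2", "read", "special"))
    print(access("bob", "wrong password", "read", "personal"))
```

Note that bob with a correct password is still refused the special-information read: authentication succeeded, authorisation did not, which is the separation the passage describes.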
Personal information may only be processed if, given the purpose for which it
is processed, the processing is:
- Adequate
- Relevant
- Not excessive
Physical controls restrict access to a physical space within the company. This
type of access control limits entry to rooms or buildings, including server
rooms, and also records who enters and leaves high-risk areas.
Retention periods differ for each category of data a company collects. A
Retention and Destruction Policy and Procedure should be implemented in the
business to document these periods and the destruction steps that follow them.