In lieu of the Protection of Personal Information Act, 4 of 2013, (POPIA) taking effect from the 1st July 2021, many businesses are implementing procedures to safeguard their customers’ and suppliers’ personal information.
We at nVisionIT (Pty) Ltd have always valued the confidentiality of our customers’ and suppliers’ personal information and therefore voluntarily introduced several measures to ensure compliance with POPIA.
We will continue to manage your personal information in the same confidential way we always have.
We do however wish to take this opportunity to highlight and inform you of our policies as well as your rights in terms of POPIA:
- All personal information under our care is processed ensuring that our employees and the company as a whole are accountable, information is processed lawfully in order to achieve the purpose for which the information is obtained.
- “Processed” is broadly defined as:
- “[an]y operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including—
- the collection, receipt, recording, organization, collation, storage, updating or modification, retrieval, alteration, consultation or use.
- dissemination by means of transmission, distribution or making available in any other form; or
- merging, linking, as well as restriction, degradation, erasure or destruction of information.”
- Personal information” is widely defined in POPIA and means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to:
- information relating to the race, gender, sex, pregnancy, marital status, national, ethnic, or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person.
- information relating to the education or the medical, financial, criminal or employment history of the person.
- any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier, or other assignment to the person.
- the biometric information of the person.
- the personal opinions, views, or preferences of the person.
- correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence.
- the views or opinions of another individual about the person.
- the name of the person if it appears with other personal information; and
- relating to the person or if the disclosure of the name itself would reveal information about the person.
When collecting your information, we will take all reasonable steps to ensure that information is complete, accurate, not misleading and updated where necessary.
You may at any time, request a record of all information, relating to you, which we hold.
Should you believe that any information which we have recorded is not complete, accurate or is misleading you have the right to request, in writing, that such information be updated. Should you object to our processing of your personal information you may object to this, however, we may in such circumstances be unable to continue our business relationship.
We do not retain any personal information longer than is required and will at all times take all reasonable steps to ensure that your information is secure. In this regard we regularly undertake an assessment of internal and external risks and where necessary have implemented steps to mitigate these risks.
In the unlikely event that we experience a data breach we will as soon as reasonably possible, inform you in writing at the most recent email address which you have provided to us, of the data breach as well as providing you with the necessary information for you to protect your information.
By continuing your business relationship with us you consent to the collection and processing of your personal information as set out above.
SCHEDULE 1 – TECHNICAL AND ORGANISATIONAL SECURITY MEASURES
People, awareness, and training:
- Employees with access to the Personal Information are bound to non-disclosure of information as part of their employment contract.
- Regular awareness training on POPIA for all employees with access to the Personal Information.
Organisation control:
- Internal data privacy policies and procedures which comply with requirements of POPIA.
- Data privacy is implemented and audited on compliance on an annual basis.
Physical Security to Personal Information:
- Access control and visitor management systems implemented for all visitors/guests.
- Access control and CCTV surveillance to protect restricted areas.
- Locked cabinets for where paper files / parcels are stored.
Electronic Security to Personal Information:
- Encryption
- 2 Factor Authentication
- Anti-virus protection
- E-mails are automatically scanned by anti-virus and anti-spam software.
- Firewalls
Access Control to Personal Information:
- Employees are given access on a limited and controlled basis.
- Access logging and control to Personal Information.
- Logical access control – e.g., password protection.
Documenting of Processing Operations:
- Creation, updating and monitoring of standard operating procedures relating to and governing the processing of Personal Information.
Data Loss Prevention Strategy:
- Adoption of tools and technologies to ensure that Personal Information is not lost, misused, or accessed by unauthorised persons.
SCHEDULE 2 – PROCESSING LIMITATIONS
nVisionIT may process personal information as:
SCHEDULE 3 – HOW DO WE PROTECT YOUR DATA IN AZURE
Achieving a 79.31 % Secure Score mean that we follow requirements set out by Microsoft to improve security such as:
- Enable MFA (multi-factor authentication) for administrative roles:
Requiring multi-factor authentication (MFA) for all administrative roles makes it harder for attackers to access accounts. Administrative roles have higher permissions than your typical users therefore if those accounts are compromised, critical devices and data is open for attacks. - Enable MFA (multi-factor authentication) for all users:
Requiring multi-factor authentication (MFA) for all users help protect devices and data that are accessible by these users. By adding more authentication methods such as Microsoft Authenticator or a phone number, increases the level of protection if one factor is compromised. - Enable policy that blocks legacy authentication:
Most compromising sign-in attempts come from legacy authentication. Older office clients such as Office 2010 don’t support modern authentication and use legacy protocols such as IMAP, SMTP and POP3. Legacy authentication does not support MFA. - Do not expire passwords:
Research found that when periodic password resets are enforced, passwords become less secure. Users tend to pick a weaker password and vary it slightly for each reset. - Enable self-service password resets:
With self-service password reset in Azure Active Directory, users no longer need to engage helpdesk to reset their passwords. This feature also works well with Azure AD dynamically banned passwords, which prevents easily guessable passwords from being used. - Turn on Customer Lockbox feature:
Turning on the customer lockbox feature requires that approval is obtained for datacentre operations that grants a Microsoft employee direct access to your content. Access may be needed by Microsoft support engineers if an issue arises. There’s an expiration time on the request and content access is removed after the support engineer has fixed the issue.
These are only but a few features that we leverage to ensure that your data is secure when hosted in Azure.
SCHEDULE 4 – HOW WE PROTECT YOUR DATA WITH INTUNE
nVisionIT has enrolled Microsoft Endpoint Manager, also known as Microsoft Intune in the organization. This is a cloud-based service that focuses on mobile device management (MDM) and mobile application management (MAM). With Microsoft Endpoint Manager we control how the organization’s devices are used and how they gain access to company resources and data. We deploy restrictive policies to all our devices such as mobile phones, tablets, desktops and laptops to control access to company applications and access to company resources, both in the cloud and on-premises.
Microsoft Endpoint Manager is also part of the Microsoft’s Enterprise Mobility + Security (EMS) suite. It integrates with Azure Active Directory (Azure AD) to control who has access and what can be accessed. It also integrates with Azure Information Protection for data protection and integrated seamlessly with Microsoft Office 365 products such as Microsoft Teams and other Microsoft 365 Apps to devices. These features allow our employees to be more productive on their devices while keeping our organization’s data and information protected.
With Microsoft Endpoint Manager we fully control all our devices from the cloud ensuring that personal and organizational devices adhere to specific security standards, in other words, all devices are ‘safe and clean’ before accessing company or client data in the cloud and on-premises. By using Conditional Access, we also control the devices that have access to your data, ensuring that they adhere to certain conditions before obtaining access to data. As an example, no device will gain access to data if there is no antivirus software present on the device or if the device is not encrypted (disk encryption by Bitlocker). Access is blocked immediately if the devices are in non-compliance. With Microsoft Endpoint Manager we also ensure that all devices (personally or company owned) have the latest updates and features deployed as per Microsoft’s best practise.
Schedule 5 – How we protect your data in our on-premises network
nVisionIT have a specialised security team who constantly review, improve, and ensure the implementation of appropriate, reasonable technical and organisational measures to protect your personal information from unauthorised access, accidental loss, disclosure, or destruction. We are required in terms of POPIA to notify you and the Information Regulator, if any of your personal information has been compromised.
Our network environments are segregated into several VLAN’s as illustrated in the diagram below. As a client we separate our client environments from the rest of our network. Access to resources and data are closely monitored and audited to prevent unauthorised access. All client environments are isolated, meaning that any inbound and outbound traffic flow from the environment is controlled through our firewall. Internet access is granted only if needed and services published only when required. Our approach – Least access. We only grant user specific access to the client environments as and when required. Once work has been completed, all access is revoked.
Having the right security infrastructure in place is particularly important. That doesn’t just mean having the right security software either. While security measures such as encryption, O/S updates, firewalls, anti-virus, backups, disk encryption for mobile hard drives, and devices are all important, they aren’t enough by themselves. You also need to ensure you have adequate physical security measures. Having the right access control measures for on-site premises is also important. These all need to be in accordance with internationally accepted standards. Not only does the building have an alarm system that is linked to an armed response company but access to the physical office building is controlled with biometric scanning and CCTV surveillance. Biometric scanning and CCTV also control access to restricted parts of our environments such as the server room and other restricted areas.
