SECURITY COMPROMISES POLICY ENERGY MOBILITY EDUCATION TRUST (“THE TRUST”)

1. OVERVIEW 

1.1. Security compromises require centralised and swift management, and this Security Compromises Policy (this policy) outlines a framework for responding to such incidents.
1.2. It is essential for all staff to comply with this policy – security compromises must be notified to the Regulator and to the affected data subjects.
 

2. APPLICATION AND CONSEQUENCES OF NON-COMPLIANCE WITH THIS POLICY

2.1. This policy applies to all staff of THE TRUST, which includes all permanent and temporary staff, contractors and agency workers, who are subject to the conditions and scope of this policy. Failure to comply may lead to disciplinary action, including summary dismissal (without notice or a payment in lieu of notice) or termination of contract or engagement (as appropriate) for serious or repeated breaches of this policy.
2.2. It may also be the case that your conduct and/or action(s) may be unlawful and THE TRUST reserves the right to inform the appropriate authorities. Action(s) may result in civil or criminal proceedings. Staff should note that in some cases they may be personally liable for their actions and/or conduct.
 

3. KEY CONSIDERATIONS 

3.1. THE TRUST must comply with the Protection of Personal Information Act 4 of 2013 (POPIA) to ensure that measures are taken to keep personal information secure, including specific legal obligations around dealing with a security compromise. Such legal requirements must be observed in addition to the approach set out in this policy. 
3.2. THE TRUST is also required to comply with POPIA’s mandatory security compromise notification requirements, immediately where it acts as operator, or as soon as reasonably possible where it is the responsible party, where there are reasonable grounds to believe that the personal information of any data subject has been accessed or acquired by any unauthorised person/s.
 

4. SECURITY COMPROMISE GUIDELINES

4.1. This policy includes guidelines on how to deal with security compromises, including:
4.1.1. Initial identification, assessment and containment of any security compromise (section 5);
4.1.2. Risk evaluation and risk rating (section 6);
4.1.3. Incident response and remedial action (section 7); and
4.1.4. Security compromise notification (section 8).
 

5. INITIAL IDENTIFICATION, ASSESSMENT AND CONTAINMENT OF ANY SECURITY COMPROMISE

5.1. An important starting point with any security compromise is to consider what steps are required in order to contain it.  For example, if the incident involves a form of intrusion (via either internal or external threats) into THE TRUST’s systems then containment action could include: 
5.1.1. identification of where the intrusion itself is occurring on the systems; 
5.1.2. closing down such weak points to contain the incident; and
5.1.3. prevention of further impact on personal information through the compromised systems.
5.2. As part of its role, the investigation team will need to establish exactly what information has been compromised and whether the incident took place within the control of THE TRUST or whether the risk materialised within the control of its third parties. In the case of third parties, the team will need to assess what obligations and responsibilities may flow under POPIA and under any contracts between THE TRUST and those third parties.
5.3. Informing Stakeholders: The investigation team should consider which other internal stakeholders should be informed of the incident and at what stage in the investigation process they should be informed (bearing in mind confidentiality and legal professional privilege considerations).
5.4. Regulatory reporting: The investigation will require consideration of the reporting requirements under POPIA and other ancillary South African rules. For that reason, the Information Officer (IO) should be involved from the outset.
5.5. Confidentiality: The investigation team should also consider keeping the investigation confidential from those (internally or externally) who do not need to be made aware of it (either wholly or in part). This will allow the investigation to continue unhindered, particularly with regard to further scoping of the incident and any activity around it, which may include, for example, notifying an appropriate law enforcement authority.
5.6. Legal professional privilege: Care should be taken to ensure that any investigation into the security compromise is carried out utilising, to the maximum extent possible, the protection of legal professional privilege. This is particularly imperative where external service providers are procured to carry out containment or investigation.
5.7. Insurance notification: The IO and/or the investigation team should, immediately upon becoming aware of a security compromise, notify the Board of Trustees and the insurer under any applicable cyber insurance policy (or similar policy).
5.8. Team authority and scope: The team should have appropriate: 
5.8.1. internal representation – from the IO and key departments such as IT, information security, PR/Marketing and legal, with sufficient authority within THE TRUST to investigate and address the incident in accordance with this policy; and
5.8.2. external representation – to the extent that THE TRUST does not have sufficient capacity internally to address the security compromise in accordance with this policy, THE TRUST should appoint the necessary external IT/forensic and/or PR service providers (in conjunction with its insurers, to the extent that these costs are indemnified under any relevant cyber insurance policy).
5.9. Internal incident reporting
5.9.1. Any individual who suspects that a Security Compromise has occurred, whether via an intentional act or accidental exposure, must immediately report it and provide a description of what occurred via e-mail to the IO, or directly to the I&E Manager in the case of a cybersecurity incident.
5.9.2. The following events, which are examples and not an exhaustive list of Security Compromises, must be reported immediately via e-mail to the above mailbox:

Security event: Description of security event (for clarification)

External Breach: Defined as a breach where unauthorised individual/s gain access to the internal network of THE TRUST and/or steal, modify or delete sensitive personal information from outside the organisation. This type of breach can be performed by utilising sophisticated cyber-attacks or simple attacks such as a successful phishing email.

Internal Breach: Defined as a breach where malicious TRUST employee/s or staff member/s of a service provider access THE TRUST network and/or steal, modify or delete sensitive personal information from inside the organisation. This type of breach can be achieved by ill-intentioned or aggrieved employees or service provider staff abusing their existing system credentials or installing malicious software onto THE TRUST network.

Cloud service provider breach: Defined as a breach where a cloud service provider or a THE TRUST cloud-based platform is breached. Such attacks are very similar in nature to an external breach, except that they could also originate at the cloud service provider, directly or indirectly affecting THE TRUST.

Payment Card Industry Data Security Standard (PCI DSS) breach: Defined as a breach achieved by any of the above means, specifically of payment card-related data (e.g. card number, CVV number, etc.). The PCI DSS has its own card security compromise policies, which require notifying the card brands such as Mastercard, VISA and American Express of the breach in a timely manner, as well as informing the acquiring bank and relevant payment brands.

Personally Identifiable Information (PII) breach: Defined as a breach achieved by any of the above means, as well as procedural failures involving PII-related data. This type of breach must also be considered against the requirements defined in POPIA (Protection of Personal Information Act), as it may require notification to the South African Information Regulator, and THE TRUST IO must be consulted in this regard.

Ransomware: Defined as a breach where a specialised form of malware is installed on our network or on a device owned by THE TRUST and encrypts computer systems into an unusable format. This encryption cannot be reversed without a special key which only the attacker possesses, and for which a ransom is demanded to decrypt the data. This is usually linked to a defined time period in which to pay the ransom.

Device theft / loss: Defined as a security compromise resulting from the loss or theft of data, or of equipment on which such data/personal information is stored (e.g. loss of a laptop, USB stick, iPad / tablet device or paper record).
 
5.9.3. The Security Compromise notification mailbox must be monitored by at least one member of the Incident Response Team at all times, to ensure that Security Compromises are not missed. 
 

5.10. Initial containment and assessment

5.10.1. Do not do anything to the suspected computer/s or other systems equipment, including turning them on or off or shutting down the network, unless instructed to do so by THE TRUST’s Incident Response Team.
5.10.2. In practice, containing the security compromise and carrying out the initial stages of the assessment may give the investigation team particular insight into the risk level (see section 6 below).
5.10.3. An initial assessment will require the Incident Response Team to focus on determining factors such as the following (non-exhaustive):
5.10.3.1. What information:
5.10.3.1.1. was impacted by the security compromise (risk materialised, therefore high risk); or
5.10.3.1.2. could have been subject to impact (risk could have materialised, therefore medium risk) as a result of the security compromise?
5.10.3.2. Who is affected and what is the likelihood of any harm as a result of the incident?
5.10.3.3. Where was the information being processed and handled?
5.10.3.4. Which THE TRUST department / area / business / subsidiary / office is responsible for such processing and handling?
5.10.3.5. What was determined to be the cause of the security compromise?
5.10.3.6. What was determined to be the extent or reach of the security compromise?
 

6. Risk Evaluation and Incident Classification

6.1. All security compromises or suspected security compromises must be treated seriously.
6.2. The investigation team should assess the risks arising from the security compromise.  The key driver behind identifying the risk is to assess and mitigate any potential adverse consequences, for example to:
6.2.1. data subjects;
6.2.2. clients / reputation; and/or 
6.2.3. employees of THE TRUST.
6.3. Security compromise incidents should be classified according to severity of risk (High, Medium or Low Risk), considering the Risk Rating table below (6.7) and the following:
6.3.1. harm to data subjects whose personal information has been breached;
6.3.2. reputation damage, loss of profit/clients, devaluation of share price and the like to THE TRUST; or
6.3.3. risk of legal action from data subjects or Regulator.
6.4. Protective Measures: Other factors of the investigation will focus on whether or not the personal information involved in the incident was subject to specific protective measures. For example:
6.4.1. Was encryption used?
6.4.2. What levels of encryption were used?
6.4.3. Were the encryption technology and the standard used sufficient to safeguard the data subjects against any risks as a result of the breach incident?
6.5. Security compromise incident classification will depend on THE TRUST’s policies on the level of sensitivity ascribed to the personal or other types of information. Sensitivity of information will also depend on the personal circumstances of the data subjects concerned.
6.6. THE TRUST should define at the outset what information it considers to be of high sensitivity and ensure all staff members are aware of it, taking into account POPIA’s provisions on special categories of personal information.
6.7. Risk Rating
The risk levels of a security compromise, based on the Formula for Assessing Security Compromise Severity, are as follows:

Severity: Definition

Level 1 (R ≥ 4): A security compromise in which the personal information involved may have a severe impact on data subjects, raise doubts among the media, the public or the Regulator about THE TRUST’s privacy protection, and lead to severe negative consequences. For example, beneficiaries’ ID numbers, parents’ payslips, etc.

Level 2 (4 > R ≥ 3): A security compromise that leaks the data subjects’ personal information and greatly affects the data subjects, while the risks can be reduced or even removed by taking some measures or means. For example, …

Level 3 (3 > R): A security compromise in which personal information may be leaked, while the leak has no impact or only a slight impact on the data subject. For example…
 

7. Incident response and remedial action

7.1. All Security Compromises must be treated as strictly confidential and not communicated to any internal staff or external parties without authorisation.
7.2. All evidence must be preserved, handled carefully and not compromised. 
7.3. All Security Compromises must be evaluated and classified in terms of the above table (6.7). The security compromise event/incident level can be reviewed and adjusted appropriately according to the development of the security compromise.
7.4. If the security compromise needs to be notified, refer to the notification requirements set out in section 8 below.
7.5. Remedial action
7.5.1. ensure that the risk register for THE TRUST is updated with all incidents and suspected incidents (near-misses);
7.5.2. update policies and procedures to ensure there will be measures in place to prevent future breach incidents of this type;
7.5.3. review any issues raised around service delivery/third party partners;
7.5.4. test the revised incident and response plan; and
7.5.5. finalise and implement the revised plan and conduct appropriate training.
7.6. Security compromise event/incident Closure and Record
7.6.1. Documentation and records of security compromises must be compiled by the Incident Response Team and retained centrally for historical, trend and legal purposes.
7.6.2. Documentation must detail the security compromise impact, root cause (if known) and any implemented or future activities to be performed which aim to prevent future occurrences of similar incidents.
7.7. Evaluation: It is clearly essential for THE TRUST to conduct an appropriate investigation. THE TRUST must then analyse the risks arising from a security compromise and the effectiveness of the systems and controls within THE TRUST, questioning why the particular weaknesses or failure points led to the incident arising. For example, if the security compromise was caused entirely by, or even in part attributed to, a systemic problem within THE TRUST, then simply containing the security compromise and continuing on a “business as usual” approach would not be acceptable in the eyes of the Regulator.
7.8. Response and implementation: The investigation team should ensure that the lessons learned from the incident are incorporated into strengthening the existing controls and procedures around data management and security.
 

8. Security Compromise Notification 

8.1. Key Considerations 
8.1.1. As a result of the investigations carried out above by THE TRUST, in the event that it is reasonably established that there has been unauthorised access or acquisition of personal information of any data subject, THE TRUST:
8.1.1.1. is obligated in terms of POPIA to report the security compromise to the Regulator and the data subjects as soon as reasonably possible after the discovery of the security compromise, taking into account the time required for initial containment and the legitimate needs of law enforcement;
8.1.1.2. should report to its insurers, in terms of any applicable insurance policy as soon as reasonably possible;
8.1.1.3. must take into account any reporting obligations to other entities or organisations if required by specific legislation – for example, the South African Police Service, the National Intelligence Agency; and
8.1.1.4. must consider its reporting obligations to other entities or organisations, on an optional basis or if required by any contractual obligation – for example customers or clients, if deemed appropriate by the public relations department, senior management and the IO.
8.2. The team should consider seeking appropriate expert legal advice on the notification requirements.
8.3. Notification to Regulator and Data Subjects in terms of POPIA:
8.3.1. The Regulator must be notified of all unauthorised access or acquisition of personal information of any data subject, as soon as reasonably possible, which notification must include:
8.3.1.1. a description of the possible consequences of the security compromise;
8.3.1.2. a description of the measures that THE TRUST has taken and intends on taking, to address the security compromise;
8.3.1.3. the identity of the unauthorised person/s (if known); and
8.3.1.4. a recommendation with regards to possible measures that should be taken by affected data subjects to mitigate any possible adverse effects of the security compromise. 
8.3.2. Affected data subjects
8.3.2.1. All data subjects whose personal information was accessed or acquired in the security compromise (unless their identity cannot be established), must be notified as soon as reasonably possible, or as directed by the Regulator, after the security compromise incident in terms of POPIA.
8.3.2.2. Notification to the data subjects may only be delayed if the South African Police Service, the National Intelligence Agency or the Regulator determines that notification will harm a criminal investigation. 
8.3.2.3. As such, the notifications to the South African Police Service, the National Intelligence Agency or the Regulator will have to be submitted before the notification to the affected data subjects, and must include a specific question on whether the notification to the affected data subjects should be delayed.
8.3.2.4. The notification to the affected data subjects must be in writing and communicated to the data subjects in at least one of the following ways: 
8.3.2.4.1. mail; 
8.3.2.4.2. e-mail; 
8.3.2.4.3. placement on the website of THE TRUST; 
8.3.2.4.4. publication in the news media; or 
8.3.2.4.5. as may be directed by the Regulator.
8.3.2.5. The notification must provide sufficient information to allow the affected data subjects to take protective measures against the potential consequences of the compromise. This may include, if known, the identity of the unauthorised person who may have accessed or acquired the personal information.
 

1. CONSEQUENCES OF NON-COMPLIANCE

It is essential that all staff comply with all relevant parts of this policy. Any failure to comply with this policy could have serious consequences for THE TRUST and its employees. Failure to comply may lead to: disciplinary action, including summary dismissal (without notice or a payment in lieu of notice) for serious or repeated breaches; civil or criminal proceedings; and/or personal liability for those responsible.
 

2. POLICY REVISION

This policy has been reviewed and approved by the IO and is subject to change without prior notice. 
 

9. CONTACT DETAILS OF THE IO

9.1. Name: Vuyo Mwase
9.2. Address: 199 Oxford Parks, Oxford Road, Dunkeld, 2196
9.3. E-mail address: info@emeducationtrust.com