POPIA

Compliance regulations are a cornerstone of any organization's cybersecurity plan. They exist to protect data and to force baseline security controls into place. With cyberattacks rising steadily over the past few years, governments have enacted regulations such as the GDPR, SOX, and PCI DSS. The Protection of Personal Information Act (POPIA) is South Africa's equivalent. It is similar to the EU's GDPR in the way it protects personal data: POPIA regulates how organizations collect, store, and process personal information and holds them accountable for its use and misuse.

Why is POPIA compliance important?

Your organization must comply if it operates in South Africa.

POPIA applies to organizations operating in South Africa; it also pertains to organizations that process personal data in South Africa but are not actually domiciled there.

Compliance is mandatory for organizations that hold or process data about South African citizens.

The scope of POPIA is very comprehensive and applies to any personal information that can be used to identify a person, including full name, address, phone number, and religious or political views.

Non-compliance can result in legal action against your organization.

Legal actions include fines up to R10 million or prison terms.

POPIA makes disclosure of breaches in your organization mandatory.

As soon as reasonably possible after a data breach is discovered, it must be reported to the Information Regulator and to the affected data subjects.

Facets of POPIA

POPIA sets out eight conditions for the lawful processing of personal information. The ones IT administrators of any organization most need to focus on include:

Processing limitation

Personal information should be processed lawfully. The information collected should be minimal and justifiable based on the purpose of collection; individuals must give their consent.

Accountability

The organization must appoint an Information Officer who's responsible for ensuring that the information protection principles of POPIA are being complied with.

Purpose of collecting information

The personal information collected should be purpose-specific, and the person whose data is being collected should be informed of the purpose when giving their consent.

Accuracy of information collected

The collected information should always be complete, lawfully collected and processed, and updated whenever necessary.

Security safeguards

The organization that collects the personal information is accountable for controlling, securing, and maintaining the integrity of the personal information in its control through organization-wide protocols and controls for data access and processing.

Data subject participation

Organizations have to adopt a process that allows data subjects to verify whether the organization holds personal information about them, request a description of such information, and request that the organization delete their information on account of consent withdrawal or data inaccuracy.

A three-step approach to ensure that the major POPIA requirements are met

A unified approach to information security compliance ensures organizations not only address identified risks but also comply with the law. Further, having a solution like ADManager Plus, which allows you to manage access to data and offers prepackaged compliance-specific reports, enables you to stay compliant with not just POPIA but also other regulations like HIPAA, SOX, the GDPR, and PCI DSS.

The following steps explain how ADManager Plus makes it easy for your organization to become POPIA-compliant.

  • 1. Identify the provisions of POPIA that apply to your company.

    The first step in the process is to determine the sections of POPIA that apply to your organization. This depends on factors like the nature of your company, the type of business your company participates in, and the information that you store and process.

    ADManager Plus can help you:

    • Provide access permissions based on a user's role so data is processed only by those authorized to do so. In other words, provision access to sensitive data using role-based access control (RBAC) via user provisioning templates.
    • Add additional details to user accounts in Active Directory (AD), like the source of employee details as well as the purpose of this information, by adding custom attributes to employees' AD records.
    • Remove all sensitive user information instantly when a user is disabled or deleted through customizable disable and delete policies in ADManager Plus.
  • 2. Establish protocols for user data processing.

    The next step is to develop protocols for how data is processed in your organization, including who does the processing. Personal data must be protected from unauthorized processing and access, not only from external attackers but also from insiders.

    ADManager Plus can help you set up an approval workflow to:

    • Grant or modify access to shares and servers containing sensitive data after the request for access has been reviewed and approved by the authorized/appropriate users.
    • Provision or elevate access to sensitive data for a user or group only after the request for access has been scrutinized and approved by authorized users.
  • 3. Keep an eye on the data being processed, and the people involved in the processing, for sustained conformance with POPIA.

    Maintaining compliance requires focused monitoring of the established protocols and data. Organizations that are accustomed to traditional approaches of information security compliance may focus on annual audits and find it difficult to build in the processes necessary to support sustained compliance.

    With ADManager Plus, you can:

    • Access built-in reports in one click to:
        • Identify the users and groups with access to sensitive data using the file server permissions and group membership reports.
        • Identify the source and purpose of collected user information through reports on custom attributes.
        • Identify changes made to users' and groups' permissions, for instance users being added to or removed from groups with access to sensitive data, with real-time SMS and email notifications about changes made in AD.
        • Review audit trails of technicians who are delegated tasks that require access to user details, like user provisioning and password resets.
    • Orchestrate automation for tasks to:
        • Provide time-bound access permissions for employees and data.
        • Send reports on users to stakeholders and to the designated compliance team's mailbox for continuous monitoring. Report on users who have access to folders or servers that contain sensitive data, who belong to a group that has access to user data, and more.
        • Periodically identify and remove stale accounts and all their associated user information.
    • Enable quick search and data retrieval based on attribute values to support data access requests for audits or investigations.
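The access-review items in step 3 (who can reach a share holding personal information, which accounts have gone stale, and attribute-based lookups for data subject requests) can also be checked directly against Active Directory. The script below is an added example using the native RSAT ActiveDirectory module; it is not ADManager Plus code. The share path, the 90-day inactivity threshold, the report folder, the sample e-mail address, and the two custom schema attributes (dataSource, dataPurpose) are hypothetical values chosen for illustration.

```powershell
# Added example: native AD checks for the POPIA access-review items above (not ADManager Plus code).
# Requires the RSAT ActiveDirectory module plus read access to AD and to the share's NTFS ACL.
Import-Module ActiveDirectory

$SensitiveShare = '\\fs01\HRData'      # hypothetical share holding personal information
$InactiveDays   = 90                   # hypothetical staleness threshold
$ReportDir      = 'C:\Reports\POPIA'   # hypothetical output folder
New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null

# 1. Effective access to the share: read the NTFS ACL and flatten every group principal
#    recursively, since nested group membership is the usual blind spot in an access review.
$domain = (Get-ADDomain).NetBIOSName
$acl    = Get-Acl -Path $SensitiveShare

$accessReport = foreach ($ace in $acl.Access) {
    $id = $ace.IdentityReference.Value

    # Broad principals defeat "processed only by those authorized"; flag them explicitly.
    if ($id -in @('Everyone', 'NT AUTHORITY\Authenticated Users', "$domain\Domain Users")) {
        Write-Warning "Broad principal '$id' has $($ace.FileSystemRights) on $SensitiveShare"
    }
    # Only domain principals can be resolved in AD; skip BUILTIN / NT AUTHORITY entries.
    if ($id -notlike "$domain\*") { continue }

    $sam = $id.Split('\')[1]
    $obj = Get-ADObject -Filter { SamAccountName -eq $sam }
    if ($null -eq $obj) { continue }

    if ($obj.ObjectClass -eq 'group') {
        # -Recursive expands nested groups down to the leaf users.
        Get-ADGroupMember -Identity $sam -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object {
                [pscustomobject]@{
                    Share         = $SensitiveShare
                    Rights        = $ace.FileSystemRights
                    Type          = $ace.AccessControlType
                    GrantedTo     = $sam
                    EffectiveUser = $_.SamAccountName
                }
            }
    } else {
        [pscustomobject]@{
            Share         = $SensitiveShare
            Rights        = $ace.FileSystemRights
            Type          = $ace.AccessControlType
            GrantedTo     = $sam
            EffectiveUser = $sam
        }
    }
}
$accessReport | Export-Csv -Path (Join-Path $ReportDir 'sensitive-share-access.csv') -NoTypeInformation

# 2. Stale accounts: enabled users with no logon inside the threshold. Review the CSV before
#    disabling anything; service accounts and long-leave staff show up here too.
Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days $InactiveDays) -UsersOnly |
    Where-Object { $_.Enabled } |
    Select-Object SamAccountName, LastLogonDate, DistinguishedName |
    Export-Csv -Path (Join-Path $ReportDir 'stale-accounts.csv') -NoTypeInformation

# 3. Data subject / audit lookup by attribute value. Assumes the schema was extended with the
#    hypothetical attributes dataSource and dataPurpose, as step 1 describes; the cmdlet errors
#    if an attribute named in -Properties does not exist in the schema.
$subjectMail = 'j.doe@example.com'   # constructed sample value
Get-ADUser -Filter { mail -eq $subjectMail } -Properties mail, dataSource, dataPurpose |
    Select-Object SamAccountName, mail, dataSource, dataPurpose |
    Format-List
```

Run the script from an account that can read the share's security descriptor; the access report lists the granting principal beside each effective user so that a reviewer can trace a finding back to the group that should be tightened rather than to the individual user.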
Why ADManager Plus?

ManageEngine ADManager Plus is a web-based Windows AD management and reporting solution that helps AD administrators and help desk technicians accomplish their day-to-day activities. With an intuitive interface, ADManager Plus handles a variety of complex tasks and generates an exhaustive list of AD reports, some of which are essential requirements to satisfy compliance audits. It also helps administrators manage and report on their Exchange Server, Office 365, and Google Workspace environments, in addition to AD, all from a single console.
