June 2021

Securicom IT Solutions’ regulatory frameworks:

Regulation 4(1) of the Regulations in terms of the POPI Act stipulates that an Information Officer must ensure that –

(a) a compliance framework is developed, implemented, monitored and maintained;

(b) a personal information impact assessment is done to ensure that adequate measures and standards exist in order to comply with the conditions for the lawful processing of personal information;

(c) a manual is developed, monitored, maintained and made available as prescribed in sections 14 and 51 of the Promotion of Access to Information Act, 2000 (Act No. 2 of 2000);

(d) internal measures are developed together with adequate systems to process requests for information or access thereto; and

(e) internal awareness sessions are conducted regarding the provisions of the Act, regulations made in terms of the Act, codes of conduct, or information obtained from the Regulator.

Securicom IT Solutions subscribes to an annual Cyber Risk Assessment. It is a thorough business cyber security assessment and not just an IT security assessment. The cyber risk assessment evaluates Securicom’s cyber risks across our business practices, creating a cyber risk profile of our business operations, including detailed IT requirements.

To be effective across all potential cyber weaknesses, a cyber risk assessment must be based upon a recognized cyber security standard. Our audit is based on the National Institute of Standards and Technology (NIST) cyber security framework (NIST Cyber Security Framework, n.d.) and covers local cyber security standards in the region. This includes GDPR, POPIA and PCI DSS.

In addition, Securicom subscribes to monthly external Vulnerability Assessments (VA) on all our services. This tests the integrity of our systems from a hacker’s viewpoint. By including the VA as part of our monthly audit, we are assured all vulnerabilities will be identified and appropriate mitigation strategies engaged to remove them.

Securicom IT Solutions’ policy:

(a) It is the policy of Securicom that information, as defined hereinafter, in all its forms – written, spoken, recorded electronically, or printed – will be protected from accidental or intentional unauthorized modification, destruction or disclosure throughout its life cycle. This protection includes an appropriate level of security over the equipment and software used to process, store, and transmit that information.

(b) All policies and procedures are documented and made available to all individuals responsible for their implementation and compliance. All activities identified by the policies and procedures are also documented. All the documentation, which may be in electronic form, must be retained for at least 10 (ten) years after initial creation, or, pertaining to policies and procedures, after changes are made. All documentation must be periodically reviewed for appropriateness and currency, with the review period to be determined by each entity within Securicom.

(c) At each entity and / or department level, additional policies, standards, and procedures are developed detailing the implementation of this policy and set of standards and addressing any additional information systems functionality in such entity and / or department. All departmental policies are to be consistent with this policy. All systems implemented after the effective date of these policies are expected to comply with the provisions of this policy where possible. Existing systems are brought into compliance where possible and as soon as practical.