EZ COMPLY

Compliance Consulting & Training

POPIA | GDPR | FRAUD PREVENTION | RISK MANAGEMENT

Compliance Training

Training presentations are offered in Afrikaans or English as a PowerPoint presentation, pitched at different employee or awareness levels and with variable time allocations to accommodate the unique requirements of individual organisations. To supplement the presentations, printed handouts of the complete presentation are provided for making notes during the sessions for later reference or revision, and Certificates of Attendance for compliance audit purposes are available on request. The application of the PAIA legislation is also covered in the presentation content. The following basic categories of training are available (in-house, online or public):

01 Standard Awareness Training

Senior Management/EXCO level - High-level content presentations can be tailored for sessions of 90 minutes to 3 hours, depending on preferences, and can be presented in-house or online if required;
Operational Management - High-level content presentations of 3 hours up to more intensive 6-hour sessions, or anything in between, can be tailored to suit different requirements and can also be presented in-house or online if required;
Employee level - Compact basic presentations of 90 minutes up to more comprehensive 3-hour sessions can be tailored to enable more than one session per day, in order to minimise disruption of business processes and unavailability of personnel during the sessions. (*NOTE: This training can also be presented in-house or online to prevent unnecessary transport or movement of personnel, depending on in-house facilities and capacity to accommodate a larger number of attendees.)

02 Specialised Awareness Training

More comprehensive two-day training can be tailored to fit different requirements and awareness levels. It is pitched towards practical processes and the implementation of policies and security controls, and is ideally suited to more specialised units in organisations, such as IT, HR, Legal and Operations. It can also be presented in-house or online if facilities permit.

Overview of training content:
In general terms, the "footprint" of the total training content should ideally cover all the relevant components of the different legislative requirements. In reality, however, the timeframe available for training and the assumed current awareness level of the attendees at each training level will dictate the depth and intensity given to the topics covered in the different presentations. The standard content is as follows:

POPIA-Standard 3 hour sessions

Employees & operational management levels
Presentation Content:

  • Information “X” factor in other legislation
  • Application & Impact Areas of the Act
  • 18 Basic things everyone should know
  • Information Officer role & Key definitions under the Act
  • Permissible grounds for processing of PI & “Consent”
  • Rights of Data Subjects & Conditions for lawful processing of PI
  • Relationship with PAIA & Access to Information requirements
  • Threats to Information Security & Employee responsibilities
  • Information Security Breach Events & reporting
  • Examples of Security Breaches
  • Protected Disclosures and “Whistle Blowing”
  • E-Mail use, risks and guidelines
  • Acceptable Use of assets & other related policies
  • Passwords, encryption and mobile devices (BYOD practice)
  • Handling & disposal of redundant information
  • Summary

POPIA-Standard 6 hour sessions

Employees & operational management levels

Presentation content:

Purpose of the Act
Information- the “X” factor in other legislation
Interaction with other legislation
Interaction with other legislation (cont.)
Application of the Act
Juristic Persons
Who must comply?
Impact areas of the POPI Act
18 Basic things you need to know
Commencement date
Personal Information (PI)
Role players
Key Definitions
What is “processing” of PI? 
What needs to be complied with 

Permissible grounds for processing PI
What is “consent”?
Rights of data subjects
Conditions for lawful PI processing
Regulator authorisation requirements
Prior authorisation notification to Regulator
Failure to notify for authorization
Impacts on Direct Marketing
Restrictions on Directories
Confidentiality
Role of the Information Officer
Establishing the Information Officer & Deputies/IMC 

Typical IMC reporting structure
Delegation to Information Officer if not CEO
Delegation process flow
The POPIA team within the Body
Management and Control Areas
Management and Control actions
Enforcement process-initiation
Enforcement process-overview
Powers of the Regulator
Matters exempt from search and seizure
Appeals
Consequences of non-compliance

Access to Information & the application of PAIA
Educating employees
Protected Disclosures Act & “Whistle Blowing”
“CLEAR SCREEN, CLEAR DESK” principle
Handling & disposal of redundant information
Data breach statistics
GRC failures predicted
Summary of “Do Not’s”
Finding answers to your questions
POPIA-adding value to the Company
What you should be doing now

POPIA-Specialised "Deep Dive" two-day training sessions

(Specialist/Higher level Information Security Management levels).

(*NOTE: The second-day session of this training can also be presented as a separate one-day session, on the assumption that attendees are already at an acceptable prior awareness level, which is a necessary prerequisite to gain maximum value from the second session.)

Presentation Content:

1st session: POPIA basics – High-level alignment for practical applications

Purpose of the Act
Information- the “X” factor in other legislation
Interaction with other legislation
Interaction with other legislation (cont.)
Application of the Act
Juristic Persons
Who must comply?
Impact areas of the POPI Act
18 Basic things you need to know
Commencement date
Personal Information (PI)
Role players
Key Definitions
What is “processing” of PI? 
What needs to be complied with 

Permissible grounds for processing PI
What is “consent”?
Rights of data subjects
Conditions for lawful PI processing
Regulator authorisation requirements
Prior authorisation notification to Regulator
Failure to notify for authorization
Impacts on Direct Marketing
Restrictions on Directories
Confidentiality
Role of the Information Officer 

Establishing the Information Officer & Deputies/IMC
Typical IMC reporting structure
Delegation to Information Officer if not CEO
Delegation process flow
The POPI team within the Body
Management and Control Areas
Management and Control actions
Enforcement process-initiation
Enforcement process-overview
Powers of the Regulator

Matters exempt from search and seizure 
Appeals
Consequences of non-compliance
Educating employees
Protected Disclosures Act & “Whistle Blowing”
“CLEAR SCREEN, CLEAR DESK” principle
Data breach statistics
GRC failures predicted
Summary of “Do Not’s”
Finding answers to your questions
POPIA-adding value to the Company
What you should be doing now

2nd session: POPIA - Risk mitigation & practical applications for compliance requirements

Compliance approaches
POPIA Sec.19 & the “Rule of Reasonability”*
POPIA in the context of IT-GRC
POPIA related Rules, Codes and Standards
Threats to Information Security
Threat Types
Trans border transfers of PI
Storage of PI & the “CLOUD”
CLOUD storage risks
Access to information process requirements
Information Security Breaches
Notification of security compromises
Passwords
Disposal of Redundant Info
Implementing POPIA into Policies & Procedures
Summary of policies that may be relevant
Acceptable Use of Assets

Acceptable Use guidelines & Policy
E-Mail use guidelines
Internet usage
Mobile Devices & "BYOD"
Personnel Policies
Affected Personnel Documentation
Employment procedures & contracts
Root causes of Data Breaches
Information “Security Chain” weaknesses
Components for a compliance program for your company
"Vulnerabilities" & “Threat” vs “Risk” in Information Security
Privacy Impact Assessments (PIA)
POPIA - the “Risk Cornerstones”
Risk relationships
Mitigation of identified PI risks
Implementing Risk Assessments & quick wins
Risk assessment components

Risk Treatment process & ISO 31000
Risk treatment options
The “Russian Roulette Rule” & “Murphy’s Law”
“Russian Roulette” & “Risk Assessment”
Assessing compliance needs
Implementation strategies & policies
Positioning of IT in the compliance process
IT-GRC
IT Governance vs IT Management
IT Governance & Management Frameworks
Framework Coverage Areas
Sarbanes Oxley Standards
Generally Accepted Privacy Principles (GAPP)
Generally Accepted Information Security Principles (GAISP)
KING IV Code of Governance
Cobit 5
ITIL

ISO 38500
ISO 27002
COBIT 5 vs. ISO 38500
Basic implementation process
Compact compliance process overview
Implementation process cycle
Role of the ISO 27001/2 Standard
Statement of Applicability (SOA)
ISMS scope
ISMS Process & “Plan-Do-Check-Act”
Identification & classification of PI
Monitoring and Surveillance
Encryption
Third Party management & control under POPIA Sec.21
POPIA and the use of “Operators”
Business Continuation Planning & Disaster Recovery (ISO 22301)
Compliance best practices
Winning strategies for the Company
Some relevant POPIA Q & A
Final message 

POPIA High-level (3hrs)

For Senior Management Structures
Presentation Content: 

18 Basic things you need to know
High Level Focus Areas 
IT Governance vs. IT Management 
Difference between Privacy & Security definition 
Purpose of the Act 
Application of the Act 
Commencement date
Impact areas of the POPI Act 
Personal Information (PI) 
Rights of data subjects
What is “processing” of PI? 
Permissible grounds for processing PI 
What is “consent”? 
Conditions for lawful PI processing
Role of the Information Officer 

Establishing the Information Officer & Deputies/IMC
Delegation to Information Officer if not CEO 
Delegation process flow 
Typical IMC Reporting structure 
Compliance approaches
POPIA - the “Risk Cornerstones” 
Compact compliance process overview 
Implementation strategies & policies 
POPIA Sec.19 & the “Rule of Reasonability” 
Information Security “Chain” weaknesses
Threats to Information Security 
“Threat” vs “Risk”
Mitigation of identified PI risks 

Risk Assessment Components 
Implementing Risk Assessments & quick wins 
Risk Treatment Process 
Risk Treatment Options 
Management and Control Areas 
Personnel Policies 
Employment procedures & contracts 
Educating employees 
Protected Disclosures or “Whistle Blowing” 
Consequences of non-compliance 
Powers of the Regulator
Trans border transfers of PI
Third Party management & control

POPIA and the use of “Operators” 
Storage of PI & the “CLOUD”  
Notification of security compromises 
Disposal of Redundant Info 
Access to information process requirements (PAIA) 
Business Continuation Planning & Disaster Recovery 
Summary of policies that may be relevant 
Compliance Best Practices 
What you should be doing now 
Data Breach Statistics 
GRC Failures predicted 
Some relevant POPIA Q & A
Final message

Is your business POPIA/GDPR/FICA compliant?

Does your business adhere to the latest compliance acts and legislations?

We specialise in Data Privacy and Information Security consultation, related awareness and specialist training, risk assessment and management training, Anti-Money Laundering (FICA) and fraud prevention. We also facilitate the "end-to-end" processes required to comply with the requirements of the Acts, either in an external "supportive" or an internal "hands-on" manner, whichever is applicable or required. Public or online seminars and training workshops are also conducted independently or in conjunction with accredited training event facilitators, and can be offered in-house when required.

GDPR High-level (1 Day)

For Senior Management Structures 

What is the GDPR?
POPIA/GDPR Relationship
Scopes of Jurisdiction
The GDPR/POPIA debate- Flavours of the same thing?
GDPR vs. POPIA comparison
POPIA alignment with the GDPR
Effective date of the GDPR & POPIA
Compliance Timeframes
Drivers for introducing the GDPR
3 High priority imperatives for GDPR
Why is the GDPR important
GDPR Application in RSA
GDPR application “test” [Art.23 & 24]
GDPR Non-compliance penalties [Art.83]
20 GDPR Essential Requirements 
Collection and process requirements
Perform a Risk Assessment

Minimize the amount of Personal Data processed [Art.5(c)]
Legal basis for controlling and processing Personal Data [Art.6]
Meet Standard of Consent [Art.7]
Processing Special Data [Art.9(2)]
Data Subject requests [Art.15]
Quality of Personal Data [Art.16]
Erasure of Personal Data [Art.17]
Restriction of Data processing [Art.18]
Data portability [Art.20]
Alternative decision making [Art.22]
Protection of Data [Art.25]
Be able to demonstrate compliance with the GDPR Article 25
Data processing activities documentation maintenance [Art.30]
Data Breach Notification [Art.33]
Data Protection Impact Assessment (DPIA) [Art.35]

Appoint a Data Protection Officer [Art.37]
Personal Data of children [Art.38]
Data transfer outside the EU [Art.44]
Prominent GDPR definitions [Art.4]
Data Subjects rights under GDPR [Art.15 -22]
Article 15- Right of access by the data subject;
Article 16- Right to rectification;
Article 17- Right to erasure(“Right to be forgotten”);
Article 18- Right to restriction of processing;
Article 19- Right to have recipients notified of any rectification, erasure or restriction of processing of personal data;
Article 20- Right to data portability;
Article 21- Right to object;
Article 22- Right not to be subjected to automated individual decision-making, including profiling.

What is GDPR “Personal Data”[Art.4]
Key test for use of Personal Data
“Consent” [Art.7]
Transparency and modalities [Art.12]
Information and access to personal data [Art.13]
Requirements if Data not collected from Data Subject [Art.14]
Data protection by “design” and by “default” [Art.25]
Records of processing activities [Art.30]
Breach notification [Art.33]
Data Protection Impact Assessments [Art.35]
Mandatory Designation of DPO [WP29]
“Public Authority or Body”
“Core Activities”
“Large Scale processing”
“Third party processors” [Art.28]
Tips on starting GDPR compliance

EZ Comply is based on a very simple business model with a flat operational structure. Other subject-matter expertise is incorporated on an "as-and-when necessary" basis from a large, established contact base, which keeps the company fully operationally independent and minimises overhead costs, enabling the most favourable service delivery rates for existing and potential new customers.

ENTERPRISE FRAUD PREVENTION AND MANAGEMENT TRAINING OUTLINE

PART 1 - FRAUD AND CORRUPTION IN CONTEXT

Regulatory Environment
Governing Legislation
Fraud and Corruption in concept
Fraud awareness
Internal Control weaknesses that contributed to Fraud
Fraud Principles Overview
Components of the “Fraud Triangle”
Overview of Fraud Impact
Why Internal Controls may not prevent Fraud
- Characteristics of Fraud
- Characteristics and opportunity
- Who Commits Fraud?
- Occupational Fraud
- Types of Business Fraud
Fraud Indicators and Alerts
- Warning signs
- Business Risk
- Financial Risk
- Environmental Risk
- IT & Data Risk
Fraud alerts

PART 2 - THE ANTI-FRAUD AND CORRUPTION PROGRAM

THE ANTI-FRAUD PROGRAM
9 ELEMENTS OF AN “EFFECTIVE” ANTI-FRAUD PROGRAM
THE FRAUD RISK ASSESSMENT PROCESS
ASSESSING THE FRAUD RISKS
- Planning
- Identify
- Assess
- Prioritise
- Communicate
- Implement
- Monitor

PART 3 - THE FRAUD PREVENTION PLAN

Fraud Detection Methods
Fraud Prevention Plan
- Purpose
- Approach guidelines
- Components of the Plan
- Objectives of the Plan
- Code of Conduct
- Systems, policies, procedures, rules and regulations
- Disciplinary code
- Internal controls
- Physical & Information Security
- Internal Audit
- Risk assessment
- Reporting & Monitoring
- Protected Disclosures or “Whistle Blowing”
- The Fraud Response Plan
- Creating awareness
- Communication
- Maintenance and review

PART 4 - THE FRAUD INVESTIGATION PROCESS

Establishing an investigation team
Formulate a response
Physical evidence
Electronic evidence – 4 principles
Interviews
Statements from witnesses
Objectives with respect to dealing with Fraud
Preservation of evidence
THE FRAUD INVESTIGATING OVERVIEW

PART 5 - FRAUD RESPONSE PLAN & FOLLOW-UP ACTIONS

Purpose of the Fraud Response Plan
Lessons learned
Follow-up actions
- Management response
- Implement changes
- Annual report
- Enforcement policies

PART 6 - BEST PRACTICE FRAUD PREVENTION SUMMARY

“Tone from the Top”
Code of Ethics
Internal Controls
Risk Assessments
Know Who You Hire
- Criminal Background Checks
- Financial Reviews
- Education and Employment
- Reporting Known or Suspected Suspicious Activity
- Proactive Reviews
- Ongoing Management Reviews
- Shortlist of Red Flags
AFTERTHOUGHT

If you are looking for someone with a wide range of capabilities and depth of insight into Data Privacy and Information Security compliance under POPIA/GDPR, PAIA, FICA and the Prevention of Fraud and Corruption Acts, as well as risk and information technology management and awareness training, and how to deal with all of these challenges in practical terms, please contact us today for more information.

Risk Management Training 

Part 1 - Basic Concepts and Role Players for Effective Risk Management

Roadmap for Enterprise Risk Management - Core components

Managing Risk - Basic meaning of Risk Management

Business Principles Approach - Risk management should

The “Pivotal” Risk Definition - Risk: “Effect of uncertainty on objectives”

Governance / Risk Relationship - Definition of Governance / Risk concept

Vulnerability & Threat vs. Risk - Definition of “Vulnerability”, Definition of “Threat”, Definition of “Risk”
Conclusion

Basic Definitions - “Risk Owner”, “Control Measure”, “Accountability”, “Responsibility”, “Risk Appetite”, “Risk Response”

Accountability Concept - Accountability vs. Responsibilities, Governance & Management Intersection

Enterprise Risk Management - The concept of Enterprise Risk Management (ERM)

Enterprise Risk Management Plan - Consists of the following components

Operational Risk Framework - Consists of the following components

Reputation Risk Management - Potential threats, Impact Areas

Role Players in Risk Management - Executive Management (EXCO), Chief Risk Officer (CRO), The Accounting Officer, The Audit and Risk Management Committee (ARMC), Management, Other Officials, Internal Auditor

Part 2 - Risk Management Components 

Security Cycle - Elements of the cycle

Responses to Identified Risks
Risk Management Strategy

Considerations for managing Strategic, Operational and Project Risks - Consider the following

Application and Implementation - The process

Risk Management Implementation - Components for Risk Management Implementation

Risk Incident Management - Components for Risk Incident Management

Reporting on the status of Risk Management Compliance - Regular reporting on the status of the compliance process

Assurance on the Compliance Process - Assurance process

Internal Audit Monitoring and the reviewing of Risks, Controls and Treatments 

Part 3 - Risk Management Methodology and Processes

Risk Management Methodology - Purpose of the Risk Management Methodology, Inputs into an Entity's Enterprise Risk Management Methodology (ERM), Scope and Application of the Methodology components

Enterprise Risk Management Process - Enterprise Risk Management Process structuring, ERM process for conducting Risk Assessments, activators

Part 4 - RISK REPORTING, MONITOR & REVIEW

Enterprise Risk Reporting, Monitor & Review - Monitoring and Review process, Key Risk Indicators (KRIs), Monthly Reporting requirements

Part 5 - Risk Management, Identification and Assessment Methodology 

Risk Management Framework
Risk Management Process steps - Step 1: Risk identification, Step 2: Risk analysis, Step 3: Risk evaluation or Ranking, Step 4: Risk treatment, Step 5: Risk Monitor and Review, The objective of rating Risks, Risk rating types, Inherent Risk Rating Table, Residual Risk Rating, Risk Matrix, Risk Assessment Criteria, Impact ratings, Probability (Likelihood) Ratings, The “Russian Roulette” Rule & “Murphy’s Law”, “Russian Roulette” & “Risk Assessment”

Part 6 - Risk Appetite and Tolerance

Risk Appetite
Basic types of Risk Appetite
- Maximisation
- Maximax
- Risk Seeking
- Risk Neutral
- Pareto Risk
- Risk Averse
- Minimax
- Minimisation

Benefits of Articulating Risk Appetite
Purpose of the Risk Appetite and Tolerance Policy Statement
Drivers of Risk Appetite and Tolerance
Risk Bearing Capacity Concept
Scope of Risk Appetite and Tolerance
Approach to determining Risk Appetite and Tolerance
Risk Appetite and Tolerance (RAT) framework

PART 7 - RISK TREATMENT PROCESS (RTP)

The Risk Register - Purpose, Register Contents, Risk Register Template, Example of Risk Register entry
Risk Treatment Response
Risk Treatment Process
Risk Treatment Options (The 4 “T’s”), Risk Treatment Review

Part 8 - Internal Control Frameworks and Guidelines
ISO 31000 Risk Standard
Application of the Standard
Addressing Risk changes in the marketplace

Supporting RM at Enterprise Board Level - Important considerations
Risk Management Matrix
The ISO 31000 guidelines on 8 Risk Management principles
Principles application

The COSO Enterprise Risk Management Framework - “Committee Of Sponsoring Organisations of the Treadway Commission”
COSO in context

ISO/IEC 27002:2013
Application and coverage area

PART 9 - INTERNAL CONTROL ENVIRONMENT

Definition of “Internal Control”
Broader Definition of Internal Controls in practice
Definition of Internal Controls application
Five Components of Internal Control
Internal Control Risk focus 

Benefits of Internal Controls
Internal Control limitations
Characteristics of Effective Control
Control Environment Elements
The three types of Controls
Examples of Preventive Control activities
Examples of Detective Control activities
Examples of Corrective Controls

Five components of Internal Control (CRICM)
- Control environment
- Risk Assessment
- Information and Communication
- Control Activities
- Monitoring

Control Assessments management

The three levels of Internal Control monitoring
- Internal Audit
- Control Assessment
- In practice

Control effectiveness concept
Risk Control Effectiveness
Risk Control Effectiveness definition
Risk Control Adequacy
Overall Risk Control Rating

Why take the rocky road if you can walk on paving?

We are paving the way to easier compliance with POPIA/GDPR, PAIA, FICA, RISK MANAGEMENT & FRAUD PREVENTION

Contact us today and let us help you on your path to regulatory compliance and risk management.

© Copyright 2021 - EZ Comply - All Rights Reserved. Website design and maintenance by Mojotech.

Get in Touch

082-444-8735
info@ezcomply.co.za