Risk Management Policy

1. Purpose

This Risk Management Policy establishes a structured and consistent approach for identifying, assessing, managing, and monitoring cybersecurity risks that may impact the confidentiality, integrity, and availability of the organisation’s information assets and systems. This policy is tailored to the South African regulatory environment and aligns with recognised standards including ISO/IEC 27001, ISO/IEC 27005, the NIST Cybersecurity Framework, and South African legislative and regulatory requirements.

2. Scope

This policy applies to:
  • The organisation’s PHP-based membership and administrative web portals.
  • Databases, APIs, and backend services (e.g. MySQL).
  • Authentication, authorisation, and session management components.
  • Hosting environments (cloud, on‑premise, or managed hosting).
  • All employees, contractors, and third parties with access to systems or data.

3. Regulatory and Legal Context (South Africa)

This policy supports compliance with applicable South African laws and guidance, including:
  • Protection of Personal Information Act (POPIA).
  • Electronic Communications and Transactions Act (ECTA).
  • Cybercrimes Act, 2020.
  • King IV Report on Corporate Governance.
  • Guidance from the Information Regulator (South Africa).

4. Definitions

Cybersecurity Risk: The potential for loss or harm arising from cyber threats to systems or data.
Personal Information: Information as defined under POPIA.
Risk Owner: The individual accountable for managing a specific risk.

5. Governance and Responsibilities

  • 5.1 Board and Executive Management.

    • Approve this policy and the organisation’s risk appetite
    • Ensure cybersecurity risk management is integrated into enterprise risk management
    • Provide oversight in line with King IV principles

  • 5.2 Information Security / IT Management

    • Implement and maintain cybersecurity risk controls
    • Conduct regular risk assessments and vulnerability testing
    • Monitor compliance with POPIA-related security safeguards

  • 5.3 Employees and Contractors

    • Comply with cybersecurity and data protection policies
    • Report suspected incidents or vulnerabilities promptly
    • Complete mandatory security awareness training

6. Cybersecurity Risk Management Framework

The organisation follows a continuous risk management lifecycle:
  • 6.1 Risk Identification

    • Risks are identified through asset inventories, threat intelligence, vulnerability scanning, audits, and incident analysis.

  • 6.2 Risk Assessment

    • Risks are assessed based on likelihood and impact, including:
      • Impact to personal information under POPIA
      • Legal, financial, operational, and reputational impact

  • 6.3 Risk Treatment

    • Risks may be mitigated, transferred, avoided, or formally accepted within approved risk appetite.

7. Security Controls (PHP Portal Environment)

  • 7.1 Application Security

    • Secure PHP coding standards aligned to OWASP Top 10
    • Input validation and output encoding
    • Prepared statements for all database access
    • Secure session handling and timeout controls
    • CSRF protection for authenticated functions

  • 7.2 Authentication and Access Control

    • Role‑based access control for members and administrators
    • Strong password policies with hashing (bcrypt or Argon2)
    • Multi‑factor authentication for administrative access
    • Account lockout for repeated failed login attempts

  • 7.3 Data Protection

    • Encryption of sensitive and personal information at rest
    • TLS encryption for all data in transit
    • Secure storage and processing of personal information in accordance with POPIA

  • 7.4 Infrastructure and Hosting

    • Web application firewall (WAF) protection
    • Regular patching of PHP, frameworks, and servers
    • Separation of development, testing, and production environments
    • Secure backup, retention, and recovery processes

  • 7.5 Logging and Monitoring

    • Logging of login attempts, privilege changes, and administrative actions
    • Monitoring for unauthorised access and anomalous behaviour
    • Log retention aligned to business and legal requirements

8. Incident Management and Breach Notification

Cybersecurity incidents are detected, recorded, and responded to promptly.
Personal information breaches are assessed for notification obligations under POPIA.
Where required, the Information Regulator and affected data subjects are notified.

9. Third‑Party and Supply Chain Risk

Third parties are subject to cybersecurity and POPIA risk assessment.
Contracts include security and data protection clauses.
Third‑party access is limited to least privilege.

10. Training and Awareness

Mandatory cybersecurity and POPIA awareness training.
Role‑based training for privileged and development roles.

11. Compliance and Enforcement

Compliance with this policy is mandatory,
Breaches may result in disciplinary action.
Audits may be conducted to assess effectiveness and compliance.

12. Review and Approval

This policy is reviewed at least annually or following significant changes to systems, threats, or legislation.