government organizations. There are also various pieces of provincial legislation, and alert watchdog groups, such as CIPPIC, based at the University of Ottawa, keeping an eye on things.

Yet, says Claudiu Popa, president of Toronto-based security firm Informatica Corporation and author of The Canadian Privacy and Data Security Toolkit for Small and Medium Enterprises, “the great things about our privacy legislation are also the root of our data protection woes: data protection is the articulated goal of the legislation, in particular, personal information protection. However, all the underlying security controls necessary to make this happen are implied and left up to the organization.”

Consequently, he says, Canadian businesses tend to be reactive, not proactive, when it comes to information security.

GETTING PRACTICAL

Writing a security policy need not be an onerous task. Organizations such as the SANS Institute and WindowsSecurity.com offer advice and templates that can be customized to serve virtually any organization’s needs.

For Canadian companies, one aspect of information security is knowing what they are securing, and that means information classification.

“Companies should pay particular attention to the development of their data classification policy because it is fundamental to the security program and all standards and procedures depend on it,” says Popa. “Quite simply, no organization can afford to protect all information and treat it as confidential.

“The costs of security controls and management would be prohibitive and impossible to scale,” he adds. “At the other end of the spectrum, organizations that do not protect their data, essentially treating it as public or shared information, clearly would find themselves compromising sensitive corporate information assets, be they financial/accounting information, trade secrets/intellectual property, or worst of all, personally identifiable information belonging to individual customers.”

Information classifications should also influence and reflect who is permitted to access the information within the company. For example, payroll data is extremely confidential, and a limited number of people are allowed access, while product sell sheets that are distributed to customers could be classified as public documents.

Even if businesses diligently protect data while it’s in the office, its treatment when documents or electronic media are disposed of may compromise security too. Paper in the trash is fair game to dumpster divers, and a recent study by Kessler International, a forensics organization, found that 40 per cent of the hard drives it purchased over a six-month period on eBay contained retrievable, confidential data, indicating deliberate or inadvertent neglect of basic data protection precautions on decommissioned systems. Can anyone say “disaster?”

“When your company is being investigated for data loss, the first question is, does your company have a written policy – so you should have one,” says Kristjan Backman, president of Winnipeg-based Phoenix Recycling. “All companies should have a policy regarding all information-containing media and the approved methods of destruction.”

The destruction policy should cover not only paper, but micro media like USB keys, cell phones and PDAs, optical and magnetic media such as CDs, DVDs and computer drives, and any other electronic equipment with magnetic storage included (e.g., photocopiers).

And, he adds, the first question a customer should ask when shopping for an information destruction service provider is: Is this facility NAID AAA certified?

NAID stands for the National Association for Information Destruction and is an international, non-profit trade association of the information destruction industry. It sets standards and audits certified vendors to make sure security standards are met. It also has a compliance toolkit to help companies design their own destruction policies. Because, believe it or not, secure destruction isn’t as easy as it sounds.

You should, says Backman, be able to see the shredding equipment and verify that the particle size renders the media unreadable. (If not, it could lead to a serious data breach.) Companies should also ask about the average time it takes for material to be destroyed from the time it is delivered, and the vendor should supply a list of references where the work is substantially similar to the work you need done.

“The effectiveness of a data protection program depends on how it is implemented and managed,” adds Informatica’s Popa. “The gaps that are left due to improper implementation and enforcement are often enough to drive trucks through, and the only way to address these challenges is using end-to-end, high-level strategy that drives policy enforcement and ensures proper control management. Without such controls, organizations will continue to experience unauthorized information disclosures, data theft, website compromises and business continuity issues.”

Lynn Greiner is a freelance writer in Newmarket, Ont.

PIPEDA – KEY CONCEPTS

PIPEDA specifies how private sector organizations may collect, use or disclose personal information in the course of commercial activities. Under the act, under most circumstances:

Personal information must be collected for a specific purpose and cannot be used for other purposes.

The information cannot be collected unless the person that the information belongs to has been informed and has provided consent.

The information can only be kept for a specified amount of time, and must be destroyed when it is no longer needed to fulfill its original purpose.

SOURCES

Blue-Pencil Mobile Shredding Solutions www.blue-pencil.ca
Informatica www.informationsecuritycanada.com
NAID www.naidcanada.org
Phoenix Recycling www.phoenixrecycling.com

WWW.SECURITYMATTERSMAG.COM JANUARY/FEBRUARY 2010 SECURITY MATTERS 19