
September 2016 // Canadian Government Executive / 29

affected individuals and the Office of the Privacy Commissioner of Canada (Commissioner) if the breach creates a “real risk of significant harm to the individual.” This would include incidents such as the highly publicized theft from the Canada Revenue Agency of almost 1,000 social insurance numbers in 2014.

Note that the Digital Privacy Act amends PIPEDA, which governs private-sector organizations; public bodies are instead covered by the federal Privacy Act or their provincial equivalents. Ultimately, any organization that collects, uses or discloses personal information is responsible for protecting that information and for mitigating damage should a privacy breach occur.

The following four-step approach will help you reduce the risk of a breach and prepare your organization to respond to one, while ensuring resources are spent where they will have the most impact.

Reduce Liability – Know the Rules

Protecting your organization, and the executives who could be held liable, starts with understanding the relevant legislation. It will tell you what you are required to do and suggest safeguards that should be put in place. Depending on the legislation, it may cover risk management, security policies, human resources security, physical security, technical security, incident management and business continuity planning. A full cyber security review should take all of these facets into account.

The Digital Privacy Act sets out specific obligations once a privacy breach has occurred, including:

• Determining whether the breach creates a real risk of significant harm to an individual.

• Notifying affected individuals of the breach.

• Reporting the breach to the Commissioner.

By having a clear understanding of your cyber security risks, your assets and your responsibilities in the event of a breach, you increase protection not only of your organization’s data, but of your constituents.

Take Your Cyber Security’s Temperature

In the cyber security world, we describe how well protected an organization is by referring to its maturity: a mature organization is well protected. Determining maturity is much like conducting a cyber security health check and involves three primary activities:

• Evaluating how effective your cyber security controls are, measured against a cyber security framework

• Determining which areas present the highest risk if breached: risk to the executive who is liable, to the individuals affected by the breach and to the organization

• Analyzing the cyber attack trends affecting government agencies and how frequently those attacks are occurring

Conducting a cyber health check enables an organization to determine its liability and risks, understand the controls it already has, and decide how to update its strategies and programs effectively. It gives clear direction on where cyber security budget and resources should be focused.

Engage Hired Guns to Test Resiliency

Once step two is complete, a trusted third party should be engaged to test how difficult it is to attack the areas where a breach would cause the greatest loss. For the public sector, examples of such areas include the network perimeter, applications that store sensitive data, and mobile devices that contain sensitive information.

Prepare an Incident Response Plan

All public sector organizations need to determine what steps must be taken if a breach occurs, regardless of which piece of legislation they are accountable to. The incident response plan should be comprehensive and cover how you will:

• Contain the breach

• Mitigate the damage

• Notify the affected individuals

• Report the breach to the Commissioner

• Report the breach to your business partners

A rapid, well-rehearsed response to breaches will help your organization resolve the incident swiftly and with minimum impact.

A privacy breach is a high-risk loss for governments of any kind, in terms of liability, cost and loss of trust. Following the steps above will help limit your exposure and help you execute an effective incident response plan when a breach occurs.

Danny Timmons, CISSP, is MNP’s National Cyber Security Leader with more than 20 years of experience leading highly skilled cyber security teams.
