Several of Canada’s top privacy watchdogs have teamed up to release a free security and privacy assessment tool they hope will help prevent breaches of personal information.
The in-depth questionnaire is a joint effort between the federal Privacy Commissioner’s Office and the Alberta and British Columbia Privacy Commissioners. The tool is launched just as the industry absorbs the news of Sony’s PlayStation Network data breach, which exposed the personal details, possibly including credit cards, of an estimated 77 million users. It is designed for mid-sized and larger organizations to see whether they are meeting compliance standards under Canada’s private-sector privacy law at both the federal and provincial levels.
The tool involves answering dozens of yes-or-no questions in an online form that’s divided into 17 sections, each a deep dive into a security policy area, including network security, access control, incident management, and database security. Organizations can opt to do a complete assessment, or dive into a subset of questions that addresses specific needs.
The target audience for the tool is mostly small- to medium-sized enterprises (SMEs), says Anne-Marie Hayden, a spokesperson with the Office of the Privacy Commissioner of Canada (OPC). It’s being promoted via speeches, media, and associations such as the Retail Council of Canada.
Still, pushing some businesses to voluntarily apply the comprehensive evaluation of their internal policies might not be easy.
“It might not find so many users,” says Brian Bourne, co-founder of the security education conference Sector and the security member of ITBusiness.ca’s editorial advisory board. “I don’t know who will end up going through it.”
The assessment might be over the heads of most smaller businesses, he adds. “They probably need help with the definitions of these page titles. Sadly, they handle much of the same information as the big enterprises, just not the same volume.”
Questions asked under the assessment tool’s “Risk Management” opening section indicate an IT expert may be needed to properly use the tool. One question asks if an organization has analyzed, evaluated and documented “the likelihood of security failures occurring, considering possible threats and vulnerabilities.”
Mid-sized firms will likely find it a valuable checklist, Bourne says, as would larger firms wanting to avoid Sony’s current dilemma. But similar tools are already available for free from vendors such as Microsoft. The Microsoft Security Assessment Tool is also designed to help find weaknesses in an IT security environment, and also offers a download that takes a snapshot of a business’s current security state.
But the new tool from Canada’s privacy commissioners has more of a focus on privacy, and protecting personal information versus the more common security paradigm of protecting intellectual property.
“The three offices felt it would be important and helpful to develop,” Hayden says in an e-mail. “We consulted with business on the tool.”
Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) applies to private commercial activities across the country, except in provinces where similar legislation has been enacted. Alberta and B.C. are among those provinces, as is Ontario. In 2012, PIPEDA will be up for its five-year mandatory review.
Hayden wouldn’t say whether the assessment tool hints at what sort of compliance might be expected under that new legislation, but did say more information about those proposals could be expected this week.
The questionnaire features some questions shaded in blue, and a legend describes those as being “the minimum requirements.”
PIPEDA does say that adequate safeguards must be applied to protect personal information, Bourne says. “This is one of their steps in helping people to understand what adequate safeguards are.”
The OPC is expected to release a consultation report later this week that could contain more details about proposed changes to PIPEDA.