- Identified purposes. App developers must identify the exact purposes for which information is collected, used, and disclosed, and they must be open and transparent with users about these purposes. They must ensure that the information is not collected, used, or disclosed for any other purpose.
- Meaningful consent. Every app must have a way of capturing meaningful consent (i.e. not a long, multi-page form in legal language with an “I agree” button at the end). The consent should be written in plain language, and the consent process should be completed before any personal information is collected.
- Data minimization. The app should only collect, use, and disclose the minimum amount of data needed for the identified purposes. Device features such as cameras, voice recorders, and location trackers should be disabled unless they are required for the identified purpose of the app.
- Data encryption. All personal information associated with the app should be encrypted at all times using a strong encryption algorithm. This includes data at rest on the device, data in transit, and data in any backend system and database.
- Access control. Rigorous access control processes must be in place to manage access to the app and its associated data. This includes end-user roles (e.g. customers or patients) and admin roles (e.g. app developers and support personnel).
- Identification and authentication. Robust identification and authentication methods must be applied. This includes strong passwords and multi-factor authentication where appropriate.
- Monitoring and audit. Audit-logging capability must be built into the app to track access to personal information and to enable detection, investigation, and response to privacy and security breaches.
Certification preparation is a significant undertaking. Working with our certification team will save your team a lot of time because we compile all of the necessary documents for you and create a customized information security management system framework that meets the unique needs of your business. Our team of privacy and security experts has experience helping many other businesses achieve their certifications, so we can anticipate what will be reviewed and what evidence auditors will be looking for. Certification preparation can take approximately 80% of an individual’s work hours in a year if they are not experienced at preparing for an information security management system certification or accreditation. This is a costly time commitment for organizations that do not have a team of dedicated privacy and security professionals on staff.
- The certification process will help your team identify gaps and risks. We will help you implement the necessary information controls to manage risks and/or to help eliminate them. It will help you secure all of your data more effectively, minimizing the risk of a cybersecurity data breach.
- Our certification team will work with your team to develop a customized solution, giving you the flexibility to adapt information and security controls to some or all areas of your organization to ensure that the resulting information security management system meets the specific needs of your business.
- Achieving a certification helps demonstrate your business’ commitment to global best practice. By demonstrating your business’ commitment to security, you can help your business gain trust from your clients, stakeholders, and partners, demonstrating due diligence and excellence in data protection.
- By demonstrating compliance and achieving certification status, your business is set apart for its excellence in information and security management, which will give your business a competitive advantage and may help you gain status as a preferred vendor or supplier.
ISO/IEC 27001 is the international standard for information security management.
ISO/IEC 27001 certification demonstrates a business’ commitment to global best practice and to security. The standard helps organizations establish and implement a certified information security management system, helping them secure their data more effectively and minimizing the risk of a cybersecurity data breach.
- ISO/IEC 27001 Certification
- SOC 2 Certification
- CyberSecure Canada
More than 90% of privacy breaches are caused by human error. Privacy and security awareness training reduces security-related risks by 60%. Privacy and security awareness training helps make your team your first line of defense by teaching them how to avoid common errors, like phishing scams, weak passwords, and careless behaviour online. Privacy and security awareness training is also important because privacy laws mandate that organizations handling personal health information provide regular privacy and security awareness training to all of their employees and contractors.
A security threat and risk assessment (TRA) is the process of identifying and mitigating threats and risks to the confidentiality, integrity, and/or availability of information. A TRA involves identifying what information is at risk, determining the relative magnitude of the risk, and deciding what to do about the risk. The goal of risk management is to ensure that risks remain within acceptable limits and that the cost of countermeasures is affordable. A TRA is a collaborative process in which representatives of various groups within the organization develop a shared understanding of threat and risk requirements and options. TRAs provide evidence to customers and regulators that your business has applied the appropriate security due diligence to its products and services.
We conduct security threat and risk assessments (TRAs) for our clients’ products and services. We can also update a past TRA.
A Privacy Impact Assessment (PIA) is a structured risk management methodology that looks at the environment in which your app or device will operate, how it is used, and how data flows through the technical and business processes. A PIA will help you understand the privacy risks associated with your products and services. You do not want to over-engineer your app or device. A PIA will help identify real hotspots where privacy and security countermeasures may be needed. A PIA is also an important marketing tool because it quickly communicates your privacy safeguards to your customers and demonstrates that you prioritize privacy.
We conduct privacy impact assessments (PIAs) for our clients’ products and services. We can also update a past PIA.
The first thing you need to know when developing a privacy program for your start-up or small company is what privacy laws apply to you and your customers. Start-ups face a bewildering array of privacy legislation, especially if you are selling your products and services across Canada and/or internationally. In Canada alone, there are more than 30 separate federal, provincial, and territorial privacy laws in effect. Depending on the location of your business and who you are selling to, different privacy laws apply to your business.
For example, if you are selling directly to consumers or private businesses, the federal Personal Information Protection and Electronic Documents Act (PIPEDA) may apply to you. If you are selling to healthcare providers in Canada, as many as 12 provincial and territorial health privacy laws may apply to you and your customers.
Privacy laws set the ground rules for information management. If you’re setting up a privacy and security program for your start-up or enterprise for the first time, we’re here to help guide you through each step of the process.
You must publish a Statement or Notice of Information Handling Practices to comply with notice requirements in privacy legislation. A Privacy Notice or Statement informs customers and individuals about your organization’s information handling practices.
Our team of privacy and security experts can help you develop a suitable Privacy Notice or Statement for your website.