February 2007 - Volume 2, Issue 2

1. Privacy Breach Notification Assessment Tool
2. Planning a Penetration Test or Vulnerability Assessment
3. Study Shows Canadian SOX Weaknesses
4. Operationalizing Adaptation to Climate Change
5. HR's Role in Internal Control
6. Comprehensive Topical Indexes Being Added to FAPP and ITPP!



Privacy Breach Notification Assessment Tool

The Privacy Breach Notification Assessment Tool, produced jointly by the privacy commissioners of Ontario and British Columbia, is a concise (6 page) document that helps organizations make important decisions about notifying individuals after a privacy breach occurs.

Any organization that collects and holds personal information is responsible for notifying affected individuals when a privacy breach occurs. Furthermore, if the breach occurs at a third-party entity that has been contracted to maintain or process personal information, the breach should be reported to the originating entity, which has primary responsibility for notification.

The assessment tool contains four checklists that will help you decide whether, when and how to notify affected individuals, the information that should be included in the notification, and other organizations that should be contacted.

Click here for a link to this very useful tool

For a model policy dealing with privacy, see chapter GV 1.11 Confidentiality and Privacy in Volume II—Corporate Governance of Finance and Accounting PolicyPro.




Planning a Penetration Test or Vulnerability Assessment

Penetration testing is a method of evaluating the security of a computer system or network by simulating an attack by a hacker. In a penetration test, the tester aims to break into a system and access something valuable. Once the tester has found a route to this information, the test is complete, even though there may be other vulnerabilities remaining.

Vulnerability assessment is a broader process of identifying and quantifying all weak points in the environment. Individually, these weaknesses could represent small risks, but when combined, they create a greater vulnerability that could be exploited.

In both kinds of tests, management must define the objectives of the tests, ensure the quality of the testing, and communicate the results within the organization.

Protiviti has recently released a useful overview of penetration testing and vulnerability assessments. For a link to this interesting article, click here.



Study Shows Canadian SOX Weaknesses

A recent study from Queen’s University in Kingston suggests that Canadian companies are at least as liable to internal control weaknesses as their U.S. counterparts. Professor Steven Salterio compared the Sarbanes-Oxley (SOX) filings of 31 Canadian companies listed on U.S. stock exchanges, and found that six, or 19 per cent, reported internal control weaknesses. This compares to an overall rate of 13 per cent of similar-sized U.S. firms.

For Professor Salterio, these findings raise questions about the decision last March by the Canadian Securities Administrators (CSA) to adopt a weaker set of “made in Canada” rules to govern internal controls, a story we have followed in the PolicyPro Bulletin for the past year.

In the February issue of The Bottom Line, Alex Hutchinson has written an interesting analysis of this study. Click here to read the full text of the article, reprinted with the permission of The Bottom Line.



Operationalizing Adaptation to Climate Change

In contrast to the healthy debate about the best way to mitigate Canada’s contribution to climate change, there is a distinct lack of debate on how Canada will adapt to its effects. Should Canada’s ports rebuild infrastructure to accommodate the predicted rise in sea levels? Must Canada’s highways be engineered to higher standards to withstand the effects of greater temperature variability? More fundamentally, who is responsible for developing adaptation strategies and measures? The Conference Board of Canada gathered some of the leading domestic “adaptation” thinkers for the first Private Sector Roundtable on Adaptation to Climate Change. Operationalizing Adaptation to Climate Change reports on the Roundtable, its discussions and its conclusions.

Click here to link to the article.

Note: If you are not a registered user of the Conference Board of Canada’s e-Library, you will need to register, as follows:

  1. Click Download Document to open the Sign in or Create a New Account page
  2. Click Create an Account
  3. Follow the directions to complete your registration



HR's Role in Internal Control

If you mention internal controls and HR in the same breath, you typically get one of two reactions. First, people assume you’re talking about ethical behaviour and an employee code of conduct. Or they immediately think of compliance issues—following the rules when conducting background checks, or complying with privacy and records retention regulations, for example.

Neither of these responses is wrong, but both suffer from the same problem; people are seeing the trees, not the forest. In fact, if senior executives are telling the truth when they state “we’re only as good as our people,” the way that HR recruits, hires, deploys, trains, develops and rewards (and terminates) employees determines the success of an organization. All that responsibility has a flip side—it becomes a major source of risk. And risk is managed with effective internal controls.

This article examines the relationship between HR and internal control to help you understand why HR must be considered one of the cornerstones of an organization’s internal control processes.

For a link to this article, which first appeared on HRinfodesk.com, click here.



Comprehensive Topical Indexes Being Added to FAPP and ITPP!

We’re pleased to announce that we are adding comprehensive topical indexes to some of the products in our PolicyPro Library. An index to Finance and Accounting PolicyPro will be added with 2007, Release 1, and an index for our newest publication, Information Technology PolicyPro, will be added with its first 2007 update release.



About the PolicyPro Bulletin

Editor: Colin Braithwaite, Managing Editor – PolicyPro.

Please do not reply to this Email.

PolicyPro Bulletin is a complimentary service published by First Reference Inc. and is sent to you monthly. Each issue of the PolicyPro Bulletin provides headlines and summaries of news that affects internal controls and policies in Canada.

Please forward this Bulletin to your colleagues.

Please send any comments or suggestions about the PolicyPro Bulletin to editor@policypro.ca. For information about the PolicyPro Library, visit www.PolicyPro.ca. For information about First Reference and our HR-related products, visit www.firstreference.com. To read our Terms of Use, Disclaimer, Privacy Policy and other legal matters, visit PolicyPro.ca.

This publication is written for informational purposes only and should NOT be relied upon as legal advice or opinions. The reader should always obtain legal advice from a qualified lawyer or other qualified professional, which will be responsive to the case or circumstance of the individual. Please note that the content provided in this Bulletin or any content contained in or made available through any third party website linked to from this Bulletin, is provided "as is" without representations or warranties of any kind. All representations and warranties in respect of Content or Third Party Content, express or implied, including, without limitation any representations to warranties or conditions regarding accuracy, timeliness, completeness, non-infringement, merchantability or fitness for any particular purpose are hereby disclaimed.

PolicyPro Bulletin ISSN: 1718-5866 Copyright ©2007, First Reference Inc., All Rights Reserved.
