CIM-Data Privacy, Confidentiality, and Security Policy
(compliance with PIPEDA)

CIM-Data Ltd.

May 25, 2004


A. Personal Privacy Protection

PIPEDA Background

In 2000, the Federal government enacted the Personal Information Protection and Electronic Documents Act (PIPEDA) to set standards for how organizations collect, use, disclose and protect personal information, including information stored or transmitted electronically.

Initially the legislation applied only to federally regulated industries. Effective January 1, 2004, PIPEDA (or substantially similar provincial legislation) was extended to all Canadian commercial organizations. It governs the collection, use and disclosure of personal information and requires that businesses assess their network risks and implement security controls to protect personal data.

Every transaction involving the handling of personal data (collection, use, transfer, disclosure, storage, accessing, processing, etc.) will have to be conducted in accordance with the legislation.

CIM-Data Ltd. is also governed by the provisions of PIPEDA and is required to implement a Privacy Policy in accordance with PIPEDA and to provide privacy protection that extends to staff, customers, and customers' clients.


CIM-Data Privacy Protection Policy

CIM-Data Ltd. has always been and will continue to be committed to protecting privacy. This means ensuring that personal information remains confidential. CIM-Data implements its Privacy Policy in the following ways:

  1. Privacy practices are part of a commitment to respect individuals, from customers and affiliated associations/companies, to employees. As a long-standing partner and participant in the insurance industry, we have always worked to ensure that our business practices prevent any breach of confidentiality and we work to maintain the highest code of conduct.

  2. Every effort is made to ensure that information collected is protected against loss and unauthorized access, regardless of media type.

  3. Computer systems have access controls (security levels) applied and are managed so as to prevent unauthorized access and to log unauthorized access attempts.

  4. Each employee must sign a Non-Disclosure and Confidentiality Agreement and is asked to review and acknowledge this agreement annually.

  5. Customer personal information is kept only as long as it is needed to research and test an issue. Policies are in place to securely delete, physically destroy, or promptly return personal information when it is no longer needed.

  6. The confidentiality of personal information is protected, and measures are in place to prevent personal information from being inadvertently or accidentally passed on to third parties.

 

B. CIM-Data Information and Systems Security Policy

Overview

Information and information systems are critical assets. Accordingly, CIM-Data has a duty to our customers, affiliated associations, and companies to protect the information and information systems in our possession from a variety of threats such as error, fraud, embezzlement, privacy violation, and disaster. Security measures shall be employed to protect all information, regardless of the media on which it is stored, the systems that process it, or the methods by which it is transmitted. Such protection includes restricting access to information on a need-to-know basis.


All employees, consultants, and contractors shall understand that they may be required to agree in writing to comply with, and to perform their work according to, the CIM-Data Information and Systems Security Policy. To support this effort, management shall provide policy, procedures, and reference materials. Guidance, direction, and authority for information and systems security activities are provided by the President and senior members, who are responsible for establishing and maintaining the Information and Systems Security Policy.


Information Confidentiality & Privacy

Information and systems owned and managed by CIM-Data may contain material on a variety of important subjects including individuals, associations, vendors, financial matters, systems, rating pricing and criteria, hardware configuration, passwords, user IDs, and others. Such information is considered confidential. Disclosure of confidential information to third parties must not take place unless required by law or permitted by explicit consent of the information owner. In addition, confidential information provided to CIM-Data by a third party will be kept confidential using the same guidelines that CIM-Data uses to keep its own information confidential.


Since CIM-Data is the owner and custodian of all information residing on its systems, information that individuals store in or send through these systems must be strictly business related and is subject to review by management or its designated representatives.


Information Protection Standards

Information shall be protected, regardless of the media on which it is stored, the systems that process it or the methods by which it is moved.
 

Information and systems security control measures are to be consistently applied to all individuals, computer systems, communications systems, and all types of data throughout CIM-Data.
 

The following Information Protection Standards shall be implemented on a daily basis:

  • Protection of Confidential Information

Appropriate measures shall be taken with regard to confidential information to prevent its unauthorized disclosure, modification or destruction. All information storage media, such as hard disk drives, floppy disks, magnetic tapes, and CD-ROMs, containing confidential information shall be physically secured when not in use. Customer media is kept locked in a secure media safe.

  • Life Cycle and Disposal of Confidential Information

Confidential information will be protected from unauthorized use or disclosure from the time it is received or created until it is properly deleted or destroyed. At the established destruction date, all confidential information in hard copy form will be shredded. Computer files will be deleted from catalogs or directories and, if deemed necessary, the data will be overwritten; deleting a directory entry alone leaves the file contents recoverable on the media until they are overwritten.

  • Computer Systems have Restricted Access

Information about computer systems, programs, passwords, or related control measures used at CIM-Data is confidential and shall not be given to outside parties or unauthorized individuals. Third-party support providers may be given temporary, restricted access by the President.

  • Controls Related to Protection of Confidential Information

Customer information loaded onto CIM-Data equipment will be protected consistently regardless of whether the information is the original or a copy.  Access to systems containing confidential information shall be restricted based on a need-to-know basis.

  • Restricted Physical Access

Physical access to areas on CIM-Data premises containing confidential information (such as server, hardware service, and storage rooms) is restricted to those staff whose job responsibilities require it.
 

Individuals, who are neither CIM-Data employees, nor authorized contractors, nor authorized consultants, shall be supervised whenever they are in an area containing confidential information. Visitors will not be left unattended in restricted areas at CIM-Data.

  • Monitoring of Access Requirements

Staff and management are all responsible for reviewing the access activities of third parties for compliance with established policies. Non-compliance issues must be immediately communicated to senior management.

 

C. CIM-Data Security Measures Defined

CIM-Data Password Policy

Staff within CIM-Data are given accounts and passwords with which to access one or more systems within CIM-Data and may be given passwords to accounts on customer systems. All passwords are kept confidential and are not to be disclosed to others, including other staff or third parties, unless specifically authorized to do so by CIM-Data management.


Support Passwords for Customer Equipment will be kept confidential and be chosen according to strong password rules.
 

No password to CIM-Data equipment or CIM-Data customer equipment will be stored in electronic form on any computer, PDA, tape, disk, or other device. Any paper copies of passwords will be physically locked up at the end of each business day.


Upon any suspicion of a password being obtained by or given to inappropriate parties, the password shall be immediately changed.
 

The President will be provided with a copy of all passwords to CIM-Data equipment and will be informed of any changes. No passwords will be set up that restrict management access to any program. CIM-Data equipment is provided solely for the purpose of carrying out the business of CIM-Data and for no other purpose. Senior CIM-Data management will have access to all CIM-Data equipment at all times. Employees will not store their own personal information in CIM-Data equipment, desks, binders, etc.


Passwords to customer equipment will not be divulged to third parties, or to customer staff. In an emergency, a password may be provided to customer senior management by CIM-Data senior management.
 

Firewall Protection of Internal Networks

At all times, CIM-Data internal LANs will be isolated from the open internet by a NAT device with no inbound ports open (no port forwarding). The passwords for the NAT device will be held by the President and are for the President's use only. The President may authorize specific ports to be opened for remote access by designated staff to specific equipment only.


Network Protection

All systems in CIM-Data that contain personal or confidential information will be protected at all times against viruses, worms, Trojan horses, and spyware using current, commercially supported products and vendor updates. These include:

  • Antivirus detection

  • Windows Security Updates

Customer Access Connections

CIM-Data support staff require access to customer equipment from time to time. Reverse access (inbound connections from a customer's network into CIM-Data equipment over the same link) will be prevented as follows:

  • Modems will be powered on only for the length of time needed to access a customer's site. All modems will be checked every night to confirm they are powered down. Modems will not be configured for auto-answer except when a customer requires the use of call-back security, and auto-answer will be disabled at the end of such calls.

  • VPN connections to customer’s machines will be disconnected at the end of a support session.

Support personnel are trained on how to prevent reverse access to support systems during a modem or VPN connection.
 

Customer Media

Any media sent or provided to CIM-Data will be kept confidential and stored in locked areas. To further safeguard customer data, all media will be erased (the information overwritten) before being returned to customers. No media will be returned with customer information intact unless it is accompanied by the authorized CIM-Data MEMO form with the alternative option selected, or by written authorization requesting that the media be returned in the same format as received.


Any data file transmitted via insecure means (such as email) that may contain confidential or personal information will be encrypted with a strong cipher and key. The encryption key will be transmitted separately from the data, over a different channel.
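The encrypt-the-file, send-the-key-separately requirement above, as an added example that is not part of the CIM-Data policy: a POSIX shell script built on the openssl command-line tool. It encrypts a file under a fresh random AES-256 key, authenticates the ciphertext with an HMAC under a second random key (so an attachment altered in transit is rejected before any decryption is attempted), and writes the key material to a separate file that must go by a different channel (telephone, courier, or a message on another system). The function names, the three-line attachment layout and the two-line key file are assumptions of this example, not of the policy.

```shell
#!/bin/sh
# Added example, not part of the CIM-Data policy. Assumes the openssl CLI is installed.
# Attachment layout (assumption of this example), three lines in OUT_ENC:
#   1: hex IV (16 bytes)  2: base64 AES-256-CBC ciphertext  3: hex HMAC-SHA256 tag
# Key file (assumption), two lines: hex AES key, hex HMAC key. It never travels with OUT_ENC.
set -eu

# hmac_hex HEXKEY -- reads data on stdin, prints its HMAC-SHA256 tag as hex
hmac_hex() {
  openssl dgst -sha256 -mac HMAC -macopt "hexkey:$1" | sed 's/.*= //'
}

# encrypt_for_email PLAINTEXT OUT_ENC OUT_KEY
encrypt_for_email() {
  plain=$1; enc=$2; keyfile=$3
  enckey=$(openssl rand -hex 32)   # 256-bit AES key, fresh for every file
  mackey=$(openssl rand -hex 32)   # independent 256-bit HMAC key (encrypt-then-MAC)
  iv=$(openssl rand -hex 16)       # random IV; stored with the ciphertext, not secret
  ct=$(openssl enc -aes-256-cbc -K "$enckey" -iv "$iv" -in "$plain" -a -A)
  tag=$(printf '%s%s' "$iv" "$ct" | hmac_hex "$mackey")   # tag covers IV and ciphertext
  printf '%s\n%s\n%s\n' "$iv" "$ct" "$tag" > "$enc"
  # key material is owner-readable only and goes out by a separate channel
  ( umask 077; printf '%s\n%s\n' "$enckey" "$mackey" > "$keyfile" )
}

# decrypt_from_email IN_ENC IN_KEY OUT_PLAIN
# Checks the tag before touching the ciphertext; returns 1 and writes nothing on failure.
decrypt_from_email() {
  enc=$1; keyfile=$2; out=$3
  enckey=$(sed -n 1p "$keyfile"); mackey=$(sed -n 2p "$keyfile")
  iv=$(sed -n 1p "$enc"); ct=$(sed -n 2p "$enc"); tag=$(sed -n 3p "$enc")
  expect=$(printf '%s%s' "$iv" "$ct" | hmac_hex "$mackey")
  if [ "$expect" != "$tag" ]; then
    echo "decrypt_from_email: HMAC mismatch; attachment altered or wrong key" >&2
    return 1
  fi
  printf '%s' "$ct" | openssl enc -d -aes-256-cbc -a -A -K "$enckey" -iv "$iv" -out "$out"
}

# Usage: sh encrypt_attachment.sh claims.csv claims.enc claims.key
# then attach claims.enc to the e-mail and deliver claims.key by another channel.
if [ $# -eq 3 ]; then
  encrypt_for_email "$1" "$2" "$3"
fi
```

Two design points: AES-CBC on its own is malleable, so the HMAC is what lets the recipient detect a modified attachment, and it is checked before decryption; the tag comparison uses ordinary shell string equality, which is not constant-time, acceptable here because an attachment is decrypted once offline and offers no timing oracle, but not a pattern to reuse in a network service.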
 

Offsite Access and Backups

In general, CIM-Data Staff may not gain access to CIM-Data equipment remotely, nor remove or take off premises any CIM-Data or Customer files.
 

Specific staff members may be authorized to deliver CIM-Data information and files only (not customer files), on suitable backup media, to a company-operated safety deposit box for off-site archiving.
 

All products mentioned are registered trademarks or trademarks of their respective companies.
CIM-Data Privacy, Confidentiality, And Security Policy.
Copyright 2010 CIM-Data Ltd. All rights reserved.
Last modified: Monday April 12, 2010.