Have any memebers from Canada *really* looked into the upcoming "Personal Information Protection and Electronic Documents Act" (PIPEDA) coming into effect Jan 1, 2004?
There are lots of (painfully dry) sites out there, the better of which would probably be
http://www.privcom.gc.ca/information/guide_e.asp
http://www.privacyforbusiness.ic.gc.ca
but even these are extremely vague with regards to things like "stored securely" and "retained only as long as necessary"
I am more interested in the legalities/specifics of electronic data storage.
i.e.
- exactly how long can customer information be kept in a DB?
- if we're using a restored production database in development areas exactly how secure does it need to be?
etc.
Any thoughts or opinions on this?
Latest News: (loading..)
0
1 reply to this topic
#2
Posted 13 November 2003, 19:28
IC - or Industry Canada is alway vague on there specs like this. it is more of a outline.
Only as long as you need it. Typically after a couple of years many people move change address/phone etc... or will not buy for you anyway. But in certain situations you might want to keep it much longer - ie: the 5-20 year warrenties things....
As secure as you can make it without it being unusable - and secure enuf that the typical hacker can't get it or use it.
Some things to keep in mind to secure your data:
Keep server patched and upto date
Use HARD TO BREAK PASSWORDS - like on the MySQL database - don't use easy to get or short user/pass as OSC_ADMIN and OSC_PASSWORD - use: av121mEx and Ms3dHnQ1 or somthing like that- way over a trillion possable combos of each if you use 8 or more charaters.
Give user on your computers/network only access to what they need to use/do.
Keep passwords locked up. I beleve it that you should have a HARD copy of it some where - (in case you die....deposit box/safe/vault/under lock and key) Not on that Post It Note stuck to the BOTTOM of your keyboard.....Opps that is where I keep mine.....
Use a firewall if possable - else turn off ports in your servers that you don't use/need. CHECK SERVER/FIREWALL LOGS from time to time looking for hacked HOLES or problems.
Remove CD-RW or DVD-R/W drivers (and other mass removable storage devices) from people on your networks who DON'T need it or whom you don't trust.
MOST IMPORTANT - phyically LOCK down your servers. Locked rooms with a STEEL door is perfered, Alarmed rooms/restriced access. Many computers and SERVERS (or the discs/data) are stolen (by BOTH employees and by theifs that break and enter) every YEAR!
AND
Anything that leave that could have your DATA on it (say a scratch CD-R backup --- "bad" harddive to be fixed/swaped/warrenty repaired ---- or getting rid of old computers) has all been thoughly whipped clean of data/unreadable ---- or is going via a BONDED carrier to a BONDED company who is authoried by your company to working on your data (like data repair companies -- non-disclosure agreements may have to be signed by one or BOTH sides).
Other than that - just general security stuff...
Quote
Exactly how long?
Quote
How secure does it need to be?
Some things to keep in mind to secure your data:
Keep server patched and upto date
Use HARD TO BREAK PASSWORDS - like on the MySQL database - don't use easy to get or short user/pass as OSC_ADMIN and OSC_PASSWORD - use: av121mEx and Ms3dHnQ1 or somthing like that- way over a trillion possable combos of each if you use 8 or more charaters.
Give user on your computers/network only access to what they need to use/do.
Keep passwords locked up. I beleve it that you should have a HARD copy of it some where - (in case you die....deposit box/safe/vault/under lock and key) Not on that Post It Note stuck to the BOTTOM of your keyboard.....Opps that is where I keep mine.....
Use a firewall if possable - else turn off ports in your servers that you don't use/need. CHECK SERVER/FIREWALL LOGS from time to time looking for hacked HOLES or problems.
Remove CD-RW or DVD-R/W drivers (and other mass removable storage devices) from people on your networks who DON'T need it or whom you don't trust.
MOST IMPORTANT - phyically LOCK down your servers. Locked rooms with a STEEL door is perfered, Alarmed rooms/restriced access. Many computers and SERVERS (or the discs/data) are stolen (by BOTH employees and by theifs that break and enter) every YEAR!
AND
Anything that leave that could have your DATA on it (say a scratch CD-R backup --- "bad" harddive to be fixed/swaped/warrenty repaired ---- or getting rid of old computers) has all been thoughly whipped clean of data/unreadable ---- or is going via a BONDED carrier to a BONDED company who is authoried by your company to working on your data (like data repair companies -- non-disclosure agreements may have to be signed by one or BOTH sides).
Other than that - just general security stuff...
