How To Use Governance, Risk and Compliance (GRC) Audits To Meet PIPEDA Requirements

Are you doing business in Canada? If so, you need to know your responsibilities under PIPEDA (Personal Information Protection and Electronic Documents Act), including cybersecurity protections. Companies that fail to live up to PIPEDA requirements face privacy complaints, bad press and worse! This Canadian law imposes requirements on how companies collect, use and disclose personal information. Failing to meet these requirements will cause your customers to lose trust in your company. Fortunately, there are established tools and techniques you can use to stay PIPEDA compliant.

What Are Governance, Risk and Compliance (GRC) Audits?

GRC audits are a powerful way to review your organization’s systems, risk profile and compliance. If you operate in multiple jurisdictions, running an effective GRC audit program will take considerable resources. A GRC audit program is helpful because it makes it easier to discover compliance issues internally and fix them rather than reacting to a lawsuit, complaint or external investigation. If your company has an internal audit group, a GRC audit is an excellent way to supplement the work of internal audits.

For now, let’s focus on the IT security aspect of GRC audits. If you ace these audits, you are less likely to encounter PIPEDA compliance problems. Before we explain how to use GRC audits to support PIPEDA compliance, let’s consider what exactly PIPEDA requires.

What IT Security Requirements Does PIPEDA Have?

If you were hoping for a detailed list of IT security requirements, PIPEDA does not provide that. Instead, the Office of the Privacy Commissioner of Canada summarizes PIPEDA’s security expectations as follows: “PIPEDA does not specify particular security safeguards that must be used. Your organization must continually ensure it adequately protects the personal information in its care as technologies evolve and as new risks emerge.” You may still be wondering what to focus on.

Fortunately, the Commissioner provides some further details. For example, security safeguards may cover the following areas: physical measures, technology and organizational tools. In addition, the Commissioner recommends regularly reviewing safeguards to make sure they are up to date. In particular, take note that the Commissioner suggests “regular security audits” as a tool to measure the effectiveness of security safeguards. Finally, the Commissioner also suggests providing training to employees on the “importance of maintaining the security and confidentiality of personal information, and hold regular staff training on security safeguards.”

5 Areas of Focus For Your GRC Audits To Achieve PIPEDA Compliance

With a focus on IT security safeguards, let’s develop a simple audit designed to safeguard customer information. The specific details of the GRC audit will need to be customized for your organization’s situation, but this outline will give you a starting point.

1. Security Policy. Review the security policy in place for your organization. Is it up to date, and does it clearly explain roles and responsibilities for protecting personal information? Be aware that using too much technical or legal jargon may make the policy hard for employees to understand.

2. IT Security Safeguards. In modern companies, customer data is stored in dozens or hundreds of different systems. Each system and SaaS application needs security controls, including passwords and ways to limit access. In your GRC audit, look for evidence that access has been reviewed and approved by management.

3. Security Safeguard Selection. Some personal information is more sensitive than other information. Therefore, look for enhanced levels of IT security around highly sensitive data. For instance, data such as dates of birth, mailing addresses and payment information (e.g. credit card numbers) would typically require a higher level of protection. The selection of security safeguards, in terms of both technology and process, needs to be regularly updated to stay current.

4. Security Safeguard Review. The rise of modern marketing, software as a service and other methods means companies hold more personal information than ever before. That’s why your GRC audit process needs to ask when the company’s security safeguards were last reviewed and updated.

5. Employee Training. Outside of the IT security department, most employees do not think about security often. Therefore, your GRC audit should examine the effectiveness of employee training. For example, if the company only provides IT security training to new hires, you probably have a gap. An employee who completed onboarding security training several years ago probably has out-of-date knowledge.

At the end of your GRC audit, prepare a summary report for management. In the report, highlight any significant gaps and ask management to fix the problems. If you encounter systemic issues, you may need a different approach.

The Easy Win To Simplify PIPEDA Compliance: Identity and Access Management Software

In GRC audits, some problems are more significant than others. For example, an employee training issue could be fixed by making a one-time change to the onboarding process for new hires. In other cases, you may discover a deeper problem such as ineffective access management. Supervisors and managers may struggle to keep track of employee access requests and approve them according to policy. In those situations, you need a software solution.

When your GRC audits for PIPEDA compliance identify significant problems, implementing identity and access management software is the right choice. Here are two ideas you can use to make improvements.

  • Improve Password Controls. Passwords are a critical part of IT security safeguards. The days of publishing a password requirements document on your intranet and hoping for the best are over. Instead, use Password Station to systematically manage your passwords for all users and systems.
  • Reduce Inactive User Risk. Employees change jobs over time. Department priorities change. That’s why you need a way to manage user accounts through the lifecycle. Use Identity Enforcer to systematize this process and reduce your security risk. For more insight on the inactive user risk, read our post: Stopping Inactive User Account Risk Fast.
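As an added example (not code from the original post, and not from any product it names), the following Python script shows the kind of evidence check an auditor could run over an account export to cover the access-approval point in area 2 above and the inactive-user risk described here. It flags enabled accounts that belong to terminated employees, accounts with no login inside the inactivity window, and accounts whose management approval is missing or older than the review period. The account records, the as-of date and the 90-day and 365-day thresholds are constructed assumptions; replace them with your own export and policy values.

```python
"""Account lifecycle and access-review evidence check for a GRC audit.

Added example, not from the original post or any vendor product.
All records, dates and thresholds below are constructed assumptions.
"""
from datetime import date

# Assumed policy thresholds (not stated in the post; set per your policy)
INACTIVE_DAYS = 90        # no login for longer than this -> inactive account
REVIEW_MAX_DAYS = 365     # approval older than this -> access re-review overdue

# Constructed sample export, e.g. from an identity provider joined with an HR feed
SAMPLE_ACCOUNTS = [
    {"user": "alice", "enabled": True,  "last_login": "2024-05-20", "terminated": None,         "access_approved": "2024-01-15"},
    {"user": "bob",   "enabled": True,  "last_login": "2023-11-02", "terminated": None,         "access_approved": "2022-06-01"},
    {"user": "carol", "enabled": True,  "last_login": "2024-04-30", "terminated": "2024-05-03", "access_approved": "2024-03-01"},
    {"user": "dave",  "enabled": False, "last_login": "2023-01-10", "terminated": "2023-01-12", "access_approved": "2022-01-10"},
    {"user": "erin",  "enabled": True,  "last_login": None,         "terminated": None,         "access_approved": None},
]

# Constructed audit date so the example is reproducible offline
AS_OF = date(2024, 6, 1)

FINDING_TYPES = ("terminated_still_enabled", "inactive", "review_overdue", "no_approval_evidence")


def _parse(value):
    """Parse an ISO date string; None stays None (missing evidence)."""
    return date.fromisoformat(value) if value else None


def audit_accounts(accounts, as_of=AS_OF, inactive_days=INACTIVE_DAYS, review_max_days=REVIEW_MAX_DAYS):
    """Return {finding_type: sorted list of user names} for enabled accounts only."""
    findings = {kind: [] for kind in FINDING_TYPES}
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled accounts are out of scope for lifecycle findings
        user = acct["user"]
        last_login = _parse(acct["last_login"])
        terminated = _parse(acct["terminated"])
        approved = _parse(acct["access_approved"])

        # Leaver whose account was never disabled
        if terminated is not None and terminated <= as_of:
            findings["terminated_still_enabled"].append(user)

        # Never logged in, or no login inside the inactivity window
        if last_login is None or (as_of - last_login).days > inactive_days:
            findings["inactive"].append(user)

        # Audit evidence: a manager approval must exist and be recent
        if approved is None:
            findings["no_approval_evidence"].append(user)
        elif (as_of - approved).days > review_max_days:
            findings["review_overdue"].append(user)

    return {kind: sorted(users) for kind, users in findings.items()}


def summarize(findings):
    """Render findings as lines suitable for the management summary report."""
    return [f"{kind}: {len(users)} account(s) -> {', '.join(users) or 'none'}"
            for kind, users in findings.items()]


if __name__ == "__main__":
    for line in summarize(audit_accounts(SAMPLE_ACCOUNTS)):
        print(line)
```

The script deliberately skips disabled accounts so that an already-offboarded user does not inflate the findings; if your policy also requires evidence that disabled accounts were deprovisioned within a set time, add that as a separate check rather than widening the inactivity rule.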

Outline Your GRC Audit Plan Next

If you have identified PIPEDA compliance as a concern, don’t simply sit with your worries. Develop a GRC audit plan to review your company’s safeguards and processes this year. Before you launch the program, discuss it with your executives to explain the benefits and request their support for closing issues promptly.

Written by Nelson Cicchitto