Data Security Controls
Data security controls are any parameters used to protect and safeguard data within your company. You can use them on an individual level (to protect personnel files) or at a larger scale (to protect sensitive corporate information). Such controls can take the form of policies, rules, systems, or any other mechanism that serves to guarantee compliance. Controls conducted outside of a system are called manual controls, whereas controls configured within a system to detect, prevent, or correct problems are referred to as application controls.
Examples of data security controls
Data security controls come in a wide variety of control sets and types. One example is data leak prevention, also known as data loss prevention. This is usually a software or hardware device that scans live packets coming into and out of your environment. This control type has several drawbacks, including the use of SSL decryption in some instances. However, with newer cloud service offerings provided by AWS and Google Cloud, SSL decryption does not always have to occur.
Data security compliance
Data security controls often refer to the “CIA” triad: Confidentiality, Integrity, and Availability of the data. Let’s look at each one.
Confidentiality refers to data being made available only to authorized personnel. Think about access controls (described in detail below).
Integrity refers to data being correct and free of any manipulation or tampering. Think about an employment contract that needs to be signed. This is sensitive information, and you need assurance that it has not been manipulated or tampered with in any way (think about the possible fraud risk associated with something like this).
“I need it, and I need it NOW.” This is the availability concept. When you need information, it is readily available. Think about possible disruptions to a system. Availability addresses the need for a contingency plan for such disruptions, to ensure uninterrupted service delivery.
Some security practitioners also refer to these types of controls as IT security controls, depending on who you are speaking with, since most of these controls are implemented by an IT security team or a DevSecOps team. One of the most well-known IT security controls is “Access Controls,” which ensure that only people who need access to a certain piece of data, or environment, have access to it. Access controls can include a variety of sub-control types. In a typical environment, this includes both physical access (access to an actual office space) and virtual access (access to systems, tools, and software used by the organization). Access controls include the process that governs access provisioning (i.e. how a new user gets permission to a system, which would be by means of completing a checklist, obtaining approval, and having an IT head/Security manager provision this access), as well as additional security layers for existing users, such as ensuring MFA is enabled and enforced for all environments.
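
The provisioning steps and the MFA requirement described above can be checked mechanically against access records. The following is an added example, not code from the original article; the record fields, role names, and sample data are assumptions constructed for illustration, and the self-approval check is an extra assumption beyond what the article states.

```python
from dataclasses import dataclass
from typing import Optional

# Roles allowed to provision access (hypothetical names for the
# "IT head / Security manager" mentioned in the text).
PROVISIONER_ROLES = {"it_head", "security_manager"}

@dataclass
class AccessGrant:
    user: str
    system: str
    checklist_done: bool
    approved_by: Optional[str]       # None = no approval on record
    provisioner_role: Optional[str]  # role of whoever granted the access
    mfa_enforced: bool

def audit_grant(g: AccessGrant) -> list[str]:
    """Return the provisioning and MFA gaps found for one grant."""
    findings = []
    if not g.checklist_done:
        findings.append("checklist incomplete")
    if not g.approved_by:
        findings.append("no approval on record")
    elif g.approved_by == g.user:
        # Assumption added here: approving your own access counts as a gap.
        findings.append("self-approved")
    if g.provisioner_role not in PROVISIONER_ROLES:
        findings.append("provisioned outside IT head/security manager")
    if not g.mfa_enforced:
        findings.append("MFA not enforced")
    return findings

def audit(grants):
    """Map (user, system) -> findings, listing only grants with gaps."""
    report = {}
    for g in grants:
        findings = audit_grant(g)
        if findings:
            report[(g.user, g.system)] = findings
    return report

# Constructed sample records (not real data).
SAMPLE = [
    AccessGrant("alice", "hr-db", True, "bob", "it_head", True),
    AccessGrant("carol", "hr-db", True, None, "it_head", True),
    AccessGrant("dave", "payroll", False, "dave", "helpdesk", False),
]

if __name__ == "__main__":
    for (user, system), findings in audit(SAMPLE).items():
        print(f"{user}@{system}: {'; '.join(findings)}")
```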