ISACA Vancouver SUPPORTS Information and Privacy Commissioner’s Submission on PIPA Modernization

ISACA Vancouver, an organization of nearly 500 IT security, IT audit, governance and risk professionals throughout the BC mainland agrees in principle with the recommendations pertaining to the modernization of the Personal Information Protection Act (PIPA)  proposed by Elizabeth Denham, Information and Privacy Commissioner for British Columbia. In particular, amendments to harmonize PIPA to other existing and forthcoming privacy legislation in Canada and abroad is useful and would be productive for our members who work in the area of IT compliance.

In addition, ISACA Vancouver also agrees with the Commissioner that mandatory customer notification of breach of private information within a reasonable time period makes sense for society as a whole. Breaches are now ubiquitous, and going public to both customers and the Commissioner, in itself, no longer spells reputation disaster, but rather, demonstrates proper corporate governance, and prudent damage mitigation on behalf of the victims whose data have been breached. Further, such a provision would also bring PIPA more in line with customer notification laws currently present in 47 US states, and with existing or forthcoming privacy legislation in Albertan and Canadian federal jurisdictions.

Six WISE Ways to Stop Identity Theft

by Michael Argast, TELUS

Criminals steal billions of dollars from people and businesses every year – identity theft is a key tool in their arsenal. By stealing personal information from your mail, online accounts or directly through scams, they are able to impersonate you to open up new credit card accounts in your name, steal money from your bank account or even take over your identity. Following a few simple steps will help reduce the risk of your money and life being stolen – learn these tricks and teach them to your friends and family.

1.      Protect your mobile phones, tablets and computers with strong passwords.

Your mobile devices often have a plethora of personal data – contacts, address books, banking information, private notes. If your phone or computer is stolen, and not password protected, it is easy for a criminal to go through these devices and steal your information. Worse, they can use your phone to impersonate you and attack your friends and families with scams. Unfortunately, device theft and loss is very common – it is estimated that one in three people will lose a mobile phone, computer or tablet this year. Locking your devices with passwords, encrypting them and using remote wipe software if lost or stolen can dramatically reduce the risk.

2.      Check your credit report, bank statements and credit card statements regularly.

If criminals have managed to steal your identity, they will still need to open credit accounts in your name to cash in. Regularly checking credit reports will help spot these before the situation gets out of hand. Also, regularly check your credit cards and bank statements for erroneous charges – often criminals will try to place small charges (less than $10) in order to verify an account is active and to avoid raising suspicion.

3.      Shred your financial paperwork or other documents with your name, address and personal information.

Examples include preapproved credit card offers, bank or investment statements, loan applications, government correspondence. Shredding these before disposal will help prevent ‘dumpster diving’ – criminals who go through garbage to steal information. Also – make sure your mailbox is secure – criminals love easy pickings like externally attached mailboxes. Instead, get a mailslot that allows the mail carrier to push your mail into your home beyond the reach of criminals. If you have a post office box which is outside and out of view, consider getting as much mail through secure online correspondence instead of paper correspondence to reduce the risk of theft.

4.      Be cautious when shopping online.

Don’t follow links in emails, and stick to well known, reputable online stores. Make sure that when browsing to these sites that you are using a HTTPS connection – look for the ‘lock’ icon. Avoid shopping on public wifi networks where it is easier to sniff your traffic and intercept your credentials. Use different, strong usernames and passwords for different websites, and when possible, avoid having your credit card stored online on these sites.

5.      Don’t give your information out over the phone.

Scammers regularly use phone calls as a way of getting your credit card or other private details. They can call up with convincing stories – your computer being infected, being a relative traveling and needing assistance, even your phone company or credit card company. The elderly are particularly susceptible to these forms of attacks, and attackers can collect information online from social networks to seem more plausible. If you need to deal with a service provider, hang up when you get called and call them back – at a number on your bill or on their website, rather than one provided by an attacker on the phone.

6.      Share these tips with friends and family.

People don’t like talking about money, but it is important to talk about how to keep your money safe. Take the time to share these and other tips with your friends and family, so they don’t fall victim to scams. It will help you all sleep better at night.

To continue to learn more about wise Internet and smartphone use, take a minute to register on the TELUS WISE virtual community:

  • Go to
  • Select [Register] at the top right hand of the screen
  • Enter your email address as your user name
  • You will receive an email to confirm your registration
  • Click on the link provided in the email

You will be prompted to create a password.

You now have access to TELUS WISE: a secure site that provides you and your family with ongoing access to helpful media articles, resources, courses and discussion forums. If you have any questions don’t hesitate to contact us at

Securing our Critical Infrastructure – Protecting Society, What’s My Role?

by Jim Attridge, Manager, Cybersecurity BC Hydro and Power Authority

Security and privacy are two areas that have faced an immense challenge in the face of continued technological advancement over the last thirty years. The pace of change and the rate at which we develop amazing new ideas to communicate and share information seems to stay constantly ahead of our ability to control it very well. When the Internet became prevalent, most companies chose simply to block it. Business needs prevailed and soon adjusted to allow filtered access, controlled and monitored centrally.

Today, we face an array of new challenges: Smart phones that serve the purpose of both corporate and personal use; and companies that provide cloud storage and services associated with user identities that are used for both corporate and personal use, such as Google Docs and Apple iCloud; and, an ever-growing expectation that companies will not just tolerate these new ways of sharing but embrace them and integrate them with existing corporate services.

The controls we look at need to be nimble, mature and effective. These three elements can be daunting to combine to fully meet business requirements. Whenever it is done well by organizations, it is because security and privacy are brought in as core requirements of communication platforms, not as an addendum. There are four broad elements that need to be brought to the table for security and privacy to be properly treated:

  1. Governance and Policy – clear ownership and stewardship by senior levels in the organization around what is permitted and what is not, backed by a solid foundation of legal, technical, acceptable use, financial, and service level policy and process.
  2. Data Classification – An organization cannot protect data without knowing what data it possesses, where it exists and its importance to the organization that holds it and its customers. Personally identifiable information and critical infrastructure data are both equally sensitive but have completely unique requirements around access – in terms of risk, legal and compliance. Until data is properly classified it cannot be effectively protected.
  3. Technical Controls – Ensuring your data is protected according to your policy is a wonderfully complex problem to solve. Encryption of data at rest and in transit is just the start. Just as important are robust access controls and process around the data, effective authentication methods that are appropriate to the degree of risk, and tools to detect unauthorized access or misuse of data – just to name a few.
  4. Monitoring and Follow up – One control that needs special focus is the ability to monitor access to the data and the systems that interface with the data. Having the right tools and processes to effectively maintain your policies though monitoring is key. Having people that know what to do with the monitoring data is even more important. Too often monitoring controls are not effectively coupled with a cohesive strategy to manage your data access policies.

For companies to successfully deploy these new services in a way that satisfies the workforce as well as meeting security and privacy needs, it is ever important that security be brought in as a legitimate stakeholder in these initiatives. This is the only way these four key tenets can be effectively integrated into an overall business solution that meets everyone’s needs.

9 WISE Tips on How to Use Your Smartphones Securely!

by Michael Argast, TELUS  

Today, people use smartphones for everything – banking, social networks, games and shopping lists. It is critical to protect your devices which when lost or stolen can provide a wealth of information to identity thieves or those who would do us harm. Here are a few quick tips from TELUS on how to use these devices securely.

1. Choose a strong password Many people use a weak password, or no password at all, on their smartphones. Stealing your smartphone yields data from your address books to email, but also provides unfettered access to any commonly used apps including your social networks, banking sites and more. A thief can not only steal your information but also impersonate you, posing a risk to your friends and family. Always use a strong, complex password and ensure that your device auto-locks after a short period of time. * A tip for parents – ensure that your children understand that passwords are not to be shared – while parents have a good reason to know their children’s passwords, others do not.

2. List your emergency contacts Take advantage of favourite lists to ensure that emergency contacts are easily reachable, on your phone and the phones of your children. Make sure your kids phones have your number and the number of another trusted adult if they can’t reach you in case of an emergency. You can also put an alternate number on your lockscreen so that if you misplace your phone, it is easy for someone to locate you and return it.

3. Install or activate remote lock/wipe/locate software on your phone Most current phone software supports features that enable you to easily, and remotely, lock, locate and delete/wipe your phone if lost or stolen. While many people think it won’t happen to them, the unfortunate truth is that one in three smartphone owners will lose or misplace a phone this year. Criminals are increasingly targeting valuable phones for theft. Making sure that your phone is easy to wipe ensures that you only lose your phone and not your identity.

4. Turn off geotagging/location awareness where not needed Geotagging uses the GPS on your phone to insert location information into photos or other content you share on social networks and with friends. Turning on and off geotagging only takes a few taps of the finger. Many apps and games will continue tracking your location even when not in use, leaking your whereabouts whether you want them to or not. Geotagged photos can reveal where you live or where your children are unintentionally – turning the tagging feature off on your camera when not necessary helps keep your location private.

5. Be cautious in using wi-fi Many applications on your phone will send passwords and sensitive information in the clear, and on wi-fi networks, anyone with a little expertise can pick that information right off the air. Make sure you don’t share personal or private information over public wi-fi networks. Check your phone settings to ensure that it doesn’t connect to wi-fi networks automatically, and turn off wi-fi on your phone when not needed. Many smartphones will automatically join networks without you being aware of it, leaking information accidentally. Restricting this will save your data and also save your battery. * Pro-tip – consider using a VPN (virtual private network) client on your phone, which will ensure that your communications never cross a wi-fi network in the clear.

6. Choose applications carefully Often free applications pay for themselves with ads, or sometimes even by grabbing and selling your data to third parties. Buying from your phone manufacturers or service providers app store will help provide a little protection from these insidious apps, but be selective and cautious regardless. Also, be aware that many free games will use techniques to trick your children into making in-app purchases – look at your settings carefully to prevent these purchases and unexpected charges.

7. Be aware of the risk of using Bluetooth Similar to wi-fi, phones can often be unwittingly hijacked using Bluetooth. Disabling Bluetooth when not needed or in use, and restricting Bluetooth to pre-defined devices, will secure your data and also save your battery.

8. Back up your phone, often You might have copies of your home computer’s hard drive, but do you have your phone backed up? Photos, notes, important memories are all stored on a pocket sized device – don’t lose these memories when you lose your phone. Back it up, and check to ensure your back-up is working.

9. Erase and/or reset your device when upgrading Before you donate your old phone, ensure you wipe the data. Erasing is one simple step to ensuring the next owner of that hand-me-down doesn’t end up with all your personal information. Resetting the device can be a more thorough method than erasing – check your phone manufacturer’s support site for recommended steps to ensure all your data is permanently removed.

TELUS WISE To continue to learn more about wise Internet and smartphone use, take a minute to register on the TELUS WISE virtual community:

  • Go to
  • Select [Register] at the top right hand of the screen
  • Enter your email address as your user name
  • You will receive an email to confirm your registration
  • Click on the link provided in the email

You will be prompted to create a password. You now have access to TELUS WISE: a secure site that provides you and your family with ongoing access to helpful media articles, resources, courses and discussion forums. If you have any questions don’t hesitate to contact us at

BC Privacy & Security Awareness Day – Social Media: How can I possibly protect my personally identifiable information?

by Jesse Miller, Mediated Reality


With the increase of social media websites and mobile applications, the Internet introduces the use of online communications to a world of youth, adults, communities, and corporations creating a continuing archive of our everyday lives. Youth use social media to connect the events of their daily lives and in turn make the experience of identity formation a public series of documented photographs and online dialogue – this content can be viewed by friends, community members, employers, family, and various forms of media who may choose to optimise the content to facilitate front-page news.

The trends become dialogues about the impacts of online events and the value of online privacy is one where the majority of users, who have had a moment where they feel that privacy has been violated via social media, tend to reflect reactively compared to proactively as it applies to online sharing. Communications via social media become a juggling act as many users maintain multiple social media accounts on various platforms. Our dialogues as it applies to social media awareness focuses on the primary normative forms of online sharing and the websites and trends that become popular and widely known tend to be the platforms most discussed. With the frequency of negative online events heard via media and community dialogues, these platforms become the most feared by parents and educators when applied to how youth use mobile technology and social media sharing. The online sharing of mundane and seemingly benign events of a day (meals, a coffee break, new outfits etc.) the conversations around privacy should extend the necessity of social media sharing.

Many people would not invest an economic value into social media sharing – specifically to social media that involves trivial events. When surveyed, those users of social media who would not commit a dollar everyday to a social media platform to share “selfies” or pictures of food to a list of friends and followers tend to equate that the sharing of excessive personal information online may have larger end costs compared to a dollar a day. When prompting conversations about the value of privacy, especially with youth in mind, the conversation about values of privacy as it applies to online sharing can become a conflict for parents and teachers. If the same adults who wish to guard youth from over-sharing online are inclined to motivate youth to establish a value of privacy, the introduction of the values of appropriate and acceptable online sharing as it applies to schools, family, and the expectation of parents should be of primary concern.

In application to real life situations, many parents should consider equating real-life events to the mediated social media world – if an individual at a bus stop began to ask questions to your child, commenting on their appearance, or even asking to follow your child, what would reactions from parents be? As it applies to youth online, many have numerous unknown followers and connections where there is a constant threat to negative influence and guidance. These students willingly connect due to an inflated sense of value in allowing others to follow you – popularity is equated to the attention or number of likes and even with private content online, the ability for others to share your content via social media becomes an uncontrollable variable.

The value of privacy on social media should become a conversation with parents, educators, and community leaders with these leaders all playing roles in dialogues with youth – focusing on learning how to deal with the potential misuse of personal information. Our current response is complete with advocates, politicians, and groups vying to claim protection of children from predators, when over the past few years, we have seen a number of events where youth become their own worst enemies in over-sharing essentially targeting each other and distributing inappropriate content online sourced from their peer group.

Within Canada we are starting to see legal response where government and advocates tend to focus on the issue of predators and this focus distracts from the actual privacy issue as it applies to the online behaviours of youth on the Internet and the use and abuse of private information. As a society, we can address the social media issues related to teens and privacy but awareness is key to solving the larger problems. As parents, educators, and as users of social media ourselves, we need to be more proactive about educating each other and protecting our privacy on the Internet as it applies to sharing, with a focus of not resting our laurels on privacy settings alone.

Industry Experts and Political Leaders are Meeting in BC’s Beautiful Capital City of Victoria to Discuss Issues Relating to Privacy & Security on February 5, 2014

Join us on Facebook or Twitter to get the scope from our panel of experts.

Welcome Addresses are offered by:

 Edward Pereira President ISACA Vancouver

Edward Pereira President ISACA Vancouver

 Marianne Alto Acting Mayor, City of Victoria & Director, Capital Regional District

Marianne Alto Acting Mayor, City of Victoria & Director, Capital Regional District

 Honourable Andrew Wilkinson Minister of Technology, Innovation and Citizens’ Services

Honourable Andrew Wilkinson Minister of Technology, Innovation and Citizens’ Services

 Elizabeth Denham Information & Privacy Commissioner British Columbia

Elizabeth Denham Information & Privacy Commissioner British Columbia

 John Proctor Vice President Global Cyber Security CGI

John Proctor Vice President Global Cyber Security CGI

 Erwin Martinez Chief Information Officer Coast Capital Savings

Erwin Martinez Chief Information Officer Coast Capital Savings


There will be a panel discussion to provide the media with materials they can use to inform the public with regard to the privacy and security challenges each of us face as the lines are blurred between the personal and public realm and our world becomes increasingly entangled with the digital realm. The British Columbia Privacy & Security Awareness Day Panel will be comprised of the following participants who will also make themselves available at a press conference from 3-4pm at the Victoria Conference Centre on February 5, 2014. Biographies of each member of the panel can be viewed at the ISACA Vancouver web site.

Moderator: Michael Argast, Director of TELUS Security Solutions Western Canada

Michael is the Director of TELUS Security Solutions practice for Western Canada, joining in May 2011. As Western Canada’s largest security organization, TELUS’ fast growing security team provides wide ranging solutions from governance, risk and compliance consulting, PCI auditing, security technology acquisition and implementation, managed security services and security outsourcing.As the moderator, Michael will ask each panelist to explain to the audience:

Who are you? Who do you work for? What do you do? What is your privacy and/or security issue/realm? Why you are here today and why is this BCPSAD is initiative important to you?

Panelist: Jesse Miller, Mediated Reality

Panel Topic: Social Media + Cyberbullying: How can I possibly protect my personally identifiable information?

Privacy awareness as it applies to social media has become so much more than a user settings protocol or private account comfort blanket. Privacy awareness on social media requires the user to become aware of their network, to mitigate risks by sharing minimal content openly, learning about the platforms they use and how those platforms use provided information. The importance for British Columbians as it applies to personal privacy online today, is to learn how far their message can be shared online, who’s using the content shared (and for what purpose) and to begin to recognize that the value of personal and private information online is just as significant to others who might exploit the content as it is to the user who has yet to have a social media incident or moment where they have felt violated.The  importance for adult users is to recognize the value of the content we are sharing online, especially if that content involves our children.

Panelist: Pierre McConnell, International Association of Financial Crimes Investigators (Western Canada Pacific, IAFCI) President & Senior Investigator with the Financial Crimes & Fraud Management Group, TD Bank Pacific Region

Panel Topic: Financial Crimes – How bad is it and what can anyone do?

In my role as Financial Crimes investigator, I have seen first-hand the abhorrent damage & devastation caused to so many victims who have suffered, and continue to suffer at the hands of crafty criminals. In my fast approaching 35 years in the field, the loss size & number of victims has never been so great due largely to offenders’ fast, easy and anonymous access to un-protected cyber space. The current electronic threat cannot be fought alone; individual & corporate privacy & security awareness of such threats is the cornerstone to any ground breaking successes against social engineers who prey on victims.

Panelist: Jim Attridge, Manager, Cybersecurity BC Hydro and Power Authority

Panel Topic: Securing our Critical Infrastructure – Protecting Society, what’s my role?

The defense of mission-critical infrastructure like British Columbia’s power grid is key to maintaining our quality and life and keeping the economic engine of the province running for all British Columbians. Jim will highlight the importance for employees of all organizations to be on guard and ever vigilant in an age when the lines between home and work have become so blurred.

Panelist: Sharon Polsky, President Privacy & Access Council of Canada Panel

Panel Topic: Privacy Law & Balancing Privacy & Security Concerns

Traditional information risk management strategies typically approach security and privacy as separate and distinct domains. Organizations are realizing that they are integrally interconnected and interdependent. Indeed, security and privacy can only be fully effective when they are in proper balance.Sharon will explore the ways in which data protection and privacy intersect through emerging laws, technologies and global trends.

Panelist: Carlos Gil, Director of Security Architecture and Security Compliance at TELUS

Panel Topic: Mobile Security

As one of Canada’s three major wireless service providers, TELUS has a unique perspective when it comes to the proliferation of wireless devices both from a customer and service provider perspective.In recent years, TELUS has embraced a flexible work styles strategy which would never have been possible without a highly efficient mobile workforce. As many other organizations seek to gain efficiencies and remain competitive by extending their reach over wireless networks, there are many issues around privacy and security that must be considered. An empowered and efficient work force that enjoys work/life balance is one thing, but delivering unfettered wireless access in a way that protects the company and its employees data from both a privacy and security perspective is another.Carlos will highlight some of the implications for both businesses and employees as society seeks to embrace mobile technologies both at home and at work.

Panelist: Naima Salemohamed, UVIC Student

Panel Topic: How do young people feel about privacy?

Youth today understand how to set up and control their privacy, but do not understand the ramifications and potential implications of not controlling one’s privacy. They need to understand and see examples of privacy intrusion and how it can have a direct impact on them and society at large.