News and events

Quebec's new Law 25 on protecting personal information will reach a new implementation stage on September 22, 2023.

As a brief reminder, this law requires all organizations and businesses to protect the personal information of Quebecers and report any theft of personal information to the information access commission.

As a customer, we'd like to suggest a few key questions to help you understand the potential work project to be implemented and the technological adjustments that may be required.

First of all, what is sensitive information?

Any personal information of an employee, customer, supplier or partner with whom you exchange information.

More specifically, personal information is any information that unambiguously identifies a specific individual.

If you store and manage this information on your internal or hosted servers, you must ensure that this data is adequately protected against theft through cybersecurity intrusion or unauthorized dissemination.

What steps should I take to structure my in-house intervention project?

Briefly, here are the steps to be covered by your project:

1. Draw up an inventory of all the data stored by your company. It's essential to understand which data are sensitive and less critical.
2. Identify your company's points of vulnerability. Points of vulnerability include insecure access points, open ports on firewalls, entry points for phishing attacks, etc.
3. Establish clear and precise internal security policies. These policies should include guidelines on the use of strong passwords, restrictions on access to sensitive data, rules for the automatic deletion of old sensitive data, etc.
4. Implement appropriate security measures. Security measures can include firewalls, intrusion detection systems, antivirus software, encryption systems and regular backup protocols, etc.
5. Train your employees in good security practices. Employees need to understand the importance of data security and how to act in the event of a security incident.
6. Implement a security incident response plan to manage security situations, including malicious intrusions, data loss and security breaches.

Why is the CTRL Group a strategic partner for you?

Firstly, from a software point of view, the CTRL Management Solutions application platform already includes advanced functional and information security functionalities, enabling you to control access to and sharing of all sensitive information.

This same platform also offers an audit trail that enables you, if necessary, to quickly identify the source (who, when, what) of any unauthorized information sharing, so you can assess its level of severity and take appropriate action in relation to the information access commission.

Secondly, in terms of equipment, our IT Technologies division offers you all the technical services you need to fully support your efforts to overhaul and upgrade your IT infrastructure to meet the requirements of the Law 25. These services include the following:

• Identify and list your current access vulnerabilities.
• Present you with recommendations for technological adjustments and a game plan in the form of a clear and precise business proposal.
• Support and advise you in the development of your internal policies and best practices concerning the management of your sensitive data.
• Act as a trainer for your employee groups in applying the policies and best practices you have established.
• Support and advise you in the development of your cybersecurity incident action plan.

Be ready for the second milestone of the Law 25. Don't hesitate to contact us for more information.