All projects are assigned one of three levels of information security: standard, enhanced, or obsessive. Once the security level is assigned, team members review the policies and procedures they are expected to follow. At minimum, all projects have the standard level of security. When personal information is involved, we add layers, such as the use of an encryption tool. Scroll down to review the three information security levels and their corresponding processes.
We use these documents and tools to support our data security policy:
- Statement of Adherence: on a regular basis (every 3 months) each team member is asked to review and sign this statement
- Research Agreement: for projects that handle personal information, the principal researcher will review and sign this agreement
- Encryption Tool: for projects that require data encryption, we rely on nCrypted Cloud.
Effective January 1, 2015
LogicalOutcomes often works with personal and confidential data that is protected under Canadian privacy legislation (e.g., PIPEDA). LogicalOutcomes hires consultants from many different countries, working independently on their own computers and in their own offices. It is therefore most important to treat confidentiality and information security as a core process for the organization. LogicalOutcomes has developed the following information confidentiality and information security procedures. The written procedures will be made available to clients, who will make their own determination as to whether the procedures meet their requirements. In this fashion, clients will have the responsibility of deciding their level of security.
LogicalOutcomes has developed and adopted three levels of information security: Standard, Enhanced and Obsessive. The level of information security is determined based on individual project requirements. The level of security that will be employed is based on clients’ information security preferences as well as Canadian legislation.
LogicalOutcomes will assure the Standard level of security on all projects. Enhanced or Obsessive security procedures are added on top of Standard level security procedures to achieve the desired level of information security. The procedures in Enhanced and Obsessive levels may be customized by LogicalOutcomes to meet the information security needs of specific projects.
- ENHANCED LEVEL OF INFORMATION SECURITY: For higher security projects, LogicalOutcomes provides Microsoft Office 365 accounts for project team members, more rigorous management of confidential documents, and extra training on security. We will randomly audit projects for compliance with security procedures.
- OBSESSIVE LEVEL OF INFORMATION SECURITY: For confidential data on vulnerable individuals (including service users) we ensure compliance with the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) and go through an annual audit by an internal auditor or security consultant.
Process: Establish effective data security environment
Process control: Policies and procedures for the administration of security are documented, approved and communicated
LogicalOutcomes has implemented data security requirements and procedures to safeguard personal and sensitive information. These requirements and procedures are communicated to all contractors via this manual, referenced in the Independent Contractor Agreement, and reinforced through the periodic statement of adherence to data security. LogicalOutcomes also provides ongoing instruction to its contractors on sharing and managing information, to ensure that security is not compromised.
To ensure an effective data security environment, LogicalOutcomes has taken the following measures:
- Use of reputable cloud service providers
- Password protection (log-in and documents)
- Multi-factor authentication
- Using tools for safe sharing
- Managing access rights
A proper mix of security procedures is applied depending on the sensitivity of the information, the desired level of security and the client’s requirements. LogicalOutcomes manages, stores and communicates information primarily in Office 365, relying on the security procedures adopted by the service provider and employing additional security tools to ensure information safety. The use of other communication, sharing or management tools is preapproved and communicated to contractors before any information is exposed.
- Statement of confidentiality;
- All Independent Contractor Agreements are signed by the contractor and the President of LogicalOutcomes and stored within Corporate files for future reference.
Process: Use Office 365 to manage project information
Process control: All confidential documents are stored and managed on OneDrive for Business
To ensure proper data management and reduce the risk of exposing sensitive information while it is being exchanged, LogicalOutcomes requires information to be stored, managed and edited in OneDrive for Business as much as possible. By doing this, LogicalOutcomes reduces the exposure of information to external threats during transfer between team members. The information is accessible to team members only, and any exchange via e-mail, Skype, or other instruments is unnecessary.
Process control: Access to OneDrive for Business and SharePoint is assigned as necessary
This control procedure ensures that only project owners and contractors involved in the project have access to specific documents and/or SharePoint team sites, as deemed necessary for each project. The users able to view, manage and alter documents and project information are thereby limited.
The control is performed as follows:
- Project Owner identifies the project team.
- The System Administrator receives a list of users to be granted access to OneDrive for Business folders or files, and/or SharePoint team site(s).
- System Administrator grants permissions, and confirms via e-mail to the Project Owners this has been done.
Process Control: Monitoring of access rights
Management periodically assesses IT security vulnerability through supervision and review of user accounts, permissions and access rights. The System Administrator is primarily responsible for managing permissions, and is responsible for the periodic assessment of each project. The System Administrator will notify the Project Owner when a team member's permission status changes and when a team member is added to or removed from the project or team site.
Process Control: Restrict access of contractors after project completion
When a project has been completed, the System Administrator will mark the project as closed, and will remove the access rights of all members except for Global Administrators and Project Owner. Reducing the access to historical project information to a small number of individuals significantly reduces the risk of information misappropriation due to identity theft or change of intentions of team members. The proper management of members’ access rights is part of the project closure procedures. Confidential documents and key documents, such as contracts, proposals and deliverables, will be archived in Corporate files, within LogicalOutcomes’ OneDrive for Business. Tools and documents that do not contain confidential information may be shared with contractors and others if permitted by the terms of the project contract.
Process: Encourage contractors to use personal data security tools
Process control: Contractors use up-to-date antivirus software and strong passwords for logging into Office 365 and tools used for sharing information
Periodically, all contractors sign a statement of adherence to data security. The statement requires contractors to confirm that they use up-to-date antivirus software and strong passwords for access to LogicalOutcomes information.
Password strength is a measure of the effectiveness of a password in resisting guessing and brute-force attacks. In its usual form, it estimates how many trials an attacker who does not have direct access to the password would need, on average, to guess it correctly. The strength of a password is a function of length, complexity, and unpredictability.
For all work related to LogicalOutcomes, passwords should:
- Be at least 10 characters long
- Use upper and lower case and numerals, without sequences like “ab”
- Include special characters
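
The rules listed above, expressed as an automated check. This is an added example, not LogicalOutcomes' own tooling; reading “special characters” as ASCII punctuation and “sequences like ‘ab’” as any two adjacent ascending letters or digits (case ignored) are assumptions, and the check does not reproduce Password Meter's scoring.

```python
import string

MIN_LENGTH = 10  # "At least 10 characters"
# Assumption: "special characters" means ASCII punctuation.
SPECIALS = set(string.punctuation)
# Assumption: a "sequence like 'ab'" is two adjacent characters that are
# consecutive in a-z or in 0-9, ignoring case ("ab", "Xy", "45").
RUNS = (string.ascii_lowercase, string.digits)


def find_sequences(password):
    """Return the index of each adjacent pair that forms an ascending sequence.

    Indices are returned instead of the characters themselves so that
    password fragments never end up in logs or error messages.
    """
    return [
        i for i in range(len(password) - 1)
        if any(password[i:i + 2].lower() in run for run in RUNS)
    ]


def check_password(password):
    """Return the list of rules the password violates (empty list = pass)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 10 characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no numeral")
    if not any(c in SPECIALS for c in password):
        problems.append("no special character")
    if find_sequences(password):
        problems.append("contains a sequence like 'ab'")
    return problems


if __name__ == "__main__":
    # Constructed sample passwords, for illustration only.
    for sample in ("Tr7!vQ9#mZe2", "Password123!", "short1A"):
        result = check_password(sample)
        print(len(sample), "chars:", "OK" if not result else "; ".join(result))
```

A password that passes every rule here can still be predictable, so the check complements rather than replaces the Password Meter rating.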
LogicalOutcomes encourages the use of Password Meter for testing password strength. When testing strength, contractors should ensure that all passwords used for LogicalOutcomes rate at least “Sufficient” in the Password Meter. Everyone working with LogicalOutcomes should test their passwords for related work using the Password Meter. Contractors must not use the same password for non-LogicalOutcomes work.
Two mandatory rules for LogicalOutcomes passwords are:
- Never use the “remember me” option to save your passwords on your computer (see LastPass for secure storage of passwords)
- Use a different password for different applications
Enhanced level of information security is employed when clients have stronger requirements for information security and confidentiality. This level of security is enabled at the discretion of the President of LogicalOutcomes or the Project Owner. Enhanced level of information security includes all processes and controls applied in Standard level of information security and the additional processes and controls described in this section. Its purpose is to employ additional security to the standard tools for securing data.
Process: Multi-factor authentication in Office 365
Process control: System Administrator enables Multi-factor authentication for all project members
Multi-factor authentication (MFA) is a security system that requires more than one form of authentication to verify the credentials of the user. Multi-factor authentication combines two or more independent credentials: what the user knows (password), what the user has (security token) and what the user is (biometric verification). LogicalOutcomes has chosen to use the first two independent credentials. When multi-factor authentication is enabled, every time a contractor logs in to Office 365 they are asked to provide their password (first credential) and a unique code sent to their mobile phone, landline or authentication app (second credential). This creates a layered defense and makes it more difficult for an unauthorized person to access information by compromising login credentials.
Process: Confidential project documents are stored in OneDrive for Business
Process control: Ensure that all confidential project documents are uploaded to a project site that has Office 365’s at-rest encryption
Office 365’s OneDrive for Business and SharePoint have built-in data security tools: encryption at rest, which protects your data on Office 365 servers, and encryption in transit with SSL/TLS, which protects data transmitted between personal computers and Microsoft. In combination with multi-factor authentication, this protects documents against online theft and hackers. It also enables auditing using Office 365’s Data Loss Protection tools (see the Office 365 Trust Center).
Process: Provide appropriate training to users (contractors and clients) on the use of data security techniques and tools
Process control: An appropriate training plan is built into individual projects
In order to provide personal information security, LogicalOutcomes will ensure that all participants understand the security needs of the project and have sufficient knowledge to use the data security tools described in this manual. LogicalOutcomes will tailor an appropriate training plan before the project begins and will also ensure that all participants receive data security guidance throughout the project.
Obsessive level of information security is the most complex level of security employed at LogicalOutcomes. It is based on the requirements of the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA).
The Obsessive level of information security includes all processes and controls described in the standard and enhanced levels of information security, with the following processes and controls added.
Process: Policy and procedures for management of personal survey information are documented, approved and communicated
- The purpose of collection of personal information is identified at or before the time of collection;
- Consent of the individual is obtained prior to collection, use or disclosure of personal information;
- The collection of personal information is limited to that which is necessary for the purposes identified by the organization;
- Personal information is used and/or disclosed only for the purposes for which it was collected, except with the consent of the individual or as required by law;
- Personal information is retained only as long as necessary.
Process: Survey information containing sensitive personal information is accessible only by contractors with training in research ethics and/or Canadian citizens or residents, or members of professional organizations.
Process control: Access to sensitive survey information is available to LogicalOutcomes contractors who have (1) completed training in research ethics or data security processes and (2) are Canadian citizens or residents OR are registered members in good standing of an internationally credible professional organization with an established code of ethics and complaint procedures
Research ethics training addresses issues such as misuse of information, the ethical responsibility maintained towards participants, and the duty to protect the rights of people in the study as well as their privacy and sensitivity. LogicalOutcomes considers that members who have taken research ethics training are less likely to put the confidentiality of sensitive information at risk. The President of LogicalOutcomes researches the credibility of the professional organization and approves the contractor's inclusion in the research team.
Process control: Perform training in research ethics and data security
In certain cases, LogicalOutcomes recommends training programs on research ethics and data security to promote ethical behavior in its contractors and ensure that sensitive research information is properly protected.
Process: Protection of survey data during storage and transfer
Process Control: Use of FluidSurveys in combination with nCrypted Cloud for protection during storage and transfer
LogicalOutcomes has selected FluidSurveys as its survey tool because of its security practices and the fact that data is stored on Canadian servers. LogicalOutcomes maintains two FluidSurveys accounts: a development account, which is used for designing and testing surveys, and a production account, which is used to collect actual survey data. LogicalOutcomes provides limited access to the production account, as further described in this policy.
When data is transferred from FluidSurveys to Dropbox (i.e. through an automation), it is secured by Secure Sockets Layer (SSL) encryption. The data must be downloaded to a folder that is encrypted using nCrypted Cloud. Encrypted folders containing downloaded FluidSurveys information must only be shared securely with other users who have nCrypted Cloud installed.
Process: Confidential project documents are encrypted using a key that is not accessible by Microsoft
Process Control: Use nCrypted Cloud to secure documents stored and shared via OneDrive for Business and Dropbox
nCrypted Cloud is a program that adds a layer of encryption security on top of cloud storage providers like Dropbox and OneDrive for Business. Document owners control who has access. nCrypted Cloud also provides secure sharing of files and folders, with options for setting passwords when sharing, setting rights to view or edit files, setting an expiration time for access, and other security features. LogicalOutcomes contractors will use nCrypted Cloud when storing, sharing or downloading sensitive information via OneDrive for Business and Dropbox.
Process control: Use the at-rest encryption provided by Office 365 to encrypt fields in SharePoint lists
The encrypted list application allows encryption and decryption of selected fields of SharePoint lists. SharePoint lists are used to summarize important data (e.g. survey results). By encrypting fields containing sensitive information, the SharePoint list will be accessible only to the users that possess the decryption key.
Process: Passwords and encryption keys are securely shared
Process Control: Use LastPass to securely share passwords and encryption keys
Passwords and encryption keys are used when encrypting and decrypting password protected documents. Passwords and encryption key security is an important part of the data security process. An appropriate tool for sharing passwords and encryption keys, approved by LogicalOutcomes, is LastPass. Contractors can download the free version at LastPass.com.
Once LastPass is installed, its settings must be updated so that a password prompt appears every time the contractor’s browser is opened and every time the contractor’s computer goes idle. This is done by following these steps:
- Click the LastPass icon (top right) > Preferences > General
- Enable ‘Automatically Logoff when all browsers are closed and Chrome has been closed for  mins’
- Enable ‘Automatically Logoff after idle  mins’
All LastPass users must ensure these settings are updated, to protect against theft or loss of computer, and other people using a contractor’s computer (like friends or family).
Process: Proper receipt of sensitive information
Process Control: Contractor(s) respond promptly to encrypt information and delete e-mail
Contractors of LogicalOutcomes may not forward or send sensitive information via e-mail. Any forwarding or sending of personal information covered under PIPEDA is a violation of LogicalOutcomes policy.
In certain cases, sensitive information may be received by e-mail (e.g. forwarded from a client).
If personal information is received via e-mail, the measures to be taken to secure the data are as follows:
- The file must be added to an encrypted folder immediately: OneDrive for Business, or Dropbox. The folder can then be shared with team members as appropriate.
- The e-mail must be deleted immediately.