What we did
Implemented new, more secure ways to communicate and exchange confidential documents with IIROC-regulated firms.
How we did it
On September 1, 2014, completed implementation of a new encryption e-mail exchange service for the transmission of confidential, private or sensitive information between IIROC and regulated firms.
Why it matters
Protection of personal information is critical to investor protection and confidentiality is required due to the sensitive nature of regulatory information.
What we did
Continued to strengthen security environment and protocols, especially in light of the evolving cyber-security environment.
How we did it
Continued information security vigilance employing a strong security governance structure, aligning our information management and security framework to the International Organization for Standardization (ISO) 27001 security standard and utilizing artifacts from the National Institute of Standards and Technology (NIST) and the SANS Institute.
Developed and implemented new policies and enhanced existing policies, and put in place corresponding supports and controls.
Completed audits of targeted IT operating environments to ensure compliance with policies and procedures.
Completed mapping and classification of data by department.
Enhanced staff capabilities by strengthening security awareness including mandatory training, phishing tests and distribution of “quick reference” cards to all staff.
Selected and implemented new advanced malware protection software, USB port lockdown, reporting tools and a 24x7 Managed Security Services agreement to enhance security posture.
Why it matters
Proactive measures strengthen the security and protection of IIROC assets and data entrusted to us.
What we did
Improved enterprise risk management (ERM) processes.
How we did it
Implemented improvements including enhanced verification of mitigation controls, formal semi-annual reviews, increased ERM training and updated risk categories.
Why it matters
Identifying and mitigating potential risks is key to ensuring IIROC operates efficiently and effectively in discharging our mandate.
What we did
Implemented an internal audit function.
How we did it
Executed the full audit plan for the first year of the internal audit function with all initial recommendations addressed or with implementation underway. Four internal audits were conducted examining processes, policies and controls.
Why it matters
Serves as a valuable tool to ensure our healthy evolution as an organization. By looking at how we do things, internal audits help strengthen internal controls and improve efficiency.