Who we are
PI Lifecycle Management
The ISDM Society significantly limits the risk of a personal information (PI) or personal health information (PHI) breach by limiting the information that is available on the ISDM Society website.
Personal Information (Member Accounts) – Only the necessary information to contact members is stored in their user accounts (such as name, work organization, work phone number, emails). Once a member is associated with the ISDM Society, the ISDM Society is responsible for de-associating the member when their membership is terminated. The ISDM Society monitors user accounts for inactivity, and at its own discretion may inactivate user accounts at any time.
SSAE 16 Type II Certified Data Centre – The ISDM Society website is hosted in a state-of-the-art data centre located in [Country], with highly secure and redundant IT infrastructure. The data centre is Type II certified under the SSAE 16 standard (or the equivalent CSAE 3416 and ISAE 3402). This means that the ISDM Society website data centre has undergone independent, in-depth audits of control activities, including how hosting and network technologies are managed.
Facility Access Controls – The data centre holding PI is locked and guarded, and can only be accessed by authorized personnel. Monitored closed circuit television systems and onsite security teams vigilantly protect the data centre around the clock, while military-grade pass card access and biometric finger scan units provide even further security.
Data Centre Stability – Onsite diesel-powered generators and uninterruptible power systems (UPS) deliver redundant power if a critical incident occurs, so that all operations are uninterrupted and servers remain online. Infrastructure is regularly tested to make sure it performs as designed in the event of an emergency. The heating, ventilation and air conditioning (HVAC) systems have full particle filtering and humidity control. The climate within the data centre is maintained according to ASHRAE guidelines. This ensures that our servers are functioning at their best.
Backup – The ISDM Society stores regular backups with copies of the member data, stored locally and at a secondary data centre.
Workstation Use – ISDM Society employee workstations are access protected with a strong password and an automated timeout lock, have their disks encrypted, and are loaded with the most recent OS security patches.
Secure Login – Members sign in through a secure, encrypted login page. When a username or password is entered incorrectly, the ISDM Society website uses login attempt delays, a three-attempt limit, and CAPTCHAs to prevent brute-force login attacks. Stored passwords are hashed and salted on the website servers, so that passwords cannot be recovered even in the event of a data breach.
Passwords – All ISDM Society members that use the website are required to have secure passwords to access it (a password meter rates each password as weak, medium or strong, and every password must rate at least medium to log in). ISDM Society employees and executive committee members also use highly secure passwords for accessing the website and all of the website's supporting technology (such as servers).
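The Secure Login and Passwords controls above (salted password hashing, login attempt delays, a three-attempt limit followed by a CAPTCHA, and a weak/medium/strong meter) are shown together in the following added example. It is illustrative code written for this page, not the ISDM Society's implementation; the PBKDF2 work factor, the delay schedule, the meter thresholds, the names `LoginGuard`, `rate_password` and `hash_password`, and the sample account are all assumptions or constructed data.

```python
"""Login hardening sketch: salted password hashing, a weak/medium/strong
password meter and a per-account attempt limiter. Added example with
constructed data; parameter values are assumptions, not the site's settings."""
import hashlib
import hmac
import os
from typing import Optional

PBKDF2_ITERATIONS = 600_000   # assumption: PBKDF2-HMAC-SHA256 work factor
MAX_FAILED_ATTEMPTS = 3       # the page's "three-attempt limit"
BASE_DELAY_SECONDS = 2.0      # assumption: delay doubles after each failure


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$digest_hex' for storage.

    A fresh random salt per account means two members with the same password
    produce different records, which defeats precomputed hash tables."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def rate_password(password: str) -> str:
    """Meter based on length and character classes (thresholds are assumptions)."""
    classes = sum(
        1 for test in (str.islower, str.isupper, str.isdigit)
        if any(test(c) for c in password)
    )
    if any(not c.isalnum() for c in password):
        classes += 1
    if len(password) < 8 or classes < 2:
        return "weak"
    if len(password) < 12 or classes < 3:
        return "medium"
    return "strong"


# Hash of a random string, verified against for unknown usernames so that the
# response time does not reveal whether an account exists.
DUMMY_RECORD = hash_password(os.urandom(16).hex())


class LoginGuard:
    """Tracks failed attempts per username, enforces a growing delay between
    attempts and, after MAX_FAILED_ATTEMPTS, requires a solved CAPTCHA."""

    def __init__(self, user_records: dict):
        self.records = user_records       # username -> stored hash string
        self.failures: dict = {}          # username -> consecutive failures
        self.next_allowed: dict = {}      # username -> earliest permitted time

    def attempt(self, username: str, password: str, now: float,
                captcha_ok: bool = False) -> str:
        """Return one of 'ok', 'failed', 'delayed', 'captcha_required'.
        `now` is injected (seconds) so the schedule can be tested without sleeping."""
        if now < self.next_allowed.get(username, 0.0):
            return "delayed"
        if self.failures.get(username, 0) >= MAX_FAILED_ATTEMPTS and not captcha_ok:
            return "captcha_required"
        stored = self.records.get(username)
        ok = verify_password(password, stored if stored is not None else DUMMY_RECORD)
        if ok and stored is not None:
            self.failures.pop(username, None)
            self.next_allowed.pop(username, None)
            return "ok"
        count = self.failures.get(username, 0) + 1
        self.failures[username] = count
        self.next_allowed[username] = now + BASE_DELAY_SECONDS * 2 ** (count - 1)
        return "failed"


if __name__ == "__main__":
    # Constructed sample account; not a real member.
    guard = LoginGuard({"sample.member": hash_password("Correct-Horse-9x")})
    print(rate_password("Correct-Horse-9x"))
    print(guard.attempt("sample.member", "wrong", now=0.0))
    print(guard.attempt("sample.member", "Correct-Horse-9x", now=1.0))   # still delayed
    print(guard.attempt("sample.member", "Correct-Horse-9x", now=5.0))
```

The two points worth taking from the block are that the salt and iteration count are stored alongside the digest so the work factor can be raised later without a forced reset, and that the limiter keys on the account rather than the client address, so the three-attempt limit holds even when guesses arrive from many sources.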
Access Based on Least Privilege – Members do not have access to their logs and/or activities. They have access to their account information only.
Audit Controls – The ISDM Society website keeps detailed logs of logged in user activities (such as account modifications and accessing the information on the website). At any time, users can view their own audit logs. Audit logs cannot be modified.
Automatic Logoff – The ISDM Society website automatically logs users off of the system after a determined period of inactivity (240 hours).
Secure Data Transmission – The ISDM Society website uses SSL 256-bit encryption when transmitting data. This is the strongest, most secure form of encryption that is generally available in Internet browsers on the market in North America today.
Firewalls – Restrictive firewall policies ensure that only approved traffic is allowed access to our servers.
Vulnerability Scans – The server administrator performs regular web application scans to ensure that there are no vulnerabilities.
Security Software Patching – The server administrator ensures that all supporting software used in the website (e.g., operating system) has the latest security updates at all times.
Secure Data Storage – In addition to the various safeguards in place to prevent access to data stored in the ISDM Society website, all personal information is encrypted so that in the unlikely event that the servers are accessed, any stolen data is useless without encryption keys.
Vulnerability Management – The server administrator performs regular vulnerability management scans to ensure that its IT system components (OS, software, etc.) are not vulnerable to attack.
Web Application Scanning – The server administrator performs regular web application scans which examine the website code for vulnerabilities (such as SQL Injection, XSS, CSRF, URL redirection, etc.). The ISDM Society performs a Web Application Scan on any new development code before it is released to its live website.
Malware Scanning – The server administrator performs regular Malware scans to ensure its servers are clean of infected files.
Code Repository – The ISDM Society website uses a sophisticated software code management system to store and track a complete history of all code used with the website. This provides many benefits, such as a) the ability to roll back software code to a previous version in the event that a problem is found after a go-live, b) an audit trail of the website functionality at any point in time, and c) continuity of code access and availability in the event of a disaster affecting the ISDM Society.
Breach Management – In the case that personal information or personal health information is accessed in an unauthorized manner, the server administrator investigates the event, resolves the root cause of the issue, and notifies the affected persons as per the Privacy Incident & Breach Management policy.