Security Assessment

Compliance Management


Fewer vulnerabilities, stronger compliance
Security Assessment, a leader in compliance services, has designed its vulnerability assessment methodology to maximize the effectiveness of its clients' compliance programs. To help its clients conform to the latest laws and regulations, Security Assessment developed an extensive knowledge base on thousands of compliance rules derived from laws and regulations, governance requirements and codes of ethics such as PIPEDA, PHIPA, HIPAA, Sarbanes-Oxley, and the ASA Code. Each deliverable produced as part of a vulnerability assessment explicitly contributes to one or more of the compliance requirements applicable to a client's business. With Security Assessment, an organization can identify with confidence any security vulnerabilities lurking in its information systems and, at the same time, immediately determine how these vulnerabilities impact the organization's compliance status.

How serious is today's compliance environment?
Compliance rules make both a service provider and its clients responsible for the protection of an individual's personal information. This means that your clients can be liable for a compliance violation on your part.
Furthermore, an official complaint lodged against your business by just ONE unhappy customer may cause you to fall under the scrutiny of the Privacy Commissioner and the public. Bad things can, and in time will, happen to your business. Lack of readiness will only make things worse for you. There are many tragic tales from companies that were not prepared. Here is one typical example:

 

Medical Records put on a Toronto real estate flyer

The flyers, with pictures of houses for sale on one side and a woman's mammogram and pelvic exam results on the other, were among a batch of 10,000 that were put in Toronto mailboxes.
The printer's staff used scrap paper to do a test run. The medical results that were contained in recycled paper bought in bulk got mixed up in the final run by mistake.
Ontario privacy commissioner Ann Cavoukian called the incident a wake-up call for all companies:
"If I were on the board of directors of any firm and heard this type of story, I would immediately call my CEO and ask, 'Are we at risk? What procedures do we have in place?'"

- The Toronto Star, February 21, 2003.
 


What you need to do to comply with current privacy laws
You must start and maintain a compliance program for your business that, at a minimum:
1. Recognizes which laws and regulations are applicable to your business
2. Contains a comprehensive set of compliance policies and procedures
3. Provides ongoing compliance training for your staff
4. Communicates your compliance practices to interested parties
5. Includes quarterly reviews and annual compliance audits.

How you can initiate the right compliance program for your business
There are seven essential phases:
Phase 1: Assess the impact of applicable laws and regulations on your organization.
Phase 2: Appoint a Compliance Officer and establish a Compliance Team.
Phase 3: Execute compliance agreements with employees and third parties; obtain consent from individuals.
Phase 4: Develop standard operating procedures and implement controls to ensure they are followed.
Phase 5: Draft privacy/security policies and prepare communication materials.
Phase 6: Conduct employee training sessions on compliance policies and procedures.
Phase 7: Conduct quarterly compliance reviews; respond to complaints; monitor new legislation.

Feeling overwhelmed? Here is the solution you are looking for: the C3P™: Connect-Collaborate-Comply Program™
Security Assessment's C3P is a proven program designed to relieve Canadian businesses of the burden of compliance. With C3P's extensive content, flexibility, and single, low price, your organization builds its compliance framework on a high quality, easily customized, and cost-effective foundation. The C3P resides on Security Assessment's Connect-Collaborate-Comply platform (or the C3™ System), a full-featured infrastructure designed to support the compliance needs of Canadian enterprises. There are no technical requirements to use the system, since it can be accessed via any Web browser through a secure connection. The C3 System allows any organization the flexibility to choose its level of participation, as well as the option to upgrade plans at any time without penalty.

Security Assessment Compliance Process


Contact Us to book your free no obligation appointment and review how our services can benefit your business in detail.  
Copyright 2005, Security Assessment Inc.™ All rights reserved.