Ducore Expertise Inc. is a medical assessment services company. It provides rapid access to medical expertise and consulting services for corporations, government agencies, insurance providers and the forensic community. The nature of its services requires it to handle confidential information. The level of sensitivity (or perception of sensitivity) associated with the information generally exchanged makes it essential for its team to properly understand and define relevant data as well as potential risks to the company’s operations.
The primary purpose of this policy is therefore to maximize the security of Ducore Expertise’s information assets. This policy has a direct impact on resulting security controls and on the organization’s sound management of operations, customer service and data.
This policy includes privacy, availability and integrity strategies for information assets, as well as the company’s ability to manage personal data.
Keeping this policy up to date is essential, as is proper implementation and follow-up on an annual basis or during a significant change as it might have an impact on it.
Information assets: A set of data contained in a physical medium or technology solution. A patient’s file, a database and a web page are all good examples of information assets.
Confidentiality: Protecting information assets from being accessed by unauthorized parties. This control is generally controlled by access management mechanisms based on recognized governance frameworks such as HIIPA, ISO or NIST.
Integrity: Maintaining and ensuring the accuracy and completeness of information assets over its entire lifecycle. An informational asset with integrity must be kept on a medium that provides stability and sustainability.
Availability: Enforcing an information asset remains accessible to an authorized person in a timely and required manner. Availability is generally based on contractual agreements with suppliers.
Information Lifecycle: A set of steps that information assets take, from their creation to their preservation or destruction, registration, transfer, consultation, processing and transmission.
3. Legal Framework
Ducore Expertise builds on the strategic data security management and safety rules found at Health Canada and the Quebec Secrétariat du Conseil du trésor.
The purpose of this policy is to formalize Ducore Expertise’s commitment to its information security obligations. It is limited to information assets found in our environments and under our control.
More specifically, it maximizes the understanding of strategic security rules throughout an information asset’s lifecycle, including its availability, integrity and confidentiality.
This security policy provides a strategic direction and is not a technical document. Additional technical details are available in our technical directives.
This policy applies to all Ducore Expertise’s staff, regardless of their status. Managers, employees, consultants, partners and suppliers who consult or use information assets or data (held for performing our duties) are covered by this policy.
6. General principles
6.1 Information protection
a) Ducore Expertise adheres to our governments strategic information security policies and objectives. We remain committed to ensuring that our information security practices are, where possible, consistent with recognized secure practices, both domestically and internationally.
b) Ducore Expertise recognizes that the information held is essential for its day-to-day operations and, as a result, must be subject to constant evaluation, appropriate use and adequate protection. The level of protection is generally established to simplify operations, but in some specific cases it is based on their importance, confidentiality and the potential risk of incidents.
c) The security of our information assets is supported by an ethical approach to ensuring individual control and accountability.
6.2 Protecting personal information
a) Ducore Expertise only collects personal information directly related to our services and activities.
b) Ducore Expertise is required to inform individuals (from whom it collects personal information) about the purposes for which it will be used.
c) Personal information is only used for administrative purposes and will be retained long enough to allow an individual to exercise his right of access to that specific information.
d) Ultimately, personal data not necessary for sound management of our services will be destroyed on a predetermined schedule and based on sensitivity of projects, clients or needs; these calendars may vary.
6.3 Protecting confidential information
a) All confidential information must be protected from inappropriate or unauthorized disclosure, access or use.
b) This includes all personal information and any information that would affect clients and operations.
6.4 Technology equipment
a) Equipment used by Ducore Expertise when receiving, transmitting or backing up data are secured to an acceptable level.
b) Equipment verification includes communication systems such as e-mails, databases and telecommunications equipment necessary for the sound management of the organization.
c) The equipment will be kept up to date within a reasonable time and according to the availability of updates provided by the manufacturers of these equipment and solutions.
6.5 Security awareness and training
a) Ducore Expertise has the responsibility, on a regular basis, to educate and train its users on the safety of information assets, the consequences of an information attack and on their personal role and obligations.
6.6 Right to examine
a) Ducore Expertise exercises, in accordance with applicable legislation and regulations, a right of review over all use of its information assets.
7. Key stakeholder obligations
This policy sets out the obligations assigned, among other things, to the President, managers and users.
a) President: The organization’s chief of security assists stakeholders in defining strategic directions and responses to priorities, especially during incidents.
b) Managers: Responsible for implementing the principles of this policy with staff under their authority.
c) Technology experts: Responsible for implementing security controls supporting this policy and our technical directives.
d) Users: Must comply with this policy and the rules that apply to their activities by signing a commitment.
Other roles and responsibilities can be assigned depending on particular projects and situations. Regardless of their status and role, concerned stakeholders have the same responsibilities to this policy.
8. User obligations
Every user has an obligation to protect information assets made available to them by Ducore Expertise. They minimally must:
a) Be aware of, adhere to, and commit to complying with this policy and other standards of conduct by signing this policy;
b) Only use available information assets within their formal access rights and for performing their duties;
c) Comply with security measures implemented on workstations and any other equipment utilized and not to change or disable configuration elements;
d) Conform with legal requirements for the use of products and for which intellectual property rights may exist;
e) Immediately report to his superior any act that may constitute a real or suspected breach of security and any anomalies that could adversely affect the protection of information assets.
a) The President approves and ensures the implementation of this policy.
b) This policy comes into effect on September 1, 2020 and will be revised at least once a year.