Introduction
ThreatLocker's tools can assist your organization when you are working towards becoming PIPEDA (Personal Information Protection and Electronic Documents Act) compliant. ThreatLocker can be used to satisfy specific Principles and can assist in meeting other Principles by providing supporting tools and information.
Summary
PIPEDA’s 10 fair information principles form the ground rules for the collection, use and disclosure of personal information, as well as for providing access to personal information. They give individuals control over how their personal information is handled in the private sector.
How ThreatLocker Can Assist
4.7 Principle 7 — Safeguards
“Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.”
- ThreatLocker can be used to satisfy this requirement. Allowlisting, Ringfencing™, Elevation Control, Storage Control, and Network Control work together to protect data and systems through the implementation of a zero-trust security environment.
4.7.1
“The security safeguards shall protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification. Organizations shall protect personal information regardless of the format in which it is held.”
- ThreatLocker meets this requirement as Storage Control limits what files may be accessed by which users, and what actions may be permitted. Additionally, Storage Control prevents unauthorized duplication and/or transmission of data as specified by the organization.
4.7.2
“The nature of the safeguards will vary depending on the sensitivity of the information that has been collected, the amount, distribution, and format of the information, and the method of storage. More sensitive information should be safeguarded by a higher level of protection.”
- ThreatLocker allows configuration of policies governing each file, directory, user, system, network, and/or resource. A user's access to files, systems, and applications is restricted or authorized based on the permissions assigned to each element, ensuring that only authorized users have access to the appropriate resources, and only in the manner the organization prescribes. An application's access to data can also be specified: you can configure policies so that only specific applications can access specific data locations (e.g., permit access to backup files only to your backup application).
4.7.3 (b)
"The methods of protection should include:
organizational measures, for example, security clearances and limiting access on a “need-to-know” basis"
- ThreatLocker helps establish a least-privilege data access policy by starting from a zero-trust model and then allowing only the required access, and only the modes of use or operation appropriate to each user, file, or application.
4.7.3 (c)
"Technological measures, for example, the use of passwords and encryption."
- ThreatLocker meets this requirement as Storage Control limits what files may be accessed by which users, and what actions may be permitted. Additionally, Storage Control prevents unauthorized duplication and/or transmission of data as specified by the organization. Storage Control can be used to enforce encryption on removable media. ThreatLocker Configuration Manager can be used to enforce password complexity requirements, including length and age, on ThreatLocker-protected devices.
4.7.5
"Care shall be used in the disposal or destruction of personal information, to prevent unauthorized parties from gaining access to the information."
- ThreatLocker can assist in meeting this requirement as the Unified Audit creates an audit log of all actions made by users, the SYSTEM account, or applications in your environment, including those concerning file access, alteration, and deletion. ThreatLocker does not have visibility into file contents, which further protects data privacy.
Updated 4/24/23