The Program Coordinator will periodically undertake to identify and assess the reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records of the Company that contain personal information. The Program Coordinator will do this at least annually or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing personal information.
This assessment will include but not necessarily be limited to:
• identifying the paper, electronic and other records, computing systems, and storage media, including laptops and portable devices, that the Company uses to store personal information;
• identifying what Personal Information is collected, kept and used, and for what purposes;
• identifying which Company employees have access to Personal Information and for what purposes; and
• assessing the internal and external risks to the security of that information.
Based upon this assessment, the Program Coordinator will evaluate and where necessary improve the effectiveness of the Company’s safeguards for limiting the internal and external risks to the security of that information, including but not limited to:
• developing and implementing security policies and procedures;
• periodic training of relevant employees (including temporary employees and contractors) with respect to the Company’s information security policies and procedures;
• ensuring employee awareness of and compliance with this Program and Policy and any other policies and procedures concerning the protection of Personal Information, including but not limited to periodic distribution of this Program and Policy and other relevant policies and procedures;
• implementing means for detecting and preventing security system failures; and
• encouraging timely reporting of information security failures or risks.