Supported by:

FP7
Celtic
Information Society Technologies

Security


It is essential for PII to define its Security Policy and disseminate it to all people concerned: PII organization, partners, customers, PII personnel, sub-contractors.
 
The Security Policy should preferably be detailed in a specific document entitled “PII Security Policy” which must be approved, periodically reviewed and updated by the PII Office.

The ISO 17799:2005 standard may serve as a reference framework for establishing the “PII Security Policy” document.

A Security Policy gives all stakeholders the assurance that important assets and exchanged information are correctly protected against any intentional or accidental threats from the inside or from the outside of the PII Federation.

  • Availability: Guaranteeing access to a service, data or resources (as stated in a contract).
  • Confidentiality: Protection of data whose disclosure to unauthorized third parties could be harmful; non-disclosure of data of a confidential nature.
  • Integrity: Guaranteeing that no operating errors or unauthorized users have impaired the accuracy and exhaustiveness of the data; no corruption of the information.

Other principles can also be addressed, for example:

  • Authentication: Confirming a user's identity, i.e. guaranteeing for each party that their partners are truly who they think they are. An access control (e.g. an encrypted password) grants access to resources only to authorized individuals.
  • Access control: Ensuring that users access only those resources and services that they are entitled to access.
  • Non-repudiation: The guarantee that none of the parties involved can deny an operation at a later date.
  • Privacy: Ensuring that individuals maintain the right to control what information is collected about them, how it is used, who has used it and for what purpose it is used.

References

D4.2  
