Canada Life
Internet security

Canada Life has an Information Security Policy, and a series of supporting standards, in effect to protect our systems and client data. These are subject to scheduled updates dependent on industry and regulatory requirements. Daily risk/threat monitoring is conducted as part of the Information Security Canada office. Assessment, follow-up and response are also conducted as part of the process. Additionally, a threat risk assessment methodology is applied in selecting and applying security solutions. The methodology is qualitative and applies a risk matrix for impact and likelihood, modeled after industry-standard risk templates.


Under the direction of Information Security Canada, security control measures are formally defined and implemented, based on the CobiT Controls Framework. Examples include physical security, centralized security administration, appropriate methods of authentication and reviews, server and infrastructure hardening practices, data protection measures based on information classification standards, intrusion prevention/detection and monitoring mechanisms, and a flow control subsystem that includes firewalled security zones.


A formal Risk and Compliance division together with the Canada Technology Executive Steering Committee (CTESC) provides governance and compliance management for I.S., including Information Security. The Risk and Compliance team reports directly to the EVP, I.S., and is led by the AVP TECHNOLOGY RISK & LIFECO CANADA CISO. An executive business steering committee provides direction for security. A team of Certified Security Officers and Analysts performs Security Office functions.


The Information Security Program is based on a formal security strategy and architecture and is composed of:

  • A formal Information Security Canada team of security professionals, under the direction of the CISO
  • Threat monitoring (daily risk/threat monitoring is conducted as part of the Information Security Canada discipline)
  • Vulnerability assessments, follow-up and response (network perimeter, platform and application targeted)
  • Incident response (focus on containment and eradication)
  • Mandatory security reviews in development and implementation methodologies, including third-party vendor reviews
  • Security consulting and formal threat risk assessments, using industry-standard risk templates
  • Awareness and training
  • Best practice security technologies

The Canada Life Group Retirement Services website supports 256-bit encryption on versions of Microsoft Internet Explorer, Google Chrome and Mozilla Firefox.


Web Security Overview

Canada Life Group Retirement Services (GRS) protects its internal network from the internet using a system known as a firewall. A firewall is a device that controls the connections to and from the internet so that only trusted connections are allowed to its servers. The firewall also logs every connection attempt made (whether successful or not) in order to provide an audit trail should legal action be required against an attempted connection from an untrusted source.


Once a connection has been made to our server for the purpose of exchanging confidential or personal information, a valid username and password are required in order to continue. The username and password ensure that only valid users of the service are allowed to obtain access to the information, and that each user can see only the information to which they should have access. It is important to note that this authentication mechanism relies on the customer to keep their account and password information confidential at all times.


Once a connection has been made and the user has been authenticated, all confidential and personal information that is sent across the internet is transmitted in an encrypted format using an encryption protocol called SSL/TLS. By encrypting the data transmitted between the browser and the server, the integrity of the data can be assured. The customer can verify that they are connected directly to the server, that the information they are sending and receiving cannot be intercepted or changed en route, and that they cannot be impersonated by another browser on the internet. Canada Life Group Retirement Services only allows 256-bit encryption, and customers must deploy 256-bit encryption; the customer requires a minimum version of a web browser that supports 256-bit encryption.


Connections between the web server and any databases that contain customer information are established over a private, secure network that is not accessible through the internet. Access to information is always controlled by the web server and the firewall.
