Canada Life has an Information Security Policy, and a series of supporting standards, in effect to protect our systems and client data. These are subject to scheduled updates dependent on industry and regulatory requirements. Daily risk/threat monitoring is conducted by the Information Security Canada office; assessment, follow-up and response are conducted as part of the same process. Additionally, a threat risk assessment methodology is applied in selecting and applying security solutions. The methodology is qualitative and applies a risk matrix for impact and likelihood, modeled after industry-standard risk templates.
Under the direction of Information Security Canada, security control measures are formally defined and implemented based on the COBIT controls framework. Examples include physical security, centralized security administration, appropriate authentication methods and reviews, server and infrastructure hardening practices, data protection measures based on information classification standards, intrusion prevention/detection and monitoring mechanisms, and a flow control subsystem that includes firewalled security zones.
A formal Risk and Compliance division, together with the Canada Technology Executive Steering Committee (CTESC), provides governance and compliance management for I.S., including Information Security. The Risk and Compliance team reports directly to the EVP, I.S., and is led by the AVP Technology Risk & Lifeco Canada CISO. An executive business steering committee provides direction for security. A team of certified security officers and analysts performs Security Office functions.
The Information Security Program is based on a formal security strategy and architecture and is comprised of:
- A formal Information Security Canada team of security professionals, under the direction of the CISO
- Threat monitoring (daily risk/threat monitoring is conducted as part of the Information Security Canada discipline)
- Vulnerability assessments, follow-up and response (targeting the network perimeter, platforms and applications)
- Incident response (focused on containment and eradication)
- Mandatory security reviews in development and implementation methodologies, including third-party vendor reviews
- Security consulting and formal threat risk assessments, using industry-standard risk templates
- Awareness and training
- Best-practice security technologies
The Canada Life Group Retirement Services website supports 256-bit encryption on versions of Microsoft Internet Explorer, Google Chrome and Mozilla Firefox.
Web Security Overview
Canada Life Group Retirement Services (GRS) protects its internal network from the internet using a firewall. A firewall is a device that controls connections to and from the internet so that only trusted connections are allowed to reach its servers. The firewall also logs every connection attempt (whether successful or not) to provide an audit trail should legal action be required in response to an attempted connection from an untrusted source.
Once a connection has been made to our server for the purpose of exchanging confidential or personal information, a valid username and password are required in order to continue. This username and password ensure that only valid users of the service are allowed to access the information, and that each user can see only the information to which they should have access. It is important to note that this authentication mechanism relies on the customer keeping their account and password information confidential at all times.
All confidential and personal information exchanged with the server, including the username and password used to authenticate, is transmitted in encrypted form using the TLS protocol (historically called SSL). TLS does more than encrypt the data exchanged between the browser and the server: the server proves its identity with a certificate, and every record carries an integrity check, so tampering in transit is detected rather than merely made harder. The customer can therefore verify that they are connected directly to the genuine server, that the information they send and receive cannot be read or changed en route, and that another party on the internet cannot inject traffic into or take over the established session. Canada Life Group Retirement Services only allows 256-bit encryption (that is, 256-bit symmetric cipher keys) and customers must use it; the customer therefore requires a minimum version of a web browser that supports 256-bit encryption.
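On the client side, the 256-bit requirement described above translates into a TLS configuration that offers the server only cipher suites with 256-bit symmetric keys, verifies the server certificate and hostname, and then checks what was actually enabled and negotiated. The following Python example is added here for illustration and is not Canada Life's code; the particular cipher-suite selection and the 256-bit threshold are assumptions, and it uses only the standard-library ssl module, so it runs offline. It also surfaces a caveat a practitioner should know: OpenSSL's TLS 1.3 suite list includes AES-128-GCM and cannot be restricted through this API, so a strict "256-bit only" claim has to be checked against the negotiated cipher, not just the configuration.

```python
import ssl

# Cipher-suite policy modelled on the "256-bit only" statement above.
# These are standard OpenSSL suite names; which ones to allow is an assumption.
ALLOWED_TLS12_CIPHERS = (
    "ECDHE-ECDSA-AES256-GCM-SHA384:"
    "ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:"
    "ECDHE-RSA-CHACHA20-POLY1305"
)
MIN_STRENGTH_BITS = 256  # assumed policy threshold


def build_client_context() -> ssl.SSLContext:
    """Client context that verifies the server certificate and hostname
    (the 'connected directly to the genuine server' property) and offers
    only 256-bit suites for TLS 1.2."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSL 3.0, TLS 1.0 and 1.1
    ctx.set_ciphers(ALLOWED_TLS12_CIPHERS)
    return ctx


def weak_ciphers(ctx: ssl.SSLContext, min_bits: int = MIN_STRENGTH_BITS) -> list:
    """Names of enabled TLS 1.2 (and older) suites whose symmetric key is shorter
    than min_bits. TLS 1.3 suites are excluded because set_ciphers() does not
    govern them; see tls13_suites()."""
    return sorted(
        c["name"]
        for c in ctx.get_ciphers()
        if c["protocol"] != "TLSv1.3" and c["strength_bits"] < min_bits
    )


def tls13_suites(ctx: ssl.SSLContext) -> list:
    """Enabled TLS 1.3 suites as (name, bits). OpenSSL enables
    TLS_AES_128_GCM_SHA256 by default and Python's ssl API cannot disable it,
    so the configuration alone cannot guarantee 256-bit keys under TLS 1.3."""
    return sorted(
        (c["name"], c["strength_bits"])
        for c in ctx.get_ciphers()
        if c["protocol"] == "TLSv1.3"
    )


def negotiated_meets_policy(cipher_info, min_bits: int = MIN_STRENGTH_BITS) -> bool:
    """Check the (name, protocol, bits) tuple that SSLSocket.cipher() returns
    after a real handshake; 'bits' is the key size the browser's lock dialog
    reports. A handshake on a pre-1.2 protocol fails the policy regardless of bits."""
    name, protocol, bits = cipher_info
    return bits >= min_bits and protocol in ("TLSv1.2", "TLSv1.3")


if __name__ == "__main__":
    default_ctx = ssl.create_default_context()
    strict_ctx = build_client_context()
    print("default context, sub-256-bit TLS 1.2 suites:", len(weak_ciphers(default_ctx)))
    print("strict context,  sub-256-bit TLS 1.2 suites:", weak_ciphers(strict_ctx))
    print("TLS 1.3 suites still enabled:", tls13_suites(strict_ctx))
    # Constructed handshake results in the shape SSLSocket.cipher() returns:
    print(negotiated_meets_policy(("TLS_AES_256_GCM_SHA384", "TLSv1.3", 256)))
    print(negotiated_meets_policy(("ECDHE-RSA-AES128-GCM-SHA256", "TLSv1.2", 128)))
```

To apply this to a live connection, wrap a socket with build_client_context().wrap_socket(sock, server_hostname=host) and pass sock.cipher() to negotiated_meets_policy(); an assertion there, rather than on the configured list, is what actually enforces the 256-bit claim for TLS 1.3 sessions.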
Connections between the web server and any databases containing customer information are established over a private, secure network that is not reachable from the internet. Access to information is always mediated by the web server and the firewall.