Privacy and Security Policies
Security Commitment
As enterprise software engineers and architects, Inovex has built a large number
of applications across many verticals, each with unique security needs. We remain
committed to delivering solutions that exceed those security needs. We maintain
high-quality software solutions by working closely with our clients and
following our well-defined SDLC. We believe that effective requirements
gathering and documentation at the design stage is the key to producing a
quality application that truly meets the client's security and privacy needs.
Inovex currently has applications in highly data-sensitive verticals, such as
healthcare and government, where the security and integrity of data are of
paramount importance.
To ensure that each piece of software we produce is completed with security
best practices in mind, we employ seasoned security consultants, who inspect
all software architecture and design prior to the development and implementation
stages. Holding CISSP and CISA certifications, they are qualified to complete
security reviews or security audits of our design documents against a set of
security requirements or criteria deemed important to our clients, or against
industry standards such as ISO 17799 or PIPEDA. The consultants produce a
detailed security review report that identifies findings and gaps and
recommends how those gaps can be rectified and the associated risks mitigated.
Privacy Principles
Inovex abides by the national and provincial legislation governing the
collection of data in the health sector, as specified by PIPEDA and PHIPA. We
employ seasoned consultants with years of experience ensuring that systems
adhere to governmental privacy regulations. Below is a summary of the privacy
principles, based on legislative requirements, that Inovex abides by:
I Accountability:
An organization is responsible for personal information under its control and
shall designate an individual or individuals who are accountable for the
II Identifying Purposes:
The purposes for which personal information is collected shall be identified by
the organization at or before the time the information is collected.
III Consent:
The knowledge and consent of the individual are required for the collection, use
or disclosure of personal information, except when inappropriate.
IV Limiting Collection:
The collection of personal information shall be limited to that which is
necessary for the purposes identified by the organization. Information shall be
collected by fair and lawful means.
V Limiting Use, Disclosure, and Retention:
Personal information shall not be used or disclosed for purposes other than
those for which it was collected, except with the consent of the individual or
as required by the law. Personal information shall be retained only as long as
necessary for fulfillment of those purposes.
VI Accuracy:
Personal information shall be as accurate, complete, and up-to-date as is
necessary for the purposes for which it is to be used.
VII Safeguards:
Personal information shall be protected by security safeguards appropriate to
the sensitivity of the information.
VIII Openness:
An organization shall make readily available to individuals specific
information about its policies and practices relating to the management of
personal information.
IX Individual Access:
Upon request, an individual shall be informed of the existence, use and
disclosure of his or her personal information and shall be given access to that
information. An individual shall be able to challenge the accuracy and
completeness of the information and have it amended as appropriate.
X Challenging Compliance:
An individual shall be able to address a challenge concerning compliance with
the above principles to the designated individual or individuals accountable
for the organization's compliance.
Policies and/or protocols respecting the protection of data from a privacy breach
Inovex has tools, infrastructure and processes to ensure that any attempted or
actual breach of privacy is handled in a very specific way in accordance with
its own internal management procedures aligned with the ISO 27001 standard.
ISO/IEC 27001 requires that management:
- Systematically examine the organization's information security risks, taking
account of the threats, vulnerabilities and impacts;
- Design and implement a coherent and comprehensive suite of information security
controls and/or other forms of risk treatment (such as risk avoidance or risk
transfer) to address those risks that are deemed unacceptable; and
- Adopt an overarching management process to ensure that the information security
controls continue to meet the organization's information security needs on an
ongoing basis.
Processes in place in the event of privacy breach
In the event of a privacy breach, the client is notified immediately and given
full disclosure of the incident in a written report. ISO 27001 defines an
overarching set of processes; Inovex takes these processes and customizes them
for each individual client based on their industry. For example, PIPEDA and HL7
for the healthcare industry contain very specific wording around the control and
transmission of data across borders. We must understand how we ensure
encryption to the required standards and what is to be done if we suspect a
breach, both in terms of process and in ensuring total transparency with the
client regarding any attempted attack or breach.