The CIO Strategy Council is inviting comments from the public on a proposed new edition of Canada’s national standard governing how organizations share data with third parties.
With the rapid growth of cloud-based platforms providing everything from email to payroll, organizations now share vast quantities of data with networks of vendors and suppliers. The standard, CAN/CIOSC 100-2:2020, sets out safeguards that organizations should follow to ensure third parties with access to their data have adequate security and privacy controls in place.
The CIO Strategy Council conducts maintenance on its standards annually to ensure they keep pace with rapidly evolving digital technologies. The Council’s Technical Committee on Data Governance, a cross-sectoral body of more than 100 experts, has approved several updates in the new version of the standard, which was first published in 2020.
“As a National Standard of Canada, CAN/CIOSC 100-2:2020 influences how organizations throughout the country in the public, private, and non-profit sectors control their data,” said Matthew MacNeil, the Council’s Director of Standards and Technology. “The proposed updates aim to ensure these protections reflect the latest developments in technology and the risks and benefits to sharing data with third parties.”
The proposed revisions align the standard with the globally recognized AICPA Trust Criteria.
Why It Matters
Organizations are increasingly receiving data inputs from multiple sources and using many software and cloud storage platforms that need access to their data. This increases their exposure to the growing threat of supply chain attacks that target enterprise technology companies whose systems are used by hundreds of other organizations. With large amounts of information being exchanged, the risk of accidental privacy breaches also grows.
Paul Vallée, CEO of cloud-based virtual workspace provider Tehama, says that concerns about cybersecurity and access to data have reached the highest levels.
“President Biden’s recent Executive Order addressing cybersecurity coincides with the critical work that the CIO Strategy Council is doing,” he said. “This update to the CAN/CIOSC 100-2 standard outlines robust requirements related to privacy controls for third-party access to data. These standards should be adopted by every organization that cares about protecting their data and the organizations, clients, and partners they serve. I urge everyone to read the proposed new edition and provide their feedback.”
The Council welcomes comments on the proposed draft from any interested party. Leave your comments before Nov. 29.