Canadian Anti-Spam legislation (Including software instalation) (Part II)

This blog is a continuation of a previous post concerning the new Canadian Anti-Spam Legislation (CASL). Part I can be found here.

This part will deal with how to prepare for this new legislation.

First of all, the question comes to mind on what should we do to prepare for this law. One must first understand that this law deals with ALL commercial electronic communication from companies, organizations, non-profits, individuals etc, that send out email and install software programs.

Lets take an example or three.

Your company has a booth at a trade show. You have a fish bowl at your booth for a prize draw. After the show, you take all the names of those people who entered the draw and add them to a mailing list. Then as you prospect these potential clients you send out an email soliciting for their business. Unless they have specifically 'signed' permission to allow you to do this (OPT-IN), your company can be found in contradiction of the law and be fined up to $5 million dollars.

Another example:

You have a web site where potential customers can download marketing material on the goods or services you provide. However, you require these web surfers to register before that material would be made available for download. At the bottom of the webpage you have a check box (which is already pre-checked for the user) allowing the company in question to email further updates. This case could be interpreted as being an OPT-OUT option because the check box is already prefilled. This would satisfy the CAN-SPAM Act (US) but would not be deemed complaint with the new Canadian law that requires an explicit OPT-IN option. And once again the company could be liable for millions of dollars in fines.

And one final example:

You bought a software application to be installed on your Smart Phone (or PC or IPAD or Mac or Tablet). When you start installing the package, there is no explicit consent to allow for the installation, therefore the software company would be liable. Also note that an End User License (EUL) acceptance may not be enough to satisfy the requirements.

Find below a few suggestions that, I believe, would help to start planning for compliance.

1) Take an inventory of all commercial messages that your organization is currently, or planning on sending out. This includes text messaging, Facebook campaigns, emails etc.

2) Discuss and create policies and guidelines that define what a Commercial Electronic Message (CEM) (as per CASL) is within your organization. If there are any exceptions that are applicable these should also be noted within the new policy.

3) Create an all-encompassing list of computer programs that your company directly, or indirectly installs on any electronic device.

4) If applicable, create a list of all computer products (and services) that your organization is involved with. This includes not only the initial software installation but any updates/upgrades that are part of your business process.

5) Discuss and create policies and guidelines that determine when your organization needs to obtain consent for installation of some software. Also note, while there are some exceptions (which should also be documented), all the information will need to be retained for review at a later date.

6) Review current consent that has been collected and see if it complies with the new legislation. If not, a process may need to be created to obtain consent using the new polices. This is further complicated because of the three year transition period mentioned within the law.

7) Document, create, clarify, create a process where the end user can agree to enter into a commercial arrangement, yet withhold consent to CEM.

8) Retain documentation/proof that a written consent was obtained. This includes date, time and manner of consent. Further consideration may also be needed if your organization allows for verbal consent rather than written. Given the strong penalties that can be doled out, every type of consent must be tracked.

9) Update the avenues of interaction between the organization and the end user to reflect the new polices (see above). This includes templates that are used to send out CEM, websites, social media etc. Also be aware that mandatory identity and contact information must be included in any future CEM.

10) Create a process so that the end user can rescind any previous consent. Remember that the withdrawal of consent must then also be forwarded to any third parties and associated companies, if applicable.

Consider the above as only a guideline on how to proceed. Again, I emphasize that this is not legal advice nor is it intended to be all encompassing. Every situation is different.

If you have any questions, concerns  feel free in contacting me.

Canadian Anti-Spam legislation (Including software instalation) A world wide concern (Part I)

 

 & Software Installation

 On July 1 2014 the new Canadian Anti-Spam legislation (CASL) will begin to be enforced(first of three phases). Why should I care if I live outside Canada, or what does it mean if I am a Canadian Business, or should I care if I am a SMB, as this is only  for spammers/the 'bad' guys?

Well you will be very surprised at the answers to these questions. So let’s get started.

One of the first things that most experts agree with is that the 'new' Canadian legislation/regulations is one of the strongest invoked anywhere in the world that is concerning commercial messaging.

But I am getting ahead of myself.  In the 1st part what is exactly CASL? In the best non-legal verbiage, CASL establishes the rules concerning commercial electronic messages (CEM). ALL  CEM, with exceptions (see below for some examples), must have explicit consent (OPT-IN) before the CEM is sent. It also deals with installation of software programs just to make things more interesting. (This last part is something that should worry software development companies. In fact I would hazard a guess that most software developers are not aware of this implication (more on this later)).

Now let’s try to address some of the not so obvious parts of this quagmire.

1) 'Well, this legislation deals with spamming, which we don't do' !!

Very wrong. It covers everyone, individuals, corporations, unincorporated businesses not-for profit organizations, and everyone else who sends messages for commercial purposes. And CEM is not only email, but Instant Messages, Facebook, Instagram, Twitter, SMS to name just a few. OH, by the way, it could also apply to telephone calls.

2) I am not located in Canada,why should I care?

The answer may surprise you. As long as either the sender or the RECEIVER of any CEM,  'lands' on a computer that is located in Canada,  is covered under the act. In the atmosphere of globalization, extraterritorial laws are becoming more and more prevalent. Examples abound in today's society. Just look at the EU Data Protection Directive. It has been argued as long as the information (PII) concerns a citizen of an EU country, the EU privacy legislation will apply, even though the company in question has no presence within the Europe Union. In fact the new regulation, EU's General Data Protection Regulation, that has been proposed and awaiting passing, explicitly mentions this. But I transgress. So being located outside Canada does not exempt you from the regulations.

3) Let’s dispel another issue. 

The US anti-spam legislation (CAN-SPAM ACT) replies on an OPT-OUT consent (it is assumed you want commercial email unless you say otherwise), CASL requires an OPT-IN consent. In fact, not only that, but sender information, consent requirements and contact info must also be listed as part of the notice/consent request. So even though your commercial email is designed to comply with the US rules, it will not be compliant with the Canadian regulations.

4) Provisions concerning installation of software programs in Canada. 

The legislation also covers consent concerning software programs that are installed in Canada, whether the person installing the program is located in Canada or Not (remote control of sites as an example). Even more about this later.

5) There are exceptions to the OPT-IN consent requirements. 

They are some exceptions for example, if the CEM concerns a requested quote or estimate for a service or product, help/confirm/complete a commercial transaction or provide warranty information. But be forewarned, the law does not have a very extensive exception list. There are some rules concerning implied consent as well. They include: if there is a business relationship within a period of time, if there is a written contract and is only valid for  a couple of years following termination of the contract or if there has been an inquiry made by the recipient in the prior six months.

6)  So can a check box fulfill the requirements of the legislation?

This actual gets a little sticky. There is no mention within either the legislation, or the regulations that were published in Dec 2013, that a check box OPT-IN would suffice. HOWEVER in a non-binding enforcement guideline, issued by the CRTC (Canadian Radio-Television Telecommunication Commission), it was suggested that a check box is not enough to comply with the requirement.

7) Additional Computer 'stuff'.

Previously I mentioned needing consent to install software on to a computer. The definition of a computer is more all encompassing that you may think. It includes smart phones, tablets, or in fact any computer based device. Now there are some exceptions to this. Certain classes of programs are exempt. The list includes cookies, operating systems, java scripts, sub-routines, HTML code, etc. Also I would be remiss if I did not mention that installation of programs like anti-virus software can also be an exception to the regulation requirments, but only if it was done by, or for,  a telecommunication service provider[1]. Also, a one shot program to fix an issue may be an exemption.

8) EUL (End user License).

There is nothing about EUL within either the legislation or regulation concerning CASL However, the CRTC issued an non binding guideline, that accepting a EUR is in itself can not to be considered explicit consent. Rather a separate agreement dealing with consent needs to be created for review and acceptance by the end user. In that way the consumer can refuse or give informed consent.

In my next blog, I will be dealing with additional items to consider and what should companies do to prepare for CASL.

In the mean time, if there are issues (non legal advice) you may want me to address, questions you may have feel free in contacting me

I also invite you to review my other blog posts concerning Data, Security and Privacy.

Please note, do not consider this  legal advice, nor does it address individual circumstances. These blog entries are solely for the purpose to address generalized questions concerning the subject. I STRONGLY suggest that you do your due diligence concerning this matter.

[1] A service, or a feature of a service, that is provided by means of telecommunications facilities, whether the telecommunications service provider owns, leases or has any other interest or right respecting the telecommunications facilities and any related equipment used to provide the service.

Small/Medium Business and Security/Privacy exploration

In this blog entry I want to explore the effects and the threats surrounding the small business realm and how it is effected by concerns of security and of course indirectly privacy.

But first some numbers.

1) Targeted attacks destined for Small  Business (1 to 250 (employees) accounted for 31 percent of all attacks, compared with 18 percent in 2011, an increase of 13 percent [1]

2) According to the National Federation of Independent Businesses, as many as 30% of an average company's employees do steal, and another 60% will steal if given a motive and opportunity.[2]

3) Almost three-quarters (72%) of data breaches investigated by Verizon Communications’ forensic analysis unit were focused on companies with less than 100 employees.[3]

And the list goes on. But I hope you get the idea.

In fact, depending on the source of data, there is no difference between the security issues of large organizations and small & medium business (SMB) (under 1000 employees).

Both types of businesses rely on computerize ‘everything’, to support their ongoing commercial and not for profit endeavors, never mind using social media for commercial marketing etc.. Both (large and SMB), for the most part, have web sites, use email, store information within databases containing commercial/proprietary information, financial positions (bookkeeping) etc. The employees also have access to various types of data (including those mentioned above), and can carry around that information on smartphones (bring your own device (BYOD)), etc.  Yet, except for some superficial attempt to secure the endeavor’s information, most SMB are vulnerable to threats like those that are mentioned above. The reason is because not enough is done to protect that sensitive information.

Let’s just investigate some best practices for organizations today.

All organizations, whether big or small, should have a Disaster Recovery (DR)/Business Continuity Plan (BCP) to enable them to still function and continue to be in business if an issue presents itself. How many small businesses do have a fully tested, functional BCP? Yet a disaster does not care if the company in question has 100 employees or 5,000.

All organizations should have and enforce internet/email usage policies. This should reduce any blatant misuse and potentially harmful activities of employees (or at least enable employers to take action if need be).

And the list of items that need addressing goes on and on. Many large organizations have specialist(s) whose entire responsibilities are just to ensure the day-to-day operation of the business.

While all organizations have to address critical issues, SMB have a number of strong disadvantages. The obvious one that comes to mind is their lack of resources. Namely most small business cannot afford a full time security/privacy professional. If money is not the issue (ever heard of a company where it wasn’t?) then a lack of expertise would be another major factor (and handicap). It takes time and experience to protect and recover from security concerns. And the basic human thought, ‘it will never happen to us, is something all personnel have to deal with.

So let’s take look at an realistic example of what can  happen to a $5,000,000 dollar a year SMB business.

11)    They have a major system failure and their systems were completely down for 4 days, and only partially in order for another six days. Total loss approx. $175,000

22) Cost to hire professionals to bring their system back on line $12,000

33)  Lost of a number important documents (payroll information, orders, A/R etc) that would be difficult to recreate. Cost unknown.

Total cost $187,000 +

Now lets take a look on the cost of setting up a relatively simple BCP/DR Etc

11)   Set up a working and tested DR/backup plan as part of a BCP $10,000

22)   Set up a commercial firewall, configured to help enforce the companies policies $10,000

33) Set up endpoint security (Anti-malware, Data Loss Prevention etc.) $5,000

44) Administration, training $5,000

Total cost $30,000

For a savings of  about $157,000 and with a big reduction of risk to the organization it then becomes obvious which of the two is the better option.

You can see by the numbers, the company in question would agree, it was a costly oversight not to do the due diligence, to say the least.

So we have all these organizations that are liable to have security/compliance/privacy etc issues, yet money is a huge concern. So what can be done?

There are a number of independent consultants whose specialty is to work with SMB. These consultants can plan and implement the best practices that are needed for an organization. They bring expertise, certifications, etc. that a small organization could ill afford to develop in-house due to the costs involved. For most SMB, once a comprehensive plan is developed and deployed, only a small additional cost would be needed moving forward to make sure everything is tested/working (maintenance/review changes etc) on an ongoing bases .

However, I would be remiss if I did not highlight the importance of finding a competent resource. There are a lot of consultants that have hung their shingle out to find business. So due diligence is in order. Ask for references, preferably with companies of a similar nature. Ask for any professional certifications that are concerned with this domain/realm. Ask for an estimate for the work needed. Get a Statement of Work (SOW) which should also include an established procedure for cost escalation and/or additional work requests. In other words try to make sure you are getting value for your money.

At then end it comes down to that, in our electronic world we work/live in, cutting corners will end up biting you on your bottom line. Ignoring the issues does not make it go away. But there is a reasonable way of mitigating those very real risks.

As the saying goes, ‘an ounce of prevention is worth a pound of cure’, and the sooner the better.

---

[1] http://www.symantec.com/about/news/release/article.jsp?prid=20130415_01

[2] www.nfib.com/business-resources/business-resources-item?cmsid=29624

[3] http://www.verizonenterprise.com/DBIR/2013/

Robert's Law of security and technology progress

Robert's law of privacy & security.

"The number of advances in capabilities within the online world is proportional to the number of issues with privacy and security."

 A strong statement, some would gather, and something that would seem counterintuative. Would not technology improve security, or as some would say build a better mouse trap?

Let’s delve into this a little further.

We now have a number of cloud computing capabilities that improve the ability to share resources, DropBox, Google Drive, Dump Truck to name but three. These types of software/hardware allows us to share files among our peers within the 'Cloud', thus allowing a more seamless experience when trying to share presentations, school projects etc. Yet this year alone Drop Box (and I only use this as an example as some other cloud suppliers have had security concerns expressed about them as well) had a security issue. In a four(4) hour period, accounts were unlocked and accessible to the general public.

Let’s take another example.

Social media. It is in the forefront of most peoples minds right now. And, as we see, a lot of companies are embracing this new market place with vigor. It is seen, by some, to better connect or re-connect, with friends and family. I for one, keep in touch with relatives from Australia, Hungary and Michigan using a combination of Twitter, Facebook and LinkedIn. Companies are jumping on board as well,  seeing the opportunity to have another marketing vehicle in their arsenal,  providing enhanced customer service and differentiating themselves from the competition. Yet there have been a multitude of security and privacy issues with the social media suppliers. For example, there was the time a that a certain number of users  potentially exposed their personal identifiable information within Facebook. Twitter, another social media darling  had a number of issues concerning security as well.

And another

RFID = Radio Frequency IDentification.. We all use it. But what is it? It actually encompasses a lot of different devices and uses. They include the NEXIS card, issued by the US and Canadian governments to allow pre-screened passengers, speedier border crossings. It allows Jane Smith to tap her credit card on the gas pump reader to pay. it can be used to track merchandise in warehouses etc. Yet within a very short period of time after general deployment in the public arena security issues started to be asked/exploited in both the public as well as informed experts hands.

And finally within the last month (as of this is being written) the fingerprint recognition capability within the new iOS 7 had it’s security questioned. The new capability allows anyone with a new Iphone 5Sc  to buy songs etc., using their fingerprint, in the ITUNE store (more to follow I am sure). Yet within a very short period of time, concerns about the security of this capability surfaced.

So what does this all mean? Should we ban all new technology? While I am sure there maybe some people who would say yes (as there are still some people who believe the world is flat and Elvis is alive) that is not going to happen. If we would have banned technology then, no computers? Or if we waited and implemented the ban when transistors came about. or when the Arpnet/Internet was created, or when the WWW (world wide web) etc. where would we be now?

In reality as the human race continues to explore and innovate, technology will move forward.

So Am I advocating we just plow ahead full steam? Well.....

I think we need to recognize that with each innovation, invention etc the security privacy landscape changes. That when we embrace the new mouse trap, we should also realize that it brings with it potential security privacy issues that need to be addressed.

Let’s take the last example I used.  Apple introduced the new capability stating that Iphone 5S is an innovative way to simply and securely unlock your iPhone with just the touch of a finger. However, noticeably absent was any further discussion about the security component.  While I don't expect a detailed discussion, I do expect a phrase or two addressing the obvious concerns.

Why is it that security (and indirectly privacy) is such  an afterthought.  We introduce new ways to build a better mouse trap1 yet we do not look at what the implications for this new technology are and what changes need to be so it is implemented safely and securely. Companies jump on bandwagons all the time without fully engaging in a analysis of the various issues of concern. Apple introduces a finger scanner, yet a hack was published within the month. Banks introduced 'chip and pin' credit cards and then tried to deny any reimbursement for fraudulently used cards.

So what does this all mean? In all our dealings, whether it is building a new web site (Privacy by Design) or a new technology, we should be advocating Security by Design in what ever we do. It should not be an afterthought. We should expect that there will be issues and not wait for some smart hacker to point out the problems. We should take the bull by the tail and face the situation. Be proactive rather then reactive as we seem to be most of the time. If we do this, then we will hear less and less press releases on how some new technology was hacked and broken. And as a result, a fix had to be  developed and deployed. Never mind the PR issues that raise their head during this event.

FOOTNOTE

1 The actual saying goes like this 'If a man has good corn or wood, or boards, or pigs, to sell, or can make better chairs or knives, crucibles or church organs, than anybody else, you will find a broad hard-beaten road to his house, though it be in the woods' Ralph Waldo Emerson. I prefer the modern version for brevity, if for no other reason.

Security/Privacy Personnel, should they be the same?

-->

I have been on the peripheral of the discussion about Privacy and Security for awhile. The debate is concerning how Privacy personnel are not familiar with IT security process. And I believe its time to take the bull by the tail and face the situation, so to speak.

My thesis is that there needs to be a concerted effort to develop  a liaison group involving people that feel comfortable in both areas of Privacy and IT Security. These people should understand how data is used within the IT, and what expectations Privacy places on the organization.

SO let’s explore

In the vast majority of enterprises, (those that have a IT department and also are concerned by privacy, as all companies should be) there are Privacy officers that deal solely in the Privacy realm (Privacy policy, governance etc) and the IT personnel whose function it  is to enhance/maintain/deploy process to Secure the network assets from the 'bad guy'

But before we delve into this much further, let’s explore some of the foundations of these two organizations.

Privacy requirements come from various requirements, regulations, laws. They are formulated/created, either by gov't or professional organizations. Examples include: the PCI DSS, SOX, GLBA, PIPEDA,  EU Directive, to name but a few.

These regulations/laws, for the most part are drafted by lawyers, civil servants, professional committees. I transgress with a quick joke. What is a camel? A horse designed by a committee.
The point is that, as written, these regulations are not written for the 'common man'.  They deal with the legal aspects of privacy and as such, written in 'legalize'. So to be able to interpret them, create processes to address them, and ensure compliance with the same, it requires individuals that can understand those same rules. That is, one with expertise in the legal and/or regulator profession.

Security comes from the technical world, the idea of what kind of security appliances are needed to monitor/secure the systems/network/infrastructure that are in place within the organization. The understanding of networking protocols, threats and vulnerabilities etc. needs someone who understands the technical complicated the Security realm

So far so good.

We also understand that to have Privacy, one must have Security, or otherwise the organization’s public reputation, never mind its ability to function under gov't rules  and industry regulation oversight may be in jeopardy. (IE data breaches etc).

However, how many Privacy officers know anything about a 'DMZ' or DLP appliance (to name but two Technical Security phases/gobbledygook). That is the Security guy’s responsibility, right?

How many security personnel understand the ramifications of a stolen laptop with an encrypted disk, with PII from Customers in the US, or if the PII is from those customers that are located within the EU. That is the privacy department issue?

So that is the dilemma. Each department’s needs to 'use' the other’s expertise. But is there is no common language? One group doesn't know what it does not know and the other assumes that everything is addressed. This scenario is a problem waiting to happen.

So let’s take an example. But please note that the following example is only being used to highlight my point. It is an over simplification of the issues.

A new network is being developed to support an application that is being rolled out shortly. This application contains PII/PHI information. In one of the meetings the CPO makes it clear that this type of information needs to be protected/secured.  The Security guys go to the back room and incant some magic spells over a rack of computers/servers (sorry I could not help myself) and POOF, out comes a Security policy/procedure etc. plan for the roll out.

The plan contains the proper role based security rules(RBAC), checks, logs etc. The Security guys go out for a drink to celebrate the culmination of designing a 'fool proof' Security envelope (as  if there was such a thing).

The Privacy person figures out that the proposed process meets the needs and regulations and goes home with a smile on his/her face. The only people who are authorized to see the information will have the ability to view the PII/PHI info.

However, did anyone look at how support is going to done for this application? The Privacy professional is not a techie and does not know what the 'normal' infrastructure for support/maintenance development for an application is. And why should he/she? Right?


WRONG

The CPO has no idea that during the development and support phases of the project, that copies of the real data may be created to provide a more realistic test bed  for QA/ regression testing.(see my previous blog entry for a  further discussion concerning this issue).

Did anyone look at the possibility that there may be data leakage within the test/regression system? (PII info that can be emailed in the clear from a developer workstation)?  Did the person responsible for Privacy understand the need for a possible Security hardware deployment within the test environment to prevent data leakage. And where should that hardware be deployed?  How do third parties access the data for testing? Should they be able to see the test (or Production data)? Should this be considered with a BCP (business contingency planning) document?

The people responsible for Security understand the basic Security 'triad' (CIA. Confidentiality, Integrity and Availability) and have created a process that addresses these requirements. In this case the Security personnel, and may be the network administrator, have designed a comprehensive plan to secure the network where the new application will live on.

But what do they understand about issues like: if a disk drive goes missing, even if it is encrypted, they may still need to notify gov't authorities (EU directive)? And this must be detailed in any contingency planning.

Do they know that they need to talk to the Privacy department to look at how test data is used and abused?

The above mentioned questions are rather over simplified. And of course during the normal working day, the Security department and the Privacy department would talk to each other. BUT

The old adage is very relevant here. 'I don't know what I don't know' or in the case of the Security personnel they don’t know enough of the Privacy realm to make sure everything is addressed. And the Privacy officer does not know how the data is used, to the point that she/he would not know to look into areas that are not obvious IE Test Bed, Third party issues etc..

So what is the answer? Cross train personnel. (Easier said then done).

Have the security department take a course like the CIPP, offered by the International Association of Privacy Professionals. This will allow for the same individuals some insight into the issues pertaining to privacy.
 
Have the Privacy personnel take a certification course like the SECURITY+ offered by CompTIA. However this may be more problematic because there is an assumption that the person taking this course (or one that is similar) has some basic knowledge in networking and IT in general.

Failing that, Have the people in the CPO office at least try to get the basis of Security down, so the next time the two groups meet they can at least talk a common language. And this would help in reducing the chance of something being missed, and projects coming in on time.

Robert Galambos's Updated Resume

Robert Galambos Mobile: 416-876-2979 · Email: rgalambos@gmail.com
Career Profile: Over seventeen years of experience as presales engineer and consultant in the software industry, combining high-level sales and marketing knowledge with deep operational experience, technical savvy and cross-functional communication abilities. Extensive experience supporting sales initiatives, managing customer relationships, handling customer service calls and consultations, and maximizing client ROI on software solutions.
Areas of Strength
Data Privacy Client Relations Market Analysis Industry Research Security	Client & C-Level Presentations Executive Communications Staff Training & Development Data Optimization & Management Oracle/SQLServer/DB2	Solution Selling Customer Service Product Demonstrations Technical Consulting DB2/IMS/VSAM
Professional Experience

COMPUWARE                                                                                                                    1996 to 2013

Leading provider of IT software, services and best practices to deliver peak performance for technologies worldwide.

Sales Engineer & Consultant

• Provided technical analysis concerning Data Privacy to facilitate completion of RFI and RFP responses for various clients, with 85 percent success ratio.
• Delivered high-impact presentations to clients leveraging strong technical skills.
• Managed interoperability and alliance between software solutions and customers’ strategic business plans.
• Helped potential clients understand, compare and contrast several IT solutions.
• Collaborated with sales to develop cost justifications, business proposals and responses to RFI/RFPs.
• Engaged and coordinated post-sales implementation engagements.
• Helped close a minimum $2 million dollar sales 13 years in a row.
• Anointed to learn, support and sell two entire product lines, due to the unique requirement of both English and French support and sales.
• Contributed to a team that achieved a minimum 97 percent maintenance renewal.
• Liaised with Product Development and Marketing departments, perform client sales management, and report on industry/market trends, competition, and needs.
• Maintained extensive and specialized knowledge of COMPUWARE’s products, customers and competition, to enhance customer service ability and stay current on company offerings.
• Produced detailed phone support, personal product demonstrations and on-site evaluations of clients’ current software solutions.
• Responded to requests for information or pricing in an efficient manner and prepared sales package proposals.
• Trained and lectured clients, staff and executives on various solutions, including Data Privacy and Application Auditing.
• Facilitated customers and partners, as well as on-site professional services support such as installations and configurations upon deployment of software.
• Created, updated and disseminated training materials for 10 different software products on both mainframe and mid-tier/distributed environments.

• Served as Project Manager/Team Lead developing and updating training material with a specific timeline and with the participation of 10 team members.
• Gained proficiency in MS Windows, MS Office, Salesforce.com, and Data Privacy Solution Mainframe.
• Was one out of two people chosen (out of 24) to be a mentor for the Professional Development Program, training non-IT professionals to be support personnel.
• Worked in various realms, including ETL, Data Privacy in the testing space, Data Management and Data Optimization for both short-term and long-term sales cycles.

MONTREAL TRUST / BANK OF NOVA SCOTIA                                                  1984 to 1996

Premier financial institution providing personal, commercial, corporate and investment banking services to individuals, small and medium-sized businesses, corporations and governments.

Principal Analyst & Team Lead

• Oversaw the team responsible for financial systems, including general ledgers, accounts receivable and accounts payable within the Trust Unit.
• Apprised management of more efficient methodologies to ensure better business decisions.
• Provided guidance, instruction, direction and leadership to the team to achieve key results for clients.
• Coached and matured the skill level of direct reports in order to continue their long-term development and ensure solid succession planning and departmental success.
• Liaised with Payroll, HR and Executive Offices as a subject matter expert.
• Gained proficiency in COBOL, IDMS, and IBM Multiple Virtual Storage
• Created “What if” scenarios and provided support for non-technical end-users.
• Designed major conversion project for Pension Plan Changes/Acquisition (BNS).
• Worked with the Finance Team to determine the ongoing business needs and requirements for the reporting of all assets, sales, redemptions, management fees, trailer fees, and advisory fees.

Certifications

Security+                                                                                                                                                   

• Knowledge of security concepts, tools, and procedures to react to security incidents, to ensure that security personnel are anticipating security risks and guarding against them.

CIPP/C: Certified Information Privacy Professional/Canada                                 

• Demonstrates understanding and application of Canadian information privacy laws, principles and practices at the federal, provincial and territorial levels.
• Requires completion of Certification Foundation Exam and CIPP/C Exam.

CIPP/IT: Certified Information Privacy Professional/IT                                                    

• Entails understanding privacy and data protection practices in the development, engineering, deployment and auditing of IT products and services.
• Necessitates completion of Certification Foundation Exam and CIPP/IT Exam.

IBM Certified Database Administrator – DB2 9 DBA for z/OS                                           

• Validates capability of performing intermediate to advanced tasks related to database design and implementation, operation and recovery, security and auditing, performance, and installation and migration/updates specific to the z/OS operating system.

Education

Concordia University, Montreal, Québec

Bachelor of Commerce, Accounting (1979)