PEG Magazine - Summer 2016

APEGA

APEGA Strengthens Information Procedures

Non-staff volunteers have made their recommendations to APEGA to improve the way the organization handles sensitive information, in the follow-up to a release of Member information last fall to an unauthorized third party.

The recommendations point to a need for improvements in four areas:
• staff training
• management systems
• data inventory processing
• risk assessment

The independent investigation was charged with determining what happened and why, and recommending corrective actions.

“Protecting our Members’ private information is very important to us. We accept the investigators’ report, and we are implementing the recommendations to strengthen our information management procedures and policies,” said Interim CEO Heidi Yang, P.Eng., FEC, FGC (Hon.). “This includes the development of new policies and procedures, and enhanced cyber-security training for staff.”

On September 21, 2015, the first and last names, email addresses, and Member identification numbers of about 75,000 Members listed in the APEGA database were emailed to an unknown party after what’s known as a phishing attack — an illegitimate email request for information. One employee provided the information. No credit card information or passwords were released, and fortunately, APEGA’s information technology infrastructure was never actually breached or hacked.

APEGA responded immediately to ensure the security of Member information. These actions included:
• suspending access to the Member Self-Service Centre and the Company Self-Service Centre
• communicating to employees the best practices and procedures for handling sensitive and confidential information
• communicating to employees that only senior leaders are permitted to approve the release of information
• requiring annual security training for all employees
• requiring password resets for the Member Self-Service Centre and the Company Self-Service Centre (after lifting the suspension of access)

Improvements planned for the medium-to-long term include:
• developing a data ownership model
• simplifying policies and procedures for handling sensitive and confidential information
• instituting employee training on handling sensitive and confidential information
• implementing a quality management system
• training senior leadership and Council on an enterprise risk management framework

The investigators conducted a root-cause analysis, which involved reviewing APEGA policies, guidelines, training approaches, organizational charts, governance information, and risk analysis information, as well as interviewing staff and senior leaders.

“I’d like to thank the investigative team for the thorough work. I’m confident that they’ve come up with sound recommendations, which we plan to implement to improve our organizational effectiveness,” said Ms. Yang.

The following volunteers made up the external investigative team:

Keith Shillington, P.Eng. (Chair)
Senior Vice President, Canada Prairies
Stantec

John Cocchio, P.Eng., MBA
Industrial Professor
David and Joan Lynch School of Engineering Safety and Risk Management
Faculty of Engineering
University of Alberta

Wendy Gerber, CHRP
Vice President, Human Resources/Privacy Officer
DynaLIFE DX

Hani Mansi, CISSP, CISM, CRISC
Director, Risk and Information Security
ATCO Ltd. and Canadian Utilities Ltd.

Gordon Winkel, P.Eng., M.Sc.
Chair, Industrial Professor
David and Joan Lynch School of Engineering Safety and Risk Management
Faculty of Engineering
University of Alberta

Frank Mannarino, P.Eng., MBA
Senior Vice President, Electricity Operations
EPCOR

THE DISCIPLINE FILE

If names are ordered not to be published, they are represented generically, such as Professional Engineer A.

With the launch of our new website, we’re posting some of the content traditionally published in The PEG online instead, at apega.ca. In that category are discipline decisions, the most recent of which are listed below. Also available online are the last five years of decisions as they appeared in The PEG.

Recent Formal Hearing Decisions

No Recent Decisions

Recent Recommended Discipline Orders

DC Case #15-002-SO: Unprofessional Conduct of [Professional Engineer A] and [Company A]
DC Case #15-003-SO: Unprofessional Conduct of Mr. Michael Richards and Richards Consulting and Associates Ltd.
DC Case #15-004-SO: Unprofessional Conduct of [Professional Engineer A] and [Company A]
DC Case #15-005-SO: Unprofessional Conduct of [Professional Engineer A] and [Company A]
DC Case #15-006-SO: Unskilled Practice of [Professional Engineer A]
DC Case #15-008-SO: Unprofessional Conduct of [Professional Engineer A]
DC Case #16-002-RDO: Unprofessional Conduct of Mr. Arup Goswami

To read these and other decisions, visit apega.ca
