We would break down the protective measures into three categories: physical, electronic, and procedural.
Physical measures concern all the areas where sensitive information, personal information, is held. They ensure that the access is properly monitored and that drawers and filing cabinets are properly locked.
Second, there are electronic measures. These are all the procedures such as encryption, for example, and solid passwords. If you look at our audit on wireless, for example, of certain federal institutions a few years ago, we found that the passwords were not secure and that threat and risk assessments on the wireless technology were not properly made.
Then the third category is procedural. That includes all the policies surrounding the management of the information, for example, who has access to various information. How do we have audit trails to monitor access?
So we look at the procedures, the structure of protection, through these three lenses to see if, indeed, all the protective measures, the safeguards, are in place.