On August 12, 2019, the Canadian federal government announced “CyberSecure Canada”, a voluntary certification program that aims to raise the cybersecurity baseline among Canadian small and medium enterprises (SMEs). The program requires Canadian SMEs to implement baseline security controls that have been selected to provide the greatest amount of protection with the least amount of burden. SMEs that demonstrate compliance to an accredited certification body will be granted a two-year certification that is intended to provide an easy way for customers, investors, partners and suppliers to know that the certified business has performed the basics to reduce its cyber risk.
The security controls being recommended are from the Canadian Centre for Cyber Security’s guide, “Baseline Cyber Security Controls for Small and Medium Organizations”, which was released on March 26, 2019.
The guide recommends the following thirteen basic controls that every organization should have in place:
1. Develop an Incident Response Plan
2. Automatically Patch Operating Systems and Applications
3. Enable Security Software
4. Securely Configure Devices
5. Use Strong User Authentication
6. Provide Employee Awareness Training
7. Backup and Encrypt Data
8. Secure Mobility
9. Establish Basic Perimeter Defences
10. Secure Cloud and Outsourced IT Services
11. Secure Websites
12. Implement Access Control and Authorization
13. Secure Portable Media
Fortunately, the feds decided to align the CyberSecure Canada framework with existing internationally recognized frameworks such as the Center for Internet Security Controls, the NIST Cybersecurity Framework, and ISO/IEC 27001:2013. This allows organizations to certify to the CyberSecure Canada framework before moving on to more comprehensive frameworks without conflicting advice or duplication of effort.
Now, before you go implementing any of the baseline controls, the CyberSecure Canada framework runs organizations through a scoping and risk assessment exercise. I cannot stress enough how important these steps are or how often they are overlooked. How can an organization properly protect itself if it doesn’t know what to protect or how critical an asset or service is to the organization? So, this is excellent, but I foresee many organizations struggling with these steps, as even some large enterprises struggle to get a grasp on the systems on their network and the criticality of them. Another area that might be difficult for organizations is integrating any regulatory or legal requirements.
Always remember that compliance with any cybersecurity framework doesn’t mean that your organization is impervious to cyber attacks. The CyberSecure Canada security controls are well designed to help prevent cyber attacks against an organization and to help it recover should it fall victim to one. Don’t forget that compliance is not the finish line but a milestone on the journey, and every cybersecurity program will require maintenance to continue to protect the organization as it grows and evolves.
To summarize, the Canadian federal government has released a certification program called CyberSecure Canada for SMEs that ensures organizations implement a baseline of security controls to protect digital assets. The goal is for the CyberSecure Canada certification mark to become a recognized symbol that instills greater confidence that an organization’s cybersecurity program is managing the basic cybersecurity controls.
I would recommend that any organization work towards the CyberSecure Canada certification and then move on to some of the more comprehensive cybersecurity programs mentioned above. Should you require assistance or have questions, please don’t hesitate to reach out to any of us at Keep Secure.
Sean is a cyber security professional who brings a wide breadth of knowledge to the team with a strong focus on security, infrastructure and SCADA controls.