This newsletter shares the latest cybersecurity news, trends and events to help you spark ideas on tightening up the security of your organization.
Cybersecure Canada Certification
Security framework audits are no different, and the value is in the journey with the gathering of observations and insights along the way. Cybersecure Canada certification is divided into 5 Organizational Controls and 13 Baseline Controls to address various aspects of cybersecurity best practices.
Cybersecure Canada encourages organizations to implement as many of these baseline controls as possible, while recognizing that not every organization can implement every control. If the majority of Canadian organizations implement these controls, your organization will be more resilient and cyber-secure.
“The journey of a thousand miles begins with one step.”
— Lao Tzu
In their journey, many companies learn how aware staff are of security practices (email and banking), how well inventory is catalogued (including asset value), how refined processes are (system update schedule), and how available contact information is (internal, external and resources) while developing an Incident Response Plan (IRP). Ideally this plan is continually improved by reviewing it and participating in an annual cyber security simulation.
Many start-ups and high-tech companies grow so quickly that they lose track of their assets and who has access to them. You can’t protect what you don’t know about. The CSC highlights some of the key elements in building a sustainable, scalable, and preferably automated infrastructure. An example would be an inventory and patch management system.
CyberSecure Canada is a cybersecurity certification program for small and medium-sized organizations. Cyber Security Canada is accredited by the Standards Council of Canada (SCC) to verify that businesses have implemented all the security controls required for CyberSecure certification, according to the audit criteria established by ISED and the Canadian Cyber Centre. Certification can be seen as an end goal. Companies can also use this framework as a base to improve their cybersecurity posture without going through the accreditation process. By taking steps to improve an organization’s cyber security posture, companies will:
- limit the impacts of a cyber incident
- enhance your competitive advantage and attract new business
- reassure your customers and investors that their information is protected
- improve your cybersecurity knowledge
Prepare for certification
There are many resources available to assist in beginning the journey to certification including eLearning modules, how-to guides, and templates. Companies may also choose to hire a security consulting firm to assess and provide recommendations on what security measures to prioritize. Some available options are:
- Free eLearning series: Self-paced modules
- Certification tools: Templates, examples and how-to guides
The certification process
In simple terms there are 4 steps to get certified; however, these steps require varying levels of time, resources and commitment to implement.
- Review and implement security control areas
- Register on the CyberSecure Canada portal or, for IRAP clients, contact your ITA
- Select an accredited certification body
- Submit completed documentation and remediate as required.
- Recertification is required every 2 years.
The ask from firms is often very considerable. We have found that IRAP clients need a ballpark of 50 hours of guidance (from a cyber security firm) in order to pass CyberSecure Canada. The work the firm needs to do in addition is well over 50 hours on average. An example would be “Automatically patch operating systems and applications”.
A good start is to prioritize each of the CyberSecure Canada controls and estimate the time and resources needed to implement them. There are several how-to guides on the CyberSecure Canada portal. Implementation, depending on the size of the organization, can take anywhere from a few hours to several days. Also, choosing a provider would reduce the time to implement, but naturally increase cost.
For firms that work with NRC-IRAP (National Research Council – Industrial Research Assistance Program), advisory support may be available for firms wishing to pursue CyberSecure Canada certification. Depending on budget availability, IRAP may be able to support a 25-hour expert advisory on CyberSecure Canada by an IRAP-approved cyber security firm, as well as the IRAP client’s first CyberSecure Canada audit. IRAP firms should contact their IRAP ITA (Industrial Technology Advisor) for further information.
Support is also available to Quebec companies through financial help from Canada Economic Development for Quebec Regions through In-Sec-M (cybersecure@insecm.ca).
A stepping stone to other certification
CyberSecure Canada is a good starting point that, with additional effort, may lead to other industry-recognized certifications such as CIS, CMMC, SOC 2, ISO or PCI DSS. The controls of these frameworks overlap in whole or in part. As an example, CSC BC3.1 describes having an Incident Response Plan (IRP), as do CIS 19.1, SOC 2 CC7.4, and PCI DSS 12.10. CyberSecure Canada Certification is recognized by the Canadian Government.
Once a company has travelled through one certification process, it will have an idea of the time and resource commitments required to complete another. SOC 2, ISO, and PCI DSS are on the more arduous end of the effort spectrum. Depending on the size of the organization, it is recommended to have a full-time resource assigned to “audit and compliance” and even to consider hiring a third party to assist in compliance readiness, as they often have templates available to use and can test the efficacy of the controls.
Every organization should embark on the journey of achieving a certification that is most applicable to their business.
There are many aspects that are often overlooked, and a security framework attempts to highlight key areas.
The CyberSecure Canada certification does this.