Among the principals lessons to be learned from the Target security breach post mortem, is that an organisation should include an assessment of third party service providers information security posture in the course of their due diligence efforts, stipulate contractual security requirements and audit compliance therewith in the course of performance of the agreement. There is no good reason why we should be aware of Fazio Mechanical Services...1
Assessing the adequacy, sufficiency and robustness of security measures and controls can require significant efforts and resources, which is why organisations seek to benefit from certifications and third party audit reports.
A recent initiative of the federal government will provide a new alternative to businesses on both side of the client/service-provider relationship. Launched on August 12, 2019, CyberSecure Canada is a federal cyber security certification program (the "Program") administered by Innovation, Science and Economic Development Canada ("ISED").
The Program aims to:
- set a national cyber security baseline among Canadian businesses,
- increase consumer confidence in the digital economy,
- promote international standardization and better position Canadian businesses to compete globally.
Although tailored for small and medium organizations ("SMO"), any organization can apply for certification.
Under the Program, an organization must demonstrate their compliance to certain baseline security controls to a certification body. Once an accredited certification body certifies a business, ISED will register it and it will be entitled to represent itself as "CyberSecure Canada certified" by displaying a federal government issued certification mark. Certified businesses will also be listed in a public registry. Certification is valid for two years.
The Program is currently in its pilot phase pending the establishment of the "National Standard of Canada" ("NSC"), which will be based on the current version of the "Baseline Cyber Security Controls for Small and Medium Organizations" (the "Baseline Controls") developed by the Canadian Centre for Cyber Security. The pilot phase is expected to last between 18 to 24 months.
The CyberSecure Canada team indicates that it is working closely with interested businesses to help fully develop and refine the processes and steps required for certification. To enrol in the pilot phase, a business must contact the CyberSecure Canada team at ISED.
The Baseline Controls deal with both non-technical (e.g., security policies and response plans) and technical, whether internal (e.g., perimeter defences) or outsourced (e.g., secure cloud services), security issues.
To become a Certification Body for the purposes of the Program, the Standards Council of Canada (SCC) must accredit an organization. So far, there are six accredited organisations.
There are a number of steps involved in the accreditation process and requirements vary depending on the scope of work for which the accreditation is being pursued. Organizations wishing to apply for accreditation as a CB under the Program must contact SCC Accreditation Services to obtain further information, including an accreditation application package.
The province of New Brunswick had previously set up Cyber Essentials Canada ("CEC"), a program administered by CyberNB, an agency of the government of the province of New Brunswick, which also offers a cybersecurity certification framework for organizations. It is expected that CEC will be folded into the CyberSecure Canada under the sole supervision of ISED following the Program's pilot phase.2
Footnotes
1. Fazio Mechanical Services was a service provider of Target. The Target hack was initiated through the use of the compromised credentials of one of its employees.
2. See e.g. https://cyberessentialscanada.ca/blog/cybersecure-canada.htm and https://www.itbusiness.ca/news/federal-government-launches-cybersecurity-certification-program-for-smbs/111888.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
