Canada should follow U.S. cybersecurity framework, says expert

Canadian enterprises and governments should adopt a just-released American government framework for tightening IT security of critical infrastructure, says a security consultant.

“I don’t think we should re-invent the wheel,” Kevvie Fowler, a partner in the forensic advisory services at KMPG Canada, said of the guidelines released this week by the federal National Information Technology Laboratory (NIST). “If you look at what has been done, it already leverages concepts from internationally-adopted standards like ISO  27001/2 and a few others.”

In 2010 the Harper government announced a national strategy  to better protect critical infrastructure calling for the public and private sectors to work on addressing risks. But two years later the Auditor General released a report complaining the strategy still didn’t have an action plan. That plan has since been completed.

Public Safety Canada has released a guideline of best practices for incident response. However, Fowler said the NIST document goes further.

Meanwhile, as part of its effort to work on an infrastructure security plan the Canadian government is holding an invitation-only conference in New York at the end of the month.

Called a Framework for Improving Critical Infrastructure Cybersecurity,  it’s aimed at organizations, regulators and consumers to create or improve cybersecurity programs.

(click here to download the document)

The document provides a common language to address and manage cyber risk in a cost-effective way based on business needs, without placing additional regulatory requirements on businesses, NIST says.

“The framework provides a consensus description of what’s needed for a comprehensive cybersecurity program,” Under Secretary of Commerce for Standards and Technology and NIST director Patrick Gallagher said in a statement. “It reflects the efforts of a broad range of industries that see the value of and need for improving cybersecurity and lowering risk. It will help companies prove to themselves and their stakeholders that good cybersecurity is good business.”

In short, it’s a series of best practices.

NIST says organizations can use the framework to determine their current level of  IT security, set goals and establish a plan for improving or maintaining their cybersecurity. It also offers a methodology to protect privacy and civil liberties (according to U.S. law) to help organizations incorporate those protections into a comprehensive cybersecurity program.

Within the framework – which will be updated periodically there are three main elements: the core, tiers and profiles. The core presents five functions—identify, protect, detect, respond and recover—that taken together allow any organization to understand and shape its cybersecurity program. The tiers describe the degree to which an organization’s cybersecurity risk management meets goals set out in the framework. The profiles help organizations move from a current level of cybersecurity sophistication to a target improved state that meets business needs.

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now