CAN/CIOSC 104:2021 Compliance Support

Does your company aspire to exemplary compliance with cybersecurity standards, in particular the new CAN/CIOSC 104:2021, but feel disoriented by the process? Opt for the expertise of MicroSecure, your trusted partner, to guide you through it with complete peace of mind!

What is CAN/CIOSC 104:2021?

CAN/CIOSC 104:2021 is a Canadian national standard that establishes baseline cybersecurity controls specifically designed for small and medium-sized businesses (SMEs). It aims to provide SMEs with a solid basis for strengthening their IT security.

This standard defines two levels of security controls: Level 1 and Level 2.

Level 1 requirements

Level 1 requirements are intended for small organizations approaching cybersecurity for the first time. These companies typically have limited resources to invest in information technology and are only just beginning to explore the field of cybersecurity.

Level 2 requirements

Level 2 requirements build on Level 1 as an organization matures and strengthens its cybersecurity. To adopt Level 2 requirements, an organization must have already implemented the Level 1 requirements, have acquired basic cybersecurity knowledge and be aware of the risks related to its sector of activity, while seeking continuous improvement in this domain.

In summary, CAN/CIOSC 104:2021 provides SMEs with a clear roadmap to improve their cybersecurity, taking into account their maturity level and available resources. It constitutes an essential tool to strengthen the protection of data and computer systems of small and medium-sized businesses in Canada.

Small and medium-sized organizations are most likely to be targets of cyberthreats and cybercrime, often resulting in immediate financial or privacy consequences.
National Cyberthreat Assessment 2018

What are the cybersecurity controls in the CAN/CIOSC 104:2021 standard?

Basic controls

Incident response plan

The entity must develop an action plan for responding to a cybersecurity incident, including a strategy for incidents that it cannot manage on its own.

Automatically patching applications and operating systems

You must make sure to activate automatic updates on your various computer systems in order to correct vulnerabilities.

Enabling security software

Install antivirus, firewall and anti-malware software on all connected devices, wherever possible.

Configuring devices to ensure security

Avoid using the default administrator passwords that devices ship with.

Access control and authorization

By adhering to the principle of minimal access, i.e. limiting each user to the functions essential to their role, the organization strengthens its cybersecurity.

Using robust user authentication

The organization must, among other things, implement multi-factor authentication. For Level 2 requirements, a password manager must also be implemented.

Data backups and encryption

Backups are essential when access to systems becomes impossible, or when data or information is at risk of being tampered with. The company must refresh its backups periodically and store them securely in a protected off-site location.

Establishing base defenses on the perimeter

Internet-facing networks must be secured with a firewall, whether software or hardware, to monitor traffic and block intrusions. A DNS firewall blocks known malicious domains. Solutions exist for every device in an organization.

In addition to the basic controls, there are also controls specific to the operating environment.

Secure mobile devices

We all use cell phones; this control strengthens the security of these devices according to the needs of your business.

Security of cloud services and outsourced IT services

You must evaluate what data these services handle and ensure that these suppliers meet certain cybersecurity criteria.

Website security

You can secure your websites by taking into account the ten main vulnerability categories identified by the Open Web Application Security Project (the OWASP Top 10).

Removable media security

Removable media (hard drives, USB drives, memory cards) are convenient for transferring files between devices, but their portability exposes them to loss or theft, which in turn puts the organization’s data and network at risk.

Point of sale systems and financial systems

At a minimum, any organization using point-of-sale and financial systems must comply with the Payment Card Industry Data Security Standard (PCI DSS) and keep those systems isolated from the Internet.

Management of cybersecurity logs

Collecting, analyzing and managing logs is essential for securing systems and managing incidents. All organizations, regardless of size, should have a suitable log management policy.

Any incident must be reported to the Commission d’accès à l’information du Québec, or to the Office of the Privacy Commissioner of Canada if the company is outside Quebec.

Are you able to detect when an incident occurs? Contact us to receive the best support in terms of compliance and cybersecurity!

How can MicroSecure help you optimize your compliance?

MicroSecure offers a complete range of solutions and services to support companies in their efforts to comply with cybersecurity standards. From network security and the principle of least access to log management and data protection, we offer in-depth expertise to strengthen the cybersecurity of our customers. Our tailored approach ensures that every business, regardless of size, has the tools and strategies needed to prevent digital threats and manage incidents effectively, contributing to strong and reliable cybersecurity.