Government of Canada’s Enterprise Cyber Security Strategy

Executive Summary

The Government of Canada (GC) acknowledges the critical importance of its services to citizens and the increasing risk posed by cyber threats due to its extensive digital presence. The Enterprise Cyber Security Strategy aims to enhance resilience and protect sensitive information by defining strategic objectives and promoting a whole-of-government approach. Key challenges include a shortage of cyber talent and gaps in awareness and security practices. To address these challenges, the strategy emphasizes collective action, agile policies, and strategic investments. It outlines specific objectives, actions, and the Target Security Operating Model (TSOM) to guide cyber security operations across departments and agencies, focusing on prevention, capabilities strengthening, workforce diversity, and incident response enhancement. The strategy also emphasizes governance, oversight, and collaboration among critical stakeholders to ensure effective cyber security management and coordination.

The Strategy

The Government of Canada (GC) recognizes the critical nature of its services to Canadians, emphasizing its role as a key infrastructure sector. With an increasing digital presence and reliance on information technologies, the GC becomes an attractive target for cyber attacks due to its holdings of sensitive information. Cyber security events can significantly impact government operations, risking disruptions to critical services and exposure of classified or personal data, which could erode public trust and harm the Canadian economy and society. Acknowledging the rising sophistication and frequency of cyber threats, the GC emphasizes the need for vigilance and continuous improvement of cyber defenses to enhance resilience. Ensuring the confidentiality, integrity, and availability of GC information and networks is paramount for delivering secure, reliable, and trusted digital services to Canadians. The strategy aims to define the vision and strategic objectives for the GC to address the evolving cyber security risk landscape while improving cyber security maturity and optimizing investments.

The scope of the strategy encompasses departments and agencies under Treasury Board authorities, specifically focusing on Designated and Classified information systems. However, it encourages all government entities to adopt its objectives and goals to bolster cyber security posture across the entire government. The strategy contextualizes current challenges within the evolving digital landscape, highlighting drivers such as Canada’s Digital Ambition Statement, digital service delivery, and technological advancements. It acknowledges progress made in improving cyber security posture, yet identifies gaps in cyber maturity levels, awareness of cyber risks, and security management practices.

Specific challenges facing the GC include the shortage of cyber talent, the need for cyber security training, and modernization of security screening processes to mitigate insider threats effectively. The strategy underscores the importance of collective action, agile policies, and strategic investments to address gaps and ensure the protection of Canadians’ data and the continuity of critical services. Ongoing efforts to enhance cyber security resilience and adaptability are critical in confronting evolving cyber threats. Enabling a whole-of-government approach for the cyber security of government operations is essential to support the delivery of government services in the digital age for all Canadians. Cyber security, as a foundational component, ensures simple, secure, and efficient delivery of government services and benefits. The Government of Canada prioritizes efforts to meet its overall vision of building a world-class, sustainable, and resilient GC to reduce cyber security risks. This entails reducing cyber security risks across departments and agencies to maximize the benefits of digital technology. The strategy emphasizes optimizing resources and leveraging common solutions to improve consistency and reduce misconfiguration risks.

To achieve this vision, the GC requires the right policy, people, process, and technology to identify and manage known and emerging cyber security risks effectively. This involves shifting from a reactive to a proactive approach in addressing security vulnerabilities and keeping pace with the evolving threat landscape. Emphasis is placed on safeguarding sensitive government data and ensuring the protection and security of information systems, regardless of their environments. Privacy and security are integrated from the outset, supporting reliable services and granting access to trusted users, devices, and services on a need-to-know basis. Critical stakeholders within the federal government collaborate to ensure effective cyber security management and coordination. Strengthened governance and oversight are necessary to align with departments and agencies managing cyber security. The Information Technology Security Tripartite (Tripartite) plays a pivotal role in providing advice, guidance, and oversight to address GC-wide security initiatives and support departments and agencies under Treasury Board authorities.

Strategic objectives aim to articulate cyber security risks, prevent cyber attacks, strengthen capabilities and resilience, and foster a diverse cyber workforce. These objectives are supported by key actions such as improving security monitoring, accelerating the implementation of modern cyber security architectures, and enhancing incident response capabilities. Additionally, efforts are directed towards developing cyber security skills, attracting diverse talent, and modernizing personnel security screening processes.

To achieve the vision and meet the strategic objectives outlined in the cyber security strategy, a target security operating model (TSOM) is essential. This model is instrumental in establishing an effective and efficient approach to conducting cyber security operations that enable the delivery of digital services. The TSOM considers dimensions such as policy, people, process, and technology, aligning with the GC’s cyber security management approach. This approach encompasses security functions such as identify, protect, detect, respond, and recover, forming the primary pillars of a holistic cyber security program. It offers guidance to departments and agencies to better understand, manage, reduce, and communicate cyber security risks, complementing existing practices outlined under the Framework for the Management of Risk and the Cyber Centre’s IT Security Risk Management.

The TSOM serves as an enabling tool to support the operationalization of the Strategy, providing a blueprint for successful cyber security operations. It illustrates the range of security processes and activities necessary for a comprehensive security capability, while delineating stakeholders accountable for or supporting each process and activity. Additionally, the TSOM clarifies accountabilities and identifies the need for additional authorities to meet the target state for the cyber security of government operations. TBS, SSC, CSE, and departments and agencies will utilize the TSOM to guide the development of respective departmental plans aligned with the Strategy. These plans are expected to integrate investment planning, prioritize the use of common solutions and enterprise services, and establish departmental roadmaps. Monitoring and evaluation mechanisms will ensure the Strategy’s vision and objectives are met. The Tripartite will continue to play a key role in governance and oversight, with broader governance necessary to oversee and enhance assurances related to cyber investments.

Improved digital and technology assurances will enable holistic operation, promoting the reuse of common solutions and technology, improving interoperability, and enhancing asset utilization efficiency. This approach benefits the government by delivering savings, efficiencies, increased delivery confidence, reduced risk, capability improvements, and improved outcomes for the GC.

In conclusion, while the GC has made strides in cyber security, the evolving threat environment and technological advancements necessitate renewed commitment across departments and agencies. A strong cyber risk culture is essential, striking the right balance between security, cost, and end-user experience. Security controls must be implemented cost-effectively with minimal impact on users, ensuring the delivery of secure and reliable digital services that maintain and improve trust among Canadians.
