What is CAN/DGSI 104:2021 Rev 1 2024?

CAN/DGSI 104:2021 Rev 1 2024 (formerly CAN/CIOSC 104: 2021) is a cyber security certification framework. It outlines basic cyber security controls for small to medium-sized organizations with fewer than 500 employees in Canada.

As this framework is revised occasionally, please refer to this link via the Digital Governance Council for the most up-to-date version of the framework.

The security controls aim to provide businesses with maximum protection with the least amount of burden. This framework addresses the growing need for effective cyber and information security measures in an increasingly digital landscape.

Purpose and Scope of CAN/DGSI 104:2021 Rev 1 2024

The primary aim of CAN/DGSI 104:2021 Rev 1 2024 is to provide organizations with a minimum set of cyber security controls tailored to their specific needs and capacities. It also recognizes that many SMEs often lack the resources, expertise, and financial means to develop comprehensive cyber security strategies. Therefore, this framework acts as a foundational guide, enabling businesses to assess their current practices as well as identify gaps that need addressing (even if not right away).

A few key notes:

  • Organizations with more than 500 employees may also find value in using this framework as a foundation for enhancing their cyber security practices, but they should assess their specific circumstances to determine if additional investments are necessary.
  • Organizations that manage personally identifiable information (PII records), financial data, sensitive or private information, have high availability needs, or operate in high-risk sectors (such as critical infrastructure or military) may require further cyber security measures beyond what this document covers. Each organization should evaluate its own needs.
  • Although physical security is an essential part of an organization's overall information security strategy, it falls outside the scope of this framework because of the complexity and resources involved.

Why achieve certification in CAN/DGSI 104:2021 Rev 1 2024?

Customers, partners, investors, and suppliers entrust Canadian businesses with crucial information and expect that it will be securely protected. Without robust cyber security measures, this data and the information entrusted to them may be vulnerable to:

  • Theft of personal and/or confidential information
  • Theft of credit card and/or financial and banking information
  • Ransomware attacks resulting in significant business data loss and disruption of services
  • Unauthorized alteration of information
  • Fiduciary liability and potential litigation

Key Components

CAN/DGSI 104:2021 Rev 1 2024 comprises several critical components, each designed to build a comprehensive cyber security framework. A few include:

Risk Assessments

A cornerstone of the framework is the emphasis on risk assessments. Organizations are encouraged to conduct regular evaluations of their cyber security landscape to identify vulnerabilities and potential threats. This proactive approach is vital in today’s rapidly evolving cyber threat environment.

The risk assessment process typically involves:

  • Identifying Assets: Cataloging all information systems, data, and resources that need protection.
  • Assessing Vulnerabilities: Evaluating the existing security measures to identify weaknesses.
  • Analyzing Threats: Understanding the potential threats that could exploit these vulnerabilities.
  • Evaluating Risks: Determining the likelihood and impact of different threats on organizational assets.

How do businesses handle their cyber risks?

Following an assessment, organizations are given a cyber score outlining the vulnerabilities identified. They are then provided with recommendations on how to strategically respond to each of those risks, through:

  • Avoiding the risk: Completely eliminate the risk.
  • Mitigating the risk: Reduce the probability or impact of the risk.
  • Transferring the risk: Shift the risk to a third party, typically through Cyber Liability Insurance.
  • Accepting the risk: Acknowledge the risk and choose not to address, transfer, or mitigate it.

When it comes to cyber risk levels, risk severity is calculated by multiplying the likelihood of something happening by the impact it would have on the organization.

How are cyber risks calculated?

How can you determine where to invest in information security? In other words, how do you identify which risks are high-risk?

Risk severity can be determined using the following calculation: the likelihood of an event occurring multiplied by the impact it would have on the organization.

Something with a high likelihood and a high impact is considered high-risk. Therefore, you should invest in either avoiding, transferring or mitigating it, whereas a low risk might be something you simply accept.

Therefore, by regularly performing risk assessments, businesses can prioritize their cyber security efforts based on the most pressing vulnerabilities. This ensures that resources are allocated effectively. You can even find preliminary, self-guided assessments online for free – here’s an example.
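The four-step risk assessment process described earlier (identify assets, assess vulnerabilities, analyze threats, evaluate risks) and the likelihood-times-impact severity calculation can be carried through in a small risk register. The following Python script is an added illustration written for this article; it is not code from the framework or from Birmingham Consulting. The 1-to-5 scales, the severity thresholds, the "Medium" band and its treatment wording, and the sample register entries are all assumptions constructed here; the framework itself prescribes none of them.

```python
"""Worked risk-register scoring: severity = likelihood x impact.

Added illustration for the article above. The 1-5 scales, the
severity bands and the sample entries are constructed here and are
not prescribed by CAN/DGSI 104.
"""
from dataclasses import dataclass

SCALE_MIN, SCALE_MAX = 1, 5  # assumed ordinal scales for both factors

# Assumed severity bands on the 1..25 product range (not from the framework).
HIGH_THRESHOLD = 15
MEDIUM_THRESHOLD = 8


@dataclass(frozen=True)
class Risk:
    asset: str        # step 1: the asset that needs protection
    weakness: str     # step 2: the weakness in current controls
    threat: str       # step 3: the threat that could exploit it
    likelihood: int   # step 4: how likely, 1 (rare) .. 5 (almost certain)
    impact: int       # step 4: how bad, 1 (negligible) .. 5 (severe)


def severity(risk: Risk) -> int:
    """Likelihood multiplied by impact, as the article describes.

    Out-of-scale inputs are rejected so that a typo cannot silently
    produce a severity outside the agreed matrix.
    """
    for name, value in (("likelihood", risk.likelihood), ("impact", risk.impact)):
        if not SCALE_MIN <= value <= SCALE_MAX:
            raise ValueError(
                f"{name} must be between {SCALE_MIN} and {SCALE_MAX}, got {value}"
            )
    return risk.likelihood * risk.impact


def risk_level(score: int) -> str:
    """Map a severity score to a band using the assumed thresholds."""
    if score >= HIGH_THRESHOLD:
        return "High"
    if score >= MEDIUM_THRESHOLD:
        return "Medium"
    return "Low"


# High and Low follow the article; the Medium wording is an assumption.
TREATMENT = {
    "High": "avoid, mitigate or transfer",
    "Medium": "mitigate, or accept with documented justification",
    "Low": "accept",
}


def prioritise(register: list[Risk]) -> list[dict]:
    """Rank risks by severity so effort goes to the most pressing ones first."""
    rows = []
    for r in register:
        score = severity(r)
        level = risk_level(score)
        rows.append({
            "asset": r.asset,
            "threat": r.threat,
            "severity": score,
            "level": level,
            "treatment": TREATMENT[level],
        })
    return sorted(rows, key=lambda row: row["severity"], reverse=True)


# Constructed sample register for a small business (illustrative values only).
SAMPLE_REGISTER = [
    Risk("Customer database", "no offline backups", "ransomware", likelihood=4, impact=5),
    Risk("Staff email", "no phishing training", "credential phishing", 4, 3),
    Risk("Public website", "untested for OWASP Top 10 issues", "web application attack", 3, 4),
    Risk("Office printer", "default admin password", "local tampering", 2, 1),
]

if __name__ == "__main__":
    for row in prioritise(SAMPLE_REGISTER):
        print(f"{row['severity']:>2} {row['level']:<6} {row['asset']:<18} -> {row['treatment']}")
```

Running the script prints the register ordered from the highest severity (20, the ransomware scenario) down to the lowest (2), with the suggested treatment category beside each entry. Repeating the assessment on a schedule and re-scoring the same register is what lets a business see whether its mitigations actually moved a risk out of the High band.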

Incident Response Planning

In addition to prevention, the CAN/DGSI 104:2021 Rev 1 2024 framework underscores the importance of having a well-defined incident response plan. Cyber incidents are inevitable, and how an organization responds can significantly impact its recovery.

Key elements of an effective incident response plan include:

  • Preparation: Establishing a dedicated incident response team and defining roles and responsibilities.
  • Detection and Analysis: Implementing monitoring tools to identify potential security incidents and conducting thorough analysis to understand the nature of the threat.
  • Containment, Eradication, and Recovery: Developing procedures to contain incidents, eliminate threats, and restore normal operations.
  • Post-Incident Review: After an incident, conducting a review to analyze the response effectiveness and to update policies and procedures accordingly.

A robust incident response capability not only minimizes the impact of a breach but also fosters a culture of continuous improvement in cyber security practices.

Employee Training and Awareness

Human error remains one of the leading causes of cyber security incidents. Consequently, the CAN/DGSI 104:2021 Rev 1 2024 framework emphasizes the necessity of ongoing employee training and awareness programs. Employees must be equipped with the knowledge to recognize potential threats, such as phishing attempts or fraudulent accounts receivable (A/R) activities.

Training should cover:

  • Best Practices: Teaching employees about password management, secure browsing, and the importance of reporting suspicious activities.
  • Simulation Exercises: Conducting regular drills to simulate cyber incidents, allowing employees to practice their response in a controlled environment.
  • Updates on Emerging Threats: Providing continuous education on the evolving landscape of cyber threats, ensuring employees are aware of new tactics and techniques used by cybercriminals.

By creating a culture of security through cyber security awareness, organizations can significantly reduce their risk of falling victim to cyber attacks.

Website Security

This section of the framework can be particularly challenging for small businesses, as it requires organizations to be aware of and test for the top 10 vulnerabilities identified by OWASP (Open Worldwide Application Security Project). The OWASP Top 10 is the international standard for building secure websites and highlights the 10 most common web application vulnerabilities (in other words, the top 10 common ways that websites get hacked). The framework requires that an organization's website be free of these outlined vulnerabilities.

Importance of Cyber Security

The relevance of cyber security cannot be overstated in Canada’s digital world. With the heavy dependence that businesses have on technology as well as internet connectivity, the attack surface has expanded, making organizations more vulnerable.

The potential consequences of a cyber incident can be devastating:

  • Financial Loss: The direct costs associated with data breaches can be substantial, including remediation expenses, legal fees, and potential fines.
  • Reputational Damage: An incident can severely damage an organization’s reputation, leading to loss of customer trust and potential business opportunities.
  • Legal Repercussions: Organizations may face lawsuits or regulatory actions if they fail to protect sensitive information adequately.

The CAN/DGSI 104 framework provides practical and foundational guidance to strengthen defenses against potential threats, helping organizations protect their assets and maintain stakeholder trust.

Implementation and Evaluation of CAN/DGSI 104:2021 Rev 1 2024

Implementing the CAN/DGSI 104 standard involves a systematic approach:

  • Regular Reviews and Updates: Cyber security is not a one-time effort – it’s a journey. Organizations should establish a schedule for regular reviews and updates to their security practices, ensuring they remain effective in the face of evolving threats.
  • Gap Analysis: Organizations should begin by conducting a gap analysis to assess their current cyber security practices against the framework’s requirements.
  • Action Plan Development: Based on the findings of the gap analysis, organizations can develop a tailored action plan to address identified weaknesses and implement necessary controls.
  • Resource Allocation: Ensuring adequate resources—financial, human, and technological—are allocated to implement and maintain the required security measures.

CAN/DGSI 104 – Is It Worth It?

The CAN/DGSI 104:2021 Rev 1 2024 standard represents a crucial initiative in fortifying the cyber and information security for Canadian businesses. By providing clear, actionable guidelines, it empowers organizations—especially SMEs—to enhance their security posture, protect sensitive information, and maintain the trust of customers, partners, and stakeholders.

As cyber threats continue to evolve in complexity and frequency, adherence to this framework will be essential for businesses aiming to navigate today’s digital environment safely and effectively. Ultimately, implementing the CAN/DGSI 104 standard not only mitigates risk but also fosters a proactive culture of cyber security, enabling organizations to thrive in an increasingly connected world.

Birmingham Consulting is your source for cyber security expertise and can help identify where your business’ cyber security needs attention. If you are not 100% confident in your security systems, make Birmingham your first choice for a second opinion.