CYBERSECURE CANADA Part V: Final Thoughts
Even though my first four installments went into plenty of detail, there are still a few key reminders to consider:
1) This Certification is new!
Officially, the Certification is in its “Pilot Stage.” This means it’s a work in progress, so the specific requirements may change as it matures.
2) It’s hard to tell which aspects of it are requirements and which are suggestions.
Many regulations (PCI-DSS, PIPEDA, etc.) have developed tools or checklists to help outfits implement their requirements. The simplest form of this is a PDF listing every item, with a note saying which ones are required and which are nice to have. No such list exists for this Certification yet, so I’m working off the written language. Thus, I may be a bit off on which items are required and which ones are recommended.
3) There currently seems to be a conflict between PCI-DSS, PIPEDA and CYBERSECURE CANADA.
It has to do with password rules. There may not be a conflict if what is stated in this regulation isn’t an actual strict requirement. At the same time, these password rules are based on research and experience; the rules in PCI-DSS, PIPEDA and other regulations are not. I’m not certain how the conflict will be resolved when applying for this Certification, but maybe that will become clear over time.
4) Regarding SOC 16 SAE 3 Reports for Cloud Services:
This report is simply one in which a third-party auditor verifies that a Cloud Service Provider has upheld its contractual obligations as part of a service it provides. Since it must be done by a third party, a report like this is not cheap, due to the work involved. As such, it only makes sense to have one done if your business generates enough income to warrant it. Estimates vary, but $10,000-$20,000 seems to be the average cost for one of these reports. So, it wouldn’t make sense to ask for this from a small Cloud Service Supplier.
Most of the large Cloud Service Providers (Microsoft, Amazon, etc.) seem to have been doing this for the past few years, and you can easily find their reports online. It looks like they only produce SOC 16 Reports for services that have to do with file storage. This seems to be supported by the wording in this regulation, as it talks about Cloud Services in relation to sensitive information. However, the exact nature of this isn’t entirely clear, since the SOC 16 auditing material is not in the public domain.
5) Regarding OWASP ASVS Testing/Certification:
The testing set-up within the framework put forward by OWASP is very good. However, I couldn’t find any official moniker or emblem that goes along with it: something an organization could use as a simple way to indicate that this testing method has been complied with.
Thus, it seems the only way to find out is to ask. At the same time, I couldn’t find any sort of registry, so if an organization claims that its software has passed OWASP ASVS lvl 1/2/3/4 Certification, there doesn’t seem to be a way to verify it. In short, I’m not sure how someone would go about certifying a claim of compliance, so I’m uncertain as to how useful this really is.
6) Regarding PCI-DSS Compliance:
The wording for this regulation says that you “should” follow their rules if they apply. PCI-DSS compliance is not optional for any organization, according to the rules set down by the payment card industry. If you accept plastic for payment in ANY way, then PCI-DSS rules apply to you. It used to be the case that small organizations were exempt, but this is no longer true. Also, being caught in a non-compliant state can result in large fines and loss of the privilege to accept plastic for payment.
The wording is a little misleading, since failure to comply with PCI-DSS rules can result in monetary losses for any outfit. If PCI-DSS is a requirement, the wording could state outright that you must be compliant with PCI-DSS rules, since (unlike the Certification) those aren’t optional. So, if you must follow PCI-DSS rules, then that should logically be considered a Certification requirement.
Overall, I have to say that the Security Controls in this Certification are incredibly useful. Even if your organization isn’t intending to pursue it, adopting some of them would help improve your outfit’s security. For example, having a fully fleshed-out Incident Response plan that accounts for the realistic possibility of a situation escalating beyond your abilities would benefit any organization.
If you have any questions about CYBERSECURE CANADA Certification, you can always reach out to your TRINUS Account Manager for some stress-free IT.
By Kind Courtesy of Your Friendly Neighbourhood Cyber-man.