Follow ISA Cybersecurity on LinkedIn for the latest cybersecurity news
Weekly CyberTip: Chasing Regulatory and Legislative Compliance
It’s challenging to keep up with regulatory and compliance changes. It’s important not only to follow new legislation as it is enacted, but also to track changes that may be coming in the future. Planning and preparation are key to maintaining smooth operations. Here are a few tips on how to stay current with these ever-changing areas:
- monitor regulatory agency websites and press releases
- monitor news in other jurisdictions for changes and trends
- subscribe to blogs and newsletters
- join industry associations and peer groups
- attend conferences and events to network and learn more
- consider dedicated staff and compliance software
- follow best practices and “compliance by design” even in the absence of formal regulation
- engage expert assistance to advise and consult on change
University of Waterloo investigating ransomware attack
On May 30, the University of Waterloo (UW) experienced a suspected ransomware attack on its network. The RCMP discovered the attack while it was still in progress, then notified Waterloo Regional Police and the university’s Special Constable Services.
According to Rebecca Elming, UW’s Director, Media Relations and Issues Management, “We know that our on-premises email server was compromised. Fortunately, 99.9 per cent of our email users are not affected because their email services are hosted in the cloud.” She advised that only 12 users were using the affected in-house Exchange server, none of whom are students.
The university’s IT team, who interrupted the attack by shutting down the server, is continuing to assess whether any other systems were affected. The university sent a broadcast email to everyone who accesses their systems, advising that they must reset their passwords by June 8 as a precautionary response to the incident. “After this date, you will be locked out of your account and will need to contact IST [Information Systems & Technology] to unlock it for you,” according to the email.
In their June 1 bulletin and their latest update on the incident, UW also advised that the university’s “WatIAM” access system is being temporarily disabled to prevent any new accounts from being set up.
Canadian government announces certification requirements for some defence contracts
In a May 31 press release, the Honourable Anita Anand, Minister of National Defence (on behalf of the Honourable Helena Jaczek, Minister of Public Services and Procurement) announced that the Government of Canada will be introducing mandatory certification requirements for selected federal defence contracts as early as winter 2024. The government has allocated $25 million (CDN) over three years for the creation of the new program, referred to as the Canadian Program for Cyber Security Certification.
“Public Services and Procurement Canada (PSPC), in partnership with National Defence and the Standards Council of Canada, will lead the Government of Canada’s efforts to establish this new program. Engagement sessions with the defence industry and other key stakeholders are expected to begin in late 2023,” according to the statement.
“Without certification, Canadian suppliers risk being excluded from future international defence procurement opportunities. The new program will aim to reduce industry burden by pursuing mutual recognition between Canada and the U.S., allowing certified Canadian suppliers to be recognized in both jurisdictions.”
In the statement, Minister Jaczek explained the drivers behind the new program: “Threats to cyber security are complex and rapidly evolving, and in the world of defence procurement, cyber incidents pose a threat to the protection of unclassified federal information. That’s why we are taking action to protect our defence supply chain by establishing a Canadian Program for Cyber Security Certification to protect Canadians and Canadian businesses.”
The Department of Defense (DoD) in the United States introduced minimum cybersecurity standards for defence contractors in 2020 with its Cybersecurity Maturity Model Certification (CMMC). Version 2.0 of the CMMC, announced in November 2021, is still under review. However, CMMC 2.0 requirements started appearing in DoD contracts in May 2023, and are expected to be incorporated into all contracts by fall 2025.
Privacy Commissioner announces updated workplace privacy guidance
On May 29, the Office of the Privacy Commissioner of Canada (OPC) announced updated guidance on workplace privacy for employers that are subject to federal privacy legislation. The guidance was added to the “Privacy in the Workplace” materials on the OPC website.
According to a press release introducing the changes, “employers need to be aware of how the Privacy Act (for federal government institutions) and the Personal Information and Protection of Electronic Documents Act (PIPEDA) (for businesses governed by federal legislation) apply to them, and should ensure that employees know their rights under those laws.”
The additions to the guidance outline key privacy considerations for employers managing employees’ personal information, discuss topical issues such as the monitoring of employees, and offer practical tips for things that employers can build into their privacy policies and procedures “regardless of whether they are governed by federal or provincial privacy laws.”
Canadian incident response conference attracting global audience
Over 900 specialists from over 90 countries are meeting at the 35th annual Forum of Incident Response and Security Teams (FIRST) conference in Montreal this week. The conference, entitled “Empowering Communities”, fosters global coordination and cooperation among computer security and incident response teams.
Experts from around the world, representing national agencies, regulatory bodies, industry, critical infrastructure concerns, cyber insurance carriers, and academia are scheduled to attend and present.
Edward Norminton, FIRST Annual Conference Program Chair and Operational Relationships team manager for the Canadian Centre for Cyber Security (CCCS), observed that “this conference is critical for the global community of incident responders and security teams. The never-ending changes in technology and how we do business, from AI to remote working, bring new threats that must be addressed. [We] must learn from each other to address common challenges, but solutions must be tailored to the needs of cities, countries, critical infrastructure sectors, product development and so many other unique communities.”