Respecting Cyber Security

Requirements Assessment

• Development and maintenance of a formal Cyber Security Program (CSP), covering risk identification, mitigation, supply‑chain vulnerabilities, incident containment, recovery, governance oversight, and annual review by the Canadian Centre for Cyber Security (CCCS).
• Mandatory rapid reporting of cyber incidents to CCCS under a centralized federal framework.
• Compliance with government-issued cybersecurity directions and strict confidentiality requirements.
• Requirements under the CCSPA to manage organizational cyber risk, maintain detailed records, and report material changes in critical systems or third‑party dependencies.

Detailed Gap Analysis

Review the following areas:

• Policy and governance gaps
• Supply-chain and third‑party risk management gaps
• Incident reporting readiness
• Cyber program maturity
• Regulatory compliance tracking capabilities

Report and Review

• Current state vs. required state under Bill C‑8
• Readiness score and compliance heatmap
• Regulatory compliance tracking capabilities
• Report and Review

Remediation Roadmap

• CSP development and enhancements
• Supply‑chain security uplift
• Incident reporting workflow design
• Governance and oversight improvements
• Documentation and record‑keeping requirements (Canadian data‑residency compliance included)

Executive Briefing

• Key compliance risks
• Required investments
• Organizational impact
• Legislative timelines and anticipated passage path (Bill C‑8 expected to move quickly through Parliament based on momentum of Bill C‑26).

• Bill C‑8/CCSPA ("Critical Cyber Systems Protection Act") obligation set distilled into testable requirement statements (program, incident reporting, supply‑chain, direction compliance, records).
• Normalize CCCS Baseline (13) and ITSG‑33 Annex 3A controls into a reference catalogue.
• NIST CSF 2.0 Incorporate Functions → Categories → Subcategories (including GV governance outcomes).
• Build a bi‑directional mapping: Bill C‑8 ↔ CCCS Baseline / ITSG‑33 ↔ NIST CSF 2.0, with coverage ratings (Full / Partial / None), control ownership, evidence examples, and test cadence.
• Deliver a gap snapshot (top 10 issues) with lightweight remediation suggestions prioritized by risk and implementation effort.
• Incident reporting, supply‑chain material‑change, and governance checklist aligned to CCSPA and NIST CSF 2.0 Govern outcomes.
• Executive review.

• Board‑Ready Briefing Deck (PPTX/PDF) tailored to the firm’s sector mix and client base, covering obligations, risks, and board‑level actions
• Incident Reporting & Supply‑Chain One‑Pagers aligned to CCSPA ("Critical Cyber Systems Protection Act")expectations for speed and completeness.
• Control Anchor Sheet (CCCS Baseline + ITSG‑33 references) to guide questions legal teams should ask CISOs and vendors.
• Talking Points & Board Q‑list referencing NIST CSF 2.0 Govern outcomes for executive clarity.
• Recording (optional) and attendance certificate for eligible internal learning (if the firm’s rules allow).

• Review of the existing Incident Response Plan
• Update the incident response with specific scenarios and alignment to NIST and industry best practices.
• Conduct a detailed table top exercise with documented license learned.