Government Cybersecurity
Security assessment built for public sector accountability.
Sherlock Forensics provides cybersecurity assessment and incident response for Canadian government organizations. Services cover ITSG-33 compliance assessment, TBS policy alignment, Protected B system testing, supply chain security for government contractors and public sector incident response. We work with federal departments, provincial agencies, municipalities and government contractors.
Compliance Framework
ITSG-33 Compliance Assessment
ITSG-33 is the Government of Canada's IT security risk management framework, published by the Canadian Centre for Cyber Security. It defines security control profiles based on the confidentiality, integrity and availability requirements of the information system. Federal departments must implement ITSG-33 controls. Contractors handling government data are typically required to meet the same standards through their contract security clauses.
We assess your systems against the applicable ITSG-33 control profile. The assessment identifies which controls are implemented, which are partially implemented and which are missing entirely. Our report maps each finding to the specific ITSG-33 control identifier so your team can prioritize remediation. We also test whether implemented controls actually work as intended, not just whether they exist on paper.
Policy Alignment
Treasury Board Policies
Treasury Board Secretariat (TBS) policies set the governance framework for IT security across the Government of Canada. The Policy on Government Security and the Directive on Security Management require departments to implement security programs that protect government information and assets. These policies mandate security assessments, vulnerability management and incident reporting.
Key TBS requirements we assess:
- Security Assessment and Authorization (SA&A): Formal evaluation of a system's security controls before it is authorized to operate.
- Vulnerability Management: Ongoing identification and remediation of security vulnerabilities in government systems.
- Incident Management: Processes for detecting, responding to and recovering from security incidents.
- Supply Chain Security: Controls ensuring that third-party products and services do not introduce unacceptable risk.
Data Classification
Protected B System Assessment
Protected B is the Government of Canada classification for information that could cause serious injury if compromised. This includes personal tax records, medical files, immigration records, financial data and law enforcement information. Systems processing Protected B data require a specific set of security controls covering encryption, access control, audit logging, network segmentation and physical security.
Our Protected B assessment verifies that your systems meet the required security posture. We test encryption implementation (both at rest and in transit), access control configurations, audit log completeness, network segmentation effectiveness and administrative access procedures. For cloud-hosted systems, we assess against the Canadian Centre for Cyber Security's cloud security guidance and the applicable Protected B cloud security profile.
Contractors
Supply Chain Security for Government Contractors
Government contractors are increasingly required to demonstrate security compliance as a condition of procurement. The Industrial Security Program, managed by Public Services and Procurement Canada (PSPC), sets baseline security requirements. Many Requests for Proposals (RFPs) now include specific cybersecurity requirements, including penetration testing, vulnerability assessment and security control implementation evidence.
We help contractors prepare for government security requirements before they become barriers to winning or retaining contracts. Our assessment identifies gaps between your current security posture and the requirements specified in government contracts. We provide a prioritized remediation plan and a formal assessment report that can be submitted as evidence of due diligence during procurement processes.
Incident Response
Public Sector Incident Response
Government organizations face unique constraints during security incidents. Public accountability, mandatory reporting to the Canadian Centre for Cyber Security, privacy breach notification obligations and the potential impact on public services all add complexity. Our incident response process accounts for these requirements from the first call. We coordinate with your internal teams, legal counsel and any mandatory reporting bodies.
Municipal governments are frequent targets of ransomware attacks. City systems, utility SCADA networks, public transit operations and citizen-facing services all present attack surfaces. We have responded to incidents across municipal infrastructure including compromised email systems, encrypted file servers, breached citizen databases and ransomware affecting public-facing services. Our priority is always restoring operations while preserving forensic evidence for investigation and potential prosecution.
Get Started
Ready to meet government security requirements?
Order a security assessment online or call for a scoping consultation. ITSG-33 assessments from $12,000 CAD.
Questions