Government of Canada’s Enterprise Cyber Security Strategy

May 22, 2024 – Ottawa, Ontario – Treasury Board of Canada Secretariat

The Government of Canada’s Enterprise Cyber Security Strategy is a forward-looking plan to improve cyber security across government departments and agencies to continue to provide secure and reliable digital government services. It serves as a framework to move the government even more from a defensive position to a proactive cyber security approach by improving training, applications, policy, and monitoring.

Over the past decade, the government has taken steps to improve its cyber security posture by standardizing IT infrastructure and integrating cyber defense services, establishing the Canadian Centre for Cyber Security, and putting in place clear governance, policies, and tools to support cyber security. Despite this progress, gaps still remain. The Enterprise Cyber Security Strategy aims to address these gaps and ensure the government is well positioned to address future cyber threats.

The strategy is built on 4 strategic objectives to help federal organizations take a broader, enterprise-wide approach to protect their systems against cyber risks:

1. Articulate cyber risk and its business impacts meaningfully for effective, action oriented, and accountable decision-making
2. Prevent and resist cyber-attacks more effectively towards a greater protection of GC information and assets
3. Strengthen capabilities and resilience across the GC to proactively prepare for, respond to, and recover from cyber events
4. Foster a diverse GC workforce with the right cyber security skills, knowledge and culture

Each of the objectives listed above has corresponding key actions to ensure the goal is met. Examples of key actions include:

• ensuring federal departments and agencies have yearly risk management processes and accountabilities in place, which will help the government to be more efficient and proactive in identifying and managing cyber risks from an enterprise-wide perspective
• building up cyber talent within the government through cross-functional training programs to leverage a variety of learning solutions
• promoting a talent management culture to recruit and retain candidates with required cyber skills, as well as
•  enhancing third-party risk management through measures like standardizing clauses and conditions in contracts and perform routine verification that suppliers are meeting the clauses​

The first phase of implementation will begin immediately and support:

• Establishing a centralized evaluation system with independent assessments and thorough reviews of departments' cybersecurity to identify and prioritize risks.
• Creating a federated integrated risk management platform to enable prioritization and data-driven reporting as a key part of a broader enterprise portfolio management system.
• Creating a government-wide vulnerability management program for a coordinated vulnerability disclosure process and will focus on people, processes, policies, and technology.
• Forming a new Purple Team that will emulate techniques used by malicious threat actors against government systems to proactively test and audit any security gaps.

Cyber security of the GC is not an end state, but rather a journey of continuous improvement. To ensure that the GC is constantly advancing and achieving its vision and strategic objectives, monitoring and evaluation of the overall strategy will be conducted on a yearly basis through key performance indicators (KPI) and results will be posted on Canada.ca.