REDACT LABS/TORONTO · ON

Cybersecurity & compliance, in plain English.

A working glossary of the terminology you will encounter in cybersecurity, IT, and Canadian compliance work. Definitions written for people who need to use them, not pass an exam.

Frameworks & standards


NIST CSF 2.0

NIST Cybersecurity Framework 2.0 is the U.S. National Institute of Standards and Technology's voluntary cybersecurity framework, released February 26, 2024. It organizes cybersecurity outcomes into six core Functions: Govern, Identify, Protect, Detect, Respond, and Recover. CSF 2.0 is the first major revision in a decade and the first version explicitly designed for organizations of every size and sector.

CIS Controls

The Center for Internet Security Controls (formerly the SANS Top 20) are a prioritized set of cybersecurity safeguards organized into 18 control categories, each with three Implementation Groups for organizations of different sizes and capabilities. Widely used as a complement to NIST CSF.

CyberSecure Canada

A voluntary federal cybersecurity certification programme for small and medium-sized enterprises, administered by the Standards Council of Canada. Certification is based on National Standard CAN/CIOSC 104:2021 and the 13 baseline cybersecurity controls developed by the Canadian Centre for Cyber Security.

ISO/IEC 27001

An international standard for information security management systems (ISMS). 27001 is more rigorous than CSF 2.0 or CyberSecure Canada and requires third-party audit. Common in larger organizations and as a procurement requirement for enterprise vendors.

SOC 2

A reporting framework developed by the AICPA covering controls related to security, availability, processing integrity, confidentiality, and privacy. SOC 2 reports come in two types: Type I (controls in place at a point in time) and Type II (operating effectiveness over a period). Common in B2B SaaS procurement.

Canadian privacy law


PIPEDA

The Personal Information Protection and Electronic Documents Act is Canada's federal privacy law for the private sector. It governs how organizations collect, use, and disclose personal information in the course of commercial activities. Enforced by the Office of the Privacy Commissioner of Canada.

Quebec Law 25

Quebec's modernized private-sector privacy regime (formerly Bill 64), enacted September 2021 and rolled out in three phases between 2022 and 2024. Introduces GDPR-style obligations including mandatory privacy officers, privacy impact assessments, enhanced consent, and data subject rights. Penalties can reach C$25 million or 4% of worldwide turnover.

PHIPA

Ontario's Personal Health Information Protection Act governs how health information custodians handle personal health information. Imposes specific consent, breach notification, and record-keeping requirements beyond general privacy law.

Privacy Officer

An individual designated by an organization as responsible for privacy compliance. Required under Quebec Law 25 (defaults to the CEO unless delegated in writing). Best practice for any in-scope Canadian organization regardless of jurisdiction.

Privacy Impact Assessment (PIA)

A structured assessment of the privacy implications of a new system, service, or data practice. Required under Quebec Law 25 before transferring personal information outside Quebec or deploying new technology that handles personal information.

Technical controls


Multi-Factor Authentication (MFA)

Requires users to present two or more verification factors to access a system. Factors are categorized as something you know (password), something you have (security key, phone), or something you are (biometric). Phishing-resistant MFA using FIDO2 or WebAuthn is current best practice for high-value accounts.

EDR — Endpoint Detection & Response

Security software that continuously monitors endpoint devices for suspicious activity, records detailed telemetry, and provides response capabilities including automated isolation and forensic investigation. Replaces or supplements traditional antivirus.

MDR — Managed Detection & Response

A service model in which a third-party provider operates EDR tooling on behalf of a client, providing 24/7 monitoring, threat hunting, and incident response. Often preferred by organizations without internal security operations teams.

SIEM — Security Information & Event Management

Software that aggregates, correlates, and analyzes log data from across an organization's IT infrastructure. Supports compliance reporting, incident detection, and forensic investigation.

vCISO — Virtual Chief Information Security Officer

A senior security leader engaged on a fractional or retainer basis rather than as a full-time employee. Common for organizations of 50–250 staff that need executive-grade security strategy without the cost of a full-time CISO hire.

Tabletop Exercise

A discussion-based simulation in which incident response stakeholders walk through a hypothetical security scenario to test plans, decision-making, and communication procedures. Typically run annually and a low-cost way to identify gaps before a real incident.

Zero Trust

A security architecture principle that treats every access request as untrusted by default, regardless of network location. "Never trust, always verify." Implemented through identity-based access, micro-segmentation, and continuous validation.

Email authentication


SPF — Sender Policy Framework

An email authentication mechanism that lets domain owners specify which mail servers are authorized to send email on behalf of their domain. SPF records are published in DNS as TXT records.

DKIM — DomainKeys Identified Mail

Adds a cryptographic signature to outgoing messages, allowing receivers to verify that the message was authorized by the domain owner and was not modified in transit. Works alongside SPF and DMARC.

DMARC — Domain-based Message Authentication, Reporting and Conformance

Built on top of SPF and DKIM. Tells receiving mail servers what to do with messages that fail authentication and provides reporting on email abuse of your domain. Properly configured DMARC is one of the highest-ROI security controls for any organization.

DNSSEC — DNS Security Extensions

Adds cryptographic signatures to DNS records, enabling resolvers to verify that responses have not been tampered with in transit. Protects against DNS spoofing and cache poisoning attacks.

BIMI — Brand Indicators for Message Identification

An emerging email standard that lets domain owners display verified brand logos in supported mail clients. Requires DMARC at p=quarantine or p=reject and a Verified Mark Certificate.
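The SPF, DMARC and BIMI entries above all come down to what is published in a few DNS TXT records. The following added example (written for this glossary, not code from the page's author or any project it names) parses an SPF record and a DMARC record and reports the weak settings a reviewer looks for: an SPF record ending in `+all` or lacking `all`, more than the ten DNS-querying terms RFC 7208 allows, and a DMARC policy of `p=none`. The `bimi_prerequisites_met` check implements the page's stated requirement (p=quarantine or p=reject); its additional `pct` and `sp` checks are assumptions beyond the page. All records are constructed sample values and belong to no real domain.

```python
"""Parse SPF and DMARC TXT records and flag weak settings (added example)."""
import re

# Constructed sample TXT records, keyed by the DNS name they would be published at.
SAMPLE_RECORDS = {
    "example.test": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all",
    "_dmarc.example.test": "v=DMARC1; p=reject; rua=mailto:dmarc@example.test; pct=100",
    "weak.test": "v=spf1 a mx include:_spf.mailer.example +all",
    "_dmarc.weak.test": "v=DMARC1; p=none; rua=mailto:dmarc@weak.test",
}

# SPF terms that each cost a DNS lookup; RFC 7208 caps these at 10 per evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record):
    """Return the qualifier on 'all', the list of terms and the DNS-lookup count."""
    tokens = record.split()
    if not tokens or tokens[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    terms, all_qualifier, lookups = [], None, 0
    for tok in tokens[1:]:
        qualifier = "+"                      # an unqualified mechanism means 'pass'
        if tok[0] in "+-~?":
            qualifier, tok = tok[0], tok[1:]
        base = re.split(r"[:/=]", tok, maxsplit=1)[0].lower()
        if base == "all":
            all_qualifier = qualifier
        if base in LOOKUP_TERMS:
            lookups += 1
        terms.append((qualifier, tok))
    return {"terms": terms, "all": all_qualifier, "lookups": lookups}


def spf_findings(spf):
    """List the weaknesses in a parsed SPF record; an empty list means none found."""
    findings = []
    if spf["all"] is None:
        findings.append("no 'all' mechanism: unlisted senders are implicitly neutral")
    elif spf["all"] == "+":
        findings.append("'+all' authorizes every sender, so SPF provides no protection")
    elif spf["all"] == "?":
        findings.append("'?all' is neutral; receivers treat it like no policy")
    if spf["lookups"] > 10:
        findings.append(f"{spf['lookups']} DNS-querying terms exceed the limit of 10 (permerror)")
    return findings


def parse_dmarc(record):
    """Parse a DMARC record into a tag dictionary, requiring v=DMARC1 and a p= tag."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    if "p" not in tags:
        raise ValueError("DMARC record lacks the required p= tag")
    return tags


def dmarc_enforcing(tags):
    """True when failing mail is quarantined or rejected rather than merely reported."""
    return tags["p"].lower() in ("quarantine", "reject")


def bimi_prerequisites_met(tags):
    """Enforcing policy as the page states; pct=100 and sp checks are assumptions."""
    if not dmarc_enforcing(tags):
        return False
    if tags.get("pct", "100") != "100":           # assumption: partial enforcement is not enough
        return False
    if tags.get("sp", tags["p"]).lower() == "none":   # assumption: subdomain policy must also enforce
        return False
    return True


def audit_domain(domain, records=SAMPLE_RECORDS):
    """Evaluate one domain's SPF and DMARC records from a name-to-TXT mapping."""
    spf = parse_spf(records[domain])
    dmarc = parse_dmarc(records["_dmarc." + domain])
    return {
        "spf_findings": spf_findings(spf),
        "dmarc_policy": dmarc["p"].lower(),
        "dmarc_enforcing": dmarc_enforcing(dmarc),
        "bimi_ready": bimi_prerequisites_met(dmarc),
    }


if __name__ == "__main__":
    for name in ("example.test", "weak.test"):
        print(name, audit_domain(name))
```

To run this against a live domain, replace the `SAMPLE_RECORDS` mapping with the TXT records returned by a resolver for the domain and its `_dmarc.` subdomain; the parsers themselves do not touch the network. Note that an SPF record is only as strong as the domains it `include`s, so a clean result here does not replace reviewing those included records too.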

Need help applying any of this?

Talk to a senior engineer.

Every engagement starts with a 30-minute call. No charge, no commitment.