Actually, disregard my "Disregard!".
I noticed that ENGLISH version of the document mentions all three items, but the FRENCH version still only mentions DMARC.
So I WASN'T crazy!!
Disregard! Just noticed that the last revision said "The organization shall ensure the implementation of DMARC, DKIM and SPF on all organization email services."
Jacques Sauve Jan 16 2026 at 11:55AM on page 25
Technical
Why just DMARC?? For DMARC to work properly, SPF and DKIM normally have to be configured as well.
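As an added illustration of the point above (not part of this comment thread or of the draft standard), here is a small Python check that reads constructed DNS TXT records and flags a DMARC policy with no SPF or DKIM behind it; the domain names, selector names and record contents are all assumed.

```python
"""Assess whether a domain's DMARC policy is actually backed by SPF and DKIM.

Constructed example: DNS TXT answers are embedded in a dict instead of being
queried, so the script runs offline. Domains and selector names are assumed.
"""
import re

# Constructed TXT records (not real domains); keys are DNS owner names.
DNS_TXT = {
    "example.test": ["v=spf1 include:_spf.mail.test -all"],
    "_dmarc.example.test": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.test; adkim=s"],
    "s1._domainkey.example.test": ["v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY"],
    # A domain that published only DMARC, the situation the comment warns about.
    "_dmarc.lonely.test": ["v=DMARC1; p=quarantine"],
}

def parse_tags(record):
    """Parse 'k=v; k2=v2' style records (DMARC and DKIM) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags

def txt(name):
    """Stand-in for a DNS TXT lookup against the constructed records."""
    return DNS_TXT.get(name, [])

def assess_domain(domain, dkim_selectors=("s1", "default")):
    """Return a list of findings; an empty list means DMARC is usable."""
    findings = []
    spf = [r for r in txt(domain) if r.lower().startswith("v=spf1")]
    dmarc = [r for r in txt(f"_dmarc.{domain}") if r.lower().startswith("v=dmarc1")]
    dkim = [s for s in dkim_selectors
            if any(r.lower().startswith("v=dkim1") for r in txt(f"{s}._domainkey.{domain}"))]
    if not dmarc:
        return ["no DMARC record"]
    tags = parse_tags(dmarc[0])
    policy = tags.get("p", "none")
    if not spf:
        findings.append("no SPF record: SPF can never pass or align")
    if not dkim:
        findings.append("no DKIM selector found: DKIM can never pass or align")
    if not spf and not dkim and policy in ("quarantine", "reject"):
        findings.append(f"DMARC p={policy} with neither SPF nor DKIM: all mail fails DMARC")
    if spf and not re.search(r"\s[-~]all\s*$", spf[0]):
        findings.append("SPF lacks a terminal -all/~all: unauthorized senders are not failed")
    if "rua" not in tags:
        findings.append("DMARC has no rua= address: no aggregate reports to monitor")
    return findings
```

Running `assess_domain("lonely.test")` shows why a DMARC-only deployment is worse than none: with an enforcing policy and no authentication mechanism to align, every message from that domain is quarantined or rejected.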
Jacques Sauve Dec 30 2025 at 2:45PM on page 25
Technical
5.7.3.9 is fundamentally broken.
“The organization should ensure that their users join a separate network that is independent of the home network (e.g. guest network)…”
This fails on three levels: technical, operational, and auditability.
1. It assumes control the organization does not have: most organizations do not own or manage employee home routers.
2. “Ensure” implies enforcement, not guidance.
3. You cannot verify compliance without invading privacy.
This is unenforceable for SMBs, especially with a WFH setup.
Modern best practice assumes:
- networks are hostile
- security lives on:
  - the endpoint
  - identity
  - encrypted access
This control is trying to fix endpoint risk with network topology, which is backward.
Jacques Sauve Dec 30 2025 at 2:39PM on page 25
Editorial
The real security objective is to prevent public, customer, or third-party access from having implicit or lateral access to internal corporate resources. Segmentation is one method, not the requirement itself.
This control is not about employee home networks at all. It’s about:
- trust boundaries
- exposure surfaces
- preventing pivot paths
Jacques Sauve Dec 30 2025 at 2:01PM on page 25
Editorial
Same as my comment for 5.7.3.1: what about WFH businesses?
Wi-Fi is no longer the right boundary: in a remote model, the “Wi-Fi control” is not the core control — the endpoint is.
You cannot guarantee home Wi-Fi security. Even if Wi-Fi is secure, compromise can still happen. A managed device with strong endpoint controls survives insecure networks much better than an unmanaged device on “secure” Wi-Fi.
The control must distinguish between corporate-managed Wi-Fi and remote employee Wi-Fi.
Home routers should not be assumed compliant unless the organization provides and manages them.
For remote work, the right approach is:
- publish minimum Wi-Fi requirements,
- enforce strong device and access controls (VPN/ZTNA, endpoint protections and compliance, DNS filtering),
- optionally use device posture checks to restrict access if the device is unsafe.
Jacques Sauve Dec 30 2025 at 1:35PM on page 24
Technical
What's the expectation for SMBs that have no office, where everyone works from home? They all have their ISP router, so does that address this control? What "proof" would an auditor be looking for?
don waugh Dec 15 2025 at 4:05PM on page 25
define basic lifecycle procedures
don waugh Dec 15 2025 at 4:04PM on page 28
phishing-resistant f
don waugh Dec 15 2025 at 4:03PM on page 24
phishing-resistant
don waugh Dec 15 2025 at 4:02PM on page 23
phishing-resistant
don waugh Dec 15 2025 at 4:01PM on page 22
Editorial
phishing resistant
don waugh Dec 15 2025 at 4:00PM on page 22
Technical
“phishing-resistant authentication
don waugh Dec 15 2025 at 3:57PM on page 18
Technical
“b. Identification of malicious communications and phishing including AI-enabled social engineering (e.g., deepfake voice/video, synthetic email style, and ‘CEO fraud’ impersonation);”
don waugh Dec 15 2025 at 3:55PM on page 11
Technical
“NOTE 4: Where an organization supports consequential services (see 3 Terms and definitions) or administers digital credentials, remote identity proofing, or high-risk transactions, the organization should consider adopting authentication controls that are resistant to phishing and impersonation, and applying stronger credential lifecycle controls (issuance, recovery, revocation) appropriate to the risk.”
Jacques Sauve Dec 10 2025 at 2:27PM on page 20
Editorial
I never understood why this was a "control". It's just a suggestion that the template provided could be used. When working with customers, I provide my own template, so we never use this. I always set this control to "Not applicable". Perhaps just mention this in the "Context" section?