Canada ITSG

Protect sensitive government information with Canadian security guidelines covering technical controls, risk management, and cybersecurity best practices.

How Kiteworks Supports Canada ITSG Compliance

The Information Technology Security Guidance (ITSG) framework, published by the Canadian Centre for Cyber Security (CCCS), provides comprehensive security controls and guidelines for protecting sensitive government information systems. ITSG-33, the cornerstone of this framework, establishes a security control catalog that Canadian federal departments and agencies must implement to safeguard information assets. Kiteworks delivers a robust platform that aligns with ITSG requirements, enabling organizations to protect sensitive data while maintaining compliance with Canadian security standards.

ITSG-33 Security Control Catalog

ITSG-33 defines a comprehensive catalog of security controls organized into families that address every aspect of information security. Kiteworks maps directly to these control families, providing built-in capabilities that satisfy technical, operational, and management control requirements.

  • Access Control (AC): Kiteworks enforces role-based access controls (RBAC), least-privilege principles, and separation of duties across all communication channels.
  • Audit and Accountability (AU): Comprehensive audit logging captures every file action, user authentication event, and policy change with tamper-evident records.
  • Security Assessment and Authorization (CA): Kiteworks supports continuous assessment through automated monitoring, vulnerability scanning, and compliance reporting.
  • Configuration Management (CM): Centralized configuration management ensures consistent security settings across all deployment components.

Risk-Based Approach to IT Security

ITSG emphasizes a risk-based approach where security controls are selected and implemented based on the assessed risk level of information assets. Kiteworks supports this methodology by providing:

  • Data Classification Support: Categorize sensitive content based on confidentiality, integrity, and availability requirements aligned with Canadian government classification levels.
  • Adaptive Security Controls: Apply different security policies based on data sensitivity—from Protected A through Protected C and classified information handling.
  • Risk Assessment Integration: Kiteworks' comprehensive logging and monitoring capabilities feed into organizational risk assessment processes, providing the data needed for informed security decisions.
  • Continuous Risk Monitoring: Real-time dashboards and alerts enable organizations to identify and respond to emerging risks before they become incidents.

Security Categorization Methodology

Canadian government organizations must categorize their information systems based on the potential impact of a security breach. Kiteworks facilitates this process through:

  • Support for Protected A, Protected B, and Protected C classification levels
  • Granular access controls that enforce classification-based access restrictions
  • Automated policy enforcement that prevents unauthorized access to higher-classified information
  • Metadata tagging and labeling capabilities for proper information categorization

Safeguard Selection and Implementation

Once information systems are categorized, organizations must select and implement appropriate safeguards. Kiteworks provides pre-built security controls that align with ITSG safeguard requirements:

Safeguard Category | ITSG Requirement | Kiteworks Capability
Technical | Encryption, access control, audit logging | AES-256 encryption, RBAC, comprehensive audit trails
Operational | Incident response, configuration management | Real-time alerts, centralized configuration, automated reporting
Management | Risk assessment, security planning | CISO dashboard, compliance reporting, risk analytics

Continuous Monitoring Requirements

ITSG mandates continuous monitoring of security controls to ensure ongoing effectiveness. Kiteworks delivers:

  • Real-Time CISO Dashboard: Centralized visibility into all file movements, user activities, and security events across the organization.
  • SIEM Integration: Feed security event data into existing SIEM solutions for centralized monitoring and correlation.
  • Automated Compliance Reporting: Generate compliance reports on demand to demonstrate adherence to ITSG requirements.
  • Anomaly Detection: Identify unusual access patterns or data movement that may indicate a security incident.

Encryption Standards (CSE-Approved Algorithms)

The Communications Security Establishment (CSE) specifies approved cryptographic algorithms for protecting Canadian government information. Kiteworks implements:

  • AES-256 Encryption at Rest: All stored data is encrypted using CSE-approved AES-256 encryption.
  • TLS 1.2/1.3 in Transit: Data in transit is protected using the latest transport layer security protocols with approved cipher suites.
  • FIPS 140-2/140-3 Validated Modules: Cryptographic modules meet the highest validation standards recognized by Canadian security authorities.
  • Customer-Managed Encryption Keys: Organizations retain full control over their encryption keys, ensuring data sovereignty.

Access Control Frameworks

Kiteworks implements robust access control mechanisms aligned with ITSG requirements:

  • Multi-factor authentication (MFA) for all administrative and user access
  • Role-based access controls with granular permission settings
  • Integration with Government of Canada identity management systems (GCDOCS, GCKey)
  • Automatic session management and configurable timeout policies
  • IP-based access restrictions for geographic enforcement

Audit and Accountability

ITSG requires comprehensive audit capabilities to track all security-relevant events. Kiteworks provides:

  • Immutable Audit Logs: Every file access, transfer, modification, and deletion is logged with timestamps, user identities, and action details.
  • One-Click Compliance Reports: Generate detailed reports for auditors and security assessors demonstrating ITSG control compliance.
  • Tamper-Evident Records: Audit records are protected against unauthorized modification or deletion.
  • Retention Policy Enforcement: Configurable log retention periods that meet Canadian government record-keeping requirements.

Incident Response Capabilities

Kiteworks supports ITSG incident response requirements by providing the tools and data needed for effective incident management:

  • Real-time alerting for security events and policy violations
  • Detailed forensic data for incident investigation and analysis
  • Integration with Government of Canada incident response processes
  • Automated notification capabilities for breach reporting to the Canadian Centre for Cyber Security
  • Containment controls including remote wipe and access revocation

Cross-Border Data Considerations for Canadian Sovereignty

Canadian data sovereignty is a critical concern for ITSG compliance. Kiteworks addresses this through:

  • Canadian Data Residency: Deploy Kiteworks on-premises or in Canadian cloud regions to ensure data never leaves Canadian jurisdiction.
  • Single-Tenant Architecture: Dedicated instances prevent data commingling with other organizations or jurisdictions.
  • Geofencing Controls: Enforce geographic boundaries on data storage and processing to maintain Canadian sovereignty requirements.
  • PIPEDA Compliance: Built-in controls support Personal Information Protection and Electronic Documents Act requirements for handling personal information of Canadian citizens.

By implementing Kiteworks, Canadian government departments and agencies can confidently meet ITSG-33 security control requirements while maintaining the flexibility to adapt to evolving threat landscapes and regulatory changes.