G-7 Guidelines for Cybersecurity Assessment

Éloïse Gratton October 27, 2017

On October 13, 2017, the Group of Seven countries, including Canada, the United Kingdom and the United States (the “G-7”), issued a report titled G-7 Fundamental Elements for Effective Assessment of Cybersecurity in the Financial Sector (the “G7FEA”) to provide guidance for effective cybersecurity assessments by financial sector organizations. The G7FEA supplements the G-7’s 2016 report titled G7 Fundamental Elements of Cybersecurity for the Financial Sector (the “G7FEC”). The guidance is useful for organizations of all kinds and sizes.

G-7 Fundamental Elements of Cybersecurity

The G7FEC describe the following basic building blocks for the design and implementation of a cybersecurity strategy and operating framework for financial sector organizations: (1) strategy and framework; (2) governance; (3) risk and control assessment; (4) monitoring; (5) response; (6) recovery; (7) information sharing; and (8) continuous learning. For more information, see BLG bulletin Cyber Risk Management – G7 Cybersecurity Guidelines for the Financial Sector.

G-7 Fundamental Elements for Effective Assessment

The G7FEA is designed to promote the cybersecurity practices outlined in the G7FEC by specifying desirable cybersecurity outcomes and components of effective cybersecurity assessments.

The desirable outcomes are the following broad, demonstrable characteristics of a mature cybersecurity program: (1) the Fundamental Elements are in place; (2) cybersecurity influences organizational decision-making; (3) there is an understanding that disruption will occur; (4) an adaptive cybersecurity approach is adopted; and (5) there is a culture that drives secure behaviors.

The assessment components are designed to promote the quality of cybersecurity assessments and facilitate continuous improvement. The components are as follows: (1) establish clear assessment objectives; (2) set and communicate methodology and expectations; (3) maintain a diverse toolkit and process for tool selection; (4) report clear findings and concrete remedial actions; and (5) ensure assessments are reliable and fair.

To read our bulletin on this topic, click here.

This content has been updated on October 27, 2017 at 17 h 31 min.

Éloïse Gratton

Privacy & Data Protection Law

G-7 Guidelines for Cybersecurity Assessment

G-7 Fundamental Elements of Cybersecurity

G-7 Fundamental Elements for Effective Assessment

Data governance and privacy risks in Canada: A checklist for boards and c-suite

An Update on New Québec Confidentiality Incidents and Record-Keeping Requirements

The inside scoop on how to become a privacy lawyer: 10 tips from the top

Preparing for the Privacy Reform in Canada

Getting Ready for Québec’s New Privacy Law in 2023 (Part 1): Using what we know so far

Getting Ready for Quebec’s New Privacy Law in 2023 (Part 2): Navigating uncertainty in the Law

Une fugitive recherchée depuis 30 ans, capturée à Berlin grâce à la reconnaissance faciale

CBC Windsor Morning Radio Show

La Cour suprême vient compliquer les cyberenquêtes

Une fugitive capturée à Berlin grâce à la reconnaissance faciale

Aide-mémoire en matière de protection de la vie privée et de sécurité des renseignements personnels

Lucky 7 data privacy and security cheat sheet