CAN/DGSI 100-8:2023

This Standard aims to specify the minimum requirements for Organizations to protect data assets in their custody from jurisdictional risks, while taking advantage of the global technology ecosystem. The Standard is not intended to prescribe how an Organization should implement specific security controls. Instead, the standard will guide Organizations using jurisdictional and technology-agnostic approaches that can be adapted to address specific business requirements. Considerations are given to: ? Identification and categorization of data assets; ? Development of an appropriate threat model; ? Identification of potential risks, including from laws in foreign jurisdictions; and ? Options to mitigate associated risks. This Standard applies to all sectors, including public and private companies, government entities, and not-for-profit Organizations. This Standard assumes that the Organization implementing the following requirements has existing risk management policies and procedures. Note: For those applying the standard, where personally identifiable information (PII) is used in the standard, local jurisdictional, legal and/or regulatory definitions shall apply.