Sunday 29 October 2017

Canada Immigration (Quebec 2018)

The Canadian province of Quebec has released its Immigration Plan for 2018, with strategies in place to continue welcoming a wide range of skilled workers, businesspeople, family members of Quebec residents, and refugees.
This plan is scheduled to be implemented during a period of transition for Quebec, during which the province intends to formulate a new immigration system based on what it calls a ‘declaration of interest’ model, much like the federal government’s Express Entry system, in which Quebec does not participate. It is not yet known when this system might be rolled out, or exactly how it may function.
Two important sets of figures are revealed in the plan: the target number of people to be selected by Quebec and issued a Quebec Selection Certificate (CSQ, or Certificat de sélection du Québec), and the target number of people to be admitted to Quebec as new permanent residents.
The CSQ is a document issued by Quebec declaring that the holder has been selected to settle in Quebec based on criteria set by the province. With a CSQ, the applicant can submit an application for Canadian permanent residence to the federal immigration authorities, which will review the application on medical and criminal admissibility grounds.
Quebec plans to issue up to 29,000 certificates under its skilled worker programs next year; this includes certificates issued under what the province calls the Regular Skilled Worker Program, as well as certificates issued under the Quebec Experience Program (PEQ, or Programme de l’expérience Québécoise).
The Regular Skilled Worker Program is a points-based program, designed to welcome newcomers who satisfy a points threshold based on human capital factors, including: area of training, work experience, age, language proficiency in French and/or English, prior relationship with Quebec (through visits or family), and the human capital factors of the applicant’s spouse or common-law partner (if applicable). Potential applicants should note that although French proficiency is among the factors, it is not an eligibility requirement for the program. Individuals who have little or no knowledge of French, but who have strong credentials in other areas, may be eligible to apply. However, one of the stated goals contained in Quebec’s Immigration Plan for 2018 is for at least 85 percent of adult skilled worker newcomers to know French upon admission to the province.
Potential applicants must accrue enough points for these factors before then satisfying a second points threshold, where points may be awarded for any accompanying dependent children and proof of financial self-sufficiency.
Earlier this year, Quebec announced in the Gazette Officielle du Québec, which lists all the legislative and regulatory decisions taken by the government of Quebec, that the Regular Skilled Worker Program would receive up to 5,000 new applications during an intake period scheduled to occur before March 31, 2018. The exact dates for the upcoming intake period are yet to be announced. Moreover, some temporary residents in Quebec, as well as some individuals with a validated job offer, may be eligible to apply for a CSQ at any time.
The PEQ is a separate program, designed to help foreign workers and international students in the province settle permanently. PEQ applicants are required to prove advanced-intermediate French ability. Certificates issued to PEQ applicants are fast-tracked, with applicants often receiving a decision on their CSQ application within weeks of applying.
Quebec also offers a wide range of business immigration programs for investors, entrepreneurs, and self-employed individuals. The province expects to issue between 4,000 and 6,000 certificates to business applicants in 2018. The Quebec Immigrant Investor Program (QIIP) is particularly popular, as it offers a passive investment opportunity, guaranteed by a Quebec government entity.

Cyber Security (Risk Management)




Risk


The core duty of cybersecurity is to identify, mitigate and manage cyberrisk to an organization's digital assets. While most people have an inherent understanding of risk in their day-to-day lives, it is important to understand risk in the context of cybersecurity, which means knowing how to determine, measure and reduce risk effectively.

Assessing risk is one of the most critical functions of a cybersecurity organization. Effective policies, security implementations, resource allocation and incident response preparedness are all dependent on understanding the risk and threats an organization faces. Using a risk-based approach to cybersecurity allows more informed decision-making to protect the organization and to apply limited budgets and resources effectively. If controls are not implemented based on awareness of actual risk, then valuable organizational assets will not be adequately protected while other assets will be wastefully overprotected.

Yet, too often, cybersecurity controls are implemented with little or no assessment of risk. ISACA's recent worldwide survey of IT management, auditors and security managers consistently shows that over 80 percent of companies believe “information security risks are either not known or are only partially assessed” and that “IT risk illiteracy and lack of awareness are major challenges in managing risk.” Therefore, understanding risk and risk assessments are critical requirements for any security practitioner.

Approaches to Cyber Security


Generally, there are three different approaches to implementing cybersecurity. Each approach is described briefly below.

Compliance-based—Also known as standards-based security, this approach relies on regulations or standards to determine security implementations. Controls are implemented regardless of their applicability or necessity, which often leads to a “checklist” attitude toward security.

Risk-based—Risk-based security relies on identifying the unique risk a particular organization faces and designing and implementing security controls to address that risk above and beyond the entity's risk tolerance and business needs.

Ad hoc—An ad hoc approach simply implements security with no particular rationale or criteria. Ad hoc implementations may be driven by vendor marketing, or they may reflect insufficient subject matter expertise, knowledge or training when designing and implementing safeguards.

In reality, most organizations with mature security programs use a combination of risk-based and compliance-based approaches. In fact, most standards or regulations, such as the Payment Card Industry Data Security Standard (PCI DSS) or the US Health Insurance Portability and Accountability Act (HIPAA), require risk assessments to drive the particular implementation of the required controls.

Key Terms and Definitions

There are many potential definitions of risk—some general and others more technical. Additionally, it is important to distinguish between a risk and a threat. Although many people use the words threat and risk synonymously, they have two very different meanings. As with any key concept, there is some variation in definition from one organization to another. For the purposes of this guide, we will define terms as follows:


Risk—The combination of the probability of an event and its consequence (International Organization for Standardization/International Electrotechnical Commission [ISO/IEC] 73). Risk is mitigated through the use of controls or safeguards.

Threat—Anything (e.g., object, substance, human) that is capable of acting against an asset in a manner that can result in harm. ISO/IEC 13335 defines a threat broadly as a potential cause of an unwanted incident. Some organizations make a further distinction between a threat source and a threat event, classifying a threat source as the actual process or agent attempting to cause harm, and a threat event as the result or outcome of a threat agent's malicious activity.

Asset—Something of either tangible or intangible value that is worth protecting, including people, information, infrastructure, finances and reputation.

Vulnerability—A weakness in the design, implementation, operation or internal control of a process that could expose the system to adverse threats from threat events.

Although much of cybersecurity is focused on the design, implementation and management of controls to mitigate risk, it is critical for security practitioners to understand that risk can never be completely eliminated. Beyond the general definition of risk provided above, there are other, more specific types of risk that apply to cybersecurity.

Residual risk—Even after safeguards are in place, there will always be residual risk, defined as the remaining risk after management has implemented a risk response.

Inherent risk—The risk level or exposure without taking into account the actions that management has taken or might take (e.g., implementing controls).

Likelihood and Impact


When assessing a threat, cybersecurity professionals often analyze the threat's likelihood and impact in order to rank and prioritize it among other existing threats.

In some cases where clear, statistically sound data are available, likelihood can be a matter of mathematical probability. This is true with situations such as weather events or natural disasters. However, sometimes accurate data are simply not available, as is often the case when analyzing human threat agents in cybersecurity environments. There will also be factors that create situations where the likelihood of certain threats is more or less prevalent for a given organization. For example, a connection to the Internet will predispose a system to port scanning. Typically, qualitative rankings such as “High, Medium, Low” or “Certain, Very Likely, Unlikely, Impossible” can be used to rank and prioritize threats stemming from human activity. When using qualitative rankings, however, the most important step is to rigorously define the meaning of each category and use the definitions consistently throughout the assessment process.

For each identified threat, the impact or magnitude of harm expected to result should also be determined. The impact of a threat can take many forms, but it often has an operational consequence of some sort, whether financial, reputational or legal. Impacts can be described either qualitatively or quantitatively, but as with likelihoods, qualitative rankings are most often used in cybersecurity risk assessment. Likewise, each ranking should be well-defined and consistently used. In cybersecurity, impacts are also evaluated in terms of confidentiality, integrity and availability.
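The following is an added worked example, not from the ISACA text, that ties together the definitions above: inherent risk (before controls), residual risk (after controls), and qualitative likelihood/impact rankings whose categories are defined once and enforced consistently. The category names, the ordinal scale behind them, the threshold for “High/Medium/Low” and the three-entry sample register are all constructed for illustration and are not drawn from the source; a real assessment would define its own scales and document them.

```python
"""Qualitative risk ranking with inherent and residual risk (constructed example)."""
from dataclasses import dataclass, field

# Rigorously defined categories. The ordinal values exist only so that
# categories can be compared and combined consistently; they are not
# mathematical probabilities (see the text on human threat agents).
LIKELIHOOD = {"Unlikely": 1, "Possible": 2, "Likely": 3, "Very Likely": 4}
IMPACT = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Score thresholds for the overall rating (assumed for this example).
RATING_THRESHOLDS = [(8, "High"), (4, "Medium"), (0, "Low")]
RATING_ORDER = ["Low", "Medium", "High"]


def risk_score(likelihood: str, impact: str) -> int:
    """Combine a likelihood and an impact category into an ordinal score.

    Categories outside the defined scale are rejected rather than guessed,
    which is what keeps rankings consistent across an assessment.
    """
    if likelihood not in LIKELIHOOD:
        raise ValueError(f"undefined likelihood category: {likelihood!r}")
    if impact not in IMPACT:
        raise ValueError(f"undefined impact category: {impact!r}")
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def rating(score: int) -> str:
    """Map a score to the qualitative label defined in RATING_THRESHOLDS."""
    for threshold, label in RATING_THRESHOLDS:
        if score >= threshold:
            return label
    return "Low"


@dataclass
class Control:
    """A safeguard, described by how many scale steps it removes from
    likelihood and/or impact (assumed model for the example)."""
    name: str
    likelihood_steps: int = 0
    impact_steps: int = 0


@dataclass
class Threat:
    name: str
    asset: str
    likelihood: str            # inherent likelihood category
    impact: str                # inherent impact category
    controls: list = field(default_factory=list)


def _step_down(scale: dict, category: str, steps: int) -> str:
    """Lower a category by `steps` positions, never below the lowest level."""
    ordered = sorted(scale, key=scale.get)
    idx = max(0, ordered.index(category) - steps)
    return ordered[idx]


def inherent_risk(t: Threat) -> int:
    """Risk with no controls taken into account."""
    return risk_score(t.likelihood, t.impact)


def residual_risk(t: Threat) -> int:
    """Risk remaining after the threat's controls are applied."""
    l_steps = sum(c.likelihood_steps for c in t.controls)
    i_steps = sum(c.impact_steps for c in t.controls)
    return risk_score(_step_down(LIKELIHOOD, t.likelihood, l_steps),
                      _step_down(IMPACT, t.impact, i_steps))


def rank_register(threats: list, tolerance: str = "Medium") -> list:
    """Rank threats by residual risk and flag those above the risk tolerance."""
    rows = []
    for t in threats:
        inh, res = inherent_risk(t), residual_risk(t)
        label = rating(res)
        rows.append({
            "threat": t.name, "asset": t.asset,
            "inherent": inh, "residual": res, "rating": label,
            "exceeds_tolerance": RATING_ORDER.index(label) > RATING_ORDER.index(tolerance),
        })
    # Highest residual first; ties broken by inherent risk, then by name.
    rows.sort(key=lambda r: (-r["residual"], -r["inherent"], r["threat"]))
    return rows


# Constructed sample register (not real organizational data).
SAMPLE_REGISTER = [
    Threat("Port scanning from the Internet", "Public web server", "Very Likely", "Low",
           [Control("Perimeter firewall", likelihood_steps=1)]),
    Threat("Phishing leading to credential theft", "Staff accounts", "Likely", "High",
           [Control("Multi-factor authentication", impact_steps=1),
            Control("Awareness training", likelihood_steps=1)]),
    Threat("Ransomware on file server", "Shared file server", "Possible", "Critical"),
]

if __name__ == "__main__":
    for row in rank_register(SAMPLE_REGISTER):
        flag = " <-- above tolerance" if row["exceeds_tolerance"] else ""
        print(f"{row['threat']:<40} inherent={row['inherent']:>2} "
              f"residual={row['residual']:>2} {row['rating']}{flag}")
```

Running the block prints the register ranked by residual risk, with the uncontrolled ransomware entry flagged as exceeding a Medium tolerance even though phishing carries the higher inherent risk. The design point is that every category and threshold lives in one place, so two assessors scoring the same threat get the same answer, and an undefined category is an error rather than a silent guess.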

Approaches to Risk


There are a number of methodologies available to measure risk. Different industries and professions have adopted various tactics based upon the following criteria:
Risk tolerance
Size and scope of the environment in question
Amount of data available

It is particularly important to understand an organization's risk tolerance when considering how to measure risk. For example, a general approach to measuring risk is typically sufficient for risk-tolerant organizations such as academic institutions or small businesses. However, more rigorous and in-depth risk assessment is required for entities with a low tolerance for risk. This is especially relevant for any heavily regulated entity, like a financial institution or an airline reservation system, where any downtime would have a significant operational impact.

Third-Party Risk


Cybersecurity can be more difficult to control when third parties are involved, especially when different entities have different security cultures and risk tolerances. No organization exists in a vacuum, and information must be shared with other individuals or organizations, often referred to as third parties. It is important to understand third-party risk, such as information sharing and network access, as it relates to cybersecurity.

SOURCE: ISACA Cyber Security Book