Enable Security Features
Plain English Translation
Organizations must ensure that all devices, including workstations, servers, and network equipment, have their built-in or added security features turned on. This device hardening process includes activating local firewalls, enabling disk encryption, enforcing strong authentication like MFA, and applying a security baseline configuration before the device connects to the business network.
Technical Implementation
Required Actions (startup)
- Enable built-in OS firewalls, such as Windows Defender Firewall or macOS Application Firewall.
- Turn on full disk encryption (BitLocker or FileVault) for all endpoints.
- Require complex passwords and automatic screen locks after a period of inactivity.
Required Actions (scaleup)
- Develop and document a standard secure configuration policy template for all OS types.
- Enforce security features centrally using Group Policy Objects (GPO) or Mobile Device Management (MDM).
- Deploy endpoint protection platforms with real-time scanning enabled.
Required Actions (enterprise)
- Implement automated configuration management to continuously monitor and enforce CIS Benchmarks secure configuration profiles.
- Alert on and automatically remediate configuration drift where security features are disabled by end-users.
- Integrate endpoint posture checks into Network Access Control (NAC) systems.
CyberSecure Canada 5.4.2.1(c) requires organizations to implement secure configurations by enabling all relevant security features on their devices, ensuring systems are proactively hardened against potential threats.
To meet secure configuration requirements, organizations should enable host-based firewalls, full disk encryption, automatic screen locks, anti-malware protections, and multi-factor authentication (MFA) mechanisms on all endpoints.
Organizations should use centralized management tools like Active Directory GPO for Windows, and Mobile Device Management (MDM) solutions for macOS, Linux, and mobile devices to uniformly enforce a security baseline configuration.
Built-in device security features, such as Windows Defender Firewall or macOS FileVault, perfectly satisfy the compliance requirements for device hardening, provided they are actively enabled and configured correctly.
The CIS Benchmarks provide globally recognized, consensus-driven secure configuration profiles. Adopting a CIS Benchmarks secure configuration profile guarantees that an organization's device hardening checklist meets or exceeds regulatory expectations.
Auditors will expect to see configuration management audit evidence for device hardening, which includes documented internal hardening standards, MDM/GPO policy screenshots showing enforced settings, and endpoint compliance reports. Tools like WatchDog Security's Compliance Center can help map required evidence to this control and centralize collection and review so gaps are easier to spot before an audit.
Secure configuration settings should be reviewed at least annually, or whenever a major system change occurs, to ensure that enabled security features remain effective against newly discovered vulnerabilities.
Disabling unnecessary features reduces the attack surface by removing vulnerabilities, whereas enabling security features adds active defensive layers, like firewalls and encryption, to protect the required system functions.
If a specific security feature breaks a critical business application, the exception must be formally documented in the asset or risk register, approved by management, and mitigated with alternative compensating controls. Tools like WatchDog Security's Risk Register can capture the exception, approval, compensating controls, and review dates, and link it back to the affected assets and control coverage.
Tools such as Microsoft Intune, Jamf, Active Directory GPO, and configuration management tools like Ansible or Chef can continuously enforce secure baseline settings and generate automated compliance reports. Tools like WatchDog Security's Posture Management can complement these by detecting where security features have been disabled or drifted from the baseline and by producing audit-friendly posture reports.
Configuration drift happens when settings change over time (updates, user changes, imaging differences), which can silently disable security features. Tools like WatchDog Security's Posture Management can continuously check devices against hardening expectations, flag where features like firewalls or encryption are disabled, and provide remediation guidance and reporting.
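The drift check and the documented-exception handling described above can be combined in one pass over endpoint posture data. The following is an added example, not code from WatchDog Security or any tool named on this page; the setting names, the 900-second screen-lock limit, the hosts and the exception dates are all constructed assumptions.

```python
from datetime import date

# Baseline built from the features this page names; key names are hypothetical
# and the 900-second idle limit is an assumed value.
BASELINE = {"firewall_enabled": True, "disk_encryption_enabled": True,
            "realtime_scanning_enabled": True, "screen_lock_seconds": 900}

# Constructed posture reports, shaped like an MDM or agent export might be.
REPORTS = [
    {"host": "ws-001", "firewall_enabled": True, "disk_encryption_enabled": True,
     "realtime_scanning_enabled": True, "screen_lock_seconds": 600},
    {"host": "ws-002", "firewall_enabled": False, "disk_encryption_enabled": True,
     "realtime_scanning_enabled": True, "screen_lock_seconds": 0},
    {"host": "srv-010", "firewall_enabled": True, "disk_encryption_enabled": True,
     "realtime_scanning_enabled": False},  # screen lock value not reported
    {"host": "srv-011", "firewall_enabled": False, "disk_encryption_enabled": True,
     "realtime_scanning_enabled": True, "screen_lock_seconds": 900},
]

# Constructed risk-register exceptions: (host, setting) -> review date.
EXCEPTIONS = {
    ("srv-010", "realtime_scanning_enabled"): date(2026, 6, 30),
    ("srv-011", "firewall_enabled"): date(2025, 12, 31),
}

def compliant(setting, value):
    """Missing values fail closed; screen lock must be on and within the limit."""
    if value is None:
        return False
    if setting == "screen_lock_seconds":
        return 0 < value <= BASELINE[setting]
    return value == BASELINE[setting]

def find_drift(reports, exceptions, today):
    """Return (host, setting, status) for every setting that misses the baseline."""
    findings = []
    for report in reports:
        for setting in BASELINE:
            if compliant(setting, report.get(setting)):
                continue
            review_by = exceptions.get((report["host"], setting))
            # An exception past its review date no longer covers the gap.
            status = ("drift" if review_by is None else
                      "exception_expired" if review_by < today else "excepted")
            findings.append((report["host"], setting, status))
    return findings

if __name__ == "__main__":
    for finding in find_drift(REPORTS, EXCEPTIONS, date(2026, 3, 1)):
        print(*finding)
```

A setting the endpoint does not report is treated as drift rather than skipped, so an agent that stops reporting cannot hide a disabled feature.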
Standardizing baselines requires documented requirements, controlled changes, and clear ownership so teams apply consistent hardening across OS types. Tools like WatchDog Security's Policy Management can help manage baseline policies and hardening checklists with version control and acceptance tracking, while WatchDog Security's Compliance Center can map the baseline to CyberSecure Canada control requirements and highlight gaps.
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-02-24 | WatchDog Security GRC Team | Initial publication |