Build a Security Compliance Program Aligned to NPSNet Policy With ITSG-33

Bridge the gap between policy and practice while accelerating NCACR readiness.

  • Agencies must comply with the NPSNet Secured Communication Policy but lack clear, actionable guidance to operationalize its expectations across diverse environments.
  • Fragmented systems, limited internal capacity, and unclear accountability hinder coordination across departments, vendors, and jurisdictions.
  • Teams face mounting pressure to modernize infrastructure and meet NCACR requirements without compromising security, timelines, or compliance integrity.

Our Advice

Critical Insight

  • Agencies that use ITSG-33 as a structured compliance foundation gain clarity, consistency, and auditability across their environments. With a strong NPSNet Policy compliance posture in place, they are better positioned to prepare and submit NCACR requests efficiently and confidently.
  • A standardized control framework is essential for eliminating interpretation gaps. It allows agencies to validate security controls and apply them across multiple NPSNet Policy obligations, simplifying compliance and reducing duplication.
  • Compliance risk under NPSNet Policy stems from delayed implementation, poor governance, and weak documentation. Security risk rises when policies are misapplied, and NCACR submissions are unclear or incomplete. Our approach helps agencies mitigate both by embedding secure, compliant practices across the environment.

Impact and Result

  • Agencies strengthen audit readiness for compliance management and streamline NCACR approval timelines through structured assessments, prioritized gap closure, and continuous compliance tracking.
  • Cross-functional collaboration improves through clearly defined roles, shared guidance, and centralized tools that promote accountability and transparency across departments and partners.
  • The compliance program empowers IT, operations, and leadership teams to proactively manage NCACR requirements, reduce delays, and sustain long-term alignment with NPSNet Policy compliance expectations.

Build a Security Compliance Program Aligned to NPSNet Policy With ITSG-33 Research & Tools

1. Build a Security Compliance Program Aligned to NPSNet Policy With ITSG-33 Deck – Empowers public sector agencies to align with NPSNet policy, streamline NCACR submissions, and operationalize security using ITSG-33

This storyboard helps public sector agencies bridge the gap between NPSNet policy expectations and operational implementation. By using ITSG-33 as a reference, the storyboard offers a compliance foundation, templates, and tools to help agencies demonstrate NCACR readiness while improving security program maturity.

2. Security Compliance Management and NCACR Readiness Tool – Helps agencies structure, track, and manage a security compliance program aligned to NPSNet Policy and prepare for NCACR readiness using ITSG-33.

This tool maps to Annex 3A of the Information Technology Security Guidance (ITSG-33) and serves as an example of how agencies can structure and document a compliance program while preparing for NCACR Readiness for the NPSNet Secured Communication Policy (which is not publicly available). It is intended to support alignment with NCACR readiness requirements and offers a structured approach for agencies to plan, assess, and document compliance against NPSNet compliance expectations. The tool provides a consistent, structured approach to meeting compliance and NCACR requirements while improving transparency, ownership, and preparedness across complex environments.

3. Security Compliance Process Template – A template that you can use to establish and document your security compliance management program.

Use this template to define:

  • Roles and responsibilities.
  • Compliance conformance levels.
  • Audit test scripts and evidence repositories.
  • Self-attestation forms.

Analyst perspective

From uncertainty to clarity: Strengthening security compliance and NCACR acceleration

As Canadian law enforcement and justice agencies continue to digitize their operations, the pressure to comply with the NPSNet Secured Communication Policy, which is Canada's CJIS equivalent, is increasing. However, the classified nature of the policy, along with fragmented systems, siloed governance, and inconsistent guidance, has left agencies without a clear path to demonstrate compliance or prepare for NPSNet Connection Authorization Change/Request (NCACR) approvals.

Instead of waiting for top-down clarity, agencies require a reliable, publicly available, and actionable framework to build their security programs today. ITSG-33 provides that foundation.

By using ITSG-33 as a reference example, we aim to empower agencies to overcome ambiguity and establish a compliance program that is transparent, repeatable, and aligned with federal-level expectations. Our goal is to provide a shared structure that simplifies the interpretation of the NPSNet Policy requirements, improves risk management, and strengthens NCACR readiness.

This approach helps agencies move from being reactive to proactive. With access to auditable controls, clear governance structures, and practical tools, they can align with policy, accelerate modernization efforts, reduce delays in the NCACR process, and build cross-jurisdictional trust.

Vidhi Trivedi
Research Analyst, Government Industry
Info-Tech Research Group

Executive summary

Your Challenge

  • Agencies are expected to comply with the NPSNet Secured Communication Policy (NPSNet Policy) but often lack accessible, structured guidance or tools to operationalize the expectations.
  • Many agencies face overwhelming compliance backlogs, driven by inconsistent interpretation of requirements, limited internal capacity, and insufficient cross-agency coordination.
  • While modernization efforts are underway, agencies are under pressure to meet evolving digital infrastructure and cloud adoption demands without compromising compliance or delaying NCACR approval timelines.

Common Obstacles

  • Without centralized guidance or accessible frameworks, internal teams are left to navigate NPSNet Policy expectations on their own, often leading to delays or non-compliant environments.
  • NCACR requests are frequently backlogged because agencies lack internal capacity, structured processes, and technical clarity to complete and submit them on time.
  • Compliance coordination breaks down across departments, municipalities, and vendors, especially when working with hybrid or federated environments that demand shared accountability.

Info-Tech's Approach

  • Use the ITSG-33-based compliance management and NCACR readiness tool to evaluate your current state, identify control gaps, and align your compliance environment with NPSNet Policy expectations using an auditable framework.
  • Follow the built-in templates, mapped controls, and workflows to apply compliance standards consistently across your agency, ensuring readiness for audits and NCACR approvals.
  • Coordinate across departments, vendors, and municipalities using shared guidance and structured responsibilities to reduce ambiguity, improve accountability, and submit complete, defensible NCACR requests with confidence.

Info-Tech Insight

Agencies that use ITSG-33 as a structured compliance foundation gain clarity, consistency, and auditability across their compliance environments. With a strong NPSNet Policy compliance posture in place, they are better positioned to prepare and submit NCACR requests efficiently and confidently.

Your challenge

Structural gaps in implementation, capacity, and coordination hinder NPSNet Policy compliance.

  • You are expected to comply but not equipped with a roadmap. The NPSNet Policy outlines what must be achieved, but it does not explain how to get there. Without an operational framework, each agency is left to interpret and apply controls such as VPNs, encryption, and identity federation in its own way. This creates inconsistency, weakens audit confidence, and makes it difficult to prove compliance across jurisdictions.
  • Your teams are stretched, and compliance is not their only job. Many agencies do not have the capacity to appoint dedicated compliance roles or structured processes to track progress. Responsibility often falls on busy IT staff who are focused on daily operations. Without the right people or support systems, activities such as NCACR preparation, documentation, and internal reviews are delayed or missed altogether.
  • You are not doing this alone, but it can feel like you are. NPSNet Policy compliance is a shared responsibility across police agencies, municipalities, justice departments, and vendors. Yet many of these partners are excluded from early planning. When they are not involved, gaps emerge in shared infrastructure and critical projects stall, even if your core systems are ready.

Common obstacles

Execution challenges reduce audit readiness and delay NCACR progress.

  • You are left guessing how to configure key controls. Without clear guidance, each team sets up controls differently. This lack of standardization can lead to technical vulnerabilities and makes it harder to align configurations with NPSNet Policy and NCACR expectations.
  • You cannot track what you cannot measure. Most agencies do not have the right tools to monitor compliance status in real time. This means teams scramble to pull documentation when reviews are triggered instead of having a clear view of what is complete and what is still pending.
  • You spend too much time finding answers that should already be clear. Especially in hybrid environments, agencies are left to interpret generalized compliance requirements with little operational guidance, which slows NPSNet Policy implementation and introduces NCACR inconsistency.

Info-Tech's approach

Move from reactive security compliance to structured readiness.

  • Start with a clear example of what "compliant" looks like. We provide a security compliance foundation example based on Annex 3A of the Information Technology Security Guidance (ITSG-33), published by the Communications Security Establishment (CSE) of the Government of Canada. This helps your agency align with NPSNet Policy expectations using a publicly available and trusted security framework. It removes guesswork and promotes consistent implementation across environments.
  • Track your readiness with guided tools and structured workflows. Our Compliance Management and NCACR Readiness Tool allows you to assess your current state, identify control gaps, and manage implementation across hybrid, cloud, and legacy systems. You gain a centralized and transparent view of your compliance posture with real-time updates.
  • Turn daily tasks into audit-ready actions. Key controls such as MFA, encryption, and identity federation are embedded directly into operational workflows. This shifts your team's efforts from reactive remediation to continuous and measurable compliance.

From disconnected compliance to structured readiness

Is this research right for you?

Consider whether you should use a governance, risk, and compliance (GRC) tool or an Excel tool.

  • This research offers Excel-based tools to help organizations manage their security compliance obligations.
  • Excel spreadsheets are an excellent way of managing compliance data, up to a point.
  • Organizations that have more complex structures and greater numbers of compliance requirements should consider the use of a special GRC tool.
  • In these cases, this research product may still help you establish your security compliance program even if you opt to use a GRC tool rather than the Excel tools provided.

Operational Environments

Organizations with more than five separate operational environments should consider a GRC tool.

Compliance Obligations

Organizations with more than ten security and privacy/data protection compliance obligations should consider a GRC tool.

Blueprint deliverables

Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

Security Compliance Management and NCACR Readiness Tool
A structured template that helps organizations establish, implement, and track security compliance to meet policy and business needs.
Security Compliance Process Template

Information Security Gap Analysis Tool
A template that helps organizations assess control maturity and identify compliance gaps.

Identify the Best Framework for Your Security Policies
A tool that guides framework selection and provides ISO 27002-based policy templates.

Key deliverable

Security compliance management and NCACR readiness tool

Security Compliance Process Template

The Security Compliance Management and NCACR Readiness Tool is a compact governance, risk, and compliance (GRC) system and a NCACR readiness tracking tool in a convenient spreadsheet.

Info-Tech's methodology to build a compliance program

1. Establish program

Phase Steps
  • 1.1 Review framework
  • 1.2 Assign roles
  • 1.3 Identify environments

Phase Outcomes
  • Approved internal NPS control framework
  • Completed roles and RACI matrix
  • Environments list and definitions

2. Identify obligations

Phase Steps
  • 2.1 Identify compliance obligations
  • 2.2 Document conformance levels
  • 2.3 Map requirements

Phase Outcomes
  • List of relevant compliance obligations
  • Completed conformance level approval forms
  • (Optional) Mapped compliance obligation

3. Implement compliance strategy

Phase Steps
  • 3.1 Update policies
  • 3.2 Develop a strategy and roadmap

Phase Outcomes
  • Updated suite of policies
  • Updated security strategy and roadmap

4. Finalize NCACR Readiness

Phase Steps
  • 4.1 Confirm organizational readiness
  • 4.2 Assess control gaps and maturity
  • 4.3 Plan strategic initiatives
  • 4.4 Track and execute remediation tasks

Phase Outcomes
  • Organizational readiness confirmed and control maturity assessed
  • Gap closure actions defined and prioritized
  • Strategic initiatives and remediation tasks assigned with owners and timelines
  • NCACR progress tracked and documented across all activities

What Is a Blueprint?

A blueprint is designed to be a roadmap, containing a methodology and the tools and templates you need to solve your IT problems.

Each blueprint can be accompanied by a Guided Implementation that provides you access to our world-class analysts to help you get through the project.

Need Extra Help?

Get the help you need in this 4-phase advisory process. You'll receive 7 touchpoints with our researchers, all included in your membership.

Guided Implementation 1: Establish program
  • Call 1: Scope requirements, objectives, and your specific challenges.

Guided Implementation 2: Identify obligations
  • Call 1: Establish framework and roles.
  • Call 2: Identify operational environments.

Guided Implementation 3: Implement compliance strategy
  • Call 1: Identify compliance obligations and conformance levels.
  • Call 2: Map obligations into control framework.

Guided Implementation 4: Finalize NCACR readiness
  • Call 1: Review policies and compliance strategy.
  • Call 2: Conduct a gap analysis for NCACR readiness.

Author

Vidhi Trivedi

Contributors

  • Doug Ross, Chief Superintendent, Canadian Police Information Centre
  • Marco Novielli, Systems and Information Security Supervisor, Peel Regional Police
  • Aaron Sheard, Section Manager, Information Technology, Medicine Hat Police Services
  • Jennifer Mulligan, Acting Manager, NPSNet Connection Authorization Change/Request, Royal Canadian Mounted Police (RCMP)
  • Kimberly Huntley, Technical Advisor, Royal Canadian Mounted Police (RCMP)
  • Kirolos Mattar, Technical Advisor, Royal Canadian Mounted Police (RCMP)
  • Cole Cioran, Managing Partner, Global Services, Info-Tech Research Group
  • Hendra Hendrawan, Technical Counselor, Info-Tech Research Group
  • Nitin Varshney, Technical Counselor, Info-Tech Research Group