CPCSC Level 1 Control
03.14.02 System and information integrity

CPCSC 03.14.02: Malicious code protection

Deploy, update, scan, monitor, and respond to malicious-code protections across endpoints, servers, email, and other relevant entry points. This guide separates the formal control language from practical implementation, evidence, auditor questions, and related controls.

Formal Control Language

Official CPCSC Level 1 wording for 03.14.02. Use the Government of Canada page as the source of truth for certification or procurement submissions.

  • The frequency to conduct periodic scans of the system is defined.
  • Malicious code protection mechanisms are implemented at system entry and exit points to detect and eradicate malicious code.
  • Malicious code protection mechanisms are updated as new releases are available in accordance with configuration management policy and procedures.
  • Malicious code protection mechanisms are configured to perform periodic scans of the system at the defined frequency.
  • Malicious code protection mechanisms are configured to perform real-time scans of files from external sources at endpoints, and/or network entry and exit points, as the files are downloaded, opened, or executed.
  • Malicious code protection mechanisms are configured to block or quarantine malicious code, and/or send an alert to administrator, and/or take organization-defined mitigation action in response to malicious code detection.

Contains information sourced from Government of Canada material used under the Open Government Licence - Canada.

What This Means In Plain English

Antivirus or endpoint detection has to be installed, current, scanning, and producing alerts that someone reviews.

The control is not only about installing software. It is about proving coverage, updates, scan behavior, alert handling, and response when malware is found.

For CPCSC Level 1, the useful test is not whether a policy mentions the control. The useful test is whether an owner can show the system setting, record, ticket, review output, or operating routine that proves the answer is true today and can be repeated when the next contract, customer, or assessment request arrives.

How To Implement It

1. Deploy endpoint protection to company laptops, servers, and other in-scope endpoints. Confirm coverage from a central dashboard.

2. Configure real-time scanning, scheduled scans, automatic updates, quarantine or block actions, and alerting to an accountable owner.

3. Include email security, web filtering, cloud storage scanning, and server workload protection where those are relevant entry points.

4. Review alerts on a defined cadence and document investigations, false positives, and remediation actions.

5. Integrate malicious-code events with incident response so detections are triaged, escalated, and closed.
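As an added example (not part of the original page or the CPCSC material), the following PowerShell script turns the settings from steps 2 and 4 into a repeatable evidence record: it reads the live Microsoft Defender Antivirus state, marks each requirement from the control text as pass or fail, and writes a timestamped file an owner can attach to an assessment. Defender itself, the output file name, and the two thresholds are assumptions standing in for the organization's own defined scan frequency and update policy.

```powershell
# Added example for CPCSC 03.14.02 evidence collection; not part of the original page.
# Assumes Windows endpoints running Microsoft Defender Antivirus. The two thresholds are
# assumptions standing in for the organization's defined scan frequency and update policy.
param(
    [int]$MaxScanAgeDays      = 7,   # assumed defined frequency: a completed scan at least weekly
    [int]$MaxSignatureAgeDays = 1,   # assumed update policy: definitions no older than one day
    [string]$OutFile = "$env:COMPUTERNAME-cpcsc-03.14.02-evidence.json"
)
$status = Get-MpComputerStatus
$prefs  = Get-MpPreference

# Defender default-action codes; 0 means not configured, i.e. the action recommended by the signature.
$actionName  = @{ 0='Default'; 1='Clean'; 2='Quarantine'; 3='Remove'; 6='Allow'; 8='UserDefined'; 9='NoAction'; 10='Block' }
$blockingSet = 0, 2, 3, 10     # actions that satisfy "block or quarantine malicious code"
$scanAge     = [Math]::Min($status.QuickScanAge, $status.FullScanAge)   # days since the last completed scan

# One row per requirement in the control text: the observed setting and whether it meets the threshold.
$checks = @(
    [pscustomobject]@{ Requirement = 'Real-time scan of downloaded, opened or executed files'
                       Observed    = "RealTimeProtection=$($status.RealTimeProtectionEnabled) IOAV=$($status.IoavProtectionEnabled)"
                       Pass        = [bool]($status.RealTimeProtectionEnabled -and $status.IoavProtectionEnabled) }
    [pscustomobject]@{ Requirement = "Periodic scan completed within $MaxScanAgeDays days"
                       Observed    = "LastScanAgeDays=$scanAge ScanScheduleDay=$($prefs.ScanScheduleDay) (0=daily, 8=never)"
                       Pass        = ($scanAge -le $MaxScanAgeDays) -and ($prefs.ScanScheduleDay -ne 8) }
    [pscustomobject]@{ Requirement = "Definitions updated within $MaxSignatureAgeDays day(s)"
                       Observed    = "SignatureAgeDays=$($status.AntivirusSignatureAge) LastUpdated=$($status.AntivirusSignatureLastUpdated)"
                       Pass        = $status.AntivirusSignatureAge -le $MaxSignatureAgeDays }
    [pscustomobject]@{ Requirement = 'Block or quarantine on detection (severe and high threats)'
                       Observed    = "Severe=$($actionName[[int]$prefs.ThreatDefaultAction_Severe]) High=$($actionName[[int]$prefs.ThreatDefaultAction_High])"
                       Pass        = ([int]$prefs.ThreatDefaultAction_Severe -in $blockingSet) -and ([int]$prefs.ThreatDefaultAction_High -in $blockingSet) }
)

# Recent detections answer the auditor question "can you show a recent detection or alert review?"
$recent = @(Get-MpThreatDetection -ErrorAction SilentlyContinue |
            Where-Object { $_.InitialDetectionTime -gt (Get-Date).AddDays(-30) })

# Write a timestamped, host-labelled record that can be attached to an assessment or ticket.
[ordered]@{
    Host                 = $env:COMPUTERNAME
    CollectedAt          = (Get-Date).ToString('o')
    Control              = 'CPCSC 03.14.02'
    Checks               = $checks
    DetectionsLast30Days = @($recent | Select-Object InitialDetectionTime, ProcessName, ActionSuccess, Resources)
} | ConvertTo-Json -Depth 4 | Set-Content -Path $OutFile -Encoding UTF8

$checks | Format-Table Requirement, Pass, Observed -AutoSize
if ($checks.Pass -contains $false) { exit 1 }   # non-zero exit lets a scheduler or RMM flag the gap
```

Running it on a schedule and keeping the JSON files gives the repeatable, dated proof the plain-English section asks for, and the non-zero exit code lets a deployment tool raise a ticket for any endpoint that drifts out of policy.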

Evidence Normally Gathered

Endpoint protection coverage report.

Scan frequency and real-time protection settings.

Update status report.

Recent alert review or investigation tickets.

Quarantine or block action records.

Email security or web filtering configuration.

Incident response notes for malware events.

Common Auditor Questions

Which systems are covered by malicious-code protection?

How often do scans run, and is real-time scanning enabled?

How do signatures, engines, or detection rules stay current?

Who reviews alerts and what happens when malware is detected?

Can you show a recent detection, false positive, or alert review?