IT Security & Compliance · Vancouver, BC
IT security is the assessment, governance, and compliance side of cyber risk. Hexafusion delivers risk assessments, security audits, written policy, and readiness work for PIPEDA, BC PIPA, PCI DSS, and SOC 2 across Vancouver. Led by a former PCI DSS Internal Security Assessor, the work produces evidence your auditor, your cyber insurer, and your enterprise customers will actually accept. Our office at 250 to 997 Seymour Street puts an ISA-led assessor a short walk from Downtown, Gastown, Yaletown, and Coal Harbour.
Initial Assessment
Documented written report within 10 to 15 business days.
Frameworks Used
NIST CSF 2.0, CIS Critical Security Controls, CCCS Baseline.
Compliance Scope
PIPEDA, BC PIPA, PCI DSS, SOC 2 Type I & II readiness.
Coverage Areas
Downtown, Gastown, Yaletown, Coal Harbour, West End, Mount Pleasant, Kitsilano, Commercial Drive, South Van, Marpole
IT security is the work that produces evidence: written reports, signed policies, completed questionnaires, and tested procedures. It is the part of the security program that auditors, regulators, and your enterprise customers actually want to see, and it sits underneath every operational control on the cybersecurity side.
A written report of your current posture against the CIS Critical Security Controls and the Canadian Centre for Cyber Security baseline. Risk register, scored gaps, prioritised remediation, and a phased plan tied to budget your CFO will accept.
Targeted audits against a specific framework: PCI DSS, SOC 2, ISO 27001 readiness, or a customer-driven questionnaire. We test the controls that exist, document the ones that do not, and rank fixes by effort and effect.
Acceptable Use, Access Control, Incident Response, Data Classification, Vendor Management, Business Continuity. We draft the policies, leadership signs them, and they live in a version-controlled repository, not a shared drive folder no one can find.
Mapping your data flows, documenting consent and retention, building the breach-notification procedure, and producing the safeguards documentation the Office of the Privacy Commissioner of Canada and the BC OIPC look for in recent breach decisions.
Cardholder-data-environment scoping, network segmentation review, vulnerability scanning, and evidence collection led by a former PCI DSS Internal Security Assessor. We work alongside your QSA, not in place of them, and we keep the audit scope as small as defensible.
Trust Service Criteria mapping, control design, evidence collection, and auditor liaison for Yaletown and Mount Pleasant SaaS vendors. SOC 2 Type I prep typically takes 3 to 6 months; Type II adds 6 to 12 months of operating-effectiveness evidence on top.
Vancouver hosts industries with very different regulatory pressure. A clinic near St. Paul's has BC PIPA obligations from day one. A Yaletown SaaS vendor will see SOC 2 questionnaires from its first enterprise prospect. A Coal Harbour mining HQ has TSX disclosure obligations. We tune the assessment to your reality.
Yaletown, Mount Pleasant, and Gastown SaaS vendors, gaming studios, and ecommerce platforms need SOC 2 Type II to close enterprise deals. We do the controls work and evidence collection alongside your audit firm.
Production offices and post-production houses face MPA-aligned content-security questionnaires from studios. We document content security, access control, and the audit trail for in-progress assets.
Coal Harbour mining headquarters, asset managers, and family offices face TSX disclosure pressure, audit committee oversight, and material-information leak risk. The assessment is framed for board reporting.
Clinics near Vancouver General Hospital, St. Paul's, and BC Children's carry BC PIPA obligations for personal health information. We document role-based access, audit logging, and the breach-notification path.
Robson Street retail, Gastown hospitality groups, and tourism operators handling card data fall under PCI DSS. Scoping the cardholder-data environment is the first lever to reduce audit cost.
Accounting, legal, and consulting firms across Downtown carry PIPEDA obligations and client confidentiality expectations. Training providers near UBC Robson Square and BCIT Downtown handle FIPPA-adjacent data.
Every Vancouver business we onboard receives a documented security baseline aligned to the Canadian Centre for Cyber Security baseline controls and the requirements your cyber insurance carrier is asking about on renewal questionnaires. This is the same baseline we apply to our own infrastructure, not a stripped-down small-business version.
Hexafusion operates as a Dell authorized reseller and full-service IT supplier for Vancouver businesses, with access to authorized Canadian distribution channels for Lenovo, Apple, Microsoft Surface, and networking gear from Cisco Meraki, Fortinet, SonicWall, Ubiquiti, Aruba, and Juniper. Secure procurement is part of the security program, not a sales transaction. Every laptop arrives at the user pre-imaged with the security baseline above, enrolled in Microsoft Autopilot, and ready to power on.
At end-of-life we handle decommissioning to a standard your auditor will accept. Drive sanitisation follows NIST Special Publication 800-88 guidelines (cryptographic erasure for SSDs, multi-pass wipe for spinning drives), every retired device generates a serial-numbered certificate of destruction for your PIPEDA breach-notification record-keeping, and devices beyond economic refurbishment are recycled through programs accredited by the Electronic Products Recycling Association (EPRA Canada).
Hexafusion is led by founder Alex Barari, a former PCI DSS Internal Security Assessor (ISA) with 15+ years in enterprise IT and cybersecurity. Risk assessments and compliance engagements are led by someone who has sat on both sides of an audit. We do not subcontract policy work to a template generator. Every Vancouver client gets an assessment written for their environment, signed off by leadership who can answer follow-up questions from auditors, regulators, and underwriters.
Our quarterly business review (QBR) is a real strategic report, not a generic newsletter: engagement health score, financial recap, onboarding progress, renewal calendar, and an AI-summarised executive paragraph delivered as a PDF to every client at the end of every calendar quarter. See the QBR page for a worked example.
We also serve: See all service areas →
Tell us about your environment, your regulatory exposure, and what is driving the timing. We respond within one business day with a scoped quote and timeline.
Assessment delivery times are targets and depend on the speed of data collection from your team and any third-party vendors. Policy templates are starting points; final adoption requires leadership review and sign-off. Statement-of-controls timing aligns with your cyber-insurance renewal date. Tabletop exercises are documented and stored in your governance repository for auditor and regulator review.
Sibling Vancouver pages and deep-dive cluster pages on assessment, governance, and compliance topics referenced above.
