As threats to information security become more sophisticated and continue to expose the Government of Saskatchewan to cybersecurity risks, it is important for all of us to accept that information security is everyone's responsibility. To ensure the privacy and accuracy of the information entrusted to us, we must all comply with the security policies and procedures for managing information in a secure manner.
To increase our awareness of information security concepts and learn more about Government's information security policies, standards and resources, we are all encouraged to review the information available on this site.
You may want to become familiar with the content in the Information Security Glossary. It defines the terms and phrases you will encounter in cybersecurity communications and documentation
Cybersecurity and Risk Management Branch
The Cybersecurity and Risk Management (CSRM) Branch, within the Information Technology Division (ITD) of the Ministry of SaskBuilds and Procurement (SBP), is responsible for managing all things related to information security including, though not necessarily limited to:
- Evaluating new threats and vulnerabilities.
- Providing interpretation and enforcement of information security policy and standards;
- Facilitating information security education and awareness;
- Responding to information security Incidents;
- Performing Threat Risk Assessments (TRAs) for IT-related business initiatives;
- Providing security assessment and overall security requirements oversight for IT-related solution and services procurements;
- Providing information security advice and guidance for business areas; and
Information Security Policies are available on the Information Security Policies Taskroom page.
Additional information security resources are available under the Related Documents section at the bottom of this page.
You may also jump to information pertaining to specific topics here:
If you require additional information or have questions regarding any of the information presented on this site, contact the Cybersecurity and Risk Management Branch via email at SBPITInformationSecurityBranch@gov.sk.ca.
The Cybersecurity and Risk Management (CSRM) Branch maintains and provides interpretation and enforcement of information security policies and standards. The Government of Saskatchewan has established and maintains its policies and standards based on the industry standard ISO/IEC 27001:2022 framework for information security management.
Information security policies are available on the "Information Security Policies" Taskroom page.
In 2026-27, all Government of Saskatchewan employees are required to complete the following mandatory cybersecurity awareness courses:
- Supply Chain Risk Management;
-
Deepfake Awareness;
-
Insider Threat Awareness;
-
Overarching Security Policy; and
-
User Acceptable Use Policy.
The courses must be completed by March 31, 2027.
More information can be found in the Key Messages and Questions and Answers document.
If a security-related event or incident is observed, immediately report it to the IT Service Desk by calling 306-787-5000.
Such events may include, though are not necessarily limited to:
- Accidentally opening a malicious or phishing link or attachment;
- Suspecting that a virus or other malicious code has infected your PC;
- Suspecting that your user credentials have been compromised;
- Observing behavior from your PC that could be considered out of the ordinary;
- Discovering print outs of sensitive information left on a printer or fax machine;
- Observing unauthorized disclosure of government information;
- Observing unauthorized access to government information or facilities;
- Discovering that user credentials have been shared with more than just the authorized user of an account;
- Any circumstance in which your instincts tell you something pertaining to the security of information is wrong!
When in doubt, err on the side of caution and report suspicious activity or circumstances to the IT Service Desk by calling 306-787-5000. You should also inform your designated Ministry Security Officer.
Unfortunately, even with firewalls and other protections in place, spam containing malicious links or attachments can get through. We can all do our part to help prevent malware by not opening suspicious links and attachments in emails.
Phishing, the act of trying to obtain personal or confidential information or money from users, has become more common and those using phishing tactics are becoming increasingly sophisticated. These tactics often include email that appears to be from a legitimate source such as your bank, one of our vendors, a colleague or other familiar sources. Tactics also include a sense of urgency and utilizing current world or local events to entice users to click on links or open attachments.
If you think you may have a suspicious email from a @gov.sk.ca address or other familiar account, try phoning the sender before clicking any links or opening any attachments to verify it was sent by them. If you cannot verify this, report the email as malware by clicking on the Phish Mail button in Outlook.
If you suspect you have clicked on a malicious link or opened a malicious attachment, immediately report it to the IT Service Desk by calling 306-787-5000. You should also inform your designated Ministry Security Officer.
Information Protection Classification is used to determine the appropriate classification of information. It is an exercise that should be completed by the Information Owner (those in possession and/or control of the information) before any IT-related initiative. Information owners should use the Statement of Sensitivity to help them determine the appropriate information classification level – Public, Class C, Class B or Class A.
Those working on Information Protection Classification should refer to A Guide for Information Protection Classification.
Different security measures and controls are required depending on the classification determined by the Information Owner in the Statement of Sensitivity. The appropriate security measures and controls will be communicated to the Information Owner and/or project team by the Cybersecurity and Risk Management Branch.
Completing a Threat Risk Assessment (TRA) is an important component of any IT initiative at the Government of Saskatchewan. If you are involved in a new IT initiative, you need to think about the confidentiality, integrity and availability of information. Specifically, you need to consider how the information will be protected from unauthorized access, loss or modification.
A TRA is required for all IT projects and can be initiated by submitting a service request to Security Ops or through the project coordinator.
When a TRA has been completed, it will be presented to project teams and other stakeholders. Any risks identified within the assessment must be addressed to the satisfaction of the Government of Saskatchewan Security Governance Committee.
Security Officers work closely with the Cybersecurity and Risk Management Branch to assist with matters of information security throughout the Government of Saskatchewan. Security Officers are responsible for promoting security awareness and compliance with information security policies and tracking information security risks and risk mitigations within their ministry or agency.
If you have a question related to the security of information, you may contact your designated Ministry Security Officer.
As always, if you observe an information security incident, immediately report it to the IT Service Desk by calling 306-787-5000.
