The Cyber Security and Risk Management Branch, within the Information Technology Division of the Ministry of SaskBuilds and Procurement, maintains and provides interpretation and enforcement of information security policies. The Government of Saskatchewan Information Security Policies are based on the ISO/IEC 27001:2022 framework for information security controls and have been reviewed by an independent third party. This industry-standard framework specifies the requirements for establishing, implementing, maintaining and continually improving an Information Security Management System within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization.
Each policy document references the corresponding ISO domain to which it aligns. We have also referenced the corresponding National Institute of Standards and Technology (NIST) framework.
Should you have questions or feedback related to these policy documents, you may engage the Cyber Security and Risk Management Branch via email at SBPITInformationSecurityBranch@gov.sk.ca.
Additional information and resources regarding information security including reporting incidents, protection from spam and phishing, information/data classification, security assessments, and related documentation can be found on the IT Security Services Taskroom page.
Executive Government Security Policy
The purpose of this policy is to provide a framework to manage information security for all Government of Saskatchewan (GoS) information systems (including but not limited to all computers, mobile devices, networking equipment, software and data) and information users.
Policies
This policy establishes a framework to initiate and control the implementation and operation of information security within the Government of Saskatchewan.
This policy is to identify and safeguard government information assets in accordance with their sensitivity and value.
This policy is to ensure proper and effective use of logical and physical access controls to safeguard access to GoS networks, applications, and information.
This policy is to ensure proper and effective use of cryptography to protect the confidentiality and integrity of government information.
This policy is to prevent unauthorized physical access, loss, damage, theft, compromise or interference to the government’s information, assets, and operations.
This policy is to ensure correct and secure operations of information systems.
This policy is to ensure the protection of information in networks and its supporting information processing facilities, and to maintain the security of information transferred within an organization and with any external entity.
This policy is to ensure that security is an integral part of information systems across their entire lifecycle.
This policy is to ensure protection of government information assets that are accessible by suppliers and to maintain an agreed level of information security in line with supplier agreements.
This policy is to ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses.
This policy is to embed information security continuity in the government’s business continuity management systems and to ensure availability of the government’s information systems.
This policy is to ensure compliance with all relevant legal, statutory, regulatory, and contractual information security obligations and requirements.
Internal Security Governance Policy
The purpose of this policy is to ensure that a governance strategy and process are in place for all Internal Security Policies to follow as part of their lifecycle. This policy follows ISO 27000 industry standards for controls and the governance elements required.
Acceptable Use
The Government of Saskatchewan requires that GoS Assets be used in a responsible way, ethically, and in compliance with all legislation and other government policies and contracts. This policy does not attempt to anticipate every situation that may arise and does not relieve anyone accessing the system of their obligation to use common sense and good judgment.