As threats to Information Technology security become more sophisticated and continue to pose a significant risk to the Government of Saskatchewan's business, it is important for all of us to realize and accept that information security is everyone's responsibility. To ensure the privacy and accuracy of the information entrusted to us, we must all comply with the security policies and procedures for managing information in a secure manner.
To increase our awareness of information security concepts and learn more about Government's information security resources, policies, standards and specifications, we are all encouraged to review the information available on this site.
Cybersecurity and Risk Management Branch
The Cybersecurity and Risk Management Branch within the Information Technology Division (ITD) of the Ministry of SaskBuilds and Procurement is responsible for managing all things related to IT security including, though not necessarily limited to:
- Providing interpretation and enforcement of the information security policy and standards;
- Providing information security education and awareness;
- Responding to information security Incidents;
- Performing Threat Risk Assessments (TRAs) for IT-related business initiatives throughout Government;
- Providing security assessment and overall security requirements oversight for IT-related Solution and Services Procurements;
- Providing information security advice and guidance for business areas; and
- Evaluating new threats and vulnerabilities.
Information Security Policies are available on the "Information Security Policies" Taskroom page.
Additional information security resources are available under the Related Documents section at the bottom of this page.
You may also jump to information pertaining to specific topics here:
Should you require additional information, have questions regarding any of the information presented on this site, or you have suggestions or requests related to information on this site, please contact the Cybersecurity and Risk Management Branch at SBPITInformationSecurityBranch@gov.sk.ca.
The Cybersecurity and Risk Management Branch maintains and provides interpretation and enforcement of information security policies. The Government of Saskatchewan has established and maintains Information Security Policies based on the ISO/IEC 27001:2013 framework for information security controls. This industry-standard framework specifies the requirements for establishing, implementing, maintaining and continually improving an Information Security Management System within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization.
Information security policies are available on the "Information Security Policies" Taskroom page.
In 2025-26, all Government of Saskatchewan employees are required to complete the following mandatory cybersecurity awareness courses:
- Social Engineering training;
- Remote Work training;
- Artificial Intelligence training;
- User Acceptable Usage Policy acknowledgement; and
- Overarching Security Policy acknowledgement.
The courses must be completed by March 31, 2026.
More information can be found in the Key Messages and Questions and Answers document.
If a security-related event or incident is observed, immediately report it to the IT Service Desk by calling 306-787-5000.
Such events may include, though are not necessarily limited to:
- Accidentally opening a malicious or phishing link or attachment;
- Suspecting that a virus or other malicious code has infected your PC;
- Suspecting that your user credentials have been compromised;
- Observing behavior from your PC that could be considered out of the ordinary;
- Discovering print outs of sensitive information left on a printer or fax machine;
- Observing unauthorized disclosure of government information;
- Observing unauthorized access to government information or facilities;
- Discovering that user credentials have been shared with more than just the authorized user of an account;
- Any circumstance in which your instincts tell you something pertaining to the security of information is wrong!
When in doubt, err on the side of caution and report suspicious activity or circumstances to the Ministry Security Officer. A list of Ministry Security Officers is provided in the Security Officers List.
Unfortunately, even with firewalls and other protections in place, spam can get through. Sometimes, spam containing malicious links or attachments is received by employees in their mailboxes. We can all do our part to help prevent viruses or other malware by not opening suspicious links and attachments in emails.
Phishing, the act of trying to obtain confidential information or money from users, has become increasingly common and those using phishing tactics are becoming increasingly sophisticated. These tactics often include an email that appears to be from a legitimate source such as your bank, one of our vendors or other common companies. Tactics will also include utilizing current world or local events to entice users to click on links or open attachments.
In some cases, phishing campaigns may even use a @gov.sk.ca email or other familiar accounts. If you think you may have auspicious email from @gov.sk.ca or other familiar account, try phoning the sender before clicking any links or opening any attachments to confirm it was sent by the sender. If you cannot confirm this, do not open it. Delete the email from your inbox and delete it permanently from the deleted items folder.
Information Classification is used to determine the appropriate classification of data for government information and is an exercise that should be completed by the Information Owner before any IT-related initiative. Information owners should use the Statement of Sensitivity to determine if data is considered Public, Class C, Class B or Class A and whether the integrity and availability are at a High, Medium, or Low level.
Different security measures are required depending on the classification determined by the Information Owner in the Statement of Sensitivity.
Information owners may refer to A Guide for Information Protection Classification for additional guidance pertaining to information classification.
Completing a security assessment is an important component of any project. If you are involved in a new government IT initiative, work on an IT project handling sensitive information or your project involves external hosting of data, you need to think about the confidentiality, integrity, and availability of information and, specifically, how the information will be protected from unauthorized access, loss, or modification.
A TRA is required for all IT projects. A TRA can be initiated by submitting a ServiceNow service request to Security Ops or through the project coordinator.
Security assessments will be presented to project teams and business stakeholders and any risks identified as a result of the assessment must be addressed to the satisfaction of Government’s Security Governance Committee.
Security Officers work closely with the Cybersecurity and Risk Management Branch to assist with matters of Information Security throughout the Government of Saskatchewan. Security Officers are responsible for promoting security awareness and compliance with information security policies and tracking information security risks and mitigation within their ministry or agency.
If you have a question related to the security of your data or electronic information, you may contact your designated Security Officer.
As always, if you observe an information security incident, immediately report it to the IT Service Desk by calling 306-787-5000.
