As threats to Information Technology security become more sophisticated and continue to pose a significant risk to the Government of Saskatchewan's business, it is important for all of us to realize and accept that information security is everyone's responsibility. To ensure the privacy and accuracy of the information entrusted to us, we must all comply with the security policies and procedures for managing information in a secure manner.
To increase our awareness of information security concepts and learn more about Government's information security resources, policies, standards, and specifications, we are all encouraged to review the information available on this site. A good starting point for all of us is the IT Security Handbook.
Information Security Branch
The Information Security branch within the IT Division (ITD) of the Ministry of SaskBuilds and Procurement is responsible for managing all things related to IT security including, though not necessarily limited to:
- Providing interpretation and enforcement of the information security policy and standards;
- Providing information security education and awareness;
- Responding to information security Incidents;
- Performing Threat Risk Assessments (TRAs) for
IT-related business initiatives throughout Government;
- Providing security assessment and overall security requirements oversight for IT-related Solution and Services Procurements;
- Providing information security advice and guidance for business areas;
- Evaluating new threats and vulnerabilities.
Additional information security resources are available under the "Related Documents " section at the bottom of this page.
You may also jump to information pertaining to specific topics here:
Should you require additional information, have questions regarding any of the information presented on this site, or you have suggestions or requests related to information on this site, please contact Information Security Branch at CSITInformationSecurityBranch@gov.sk.ca.
The Information Security Branch maintains and provides interpretation and enforcement of information security policies. The Government of Saskatchewan has established and maintains Information Security Policies based on the ISO/IEC 27001:2013 framework for information security controls. This industry-standard framework specifies the requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization.
If a security-related event or incident is
observed, immediately report it to the IT Service Desk.
ITD Service Desk
*Please note that this number requires 10-digit dialing.
Such events may include, though are not necessarily limited to:
- Accidentally opening a malicious or phishing link or attachment;
- Suspecting that a virus or other malicious code has infected your PC;
- Suspecting that your user credentials have been compromised;
- Observing behavior from your PC that could be considered out of the ordinary;
- Discovering print outs of sensitive information left on a printer or fax machine;
- Observing unauthorized disclosure of government information;
- Observing unauthorized access to government information or facilities;
- Discovering that user credentials have been shared with more than just the authorized user of an account;
- Any circumstance in which your instincts tell you something pertaining to the security of information is wrong!
When in doubt, err on the side of caution
and report suspicious activity or circumstances to the Ministry Security
Officer. A list of Ministry Security Officers is provided in the Security
Unfortunately, even with firewalls and
other protections in place, spam can get through. Sometimes, spam containing
malicious links or attachments is received by employees in their mailboxes. We
can all do our part to help prevent viruses or other malware by not opening
suspicious links and attachments in emails.
Phishing, the act of trying to obtain
confidential information or money from users, has become increasingly common
and those using phishing tactics are becoming increasingly sophisticated. These
tactics often include an email that appears to be from a legitimate source such
as your bank, one of our vendors, or other common companies. Tactics will also
include utilizing current world or local events to entice users to click on
links or open attachments.
In some cases, phishing campaigns may even
use a @gov.sk.ca email or other familiar accounts. If you think you may have a
suspicious email from @gov.sk.ca or other familiar account, try phoning the
sender before clicking any links or opening any attachments to confirm it was sent
by the sender. If you cannot confirm this, do not open it. Delete the email
from your inbox and delete it permanently from the deleted items folder.
There is additional information in the IT Security Handbook pertaining to identifying and reporting suspicious email.
Information Classification is used to determine the appropriate classification of data for government information and is an exercise that should be completed by the Information Owner before any IT-related initiative. Information Owners should be familiar with A Guide for Information Protection Classification and use the Statement of Sensitivity to determine if data is considered Public, Class C, Class B or Class A and whether the integrity and availability are at a High, Medium, or Low level.
Different security measures are required depending on the classification determined by the Information Owner in the Statement of Sensitivity.
Completing a security assessment is an important component of any project. If you are involved in a new government IT initiative, work on an IT project handling sensitive information, or your project involves external hosting of data, you need to think about the Confidentiality, Integrity, and Availability of information and, specifically, how the information will be protected from unauthorized access, loss, or modification.
A Threat Risk Assessment (TRA) is required for all IT projects. A TRA can be initiated by submitting a ServiceNow service request to Security Ops or through the project coordinator.
Security assessments will be presented to
project teams and business stakeholders and any risks identified as a result of
the assessment must be addressed to the satisfaction of Government’s Security
Security Officers work closely with the
Information Security Branch to assist with matters of Information Security
throughout the Government of Saskatchewan. Security Officers are responsible
for promoting security awareness and compliance with information security
policies and tracking information security risks and mitigation within their
ministry or agency.
If you have a question related to the security of your data or electronic information, you may contact your designated Security Officer. A list of Security Officers is provided in Security Officers List.
As always, if you observe an information security incident, immediately report it to the IT Service Desk.
ITD Service Desk
*Please note that this number requires 10-digit dialing.