Resources

Cybersecurity and Information Protection

General Reference Documents

This library of reference materials contains documents published by authoritative and informed sources that can assist your organization with practical, helpful guidance on reducing cybersecurity risks and protecting personal information.

For the purposes of this Library, sources are defined as:

  • Authoritative Source: a privacy or cyber-security organization dedicated to establishing standards and best practices
  • Informed Source: a news source, blog or information from a commercial vendor that provides informed privacy and data security advice.

Ransomware risk mitigation

Summary of contents

Short, straightforward advice on:
  • Securing Networks and Systems
  • Securing the End User
  • Responding to a Compromise/Attack

Authoritative Source: Center for Internet Security

COVID-19 cybersecurity guidance

Summary of contents

A brief summary for executives with suggestions on how to address physical, supply chain, and cybersecurity issues that may arise from the spread of Novel Coronavirus, or COVID-19.

Summary of contents

Recommendations from a lawyer specializing in cybersecurity on managing COVID-19 cybersecurity risks from a people, process and technology perspective. Includes an extensive list of best practice guidance documents from authoritative sources in Canada, the United States, UK, Europe and Australia.

Summary of contents

Protect against fakes:
  • Against Malicious Emails
  • Against Malicious Attachments
  • Against Malicious Websites

Authoritative Source: Canadian Centre for Cybersecurity

Summary of contents

  • Practical recommendations to create a secure remote environment.
  • Ensure that your staff and stakeholders are informed and educated in cyber security practices, such as detecting socially-engineered messages.
  • Ensure that staff working from home have physical security measures in place. This minimises the risk that information may be accessed, used, modified or removed from the premises without authorisation.

Authoritative Source: Australian Cyber Security Centre

Summary of contents

Practical recommendations for staff. Examples:
  • Don’t click on links from sources you don’t know.
  • Watch for emails claiming to be from the Centers for Disease Control and Prevention (CDC), or from experts claiming to have information about the virus.
  • Ignore online offers for vaccinations.
  • Do your homework when it comes to donations.
  • Be alert to “investment opportunities.”

Authoritative Source: US Federal Trade Commission

Working from home and outside the office

Summary of contents

  • Asking your staff to work from home
  • Setting up new accounts and accesses
  • Preparing your staff for home working
    • chat rooms
    • video teleconferencing (VTC)
    • document sharing.
  • NCSC guidance on implementing Software as a Service (SaaS) applications can help you choose and roll out a range of popular services.
  • General recommendations with practical tips

Authoritative Source: National Cyber Security Centre

Summary of contents

  • Password management
  • Security Patches and updates
  • Phishing
  • On-line Social Distancing
  • Developed with challenges of COVID-19 in mind
  • Includes a shareable PDF

Authoritative Source: Cyber Readiness Institute

Summary of contents

Practical advice designed to be shared with teleworking home and remote office users.

Authoritative Source: National Institute of Standards and Technology (NIST)

Summary of contents

A shareable PDF with practical guidance for working outside of the office.

Authoritative Source: National Cyber Security Alliance

Summary of contents

  • Use a secure wireless network
  • Be aware of Phishing and Social Engineering
  • Protect the information in your care
  • Lock your mobile device when not in use.
  • Store any documents securely
  • Protect against shoulder surfing
  • Lock your screen before you leave
  • Maintain a clean work area
  • Make phone or video calls in private
  • Keep your device secured/tethered
  • Keep your device updated
  • Immediately report a lost or stolen device

Authoritative Source: BC Office of the Information and Privacy Protection Commissioner (OIPC)

Videoconferencing products and services

Summary of contents

  • Mitigations and general guidance
  • Product-specific guidance
    • Google Hangouts
    • Slack
    • Microsoft Teams
    • Zoom
    • GoTo Meeting

Authoritative Source: Canadian Centre for Cybersecurity

Secure Email for small to medium sized organizations

NIST Special Publication 800-177 Revision 1 February 2019

Summary of contents

A technical reference for small to medium organizations.

Authoritative Source: National Institute of Standards and Technology (NIST)

Summary of contents

Why You Need Your Emails Encrypted
  1. ProtonMail – The Most Well-Known Email Service Provider
  2. Mailfence – End-to-End Encryption + Digital Signatures
  3. Hushmail – Oldest Secure Email Service
FAQs

Informed Source: Privacy Canada

Cloud services and cybersecurity

Summary of contents

Guidance from a lawyer in Vancouver specializing in cybersecurity. Recommendations are based on controls published by the Canadian Centre for Cybersecurity, with specific suggestions on:
  • performing a risk/benefit assessment
  • cloud services contracts
  • oversight/monitoring

Informed Source: BLG (Borden Ladner Gervais LLP)

Cybersecurity risk assessment standards and best practices

Summary of contents

An easy-to-understand security self-assessment designed for businesses in BC, with simple yes/no questions. Includes questions that are considered by OIPC to be a minimum requirement.

Authoritative Source: BC Office of the Information and Privacy Protection Commissioner (OIPC)

These controls are the ones that are used when evaluating Partner Agencies through the SCsIP Cybersecurity Assessment project.

For a downloadable PDF version of these standards, click here.

Summary of contents

Clear, easy-to-understand recommendations designed specifically for small and medium sized organizations by the Canadian Government. Systematically reviews an organization’s cyber security profile on the following topics:

Authoritative Source: Canadian Centre for Cyber Security

References supporting standards cited in the CCCS Baseline Controls

Note: Some references cited below are identified as originating from informed sources, rather than authoritative ones. Discretion should be used when reviewing information from informed sources, including the potential for author bias.

For the purposes of this Library, sources are defined as:
  • Authoritative Source: a privacy or cyber-security organization dedicated to establishing standards and best practices
  • Informed Source: a news source, blog or information from a commercial vendor that provides informed privacy and data security advice.

BC.9.6
  • Payment Card Industry Data Security Standard (PCI DSS)
  • Authoritative source

BC.10.1
  • AICPA SSAE 18 SOC 3 report: Trust Service Principles compliance
  • Authoritative source

BC.11.1
  • OWASP top 10 vulnerabilities
  • Authoritative source

BC.11.2
  • ASVS levels
    • https://owasp.org/www-pdf-archive//OWASP_ASVS_Article_-_Getting_Started_Using_ASVS.pdf
    • ASVS Level 1 is for low assurance levels, and is completely penetration testable
    • ASVS Level 2 is for applications that contain sensitive data, which requires protection, and is the recommended level for most apps
    • ASVS Level 3 is for the most critical applications: applications that perform high value transactions, contain sensitive medical data, or any application that requires the highest level of trust
  • Authoritative source