Resources
Cybersecurity and Information Protection
General Reference Documents
This library of reference materials contains documents published by authoritative and informed sources that can assist your organization with practical, helpful guidance on reducing cybersecurity risks and protecting personal information.
For the purposes of this Library, sources are defined as:
- Authoritative Source: a privacy or cyber-security organization dedicated to establishing standards and best practices
- Informed Source: a news source, blog or information from a commercial vendor that provides informed privacy and data security advice.
Ransomware risk mitigation
Summary of contents
Short, straight-forward advice on:
- Securing Networks and Systems
- Securing the End User
- Responding to a Compromise/Attack
Authoritative Source: Center for Internet Security
COVID-19 cybersecurity guidance
Summary of contents
A brief summary for executives with suggestions on how to address physical, supply chain, and cybersecurity issues that may arise from the spread of Novel Coronavirus, or COVID-19.
Summary of contents
Recommendations from a lawyer specializing in cybersecurity on managing COVID-19 cybersecurity risks from a people, process and technology perspective. Includes an extensive list of best practice guidance documents from authoritative sources in Canada, the United States, UK, Europe and Australia.
Informed Source: BLG (Borden Ladner Gervais LLP)
Summary of contents
Protect against fakes:
- Against Malicious Emails
- Against Malicious Attachments
- Against Malicious Websites
Authoritative Source: Canadian Centre for Cybersecurity
Summary of contents
- Practical recommendations to create a secure remote environment.
- Ensure that your staff and stakeholders are informed and educated in cyber security practices, such as detecting socially-engineered messages.
- Ensure that staff working from home have physical security measures in place. This minimises the risk that information may be accessed, used, modified or removed from the premises without authorisation.
Authoritative Source: Australian Cyber Security Centre
Summary of contents
Practical recommendations for staff. Examples:
- Don’t click on links from sources you don’t know.
- Watch for emails claiming to be from the Centers for Disease Control and Prevention (CDC) or from experts saying that they have information about the virus.
- Ignore online offers for vaccinations.
- Do your homework when it comes to donations
- Be alert to “investment opportunities.”
Authoritative Source: US Federal Trade Commission
Working from home and outside the office
Summary of contents
- Asking your staff to work from home
- Setting up new accounts and accesses
- Preparing your staff for home working
- chat rooms
- video teleconferencing (VTC)
- document sharing.
- NCSC guidance on implementing Software as a Service (SaaS) applications can help you choose and roll out a range of popular services.
- General recommendations with practical tips
Authoritative Source: National Cyber Security Centre
Summary of contents
- Password management
- Security Patches and updates
- Phishing
- On-line Social Distancing
- Developed with challenges of COVID-19 in mind
- Includes a shareable PDF
Authoritative Source: Cyber Readiness Institute
Summary of contents
Practical advice designed to be shared with teleworking home and remote office users.
Authoritative Source: National Institute of Standards and Technology (NIST)
Summary of contents
A shareable PDF with practical guidance for working outside of the office.
Authoritative Source: National Cyber Security Alliance
Summary of contents
- Use a secure wireless network
- Be aware of Phishing and Social Engineering
- Protect the information in your care
- Lock your mobile device when not in use.
- Store any documents securely
- Protect against shoulder surfing
- Lock your screen before you leave
- Maintain a clean work area
- Make phone or video calls in private
- Keep your device secured/tethered
- Keep your device updated
- Immediately report a lost or stolen device
Authoritative Source: BC Office of the Information and Privacy Protection Commissioner (OIPC)
Videoconferencing products and services
Summary of contents
- Mitigations and general guidance
- Product-specific guidance
- Google Hangouts
- Slack
- Microsoft Teams
- Zoom
- GoTo Meeting
Authoritative Source: Canadian Centre for Cybersecurity
Secure Email for small to medium sized organizations
NIST Special Publication 800-177 Revision 1 February 2019
Summary of contents
A technical reference for small to medium organizations.
Authoritative Source: National Institute of Standards and Technology (NIST)
Summary of contents
Why You Need Your Emails Encrypted
1. ProtonMail – The Most Well-Known Email Service Provider
2. Mailfence – End-to-End Encryption + Digital Signatures
3. Hushmail – Oldest Secure Email Service
FAQs
Informed Source: Privacy Canada
Cloud services and cybersecurity
Summary of contents
Guidance from a lawyer in Vancouver specializing in cybersecurity. Recommendations are based on controls published by the Canadian Centre for Cybersecurity, with specific suggestions on:
- performing a risk/benefit assessment
- cloud services contracts
- oversight/monitoring
Informed Source: BLG (Borden Ladner Gervais LLP)
Cybersecurity risk assessment standards and best practices
Summary of contents
An easy to understand security self-assessment designed for businesses in BC, with simple yes/no questions. Includes questions that are considered by OIPC to be a minimum requirement.
Authoritative Source: BC Office of the Information and Privacy Protection Commissioner (OIPC)
These controls are the ones that are used when evaluating Partner Agencies through the SCsIP Cybersecurity Assessment project.
For a downloadable PDF version of these standards, click here.
Summary of contents
Clear, easy to understand recommendations designed specifically for small and medium sized organizations by the Canadian Government. Systematically reviews an organization’s cyber security profile on the following topics:
- Develop an Incident Response Plan
- Automatically Patch Operating Systems and Applications
- Enable Security Software
- Securely Configure Devices
- Use Strong User Authentication
- Provide Employees with Awareness Training
- Back Up and Encrypt Data
- Secure Mobility
- Establish Basic Perimeter Defences
- Secure Cloud and Outsourced IT Services
- Secure Websites
- Implement Access Control and Authorization
- Secure Portable Media
Authoritative Source: Canadian Centre for Cyber Security
References supporting standards cited in the CCCS Baseline Controls
BC.9.2
Suggested DNS firewall service:
Informed source
BC.9.7
Configuring with GSuite systems:
Configuring Microsoft 365
Informed source
BC.11.2
ASVS levels
- https://owasp.org/www-pdf-archive//OWASP_ASVS_Article_-_Getting_Started_Using_ASVS.pdf
- ASVS Level 1 is for low assurance levels, and is completely penetration testable
- ASVS Level 2 is for applications that contain sensitive data, which requires protection and is the recommended level for most apps
- ASVS Level 3 is for the most critical applications - applications that perform high value transactions, contain sensitive medical data, or any application that requires the highest level of trust
Templates for additional resources
<Insert Title, Linked URL>
Summary of contents
Authoritative Source: <Insert source, Linked URL>