For the purposes of this Library, sources are defined as:
-
Authoritative Source: a privacy or cyber-security organization dedicated to establishing standards and best practices
- Informed Source: a news source, blog or information from a commercial vendor that provides informed privacy and data security advice
Disclaimer: Click here for important information to consider when reviewing information on this site.
Cybersecurity and Privacy Breach Emergency Planning
Summary of contents
-
How to create a “call first or act first” checklist
-
How to create a “get out of bed” checklist and notification matrix
-
Emergency indicators and associated confidence levels
-
Suggestions vs. decisions: what is appropriate in a given situation?
-
Response expectations and approved actions that have been coordinated with key stakeholders
Authoritative Source: Information System Audit and Control Association (ISACA)
A printable template to help document and report a suspected or confirmed privacy breach
Authoritative Source: Office of the Information and Privacy Commissioner BC (OIPC)
A resource guide to help respond to a privacy breach in accordance with BC privacy legislation.
- complements the above checklist
- designed to be printed and kept on hand as part of emergency preparedness planning
Authoritative Source: Office of the Information and Privacy Commissioner BC (OIPC)
Ransomware Risk Mitigation
Summary of Contents
- Practical steps on protecting against the threat
- Recovering from ransomware attacks
Authoritative Source: NIST National Institute of Standards and Technology
Summary of contents
Short, straight-forward advice on
- Securing Networks and Systems
- Securing the End User
- Responding to a Compromise/Attack
Authoritative Source: Center for Internet Security
COVID-19 cybersecurity guidance
Summary of contents
Practical recommendations for staff. Examples:
- Don’t click on links from sources you don’t know.
- Watch for emails claiming to be from the Centers for Disease Control and Prevention (CDC) or experts saying that have information about the virus.
- Ignore online offers for vaccinations.
- Do your homework when it comes to donations
- Be alert to “investment opportunities.”
Authoritative Source: US Federal Trade Commission
Summary of contents
Protect against fakes
- Against Malicious Emails
- Against Malicious Attachments
- Against Malicious Websites
Authoritative Source: Canadian Centre for Cybersecurity
Summary of contents
Recommendations from a lawyer specializing in cybersecurity on managing COVID-19 cybersecurity risks from a people, process and technology perspective. Includes an extensive list of best practice guidance documents from authoritative sources in Canada, the United States, UK, Europe and Australia.
Informed Source: BLG (Borden Ladner Gervais LLP)
Summary of contents
- Practical recommendations to create a secure remote environment.
- Ensure that your staff and stakeholders are informed and educated in cyber security practices, such as detecting socially-engineered messages.
- Ensure that staff working from home have physical security measures in place. This minimises the risk that information may be accessed, used, modified or removed from the premises without authorisation.
Authoritative Source: Australian Cyber Security Centre
Summary of contents
A brief summary for executives with suggestions on how to address physical, supply chain, and cybersecurity issues that may arise from the spread of Novel Coronavirus, or COVID-19.
Working from home and outside the office
Summary of Contents
Practical advice for securing home networks. This brief, easy to understand guide includes recommendations for:
- securing routing devices
- implementing wireless network segmentation
- and ensuring confidentiality while working from home remotely
- and more
Authoritative source: National Security Agency
Summary of contents
- Use a secure wireless network
- Be aware of Phishing and Social Engineering
- Protect the information in your care
- Lock your mobile device when not in use.
- Store any documents securely
- Protect against shoulder surfing
- Lock your screen before you leave
- Maintain a clean work area
- Make phone or video calls in private
- Keep your device secured/tethered
- Keep your device updated
- Immediately report a lost or stolen device
Authoritative Source: BC Office of the Information and Privacy Protection Commissioner (OIPC)
Summary of contents
- Asking your staff to work from home
- Setting up new accounts and accesses
- Preparing your staff for home working
- chat rooms
- video teleconferencing (VTC)
- document sharing.
- NCSC guidance on implementing Software as a Service (SaaS) applications can help you choose and roll out a range of popular services.
- General recommendations with practical tips
Authoritative Source: National Cyber Security Centre
Summary of contents
- Password management
- Security Patches and updates
- Phishing
- On-line Social Distancing
- Developed with challenges of COVID-19 in mind
- Includes a shareable PDF
Authoritative Source: Cyber Readiness Institute
Summary of contents
A shareable PDF with practical guidance for working outside of the office.
Authoritative Source: National Cyber Security Alliance
Summary of contents
Practical advice designed to be shared with teleworking home and remote office users.
Authoritative Source: National Institute of Standards and Technology (NIST)
Videoconferencing products and services
Summary of contents
- Mitigations and general guidance
- Product-specific guidance
- Google Hangouts
- Slack
- Microsoft Teams
- Zoom
- GoTo Meeting
Authoritative Source: Canadian Centre for Cybersecurity
A publication by Zoom subtitled “Everything you need to keep your video meetings safe and secure”.
- Turn on Your Waiting Room
- View and Admit Participants
- Message the Waiting Room
- Remove Participants
- Customizations and additional help information
Informed Source: Zoom Communications
Secure Email for small to medium sized organizations
Summary of contents
- Why You Need Your Emails Encrypted
- 1. ProtonMail – The Most Well-Known Email Service Provider
- 2. Mailfence – End-to-End Encryption + Digital Signatures
- 3. Hushmail – Oldest Secure Email Service
- FAQs
Informed Source: Privacy Canada
Summary of contents
A technical reference for small to medium organizations.
Authoritative Source: National Institute of Standards and Technology (NIST)
Cloud services and cybersecurity
Summary of contents
Guidance from a lawyer in Vancouver specializing in cybersecurity. Recommendations are based on controls published by the Canadian Centre for Cybersecurity, with specific suggestions on:
- performing a risk/benefit assessment
- cloud services contracts
- oversight/monitoring
Informed Source: BLG (Borden Ladner Gervais LLP)
Cybersecurity risk assessment standards and best practices
Baseline Cyber Security Controls for Small and Medium Organizations
These controls are the ones that are used when evaluating Partner Agencies through the SCsIP Cybersecurity Assessment project.
For a downloadable PDF version of these standards, click here.
Summary of contents
Clear, easy to understand recommendations designed specifically for small and medium sized organizations by the Canadian Government. Systematically reviews an organization’s cyber security profile on the following topics:
- Develop an Incident Response Plan
- Automatically Patch Operating Systems and Applications
- Enable Security Software
- Securely Configure Devices
- Use Strong User Authentication
- Provide Employee with Awareness Training
- Back Up and Encrypt Data
- Secure Mobility
- Establish Basic Perimeter Defences
- Secure Cloud and Outsourced IT Services
- Secure Websites
- Implement Access Control and Authorization
- Secure Portable Media
Authoritative Source: Canadian Centre for Cyber Security
Summary of contentsAn easy to understand security self-assessment designed for businesses in BC, with simple yes/no questions. Includes questions that are considered by OIPC to be a minimum requirement.
Authoritative Source: BC Office of the Information and Privacy Protection Commissioner (OIPC)
References supporting standards cited in the CCCS Baseline Controls
Note: Some references cited below are identified as originating from informed sources, rather than authoritative ones. Discretion should be used when reviewing information from informed sources, including the potential for author bias.
For the purposes of this Library, sources are defined as:
- Authoritative Source: a privacy or cyber-security organization dedicated to establishing standards and best practices
- Informed Source: a news source, blog or information from a commercial vendor that provides informed privacy and data security advice.
BC.9.2
Informed source
BC.9.4
Authoritative source
BC.9.6
Payment Card Industry Data Security Standard (PCI DSS)
Authoritative source
BC.9.7
Configuring with GSuite systems:
Configuring Microsoft 365
Informed source
BC.10.1
AICPA SSAE 18 SOC 3 report: Trust Service Principles compliance
Authoritative source
BC.11.1
Authoritative source
BC.11.2
ASVS levels
- https://owasp.org/www-pdf-archive//OWASP_ASVS_Article_-_Getting_Started_Using_ASVS.pdf
- ASVS Level 1 is for low assurance levels, and is completely penetration testable
- ASVS Level 2 is for applications that contain sensitive data, which requires protection and is the recommended level for most apps
- ASVS Level 3 is for the most critical applications - applications that perform high value transactions, contain sensitive medical data, or any application that requires the highest level of trust
Authoritative source
Funding is generously provided through the Ronald S. Roadburg Foundation.
