G-1.03, r. 1 - Regulation respecting the terms and conditions of application of sections 12.2 to 12.4 of the Act respecting the governance and management of the information resources of public bodies and government enterprises

Full text
Updated to 29 June 2022
This document has official status.
not in force
chapter G-1.03, r. 1
Regulation respecting the terms and conditions of application of sections 12.2 to 12.4 of the Act respecting the governance and management of the information resources of public bodies and government enterprises
Act respecting the governance and management of the information resources of public bodies and government enterprises
(chapter G-1.03, s. 22.1.1).
DIVISION I
INTRODUCTORY
O.C. 1296-2022, Div. I.
1. In this Regulation,
(1)  security event means any form of breach, present or apprehended, such as a cyber attack or a threat to the confidentiality, integrity or availability of information or an information resource under the responsibility of a public body;
(2)  cybersecurity practitioner means the government chief information security officer, the deputy chief information security officer or a public body’s personnel member assigned to functions in the field of cybersecurity;
(3)  Act means the Act respecting the governance and management of the information resources of public bodies and government enterprises (chapter G-1.03);
(4)  Minister means the Minister of Cybersecurity and Digital Technology;
(5)  administrative unit specialized in information security means the Centre gouvernemental de cyberdéfense referred to in section 12.5 of the Act or a cyber defence operations center referred to in section 9 of the Directive gouvernementale sur la sécurité de l’information (D. 1514-2021, 2021-12-08).
O.C. 1296-2022, s. 1.
2. This Regulation applies to the public bodies listed in section 2 of the Act.
O.C. 1296-2022, s. 2.
DIVISION II
INFORMATION SECURITY OBLIGATIONS
O.C. 1296-2022, Div. II.
3. A public body must manage effectively the security of information resources and information it holds, in particular by putting in place cybersecurity measures, including cyber defence mechanisms, to ensure the diligent taking charge of security events.
A public body must also follow good practices in information security in order to reduce risks of a breach to an acceptable level.
O.C. 1296-2022, s. 3.
4. A proactive cyber defence team must be established and maintained within an administrative unit specialized in information security. Such a team is charged with testing applicable cybersecurity measures, including cyber defence mechanisms, and seeing to the handling of security events related to cybersecurity.
O.C. 1296-2022, s. 4.
5. The Centre gouvernemental de cyberdéfense referred to in section 12.5 of the Act may provide its services to another administrative unit specialized in information security or a public body to carry out cybersecurity activities, such as penetration tests.
O.C. 1296-2022, s. 5.
6. A public body must, during each security event, assess the risk of such an event by taking into consideration the sensitivity of the information resource or information concerned, the apprehended consequences of its use and the probability that it be used in particular for harmful purposes.
O.C. 1296-2022, s. 6.
DIVISION III
COMMUNICATIONS BETWEEN CYBERSECURITY PRACTITIONERS
O.C. 1296-2022, Div. III.
7. The communications provided for in the third paragraph of section 12.2 and section 12.3 of the Act must be made by any means that provides proper protection. They may be made using automated systems in the form, for example, of bulletins or warnings.
Where a security event is related to cybersecurity, the activities allowing the communications referred to in the first paragraph are carried out by cybersecurity practitioners as part of their respective responsibilities.
For such an event, the communications referred to in the first paragraph must be based on the obligation to take cybersecurity measures to follow good practices generally recognized by international benchmarks, such as ISO standards or the National Institute of Standards and Technology (NIST) benchmark.
O.C. 1296-2022, s. 7.
8. The information that is the subject of the communications referred to in section 7 may include personal information.
Where personal information may be communicated in a form that does not allow the direct identification of the person concerned, it must be communicated in that form.
The second paragraph does not apply where there are grounds to believe that there is urgency to act in a matter of cybersecurity or that there is a risk that irreparable harm may be caused to an information resource or information under the responsibility of a public body. In that case, public bodies share the personal information concerned through their cybersecurity practitioners, by applying measures that ensure the confidentiality of such information.
There is urgency where the impact of a security event must be corrected or risks due in particular to the severity of the apprehended consequences must be reduced. A malicious software, phishing or an information leak may be a cause of the urgency.
O.C. 1296-2022, s. 8.
9. The communications referred to in this Division are for the benefit of the public body responsible for ensuring the security of its information resources and information it holds or for the benefit of the person concerned by the personal information that is the subject of a breach or a risk of a breach.
O.C. 1296-2022, s. 9.
DIVISION IV
COMMUNICATIONS OUTSIDE QUÉBEC
O.C. 1296-2022, Div. IV.
10. An agreement referred to in section 12.4 of the Act, concerning the communication of information outside Québec, must
(1)  identify the representatives authorized to make the communications between the parties;
(2)  limit access to the information only to authorized representatives, where the information is necessary in the performance of their duties;
(3)  include protection and security measures to ensure the protection of the information to be communicated;
(4)  provide for obligations related to the preservation and destruction of the information;
(5)  provide that the Minister is to be immediately notified of any violation of or attempt to violate any of the obligations set out in the agreement by any person and of any event likely to affect the confidentiality of the information.
O.C. 1296-2022, s. 10.
DIVISION V
MISCELLANEOUS AND FINAL
O.C. 1296-2022, Div. V.
11. Any agreement referred to in section 12.4 of the Act, entered into with any person or body in Canada or abroad before 28 July 2022 and approved by an order in council made under the first paragraph of section 3.8 of the Act respecting the Ministère du Conseil exécutif (chapter M-30), is deemed to fulfil the conditions set out in section 10.
O.C. 1296-2022, s. 11.
12. (Omitted).
O.C. 1296-2022, s. 12.
REFERENCES
O.C. 1296-2022, 2022 G.O. 2, 2529