This content is provided for informational purposes and does not constitute legal advice. For any decision with legal or regulatory implications, consult a lawyer or the Commission d'accès à l'information (CAI).

βš–οΈ
Legal information β€” not legal advice This content is educational and general. It does not constitute legal advice and does not assess your particular situation. Consult a lawyer or the CAI for any decision.
CHAPTER 10

Technical Guide β€” IT & CISO

The law requires reasonable and proportionate security measures β€” not a specific technology. This chapter translates the legal obligations into concrete measures.

10.1 Β· Foundation

Data mapping

You can only protect what you know you have. Build and maintain an inventory:

  • What personal data do we hold? (customers, employees, prospects, suppliers)
  • Where is it? (servers, workstations, SaaS, backups, email, paper)
  • Who has access to it?
  • How long do we keep it?
  • Where does it flow? (internal flows, outside Quebec)
10.2 Β· Access control

Access management and MFA

  • Least privilege: everyone only accesses what they need for their role
  • MFA mandatory for remote access and administrator accounts
  • Periodic review of permissions (departures, role changes, external contracts)
  • Log access to sensitive data
10.3 Β· Data protection

Encryption β€” in transit and at rest

  • In transit: TLS for every exchange (websites, APIs, sensitive emails)
  • At rest: encryption of disks, databases and backups
  • Mobile devices and removable media encrypted
Clinical case: a stolen encrypted laptop generally does not trigger a CAI notification β€” the risk of serious harm is low if the data is inaccessible without the key.
10.4 Β· Detection

Logging and anomaly detection

  • Keep access and event logs sufficient to detect and investigate
  • Set up monitoring for abnormal access β€” an EDR or a managed service (MSSP) depending on your resources
10.5 Β· Resilience

3-2-1 backups against ransomware

  • 3-2-1 rule: 3 copies, on 2 different media, with 1 offsite or offline
  • Regularly test the restore β€” an untested backup is not a backup
  • Immutable or offline copies to withstand ransomware
10.6 Β· SaaS

Cloud provider security

  • Check providers' certifications (SOC 2, ISO 27001) and data location
  • Configure SaaS services correctly β€” leaks often come from misconfigurations, not sophisticated hacks
  • Enable privacy-by-default settings at the highest level
10.7 Β· End of life

Secure retention and destruction

  • Automate the purging of data that has reached its retention deadline
  • Destroy irreversibly: secure erasure (NIST 800-88), paper shredding
  • Document destructions as evidence of due diligence
10.8 Β· Preparedness

Incident response plan (IRP)

  • Defined roles: who decides, who communicates, who remediates
  • Escalation and notification procedure (linked to chapter 7)
  • Contact information for the CAI, the Privacy Officer, suppliers, cyber insurer
  • Periodic tabletop exercises (at least annually)
10.9 Β· The human link

Staff awareness

Humans remain the most exploited link (phishing, misdirected emails). Provide recurring training and reminders. Our 15 essential modules cover exactly these needs.

10.10 Β· Reference frameworks

NIST CSF 2.0 Β· ISO 27001 Β· CIS Controls

Law 25 doesn't mandate a specific framework, but it requires reasonable measures. Rely on recognized frameworks suited to your size: the NIST Cybersecurity Framework (CSF) 2.0, ISO/IEC 27001, the CIS Controls.

βœ“ Technical checklist

  • ☐ Is the personal data inventory up to date?
  • ☐ Is MFA enabled on all remote and administrator accounts?
  • ☐ Encryption in transit (TLS) and at rest?
  • ☐ Tested 3-2-1 backups (restore verified)?
  • ☐ Written incident response plan, with roles and an annual tabletop exercise?
  • ☐ Awareness training deployed to staff?