Technical Guide β IT & CISO
The law requires reasonable and proportionate security measures β not a specific technology. This chapter translates the legal obligations into concrete measures.
Data mapping
You can only protect what you know you have. Build and maintain an inventory:
- What personal data do we hold? (customers, employees, prospects, suppliers)
- Where is it? (servers, workstations, SaaS, backups, email, paper)
- Who has access to it?
- How long do we keep it?
- Where does it flow? (internal flows, outside Quebec)
Access management and MFA
- Least privilege: everyone only accesses what they need for their role
- MFA mandatory for remote access and administrator accounts
- Periodic review of permissions (departures, role changes, external contracts)
- Log access to sensitive data
Encryption β in transit and at rest
- In transit: TLS for every exchange (websites, APIs, sensitive emails)
- At rest: encryption of disks, databases and backups
- Mobile devices and removable media encrypted
Logging and anomaly detection
- Keep access and event logs sufficient to detect and investigate
- Set up monitoring for abnormal access β an EDR or a managed service (MSSP) depending on your resources
3-2-1 backups against ransomware
- 3-2-1 rule: 3 copies, on 2 different media, with 1 offsite or offline
- Regularly test the restore β an untested backup is not a backup
- Immutable or offline copies to withstand ransomware
Cloud provider security
- Check providers' certifications (SOC 2, ISO 27001) and data location
- Configure SaaS services correctly β leaks often come from misconfigurations, not sophisticated hacks
- Enable privacy-by-default settings at the highest level
Secure retention and destruction
- Automate the purging of data that has reached its retention deadline
- Destroy irreversibly: secure erasure (NIST 800-88), paper shredding
- Document destructions as evidence of due diligence
Incident response plan (IRP)
- Defined roles: who decides, who communicates, who remediates
- Escalation and notification procedure (linked to chapter 7)
- Contact information for the CAI, the Privacy Officer, suppliers, cyber insurer
- Periodic tabletop exercises (at least annually)
Staff awareness
Humans remain the most exploited link (phishing, misdirected emails). Provide recurring training and reminders. Our 15 essential modules cover exactly these needs.
NIST CSF 2.0 Β· ISO 27001 Β· CIS Controls
Law 25 doesn't mandate a specific framework, but it requires reasonable measures. Rely on recognized frameworks suited to your size: the NIST Cybersecurity Framework (CSF) 2.0, ISO/IEC 27001, the CIS Controls.
β Technical checklist
- β Is the personal data inventory up to date?
- β Is MFA enabled on all remote and administrator accounts?
- β Encryption in transit (TLS) and at rest?
- β Tested 3-2-1 backups (restore verified)?
- β Written incident response plan, with roles and an annual tabletop exercise?
- β Awareness training deployed to staff?