
Communications and Network Security Policy

Last revised: April 2021


Last reviewed: April 2021
Next review: April 2022
Ministry of SaskBuilds and Procurement
Information Technology Division, Information Security Branch

Purpose
The purpose of this policy is to ensure security is a key consideration in network management and the transfer of
information in and out of the organization.

Scope
This Communications Security Policy applies to all business processes and data, information systems and components,
personnel, and physical areas of The Government of Saskatchewan.

Definitions
This section intentionally left blank.

Governing Laws, Regulations, and Standards


Guidance Section
ISO27001: 2013 A.13, A.13.1, A.13.2
NIST SP 800-53 v4 XX-1 controls, SA-5, CM-2~CM-9, AC-5, SA-9, SA-10, AU-4, AU-5, CP-2, SA-2,
SC-5, CA-2, CA-6, SA-4, SA-11, AC-19, AT-2, AT-3, IR-2, IR-8, MA-3, MP-7,
SC-42, SI-1, SI-3, SI-5, SI-7, SA-8, SC-2, SC-3, SC-7, SC-18, CP-9, AC-3, AC-17,
AC-18, AC-20, SC-8, SC-15, CA-3, MP-5, AU-10, IA-2, IA-8, SC-7, SC-8, SC-13,
AC-3, AC-22, SI-4, SI-7, SI-10, AU-2, AU-3, AU-8, AU-11, AU-12, AU-14,
AU-6, AU-7, AU-12, CM-6, CM-11, PE-6, PE-8, SC-7, SI-4, SI-6, SI-7

Policy Statements
Network Security Management:
• Network segregation must be implemented. Groups of information services, users, and information systems
must be separated from one another.
• The Government of Saskatchewan should implement limitations and controls of network ports, protocols, and
services.
• Controls should be implemented to ensure the security of information in networks and the protection of
connected services from unauthorized access. In particular, the following items should be considered:
o Responsibilities and procedures for the management of networking equipment should be established.
o Special controls should be established to safeguard the confidentiality and integrity of data passing over
public networks or wireless networks.
o Appropriate logging and monitoring should be applied to enable the recording and detection of actions
that may affect, or are relevant to, information security.
o Management activities should be closely coordinated both to optimize the service to The Government of
Saskatchewan and to ensure that controls are consistently applied across the information processing
infrastructure.
• The following will be identified and listed within network services’ agreements – both in-house and outsourced
agreements:
o Security mechanisms.

o Service levels.
o Management requirements.
Segregation in Networks:
• Network Segregation must be based on the management of risk, and the security principles of “segregation of
duties” and “least privilege”.
• Network traffic flow control points such as firewalls, routers, switches, security gateways, VPN gateways or
proxy servers must be implemented at multiple points throughout the network to provide the required level of
control.
• Techniques and technologies selected for network segregation must be based on the findings of a Threat and
Risk Assessment, with the following considerations:
o The sensitivity of the information and system
o The trustworthiness of the network, as revealed by the amount of uncontrolled malicious traffic, the level
of device identification and authentication, and the sensitivity to eavesdropping.
o Transparency, usability, and management costs of network segregation technologies
o Privileged networks (networks with unrestricted or a higher level of access to other networks) must be
on a separate network segment separated by a firewall.
o The availability of compensating controls for detection, prevention and correction of malicious network
traffic and unauthorized access attempts.
Information Transfer:
• Users of electronic communication services must comply with the following policies and standards:
o Asset Management
o Communications & Network Security
o Security Compliance
• Appropriate policies, procedures, and controls must be established around the protection of information being
transferred through various types of facilities.
• External parties must agree to the secure transfer of business data with The Government of Saskatchewan.
• All information transferred in electronic messaging must be properly protected.
• Any confidentiality or non-disclosure agreements of the organization must be acknowledged, reviewed often,
and documented.
• Information Owners and Service Owners must implement the following controls to further safeguard electronic
communications:
o Protect information from interception, copying, modification, misrouting and destruction.
o Apply protection against malware that may be transmitted using electronic communication services.
o Protect sensitive information that is in the form of an attachment.
o Encrypt information to protect confidentiality and integrity.
Electronic Messaging:
• Service Owners must approve implementation and/or modification to electronic messaging systems. To
safeguard the integrity of the government messages, the electronic messaging services must:
o Protect messages from unauthorized access, modification, or denial of service.

o Ensure correct addressing and transportation of messages.
o Provide a reliable and available messaging infrastructure.
o Conform with legislative and regulatory requirements.
• Users must:
o Use only government-approved electronic messaging services.
o Use authorized systems for remote access to government messaging systems.
o Use only authorized encryption for email or attachments when required.
o Safeguard sensitive information transmitted via electronic messages.
• Email and other electronic messages may qualify as government records and are thus subject to the Archives
and Public Records Management Act, and other legislation, standards, and policies. Refer to the Provincial
Archives of Saskatchewan.
Confidentiality or Non-Disclosure Agreements:
• All employees of the executive government must sign the Oath or Declaration of Office. The oath includes a
statement that employees will not disclose sensitive information.
• Individuals other than employees must accept and sign an agreement to not disclose sensitive government
information. These agreements must contain the following provisions:
o A description of the information to be protected.
o The expected duration of the agreement
o The required actions when the agreement is terminated.
o Responsibilities and actions of signatories to avoid unauthorized disclosure of sensitive information.
o The permitted use of sensitive information and the rights of the signatory to use it.
o The right of the Government to audit and monitor activities.
o The terms for information to be returned or destroyed when the agreement is terminated.
o The expected actions to be taken in case of a breach of the agreement.

Relevant Procedures
This section intentionally left blank.

Non-Compliance
In cases where it is determined that a breach or violation of Government of Saskatchewan policies has occurred, the
Information Security Branch, under the direction of the Chief Information Officer and the respective Ministry, will
initiate corrective measures including restricting access to services or initiating disciplinary action up to and including
dismissal, or in the case of contractors, vendors, or agents, the termination of a contract or agreement with the
contractor, vendor, or agent.

Exceptions
In certain circumstances, exceptions to this policy may be allowed based on a review and acceptance of risk by the Security
Governance Committee. Exceptions to this policy must be formally documented and approved by the Chief Information
Officer, under the guidance of the Information Security Branch. Policy exceptions will be reviewed periodically for
appropriateness.

Revision History
Version ID Date of Change Author Rationale
