G-1.03, r. 1 - Regulation respecting the terms and conditions of application of sections 12.2 to 12.4 of the Act respecting the governance and management of the information resources of public bodies and government enterprises
Updated to 29 June 2022
This document has official status.
not in force
chapter G-1.03, r. 1
Regulation respecting the terms and conditions of application of sections 12.2 to 12.4 of the Act respecting the governance and management of the information resources of public bodies and government enterprises
GOVERNANCE AND MANAGEMENT — SECTIONS 12.2 TO 12.4
Act respecting the governance and management of the information resources of public bodies and government enterprises (chapter G-1.03, s. 22.1.1).
DIVISION I
INTRODUCTORY
O.C. 1296-2022, Div. I.
1. In this Regulation,
(1) “security event” means any form of breach, present or apprehended, such as a cyber attack or a threat to the confidentiality, integrity or availability of information or an information resource under the responsibility of a public body;
(2) “cybersecurity practitioner” means the government chief information security officer, the deputy chief information security officer or a public body’s personnel member assigned to functions in the field of cybersecurity;
(3) “Act” means the Act respecting the governance and management of the information resources of public bodies and government enterprises (chapter G-1.03);
(4) “Minister” means the Minister of Cybersecurity and Digital Technology;
(5) “administrative unit specialized in information security” means the Centre gouvernemental de cyberdéfense referred to in section 12.5 of the Act or a cyber defence operations center referred to in section 9 of the Directive gouvernementale sur la sécurité de l’information (D. 1514-2021, 2021-12-08).
O.C. 1296-2022, s. 1.
2. This Regulation applies to the public bodies listed in section 2 of the Act.
O.C. 1296-2022, s. 2.
DIVISION II
INFORMATION SECURITY OBLIGATIONS
O.C. 1296-2022, Div. II.
3. A public body must manage effectively the security of information resources and information it holds, in particular by putting in place cybersecurity measures, including cyber defence mechanisms, to ensure the diligent taking charge of security events.
A public body must also follow good practices in information security in order to reduce risks of a breach to an acceptable level.
O.C. 1296-2022, s. 3.
4. A proactive cyber defence team must be established and maintained within an administrative unit specialized in information security. Such a team is charged with testing applicable cybersecurity measures, including cyber defence mechanisms, and seeing to the handling of security events related to cybersecurity.
O.C. 1296-2022, s. 4.
5. The Centre gouvernemental de cyberdéfense referred to in section 12.5 of the Act may provide its services to another administrative unit specialized in information security or a public body to carry out cybersecurity activities, such as penetration tests.
O.C. 1296-2022, s. 5.
6. A public body must, during each security event, assess the risk of such an event by taking into consideration the sensitivity of the information resource or information concerned, the apprehended consequences of its use and the probability that it be used in particular for harmful purposes.
O.C. 1296-2022, s. 6.
DIVISION III
COMMUNICATIONS BETWEEN CYBERSECURITY PRACTITIONERS
O.C. 1296-2022, Div. III.
7. The communications provided for in the third paragraph of section 12.2 and section 12.3 of the Act must be made by any means that provides proper protection. They may be made using automated systems in the form, for example, of bulletins or warnings.
Where a security event is related to cybersecurity, the activities allowing the communications referred to in the first paragraph are carried out by cybersecurity practitioners as part of their respective responsibilities.
For such an event, the communications referred to in the first paragraph must be based on the obligation to take cybersecurity measures to follow good practices generally recognized by international benchmarks, such as ISO standards or the National Institute of Standards and Technology (NIST) benchmark.
O.C. 1296-2022, s. 7.
8. The information that is the subject of the communications referred to in section 7 may include personal information.
Where personal information may be communicated in a form that does not allow the direct identification of the person concerned, it must be communicated in that form.
The second paragraph does not apply where there are grounds to believe that there is urgency to act in a matter of cybersecurity or that there is a risk that irreparable harm may be caused to an information resource or information under the responsibility of a public body. In that case, public bodies share the personal information concerned through their cybersecurity practitioners, by applying measures that ensure the confidentiality of such information.
There is urgency where the impact of a security event must be corrected or risks due in particular to the severity of the apprehended consequences must be reduced. A malicious software, phishing or an information leak may be a cause of the urgency.
O.C. 1296-2022, s. 8.
9. The communications referred to in this Division are for the benefit of the public body responsible for ensuring the security of its information resources and information it holds or for the benefit of the person concerned by the personal information that is the subject of a breach or a risk of a breach.
O.C. 1296-2022, s. 9.
DIVISION IV
COMMUNICATIONS OUTSIDE QUÉBEC
O.C. 1296-2022, Div. IV.
10. An agreement referred to in section 12.4 of the Act, concerning the communication of information outside Québec, must
(1) identify the representatives authorized to make the communications between the parties;
(2) limit access to the information only to authorized representatives, where the information is necessary in the performance of their duties;
(3) include protection and security measures to ensure the protection of the information to be communicated;
(4) provide for obligations related to the preservation and destruction of the information;
(5) provide that the Minister is to be immediately notified of any violation of or attempt to violate any of the obligations set out in the agreement by any person and of any event likely to affect the confidentiality of the information.
O.C. 1296-2022, s. 10.
DIVISION V
MISCELLANEOUS AND FINAL
O.C. 1296-2022, Div. V.
11. Any agreement referred to in section 12.4 of the Act, entered into with any person or body in Canada or abroad before 28 July 2022 and approved by an order in council made under the first paragraph of section 3.8 of the Act respecting the Ministère du Conseil exécutif (chapter M-30), is deemed to fulfil the conditions set out in section 10.
O.C. 1296-2022, s. 11.
12. (Omitted).
O.C. 1296-2022, s. 12.
REFERENCES
O.C. 1296-2022, 2022 G.O. 2, 2529