Information Technology


1. Background

Information technology (IT) is a strategic asset and an essential tool enabling the Government of Canada to deliver on its commitment to provide seamless and easily accessible services to Canadians while ensuring that internal administrative operations are managed effectively and efficiently. The Treasury Board (TB) Policy on Government Security defines information technology (IT) security as “the safeguards designed to preserve the confidentiality, integrity, availability, intended use and value of information stored, processed or transmitted electronically”.

In 2005, the Treasury Board Secretariat (TBS) directed all departments to implement the Management of Information Technology Security Standard (NGSTI) by December 2006. This standard is the benchmark for IT security that all Government of Canada departments must follow.

In 2011-2012, the IT environment across the federal government underwent significant changes in the delivery of IT services. Shared Services Canada (SSC) was created to be the vehicle for network, server infrastructure, telecommunications, teleconferencing and videoconferencing services for the forty-three departments and agencies with the highest level of IT within the Government of Canada. Formal operational agreements have been put in place with each department; they underscore the fact that departmental service levels will continue to be met.

2. Roles and responsibilities

In accordance with the TB Policy on Government Security, issued under Section 7 of the Financial Administration Act (FAA), Deputy Heads are responsible for the implementation and effective administration of security and identity management within their department, and they share responsibility for ensuring the security of the government as a whole.

The NGSTI outlines the roles and responsibilities of key positions, including the position of Chief Information Officer (CIO), who is responsible for ensuring the effective management of departmental information and IT assets.

Currently, IT security roles and responsibilities are delineated between SSC, CIOB and the Departmental Security Officer (DSO). The latter two are part of the Corporate Management Sector (CMS).

3. Significance

During the audit planning cycle, the Department identified the risk of non-compliance with certain aspects of IT security as well as certain requirements of the Policy on Management of Information Technology and the Policy on Government Security, both of which are TB policies. Furthermore, given that no similar audit had been performed in the past at Public Safety Canada (PS), it was necessary to ensure that the internal controls relating to the management of IT security at PS were adequate and efficient.

We also note that 2012-2013 is the first fiscal year in which SSC was responsible for IT security services, while CIOB retained responsibility for the stewardship of all IT security resources and the delivery of effective and efficient IT security services. Although a formal operational agreement has been reached between PS and SSC, which outlines that departmental service levels will continue to be met, PS’s original service levels have not been clearly established.

4. Objective and scope of the audit

The objective of the audit was to assess the Department’s compliance with the Policy on the Management of Information Technology and the Policy on Government Security with a focus on requirements and security aspects of IT. In particular, the audit consisted of ensuring that the internal controls relating to the management of IT security were adequate and effective.

The audit covered the period from January 1 to June 30, 2012.

The scope of the audit encompassed the following key areas:

Problem and incident management

1.4 Opinion of the audit team

According to the audit team, adequate and effective mechanisms to ensure proper management of IT security are in place, although management needs to review some important areas to manage exposure to some residual risks.

5. Statement of Assurance

In the professional judgment of the Chief Audit Executive (CAE), sufficient and appropriate audit procedures have been performed and audit evidence has been gathered, which supports the opinion expressed in this report, to provide reasonable assurance to senior executives. The opinion applies only to the audited entity.

6. Summary of Audit Findings

During its work, the audit team noted numerous examples demonstrating the sound design of controls and the effectiveness of their implementation. This audit allowed us to observe several strengths among the audit areas.

The auditors found that a set of IT security policies, guidelines and standards were in place and aligned with government and industry frameworks, policies and best practices. What’s more, there are various documents outlining IT security priorities and projects. The Departmental Security Plan establishes a formal governance structure that is integrated into the departmental governance structure.
