Government of Canada

Foreign Affairs, Trade and Development Canada

www.international.gc.ca

ARCHIVED - IM/IT Security and Related Processes, Practices and Controls


Summary Report

Background
Audit Objective
Observations
Audit Conclusion
Statement of Assurance
Appendix 1 Audit Criteria
Appendix 2 Management Action Plan


Background


In 2007, the Chief Information Officer (CIO) requested an audit of the Information Management/Information Technology (IM/IT) Strategy, and an assessment of the maturity of Information Management and Technology Branch (IMTB) capability, based on the IT Governance Institute's Control Objectives for Information and related Technology (COBIT®). As COBIT provides a framework for assessing IM/IT security, this subject was examined also as part of the work.

The IM/IT security governance in the Agency is based on the roles and responsibilities of the Agency Security Officer (ASO), the Chief Information Officer (CIO), and the Access to Information and Privacy (ATIP) Coordinator as follows:
  • The ASO has delegated responsibility from the President for IM/IT security policy, awareness and guidance as required by the Treasury Board Policy on Information Management and the Policy on Government Security (the ASO function is performed by CIDA's CFO);

  • The CIO has the responsibility to operationalize IM/IT security policies, provide guidance, and manage security risks related to IM/IT services, as well as to support IM/IT operations on a day-to-day basis; and

  • The ATIP Coordinator (reporting to the Corporate Secretary) has delegated responsibility from the President for compliance with the Access to Information and Privacy Acts.


Audit Objective


The objective of this audit is to provide reasonable assurance that IM/IT Security, and related IM/IT processes, practices, and controls, comply with the Control Objectives for Information and related Technology (COBIT 4.1) framework, the Treasury Board Operational Security Standard: Management of Information Technology Security (MITS), the Policy on Government Security, and the Treasury Board Policy on Information Management.



Observations


Since 2006, demonstrable progress has been made in a number of areas, including:
  • The ASO has employed an IT Security Coordinator to develop policy and guidance. Draft policies and guidance have been produced. A high-level CIDA Organizational Information Statement of Sensitivity and an Enterprise Asset Analysis were completed.

  • The CIO has employed an IT Security Manager and provided two trained staff analysts. Recently the CIO has authorized an increase to four IT security analysts.

  • A number of security measures have been implemented to protect the network and servers from internal and external threats, including viruses and malicious software, and equipment has been acquired and installed to prevent and detect intrusions from the Internet.

  • A Certification and Accreditation program (CAP) has been implemented for new applications and a program to address legacy applications based on priority is underway.

  • Business process and application owners are now completing Statements of Sensitivity (SoSs), Privacy Impact Assessments (PIAs) and Threat and Risk Assessments (TRAs) for new projects, demonstrating the beginning of a culture shift toward recognition of security requirements.

  • Up-to-date equipment and software are used to scan all email and files for viruses and other malicious software.

  • The architecture of the network has been modified to place key servers behind firewalls to better protect CIDA information from outside attack and workstations are protected from direct access to the Internet.

  • Internet websites are filtered so as to block access by CIDA personnel to inappropriate and malicious websites.

  • Self-assessments have been carried out using the Management of IT Security (MITS) standard to ascertain levels of compliance.

  • IMTB has implemented and refined the End-to-End process including release and change management, architecture reviews, pre-production environments and Quality Assurance. Linkages are made to IT Security processes as appropriate.

The ASO and CIO are pursuing projects such as the Secure Architecture (SA) project and initiatives such as the Certification and Accreditation program (CAP) that recognize that improvements are still required in the following areas:
  • Creating, approving and implementing an IM/IT Security Framework and Policy Suite

  • Establishing effective governance for IM/IT security, including an IM/IT security strategy that ensures a systematic approach to IM/IT security governance, and that is integrated with general IM/IT and Agency governance and strategies

  • Defining IM/IT security roles and responsibilities clearly, communicating them throughout the Agency, and ensuring the performance of each role on an ongoing basis

  • Identifying, defining, standardizing and classifying information according to its value, sensitivity and criticality

  • Mitigating IM/IT security risks cost-effectively, and formally accepting residual risks after IM/IT security measures have been certified

  • Implementing network security based on the action items identified in Threat and Risk Assessments

  • Implementing and maintaining appropriate physical security measures and controls for servers, computers, peripherals and mobile devices

  • Maintaining business continuity, resumption and disaster planning

  • Delivering general awareness programs regarding IM/IT security policies and guidance

Management has prepared a detailed action plan (Appendix 2) that addresses the recommendations made as a result of the audit.



Audit Conclusion


Progress has been made to introduce and operate IM/IT security processes, practices and controls that meet government standards, but an effective IM/IT security framework and governance structure must still be developed, including measures to identify, manage and protect information, and to promote a culture of security awareness and compliance throughout the Agency.



Statement of Assurance


In my professional judgment as Chief Audit Executive, the audit procedures followed and the evidence collected are sufficient and appropriate to support the opinion stated in this report. This opinion is based on a comparison of the circumstances, as they existed at the time, with pre-established audit criteria approved by management. This opinion is only applicable to the subject examined. The evidence was gathered in compliance with the Treasury Board's internal audit policy, instructions and procedures, and is sufficient to corroborate the findings and conclusions of this internal audit report.

Chief Audit Executive


Appendix 1 - Audit Criteria



COBIT Domains and Related Criteria (each criterion was rated Substantially Met, Partially Met or Not Met)

1. Plan and Organize
  • Information Architecture Defined
  • Quality Managed
  • IT Risks Assessed and Managed

2. Acquire and Implement
  • Application Software Acquired and Maintained

3. Deliver and Support
  • Continuous Service Ensured
  • System Security Ensured

4. Monitor and Evaluate
  • Internal Control Monitored and Evaluated
  • Compliance With External Requirements Ensured
  • IT Governance Provided





Appendix 2 - Recommendations and Management Action Plan


Each numbered entry gives the recommendation, the responsible official, the proposed action plan(s) and the target date for each action.

1. Recommendation: The Agency Security Officer (ASO) should establish an IM/IT security framework, and a complete suite of policies, directives and guidance that would define and assign IM/IT security roles, responsibilities, accountabilities and compliance measures that meet the MITS standard fully.
Responsibility: Agency Security Officer
Proposed action plans:
  • The ASO will undertake to establish an IT security framework that will guide further development and maintenance of a comprehensive security program. The ASO will continue to finalize the policies that have already been developed and are identified as critical to the Agency. This includes an Agency IT Security Policy, Acceptable Use Policy, and other standards and guidelines, such as a Password Standard. Other policies, directives and guidelines will be developed as the framework is implemented so as to address remaining issues, for example Classification and Protection of Information. Target date: December 31, 2009
  • Other policies, directives and guidelines will be developed during fiscal year 2010-11. Target date: March 31, 2011

2. Recommendation: The ASO, with the support of senior Agency management, should provide, for Management Board review and approval, a suggested governance framework for IM/IT security to ensure:
  • Compliance with government legal, policy, and procedural requirements
  • Appropriate priority for IM/IT security action plans, respecting the critical nature of Agency information to the mandate and strategic objectives
  • Clarity of roles and responsibilities regarding IM/IT security
  • Monitoring of IM/IT security performance and results
  • Accurate and timely reporting
  • Preparation and maintenance of IM/IT security instruments such as Statements of Sensitivity, Business Impact Assessments, TRAs and PIAs as required, by business process owners
  • Accepting residual risk after risk mitigation action plans have been completed, and
  • Updated and ongoing IM/IT security training and awareness for all managers and staff
Responsibility: Agency Security Officer
Proposed action plan:
  • The ASO will work in collaboration with IM/IT to propose a governance framework for IM/IT security. The governance will clearly define roles and responsibilities, accountabilities, and provide a reporting framework for the security program. The proposed governance will be presented to Management Board for formal approval. Target date: January 31, 2010

3. Recommendation: IMTB should implement a division of roles and responsibilities that reduces the possibility for a single individual or their backup to compromise the security of a critical process or information asset, or to change data without appropriate monitoring and supervision.
Responsibility: Chief Information Officer
Proposed action plans:
  • Current processes for Change Management ensure that all changes to IT applications and infrastructure are authorized and approved. Target date: Completed
  • Tripwire Configuration Management System (currently being implemented) will further assist with tracking changes made to systems. Target date: October 31, 2009
  • Processes to review/revoke access when there are role changes within IMTB will be reviewed and assured. Target date: December 31, 2009
  • A centralized logging system where all logs will be copied and stored (currently being implemented) will provide auditability of system logs. Target date: November 30, 2009
  • The use of generic administrator accounts will be reviewed with processes put in place to prevent generic account use where possible. Target date: March 31, 2010
  • Privileged account access and use will be assigned and monitored using a Password Vaulting Appliance (currently being implemented). Target date: November 30, 2009

4. Recommendation: IMTB should maintain and promote awareness of, and ensure compliance with, an enterprise data dictionary that incorporates the Agency's data syntax rules and that enables the sharing of data elements amongst applications and systems and supports the consistency and security of data used for analysis, decision-making and reporting.
Responsibility: Chief Information Officer
Proposed action plan:
  • IT data architecture exists. As part of the Business Modernization project over the next several years, the application of this architecture and associated governance within Agency processes and systems will be established. Target date: March 31, 2011

5. Recommendation: The ASO should collaborate with Agency business managers to implement and actively enforce an information security classification scheme based on the Policy on Government Security requirements throughout the Agency, according to the criticality and sensitivity of the data.
Responsibility: Agency Security Officer
Proposed action plan:
  • The ASO will work in collaboration with the IM group to develop a security classification scheme for use by the Agency. Target date: June 30, 2010

6. Recommendation: IMTB should develop and implement a formal IM/IT Risk Management Framework that aligns with the Agency's overall risk management framework, including identification of potential consequences, mitigation strategies, and residual risks.
Responsibility: Chief Information Officer
Proposed action plans:
  • The Certification and Accreditation Program that has been implemented includes Threat Risk Assessments, Interim Authority to Operate and Privacy assessments. Plans that respond to risks identified through this program are developed and implemented with Business Process Owners (BPOs). BPOs must accept residual risk, as required. Target date: Completed
  • IMTB will establish a Risk Management Registry which it will use to inform the Agency Risk Management Framework. Target date: March 31, 2010

7. Recommendation: IMTB should develop, resource and execute a Quality Assurance plan, including:
  • Appropriate development and test environments to verify the quality requirements specified for new and changed applications and infrastructure components,
  • Testing procedures for internal control, security, compatibility and auditability measures,
  • Procedures verifying that actions identified in SoSs, TRAs, PPIAs and PIAs to protect resources and ensure availability and integrity have been completed,
  • Assuring reliability and security of programming by including code review for all in-house development.
Responsibility: Chief Information Officer
Proposed action plans:
  • Preproduction and QA environments exist within the Agency. Refinement of processes and procedures to fully mature the environment is ongoing. Target date: Completed
  • Test processes and procedures exist. Improvements and refinements are continually completed within the process. Target date: Completed
  • The Certification and Accreditation Program (CAP) is in place to track completion and occurrence of SoS, TRA, etc. for all applications/business solutions. Target date: Completed
  • Base level security training is required for application developers. Automated code review of development will be investigated to determine operational and cost feasibility. Target date: March 31, 2010

8. Recommendation: IMTB should establish a physical inventory of portable devices and their owners, develop and implement security standards for portable devices (including personal portable devices such as cell phones and Personal Digital Assistants (PDAs), Universal Serial Bus (USB) flash memory devices or BlackBerries with camera and/or data storage functionality) and ensure that users have been trained and made aware of the safe and secure use of portable devices.
Responsibility: Chief Information Officer
Proposed action plans:
  • Establishment of a service to centrally control and administer laptops and other portable devices will be proposed to the Corporate Management Committee, and if approved, implemented. Target date: March 31, 2010
  • BlackBerry devices have security measures in place (password standard, Websense filtering, encryption, auto lock, etc.). Refinements are ongoing. Other PDA devices are not supported within the Agency. Target date: Completed
  • A secure USB device inventory is to be created and maintained by IMTB. A directive will be issued to the Agency to advise that secure USB devices be used. Target date: December 31, 2009

9. Recommendation: IMTB should periodically perform penetration tests of CIDA networks, applications and equipment, and test IM/IT backup and recovery procedures.
Responsibility: Chief Information Officer
Proposed action plans:
  • Regular scheduled scans of all server, desktop and infrastructure components are completed monthly. Scan results are analysed for actions needed and results are reported to IMTB Management. Target date: Completed
  • A request for penetration testing was made to CSE in 2007 (dependent on CSE priorities). IMTB is conducting vulnerability assessments on a regular basis. Target date: Completed
  • Testing of current infrastructure Backup/Recovery procedures will be completed after the Enterprise Business Impact Assessment is completed. Target date: September 30, 2010

10. Recommendation: The ASO should establish and maintain a plan for providing those IM/IT services that support critical business processes and functions identified in Agency business continuity planning, inclusive of equipment, services, applications, databases and personnel deemed necessary by business process owners within pre-agreed timeframes.
Responsibility: Agency Security Officer
Proposed action plan:
  • The ASO will work with IMTB to ensure that IM/IT services that support the day-to-day activities are included in the Business Continuity Plan that will be presented to Management Board for approval. The ASO also commits to reviewing with IMTB the results of the recent business impact analysis and to presenting business impacts/disaster recovery options to management for their approval. Target date: April 30, 2010

11. Recommendation: The ASO should implement an ongoing communication and training program including annual staff updates to articulate the IM/IT service policies, directives, practices and guidance with an appropriate emphasis on government security and privacy requirements.
Responsibility: Agency Security Officer
Proposed action plans:
  • Subject to budget constraints, the ASO will work with the Communications branch to determine communications activities that will generate awareness for IM/IT security matters. In parallel, the ASO will also work in consultation with the Continuous Learning Campus to propose a cost-effective security awareness/training program for CIDA employees to inform and regularly remind personnel of IT security responsibilities, concerns and issues. A training proposal will be developed by June 2010. Target date: June 30, 2010
  • Communications activities will be planned during fiscal year 2010-11. Target date: March 31, 2011

12. Recommendation: IMTB should implement processes to report and classify problems that have been identified as part of IM/IT security incident management and should implement audit trails that allow tracking, analyzing and determining the root cause of all reported problems considering:
  • All associated configuration items
  • Outstanding problems and security incidents
  • Known and suspected errors
  • Tracking of problem trends.
Responsibility: Chief Information Officer
Proposed action plan:
  • IT Security Operations currently uses Treasury Board guidelines and procedures for IT Security incident handling and investigations. In concert with the ASO, procedures and processes will be developed and documented for specialists involved in incident handling, forensic processes, governance and team engagements. Target date: March 31, 2010



Alternate Formats

IM/IT Security and Related Processes, Practices and Controls (PDF 181 KB, 14 pages)