Audit of Information Technology Security

July 2008

Report Clearance Steps

Planning phase completed: October 2007
Report sent for management response: March 2008
Management response received: April 2008
Report completed: April 2008
Report presented to the External Audit Advisory Committee (EAAC): April 2008
Report approved by the Deputy Minister: July 2008

Prepared by Audit and Evaluation

Acknowledgments

The Audit and Evaluation Branch project team, including Larry Rubenstein and Mel Bower and led by Dennis Malchuk under the direction of Jean Leclerc, would like to thank those individuals who contributed to this project, and particularly all departmental interviewees who provided insights and comments crucial to this review.

Original signed by:


Stephen McClellan
Chief Audit Executive

Table of Contents

1.0 INTRODUCTION
2.0 AUDIT BACKGROUND
3.0 AUDIT OBJECTIVES
4.0 AUDIT SCOPE
5.0 KEY AUDIT FINDINGS / RISKS
6.0 AUDIT RECOMMENDATIONS
7.0 MANAGEMENT RESPONSE

1.0 INTRODUCTION

Section 12.11.1 of the Treasury Board Secretariat's new Management of Information Technology Security (MITS) standard specifies that planning for information technology (IT) security audits is a requirement for all internal audit departments and must be incorporated into the departmental internal audit planning process. The Environment Canada Audit of Information Technology Security was undertaken as a result of the risk-based IT audit-planning process that took place in 2006-2007. This audit was identified as a high-risk audit to be completed as part of the risk-based 2007-2008 Audit and Evaluation Plan. This plan was approved by the Departmental Audit and Evaluation Committee at its meeting of April 18, 2007.

One of the benefits of the new MITS standard is the establishment of an ongoing IT security program to fulfil Treasury Board Secretariat-mandated requirements beyond 2006 and to support Environment Canada's risk posture under conditions of change (e.g. emerging information and communication technologies). To achieve this, the MITS implementation should assist managers in addressing an explicit shift in emphasis toward continuous security risk management in the federal Government Security Policy.


2.0 AUDIT BACKGROUND

The Government Security Policy sets out the baseline requirements for safeguarding employees and assets and assuring the continued delivery of services. In 2005, the Treasury Board Secretariat requested that all departments implement, by December 2006, the Management of Information Technology Security (MITS) operational standards as the baseline requirements for their departmental IT security program.

As of December 2006, the Department had still not met all the new MITS requirements; according to a self-assessment done by the Chief Information Officer Branch, it had achieved a 70% compliance rate.


3.0 AUDIT OBJECTIVES

The audit objectives were

  1. to assess the level of compliance of the departmental IT security program with the Treasury Board's policy on the Management of Information Technology Security (MITS) operational security standard; and
  2. to assess, using a risk management approach, the level of risk or exposure to the Department for any areas of non-compliance.

4.0 AUDIT SCOPE

In January 2007, the Treasury Board changed the format of MITS-status reporting from 144 elements to approximately 50. The audit was largely based upon this new requirement. However, other unreported MITS elements were also included, based upon a risk assessment process. The January 2007 status report submitted by the Department to TBS was used as the benchmark for this audit.

The audit took place in the National Capital Region, plus five regional offices (Toronto, Montréal, Edmonton, Dartmouth and Vancouver). It included visits to Dartmouth, Montréal, Downsview, Burlington, Edmonton and Vancouver. Labs, research centres and storm centres located in these cities were included in the field visits.


5.0 KEY AUDIT FINDINGS / RISKS

  1. The draft IT security policy had not been approved.
  2. Certification and accreditation of mission-critical systems had not been completed.
  3. IT security requirements and funding needed to be reviewed.
  4. The Department's Business Continuity Planning (BCP) had not been completed and there were inconsistencies within the Department. Meteorological Services of Canada and the Canadian Meteorological Centre were the only sections that had completed their BCP.
  5. Time constraints for restoring services had not been documented and there were inconsistencies in the backup software and the use of off-site storage.
  6. Anomalies related to security screening of regional coordinators (as of January 2008) were observed.

The audit team concluded that the Department is not yet compliant with MITS standards. The audit team further concluded that the Department has completed 30 of the status items reported instead of the 51 items mentioned in their status update from January 2007 (self-assessment). A plausible explanation for this variance is that the self-assessment process has limited rigour when compared to a formal audit, although this was not validated during the audit.


6.0 AUDIT RECOMMENDATIONS

Based upon the audit findings, it is recommended that the Chief Information Officer Branch should

  1. present the draft IT security policy to Departmental Management Services for approval, distribute it to all appropriate staff and post it on the Department's intranet;
  2. strengthen the certification and accreditation (C&A) process by providing additional resources; present the C&A process to senior management for approval; incorporate the C&A process into the Department's systems development life cycle; receive a formal plan from the Security Director, IT, for approval; and prepare a plan to implement the ECONET remedial actions;
  3. review, using a risk-based approach, the adequacy and effectiveness of the current level of IT security funding and present the results of the review to the Departmental Management Services Board, as required;
  4. ensure that backup/restore software and procedures for each platform are consistent throughout the Department; and
  5. ensure that all IT security coordinators are screened to the same security level, as dictated by the roles and responsibilities of the position.
Furthermore, it is recommended that the BCP coordinator should

  6. develop a project governance structure including the Chief Information Officer Branch and IT security, document a project plan, establish a completion date and report on the progress of the BCP implementation plan.

7.0 MANAGEMENT RESPONSE

The Chief Information Officer Branch finds the report to be a fair description of the status of IT security at Environment Canada. The Branch agrees with all the recommendations and will implement an action plan inasmuch as its resources allow. In addition, the BCP office has provided a management response to Recommendation 6 and an update on the departmental BCP program.