ARCHIVED - Management Response and Action Plan (MRAP) - Audit of Information Technology (IT) Security

Audit of Information Technology (IT) Security
March 2011

Recommendation 1
It is recommended that the Assistant Deputy Minister (ADM), Corporate Services Branch (CSB), as the functional authority for IT Security, work with the Branches to [Exempted pursuant to sections 16(2)(c), 21(1)(a), 21(1)(b)] meets Health Canada’s security requirements.
Management Response: Management agrees with the recommendation. [Exempted pursuant to sections 16(2)(c), 21(1)(a), 21(1)(b)].
Planned Management Actions: [Exempted pursuant to sections 16(2)(c), 21(1)(a), 21(1)(b)].
Deliverables and Expected Completion Dates:
[Exempted pursuant to sections 16(2)(c), 21(1)(a), 21(1)(b)]. June 2011
[Exempted pursuant to sections 16(2)(c), 21(1)(a), 21(1)(b)]. July 2011
[Exempted pursuant to sections 16(2)(c), 21(1)(a), 21(1)(b)]. July 2011
[Exempted pursuant to sections 16(2)(c), 21(1)(a), 21(1)(b)]. December 2011
Responsibility: ADM, CSB; ADM, Regions; Departmental Information Technology Security Coordinator (DITSC)

Recommendation 2
It is recommended that the Assistant Deputy Minister, Corporate Services Branch develop and document an IT security program in line with the Health Canada IT Security Policy.
Management Response: Management agrees with the recommendation. [Exempted pursuant to sections 16(2)(c), 21(1)(a), 21(1)(b)].
Planned Management Actions: [Exempted pursuant to sections 16(2)(c), 21(1)(a), 21(1)(b)].
Deliverables and Expected Completion Dates:
[Exempted pursuant to sections 16(2)(c), 21(1)(a), 21(1)(b)]. September 2011
[Exempted pursuant to sections 16(2)(c), 21(1)(a), 21(1)(b)]. August 2011
Responsibility: ADM, CSB; DITSC

Recommendation 3
It is recommended that the Assistant Deputy Minister, Corporate Services Branch work with all other Assistant Deputy Ministers to comply with system development lifecycle controls designed to remove and/or mitigate IT security risk exposure.
Management Response: Management agrees with the recommendation. [Exempted pursuant to sections 16(2)(c), 21(1)(a), 21(1)(b)].
Planned Management Actions: [Exempted pursuant to sections 16(2)(c), 21(1)(a), 21(1)(b)].
Deliverables and Expected Completion Dates:
[Exempted pursuant to sections 16(2)(c), 21(1)(a), 21(1)(b)]. July 2011
Responsibility: ADM, CSB; DITSC

Recommendation 4
It is recommended that the Assistant Deputy Minister, Corporate Services Branch work with all other Assistant Deputy Ministers to develop compensating controls aimed at enforcing the conditional nature and acceptance of IT security recommendations granted by an interim authority to operate for new or enhanced application development.
Management Response: Management agrees with the recommendation. [Exempted pursuant to sections 16(2)(c), 21(1)(a), 21(1)(b)].
Planned Management Actions: [Exempted pursuant to sections 16(2)(c), 21(1)(a), 21(1)(b)].
Deliverables and Expected Completion Dates:
[Exempted pursuant to sections 16(2)(c), 21(1)(a), 21(1)(b)]. July 2011; November 2011
Responsibility: ADM, CSB; DITSC

Recommendation 5
It is recommended that the Assistant Deputy Minister, Corporate Services Branch review and revise the IT critical asset identification and categorization to meet security standards.
Management Response: Management agrees with the recommendation. Health Canada has made a significant effort to identify the Department’s 12 Priority Critical Assets based on Treasury Board of Canada Secretariat and Public Safety Canada criteria. This was necessary to meet its MITS compliance requirements in 2008. Due to new mandates (e.g. H1N1), changes to existing applications and technologies, and the changing departmental IT infrastructure, it is necessary to review existing and potential new Critical IT Assets, identify common components, and ensure these assets can meet their Confidentiality, Integrity and Availability requirements. To better ensure departmental consistency and inclusion, the creation of this list will require the participation of all. The new list, presently in draft form, will also require the approval of all Health Canada Assistant Deputy Ministers.
Planned Management Actions:
Redevelop and enforce a governance structure to identify, verify, and approve Critical IT Assets for the Department.
Conduct / update security assessments on all Critical IT Assets.
Audit a random selection of Critical IT Assets to ensure they meet security standards.
Deliverables and Expected Completion Dates:
IM/IT Critical IT Asset Approval Governance. March 2011
TRAs / Security Assessments on Critical IT Assets. January 2012
Summary of audit findings. March 2012
Responsibility: ADM, CSB; DITSC

Recommendation 6
It is recommended that the Assistant Deputy Minister, Corporate Services Branch complete risk assessments [Exempted pursuant to sections 16(2)(c), 21(1)(a), 21(1)(b)].
Management Response: Management agrees with this recommendation. [Exempted pursuant to sections 16(2)(c), 21(1)(a), 21(1)(b)].
Planned Management Actions: [Exempted pursuant to sections 16(2)(c), 21(1)(a), 21(1)(b)].
Deliverables and Expected Completion Dates:
[Exempted pursuant to sections 16(2)(c), 21(1)(a), 21(1)(b)]. December 2012
[Exempted pursuant to sections 16(2)(c), 21(1)(a), 21(1)(b)]. February 2012
Responsibility: ADM, CSB; DITSC

Recommendation 7
It is recommended that the Assistant Deputy Minister, Corporate Services Branch strengthen the operational and technical safeguards around workstation intrusion detection, account management, remote access, and change management requests.
Management Response: Management accepts this recommendation. [Exempted pursuant to sections 16(2)(c), 21(1)(a), 21(1)(b)].
Planned Management Actions: [Exempted pursuant to sections 16(2)(c), 21(1)(a), 21(1)(b)].
Deliverables and Expected Completion Dates:
[Exempted pursuant to sections 16(2)(c), 21(1)(a), 21(1)(b)]. January 2012; February 2012
Responsibility: ADM, CSB; DITSC
