Management Response and Action Plan: Audit of Information Technology Asset Management

Office of Audit and Evaluation – Health Canada and the Public Health Agency of Canada

January 2022

Recommendations Management Response and Planned Actions Deliverable Completion Date Accountability/ ResponsibilityFootnote *

Recommendation 1

The Assistant Deputy Minister, Digital Transformation Branch (DTB) and the Chief Financial Officer (CFO) should ensure that all Information Technology (IT) assets are appropriately tagged for inventory purposes, that a baseline inventory count of IT assets is conducted, and that the Systems Applications and Products (SAP) IT inventory data is updated accordingly, including the removal and transfer of the Indigenous Service Canada assets from HC inventory. These actions will ensure that HC and PHACs complete inventory of IT assets can be accurately accounted for and properly safeguarded.

Management agrees with the recommendation.

Since 2017, all IT assets that have financial (beyond a nominal low-dollar threshold) or business value (all procured assets that could contain data, including computing and storage devices) are being tagged and tracked.

A new enterprise asset management system is under development with the intent to be made operational in Q3 2022-23. This will put in place additional measures to track the operational use and safeguarding of assets. SAP will remain the authoritative information source for retaining and managing financial information associated with assets. 

While an enterprise asset management system is under development, additional measures will be put into place to track the operational use and safeguarding of assets. Coordination and liaison will include continued engagement with business owners, including those in laboratory environments, to ensure proper handling of all assets.

In addition, technologies are in place that mitigate the risk of information being mishandled. Such technologies include the continued use of Communications Security Establishment capabilities, including host and network-based sensors, as well as internal capabilities, including bitlocker and positive control of USBs.

1.1 Updated IT hardware asset tagging process for assets since 2017.

Completed

DTB-CIO
DGs responsible for lab operations

1.2 Implement an electronic IT Asset Management capability for hardware and software.

Q3 2022-23

DTB-CIO

1.3 Complete a baseline inventory of hardware and software using the ITAM capability and inventory data is updated accordingly.

Q4 2022-23

DTB-CIO
CFOB – DG FOD

1.4 ISC hardware assets transferred out of the SAP inventory.

Completed

DTB-DG FOD

Recommendation 2

The ADM-DTB and HC CFO should update Department and Agency Information Technology Asset Management (ITAM) policies, guidance and standard operating procedures, including a definition of IT assets and Lab equipment, to reflect current practices and systems, and to comply with Treasury Board policies for IT hardware, software and business applications. At a minimum, the objectives of ITAM, the authorities of stakeholders, and roles and responsibilities of key players, should be specified, to ensure sufficient engagement of stakeholders to effectively manage IT assets.

Management agrees with the recommendation.

The Health Canada Standard on Asset Management defines IT assets as: “Equipment that is supported by the Information Management and Services Directorate, including computers, monitors, laptops, printers, scanners, external hard drives, projectors, BlackBerry/PDA devices, servers, and server equipment.” It also states that specified labs are responsible for activities related to the acquisition, barcoding, and disposal of laboratory assets. Assets within labs that have digital components do not fit the definition of IT assets and would not be subject to IT asset management. DTB and CFOB will work with DGs responsible for laboratory operations to ensure all assets are accounted for and that the necessary safeguards for information are in place. 

2.1 Review and update definitions of IT and Lab assets and define accountabilities. Present and validate new definitions and processes through existing governance.

Q1 2022-23

CFOB – DG FOD
DTB-CIO
DGs responsible for lab operations

2.2 Revise HC and PHAC corporate level asset policies and standards to enhance clarity regarding associated roles, responsibilities, and accountabilities, including for all low dollar value IT equipment and the treatment of lab IT equipment.

Q1 2022-23

CFOB – DG FOD
DTB-CIO
DGs responsible for lab operations

 

 

2.3 Conduct a gap analysis of existing ITAM policies, guidance and SOPs against corporate policy and standards

Q3 2022-23

DTB-CIO

2.4 Implementation and communication of updated ITAM policies, guidance and SOPs on mySource and on relevant systems.

Q4 2022-23

DTB-CIO

Recommendation 3

The ADM-DTB should integrate ITAM governance and planning into HC and PHACs current governance framework and enterprise planning cycle and framework to ensure that IT assets get the attention, resources, and decisive action required to be managed effectively.

Management agrees with the recommendation.

There are a number of governance discussions that form part of the overall investment planning and IT planning cycle.  The enterprise architecture team presents Application Portfolio Management (APM) data to individual branches to inform branch operational planning in order to feed the departmental investment planning process.  This culminates in Executive Committee-level investment decisions for capital assets and projects.  The annual IT planning process complements the investment planning process and identifies risks and investment opportunities aligned to support the digital modernization framework.  These are both reviewed through departmental governance bodies and approved by the Deputy Head.

A key aspect of HC departmental IP governance is the role of the DG-level subject-matter expert leads for the four asset classes. One of the four asset classes is the area of IM/IT which oversees IT assets and is led by Health Canada’s CIO. Investments in IM/IT that are material in dollar value and/or higher in risk are brought to IP governance for approval and assigned appropriate capacity and resources.

Starting in July 2021, PHAC has created a VP level committee for Resources and Operations which is responsible for monitoring and oversight of investment planning. This includes Governance and oversight of financial resource allocations, investment decisions, and G&Cs, as well as provision of a challenge function for branch and Agency financial, operational, and resource planning (procurement, IT, accommodations, etc.), and monitoring of ongoing implementation of approved plans to ensure alignment between operations, spending, and results for the overall achievement of Agency priorities and results.

3.1 Continue to ensure IT assets are part of existing HC investment planning process and governance.

Complete

HC-CFO
DTB-ADM

3.2 Ensure IT assets are part of PHAC investment planning process and governance.

Q4 2021-22

PHAC-CFO
DTB-ADM

3.3 Ensure Annual IT plan includes IT asset management component which reports on hardware and software as well as business applications.

Complete

DTB-CIO

Recommendation 4

The ADM-DTB and the HC CFO should re-assess the current software asset tracking processes and systems and establish an integrated solution. The integrated solution should support effective management of software assets throughout their lifecycle,  eliminate the need for duplicate entry of software asset data into the various tracking systems, provide an automated discovery functionality, and enable linkages to other supporting information, such as purchasing documentation, software licenses, and maintenance costs.

Management agrees with the recommendation.

DTB provides software management for both Health Canada and PHAC with procurement currently managed in SAP with input derived directly from the Service Gateway: https://servicegateway-passerelledeservice.hc-sc.gc.ca/en/software.html.

SAP does not offer the same functionality as other software asset management tools, and management agrees that a new system is needed to more effectively manage software. It is reassuring, however, that a 2019 KPMG audit on behalf of IBM found compliance in 120 of 125 instances. This provides a reliable indicator that the governance, policies, and processes in place for software asset management for Health Canada and PHAC are in a relatively good state.

DTB will work with CFOB on improving software lifecycle management. A review of existing tools and processes as part of the gap analysis (see Deliverables 2.2 and 2.3) will be considered in the identification of requirements for an integrated SAM solution to digitize the business process to support data integrity in the support of asset management.

4.1 Development of a high-level business requirements document to support an integrated IT solution.

Q4 2021-22

DTB-CIO

4.2 Review policy and process for software assets and publish revised policies and processes on MySource.

Q3 2022-23

DTB-CIO

4.3 Implementation of Software Asset Management capability.

Q3 2022-23

DTB-CIO

Recommendation 5

The HC CFO and ADM-CSB should ensure that sufficient business process and application controls are implemented within the asset tracking and monitoring systems for IT hardware, software, and business applications in order to reduce data entry errors and ensure the completeness, reliability, and relevance of IT asset data. (EAM SAP, SAM, and APM)

Management agrees with the recommendation.

A distinction needs to be made between management of business applications, IT hardware and software. Hardware and software will be addressed through the adoption of a new ITAM system.

Enhanced ITAM (software and hardware) capabilities, processes, and data management and integration will be delivered under a new ITAM capability (1.2) where human errors will be minimised through the use of automation capabilities provided by the tool. Data quality will also be improved by the deployment of a Discovery capability which will find and identify IT hardware and software assets on the network, providing real-time asset identification and tracking.

In addition to DTB implementing an independent ITAM solution for tracking and monitoring hardware and software, CFOB will review current (SAP) system entry controls to determine if any further user typing entry errors can be flagged, and initiate a SAP system change request accordingly

As the audit notes, the process for managing and tracking the data for our business applications is good but not consistent, leading to some data quality issues. There is also room for greater engagement with stakeholders, including governance bodies, in the APM tracking and management of business applications. Since its introduction in 2017, however, the APM program has evolved in the management of business applications with HC and PHAC having received favourable MAF scores for our overall level of IT maturity which includes APM as an assessment factor.  

5.1 Updated SOPs and training materials for software and hardware tracking tools.

Q2 2022-23

DTB-CIO

5.2 Enhance system entry error flags.

Q1 2022-23

CFOB-FOD-DG

5.3 Review and refine the data set collected in the APM tool to ensure data collected is relevant and clarity of who is responsible for maintaining each data point across the business owners and functional areas within IM/IT.

Q2 2022-23

DTB-CIO

Recommendation 6

The HC CFO, PHAC CFO, and ADM-DTB should ensure that a funding formula for support and maintenance costs of existing business applications is established, that future ongoing maintenance costs are included in the full cost of new business applications, and that required funds are budgeted accordingly. These actions will support well-informed decision making for the ongoing health of the business application portfolio.

Management agrees with the recommendation.

Increasingly, measures are in place to ensure ongoing maintenance costs are factored into decisions about business applications.  Departmental governance ensures on-going costs as per agreed model in Transition Plans for new business applications. This is a prerequisite for Gate 4 sign off as per the Department Project Management Framework (DPMF). In response to the recommendation that future ongoing maintenance costs are included in the full cost of new business applications, in collaboration with IMSD, CFOB created a departmental IT Project costing tool in 2020 to determine the cost of new business applications, which was approved by departmental governance. This tool includes a component to calculate future ongoing maintenance costs. Once the ongoing maintenance costs are calculated, funding decisions are made. If the business application is part of a request for funding from the fiscal framework, the funding for ongoing maintenance costs is included in the Budget ask and related TB submission.

The IT Project costing tool can also be used to determine ongoing costs for existing business applications. For existing business applications, the source of funds for ongoing maintenance costs has been established. In the circumstance where the source of funds is insufficient, the IT Project costing tool can be used to determine the resource need, and funding requests can be brought to departmental governance to seek additional funding. The Department will continue to examine aging IT business applications as part of the annual reporting to TBS and assess risks associated with ongoing maintenance costs.

The IT Systems Development Management Framework applies to new and changed business applications and includes the completion of a Transition Plan (noted above). The Framework was accepted as a completed deliverable as part of Audit of IT Systems Development MRAP (1.1). The Quality Assurance process to enforce compliance is currently being finalized to close off that MRAP (3.4).

6.1  Review and update the standard costing model.

Complete

DTB-CIO
HC-CFOB-CRIPD
PHAC-OCFO-DG

6.2  Assess the level of risk associated with insufficient funding to address ongoing maintenance costs of existing business applications. Present plan to address funding gaps at the departmental and agency investment governance committees.

Complete

DTB-CIO
HC-CFOB-CRIPD
PHAC-OCFO-DG

Recommendation 7

The CFO, in collaboration with the ADM-DTB, should ensure that monitoring activities for low-dollar value IT assets follow the updated guidance in order to safeguard private and public information contained therein.

Management agrees with the recommendation.

The audit highlights a lack of control of assets and the subsequent risk of a possible loss of control of private and public information. It was noted by management, upon review, that the information residing on these low-dollar assets is secure based on the below evidence.

Information on USB keys is secure:

  • Loss of control of USB keys and information stored on USB keys was specified as a potential risk.  Since 2014 only secure USB keys have been able to connect to departmental devices.  Information on a secure USB key would not be accessible if the device were lost or stolen as it could not be accessed without the PKI credentials of the owner. It is also not possible to use a non-issued USB key on government computing devices.
  • All other USB mass storage devices are prohibited, unless approved for whitelisting by IT Security. A Broadcast News was sent on April 22, 2014 (see evidence record R7-1).

All Health Canada and PHAC devices are encrypted to protect information if a device is lost, stolen or other inappropriate access:

  • Bitlocker encryption was introduced to HC/PHAC computers as part of the Windows 7 upgrade in 2014-15 and continues to be in place. Bitlocker protects data on computing devices by preventing unauthorized access to the hard disk drive and the information therein (evidence record R1-1).

All Health Canada and PHAC computers have Communications Security Establishment (CSE) sensors installed to allow monitoring of devices against theft, unintentional or intentional access attempts:

  • CSE implemented Host Based Sensor (HBS) capabilities in Q1, 2015 (evidence record R1-2). These sensors exist on computing devices and detect any unintended / malicious / unapproved attempted accesses if connected to any network.  HBS capabilities were further enhanced with the implementation of Network and Cloud-based sensors in subsequent years to protect other back-end implements of HC/PHAC IT Infrastructure.

CFOB will review the current ITAM policy on attractive and trackable low-dollar assets. Accountabilities for ADMs and other stakeholders will be clearly articulated in any revised policies and directives.

7.1  Review and update the current ITAM policy for low dollar value IT assets to clarify the degree of risk-based monitoring required and include consideration of information security risks.

Q1 2022-23

CFOB-DG-FOD
DTB-CIO

7.2 Accountabilities for ADMs and other stakeholders will be clearly articulated in the revised asset management policies and directives.

Q2 2022-23

CFOB-DG-FOD
DTB-CIO

Recommendation 8

The ADM-DTB should ensure that the following steps are taken in order to meet TBS targets, and to address the 80% of business applications deemed to be aging, in an efficient and fully informed manner:

  • Ensure branch business application owners take immediate action on business applications deemed as ‘needing attention’ and or ‘critical’, and develop detailed maintenance plans for remaining business applications for integration into the IT plan, and into the enterprise planning and budgeting cycle;
  • Incorporate aging IT as a regular governance agenda item;
  • Clarify roles and responsibilities for aging IT systems;
  • Establish performance measures to oversee and report on progress; and
  • Establish a project with requirements and direction for modernizing the portfolio of business applications.

Management agrees with the recommendation.

Governance related to application management is more mature than represented. The audit report highlights the Application Portfolio Management (APM) of IMSD as having a lack of engagement with clients at governance bodies.  It must be noted that there are a number of discrete governance discussions that form part of the overall investment planning and IT planning cycle. 

  • The APM team presents APM data to individual branches to inform branch operational planning in order to feed the departmental investment planning process (see evidence record R8-1). This culminates in Executive Committee-level investment decisions for capital assets, IPs and targeted vulnerabilities or DM reserve requests (see evidence at R3).
  • The annual IT planning process complements the investment planning process and identifies risks and investment opportunities aligned to support the digital modernization framework.  These are both reviewed through departmental governance bodies and approved by the Deputy Head. (See evidence at R-3)

8.1  Continued engagement through governance bodies to monitor and upgrade aging IT.

ongoing

DTB-ADM
HC-CFOB-CRIPD
PHAC-OCFO-DG

8.2 Implement the GC Cloud Strategy and Financial Model commitment to migrate 40% of HC and PHAC applications at the Protected B, medium integrity, and medium availability (PBMM) level and below in public cloud.

Q3 2028-29

Note: The timing aligns with what is currently set out at the Government of Canada level.  Discussions are still underway, but this is the current timing for completion of migration of 40 percent of these applications.

DTB-CIO
HC-CFO
PHAC-CFO

Recommendation 9

The ADM-DTB, in collaboration with senior management, should define a strategy to address aging IT hardware issues proactively, which may include the establishment of an IT hardware evergreening program, and should include the establishment of performance measures and targets to monitor and report on HC and PHACs progress in addressing aging IT risks, in making informed IT disposal decision, and in ensuring the continued achievement of operational objectives and program delivery.

Management agrees with the recommendation.

In fiscal year 2020-21 CSB implemented an IT hardware evergreening program for computers based on a five-year amortization cycle for HC and PHAC. DTB will continue to engage stakeholders and evolve the evergreening strategy as this develops with SSC as part of Enterprise IT.

9.1 CSB implemented an IT hardware evergreening program for computers based on a five-year amortization cycle for HC and PHAC

Completed

DTB-CIO

9.2 Work with SSC to mature ever greening strategy to manage aging IT Hardware.

Q4 2021-22

DTB-CIO

Recommendation 10

The ADM DTB should identify a business process owner with appropriate authority to oversee and enforce compliance of the decommissioning process for business applications. This action will reduce the risk of important data residing in business applications from being mishandled or lost.

Management agrees with the recommendation.

Enterprise Architecture (EA) within DTB is the business process owner for application decommissioning. 

EA already has an application decommissioning strategy that was developed in consultation with groups within and outside of IMSD, followed by Business Owner engagement through various pilots in 2019-20. More formal implementation of that strategy began in 2020-21, with a written description of the decommissioning process and associated client form being available on GCPedia.

Direct stakeholder engagement to communicate the decommissioning process and underlying expectations is still needed, including socialization and integration into IT investment projects through the various governance tables.

10.1 Enterprise Architecture (EA) within DTB is designated as the business process owner for application decommissioning.  

Completed

DTB-CIO

10.2 Improved stakeholder communications and reporting on application decommissioning for all IT investment projects at formal investment governance tables.

Q1 2022-23

DTB-CIO
HC-CFO
PHAC-CFO

Footnote *

Bold denotes lead organization

Return to footnote * referrer

Report a problem or mistake on this page
Please select all that apply:

Thank you for your help!

You will not receive a reply. For enquiries, contact us.

Date modified: