Management Response and Action Plan: Audit of Information Technology Asset Management

Office of Audit and Evaluation – Health Canada and the Public Health Agency of Canada

January 2022

Each recommendation below is followed by the management response and planned actions, and then by its deliverables, each listed with its completion date and accountability/responsibility (see Footnote *).

Recommendation 1

The Assistant Deputy Minister, Digital Transformation Branch (DTB) and the Chief Financial Officer (CFO) should ensure that all Information Technology (IT) assets are appropriately tagged for inventory purposes, that a baseline inventory count of IT assets is conducted, and that the Systems Applications and Products (SAP) IT inventory data is updated accordingly, including the removal and transfer of the Indigenous Services Canada assets from HC inventory. These actions will ensure that HC's and PHAC's complete inventory of IT assets can be accurately accounted for and properly safeguarded.

Management agrees with the recommendation.

Since 2017, all IT assets that have financial (beyond a nominal low-dollar threshold) or business value (all procured assets that could contain data, including computing and storage devices) are being tagged and tracked.

A new enterprise asset management system is under development with the intent to be made operational in Q3 2022-23. This will put in place additional measures to track the operational use and safeguarding of assets. SAP will remain the authoritative information source for retaining and managing financial information associated with assets. 

While an enterprise asset management system is under development, additional measures will be put into place to track the operational use and safeguarding of assets. Coordination and liaison will include continued engagement with business owners, including those in laboratory environments, to ensure proper handling of all assets.

In addition, technologies are in place that mitigate the risk of information being mishandled. Such technologies include the continued use of Communications Security Establishment capabilities, including host- and network-based sensors, as well as internal capabilities, including BitLocker and positive control of USB devices.

1.1 Updated IT hardware asset tagging process for assets since 2017.
Completion date: Completed
Accountability/Responsibility: DTB-CIO; DGs responsible for lab operations

1.2 Implement an electronic IT Asset Management capability for hardware and software.
Completion date: Q3 2022-23
Accountability/Responsibility: DTB-CIO

1.3 Complete a baseline inventory of hardware and software using the ITAM capability and update inventory data accordingly.
Completion date: Q4 2022-23
Accountability/Responsibility: DTB-CIO; CFOB – DG FOD

1.4 ISC hardware assets transferred out of the SAP inventory.
Completion date: Completed
Accountability/Responsibility: DTB-DG FOD

Recommendation 2

The ADM-DTB and HC CFO should update Department and Agency Information Technology Asset Management (ITAM) policies, guidance and standard operating procedures, including a definition of IT assets and Lab equipment, to reflect current practices and systems, and to comply with Treasury Board policies for IT hardware, software and business applications. At a minimum, the objectives of ITAM, the authorities of stakeholders, and roles and responsibilities of key players, should be specified, to ensure sufficient engagement of stakeholders to effectively manage IT assets.

Management agrees with the recommendation.

The Health Canada Standard on Asset Management defines IT assets as: “Equipment that is supported by the Information Management and Services Directorate, including computers, monitors, laptops, printers, scanners, external hard drives, projectors, BlackBerry/PDA devices, servers, and server equipment.” It also states that specified labs are responsible for activities related to the acquisition, barcoding, and disposal of laboratory assets. Assets within labs that have digital components do not fit the definition of IT assets and would not be subject to IT asset management. DTB and CFOB will work with DGs responsible for laboratory operations to ensure all assets are accounted for and that the necessary safeguards for information are in place. 

2.1 Review and update definitions of IT and Lab assets and define accountabilities. Present and validate new definitions and processes through existing governance.
Completion date: Q1 2022-23
Accountability/Responsibility: CFOB – DG FOD; DTB-CIO; DGs responsible for lab operations

2.2 Revise HC and PHAC corporate-level asset policies and standards to enhance clarity regarding associated roles, responsibilities, and accountabilities, including for all low-dollar-value IT equipment and the treatment of lab IT equipment.
Completion date: Q1 2022-23
Accountability/Responsibility: CFOB – DG FOD; DTB-CIO; DGs responsible for lab operations

2.3 Conduct a gap analysis of existing ITAM policies, guidance and SOPs against corporate policy and standards.
Completion date: Q3 2022-23
Accountability/Responsibility: DTB-CIO

2.4 Implementation and communication of updated ITAM policies, guidance and SOPs on mySource and on relevant systems.
Completion date: Q4 2022-23
Accountability/Responsibility: DTB-CIO

Recommendation 3

The ADM-DTB should integrate ITAM governance and planning into HC's and PHAC's current governance framework and enterprise planning cycle and framework to ensure that IT assets get the attention, resources, and decisive action required to be managed effectively.

Management agrees with the recommendation.

There are a number of governance discussions that form part of the overall investment planning and IT planning cycle. The enterprise architecture team presents Application Portfolio Management (APM) data to individual branches to inform branch operational planning in order to feed the departmental investment planning process. This culminates in Executive Committee-level investment decisions for capital assets and projects. The annual IT planning process complements the investment planning process and identifies risks and investment opportunities aligned to support the digital modernization framework. These are both reviewed through departmental governance bodies and approved by the Deputy Head.

A key aspect of HC departmental IP governance is the role of the DG-level subject-matter expert leads for the four asset classes. One of the four asset classes is the area of IM/IT which oversees IT assets and is led by Health Canada’s CIO. Investments in IM/IT that are material in dollar value and/or higher in risk are brought to IP governance for approval and assigned appropriate capacity and resources.

In July 2021, PHAC created a VP-level committee for Resources and Operations which is responsible for monitoring and oversight of investment planning. This includes governance and oversight of financial resource allocations, investment decisions, and G&Cs, as well as provision of a challenge function for branch and Agency financial, operational, and resource planning (procurement, IT, accommodations, etc.), and monitoring of ongoing implementation of approved plans to ensure alignment between operations, spending, and results for the overall achievement of Agency priorities and results.

3.1 Continue to ensure IT assets are part of the existing HC investment planning process and governance.
Completion date: Complete
Accountability/Responsibility: HC-CFO; DTB-ADM

3.2 Ensure IT assets are part of the PHAC investment planning process and governance.
Completion date: Q4 2021-22
Accountability/Responsibility: PHAC-CFO; DTB-ADM

3.3 Ensure the annual IT plan includes an IT asset management component which reports on hardware and software as well as business applications.
Completion date: Complete
Accountability/Responsibility: DTB-CIO

Recommendation 4

The ADM-DTB and the HC CFO should re-assess the current software asset tracking processes and systems and establish an integrated solution. The integrated solution should support effective management of software assets throughout their lifecycle, eliminate the need for duplicate entry of software asset data into the various tracking systems, provide an automated discovery functionality, and enable linkages to other supporting information, such as purchasing documentation, software licenses, and maintenance costs.

Management agrees with the recommendation.

DTB provides software management for both Health Canada and PHAC with procurement currently managed in SAP with input derived directly from the Service Gateway: https://servicegateway-passerelledeservice.hc-sc.gc.ca/en/software.html.

SAP does not offer the same functionality as other software asset management tools, and management agrees that a new system is needed to more effectively manage software. It is reassuring, however, that a 2019 KPMG audit on behalf of IBM found compliance in 120 of 125 instances. This provides a reliable indicator that the governance, policies, and processes in place for software asset management for Health Canada and PHAC are in a relatively good state.

DTB will work with CFOB on improving software lifecycle management. A review of existing tools and processes as part of the gap analysis (see Deliverables 2.2 and 2.3) will be considered in the identification of requirements for an integrated SAM solution to digitize the business process to support data integrity in the support of asset management.

4.1 Development of a high-level business requirements document to support an integrated IT solution.
Completion date: Q4 2021-22
Accountability/Responsibility: DTB-CIO

4.2 Review policy and process for software assets and publish revised policies and processes on MySource.
Completion date: Q3 2022-23
Accountability/Responsibility: DTB-CIO

4.3 Implementation of Software Asset Management capability.
Completion date: Q3 2022-23
Accountability/Responsibility: DTB-CIO

Recommendation 5

The HC CFO and ADM-CSB should ensure that sufficient business process and application controls are implemented within the asset tracking and monitoring systems for IT hardware, software, and business applications (EAM SAP, SAM, and APM) in order to reduce data entry errors and ensure the completeness, reliability, and relevance of IT asset data.

Management agrees with the recommendation.

A distinction needs to be made between management of business applications, IT hardware and software. Hardware and software will be addressed through the adoption of a new ITAM system.

Enhanced ITAM (software and hardware) capabilities, processes, and data management and integration will be delivered under a new ITAM capability (1.2) where human errors will be minimised through the use of automation capabilities provided by the tool. Data quality will also be improved by the deployment of a Discovery capability which will find and identify IT hardware and software assets on the network, providing real-time asset identification and tracking.

In addition to DTB implementing an independent ITAM solution for tracking and monitoring hardware and software, CFOB will review current (SAP) system entry controls to determine if any further user data entry errors can be flagged, and initiate an SAP system change request accordingly.

As the audit notes, the process for managing and tracking the data for our business applications is good but not consistent, leading to some data quality issues. There is also room for greater engagement with stakeholders, including governance bodies, in the APM tracking and management of business applications. Since its introduction in 2017, however, the APM program has evolved in the management of business applications, with HC and PHAC having received favourable MAF scores for our overall level of IT maturity, which includes APM as an assessment factor.

5.1 Updated SOPs and training materials for software and hardware tracking tools.
Completion date: Q2 2022-23
Accountability/Responsibility: DTB-CIO

5.2 Enhance system entry error flags.
Completion date: Q1 2022-23
Accountability/Responsibility: CFOB-FOD-DG

5.3 Review and refine the data set collected in the APM tool to ensure the data collected is relevant, and clarify who is responsible for maintaining each data point across the business owners and functional areas within IM/IT.
Completion date: Q2 2022-23
Accountability/Responsibility: DTB-CIO

Recommendation 6

The HC CFO, PHAC CFO, and ADM-DTB should ensure that a funding formula for support and maintenance costs of existing business applications is established, that future ongoing maintenance costs are included in the full cost of new business applications, and that required funds are budgeted accordingly. These actions will support well-informed decision making for the ongoing health of the business application portfolio.

Management agrees with the recommendation.

Increasingly, measures are in place to ensure ongoing maintenance costs are factored into decisions about business applications. Departmental governance ensures that ongoing costs are addressed, as per the agreed model, in Transition Plans for new business applications. This is a prerequisite for Gate 4 sign-off as per the Department Project Management Framework (DPMF). In response to the recommendation that future ongoing maintenance costs be included in the full cost of new business applications, CFOB, in collaboration with IMSD, created a departmental IT Project costing tool in 2020 to determine the cost of new business applications, which was approved by departmental governance. This tool includes a component to calculate future ongoing maintenance costs. Once the ongoing maintenance costs are calculated, funding decisions are made. If the business application is part of a request for funding from the fiscal framework, the funding for ongoing maintenance costs is included in the Budget ask and related TB submission.

The IT Project costing tool can also be used to determine ongoing costs for existing business applications. For existing business applications, the source of funds for ongoing maintenance costs has been established. In the circumstance where the source of funds is insufficient, the IT Project costing tool can be used to determine the resource need, and funding requests can be brought to departmental governance to seek additional funding. The Department will continue to examine aging IT business applications as part of the annual reporting to TBS and assess risks associated with ongoing maintenance costs.

The IT Systems Development Management Framework applies to new and changed business applications and includes the completion of a Transition Plan (noted above). The Framework was accepted as a completed deliverable as part of Audit of IT Systems Development MRAP (1.1). The Quality Assurance process to enforce compliance is currently being finalized to close off that MRAP (3.4).

6.1 Review and update the standard costing model.
Completion date: Complete
Accountability/Responsibility: DTB-CIO; HC-CFOB-CRIPD; PHAC-OCFO-DG

6.2 Assess the level of risk associated with insufficient funding to address ongoing maintenance costs of existing business applications. Present a plan to address funding gaps at the departmental and agency investment governance committees.
Completion date: Complete
Accountability/Responsibility: DTB-CIO; HC-CFOB-CRIPD; PHAC-OCFO-DG

Recommendation 7

The CFO, in collaboration with the ADM-DTB, should ensure that monitoring activities for low-dollar value IT assets follow the updated guidance in order to safeguard private and public information contained therein.

Management agrees with the recommendation.

The audit highlights a lack of control of assets and the subsequent risk of a possible loss of control of private and public information. It was noted by management, upon review, that the information residing on these low-dollar assets is secure, based on the evidence below.

Information on USB keys is secure:

  • Loss of control of USB keys and information stored on USB keys was specified as a potential risk. Since 2014 only secure USB keys have been able to connect to departmental devices. Information on a secure USB key would not be accessible if the device were lost or stolen, as it could not be accessed without the PKI credentials of the owner. It is also not possible to use a non-issued USB key on government computing devices.
  • All other USB mass storage devices are prohibited, unless approved for whitelisting by IT Security. A Broadcast News was sent on April 22, 2014 (see evidence record R7-1).

All Health Canada and PHAC devices are encrypted to protect information if a device is lost or stolen, or in the event of other inappropriate access:

  • BitLocker encryption was introduced to HC/PHAC computers as part of the Windows 7 upgrade in 2014-15 and continues to be in place. BitLocker protects data on computing devices by preventing unauthorized access to the hard disk drive and the information therein (evidence record R1-1).

All Health Canada and PHAC computers have Communications Security Establishment (CSE) sensors installed to allow monitoring of devices against theft and unintentional or intentional access attempts:

  • CSE implemented Host Based Sensor (HBS) capabilities in Q1 2015 (evidence record R1-2). These sensors exist on computing devices and detect any unintended, malicious or unapproved attempted accesses if connected to any network. HBS capabilities were further enhanced with the implementation of network- and cloud-based sensors in subsequent years to protect other back-end components of the HC/PHAC IT infrastructure.

CFOB will review the current ITAM policy on attractive and trackable low-dollar assets. Accountabilities for ADMs and other stakeholders will be clearly articulated in any revised policies and directives.

7.1 Review and update the current ITAM policy for low-dollar-value IT assets to clarify the degree of risk-based monitoring required and include consideration of information security risks.
Completion date: Q1 2022-23
Accountability/Responsibility: CFOB-DG-FOD; DTB-CIO

7.2 Accountabilities for ADMs and other stakeholders will be clearly articulated in the revised asset management policies and directives.
Completion date: Q2 2022-23
Accountability/Responsibility: CFOB-DG-FOD; DTB-CIO

Recommendation 8

The ADM-DTB should ensure that the following steps are taken in order to meet TBS targets, and to address the 80% of business applications deemed to be aging, in an efficient and fully informed manner:

  • Ensure branch business application owners take immediate action on business applications deemed as ‘needing attention’ and/or ‘critical’, and develop detailed maintenance plans for remaining business applications for integration into the IT plan, and into the enterprise planning and budgeting cycle;
  • Incorporate aging IT as a regular governance agenda item;
  • Clarify roles and responsibilities for aging IT systems;
  • Establish performance measures to oversee and report on progress; and
  • Establish a project with requirements and direction for modernizing the portfolio of business applications.

Management agrees with the recommendation.

Governance related to application management is more mature than represented. The audit report highlights the Application Portfolio Management (APM) of IMSD as having a lack of engagement with clients at governance bodies. It must be noted that there are a number of discrete governance discussions that form part of the overall investment planning and IT planning cycle.

  • The APM team presents APM data to individual branches to inform branch operational planning in order to feed the departmental investment planning process (see evidence record R8-1). This culminates in Executive Committee-level investment decisions for capital assets, IPs and targeted vulnerabilities or DM reserve requests (see evidence at R3).
  • The annual IT planning process complements the investment planning process and identifies risks and investment opportunities aligned to support the digital modernization framework. These are both reviewed through departmental governance bodies and approved by the Deputy Head (see evidence at R-3).

8.1 Continued engagement through governance bodies to monitor and upgrade aging IT.
Completion date: Ongoing
Accountability/Responsibility: DTB-ADM; HC-CFOB-CRIPD; PHAC-OCFO-DG

8.2 Implement the GC Cloud Strategy and Financial Model commitment to migrate 40% of HC and PHAC applications at the Protected B, medium integrity, and medium availability (PBMM) level and below to public cloud.
Completion date: Q3 2028-29
Note: The timing aligns with what is currently set out at the Government of Canada level. Discussions are still underway, but this is the current timing for completion of migration of 40 percent of these applications.
Accountability/Responsibility: DTB-CIO; HC-CFO; PHAC-CFO

Recommendation 9

The ADM-DTB, in collaboration with senior management, should define a strategy to address aging IT hardware issues proactively, which may include the establishment of an IT hardware evergreening program, and should include the establishment of performance measures and targets to monitor and report on HC's and PHAC's progress in addressing aging IT risks, in making informed IT disposal decisions, and in ensuring the continued achievement of operational objectives and program delivery.

Management agrees with the recommendation.

In fiscal year 2020-21 CSB implemented an IT hardware evergreening program for computers based on a five-year amortization cycle for HC and PHAC. DTB will continue to engage stakeholders and evolve the evergreening strategy as this develops with SSC as part of Enterprise IT.

9.1 CSB implemented an IT hardware evergreening program for computers based on a five-year amortization cycle for HC and PHAC.
Completion date: Completed
Accountability/Responsibility: DTB-CIO

9.2 Work with SSC to mature the evergreening strategy to manage aging IT hardware.
Completion date: Q4 2021-22
Accountability/Responsibility: DTB-CIO

Recommendation 10

The ADM-DTB should identify a business process owner with appropriate authority to oversee and enforce compliance with the decommissioning process for business applications. This action will reduce the risk of important data residing in business applications being mishandled or lost.

Management agrees with the recommendation.

Enterprise Architecture (EA) within DTB is the business process owner for application decommissioning. 

EA already has an application decommissioning strategy that was developed in consultation with groups within and outside of IMSD, followed by Business Owner engagement through various pilots in 2019-20. More formal implementation of that strategy began in 2020-21, with a written description of the decommissioning process and associated client form being available on GCPedia.

Direct stakeholder engagement to communicate the decommissioning process and underlying expectations is still needed, including socialization and integration into IT investment projects through the various governance tables.

10.1 Enterprise Architecture (EA) within DTB is designated as the business process owner for application decommissioning.
Completion date: Completed
Accountability/Responsibility: DTB-CIO

10.2 Improved stakeholder communications and reporting on application decommissioning for all IT investment projects at formal investment governance tables.
Completion date: Q1 2022-23
Accountability/Responsibility: DTB-CIO; HC-CFO; PHAC-CFO

Footnote *

Bold denotes lead organization
