Management Response and Action Plan - Audit of Information Technology Continuity Planning for Mission Critical Systems/Applications at Health Canada and the Public Health Agency of Canada - September 2016
Recommendations | Management Response and Planned Management Action | Deliverables | Expected Completion Date | Responsibility |
---|---|---|---|---|
Recommendation 1 It is recommended that the Assistant Deputy Minister, Corporate Services Branch, integrate information technology continuity planning into the business continuity planning governance structure, including clearly defining and communicating roles and responsibilities. |
Management agrees with this recommendation. | |||
CSB will clearly define roles and responsibilities for IT continuity planning, incorporate them into the governance structure and communicate them to the Health Partnership business continuity management committees. | Revised Terms of Reference for relevant committees. Process was discussed at Partnership Business Continuity Management Committee (PBCMC) meeting on April 5, 2016. Process to be presented at the Directors General - Investment Planning (DG-IP) Committee (date TBD). Integration of IT continuity planning into business continuity planning; work under way for delivery at end of April 2016 of a one-page description of an IT continuity plan to assist business owners. |
June 2016 | Assistant Deputy Minister (ADM), Corporate Services Branch (CSB) | |
Recommendation 2 It is recommended that the Assistant Deputy Minister, Corporate Services Branch, ensure that risks related to information technology continuity planning be further assessed and included in the information technology plans for HC and PHAC. |
Management agrees with this recommendation. | |||
CSB will further assess risks associated with IT continuity planning and record them in the IT plans for HC and PHAC. | Annual HC and PHAC IT plans contain this analysis. | March 2016 | ADM, CSB | |
Lack of IT continuity plans has been included as a risk in both HC and PHAC IT Plans. | Completed March 2016 (Table 1 - Footnote 1) | |||
Recommendation 3 It is recommended that the Assistant Deputy Minister, Corporate Services Branch:
|
Management agrees with the recommendation. | |||
As part of the annual validation process, CSB will communicate to branches the requirement for up-to-date threat and risk assessments (TRA) for all mission critical systems and applications (MCA). | Annual communiqué on updated requirements for TRAs. | July 2016 | ADM, CSB; All owners of MCAs | |
As part of the process update for Recommendation 1 above, branches have been informed of the requirement to perform TRAs on all MCAs. | Completed March 2016 (Table 1 - Footnote 1) | |||
CSB will monitor compliance for all TRAs for MCAs and report the results at least annually to HC and PHAC Executive Committees. Branch ADM owners of MCAs will ensure that an up-to-date TRA is completed for each approved MCA under their responsibility. |
|
September 2016 | Branch ADM owners of MCAs; ADM, CSB | |
CSB will implement a process whereby the Chief Information Officer (CIO) approves the Security Assessment and Authorization Report (SAAR) prior to an MCA moving into production. | Revised CSB MCA change management process. | March 2016 | ADM, CSB | |
The requirement for a CIO-approved SAAR (includes the requirement for the TRA) has been integrated into the Authority to Operate process that is required prior to applications being released to production. | Completed March 2016 (Table 1 - Footnote 1) | |||
Recommendation 4 It is recommended that the Assistant Deputy Minister, Corporate Services Branch, document the process for identifying and approving the list of mission critical systems/applications at HC and PHAC. |
Management agrees with the recommendation. | |||
CSB will document a process for identifying and approving MCAs at HC and PHAC. | Revised CSB MCA change management process. | March 2016 | ADM, CSB | |
New process has been developed by NBCMP, in collaboration with IMSD. | Completed March 2016 (Table 1 - Footnote 1) | |||
Recommendation 5 It is recommended that the Assistant Deputy Minister, Corporate Services Branch, in collaboration with the business owners, ensure that a service level agreement or other formal business arrangement be put in place with service providers, describing service levels for the restoration of mission critical systems/applications. |
Management agrees with the recommendation. | |||
CSB will work with branches to identify service providers, to ensure that service level agreements (SLAs) or other formal business arrangements are in place for the restoration of MCAs. |
|
April 2017 | Branch ADM owners of MCAs; ADM, CSB | |
Recommendation 6 It is recommended that the Assistant Deputy Minister, Corporate Services Branch:
|
Management agrees with the recommendation. | |||
CSB will develop requirements for IT continuity plans for all MCAs, communicate them to business owners, monitor compliance and report on them annually. | Revised Terms of Reference for relevant committees. | June 2016 | ADM, CSB | |
IT continuity plans for each MCA to be reviewed, updated and exercised on an annual basis by the branch ADM owners of the MCAs. | Annual call letter for IT continuity plans. | Completed March 2016 (Table 1 - Footnote 1) |
Branch ADM owners of MCAs; ADM, CSB |
|
NBCMP issued a special call-out on March 30, 2016 to meet this objective. | Completed March 2016 (Table 1 - Footnote 1) |
|||
|
Organization: Health Canada and Public Health Agency of Canada
Date published: 2016-12-16