Management Response and Action Plan - Audit of Information Technology Continuity Planning for Mission Critical Systems/Applications at Health Canada and the Public Health Agency of Canada - September 2016

Recommendations | Management Response and Planned Management Action | Deliverables | Expected Completion Date | Responsibility
Recommendation 1

It is recommended that the Assistant Deputy Minister, Corporate Services Branch, integrate information technology continuity planning into the business continuity planning governance structure, including clearly defining and communicating roles and responsibilities.
Management agrees with this recommendation.
CSB will clearly define roles and responsibilities for IT continuity planning, incorporate them into the governance structure and communicate them to the Health Partnership business continuity management committees.
Deliverables: Revised Terms of Reference for relevant committees.
Process was discussed at Partnership Business Continuity Management Committee (PBCMC) meeting on April 5, 2016.
Process to be presented at the Directors General - Investment Planning (DG-IP) Committee (date TBD).
Integration of IT continuity planning into business continuity planning; work under way for delivery at end of April 2016 of a one-page description of an IT continuity plan to assist business owners.
Expected Completion Date: June 2016
Responsibility: Assistant Deputy Minister (ADM), Corporate Services Branch (CSB)
Recommendation 2

It is recommended that the Assistant Deputy Minister, Corporate Services Branch, ensure that risks related to information technology continuity planning be further assessed and included in the information technology plans for HC and PHAC.
Management agrees with this recommendation.
CSB will further assess risks associated with IT continuity planning and record them in the IT plans for HC and PHAC.
Deliverables: Annual HC and PHAC IT plans contain this analysis.
Expected Completion Date: March 2016
Responsibility: ADM, CSB
Lack of IT continuity plans has been included as a risk in both HC and PHAC IT Plans. Completed March 2016 (Table 1 - Footnote 1)
Recommendation 3

It is recommended that the Assistant Deputy Minister, Corporate Services Branch:
  • Communicate to other branches the requirement for up-to-date threat and risk assessments and action plans for all mission critical systems/applications;
  • Ensure that the Departmental Information Technology Security Coordinator monitor compliance with the requirements and report on the results at least annually; and
  • Ensure that no new mission critical applications be released for production without an authority to operate.
Management agrees with the recommendation.
As part of the annual validation process, CSB will communicate to branches the requirement for up-to-date threat and risk assessments (TRA) for all mission critical systems and applications (MCA).
Deliverables: Annual communiqué on updated requirements for TRAs.
Expected Completion Date: July 2016
Responsibility: ADM, CSB; All owners of MCAs
As part of the process update for Recommendation 1 above, branches have been informed of the requirement to perform TRAs on all MCAs. Completed March 2016 (Table 1 - Footnote 1)
CSB will monitor compliance for all TRAs for MCAs and report the results at least annually to HC and PHAC Executive Committees. Branch ADM owners of MCAs will ensure that an up-to-date TRA is completed for each approved MCA under their responsibility.
  • TRAs for MCAs reported at least annually.
  • TRAs have been initiated for all MCAs.
  • The monthly status capture already exists under the 2013-14 Management Accountability Framework. Reporting to Executive Committees to be scheduled.
Expected Completion Date: September 2016
Responsibility: Branch ADM owners of MCAs; ADM, CSB
CSB will implement a process whereby the Chief Information Officer (CIO) approves the Security Assessment and Authorization Report (SAAR) prior to an MCA moving into production.
Deliverables: Revised CSB MCA change management process.
Expected Completion Date: March 2016
Responsibility: ADM, CSB
The requirement for a CIO-approved SAAR (includes the requirement for the TRA) has been integrated into the Authority to Operate process that is required prior to applications being released to production. Completed March 2016 (Table 1 - Footnote 1)
Recommendation 4

It is recommended that the Assistant Deputy Minister, Corporate Services Branch, document the process for identifying and approving the list of mission critical systems/applications at HC and PHAC.
Management agrees with the recommendation.
CSB will document a process for identifying and approving MCAs at HC and PHAC.
Deliverables: Revised CSB MCA change management process.
Expected Completion Date: March 2016
Responsibility: ADM, CSB
New process has been developed by NBCMP, in collaboration with IMSD. Completed March 2016 (Table 1 - Footnote 1)
Recommendation 5

It is recommended that the Assistant Deputy Minister, Corporate Services Branch, in collaboration with the business owners, ensure that a service level agreement or other formal business arrangement be put in place with service providers, describing service levels for the restoration of mission critical systems/applications.
Management agrees with the recommendation.
CSB will work with branches to identify service providers, to ensure that service level agreements (SLAs) or other formal business arrangements are in place for the restoration of MCAs.
  • SLAs or other formal business arrangements for all MCAs.
  • Approval at PHAC-EC on 10 Feb-2016 for PHAC MCA list.
  • Approval at HC-EC to be scheduled for HC MCA list.
  • NBCMP has communicated to business owners the need to identify service providers and negotiate appropriate IT continuity plans.
  • Further work to assist business owners in defining IT continuity plans is under way (refer to Recommendation 1 above).
Expected Completion Date: April 2017
Responsibility: Branch ADM owners of MCAs; ADM, CSB
Recommendation 6

It is recommended that the Assistant Deputy Minister, Corporate Services Branch:
  • Communicate to business owners the requirement for a comprehensive IT continuity plan for all mission critical systems/applications; and
  • Monitor compliance with the requirement and report on the results at least annually.
Management agrees with the recommendation.
CSB will develop requirements for IT continuity plans for all MCAs, communicate them to business owners, monitor compliance and report on them annually.
Deliverables: Revised Terms of Reference for relevant committees.
Expected Completion Date: June 2016
Responsibility: ADM, CSB
IT continuity plans for each MCA to be reviewed, updated and exercised on an annual basis by the branch ADM owners of the MCAs.
Deliverables: Annual call letter for IT continuity plans.
Expected Completion Date: Completed March 2016 (Table 1 - Footnote 1)
Responsibility: Branch ADM owners of MCAs
NBCMP issued a special call-out on March 30, 2016 to meet this objective. Completed March 2016 (Table 1 - Footnote 1)
Table 1 - Footnote 1

The Office of Audit and Evaluation will assess the implementation of all actions outlined in this document as part of its quarterly follow-up process of the implementation of the internal audit report recommendations.


Organization: Health Canada and Public Health Agency of Canada

Date published: 2016-12-16
