Internal Audit of IT Security Governance and Risk Management

Internal Audit & Accountability Branch
January 2014

Executive Summary

The objective of the audit was to provide assurance to senior management on the effectiveness of governance over information technology (IT) security at Citizenship & Immigration (CIC), including IT security risk management and, specifically, CIC’s Certification and Accreditation (C&A) process.

Why This Is Important

IT security governance is an important foundational component in implementing and maintaining an effective IT security management program. Ensuring sound governance is even more critical with the transition of roles and responsibilities to Shared Services Canada (SSC). Effective risk management is critical in IT security to ensure risks are appropriately identified, prioritized, and mitigated.

Key Findings

Although departmental security governance has been established, IT security has not been fully integrated. Roles and responsibilities of the Departmental Security Officer (DSO), Chief Information Officer (CIO) and IT Security Coordinator are outlined in the CIC IT Security Policy and in each position description. Department-wide security planning and IT-specific security requirements are not fully integrated. Security roles and responsibilities have not been formally defined and documented between CIC and SSC.

Departmental security planning does not include a comprehensive assessment of IT security risks. A Corporate Security Risk Register has been developed that integrates security risk information from all areas of the Department; however, it is not updated on an ongoing basis to include risks identified by IT Security. High-level risk snapshots in the Departmental Security Plan summarize key risks to the Department, but do not include IT-specific risks.

Governance and processes for ensuring ongoing security assessments and monitoring at the corporate and system level have not been formally defined. CIC has developed risk assessment procedures for IT systems and applications, but these procedures have been inconsistently implemented; some new systems are assessed, while others which are continually upgraded rely on previous outdated assessments.

Conclusion

Overall, the IT security governance and risk management framework partially met our expectations. Areas for improvement were noted related to integrating IT security into departmental security governance, formally defining and documenting roles and responsibilities between CIC and SSC, and further strengthening the IT security risk assessment process and implementation of mitigation strategies throughout the Department.

Management has accepted the audit findings and developed an action plan to address the audit recommendations.

Statement of Conformance

The conduct of this engagement conforms with the Internal Auditing Standards for the Government of Canada, as supported by the results of the quality assurance and improvement program. We examined sufficient, relevant evidence to support the conclusions reached.

Gibby Armstrong CA, CIA
Chief Audit Executive
Citizenship and Immigration Canada

Background

As a federal department, CIC must adhere to the Treasury Board of Canada’s baseline security requirements as outlined in the Policy on Government Security. The Policy requires each department to establish a security program for the coordination and management of departmental security activities. Proper management of security requires the continuous assessment of risks and the implementation, monitoring and maintenance of appropriate internal management controls covering prevention (mitigation), detection, response and recovery. The Directive on Departmental Security Management provides further security requirements, as do various standards and guidance documents such as the IT Security Guidance suite from the Communications Security Establishment Canada.

Accountability for overall security within the Department rests with the DSO, although IT security specifically is managed under the supervision of the CIO within the Solutions and Information Management Branch (SIMB). The Chief of IT Security and Production Services acts as the departmental IT Security Coordinator responsible for the management of the IT security program and associated risk management.

In the summer of 2011, IT infrastructure services that were formerly performed by CIC were transitioned to SSC. This included the transfer to SSC of CIC personnel who had been delivering these services for the Department.

CIC shares IT systems and infrastructure with a number of agencies, including the Canada Border Services Agency, Royal Canadian Mounted Police, the Canadian Security Intelligence Service and the Department of Foreign Affairs, Trade and Development. While most of its data is centralized in Ottawa, the Department has regional operations across Canada and operations that span the globe. Among other systems, the Department operates a highly complex Global Case Management System (GCMS) on which CIC’s partner departments rely for immigration and border control information, and the Department offers extensive and expanding eServices online through the launch of Electronic Applications.

Audit Objectives and Scope

The objective of the audit was to provide assurance to senior management on the effectiveness of governance over IT security at CIC, including IT security risk management and, specifically, CIC’s C&A process.

The audit scope included an assessment of the processes and practices related to IT security planning and governance at CIC; the roles and responsibilities of IT Security, including CIC’s relationship with SSC; the IT security risk management program, including CIC’s C&A process; and compliance with Treasury Board requirements related to IT security. The audit reviewed IT security activities from April 1, 2012 to June 1, 2013.

The audit criteria developed for this audit are included in Appendix A.

Detailed Recommendations and Findings

Finding 1: Governance

Although departmental security governance has been established, IT security has not been fully integrated.

We expected to find that accountability for IT security was well defined and documented within CIC and included an IT security oversight body with a clear mandate that met regularly and reviewed information related to IT Security priorities and plans. We also expected that roles and responsibilities with service providers, such as SSC, were formally defined and documented. Clear accountability and oversight for IT security are important to ensure that IT security issues are identified, prioritized and mitigated.

Governance over IT security has been established.

CIC has a Departmental Security Advisory Committee (DSAC) with the mandate to provide advice and guidance on all departmental security risks and accountabilities, including IT security. DSAC is chaired by the DSO. The CIO is not a designated DSAC participant, as IT is represented by the IT Security Coordinator. DSAC met twice in fiscal year 2012–13; the terms of reference for the committee require that it meet on a quarterly basis or as required.

IT security has on occasion been discussed with other governance bodies, for example, information security was discussed at the Executive Management Committee in March 2013 in response to data loss incidents that had recently occurred within the federal government.

Physical security and IT security responsibilities are not coordinated.

The roles and responsibilities of the DSO, the CIO and the IT Security Coordinator are outlined at a high level in the CIC IT Security Policy and in each position description. From an operational perspective, however, accountabilities and reporting relationships for formally integrating security requirements into the Department’s security plans have not been defined or documented.

CIC’s 2012–13 Departmental Security Plan identifies several priorities, including the need to improve CIC’s security culture by enhancing engagement of DSAC members, and to ensure that the security-related responsibilities of the CIO are clearly defined and that there is clear and formal coordination for the reporting of security related incidents between the CIO and DSO. These priorities were identified as action items to be addressed by end of fiscal year 2012–13, although as of July 2013 they had not yet been completed.

Without fully integrating IT security into departmental security governance processes, including regular governance meetings involving all key stakeholders, there is an increased risk that IT security issues will not be appropriately identified, prioritized or mitigated. A governance body should provide oversight for and approve these activities to ensure that the level of residual risk is acceptable.

Security roles and responsibilities have not been formally defined and documented between CIC and SSC.

With the creation of SSC, many of the functions for IT security have been transferred out of CIC’s area of responsibility. As a preliminary step, CIC has signed a Business Arrangement Document and a high-level Memorandum of Understanding with SSC to document the new roles. Operational-level departmental responsibilities that staff would require to perform their duties, however, are still under development, and the processes required to monitor and report against operational requirements have yet to be developed. As noted in our Audit of Informatics Disaster Recovery Planning, the absence of defined responsibilities and accountabilities results in significant ambiguity for IT staff.

While many of CIC’s former IT staff remained responsible for CIC after the move to SSC, SSC is moving toward a new portfolio model, wherein their staff will be assigned to a group of departments, rather than specific departments. This increases the risk that corporate memory over CIC IT security needs will not be retained and that IT security issues will not be appropriately identified or addressed.

Recommendation 1 (Medium Risk):

CIC should formalize an agreement with Shared Services Canada to establish IT security roles, responsibilities and processes for service delivery.

Finding 2: IT Security Planning

Departmental security planning does not include a comprehensive assessment of IT security risks.

We expected to find that a current security plan that considers IT has been defined and aligns business strategy, business expectations and IT capabilities. We also expected to find that the Security Plan has been translated into tactical operational plans for IT. Finally, we expected to find that the achievement of security plan objectives related to IT security is regularly reviewed and reported, and that the plan is updated on a regular basis.

A Corporate Security Risk Register exists and is updated annually.

There is a Corporate Security Risk Register that underpins the development of the Departmental Security Plan and integrates security risk information from all areas of the Department. The risk register is updated annually; IT-specific risks are not reviewed or prioritized as they arise.

Based on the Corporate Security Risk Register, the Departmental Security Plan includes four overarching “risk snapshots.” None of the risk snapshots specifically relate to IT security, although Risk Snapshot #2: Compromise of Information includes aspects of IT security. The performance measures to be tracked for Risk Snapshot #2 do not include any reference to IT Security. Risk Snapshot #4: Partnerships does not include any specific reference to SSC, or to the risks related to defining roles and responsibilities between CIC and SSC.

Without formal inclusion of IT security risks in the Departmental Security Plan, these risks may not be effectively addressed by the Department in a coordinated fashion.

Recommendation 2 (Medium Risk):

CIC should establish a formal process to ensure that IT security risks and priorities are included in the Corporate Security Risk Register as part of the Departmental Security Plan.

Finding 3: IT Security Assessment and Monitoring

Governance and processes for ensuring ongoing security assessments and monitoring at the corporate and system level have not been formally defined.

C&A procedures ensure that security requirements are addressed in IT systems as they are developed, implemented and upgraded to newer versions. We expected to find that IT systems were formally certified and accredited in compliance with a defined and documented departmental C&A process, and that IT security issues were appropriately identified and addressed prior to system implementation. We expected to see documented evidence of these C&A procedures applied to a sample of IT systems selected for the audit: GCMS, GCDocs and iCARE. Finally, we expected to see continuous monitoring of IT security, which would help CIC ensure that IT security risks are identified and addressed in a timely manner.

CIC has developed C&A procedures.

CIC has documented C&A procedures, updated in February 2013. The requirement to conduct C&A activities is outlined in section 6.1 of the CIC IT Security Policy. The C&A procedures include key components required of a comprehensive security assessment process, including defining specific C&A roles and responsibilities, developing a security requirements traceability matrix, and performing functional testing of security controls. However, the C&A procedures do not take the security-controls-based approach recommended in government-wide IT security guidance (IT Security Guidance-33, issued by the Communications Security Establishment Canada). In addition, the C&A procedures do not specifically outline the requirement to complete Privacy Impact Assessments on systems that manage personal information, nor the methodology for performing them.

The Department has recently updated its system development lifecycle, and the current version includes security considerations related to C&A activities and deliverables throughout the process.

Implementation of the C&A procedures has not been consistent.

Systems that were initiated prior to the development of these C&A procedures and the updated system development lifecycle have not systematically considered security as part of system development. In addition, for systems that have already been implemented, there is no formal process to determine what further assessment activity should be conducted. For instance, Threat and Risk Assessments (TRAs) have been conducted for most GCMS releases, but some of those assessments have no formal documentation or approval of the activity.

A specific GCMS Certification Plan, which is similar in nature to the new C&A procedures for the Department finalized in February 2013, was developed in 2008. Although baseline security requirements were developed for GCMS, the assessment was high level, and no system-specific security requirements were developed or implemented; nor were these requirements mapped to security controls. With the exception of access control and interface testing, no security controls have been formally tested for GCMS as part of the C&A process.

GCDocs has already been implemented for the management of documents related to GCMS; in the near term its capabilities will be expanded to serve as the document management system for all CIC operations, and by the fall of 2013 CIC will also host separate instances of GCDocs for other departments and agencies, some of which are already testing or piloting it. Although GCDocs is already partially implemented, C&A activities for it have only recently begun, and no TRA has been performed.

C&A assessments for specific systems are not being consistently approved.

A risk management document serves as the C&A approval, outlining current risks (taken from previous TRAs) and planned mitigation measures. For GCMS, despite a significant amount of IT security assessment activity on GCMS extensions and changes to functionality, the last signed version of a risk management document is from March 2010. Furthermore, risks outlined in the risk management documents may persist across subsequent assessments for many years: for example, the lack of segregation of the CIC network has been recorded as a risk in GCMS risk management documents since at least 2006.

As the C&A process has only begun for GCDocs, there are no risk management documents for the application. A risk management document – as well as a TRA – has been developed for iCARE; however, the risk management document has not been formally approved. Without formal approval of C&A assessments, CIC cannot be sure that the risk mitigation strategies for IT systems meet the needs of senior management.

Continuous monitoring is not considered as part of C&A procedures, nor is a formal continuous monitoring plan/process documented elsewhere. IT systems can evolve continuously, changing the dynamics of the previous risk assessments. As well, the global IT environment presents new risks on a daily basis that could present cumulative threats to CIC’s IT infrastructure and systems. Without ensuring security is monitored in a continuous fashion, there is an increased risk that IT security issues will not be appropriately identified and addressed for specific systems, nor escalated to departmental attention.

Recommendation 3 (Medium Risk):

CIC should update its C&A and system development lifecycle processes to include:

  1. a formal process to determine what IT security assessment activity should be conducted for systems that are modified or undergo revisions, and ensure they are implemented;
  2. reference to the security controls as outlined in government-wide IT security guidance (IT Security Guidance-33);
  3. reference to the completion of Privacy Impact Assessments on systems that manage personal information; and
  4. a formal monitoring process to ensure security requirements are continually addressed.

Recommendation 4 (Medium Risk):

CIC should ensure that all systems adhere to the designed C&A process for the Department.

Appendix A – Detailed Audit Criteria

The objective of the audit was to provide assurance to senior management on the effectiveness of governance over IT security at CIC, including IT security risk management and, specifically, CIC’s C&A process.

Line of Enquiry 1: A governance structure for IT Security has been established and supported through the CIC IT Security Policy.

Audit Criteria:
  1 – Accountabilities, delegations, reporting relationships, and roles and responsibilities of IT Security are defined, documented and communicated to relevant persons.
  2 – Those charged with governance have clearly communicated mandates, are actively involved, have a significant level of influence, and exercise oversight of management processes.
  3 – The oversight body meets regularly and reviews information related to IT security priorities and plans, provides advice on issues, reviews performance of the IT security function, and communicates its decisions to the organization in a timely manner.
  4 – IT security roles and responsibilities of service providers such as SSC have been formally defined, documented, and communicated.

Line of Enquiry 2: A current security plan that considers IT has been defined, aligns business strategy, business expectations, and IT capabilities, and has been translated into tactical plans.

Audit Criteria:
  5 – A current security plan that considers IT has been defined and aligns business strategy, business expectations and IT capabilities.
  6 – The security plan has been translated into tactical operational plans for IT, with clear delineation between activities that are the responsibility of CIC and activities that are the responsibility of service providers such as SSC.
  7 – Achievement of security plan objectives related to IT security is regularly reviewed and reported. The plan is updated on a regular basis.

Line of Enquiry 3: A C&A process has been defined and implemented as part of a comprehensive IT Security Risk Management Program.

Audit Criteria:
  8 – The C&A process has been defined, documented and communicated, including roles and responsibilities.
  9 – IT systems have been formally certified and accredited.
  10 – IT system design/architecture is documented and implemented based on appropriate security controls.
  11 – Comprehensive operations security documentation has been developed that is applicable to the IT system.
  12 – Continuous monitoring, assessment and authorization maintenance activities have been implemented, and appropriate actions taken based on the results of these activities.

Appendix B – Management Action Plan

Recommendation 1 (Risk Ranking: Medium)
CIC should formalize an agreement with Shared Services Canada to establish IT security roles, responsibilities and processes for service delivery.

Management Response:
CIC has a business arrangement with SSC to establish IT security roles, responsibilities and processes for service delivery. The document was signed on January 27, 2012. The CIC – SSC business arrangement will be the foundation for the more detailed Memorandum of Understanding (MOU).

Action Plan:
The MOU will be developed in collaboration with SIMB and SSC to better define roles and responsibilities. It will be signed by CIC's CIO and SSC’s Director General, Social Portfolio or equivalent. Interim mitigation measures will be used until the agreement is signed.

  • Initial document (Q4 2013–14)
  • Final draft for CIC review (Q1 2014–15)
  • Draft for SSC review (Q2 2014–15)
  • Final signoff by CIC and SSC (Q3 2014–15)
Responsibility: SIMB
Target Date: Q3 2014–15

Recommendation 2 (Risk Ranking: Medium)
CIC should establish a formal process to ensure that IT security risks and priorities are included in the Corporate Security Risk Register as part of the Departmental Security Plan.

Management Response:
SIMB uses information from government security lead agencies to identify IT security threats and determine risk level. Layered defence at the perimeter provides the technical controls to mitigate risks. In addition, a suite of policy instruments is in place to assess and mitigate risk. A process will be established to include IT security risks in CIC’s Corporate Security Risk Register.

Action Plan:
SIMB will work with Corporate Security and the DSO to ensure IT security risks and priorities are included in the Corporate Security Risk Register as part of the Departmental Security Plan.

  • Corporate Security and IT Security met in September 2013 to update the Departmental Security Plan with IT Security input. (Q3 2013–14 – Status: In progress)
  • Recurring meetings are scheduled to provide input on the Corporate Security Risk Register. (Q3 2013–14)
  • Updates will be provided for the DSAC meeting in March 2014. (Q4 2013–14)
  • A formal process will be developed (Q1 2014–15)
  • A formal process, which includes DSAC oversight, will be adopted/implemented. (Q2 2014–15)
  • SIMB will develop a comprehensive IT Security Plan. The IT Security Plan will address governance and monitoring requirements to ensure the Plan is followed by all branches as required. Senior management approval of the IT Security Plan will be sought before the end of fiscal year 2013–14. Monitoring approaches will ensure senior management is made aware of compliance issues. (Q4 2013–14)
Responsibility: SIMB (with Corporate Security)
Target Date: Q2 2014–15

Recommendation 3 (Risk Ranking: Medium)
CIC should update its C&A and system development lifecycle processes to include:

  1. a formal process to determine what IT security assessment activity should be conducted for systems that are modified or undergo revisions and ensure they are implemented;
  2. reference to the security controls as outlined in government-wide IT security guidance (IT Security Guidance-33);
  3. reference to the completion of Privacy Impact Assessments on systems that manage personal information; and
  4. a formal monitoring process to ensure security requirements are continually addressed.

Management Response:
CIC currently follows the C&A process. This is a government- and industry-wide accepted process. CIC tailors the process in order to make it relevant to CIC and scalable to the requirement under review. The last update was made in February 2013. When new IT-enabled requirements are identified, IT Security determines the degree to which this process is invoked and what type of IT security assessments are required.

The system development lifecycle was replaced by the System Development Methodology (SDM) in March 2013. The SDM represents a process for creating or altering information systems, and the models and methodologies that people use to develop these systems. The SDM is an accepted IT development guideline. IT Security activities are addressed in each phase of CIC’s SDM.

IT Security Guidance-33 was introduced in November 2012 by the Communications Security Establishment Canada as a guideline for managing risk in the areas of personnel, physical and IT security. CIC follows a suite of policy instruments and security best practices issued by Government of Canada lead agencies. The instruments include policies, standards, procedures and guidelines to manage security. Until IT Security Guidance-33 is implemented, CIC’s current practice will remain in place for managing security risks.

At the time of this audit, CIC was following the C&A process and the SDM. To comply with the recently published IT Security Guidance-33, the following responses/action plans indicate how CIC intends to comply with the new IT Security Guidance-33 requirements.

3 a):
Action Plan:
SIMB will engage DSAC and propose that the Terms of Reference be amended to include a standing IT Security Review item to ensure that IT security assessment activities are considered and implemented. The results of the IT security assessments for projects will be presented as part of the IT Security Review. The DSO is in agreement with this approach. The next DSAC meeting will be held in December 2013.

3 b):
Action Plan:
SIMB will develop a comprehensive IT Security Plan that will include a strategy for CIC to become compliant with IT Security Guidance-33. The IT Security Plan will address governance and monitoring requirements to ensure the Plan is followed by all branches as required. Senior management approval of the IT Security Plan will be sought before the end of fiscal year 2013–14. Monitoring approaches will ensure that senior management is made aware of compliance issues. (Q4 2013–14)

This aligns with the action plan for item #4, below.

3 c):
Action Plan:
The Access to Information and Privacy Act identifies requirements for PIAs. Where a PIA is required and exists, it is used as input into the C&A process.

The PIA is included in the SDM as part of the Requirements Gathering Phase. The SDM will become mandatory for all CIC branches, and the governance and monitoring requirements established in the IT Security Plan will ensure that PIA requirements are met by all CIC branches as needed.

3 d):
Action Plan:
SIMB will develop a comprehensive IT Security Plan that will include a strategy for implementing continuous monitoring. (Q4 2013–14).

This aligns with the action plan for item #4, below.

Responsibility: SIMB (with Corporate Security)
Target Date: Q3 2014–15

Recommendation 4 (Risk Ranking: Medium)
CIC should ensure that all systems adhere to the designed C&A process for the Department.

Management Response:
CIC currently follows the C&A process, which will remain in place for managing security risks until IT Security Guidance-33 is implemented.

Action Plan:
As referenced above, CIC will develop a Comprehensive IT Security Plan to address priorities. The Comprehensive IT Security Plan will be presented to the Executive Committee for approval in Q4 2013–14.

SIMB will ensure that all systems adhere to the designed process for the Department by adopting a CIC-approved version of the SDM process by Q4 2013–14. The SDM process will be mandatory, and the IT Security Plan will address governance and monitoring requirements to ensure that this mandatory process is followed.

Responsibility: SIMB
Target Date: Q4 2013–14

Appendix C – Links to Applicable Legislation, Frameworks, Policies, Directives and Guidance
