Audit of Information Technology General Controls - Phase II Report
- Audit findings and recommendations
- Appendix A: Management response and action plan
- Appendix B: References (non-exhaustive)
1. On April 1, 2018 the newly updated Treasury Board Policy on Management of Information Technology came into effect. The role of information technology (IT) as a key enabler in transforming the business of government was highlighted in addition to the role that IT can play in enhancing productivity and client service. The role of the Chief Information Officer is described and includes a provision for the Chief Information Officer to have direct access to the deputy head on a periodic basis. The objective is to have robust IT management practices in place to ensure the efficient and effective use of IT in support of federal government priorities, program delivery, innovation, productivity and services to the public.
2. It is important to note that in August 2011, Shared Services Canada was created to transform the delivery of IT infrastructure services for the Government of Canada through an enterprise approach. Shared Services Canada delivers email, data centre, network and workplace technology device services in a consolidated and standardized manner. The business arrangements that Shared Services Canada has in place with departments and agencies are based on the premise of collaboration. Shared Services Canada and partner organizations also have shared responsibilities for cyber and IT security. Partner organizations bilaterally manage IT security risks with Shared Services Canada and immediately report user incidents and/or system incidents to the Consolidated Helpdesk.
3. Within this context, there have been numerous changes related to the provision of IT services at the Public Service Commission of Canada (the Agency) over the past 2 fiscal years. Hired in 2015, a new Chief Information Officer has led significant changes within the Information Technology Services Directorate (ITSD). This includes a number of staffing actions at all levels, including supervisors, managers and executives. In addition, the directorate was recently re-located within the Agency. On November 1, 2017, ITSD was moved from the Services and Innovation Branch to the Corporate Affairs Sector as part of an overall governance shift to better align resources to deliver on the Agency’s mandate. And with the introduction of the new Treasury Board Policy that came into effect on April 1, 2018, the Chief Information Officer is working with senior management to determine how it will be implemented at the Agency.
4. ITSD officials work with, and support, Agency senior management in carrying out their respective mandates and adjusting to an ever-changing operating and IT environment. The Directorate’s vision is to be “an agile professional organization that is a strategic partner in the delivery of innovative business solutions.” ITSD plays a leading role by providing and supporting an IT infrastructure that is responsive, modern, adaptable, flexible and secure. The directorate also provides the full range of information management services to the Agency. Finally, the Chief Information Officer and ITSD staff make significant contributions to broader Government of Canada IT initiatives and innovations.
5. Phase I of this audit, which was approved by the Agency President on March 27, 2018, focused on IT governance. The Phase II report focuses on IT general controls and activities established by ITSD, namely systems development and change management, IT business continuity and physical protection, IT operations, and IT security.
6. IT is defined as any equipment or system that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information. It includes all matters concerned with the design, development, installation and implementation of information systems and applications to meet business requirements. IT general controls relate to operating systems, applications and databases supporting the operation of information systems, and form the foundation of the IT control environment. Examples of IT general controls include system access controls, change management controls, and backup and recovery controls. These controls apply to all system components, processes and data within the Agency’s operating environment. In addition, they are designed and established to ensure the proper development and implementation of applications, as well as to safeguard the integrity of programs, data files and computer operations.
7. While this audit is focused on the IT general controls within ITSD, it should be noted that, in December 2017, the Vice-President, Corporate Affairs Sector issued an email to all Agency staff highlighting the risks of using unauthorized Web applications and software that store information on third-party cloud services where the information is not held on Government of Canada premises. This is generally described as using shadow IT, which refers to any application or transmission of data, relied upon for business processes, which is not under the jurisdiction of the Chief Information Officer. In these cases, the Chief Information Officer has not been part of the development of these items, may not be aware of all of them, and is not in a position to assume responsibility for supporting them. It is important for the Agency to avoid using shadow IT, particularly as business lines may try to find workarounds to implement requirements that may not have been funded in the project prioritization process. Cloud infrastructure, when not properly architected, designed, developed and implemented, can increase costs and privacy risks and reduce opportunities for system optimization in the longer term.
8. Finally, in February 2016, ITSD’s budget allocation was approved by the Executive Management Committee for a three-year increase to address technical/IT debt and to introduce a culture of innovation into the Agency. In fiscal year 2017-18, the Agency allocated approximately $12.5M to ITSD to support IT program management and service delivery. For 2018-19, the funding was increased to $15 million. On April 1, 2018, there were approximately 100 employees (excluding students and casuals) working at ITSD to manage and deliver IT services to the Agency.
Audit objective and scope
9. The audit objective was to determine the existence and effectiveness of IT general controls within ITSD.
10. The audit was conducted in 2 phases. Phase I focused on IT governance and Phase II focused on IT general controls in place over IT systems development and change management, IT business continuity and physical protection, IT operations, and IT security. The Phase II scope included controls that were in place in fiscal years 2016-17 and 2017-18. The scope did not include any activities which were not under the control of ITSD. Internally, these exclusions consist of Web-related activities performed by the Communications and Parliamentary Affairs Directorate, and operations under the purview of the Business Development and Services Directorate, such as prototyping activities in the replacement of the Public Service Resourcing System and Priority Information Management System. Externally, these exclusions cover infrastructure and related operations managed by Shared Services Canada.
11. In addition, the scope of this audit excluded the Agency’s information management processes, as an information management audit was conducted in 2014. The scope of the audit also did not include IT controls relating to financial reporting systems, since these were included in an external review completed at the end of fiscal year 2016-17.
12. The following audit procedures were performed:
- interviews with Agency management, selected IT governance committee members and staff;
- walk-throughs of key processes;
- reviews and analyses of documents; and
- process mapping.
13. For the purpose of this audit, key control objectives were adopted from the Committee of Sponsoring Organizations 2013 Framework developed by the Committee of Sponsoring Organizations of the Treadway Commission, from the Control Objectives for Information and Related Technology 5 framework, which was developed by the Institute of Information Systems Audit and Control Association, and from the Institute of Internal Auditors Global Technology Audit Guides. The audit team also consulted Treasury Board and other federal government sources of IT policies, guidance and directives.
Statement of conformance
14. The audit is in conformance with the Internal Audit Standards for the Government of Canada, as supported by the results of the quality assurance and improvement program.
Audit findings and recommendations
IT systems development and change management
15. Criterion. It was expected that controls over systems development adequately outlined specific phases, documentation requirements, change management processes, approvals and checkpoints to control the development and implementation process.
16. Conclusion. Systems development and change management controls are in place and are working as intended. A systems development life cycle management process is established that uses a gated governance approach. Quality control and unit testing are performed by the systems development function to support effective application development. Prior to the introduction of new systems and applications, user acceptance testing is performed and approval is obtained from the appropriate governance body. An opportunity for improvement was identified for ITSD to ensure that the processes and controls in place which produce system documentation, user guides, user training and usability testing are properly designed and implemented, in support of ongoing system use and maintenance.
17. It was expected that the systems development life cycle methodology incorporated controls that accommodated design, development and maintenance, and ensured that new or revised software was properly implemented. The following presents the main findings by sub-criteria.
18. Agile. The Government of Canada Information Technology Strategic Plan 2016-20 sets out that application development teams should adopt a modern agile approach where a customized or in-house solution is the only IT system choice. ITSD software development teams are implementing agile methodology to manage adjustments by using sprints to complete smaller application components so that clients may see early results, which serve to guide further development work. Some interviewees indicated that there is a risk that code developed during these sprints may not have sufficient quality to reduce future maintenance costs. These types of risks are being mitigated by ITSD through supervisor and manager reviews of work performed.
19. Commercial off-the-shelf software. Commercial off-the-shelf software that is purchased by ITSD is subject to the same controls as customized, in-house solutions in order to minimize the potential risks to the IT operating environment. As a result, all software that is to be supported goes through an extensive approval and procurement process. In addition, to reduce and eventually eliminate shadow IT, any new cloud application must be vetted by the appropriate governance bodies and approved by the Chief Information Officer or Vice-President, Corporate Affairs Sector before it can be installed.
20. For both customized and commercial off-the-shelf solutions, a defined project review and approval process exists with gates that are clearly understood and implemented. Specifically, ITSD has put in place a well-documented, seven-gate governance system for full projects that starts with a business case and concludes with a project close-out review and report.
21. Source code control. Source code is a collection of computer instructions written in a programming language. Source code controls are designed and implemented to manage version control during the software development phase. Within ITSD, integration and version control tools are in place and are applied to source code. Most source code is currently stored in a secure Git repository. Releases are tested in a pre-production environment, and suitable integration tools and version control methods are being implemented. The exception is source code developed for financial systems, which is stored in a legacy, unsupported system (Visual Source Safe). This legacy system will no longer be used at the Agency when the new financial system (Systems, Applications and Products) is implemented. It should be noted that the infrastructure for version control and code release is currently being re-assessed by ITSD in light of current Shared Services Canada priorities.
22. Risk management. Since software development projects contain uncertain elements, project managers and software development team members must have controls in place to identify, assess and prioritize risks and mitigation strategies. ITSD has put controls in place to ensure that software development risks are documented and managed on a per project basis. Identified project risks are reviewed through the IT governance framework in place within the Agency.
23. System documentation. The software development cycle includes the production of documentation that supports end users, the Helpdesk and software maintenance. Within the Agency, there is a general concern that systems have not had sufficient documentation to support their ongoing maintenance and use. This is particularly the case for legacy systems currently in use. In general, little comprehensive knowledge of these systems exists outside the systems development team, which has made it challenging for the Helpdesk to support them. This lack of knowledge capture is further compounded when developers leave the Agency. It should be noted that ITSD is not directly involved in the development of user guides and training, which are considered to be the responsibility of the business client. Overall, system documentation is a historical issue for the Agency that the Chief Information Officer is aiming to correct in the development and implementation of new systems.
24. Quality control during coding. All code is reviewed and tested during systems development to ensure that it is free from errors, easy to maintain and efficient and that it conforms to standards. The System Engineering Division database team writes scripts and performs peer reviews of these scripts within their section. In addition, all coding changes performed by the Application Services Division are formally peer-reviewed by the project team and tested for errors using various tools. To facilitate system maintenance as modules are developed, domain of control is limited for each module. To assist with this modularization, a software architect has recently been hired, which is a role that is new for the Agency.
25. Quality assurance and user acceptance testing. Operational and functional quality is assured by 2 levels of independent, post-development testing: quality assurance and user acceptance. There is an independent quality assurance function in ITSD that executes and monitors the bug resolution life cycle. Tests performed begin with requirements testing against usage scenarios, but also include sophisticated technical tests. These are followed by a post-release sanity check. User acceptance testing is the responsibility of business owner groups and is performed by business analysts who are members of the client team and/or working groups. These 2 levels of independent, post-development testing are performed only with the Public Service Resourcing System and Priority Information Management System. In other projects, such as those involving Finance and the Personnel Psychology Centre, business user requirements are insufficiently defined to enable a clear distinction between quality assurance and user acceptance testing. A process to address this situation has been initiated within the Application Services Division.
26. Recommendation 1. It is recommended that the Chief Information Officer ensure that the processes and controls in place to produce system documentation, user guides, user training and usability testing are properly designed and implemented to support ongoing use and maintenance.
27. Change management framework. A documented, defined change request and approval process exists and is understood by the Agency staff who were interviewed as part of this audit. There is a control in place to ensure that system and software maintenance issues come through the ITSD Helpdesk before they are handed over to Application Services Division developers for assessment and prioritization. Developers do not accept change requests directly and refer clients to the Helpdesk, which is the general process control. The fixes that are applied to existing systems are considered changes and generally follow the same documented seven-gate governance process as projects. IT governance bodies within the Agency examine all modifications made to ensure that the change has been validated, tested and approved before being introduced.
28. Emergency change requests. A control process has been designed and is working as intended to address emergency change requests. The controls in this process include documented processes to request an emergency change, grant approval and record the change. All emergency changes must be evaluated and approved by the appropriate committee. There is a process in place for this committee to review emergency change requests outside of regularly scheduled meetings. Testing occurs in order to validate changes before they are put into production.
IT business continuity and physical protection
29. Criterion. It was expected that effective processes and controls were in place to ensure IT functioned during normal business operations and continued following a disaster or system failure. It was also expected that physical protection of assets was in place.
30. Conclusion. Processes and controls have been designed and are working as intended to allow IT to function during normal business operations and to continue following a disaster or system failure. The IT component of the business continuity plan has been appropriately designed to meet Government of Canada Security Policy requirements. The audit also found that data and application back-ups are sufficient, thereby meeting the Agency’s requirements. There was an opportunity for improvement regarding testing the IT component of the business continuity plan on a regular basis to ensure that it functions as intended during emergencies. A second identified opportunity for improvement concerned improving IT asset inventory management record-keeping practices.
IT functioning during normal and emergency situations
31. During normal business operations, ITSD works with Shared Services Canada to ensure that Agency IT systems and operations are functioning in support of program management and delivery. Data and application back-ups are the responsibility of Shared Services Canada and are monitored by ITSD officials. The audit found that during normal business operations, data and applications are backed up and periodic restoration is performed.
32. An Agency Emergency Management Business Continuity Program and Business Resumption Plan are in place that meet the design requirements of the Government of Canada Operational Security Standard – Business Continuity Planning Program. IT business continuity planning is an element of an organization’s overall Business Continuity Program and includes the development of plans, measures, procedures and arrangements to ensure minimal or no interruption to the availability of critical IT services and assets. The IT component of the Agency Business Continuity Program, as designed, meets expectations, and ITSD is responsible for managing the IT service response. The Agency Business Continuity Program was updated in August 2016 and again in August 2017 to ensure that the names related to the roles and responsibilities were up to date. This is an effective manner of ensuring that the Business Continuity Program is up to date and ready to be used when required.
33. The non-IT components of the Business Continuity Program were activated in spring 2017 during the Ottawa and Gatineau river valley floods, which saw the closure of federal government buildings in Gatineau, on the Quebec side of the Ottawa River, for a number of days. The IT component of the Business Continuity Program was not required to be activated at that time; as a result, it was last substantially tested in fall 2015. The COBIT 5 framework recommends that Business Continuity Program testing occur at least annually. Regular testing of the Business Continuity Program in general, and of the IT component of the Business Continuity Program in particular, ensures that it is current, identifies unanticipated challenges and provides assurance of an organization’s ability to execute the plan.
34. Recommendation 2. It is recommended that the Vice-President, Corporate Affairs Sector ensure that all components of the Business Continuity Program (including the IT components) are tested and exercised on a regular basis and that lessons learned are documented and used to inform changes to the Business Continuity Program as required.
Safeguarding of IT assets
35. The Agency is responsible for safeguarding IT assets that are primarily end user computing devices: personal computers, laptops, monitors and tablets. The audit found that all assets reviewed were appropriately secured in locked spaces or with cable locks.
36. In order to evaluate IT inventory management practices, the audit team reviewed a sample of IT assets that were included in the inventory management system (Basset Pro) and determined whether the assets were in the location specified in the system. The audit found that 47 of the 134 items tested (35%) were not in the location identified in the system when the audit test was performed. It is important from a safeguarding of IT assets and security perspective to ensure that the inventory management system lists items in the proper location so that the maintenance of assets and security of access to the Agency network can be assured.
37. Inventory record-keeping for portable storage devices could also be improved. According to a Treasury Board 2014 Information Technology Policy Implementation Notice, departments and agencies must maintain records of the portable storage devices issued within their organization. At a minimum, the record should contain a unique identifier such as a serial number of the portable storage device, security level of the device, and other tombstone data about the individual. The information related to portable storage devices in the Agency IT inventory management system does not include the security classification of the devices.
38. Recommendation 3. It is recommended that the Chief Information Officer review IT asset inventory management practices within ITSD to ensure that the system used to store location information is complete, accurate, reliable and up to date.
IT operations
39. Criterion. It was expected that ITSD had adequate processes in place to deliver IT services, specifically, that operational service standards for managing client requests were adequate and met. It was also expected that processes and controls for managing service requests and incidents were in place and were working as intended.
40. Conclusion. Adequate processes have been put in place by ITSD to deliver IT services for the Agency. Established plans and service standards have been documented. An opportunity for improvement was identified for the Chief Information Officer to review and update the internal controls, tools, processes and performance measurement strategies in place to manage and report on the delivery of IT service and IT Helpdesk requests.
41. The Agency IT Plan is updated annually and describes ITSD’s objectives and planned resource allocation strategies to support ongoing IT needs and approved projects. The plan is approved annually by the Executive Management Committee. Furthermore, the Chief Information Officer has assessed human resources requirements and staffing needs to implement the IT plan. A human resources plan was developed to increase the staffing level and create the skills mix necessary to implement the Agency IT Plan. ITSD is in the process of implementing its plans, which have been impacted by relatively high turnover in the past few fiscal years.
42. ITSD has developed service standards and standard operating procedures to manage most IT service delivery and client requests. There are a small number of services that do not have well documented standard operating procedures. Performance metrics to monitor the service standards of ITSD operations for the delivery of IT services to Agency employees have not been fully developed. In addition, ITSD is using an outdated ticketing system (Remedy) that neither captures all key service data nor supports the analysis required for ITSD management to properly assess service delivery. The lack of fully developed performance metrics and of a tool to capture, monitor and report on service delivery means that performance must be monitored through informal means. The current system makes it challenging for the Chief Information Officer to know whether ITSD is meeting service delivery goals in an efficient and effective manner.
43. The processes and controls in place for managing Helpdesk requests and incidents are in place and are documented. Performance measures have not been fully developed to monitor and report on compliance with Helpdesk service delivery standards. With the absence of fully developed measures or a proper system to capture data (as mentioned in paragraph 42), the Chief Information Officer is unable to formally determine whether the Helpdesk is achieving its goals. Furthermore, the inability to capture and report on this type of information does not allow for the Chief Information Officer to know whether certain issues are recurring or whether there is a pattern of Helpdesk issues that could be addressed in a systemic manner.
44. The audit team was informed that a project to address process, standard and documentation gaps in ITSD was not approved by the Executive Management Committee in fiscal year 2017-18. A limited scope version of the project was approved for 2018-19; however, the purchase and implementation of a modern service management tool was not approved by the Executive Management Committee. The Chief Information Officer informed the audit team that the limited scope decision will have to be revisited in light of the audit results in this report.
45. Recommendation 4. It is recommended that the Chief Information Officer review and update the internal controls, tools, processes and performance measurement strategies in place to manage and report on the delivery of IT service and IT Helpdesk requests.
IT security
46. Criterion. It was expected that the Agency’s information was protected and maintained in accordance with security policies, and that measures were in place to prevent unauthorized access to resources, programs and data.
47. Conclusion. The Agency’s information was protected and maintained in accordance with IT security policies, and measures are in place to prevent unauthorized access to resources, programs and data.
Policies and procedures
48. ITSD assumes its IT security responsibilities in accordance with Treasury Board and broader Government of Canada guidance. In 2011, a decision was made that the Agency would no longer produce or update Agency-specific IT security policies. This included the Agency Security Governance Framework. Since 2011, ITSD has updated, revised and developed standards and directives as needed in accordance with overall Government of Canada IT security requirements. The Chief Information Officer identified a project to review essential documentation related to Agency IT security requirements; however, it has not been fully implemented due to resource and capacity constraints. One mitigating control is the fact that the Chief Information Officer reports regularly to the Internal Audit Committee and Executive Management Committee on the state of IT security within the Agency.
49. The Agency meets the Treasury Board Operational Security Standard: Management of Information Technology Security obligation to ensure that project IT security requirements are being addressed through the development and implementation of technical security specifications. The IT Security group works on security assessment and authorizations for new projects and for projects related to maintaining or improving legacy IT systems. Project managers use the results of these reviews for decision-making.
50. The Chief Information Officer and other Corporate Affairs Sector officials participate in Government of Canada-wide IT security initiatives. For example, ITSD has a representative on the Treasury Board Secretariat (Secretariat) led Government of Canada Enterprise Security Architecture Committee, and the Security Officer from the Corporate Affairs Sector participates in the Secretariat Departmental Security Officers’ forum. Information provided in this forum helps ensure that the Agency is in compliance with the Treasury Board Directive on Departmental Security Management.
Protecting access to Agency data and programs
51. System access. Effective access controls are critical to ensuring that information and data contained in Agency systems are safeguarded from unauthorized access. These systems are used at Agency headquarters and at regional offices across Canada. The requirements for the establishment of system access controls are outlined in the Operational Security Standard: Management of Information Technology Security.
52. The audit found that ITSD has controls in place to ensure that access to IT systems is provided to new Agency employees and that access is removed from those who leave the Agency or are away from the office for extended periods. The audit team reviewed the processes used to grant user access to systems and tested the controls in place to provide local area network accounts to employees. The audit test found that all user access accounts had creation requests stored in the ticket tracking system (Remedy). When accounts are created, there is a control in place for the official who grants user access to cross-reference the new user’s application form with their security clearance.
53. The audit also found that ITSD performs monthly checks of the system in order to identify accounts that have not been used since the previous check. If ITSD officials find an unused account, a message is sent to the employee’s supervisor to find out why the user has not accessed the system. If it is found that the employee will be away for an extended period or has left the Agency, the account is deleted. In addition, once the Security service receives the employee identification card of a person who is leaving the Agency, security officials send an email to ITSD to deactivate or delete the person’s system access.
Monitoring processes to identify and respond to security issues and incidents
54. Government of Canada Cyber Security Event Management Plan. The Government of Canada Cyber Security Event Management Plan provides an operational framework for the management of IT security incidents and events that could have, or have had, an impact on Government of Canada computer networks. With a view to meeting the requirements of the Government of Canada Cyber Security Event Management Plan, the Agency Incident Response Plan provides guidance to technical and managerial staff on dealing with spontaneous incidents or changes that may affect the security of ITSD applications or infrastructure.
55. Agency Security Governance Framework. The roles and responsibilities of the Security Committee regarding Agency response to security issues are documented, and activities are reviewed on a monthly basis. There is a team within ITSD that monitors IT environment security risks, responds to incidents and tracks resolutions. Consequently, an operational framework intended to identify and respond to security issues and incidents is in place and is working as intended.
56. Monitoring Agency systems. As mentioned earlier in this report, the Agency works collaboratively with Shared Services Canada to manage IT security risks and must ensure that incidents are reported in a timely manner. The audit found that ITSD does not have tools in place to monitor log files and must obtain these from Shared Services Canada. As a result, the Agency has entered into an agreement with Shared Services Canada to automatically review its log files starting in fiscal year 2018-19. ITSD officials have access to antivirus log files but, given capacity constraints, review them only on an ad hoc basis. In practice, ITSD relies on Shared Services Canada to monitor the network and provide incident notifications. Furthermore, ITSD does not systematically scan desktop computers. However, Shared Services Canada monitors Agency network traffic and alerts ITSD when an Agency computer has been infected with malware and is attempting to communicate with a known malicious website. ITSD immediately removes the affected computer from the network and reformats it. Finally, Shared Services Canada has deployed a host-based intrusion prevention system on all desktop and mobile devices used by Agency employees.
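The alert described above (a computer on the Agency network contacting a known malicious destination) is the kind of check that the log review being transferred to Shared Services Canada would perform. The following is an added example, not Shared Services Canada's or ITSD's tooling: it parses proxy-style log lines of a constructed layout (timestamp, client IP, method, URL, status), matches destination hosts against a constructed indicator list, and returns the clients to isolate. Domain names, addresses and the log format are all invented for the illustration.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlsplit

# Constructed sample log lines (invented hosts and addresses), one request per line.
SAMPLE_LOG = """\
2018-05-03T10:15:22Z 10.20.30.41 GET http://updates.example-vendor.test/patch.cab 200
2018-05-03T10:15:40Z 10.20.30.57 GET http://cdn.evil-c2.test/gate.php?id=17 200
2018-05-03T10:16:02Z 10.20.30.41 GET https://intranet.agency.test/news 200
2018-05-03T10:16:31Z 10.20.30.57 POST http://cdn.evil-c2.test/gate.php 403
2018-05-03T10:17:05Z 10.20.30.88 GET http://notevil-c2.test/index.html 200
2018-05-03T10:17:44Z 10.20.30.57 GET http://www.evil-c2.test.example.test/ 200
this line is malformed and should be skipped
"""

# Constructed indicator list of known-malicious domains (hypothetical names).
BLOCKLIST = {"evil-c2.test", "drop-site.test"}

LINE_RE = re.compile(r"^(\S+) (\d+\.\d+\.\d+\.\d+) (\S+) (\S+) (\d{3})$")


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line; return None for lines that do not fit the layout
    so that a malformed line never aborts the whole review."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status = m.groups()
    host = urlsplit(url).hostname
    if not host:
        return None
    return {"ts": ts, "client": client, "method": method,
            "host": host.lower(), "status": int(status)}


def matches_blocklist(host: str, blocklist: Set[str]) -> Optional[str]:
    """Suffix match on whole DNS labels: a listed domain also covers its
    subdomains (cdn.evil-c2.test), but not look-alike names that merely end
    in the same characters (notevil-c2.test) or that embed the listed domain
    in the middle (www.evil-c2.test.example.test)."""
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def find_infected_hosts(log_text: str, blocklist: Set[str]) -> Dict[str, List[Tuple]]:
    """Return {client_ip: [(timestamp, host, matched_indicator, status), ...]}.
    A blocked request (status 403) still counts: the machine attempted the
    contact, which is the evidence of compromise."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        indicator = matches_blocklist(rec["host"], blocklist)
        if indicator:
            hits[rec["client"]].append((rec["ts"], rec["host"], indicator, rec["status"]))
    return dict(hits)


def isolation_list(hits: Dict[str, List[Tuple]]) -> List[str]:
    """Clients to remove from the network, in a stable order for the ticket."""
    return sorted(hits)


if __name__ == "__main__":
    found = find_infected_hosts(SAMPLE_LOG, BLOCKLIST)
    for client in isolation_list(found):
        print(client, "contacted", {h[1] for h in found[client]})
```

The label-wise suffix match is deliberate: a naive `host.endswith("evil-c2.test")` would both miss nothing and wrongly flag `notevil-c2.test`, and a substring match would flag the look-alike `www.evil-c2.test.example.test`. Reviewers tuning an indicator feed should expect both kinds of near miss in real traffic.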
Controls to minimize exposure to threats to data or network security
57. ITSD has developed and implemented IT security controls to reduce exposure to network threats. A key element is patch management: patch requirements are monitored closely by ITSD and patches are prioritized based on risk. ITSD has also designed and implemented a number of other controls that reduce exposure to threats to Agency data or network security. These are described below.
58. Applying patches. The ability to quickly and systematically apply patches to operating systems, applications and devices is critical to removing vulnerabilities and reducing risks to IT systems and infrastructure. The audit found that patches to key business assets and productivity tools are managed by ITSD using the Shared Services Canada Cyber and Information Technology Security process. For assets not considered key to Agency business, owners are responsible for registering on vendor websites and forwarding security notifications to the IT Security Group mailbox for processing. However, it is not known how many asset owners have registered for security notifications or whether they are monitoring for and forwarding them. In-house applications such as the Public Service Resourcing System use open source components, which may require patches. Although some teams monitor for open source patching notifications, there is no explicit Agency policy requiring this monitoring. Furthermore, the Agency does not scan desktops for missed patches; a patch that fails to install on an individual machine therefore goes undetected, and a number of desktops may remain vulnerable even after the patch has been deployed to the desktop domain.
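The gap identified at the end of paragraph 58 (no check for desktops that missed a patch after deployment) is closed by reconciling each machine's reported installed patches against the patch catalogue. The following is an added example, not an ITSD tool: the patch identifiers, severities, release dates, supersession relationships, deadline policy and host inventory are all constructed for the illustration, and real data would come from the deployment system's per-host report rather than from literals.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Set


@dataclass(frozen=True)
class Patch:
    patch_id: str
    severity: str                        # "critical", "important" or "moderate"
    released: date
    supersedes: frozenset = frozenset()  # earlier patch IDs this one replaces


# Constructed policy: maximum days a patch may remain uninstalled, by severity
# (hypothetical values, not the Agency's actual service standard).
DEADLINE_DAYS = {"critical": 7, "important": 30, "moderate": 90}
SEVERITY_RANK = {"critical": 0, "important": 1, "moderate": 2}

# Constructed patch catalogue (hypothetical identifiers).
CATALOGUE = [
    Patch("KB-1001", "critical", date(2018, 4, 10)),
    Patch("KB-1002", "important", date(2018, 3, 1)),
    Patch("KB-1003", "moderate", date(2018, 1, 15)),
    Patch("KB-1004", "critical", date(2018, 4, 24), frozenset({"KB-1001"})),
]

# Constructed inventory: installed patch IDs as reported by each desktop.
INVENTORY = {
    "PC-0101": {"KB-1001", "KB-1002", "KB-1003", "KB-1004"},   # fully patched
    "PC-0102": {"KB-1002", "KB-1003"},                         # missed both criticals
    "PC-0103": {"KB-1004", "KB-1003"},                         # superseding patch present
    "PC-0104": set(),                                          # never reported anything
}


def missing_patches(installed: Set[str], catalogue: List[Patch]) -> List[Patch]:
    """A patch counts as present if it, or a patch that directly supersedes it,
    is installed. Supersession is resolved one level deep here; a real
    catalogue would need the transitive closure."""
    superseded_by: Dict[str, Set[str]] = {}
    for p in catalogue:
        for old in p.supersedes:
            superseded_by.setdefault(old, set()).add(p.patch_id)
    missing = []
    for p in catalogue:
        if p.patch_id in installed:
            continue
        if superseded_by.get(p.patch_id, set()) & installed:
            continue
        missing.append(p)
    return missing


def compliance_report(inventory: Dict[str, Set[str]], catalogue: List[Patch],
                      today: date) -> List[dict]:
    """One row per (host, missing patch), ordered so that the most severe and
    most overdue items come first. A host that reports nothing shows up as
    missing everything, which is the correct alarm for a machine that never
    checked in rather than a clean result."""
    rows = []
    for host, installed in inventory.items():
        for p in missing_patches(installed, catalogue):
            age = (today - p.released).days
            overdue = age - DEADLINE_DAYS[p.severity]
            rows.append({"host": host, "patch": p.patch_id, "severity": p.severity,
                         "days_since_release": age, "days_overdue": max(overdue, 0)})
    rows.sort(key=lambda r: (SEVERITY_RANK[r["severity"]], -r["days_overdue"], r["host"]))
    return rows


if __name__ == "__main__":
    for row in compliance_report(INVENTORY, CATALOGUE, date(2018, 5, 1)):
        print(row)
```

The same reconciliation answers the question raised earlier in the paragraph about asset owners who register for vendor notifications: if the catalogue is populated from those notifications, a vendor whose advisories never appear in it is one whose owner is not forwarding them.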
59. Employee awareness and training. Sufficient training and information to promote IT security awareness is provided to Agency employees to highlight potential IT security threats and how they may be avoided. The main awareness activities are emails to employees and security updates posted on the Agency intranet site, which provide general and specific information when a security threat is active or imminent. Furthermore, all employees are required to take an IT security course at the Canada School of the Public Service (A230), which presents general information on security, including cybersecurity. The IT security team, which participates in all IT projects, also takes specialized courses.
60. Legacy systems. The audit found that all major applications such as the Public Service Resourcing System and Priority Information Management System have been assessed for security and are fully authorized to operate in the production environment. Other applications are currently being evaluated as part of an Agency applications rationalization project, or will be assessed under an ongoing security assessment and authorization project.
61. Webmail. Adequate controls are in place to protect the Agency against the confidentiality risks inherent in the use of webmail. The audit found that a web filter (WebSense), which is under Shared Services Canada control, blocks employee access to webmail but not to certain social media sites. It is to be noted that the filter currently in use is no longer supported by its vendor and therefore no longer receives updates; Shared Services Canada is planning to upgrade this tool.
62. Scanning for vulnerabilities. For various reasons such as a virus, system exploit or failed update, a system may have or develop an unexpected vulnerability; hence, there is a need to scan for known vulnerabilities. The audit found that once a week, the Agency Security group scans Agency desktops using a vulnerability identification tool (Nessus). Shared Services Canada also performs a weekly scan of Agency servers and web applications using this tool. It is expected that Shared Services Canada will replace this tool in fiscal year 2018-19.
63. System hardening. System hardening is essential for systems that are accessible via the Internet. The audit found that recommended security controls have been applied to secure (harden) Agency operating systems. It is noted that fully up-to-date hardening, including the blocking of non-secure media from desktop USB ports, requires the implementation of Windows 10. As Windows 10 has not been fully implemented at the Agency, software restrictions have been put in place as a mitigating control to decrease exposure to potential threats.
64. In conclusion, the results of this audit provide reasonable assurance that ITSD has designed and implemented IT controls that are generally working as intended. Systems development and change management controls are in place that employ a gating governance approach. Quality control and unit testing are performed prior to the introduction of new systems and applications, user acceptance testing is performed and approval is obtained from the appropriate governance body. Processes and controls have been designed and put in place to allow IT to function during normal business operations and to continue following a disaster or system failure. The audit also found data and applications are backed up in a sufficient manner to meet the Agency’s requirements. Established plans and service standards have been documented and adequate processes have been put in place by ITSD to deliver IT services. Finally, the Agency’s information was protected and maintained in accordance with IT security policies, and measures are in place to prevent unauthorized access to resources, programs and data.
65. The following opportunities for improvement within the ITSD IT control environment were identified:
- The Chief Information Officer should ensure that the processes and controls in place to produce system documentation, user guides, user training, and usability testing are properly designed and implemented to support ongoing use and maintenance;
- The Vice-President, Corporate Affairs Sector should ensure that the IT component of the business continuity plan is tested on a regular basis to ensure that it functions as intended during emergencies;
- The Chief Information Officer should review IT asset inventory management practices within ITSD to ensure that the system used to store location information is complete, accurate, reliable and up to date; and
- The Chief Information Officer should review and update the internal controls, tools, processes and performance measurement strategies in place to manage and report on the delivery of IT service and IT Helpdesk requests.
Appendix A: Management response and action plan
Senior management agrees with the recommendations and has planned the following actions:
It is recommended that the Chief Information Officer ensure that the processes and controls in place to produce system documentation, user guides, user training and usability testing are properly designed and implemented to support ongoing use and maintenance.
Management response and planned action
The Vice-President, Corporate Affairs Sector agrees with this recommendation. Although the project to address ITSD processes and controls was not approved in 2017-18, a smaller scale project was approved for 2018-19.
To fully address the audit findings, ITSD will submit a change request through governance to approve a higher scope initiative to address all of the findings from this audit. The impact will be assessed through the change management process.
The deliverables for user guides, usability testing and user training will be added in the Project Management Framework 2.0.
System documentation is included in all ITSD employee performance objectives for CS-1 (entry level) to CS-4 (manager) for 2018-19 (GCDocs # 5674600).
It is recommended that the Vice-President, Corporate Affairs Sector ensure that all components of the Business Continuity Program (including the IT components) are tested and exercised on a regular basis and that lessons learned are documented and used to inform changes to the Business Continuity Program as required.
Management response and planned action
The Vice-President, Corporate Affairs Sector agrees with this recommendation. Business Continuity Program activities were tested when Shared Services Canada moved all of the Agency's server infrastructure from Borden to Barrie in August 2017. It was an effective test of the Agency's Business Continuity Program.
The next tabletop Business Continuity Program exercise is scheduled for fall 2018. The Agency will perform a simulation every 2 years starting in 2019-20.
It is recommended that the Chief Information Officer review IT asset inventory management practices within ITSD to ensure that the system used to store location information is complete, accurate, reliable and up to date.
Management response and planned action
The Vice-President, Corporate Affairs Sector agrees with this recommendation.
Consultants were hired to catch up on service desk work. The service desk supervisor will perform a floor-by-floor exercise to tag and update the asset database.
It is recommended that the Chief Information Officer review and update the internal controls, tools, processes and performance measurement strategies in place to manage and report on the delivery of IT service and IT Helpdesk requests.
Management response and planned action
The Vice-President, Corporate Affairs Sector agrees with this recommendation. Although the project to address ITSD internal controls, tools, processes and performance measurement strategies was not approved for 2017-18, a smaller scale project was approved for 2018-19.
As per recommendation 1, to fully address the audit findings, ITSD will submit a change request through governance to approve a higher scope initiative to address all of the findings from this audit. The impact will be assessed through the change management process.
Appendix B: References (non-exhaustive)
- COBIT 5 Framework, Information Systems Audit and Control Association
- Global Technology Audit Guides, Institute of Internal Auditors
- Policy Framework for Information and Technology, Treasury Board of Canada
- Policy on Internal Control, Treasury Board of Canada
- Policy on Government Security, Treasury Board of Canada
- Policy on Management of Information Technology, Treasury Board of Canada
- Directive on Management of IT, Treasury Board of Canada
- Operational Security Standard Management of Information Technology Security, Treasury Board of Canada
- Standard on Web Interoperability, Treasury Board of Canada
- Top 10 IT Security Actions to Protect Government of Canada Internet-Connected Networks and Information, Communications Security Establishment (CSE)