Shared Services Canada: Standing Committee on Government Operations and Estimates—March 22, 2023
Document navigation for "Standing Committee on Government Operations and Estimates: March 22, 2023"
On this page
Cyber security overview
Context
Explaining Shared Services Canada (SSC)’s role in addressing cyber security, which is a shared responsibility with other agencies, such as the Treasury Board of Canada Secretariat—Office of the Chief Information Officer (TBS-OCIO) and the Communications Security Establishment (CSE), which holds the Canadian Centre for Cyber Security (CCCS).
Suggested response
- SSC works diligently to keep networks safe, secure and accessible for Canadians
- SSC applies cyber security measures to identify and prevent malicious actors from gaining access to government networks by using firewalls, network scans, anti-virus, anti-malware, identification and authentication tools and services
- Cyber security is a shared responsibility between SSC, the CSE, Treasury Board Secretariat (TBS) as well as departments and agencies
- When a cybersecurity event occurs, SSC and its partners coordinate to determine root causes, limit impact and undertake recovery
- SSC supports the effective design, delivery and management of IT security initiatives
If pressed on current and future cyber security investments:
- The government is investing $515.8 million over 6 years for SSC, CSE, and Treasury Board of Canada Secretariat (TBS) to address the rapidly evolving cyber threat landscape
- The proposed funding will help:
- support cloud security at SSC
- expand cyber security protection for small departments agencies
- support SSC’s security information and event management system
- modernize the government’s approach to cyber security
- support TBS’s associated efforts to reinforce government cyber security
- SSC responsibilities include government networks, email, data centres, and classified IT infrastructure
If pressed on SSC’s responsibility versus that of CSE:
- Although most security systems used to protect the government’s IT infrastructure are designed and managed by SSC, CSE also uses an array of its own complimentary solutions to supplement the SSC-managed security systems
- While SSC provides IT security infrastructure, CSE monitors government systems and networks for malicious activities and cyber-attacks and leads the government's operational response to cyber security events
If pressed on any particular cyber event (Exchange Vulnerability, Log4j, Print Nightmare, Global Affairs Canada incident, National Research Council incident, etc.):
- SSC has people, technology and processes in place to safeguard systems, and works collaboratively with TBS, CSE and federal departments to detect and respond to cyber threats
- When a cyber security event occurs, SSC and other federal departments coordinate to determine root causes, limit impact and undertake recovery
- The risk of cyberattacks is persistent and requires constant vigilance
Auditor General report on cybersecurity of personal information in the cloud
Context
The Office of the Auditor General of Canada has tabled in parliament a report in November 2022 that includes a chapter on cybersecurity of personal information in the cloud.
Suggested response
- We accept the recommendations made by the Office of the Auditor General. This audit will help SSC strengthen its operating framework for cloud services
- Protecting the government’s systems and information is a shared responsibility across 3 organizations: SSC, the TBS and the CSE through the Canadian Cyber Centre for Security
- SSC enables smart cloud adoption across departments so they can harness the benefits of cloud technology by providing:
- an easy and secure access to cloud services
- a secure network connection between government applications hosted in the cloud and government data centres
- operational guidance and support
- A number of strict security requirements, which includes cloud guardrails, must be met before departments can begin to store data in the cloud
If pressed on cyber event management:
- The government has adopted an operational framework to manage potential cyber security events that could impact, or threaten to impact, its ability to deliver programs and services to Canadians
- Cyber events include cyber threats, vulnerabilities or security incidents
- SSC plays a key supporting role in the Government of Canada Cyber Security Event Management Plan, which is maintained by TBS. For example, SSC is part of the governance, with involvement in event management and event coordination team, and actively participates in yearly tests and practices
If pressed on cloud:
- SSC acts as a centre of excellence for cloud services, providing technical expertise and tools to guide departments on cloud adoption
- SSC provides guidance on security standards to support departments in their secure and agile adoption of cloud services
- SSC is also automating the validation, monitoring, and reporting of the minimum set of controls that departments must implement to prevent and detect cyber threats. SSC is also establishing pilots to test their effective implementation
If pressed on security:
- The protection and privacy of the government data stored and processed in the cloud is a top priority for SSC
- To securely use cloud services, each department must implement and maintain specific security guardrails, which are a minimum set of controls that departments must implement to prevent and detect cyber threats
- SSC is working with departments to ensure the systems are robust, perform the services required of them, and are hosted in modern and secure environments
- SSC continues to work closely with TBS to strengthen security validation and enforcement guardrails
- Measures are also in place to enforce where data resides and how it is controlled
Government of Canada readiness for return to the worksite
Context
There are concerns that when large numbers of public servants return to the worksite, the underlying information technology (IT) infrastructure will not effectively function.
Suggested response
- From the onset of the COVID-19 pandemic, SSC rapidly and effectively responded through enabling remote work for thousands of public servants ensuring continued service delivery to Canadians
- SSC will continue to ensure service delivery to Canadians by public servants, whether it is from their home-based office or Government of Canada worksites, all while following the guidance from the TBS Office of the Chief Human Resources Officer
- SSC has been working with departments to ensure IT networks are supporting their employees as they transition to hybrid work
- SSC is working with departments to prioritize Government of Canada worksites to enable a smooth return for employees
Shared Services Canada 2021 to 2022 Departmental Results Report
Context
The president of the Treasury Board tabled SSC’s 2021 to 2022 Departmental Results Report (DRR) in Parliament on December 2, 2022. This report provides details on SSC’s mandate, commitments and results achieved in 2021 to 2022.
Suggested response
- SSC had many accomplishments in 2021 to 2022, as it played a key role in supporting the shift to a hybrid workplace for employees and equipping them with modern digital tools
- SSC’s enterprise approach ensured that critical programs and benefits continued to be delivered in a secure, fast, and reliable way to Canadians during the pandemic
- SSC’s experience in delivering digital services to its partners helped it to provide quick and agile IT solutions during this time of transition, such as:
- fully enabling Microsoft 365 for 39 partners, and equipping employees with the tools to collaborate internally and roll out programs and benefits
- rapidly improved bandwidth by 66% to ensure there was a reliable network
- increased secure remote access capacity by 111% to support public servants connecting from home
If pressed on further accomplishments:
- SSC’s work with partners across the Government of Canada allowed them to rely on a secure and efficient digital infrastructure to deliver critical online services to Canadians. For example, SSC supported Statistics Canada in the first-ever Canadian digital census by:
- powering 700 servers to support census collection, data processing and dissemination and equipping 22 virtual offices and 6 call centres across the country for census staff
If pressed on expenses and revenues:
- Expenses for 2021 to 2022 were $593 million higher than planned. The 3 major expenses were salaries and employee benefits, representing the largest portion of expenses, followed by telecommunications and rental expenses
- Revenues for 2021 to 2022 were $282 million higher than planned. Of these, the majority are re-spendable revenues related to IT infrastructure services provided to departments and agencies on a cost recoverable basis
If pressed on procurement:
- In 2021 to 2022, SSC developed an agile contracting framework to execute procurement projects that will provide better outcomes, faster delivery, more effective use of private sector expertise and that better meets the needs of the end-user
- SSC is focused on effective IT procurement that drives innovation and economic growth, and advances environmental and socio-economic objectives, including relations with Indigenous peoples
If pressed on human resources and pay system:
- SSC is working with the TBS and Public Services and Procurement Canada (PSPC) to examine the viability of adopting a new government-wide model for human resources (HR) and pay and identify an HR and pay solution that will serve the enterprise and employees
- 3 additional departments were added to the pilot project that will allow SSC to test the software against more complex pay requirements and to assess the accessibility features of the tool and operability in both official languages
- SSC will determine a recommendation based on the results and data gathered from pilot studies with select departments
If pressed on cloud:
- In 2021 to 2022, SSC made continuous upgrades to its client-facing cloud services portal. It added the cloud documentation portal as an enterprise platform to share information with departments and agencies to support their migration to cloud
If pressed on Government of Canada network hubs:
- A Government of Canada network hub provides direct and secure access to network providers, such as the cloud, at sites across the country rather than routing everything through the National Capital Region
- In 2021 to 2022, SSC completed the upgrades to 2 Government of Canada network hubs in Toronto and Montreal, and implemented secure cloud enablement and defence into both hubs
- Through these Government of Canada network hubs, SSC also established a secure cloud to ground connection for 18 departments to provide secure communication between the network and cloud service providers
If pressed on telecommunication tools:
- In 2021 to 2022, the Teams component of M365, which offers conferencing capabilities, has been deployed to all of SSC partners. M365 capabilities have also been fully enabled for 39 out of 45 partners with built-in security requirements
- There are only 13 remaining partners using an in-house email service which will be included in the next migration. All other partners have now been migrated to the M365 enterprise email
- The increased use of mobile devices and desktop communications throughout the government has reduced the need for traditional, wired office desk phones. SSC is retiring all landlines, except for those identified as essential. By the end of 2021 to 2022, SSC vendors disconnected 17,515 fixed lines out of the total 48,586 identified by partners
Document navigation for "Standing Committee on Government Operations and Estimates: March 22, 2023"
Page details
- Date modified: