Public Services and Procurement Canada
Follow-up to the audit of information technology security: Summary

On this page

• Introduction
• Audit objective
• Audit scope
• Observations
• Management response
• Audit methodology

Introduction

1. This engagement was included in the Public Services and Procurement Canada (PSPC) 2020 to 2021 Risk-Based Audit Plan.

2. PSPC supports the Government of Canada’s daily operations as provider of common services for federal departments and agencies. Many of these services are enabled by information technology (IT), which in a fast-evolving global technology environment is an increasing source of risk to the confidentiality, integrity and availability of information and systems upon which the department depends to operate.

3. As a federal department, PSPC must adhere to the Treasury Board Secretariat’s baseline security requirements, as outlined in the Policy on Government Security and associated Directive on Security Management, which came into effect on July 1, 2019. The policy’s objectives are to effectively manage government security controls in support of the trusted delivery of Government of Canada programs and services and in support of the protection of information, individuals and assets, and to provide assurance to Canadians, partners, oversight bodies and other stakeholders regarding security management in the Government of Canada. It also requires each department to establish a security program for the coordination and management of departmental security activities, which includes 8 defined security control areas, 1 of which is cyber security (IT Security).

Audit objective

4. The objective of this engagement was to provide assurance that appropriate mechanisms were in place to adequately manage cyber security risks. This included assurance that program management controls of the Departmental Cyber Security Program were in place and operating as intended, that PSPC business applications were patched in a timely manner, and that PSPC effectively managed emerging cyber security risks in its operations during COVID-19.

Audit scope

5. The audit scope period covered the timeframe from August 1, 2019 to November 30, 2020. Relevant information obtained subsequent to our examination phase was considered.

6. The audit assessed the processes and controls in place over Cyber Security for the following key control areas:

• Cyber Security Program Management
• Patch and Vulnerability Management
• management of emerging cyber security risks due to COVID-19

7. This audit did not assess areas identified in the Audit of IT Security completed in October 2019.

8. The audit also excluded an examination of human resources and pay systems.

Observations

9. Audit observations were developed through a process of comparing criteria (the correct state) with condition (the current state). Audit observations noted satisfactory performance, where the condition meets the criteria, or they may note areas for improvement, where there was a difference between the condition and the criteria. Where applicable, recommendations were made toward conditions that were noted as areas of improvement. An overall audit conclusion was also made against the audit objective.

10. The observations, recommendations, and conclusion of this internal audit engagement were reported to the senior management and the PSPC Departmental Audit Committee.

Management response

11. Management agrees with the findings and accepts the recommendations of this internal audit. Where applicable, the Digital Services and Departmental Oversight branches have developed action plans to address findings and recommendations, the implementation of which will be monitored by the Office of the Chief Audit, Evaluation and Risk Executive.

12. PSPC is committed to ensuring that the key control activities to mitigate IT security risks are designed, implemented and operating as intended.

Audit methodology

13. The internal audit was conducted in accordance with the International Standards for the Professional Practice of Internal Auditing, as supported by the results of the quality assurance and improvement program.