IT Continuity Planning Follow-up Audit
Final Report
Corporate Audit and Evaluation Branch
October 2010
Executive Summary
Background: Information technology (IT) and automated information systems are vital elements in most business processes. Given that these IT resources are so essential to the success of the Canada Revenue Agency (CRA), it is critical that the services provided by these systems are able to operate effectively with minimal disruption. IT Continuity (ITC) planning supports this requirement by establishing thorough plans, procedures, and technical measures that can enable a system to be recovered quickly and effectively following a service disruption or disaster.
The Corporate Audit and Evaluation Branch (CAEB) completed an ITC Planning audit in 2004. The action plans provided by management in the 2004 report were as follows:
- IT Security and Continuity Division (ITSC) in Information Technology Branch (ITB) will prepare annual status reports for senior Agency management.
- ITSC will ensure plans are in place to complete and test Disaster Recovery Plans for all local sites [Footnote 1], national applications and the IT infrastructure by March 2006.
- ITSC will strengthen quality management practices governing IT continuity activities such as centralizing Disaster Recovery Plans and will review and sign-off on all completed plans.
- Finance and Administration Branch (F&A) and ITB will ensure that Threat and Risk Assessments (TRA) are completed and remain current so that they support ITC planning activities.
Objective: The objective of this audit was to assess the CRA's progress on action plans contained in the 2004 report of the IT Continuity Planning audit.
The examination phase of the audit was conducted from February to June 2010.
The audit was conducted in accordance with the International Standards for the Professional Practice of Internal Auditing and the Information Systems Audit and Control Association's Control Objective for Information and Related Technology.
Conclusion: Progress has been made since the 2004 audit to ensure IT service availability remains as stable as possible even during a major outage. The status of the original action plans is as follows:
- Disaster recovery (DR) exercise [Footnote 2] results are reported to the responsible groups in ITB. However, improvements are still required with respect to reporting results to senior Agency management.
- Many improvements have been made with regard to testing of the Disaster Recovery Plans but the identification of Disaster Recovery Plan requirements should be enhanced.
- ITSC has made significant progress in the centralization of the agency Disaster Recovery Plans but local site Disaster Recovery Plans still need to be included. Formal Director sign-off for local site Disaster Recovery Plans is still required.
- F&A-Security and Internal Affairs Directorate has made progress towards meeting TRA completion and review requirements. However, a common and complete list of TRAs should be developed.
Action Plan: ITB and F&A are in agreement with the recommendations and have developed action plans to address them. To ensure consistent information is shared with senior Agency management, ITB will ensure that DR exercise results will be published in the Performance Indicator Quarterly Report. They have also committed to strengthening the IT Director approval process for Disaster Recovery Plans and to continue to work towards centralizing them.
F&A developed action plans to clarify ownership and accountability of the TRA process within FAM policy Chapter 20 and to incorporate TRAs received prior to September 2008 into the annual status review process. F&A and ITB have also agreed to develop a common and complete list of TRAs.
Introduction
The Canada Revenue Agency (CRA) provides services that touch the lives of all Canadians and contribute to the ongoing economic and social well-being of Canadians. In 2009, the CRA processed over 27 million individual returns (of which more than 15 million were filed electronically), distributed more than $16 billion in benefit and credit payments, answered nearly 25 million tax and benefit enquiries, and monitored over 80,000 registered Canadian charities. [Footnote 3]
Information technology (IT) and automated information systems are vital elements in most business processes. Given that these IT resources are essential to the success of the CRA, it is critical that the services provided by these systems are able to operate effectively with minimal interruption. IT Continuity (ITC) planning supports this requirement by establishing thorough Disaster Recovery Plans, procedures, and technical measures that can enable a system to be recovered quickly and effectively following a service disruption or major outage.
One of the first elements to consider in Information Security is a Threat and Risk Assessment (TRA). The purpose of a TRA is to categorize IT assets, examine the different threats that may jeopardize them, and identify and correct the most immediate and obvious security concerns.
The Corporate Audit and Evaluation Branch (CAEB) completed an ITC Planning audit in 2004. The action plans provided by management in the 2004 report were as follows:
- IT Security and Continuity Division (ITSC) in Information Technology Branch (ITB) will prepare annual status reports for senior Agency management.
- ITSC will ensure plans are in place to complete and test Disaster Recovery Plans for all local sites, national applications and the IT infrastructure by March 2006.
- ITSC will strengthen quality management practices governing IT continuity activities such as centralizing Disaster Recovery Plans and will review and sign-off on all completed plans.
- Finance and Administration Branch (F&A) and ITB will ensure that TRAs are completed and remain current so that they support ITC planning activities.
Focus of the Audit
The objective of the audit was to assess the CRA's progress on action plans in the 2004 report of the IT Continuity Planning audit.
The audit was conducted at Headquarters (HQ) in the Operations Services Directorate of ITB, and the Security and Internal Affairs Directorate (SIAD) of F&A, and in selected offices in the Atlantic and Pacific regions.
The audit examination phase was performed between February and June 2010.
The audit was conducted in accordance with the International Standards for the Professional Practice of Internal Auditing and the Information Systems Audit and Control Association's Control Objective for Information and Related Technology.
Findings, Recommendations and Action Plans
1.0 Monitoring and Reporting
Monitoring and reporting ensure that stakeholders are aware of how quickly and effectively systems can be recovered following a service disruption or major outage.
Disaster Recovery (DR) exercise results are reported to the responsible groups in ITB. However, forums in which results were previously shared with other stakeholders are no longer available since the Data Centre Recovery project [Footnote 4] went into operation. As a result, stakeholders may not be aware of the extent or the results of the DR exercises.
While other agency performance indicators are currently reported to various stakeholders in the performance indicator quarterly report (PIQR) prepared by ITB's Data and Technology Infrastructure Management Directorate (DTIM), DR exercise results are not currently included in the PIQR.
Further, the current reporting process does not communicate either the extent or the results of the DR exercises to senior Agency management.
Recommendation
DR exercise results should be included in the performance indicator quarterly reports prepared by DTIM in order to provide consistent information to senior Agency management.
Action Plan
ITB will publish the exercise results in the Performance Indicator Quarterly Report.
Target date: September 2010
2.0 Disaster Recovery Plans
Since the 2004 IT Continuity Planning audit, ITB has complied with the policies, procedures and guidelines relating to Disaster Recovery Plans. ITSC has created the Continuity Analysis and Recovery Tool (CART) to centralize all agency Disaster Recovery Plans and to review them for completeness of information. In addition, ITB has written a guide, Standard for Creating and Maintaining Disaster Recovery Plans, which is available on the Branch Intranet site.
Disaster Recovery Plans are required for the following: national applications, national IT infrastructure and local sites. As of June 2010, 95.6% of national applications had a Disaster Recovery Plan in CART. As a result, national applications that do not have a Disaster Recovery Plan may not be part of the testing process. At this time, ITB is reviewing the national IT infrastructure Disaster Recovery Plans stored in CART to ensure they are current and complete.
Most local site Disaster Recovery Plans are not stored in CART. As a result, Disaster Recovery Plans for local sites are not centralized, the quality of the Disaster Recovery Plans has not been validated by ITSC and they may not have been tested. The local disaster recovery process requires the regional director's userid and an email from the IT employee completing the Disaster Recovery Plan as an implicit approval of a Disaster Recovery Plan, and does not require formal director sign-off as with TRAs. Consequently, the responsible directors may not be fully aware of their sites' Disaster Recovery Plan requirements or if their respective Disaster Recovery Plans are sufficient.
Current ITB processes for identifying Disaster Recovery Plan requirements are not always effective. ITB's Standard for Creating and Maintaining Disaster Recovery Plans states that the RC502 ITB work order process is one way that the requirement for a Disaster Recovery Plan can be identified. Currently, the identification of a requirement for a Disaster Recovery Plan is not formalized within the RC502 process.
ITB conducts infrastructure disaster recovery exercises called CODE ORANGE Exercises. These are paper walkthrough exercises to ensure all information is current and that stakeholders are aware of the procedures in a timely manner. To ensure readiness, stakeholders are not informed of these exercises prior to conducting them.
Since 2005, ITB has conducted 10 data centre DR exercises to comply with mandated government wide requirements, such as Treasury Board Secretariat's Management of IT Security (MITS) standard. The purpose of the DR exercises is to determine whether the back-up data centre is able to meet the processing needs of the CRA if the main data centre is not in operation. National application Disaster Recovery Plans are also tested during these exercises. The results are compiled and reported after every DR exercise. Each successive DR exercise includes any issues experienced or noted in the previous DR exercise to ensure they have been addressed.
Recommendations
ITB should ensure that all national application and local site Disaster Recovery Plans reside in CART and are tested.
ITB should revise the local disaster recovery process to include the requirement for formal director sign-off on Disaster Recovery Plans.
ITB should modify the RC502 (ITB Work Order) process to include the identification of a requirement for a Disaster Recovery Plan.
Action Plan
ITB - ITSC will develop a schedule with ITB-Solutions to ensure that all national applications in the Solutions Applications Catalogue have a record in the Continuity Analysis and Recovery Tool (CART).
Target date: March 31, 2011
ITB will continue to provide Regional IT Forums information related to the Local Site Disaster Recovery Plans requirements and process as well as the related Local Site DR exercises. ITB will send a reminder to the management representatives of all Local IT Sites to ensure Local Site DRPs are completed and centrally located in CART. Progress will be tracked via a DRP Aging report card.
Target date: Q3 2010-2011
ITB will provide a DRP status report to the IT Directors, who will be required to respond indicating receipt and understanding of the current status. As part of the yearly status update process, a communiqué will be sent to the IT Directors to remind them to review and update their DRPs as required. The IT Director will be required to respond within a certain timeframe.
Target date: fiscal year 2011-2012
ITB will risk manage this issue and process and will update the “Standard for Creating and Maintaining Disaster Recovery Plans” to reflect this.
Target date: September 30, 2011
3.0 Threat and Risk Assessments
The Treasury Board Secretariat (TBS) Security Organization and Administration Standard [Footnote 5] requires departments to complete TRAs for sensitive information and assets as part of the risk management approach to security. The TRA process is a part of risk management concerned with defining what requires protection, analyzing and assessing threats, analyzing and assessing risks, and making recommendations for the management of risks.
In the Finance and Administration Manual (FAM) Chapter 20, the Security Risk Management - Information Technology Risk Assessments policy does not clearly identify which CRA organization is accountable for the TRA process. Without defined ownership and accountability over the TRA process, the risk of TRAs not being completed is increased, as clients may not fully understand the process or the importance of preparing TRAs.
TRAs for national IT infrastructure, including the Mainframe, the Corporate Gateway/Firewall, the Corporate Administrative System (CAS), the Electronic Business Commerce Infrastructure (EBCI), the Distributed Computing Environment (DCE) and the Revenue Canada Network (RCNet), have been completed and are expected to be finalized by December 2010.
TRAs have not been completed for all national applications, such as Automated Collections System, Benefit Programs and Online Audit Trail System. Consequently, senior Agency management may not have assurance that risks to these applications are identified and managed.
Currently, Security and Internal Affairs Directorate (SIAD) and ITSC provide ad hoc advice and guidance for completing TRAs. SIAD is currently working on a TRA User's Completion Guide to assist clients with completing their TRAs.
FAM Chapter 20 states that TRAs are to be reviewed and updated annually or when changes to existing systems/applications are contemplated or occurring. As technology evolves, new threats and risks are introduced. TRAs should be reviewed annually to maintain CRA's management of risks.
In 2008, SIAD implemented an automated Annual Status Update (ASU) process that identifies TRAs due for review. However, this process does not apply to TRAs received prior to September 2008. It is unknown exactly how many TRAs were received prior to September 2008 and are not part of the annual review. SIAD is risk managing the issue by relying on application owners to come forward when their application undergoes modification, in which case a TRA will be completed/updated and included in the ASU process.
ITSC and SIAD maintain separate lists of TRAs for national applications, but the lists are inconsistent due to differing naming conventions and historical tracking efforts. Without a common and complete list of TRAs for all national applications, it is difficult to track and report on the status of the TRAs.
Recommendations
F&A should update the FAM policy Chapter 20 to clarify the ownership and accountability for the TRA process in CRA.
F&A-SIAD should incorporate TRAs that were received prior to September 2008 into the ASU process to ensure that they are reviewed annually as required by policy.
F&A, in partnership with ITB, should develop a common and complete list of national application TRAs.
Action Plan
F&A will modify FAM policy Chapter 20 to clarify ownership and accountability of the TRA process within CRA.
Target date: October 29, 2010
F&A will incorporate TRAs that were received prior to September 2008 into the ASU process.
Target date: March 31, 2011
F&A and ITB will develop a common and complete list of TRAs.
Target date: December 31, 2011
Conclusion
Progress has been made since the 2004 audit to ensure IT service availability remains as stable as possible even during a major outage. The status of the original action plans is as follows:
- Disaster recovery (DR) exercise results are reported to the responsible groups in ITB. However, improvements are still required with respect to reporting results to senior Agency management.
- Many improvements have been made with regard to testing of the Disaster Recovery Plans but the identification of Disaster Recovery Plan requirements should be enhanced.
- ITSC has made significant progress in the centralization of the agency Disaster Recovery Plans but local site Disaster Recovery Plans still need to be included. Formal Director sign-off for local site Disaster Recovery Plans is still required.
- F&A-Security and Internal Affairs Directorate has made progress towards meeting TRA completion and review requirements. However, a common and complete list of TRAs should be developed.