Identity and Access Management - Phase 3

Multi-institutional Privacy Impact Assessment (PIA) summary – Security and Internal Affairs Directorate, Finance and Administration Branch

Overview & PIA Initiation

Government institution(s)

This is a multi-institutional PIA comprising both Agencies. The CRA is leading the PIA.

Government official responsible for the PIA

Roch Huppé 
Assistant Commissioner and Chief Financial Officer, Finance and Administration Branch, CRA

and

Caroline Weber
Chief Privacy Officer and Vice President, Corporate Affairs Branch, CBSA

Head of the government institution or Delegate for section 10 of the Privacy Act

Marie-Claude Juneau
ATIP Coordinator, CRA

and

Dan Proulx
ATIP Coordinator, CBSA

Name and description of program or activity of the government institution

Travel and Other Administrative Services:

The Canada Revenue Agency’s (CRA) PAA Internal Services includes sub-sub-program activity 7.6.9.2 Security and Internal Affairs

Description of the class of record and personal information bank

Standard or institution specific class of record:
Security (Info Source Web Site)

Standard or institution specific personal information bank:
Identity and Access Management - Internal

Legal authority for program or activity:

Personal information is collected pursuant to paragraph 30(1)(a) of the Canada Revenue Agency Act, which grants responsibility to CRA for “general administrative policy in the Agency”. The Canada Revenue Agency Act is supplemented by the Treasury Board Secretariat Policy on Government Security and Directive on Identity Management.

Legal Authority for CRA to collect CBSA employee information:

For the administration of user accounts by the Canada Revenue Agency on behalf of the Canada Border Services Agency. The CRA is responsible under paragraph 5(1)(c) of the Canada Revenue Agency Act for implementing agreements or arrangements between the CRA and departments or agencies of the Government of Canada to carry out an activity or administer a program.

Legal Authority for CRA to collect SSC employee information:

CRA has a written collaborative arrangement with SSC that is made pursuant to section 61 of the CRA Act and is supported by the paragraph 5(1)(c) mandate provision of the CRA Act. A written collaborative arrangement to govern this is found in the “SSC-CRA IT Governance Framework For the Provision of Information Technology Services”, and an “Operating Protocol” between SSC and the CRA. The foregoing authorities and the MOU make the provision by the CRA of support and management of the SSC user accounts an authorized activity or program of the CRA. Collecting the subject personal information from SSC is part of that activity or program of the CRA.

Summary of the project / initiative / change

The CRA’s Security and Internal Affairs Directorate is currently establishing an Identity and Access Management (IAM) Program, and concurrently managing a multi-phased, multi-year project to optimize IAM business processes.

Identity and Access Management will standardize and automate enforcement of the rules and business processes used to manage internal access to CRA data. This will improve monitoring, auditing, and reporting of identity and access provisioning to help ensure compliance with relevant legislation, security-related policies, standards, and best practices. The IAM solution will help the Agency address enterprise risks related to the protection of information and more easily satisfy audit, compliance, and legislative requirements for managing data.

The IAM project currently has four planned phases: (1) Information Resourcing: completed; (2) Identity Synchronization: completed; (3) Password Management: in execution; and (4) Access Management: in detailed planning.

Phase 3 – Password Management

Password Management is being delivered in this phase of the IAM project.  Two key deliverables of this phase are password synchronization and self-service password reset.  Password management will develop and enforce security standards and policies for password management across five computing environments. Included in scope are Canada Border Services Agency (CBSA) users and Shared Services Canada (SSC) users that require access to CRA systems. 

CBSA has agreed to participate in the IAM project because the CBSA and the CRA share the information technology (IT) infrastructure; all the CBSA user accounts are on the computing environments administered by the CRA. In addition, much of the infrastructure support is now being carried out by staff within Shared Services Canada (SSC), which was established in August 2011. The SSC support staff that have accounts on the computing environments to carry out maintenance and support are also included in the IAM Project.

Implementation is anticipated to occur at the same time for all Agencies, in Q4 2015/2016.

Risk identification and categorization

A) Type of program or activity

Administration of Programs / Activity and Services

Leveraging the Authoritative Identity Store (AIS) delivered by IAM Phase 2 – Identity Synchronization, which links five major internal computing environments, IAM Phase 3 – Password Management will enable centralized management of passwords across these computing environments. Self-Service functional scope will cover CRA and CBSA users of these environments and Shared Services Canada (SSC) LAN users that require access to the environments.

Once deployed, it will leverage the existing IAM Phase 2 – AIS to perform self service password resets and/or account unlocks.

Level of risk to privacy: 2

B) Type of personal information involved and context

Only personal information, with no contextual sensitivities, collected directly from the individual or provided with the consent of the individual for disclosure under an authorized program.

The information that will be used was collected directly from the individual by the CRA and is described in the standard personal information bank Employee Personnel Record PSE 901. This includes CBSA and in-scope SSC individuals. The use of the personal information for the purpose of confirming the identity of individuals for access to government databases is identified as a consistent use of the information. There are no contextual sensitivities associated with the personal information. Phase 3 will also include new information such as: password, security identification questions selected by the user and answers for user authentication.

Level of risk to privacy: 2

C) Program or activity partners and private sector involvement

With other federal institutions

CRA and CBSA helpdesk staff will have administrative access to support users of the software. CRA and CBSA each have helpdesk staff in their respective agencies; however, CRA helpdesk staff are responsible for support of CBSA staff in the regions. Staff in SSC are responsible for 3rd level support and maintenance of the infrastructure, which includes the servers the system operates on.

Level of risk to privacy: 2

D) Duration of the program or activity

Long-term program

The CRA is establishing a long-term Identity and Access Management Program to gain efficiencies and bring consistency in the overall management of identities and access to CRA systems. Projects are currently ongoing to make improvements to current processes and technology to enable the Program to attain its objectives.

Level of risk to privacy: 3

E) Program population

The program affects all employees for internal administrative purposes.

In scope for Password Management are all end users with a standard User ID (3 Alpha + 3 Numeric) who have access to the internal network.  This also includes CBSA users and SSC users supporting the CRA systems, as previously described.   Out of scope will be administrative accounts, generic accounts, system accounts, testing accounts, taxpayers, and vendors.

Level of risk to privacy: 2

F) Technology & privacy

Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?

Risk to privacy: Yes

Does the new or modified program or activity require any modifications to IT legacy systems and / or services?

Risk to privacy: Yes

The new or modified program or activity involves the implementation of one or more of the following technologies:

Use of Surveillance – Within the system, Password Synchronization Agent logging can contain the following: error messages and diagnostic (process flow, trace) messages.

Application Server log:
Displays information about all of the components in an Identity Manager installation, and provides details about all operations in Identity Manager.

Directory Server log file:
Contains information about activity that occurs in the user directory.
Authentication success and failure, intruder lockouts and security change requests and approvals, for both users and administrators, are logged by the solution.
All log data is directed to an internal database table (a session log), which includes time, date, event type, target system ID, requester user ID, recipient user ID, administrator ID (if any), results and any error messages.  Passwords are not stored in the log files or revealed by the system.

In cases of allegations of CBSA / SSC employee misconduct, authorized staff in CRA would provide the log files to internal affairs of the respective organization to investigate.

Use of automated personal information analysis, personal information matching and knowledge discovery techniques – In Phase 3 there is no additional automated personal information analysis; the Operating System logs on eBCI and Windows servers capture the transactions. These transactions contain several pieces of information, including the user ID and the user device IP address. These logs are then sent to the ArcSight system for analysis if necessary.

G) Personal information transmission

The personal information is transferred to a portable device or is printed.

Currently only the CRA AIS Support Group has access to the AIS database; however, it is anticipated that select security personnel in CBSA will have access to Phase 3 reporting functionality. System permissions would be used to facilitate their access requirements. The data will be segregated so that each agency can see only its own data.

There is no requirement to transfer these reports to removable media at this time.

Level of risk to privacy: 3

H) Risk impact to the individual or employee

Reputation harm, embarrassment.

The employee data, including the security questions and passwords, are rated as Protected “B”.

I) Risk impact to the institution

Reputation harm, embarrassment, loss of credibility.

In the event of a privacy or security breach, there could be significant impacts due to a compromise of confidentiality of the data processed on the IAM platform, because of the “Protected” data stored on the servers.  The safeguards and controls in place mitigate these risks.
