Identity and Access Management - Phase 2
Privacy Impact Assessment (PIA) summary – Administration Directorate, Finance and Administration Branch
Overview & PIA Initiation
Government institution
Canada Revenue Agency (CRA)
Government official responsible for the PIA
Mark Perlman
A/ Assistant Commissioner, Finance and Administration Branch
Head of the government institution or Delegate for section 10 of the Privacy Act
Marie-Claude Juneau
ATIP Coordinator
Name and description of program or activity of the government institution
Travel and Other Administrative Services:
- Travel and Other Administrative Services include Government of Canada (GC) travel services, as well as those other internal services that do not smoothly fit with any of the internal services categories.
The Canada Revenue Agency’s (CRA) PAA Internal Services includes sub-sub-program activity 7.6.9.2 Security and Internal Affairs.
Description of the class of record and personal information bank
Standard class of record:
Security (Info Source Web Site)
Proposal for a new standard personal information bank:
Identity and Access Management
Legal authority for program or activity
Personal information is collected pursuant to paragraph 30(1)(a) of the Canada Revenue Agency Act, which grants responsibility to the CRA for “general administrative policy in the Agency”.
The Canada Revenue Agency Act is supplemented by the Treasury Board Secretariat’s Policy of Government Security and Directive on Identity Management, and by the CRA’s Access Accountability and Authentication to Agency Information Technology Systems Policy and Information Security and Information Technology Security Framework.
Summary of the project / initiative / change
The CRA’s Security and Internal Affairs Directorate is currently establishing an Identity and Access Management (IAM) Program, and concurrently managing a multi-phased, multi-year project to optimize IAM business processes.
Identity and Access Management will standardize and automate enforcement of the rules and business processes used to manage internal access to CRA data. This will improve monitoring, auditing, and reporting of identity and access provisioning to help ensure compliance with relevant legislation, security-related policies, standards, and best practices. The IAM solution will help the Agency address enterprise risks related to the protection of information and more easily satisfy audit, compliance, and legislative requirements for managing data.
The IAM project currently has four planned phases: (1) Information Resourcing: completed; (2) Identity Synchronization: in execution; (3) Password Management: in detailed planning; and (4) Access Management: undefined. As some aspects of the program are still being defined, the scope of this PIA is limited to Phase 2; once the other phases are determined, the PIA will be updated as required.
Phase 2 - Identity Synchronization is the integration and synchronization of user identities (Authoritative Identity Store) from across all CRA computing infrastructure and applications to lay the foundation for improving the security and integrity of system access. Phase 2 addresses the following:
- the means to link all user identity accounts for the same person using a new Universal Unique Identifier (UUID) generated by the IAM tool
- the means to suspend exception accounts that cannot be linked to an authenticated user
- the ability to generate reports on users, groups of users, and exception accounts
- the means to report accounts that contain or lack criteria mandated by security Policy
Risk identification and categorization
A) Type of program or activity
Administration of Programs / Activity and Services
The Authoritative Identity Store (AIS) will populate an identity record for every CRA system user based on the information available from current computing environments. The AIS and related tools will link user accounts to the identity record based on unique identifiers from each computing environment, and will maintain a record of every Agency system user and their associated accounts. Linking decisions will be made mostly by automated means, but only when unique identifiers match; all other linking decisions will be made manually by identifying and confirming an owner.
Level of risk to privacy: 2
B) Type of personal information involved and context
Only personal information, with no contextual sensitivities, collected directly from the individual or provided with the consent of the individual for disclosure under an authorized program.
The information that will be used was collected directly from the individual by the CRA and is described in the standard personal information bank Employee Personnel Record PSE 901. The use of the personal information for the purpose of confirming the identity of individuals for access to government databases is identified as a consistent use of the information. There are no contextual sensitivities associated with the personal information.
Level of risk to privacy: 1
C) Program or activity partners and private sector involvement
With other federal institutions
Shared Services Canada (SSC) will support CRA infrastructure; however, SSC employees will not have access to the AIS database.
Level of risk to privacy: 2
D) Duration of the program or activity
Long-term program
The CRA is establishing a long-term Identity and Access Management Program to gain efficiencies and bring consistency in the overall management of identities and access to CRA systems. Projects are currently ongoing to make improvements to current processes and technology to enable the Program to attain its objectives.
Level of risk to privacy: 3
E) Program population
The program affects all employees for internal administrative purposes.
In Phase 2, Identity Synchronization, the goal is to positively identify every electronic User ID with a civil identity. All employees, including contractors, external partners and others who have a User ID on CRA systems, should be in the AIS (Authoritative Identity Store). External partners, for example, are assigned a CAS User ID and Partner Organization Name in the CAS TEMP TABLE, which is part of the CAS extract file pulled into the AIS.
Level of risk to privacy: 2
F) Technology & privacy
Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?
Risk to privacy: Yes
Does the new or modified program or activity require any modifications to IT legacy systems and / or services?
Risk to privacy: Yes
The new or modified program or activity involves the implementation of one or more of the following technologies:
Use of Surveillance – The AIS system architecture includes a Log Server. The AIS Historical Log will record information such as user logon ID, date and time of logon and logout, user location, terminal identity, and the name and ID of client records accessed, including edits or changes made during each user session. This information is used to verify that the User ID or user account is positively linked to an individual. Monitoring of audit trails is limited to random “spot checks” to ensure compliance with policies and standards, and to a case-by-case basis in response to an individual’s complaint, in support of an investigation into allegations or suspicion of unauthorized access, or in response to an ATIP request. Audit trail reports are considered Protected B information as defined by the Identifying Protected and Classified Information and Assets Policy. Consequently, the communication of the request, the audit trail report, and the results of its analysis must be restricted to individuals with a “need to know”.
Use of automated personal information analysis, personal information matching and knowledge discovery techniques – The AIS and related tools will link user accounts to the identity record based on unique identifiers from each computing environment, and will maintain a record of every CRA system user and their associated accounts. Linking decisions will be made mostly by automated means, but only when unique identifiers match; all other linking decisions will be made manually by identifying and confirming an owner.
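As an added illustration of the Phase 2 steps described above (linking accounts under a generated UUID, suspending exception accounts, and reporting), and not code from the CRA or the IAM project: accounts from several environments are linked only when an assumed unique identifier (an employee number, used here as the matching key) agrees; accounts without one are suspended and queued for manual owner confirmation. System names and sample data are constructed.

```python
import uuid
from dataclasses import dataclass, field

@dataclass
class Account:
    system: str                  # source environment, e.g. "CAS" (constructed names)
    user_id: str                 # account name within that system
    employee_no: "str | None"    # unique identifier assumed for automated matching
    status: str = "active"

@dataclass
class Identity:
    ais_uuid: str                # UUID generated by the IAM tool for this person
    employee_no: str
    accounts: list = field(default_factory=list)

def synchronize(accounts):
    """Link accounts into identity records; return (identities, exception accounts).
    Linking is automatic only when the unique identifier matches; accounts with
    no usable identifier are suspended and queued for manual owner confirmation."""
    identities, exceptions = {}, []
    for acct in accounts:
        if not acct.employee_no:
            acct.status = "suspended"
            exceptions.append(acct)
            continue
        ident = identities.setdefault(acct.employee_no,
            Identity(ais_uuid=str(uuid.uuid4()), employee_no=acct.employee_no))
        ident.accounts.append(acct)
    return identities, exceptions

def link_manually(identities, acct, employee_no):
    """Apply the result of a manual owner confirmation and reactivate the account."""
    ident = identities.setdefault(employee_no,
        Identity(ais_uuid=str(uuid.uuid4()), employee_no=employee_no))
    acct.employee_no, acct.status = employee_no, "active"
    ident.accounts.append(acct)
    return ident

def summary(identities, exceptions):
    """Reporting view: linked accounts per identity plus the open exception queue."""
    return {"identities": len(identities),
            "linked": {i.ais_uuid: [f"{a.system}:{a.user_id}" for a in i.accounts]
                       for i in identities.values()},
            "exceptions": [f"{a.system}:{a.user_id}" for a in exceptions
                           if a.status == "suspended"]}

# Constructed sample: one person with accounts in two environments, one orphan account.
SAMPLE = [Account("CAS", "jdoe", "E1001"), Account("mainframe", "JDOE01", "E1001"),
          Account("CAS", "svc_report", None), Account("mainframe", "ASMITH", "E1002")]
```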
G) Personal information transmission
The personal information is transferred to a portable device or is printed.
Select employees within the Information Security Division (ISD) will be able to print out reports from the AIS database. The circulation of these reports will be restricted to employees within ISD with a need to know.
There is no requirement to transfer these reports to removable media at this time.
Level of risk to privacy: 3
H) Risk impact to the individual or employee
Reputation harm, embarrassment.
The employee data stored in IAM Phase 2 is classified as Protected “A”. Much of the information exchanged between IAM users and the associated applications is designated Protected “B” and has a direct impact on the confidentiality of information; therefore, a MEDIUM sensitivity is assigned to the “Confidentiality” of IAM assets.
I) Risk impact to the institution
Reputation harm, embarrassment, loss of credibility.
There could be significant impacts due to a compromise of confidentiality of the data processed on the IAM platform, because of the “Protected” data stored on the servers.