Horizontal Internal Audit of Information Technology Security in Large and Small Departments (Phase 1): Summary of the Audit
Office of the Comptroller General
This summary is a complement to the Final Report for this audit which contains information severed in accordance with the Access to Information Act.
Audit Objectives and Scope
The objectives of this audit were to determine whether:
- Governance frameworks over Information Technology (IT) security were in place within departments as well as across government; and,
- Selected control frameworks were in place in departments to mitigate IT security risks.
The scope of this audit included the governance and control frameworks over IT security for unclassified government networks as at . Classified networks were excluded from the scope of this audit, given their nature, complexities and unique risks.
Why This Is Important
The federal government is entrusted with safeguarding a vast amount of personal and sensitive information in delivering its programs and services to Canadians, and it relies heavily on IT. Federal government systems are part of Canada's critical infrastructure and constitute an attractive target for foreign military and intelligence services, criminals, and terrorist networks.
The widespread use and reliance on IT, coupled with the ever-increasing interconnectedness of IT systems and the pace at which IT is evolving, exposes today's organizations to a wide array of security risks. In the wake of several recent, highly publicized cyber attacks Footnote 1 in the public and private sectors around the world, the World Economic Forum flagged IT security as one of the biggest risks for 2015. The recent massive cyber attack on the United States Office of Personnel Management, which compromised the private information of millions of current, former and prospective government employees and their families, has demonstrated the significance of this risk for government.
As the Government of Canada proceeds with standardizing, consolidating and modernizing its current aging IT infrastructure, it will need to ensure that strong governance and control frameworks are in place to mitigate rapidly evolving IT security risks.
Summary of Key Findings
Governance frameworks over IT security
The audit examined whether governance frameworks over IT security for unclassified government networks were in place. Overall, the audit found that elements of such frameworks were in place but that improvements are needed.
The audit noted that government-wide policy direction for IT security has been established via the Treasury Board policy framework, with more up-to-date technical guidance recently provided in certain areas; however, foundational policy instruments need to be updated to better reflect the government's current operational environment, including clarifying roles and responsibilities. Namely, Treasury Board policy instruments need to address the consolidation of the IT infrastructure for 43 government organizations (referred to in this report as the shared IT infrastructure) under Shared Services Canada. Furthermore, although Shared Services Canada has provided high-level guiding principles to these 43 organizations (referred to in this report as partner organizations), the audit noted a need for Shared Services Canada to further define operational roles, responsibilities and expectations with its partner organizations. Within departments, the audit also noted a need to update existing IT security policies.
In support of security governance, several interdepartmental committees were established to address matters relating to IT security across government; however, the audit found that coordination between interdepartmental committees could be improved. The audit also noted that governance structures were in place in most departments to support the coordination of IT security activities, and that the structures were aligned with government-wide policy requirements.
The audit found opportunities for improving existing risk management processes to better inform strategic planning for securing government systems.
Finally, the audit noted a need to improve IT security monitoring and reporting frameworks at the government-wide, departmental and IT infrastructure levels.
Selected control frameworks
The audit examined selected control frameworks for unclassified government networks as at .
Overall, the audit found opportunities to enhance the control frameworks examined for the IT infrastructure Footnote 2 as well as within most departments.
Overall, the audit noted a need for improvements to both governance frameworks and controls over IT security within departments, as well as across government, to mitigate IT security risks and properly safeguard government systems against rapidly evolving threats.
Recommendations and Management Response
The findings and recommendations of this audit were presented to each of the large departments, lead security agencies (including the Treasury Board of Canada Secretariat), Shared Services Canada, and the small departments included in the scope of the audit.
Management has agreed with the findings included in this report and will take action to address all applicable recommendations.
- Date modified: