Follow-up to Information Technology Security Audit

Transcription

1 Follow-up to Information Technology Security Audit July 2004

2 Report Clearance Steps Follow-up process initiated September 2003 Report completed March 2004 Follow-up report approved by Departmental Audit and July 22, 2004 Evaluation Committee Acronyms used in the report AEB DAEC EC IM IT NCR Audit and Evaluation Branch Departmental Audit and Evaluation Committee Information Management Information Technology National Capital Region i

3 New Follow-up Process As of the May 23, 2003, meeting of the Departmental Audit and Evaluation Committee (DAEC) a new approach to follow-ups is being taken. While the practice in the past had been for the Audit and Evaluation Branch (AEB) to conduct them, it is now the responsibility of the relevant program managers to conduct follow-ups to recommendations resulting from audits or evaluations of their own programs. This information is provided in table format in Appendix 1 of this report. The information provided by program managers has been reviewed by the AEB and a brief context is provided below. Context This follow-up to the Information Technology Security Audit completed in the Spring of 2001 is being done to determine the adequacy, effectiveness and timeliness of management action taken to implement the recommendations and management proposed actions made in the initial Review. Follow-ups are important, as they give senior management a crucial indicator as to the implementation rate of recommendations and adjustments made in relation to the management responses. The Treasury Board Secretariat requires departments to audit their Information Technology Security. At the time the initial audit was to be conducted, the department was also to embark on the development of an IM/IT Strategy and had to assess the level of its IT security. Therefore, the Audit took a broader approach that included several areas of IT security including: organization and administration of IT security, personnel security, physical security, hardware and software, communications security and operations security. Furthermore, EC has a Government-wide Mission Critical level A system for the Meteorological Services of Canada requiring 24hour/7day operations. The initial audit concluded that EC has a well managed IT Security system as demonstrated by the Y2K preparedness exercise, the 1998 ice storm and the I luv you virus. It was also found that the MSC maintains high value information and the department generally uses many best practices. However, it was also indicated that as the level of awareness of IT management improves, there will be an increased need for training. The report also found that those involved in the development of secret or sensitive documents did not have secure tools to conduct department wide consultations, and the Government On Line initiative will add higher demands on the system. The Report made five recommendations to address areas of concerns. IM/IT Management agreed with the recommendations and provided responses including a plan of action. Current Status Recommendations made in the initial audit and responses from IM/IT management are provided in Appendix 1. Also included in the Appendix are measures taken or planned to address the proposed actions. The follow-up audit has concluded that program managers have implemented or are implementing all proposed actions. 1

4 Based on the recommendations made in the initial audit and the management response in Appendix 1, AEB has not identified any unacceptable risks. Future Actions Since all agreed actions have been implemented, AEB recommends no further action is required. 2

5 Appendix 1 FOLLOW-UP AUDIT OF INFORMATION TECHNOLOGY SECURITY - TABLE OF RECOMMENDATIONS - Prepared by Director General Information Management and Technology Services Human Resources and Service Innovations as of October 23, 2003 Note: this document contains references to the Systems and Informatics Directorate (SID). SID was integrated into the Information Management and Information Technology Directorate (IM-ITD) in June IM-ITD is now responsible for the implementation of the recommendations contained in this follow-up audit. 3

6 APPENDIX 1 PROGRAM RESPONSE: FOLLOW-UP TO AUDIT OF INFORMATION TECHNOLOGY SECURITY RECOMMENDATION 1: MANAGEMENT Addressed X Partially Addressed Not Addressed INITIAL CONTEXT & RECOMMENDATION INITIAL MANAGEMENT RESPONSE ACTIONS TAKEN TO DATE ACTION PLAN The Department has in place the decision-making infrastructure, namely the business tables and ITAC, to improve the management and administration of Information Technology Security as well as to ensure consistency in policy and procedures application and monitoring across the Department. The business tables are the key decision points of the Department and ITAC is composed of the most senior informatics advisors, experts and managers. However, currently ITAC is not currently aligned with reporting to Management, Administration and Policy (MAP) table. Given that CMC/MSC plays an important role network s structure, a realignment of its role on ITAC should be considered. The adjustment of the reporting relationship has already been noted in the Review of Office Technology conducted AGREE SID is working with representatives from the Services/Regions in evaluating the role of all groups reporting to the e-government Integration Committee (EGIC). ITAC is being addressed as part of this exercise. We recognize the importance of having all players involved in Information Technology Security (Information Technology Security) and all program/table interests addressed through this exercise. The resulting realignment of roles and reporting relationships will, hopefully, allow us to address the concerns that you have identified in this area. Timeline: June 2001 Proposed Action: Complete EGIC EGIC review of committees was initiated and the membership, role and responsibilities of ITAC were included. Before the renewed ITAC could be put in place, the roles of EGIC and MAP were reviewed as well. This is now completed and a revised ITAC can now be implemented. Two committees will be put in place The first one will deal with Information technology (IT) and the second with Information Management (IM). Governance processes for the committees are under development. Implementation is expected before the end of FY 03/04. The committees mandate will be closely integrated with the revised EGIC and MAP committee to ensure synergy and maximized program participation. Memorandum of Understanding and/or Service Level Agreement will be developed between MAP and MSC for the management of the departmental network. These will include the management if Information Technology Security 4

7 by the Review Branch in It is recommended that the ADM of Corporate Services in consultation with the ADM of MSC review the role of ITAC. This review should include: 1. a revised mandate for the committee and its subcommittees; 2. a change in the reporting relationship of the committee; and 3. an examination of membership and roles to ensure all stakeholders are appropriately represented. Review of Reporting Sub- Committees, under responsibility of DG/SID. This recommendation should be implemented in with minimal costs. 5

8 RECOMMENDATION 2: MANAGEMENT Addressed X Partially Addressed Not Addressed INITIAL CONTEXT & RECOMMENDATION INITIAL MANAGEMENT RESPONSE ACTIONS TAKEN TO DATE ACTION PLAN Although roles and responsibilities between SID and MSC are defined and being updated, the dispersion of responsibilities across the Department has led to fragmentation in the management and administration of Information Technology Security across the Department and as a result departmental policies and procedures are inconsistently applied. A review and redefinition of roles and detailed responsibilities would be beneficial to increase policy compliance and improve efficiency. The accountability structure between the following positions and organizations should be included in this review: Information Technology Security I Headquarters and the Regions; Business lines within Headquarters, SID and the Regions; Government On-Line secretariat; and SID and the Departmental Security Officer (DSO). It was found that some programs AGREE SID has, as part of the IM/IT Strategy development process, been examining the roles and responsibilities relating to the Information Technology Security management framework. We recognize that there are numerous shortcomings relating to functional and operational activities in this domain and have requested and will be receiving funding through Program Integrity II to address them. However, this supplementary funding is only available for the next two years. Timeline: March 2002 Proposed Action: We will take steps to clarify roles, improve policy application consistency; improve Information Technology Security planning/reporting. Specific actions will include: 1) strengthening the Information Technology Security team by creating more positions to support the program in the NCR; 2) developing/updating departmental guidelines/policies in the role of 1) Two positions were staffed in the NCR and funded through program integrity to the end of ) Incident response procedures were developed for the IT security coordinators. A process was put in place to distribute information on required software patches to guard against the rapidly growing virus threats. 3) Internet monitoring tools and tools to automatically update the desktop virus scan software were purchased. Additional support was added to existing contracts for antivirus software giving IT security coordinators an additional mechanism for obtaining assistance. Funding for was received for IT security. This will be used to fund the positions in the NCR and regions and purchase of the ongoing software licenses. Ongoing funding is required for the NCR and regional IT security officer positions and the ongoing software licences. Licence costs have increased with the increase in virus threats. A proposal for funding for IT security will be included in the long term IM/IT funding plan. Since these recommendations were made, the number, complexity and severity of virus attacks and hacking has increased dramatically and substantial amounts of time are being spent in this area across the country. Additional security measures and a redesigned IT infrastructure will be implemented over the next 4-6 months to protect EC s critical infrastructure. 6

9 or regions employ excellent practices while others partially meet policy requirements. If all the best practices currently employed in parts of the department (outlined in Annex 2) were to be come universal, there would be much progress to improving Information Technology Security as well as increase departmental compliance with TB Policy. national Information Technology Security Coordinator, and; 3) by acquiring tools to maintain operations. Actions will be under the responsibility of DG/SID. It is recommended that the DG of SID undertake to strengthen the management framework for Information Technology Security in the department. This would include: 1. greater clarification of roles and responsibilities of Information Technology Security; 2. improved coordination and consistency in policy application and procedures; 3. enhanced Information Technology Security planning; and, reporting. This recommendation should be implemented in with minimal costs. 7

10 RECOMMENDATION 3: COMMUNICATION AND TRAINING Addressed X Partially Addressed Not Addressed INITIAL CONTEXT & RECOMMENDATION INITIAL MANAGEMENT RESPONSE ACTIONS TAKEN TO DATE ACTION PLAN Within the Department one key to achieving good Information Technology Security practices is the user community. With the exception of a few select areas, user awareness was identified as a key factor in improving Information Technology Security. Users tend to have little or no Information Technology Security training and awareness about potential threats is also generally low. In addition, the existing policies and procedures have, in many instances, a low impact on the user community. This is mainly due to a lack of communication/ marketing strategy of. Information Technology Security A comprehensive Department-wide IT awareness program tied to a communication / marketing strategy should include the following attributes: one website with all Information Technology Security policies & procedures; improved information packaging and messaging to increase the impact on users AGREE We are very supportive of an Information Technology Security awareness campaign. We have, to date, taken some limited measures (regular notices to staff, special messages when particularly notable threats have been identified, etc.) and ITAC has asked that we do more. We will be promulgating more substantive products on this in the coming months. Timeline: March 2002 Proposed Action: We will be taking steps to improve information packaging and messaging to improve impact and prepare training material for delivery to staff on an as-andwhen required basis. National and Regional Information Technology Security Coordinators are assembling a communications plan to inform users on the role of Information Technology Security and why certain measures are necessary to secure the network infrastructure. This plan will Improved security information is available on the IM-IT Central web site and on the HR Orientation web site. Regular message are sent to staff informing them of virus threats. A brochure on security was created and distributed during security awareness week. A poster campaign was conducted in FY 03/04 to ensure continued attention to Information Technology Security The Use of Networks Policy has recently been approved by MAP and a communications plan for the policy will include: a log on screen, brochures, posters, Qs and As and roles and responsibilities for implementation. As part of the ITAC communications plan, improved communications materials for IT security will continue to be developed. 8

11 and ensure a consistent message across the Department (e.g., periodic refreshers; regular updates to cover new technology done in conjunction with other training; and potential for computerbased module on on-line training); and mandatory training for all employees; (e.g., a specialized package for visiting scientist/students; an orientation session). Any actions should be linked to the development of the existing commitment for the DSO launch of a department-wide security awareness program at EC. Given the wide range of responsibilities, it would be prudent that all appropriate parties be consulted in the preparation stages. combine NCR and Regional office activities to increase national consistency. Actions will be under the responsibility of DG/SID. It is recommended that the DG of SID, in consultation with the Director of Informatics at MSC, the DG, HR and the Departmental Security Office (DSO), develop an Information Technology Security awareness/ communication/marketing strategy. This recommendation should be implemented in ; the cost should be assessed by SID DG including the DSO. 9

12 RECOMMENDATION 4: TOOLS Addressed X Partially Addressed Not Addressed INITIAL CONTEXT & RECOMMENDATION INITIAL MANAGEMENT RESPONSE ACTIONS TAKEN TO DATE ACTION PLAN Monitoring is required in order to ensure processes and procedures are adhered to and implemented consistently on a departmental level in order to facilitate the detection of Information Technology Security breaches. To achieve an increased degree of assurance, stronger monitoring is required in the following areas: Information Technology Security logs built-in mechanisms related to the implementation of policies and procedures such as sign off sheets for Threat and Risk assessments. The need for external audits (RCMP) should be assessed by ITAC and the decision made at the MAP table. AGREE This recommendation has raised some technical issues that we will be addressing with regional and service IT staff (required hardware, software, technical skills, personnel required, etc.) in the coming weeks. We will provide further feedback following our discussions with these groups. Timeline: June 2001 Proposed Action: Review recommendation with technical staff and provide a formal response to Review Branch under direction of DG/SID. Funding for IT security for was obtained and is being used to improve the staffing levels and training in the NCR and regions. Monitoring and logging procedures were reviewed and enhanced. Active monitoring of network is performed on an on-going basis, in addition to log monitoring Software was acquired to enhance monitoring capacity Software is being acquired to improve Information Technology Security capacity. Long term funding is required in order to train and staff positions at the necessary levels. Acquired software and implement new processes. This will be included in the IM-IT long term plan. It is recommended that the DG of SID, in consultation with ITAC members, review options to implement appropriate software to monitor Information Technology Security logs on a departmental level. 10

13 This assessment should be conducted every two years, starting in , thus giving sufficient time to implement the recommendations of this audit. The costs should be evaluated by the DG of SID. 11

14 RECOMMENDATION 5: TOOLS Addressed X Partially Addressed Not Addressed INITIAL CONTEXT & RECOMMENDATION INITIAL MANAGEMENT RESPONSE ACTIONS TAKEN TO DATE ACTION PLAN The Department lacks efficient and effective digital tools for handling sensitive information. Personnel handling sensitive information may not be aware of alternate communications methods available and may not have adequate information to make an informed decision when electronically transmitting sensitive information. Additionally, alternate communication tools, such as secure fax machines have only recently been made operational. This has led to a situation where sensitive information is not consistently transmitted in a secure manner. Staff needs secure and efficient tools to consult rapidly their colleagues across the Department and meet the short deadlines of senior management. Staff should have tools to allow them to communicate sensitive information as efficiently as they do with regular documents. The pilot project to implement secure messaging by 2001 using PKI is certainly one step to a longer term solution. However, steps towards AGREE We are presently involved in planning for a secure messaging pilot. As you may be aware, the government-wide efforts in this area will only allow for transmission of documents up to the Secure B level. The results from our pilot should provide us with a better understanding of the relative costs and benefits of implementing the tools and processes needed to transmit at the B level. Timeline: September 2001 Proposed Action: SID to work with regions on pilot project to exchange encrypted and/or digitally signed messages up to Protected B level. Other decisions with respect to feasibility/implementation to follow. Actions will be under the responsibility of DG/SID. The pilot of PKI was successfully completed. Implementation is on hold pending the identification of EC business requirements and the related funding for the initiative. The TBS initiative for the electronic transmission of secret information was cancelled and no mechanism other than the secure fax machines has been approved for secret information in the short term. Required funding for PKI implementation will be included in the IM-IT long term plan, once departmental needs are identified. Requirements for secure communications for program related applications should be included in the development and ongoing funding for those initiatives as these requirements have not been included in the IM-IT long term plan. 12

15 improved security by examining OGDs as well as educating users of risk avoidance options may, in shorter term, result in tangible improvements. It is recommended that the DG of SID, in consultation with the Director of Informatics at MSC and the Departmental Security Office, identify and make available improved electronic tools to facilitate the transmission of secure communication. This recommendation should be implemented in ; the cost should be assessed by the DG, SID and the DSO. 13