Aboriginal Affairs and Northern Development Canada. Internal Audit Report Summary. Audit of Information Technology Security.

Similar documents
Public Safety Canada. Audit of the Business Continuity Planning Program

Reviewed by ADM(RS) in accordance with the Access to Information Act. Information UNCLASSIFIED.

Audit of Information Technology Security: Roadmap Implementation

Internal Audit Report. Electronic Bidding and Contract Letting TxDOT Office of Internal Audit

Follow-up on Audit of Security for Sensitive Inventories

REPORT: Audit of Information Technology (IT) Security. AAFC Office of Audit and Evaluation CFIA Audit and Evaluation Branch

Follow-up to Information Technology Security Audit

NERC Staff Organization Chart Budget 2019

NERC Staff Organization Chart Budget 2019

Audit of the Departmental Control Framework for the Management of Personal Information (Privacy)

REPORT 2015/149 INTERNAL AUDIT DIVISION

REPORT 2015/010 INTERNAL AUDIT DIVISION

STATE OF NORTH CAROLINA OFFICE OF THE STATE AUDITOR BETH A. WOOD, CPA FAYETTEVILLE STATE UNIVERSITY

Qualification Specification. Level 2 Award in Cyber Security Awareness For Business

Status of Cyber Security Implementation at Canadian NPPs

NERC Staff Organization Chart Budget 2018

The Office of Infrastructure Protection

t a Foresight Consulting, GPO Box 116, Canberra ACT 2601, AUSTRALIA e foresightconsulting.com.

Chapter 18 SaskPower Managing the Risk of Cyber Incidents 1.0 MAIN POINTS

Information Security Continuous Monitoring (ISCM) Program Evaluation

Avanade s Approach to Client Data Protection

Security and Privacy Governance Program Guidelines

REPORT 2015/186 INTERNAL AUDIT DIVISION

AUDIT UNITED NATIONS VOLUNTEERS PROGRAMME INFORMATION AND COMMUNICATION TECHNOLOGY. Report No Issue Date: 8 January 2014

NATIONAL DEFENSE INDUSTRIAL ASSOCIATION Homeland Security Symposium

WECC Internal Controls Evaluation Process WECC Compliance Oversight Effective date: October 15, 2017

SERVICE DESCRIPTION ISO Lex. Certifications

The Texas A&M University System Internal Audit Department MONTHLY AUDIT REPORT

An Overview of ISO/IEC family of Information Security Management System Standards

SSAE 18 & new SOC approach to compliance. Moderator Name: Patricio Garcia Managing Partner ControlCase Attestation Services

Archived Content. This content was archived on June 24, 2013.

BPS Suite and the OCEG Capability Model. Mapping the OCEG Capability Model to the BPS Suite s product capability.

Postal Inspection Service Mail Covers Program

UNIVERSITY OF NORTH CAROLINA CHARLOTTE

NERC Staff Organization Chart Budget 2017

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

Tools & Techniques I: New Internal Auditor

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Data Theft

Policy. Business Resilience MB2010.P.119

"Charting the Course... Certified Information Systems Auditor (CISA) Course Summary

CERT Symposium: Cyber Security Incident Management for Health Information Exchanges

manner. IOPA conducts its reviews in conformance with Government Auditing Standards issued by the Comptroller General of the United States.

NERC Staff Organization Chart Budget 2017

STAFF REPORT. January 26, Audit Committee. Information Security Framework. Purpose:

Cyber Security Program

The HITRUST CSF. A Revolutionary Way to Protect Electronic Health Information

John Snare Chair Standards Australia Committee IT/12/4

Protecting information across government

EUROPEAN ICT PROFESSIONAL ROLE PROFILES VERSION 2 CWA 16458:2018 LOGFILE

Convergence of BCM and Information Security at Direct Energy

Information for entity management. April 2018

FISMA Cybersecurity Performance Metrics and Scoring

Cybersecurity for Health Care Providers

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Unauthorized Access

PREPARING FOR SOC CHANGES. AN ARMANINO WHITE PAPER By Liam Collins, Partner-In-Charge, SOC Audit Practice

Achilles System Certification (ASC) from GE Digital

Threat and Vulnerability Assessment Tool

Qualification Specification. Level 2 Award in Cyber Security Awareness For Business

Texas A&M University: Learning Management System General & Application Controls Review

April Appendix 3. IA System Security. Sida 1 (8)

Stephanie Zierten Associate Counsel Federal Reserve Bank of Boston

Safeguarding unclassified controlled technical information (UCTI)

Government of Canada Information Technology Incident Management Plan

FFIEC Cyber Security Assessment Tool. Overview and Key Considerations

The Common Controls Framework BY ADOBE

COMMENTARY. Federal Banking Agencies Propose Enhanced Cyber Risk Management Standards

IT Audit Process Prof. Liang Yao Week Six IT Audit Planning

General Information Technology Controls Follow-up Review

Operational Risk Management: Major Processes and Assignments

Checklist: Credit Union Information Security and Privacy Policies

Technology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited

Management s Response to the Auditor General s Review of Management and Oversight of the Integrated Business Management System (IBMS)

300 Riverview Plaza Odysseus Marcopolus, Chief Operating Officer Trenton, NJ POLICY NO: SUPERSEDES: N/A VERSION: 1.0

SOC 2 examinations and SOC for Cybersecurity examinations: Understanding the key distinctions

IT Attestation in the Cloud Era

Virginia State University Policies Manual. Title: Information Security Program Policy: 6110

Canada Life Cyber Security Statement 2018

GOVERNANCE, RISK MANAGEMENT AND COMPLIANCE TRENDS BY FCPAK ERIC KIMANI

Texas Reliability Entity, Inc. Strategic Plan for 2017 TEXAS RE STRATEGIC PLAN FOR 2017 PAGE 1 OF 13

An Introduction to the ISO Security Standards

Information Security Program Audit Introduction and Survival Guide

DOD Medical Device Cybersecurity Considerations

Objectives of the Security Policy Project for the University of Cyprus

National Policy On Classified Information Spillage

Cyber Security Summit 2014 USCENTCOM Cybersecurity Cooperation

Information Security Policy

ENISA s Position on the NIS Directive

Information Security Incident Response and Reporting

Putting It All Together:

AUDIT OF ICT STRATEGY IMPLEMENTATION

Internet of Things Toolkit for Small and Medium Businesses

Cyber Security Standards Drafting Team Update

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Elevation of Privilege

STRATEGY ATIONAL. National Strategy. for Critical Infrastructure. Government

Asda. Privacy and Electronic Communications Regulations audit report

The NIST Cybersecurity Framework

Standard CIP Cyber Security Critical Cyber Asset Identification

Critical Infrastructure Protection Version 5

Infosec Europe 2009 Business Strategy Theatre. Giving Executives the Security Management Information that they Really Need

Privacy Breach Policy

Transcription:

Aboriginal Affairs and Northern Development Canada Internal Audit Report Summary Audit of Information Technology Security Prepared by: Audit and Assurance Services Branch April 2015 NCR#7367040 - NCR#7358318 - v10 Audit Working PaperNCR#7358318 v5

TABLE OF CONTENTS Acronyms... 2 Background... 3 Audit Objective... 3 Audit Scope... 4 Observed Strengths... 4 Findings... 4 Conclusion... 5 Statement of Conformance... 5 Summary of Audit Criteria... 5 Audit of Information Technology Security Audit Report Summary 1

Acronyms AANDC DSO DSP IT ITSC MITS Aboriginal Affairs and Northern Development Canada Departmental Security Officer Departmental Security Plan Information Technology Information Technology Security Coordinator Operational Security Standard: Management of Information Technology Security Audit of Information Technology Security Audit Report Summary 2

Background As a federal government department, Aboriginal Affairs and Northern Development Canada (AANDC) is governed by the Treasury Board of Canada Secretariat s (TBS s) Policy on Government Security. Government security, in this overarching policy, refers to the assurance that information, assets and services are protected against compromise and individuals are protected against workplace violence. Elaborating on the information and information technology (IT) security aspect is the Treasury Board s Operational Security Standard: Management of Information Technology Security (MITS), which defines the baseline security requirements that federal departments must fulfill to ensure the security of information and information technology assets under their control. According to MITS, IT security is defined as the safeguards to preserve the confidentiality, integrity, availability, intended use and value of electronically stored, processed or transmitted information and, for the purposes of the standard, the safeguards applied to the assets used to gather, process, receive, display, transmit, reconfigure, scan, store or destroy information electronically. An effective security program combines tools and technologies to protect information and systems, and the coordination of a variety of stakeholders. At AANDC, two key roles with responsibility for IT security are the Departmental Security Officer (DSO), a Director of Security and Occupational Health and Safety, within the Human Resources and Workplace Services Branch, and the IT Security Coordinator (ITSC), a Manager of IT Security, within the Information Management Branch headed by the Chief Information Officer. The ITSC reports functionally to the DSO on security-related matters. In 2011, Shared Services Canada was established and has assumed responsibility for the delivery, and related security, of some IT services including email, data centres (with related hardware and systems software), telecommunication networks services and aspects of cyber security formerly provided by AANDC. The risks associated with the use of information technologies evolve as technologies continue to become more interconnected. AANDC s reliance on IT to process, store and transmit information in support of continuous program delivery combined with the Department s need to safeguard that information underscore the necessity of sound IT security controls and practices. This audit was added to the Department s 2014-15 to 2016-17 Risk-Based Audit Plan at the request of the Deputy Minister of AANDC. Audit Objective The objective of the audit was to determine the adequacy and effectiveness of: the governance framework in place over IT security to protect the security of departmental information, and help to ensure compliance with the Policy on Government Security and the Operational Security Standard: Management of Information Technology Security; and, selected control frameworks in place to mitigate IT security risks. Audit of Information Technology Security Audit Report Summary 3

Audit Scope The scope included an examination of governance, risk management and key IT security controls designed to protect the security of information and information assets, and to help ensure compliance with the Policy on Government Security and the Operational Security Standard: Management of Information Technology Security. In addition to the governance framework for all aspects of IT security, specific testing considered IT security controls over a selection of applications and network folders, as well as the controls implemented to protect desktops/laptops and removable media. In particular, the audit work included: An examination of the IT security governance and risk management processes in place to manage the IT security program in the Department. This area focused on the IT security policy framework; IT security governance, roles and responsibilities; IT security planning and risk management; human resources planning; and compliance with federal government requirements. An examination of controls for a selection of areas where data is stored electronically within the Department, namely within applications and, if data is downloaded, on desktops/laptops or removable storage devices. The period from July 2013 to December 2014 was included in scope, with most emphasis on more recent activities. The audit excluded the assessment of business continuity planning and IT security activities under the responsibility of Shared Services Canada. Audit fieldwork was mostly conducted at Headquarters but regional input was obtained with the help of a questionnaire sent to all regions. Observed Strengths The following strengths were identified during the audit: Governance - Key roles with responsibility for IT security, namely the DSO and the ITSC, have been clearly assigned and a departmental Security Committee facilitates the working relationship. Awareness - IT security is integrated into the security awareness program. Findings Based on a combination of the evidence gathered through the examination of documentation, analysis, interviews and process walk-throughs, each audit criterion was assessed. Where a significant difference between the audit criterion and the observed practice was found, the risk of the gap was evaluated and used to develop a conclusion and to document recommendations for improvement. Audit of Information Technology Security Audit Report Summary 4

Observations were noted in the following areas during the audit: IT security awareness IT security incident management Policy framework Governance Planning and risk management Compliance Internal reporting Access to applications and data Conclusion The audit found that, while some of the elements that would be expected of an IT security program are in place, opportunities to improve the governance framework exist in the areas of IT security policy requirements, responsibility for IT security in the regions, risk management and proactive planning, on-going monitoring of compliance with federal government requirements. Opportunities also exist to improve some access controls relating to applications and data. The audit resulted in seven recommendations. Statement of Conformance The Audit of Information Technology Security conforms with the Internal Auditing Standards for the Government of Canada, as supported by the results of the quality assurance and improvement program. Summary of Audit Criteria 1. Governance over IT Security 1.1 IT security policies aligned with the government s IT security policy framework have been developed and communicated across the Department. 1.2 Departmental oversight bodies for the management of IT security have been established. 1.3 A current IT security plan exists and is aligned with government-wide priorities. 1.4 An HR Plan for IT security staff exists and is aligned with priorities and plans. 1.5 A Departmental approach to managing IT security risks has been implemented. 1.6 Reporting on compliance and IT Security performance informs decision-making. 2. IT Security Practices over Departmental Data 2.1 Controls are in place to restrict access to applications and network shares. 2.2 Controls are in place to restrict access to privileged accounts. 2.3 A security awareness program is in place. 2.4 A process exists to effectively manage IT security incidents that includes identification, detection, response and recovery procedures. Audit of Information Technology Security Audit Report Summary 5

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback