STAFF REPORT

January 26, 2001

To: Audit Committee
From: City Auditor
Subject: Information Security Framework

Purpose:

To review the adequacy of the Information Security Framework governing the security practices within the City of Toronto in protecting the City's services, privacy and sensitive security information, and to report on deficiencies, along with recommendations for corrective action.

Financial Implications and Impact Statement:

While there are no financial implications resulting from the adoption of this report, the implementation of the recommendations in this report could improve the efficient and effective enforcement of security practices throughout the City and may result in additional costs which are unknown at this time.

Recommendations:

It is recommended that:

(1) the Commissioner of Corporate Services prepare a report outlining options available to the City to implement an Information Security Program designed to ensure:

(a) information security accountability and responsibility is clearly defined and acknowledged;
(b) all parties with a need to know, including but not limited to information owners and information security practitioners, have access to documented principles, standards, conventions or mechanisms for the security of information and information systems, and are informed of applicable threats to the security of information;
(c) and information systems addresses the considerations and viewpoints of all interested parties;
(d) information security controls are proportionate to the risks of modification, denial of use, or disclosure of the information;
(e) are co-ordinated and integrated with each other and with the City's policies and procedures to create and maintain security throughout an information system;
(f) all accountable parties act in a timely, co-ordinated manner to prevent or respond to breaches of and threats to the security of information and information systems; and
(g) the risks to information and information systems are assessed periodically;

(2) the Commissioner of Corporate Services take a leadership role in ensuring a risk assessment exercise is conducted as a prerequisite to the formulation of effective information security policies and procedures. The results of the risk assessment performed for the Year 2000 project and existing policies from former municipalities be reviewed in connection with completing this task; and

(3) the Commissioner of Corporate Services implement a user security awareness program which promotes security awareness through regular communications, and as part of the orientation program for new employees. The awareness program be reviewed on an annual basis, at a minimum, to ensure it is up to date and relevant.

Background:

The need for information security is intuitive. Information security, based on effective policies, is quickly becoming a critical business enabler, driven by e-business trends. The recent approval of the Electronic Service Delivery project demonstrates the City's direction to incorporate e-business in its service delivery model. This project will provide a common service delivery window for departmental applications to be made available through the internet.

Vulnerabilities can lead to security breach events which expose an organization, such as the City of Toronto, to reputation damage at a minimum, and potentially to serious financial losses. The challenge for the City is to ensure that the policies, procedures and processes in effect to mitigate information security risks are commensurate with the associated business risks. A review of the Information Security Framework for the City was identified as a priority project within the Audit Services 2000 Work Plan. This report contains our observations and recommendations arising from the review.

Comments:

An effective information security program is considered essential for an organization the size of the City of Toronto, with all of its different work locations, its extended network and the service objective to provide the ratepayer and City clients with the opportunity to interact with the City electronically. Prior to amalgamation, the former municipalities varied greatly in the extent of their security-related policies and procedures, the mechanism for administering the desired level of security, and the degree of resources and energy allocated to develop, implement, maintain and enforce sound security principles and practices.

To complete this review, an examination of the City's current Information Security Framework was performed. The primary objective of the review was to evaluate the effectiveness with which the City is managing information security. It should be noted that our review of the overall information security framework did not encompass a review of specific control techniques, nor did it represent a compliance check against existing policy and established procedure. Rather, our review focused on evidence of the attributes and qualities of an overall security program, such as: senior management commitment; cost-effective information security risk management practices; defined security roles and responsibilities; a mechanism for the development and implementation of security-related policy and procedures; a security awareness program; and the infrastructure to monitor compliance and to ensure enforcement of approved policies and procedures. Our approach was to evaluate the City's Information Security Framework in the context of the best practices that govern this area, along with general guidelines which address the following properties of information: confidentiality, integrity and availability.

Accountability/Responsibility

In the City's environment, best practices suggest that Council is the level of management that must initiate the call for assurance that effective information security risk management principles are followed. Executive and operational management must assure that effective information security risk management practices are in place and that compliance with policies and procedures is actively monitored. Security is a necessary cost of carrying out business and should be viewed as a component of information management that needs to be managed from a corporate perspective.

Although we did not have an opportunity to examine historic documents for each former municipality, it is worth noting that, in June 1994, Council for the former Municipality of Metropolitan Toronto approved a report on Information Security Strategy, which recommended that:

1. the Security Strategy, as set out in the document entitled "Policies and Principles for the Management of Records, Data and Information Technology Security", be adopted;
2. guidelines be established by the Commissioner of Corporate Services that embody the Security Strategy and serve as the basis for ensuring information security throughout the Metropolitan Corporation;
3. a team leader for the Information Security Strategy be named as the Corporate Records and Data Security Administrator to implement the strategy; and
4. the appropriate Metropolitan Officials be authorized to take the necessary action to give effect thereto.

The intent of the above recommendations is in line with best practices. By approving the report, Council endorsed the establishment of effective information security risk management practices. The report also indicated management's commitment, as evidenced by the establishment of a funded position to implement an Information Security Strategy.

We found that the City does not currently operate with a corporate-wide Information Security Program which is centrally administered and supported with the infrastructure that such a program demands. There is no one area or employee charged with responsibility to ensure effective security policies are circulated and promoted across the City. There is no accountability for directing, co-ordinating, monitoring, communicating and reviewing the information security needs of the City. Although some job descriptions include security-related duties, these responsibilities are often assigned low priority given the conflicting demands on the time of employees. Many security policies from the former municipalities exist; however, there is no clear indication which policies apply to the new City of Toronto. Further, there is no central repository of approved information security policies available to the employee, nor is there an effective employee awareness program in effect. In addition, few Business Continuity Plans exist.

We believe the absence of a specific function charged with responsibility for effective security policies is a significant contributor to the City's lack of co-ordinated information security policies. The assignment of accountability and responsibility is key to addressing the information security needs of the City.

Recommendation:

1. The Commissioner of Corporate Services prepare a report outlining options available to the City to implement an Information Security Program designed to ensure:

(a) information security accountability and responsibility is clearly defined and acknowledged;
(b) all parties with a need to know, including but not limited to information owners and information security practitioners, have access to documented principles, standards, conventions or mechanisms for the security of information and information systems, and are informed of applicable threats to the security of information;
(c) and information systems addresses the considerations and viewpoints of all interested parties;
(d) information security controls are proportionate to the risks of modification, denial of use, or disclosure of the information;
(e) are co-ordinated and integrated with each other and with the City's policies and procedures to create and maintain security throughout an information system;
(f) all accountable parties act in a timely, co-ordinated manner to prevent or respond to breaches of and threats to the security of information and information systems; and
(g) the risks to information and information systems are assessed periodically.

Policies and Procedures

Policies and procedures are the building blocks of a strong Information Security Framework. Putting policy into place requires a special effort by the information security team, with the support of management. Similarly, updating, reviewing and revising information policies takes considerable work. Maintenance of current and effective security policies would allow the City to state its information security objectives, thereby providing guidance to in-house staff who are selecting, developing and implementing systems. A written policy can change attitudes and perspectives toward security throughout the City. It also demonstrates that the City has diligently addressed information security matters, which may become a significant factor should the City be challenged in this area.

In the 2000 Operating Budget highlights, the program description of the Chief Administrative Officer's Office states, "The CAO is accountable to Council for the policy direction and program delivery of all departments and programs." However, there is a need to more clearly define the responsibility for formulating policy governing the security of the City's information; the policy approval process; the communication of approved policy to members of the organization; and the custodial requirements for approved information security policies.

In the past, information policies applied only to the data-processing department. Perhaps this is the reason that ownership of the formulation and development of policy for information security gravitates to the Information Technology Division. However, today's distributed processing systems require that the scope of these policies encompass the entire organization. In fact, with the continued movement to electronic services, one could argue that the scope should include the City's customers and clients as well.

With the exception of the recent project initiated by the Information Technology Division to review existing Corporate IT Standards, Policies and Guidelines, the City has not undertaken an exercise to examine the various information security policies created by the former municipalities. Consequently, we have a variety of policies but no official policy to support what we are doing in practice.

As mentioned, the Information Technology Division has initiated a review of Corporate IT Standards, Policies and Guidelines. Twenty-eight documents are under examination and the review should be completed in the first quarter of 2001. The documents under review cover several areas and, in many cases, include standards and procedures which deal more with outlining a technical strategy to address a particular item. It should be noted that these documents are tailored for the Information Technology group and do not represent an attempt to formulate city-wide policies.

A key element missing from this exercise is the risk assessment step. Ideally, the City should initiate its policy development effort after conducting a comprehensive information security risk assessment. This risk assessment should indicate the value of the information in question, the risks to which this information is subjected and the control vulnerabilities associated with the current method of handling this information. The results of the risk assessment drive the tone and rigour of the policies.

Recommendation:

2. The Commissioner of Corporate Services take a leadership role in ensuring a risk assessment exercise is conducted as a prerequisite to the formulation of effective information security policies and procedures. The results of the risk assessment performed for the Year 2000 project and existing policies from former municipalities be reviewed in connection with completing this task.

User Security Awareness Program

Data and information systems are important resources, and when they are misused or mismanaged the City is put at risk. It is therefore important that each City employee is educated, and continually advised through a user security awareness program, of the best procedures for using information assets. The awareness program sets the stage for training by changing organizational attitudes so that the importance of security, and the adverse consequences of its failure, are recognized. There is currently no formal, documented security awareness program in the City.

Recommendation:

3. The Commissioner of Corporate Services implement a user security awareness program which promotes security awareness through regular communications, and as part of the orientation program for new employees. The awareness program be reviewed on an annual basis, at a minimum, to ensure it is up to date and relevant.

Conclusion:

There is a need for a management group, with a security mandate and authority, to ensure that effective and appropriate security policies and procedures are implemented. In addition to an effective organization structure, other key elements of a good security infrastructure should be addressed, including a risk assessment process, a business continuity plan and a user security awareness program.

Contact: Jeffrey Griffiths, City Auditor, Tel: (416) 392-8461; Fax: (416) 392-3754; E-mail: Jeff.Griffiths@city.toronto.on.ca

Jeffrey Griffiths
City Auditor