STAFF REPORT
January 26, 2001

To: Audit Committee
From: City Auditor
Subject: Information Security Framework

Purpose:

To review the adequacy of the Information Security Framework governing the security practices within the City of Toronto in protecting the City's services, privacy and sensitive security information, and to report on deficiencies, along with recommendations for corrective action.

Financial Implications and Impact Statement:

While there are no financial implications resulting from the adoption of this report, the implementation of the recommendations in this report could improve the efficient and effective enforcement of security practices throughout the City and may result in additional costs which are unknown at this time.

Recommendations:

It is recommended that:

(1) the Commissioner of Corporate Services prepare a report outlining options available to the City to implement an Information Security Program designed to ensure:

(a) information security accountability and responsibility is clearly defined and acknowledged;
(b) all parties with a need to know, including but not limited to, information owners and information security practitioners, have access to documented principles, standards, conventions or mechanisms for the security of information and information systems, and are informed of applicable threats to the security of information;
(c) and information systems addresses the considerations and viewpoints of all interested parties;
(d) information security controls are proportionate to the risks of modification, denial of use, or disclosure of the information;
(e) are co-ordinated and integrated with each other and with the City's policies and procedures to create and maintain security throughout an information system;
(f) all accountable parties act in a timely, co-ordinated manner to prevent or respond to breaches of and threats to the security of information and information systems; and
(g) the risks to information and information systems are assessed periodically;

(2) the Commissioner of Corporate Services take a leadership role in ensuring a risk assessment exercise is conducted as a prerequisite to the formulation of effective information security policies and procedures. The results of the risk assessment performed for the Year 2000 project and existing policies from former municipalities be reviewed in connection with completing this task; and

(3) the Commissioner of Corporate Services implement a user security awareness program which promotes security awareness through regular communications, and as part of the orientation program for new employees. The awareness program be reviewed on an annual basis, at a minimum, to ensure it is up to date and relevant.

Background:

The need for information security is intuitive. Information security, based on effective policies, is quickly becoming a critical business enabler, driven by e-business trends. The recent approval of the Electronic Service Delivery project demonstrates the City's direction to incorporate e-business in its service delivery model. This project will provide a common service delivery window for departmental applications to be made available through the internet.
Vulnerabilities can lead to security breach events which expose an organization, such as the City of Toronto, to reputation damage, at a minimum, and potentially serious financial losses. The challenge for the City is to ensure that the policies, procedures and processes in effect to mitigate information security risks are commensurate with the associated business risks.

A review of the Information Security Framework for the City was identified as a priority project within Audit Services' 2000 Work Plan. This report contains our observations and recommendations arising from the review.
Comments:

An effective information security program is considered essential for an organization the size of the City of Toronto, with all of its different work locations, extended network and the service objective to provide the ratepayer and City clients with the opportunity to interact with the City electronically. Prior to amalgamation, the former municipalities varied greatly in the extent of their security-related policy and procedures, the mechanism for administering the desired level of their security, and the degree of resources and energy allocated to develop, implement, maintain and enforce sound security principles and practices.

To complete this review, an examination of the City's current Information Security Framework was performed. The primary objective for the review was to evaluate the effectiveness with which the City is managing information security. It should be noted that our review of the overall information security framework in effect did not encompass a review of specific control techniques, nor represent a compliance check with existing policy and established procedure. Rather, our review focused on evidence for the attributes and qualities of an overall security program, such as: senior management commitment, cost-effective information security risk management practices, defined security roles and responsibilities, a mechanism for the development and implementation of security-related policy and procedures, a security awareness program, and the infrastructure to monitor compliance and to ensure enforcement of approved policies and procedures.

Our approach was to evaluate the City's Information Security Framework in the context of best practices that govern this area, along with general guidelines which address the following properties of information: confidentiality, integrity and availability.
Accountability/Responsibility

In the City's environment, best practices suggest that Council is the level of management that must initiate the call for assurance that effective information security risk management principles are followed. Executive and operational management must assure that effective information security risk management practices are in place and that compliance with policies and procedures is actively monitored. Security is a necessary cost of carrying out business and should be viewed as a component of information management that needs to be managed from a corporate perspective.

Although we did not have an opportunity to examine historic documents for each former municipality, it is worth noting that, in June 1994, Council for the former Municipality of Metropolitan Toronto approved a report on Information Security Strategy, which recommended that:

1. the Security Strategy, as set out in the document entitled "Policies and Principles for the Management of Records, Data and Information Technology Security", be adopted;
2. guidelines be established by the Commissioner of Corporate Services that embody the Security Strategy and serve as the basis for ensuring information security throughout the Metropolitan Corporation;
3. a team leader for the Information Security Strategy be named as the Corporate Records and Data Security Administrator to implement the strategy; and
4. the appropriate Metropolitan Officials be authorized to take the necessary action to give effect thereto.

The intent of the above recommendations is in line with best practices. By approving the report, Council endorsed the establishment of effective information security risk management practices. The report also indicated management's commitment, as evidenced by the establishment of a funded position to implement an Information Security Strategy.

We found the City does not currently operate with a corporate-wide Information Security Program which is centrally administered and supported with the infrastructure that such a program demands. There is no one area or employee charged with responsibility to ensure effective security policies are circulated and promoted across the City. There is no accountability for directing, co-ordinating, monitoring, communicating and reviewing the information security needs of the City. Although some job descriptions include security-related duties, these responsibilities are often assigned low priority given the conflicting demands on the time of employees.

Many security policies from the former municipalities exist; however, there is no clear indication which policies apply to the new City of Toronto. Further, there is no central repository for approved information security policies available to the employee, nor is there an effective employee awareness program in effect. In addition, few Business Continuity Plans exist.
We believe the absence of a specific function charged with responsibility for effective security policies is a significant contributor to the City's lack of co-ordinated information security policies. The assignment of accountability and responsibility is key to addressing the information security needs of the City.

Recommendation:

1. The Commissioner of Corporate Services prepare a report outlining options available to the City to implement an Information Security Program designed to ensure:

(a) information security accountability and responsibility is clearly defined and acknowledged;
(b) all parties with a need to know, including but not limited to, information owners and information security practitioners, have access to documented principles, standards, conventions or mechanisms for the security of information and information systems, and are informed of applicable threats to the security of information;
(c) and information systems addresses the considerations and viewpoints of all interested parties;
(d) information security controls are proportionate to the risks of modification, denial of use, or disclosure of the information;
(e) are co-ordinated and integrated with each other and with the City's policies and procedures to create and maintain security throughout an information system;
(f) all accountable parties act in a timely, co-ordinated manner to prevent or respond to breaches of and threats to the security of information and information systems; and
(g) the risks to information and information systems are assessed periodically.

Policies and Procedures

Policies and procedures are the building blocks for a strong Information Security Framework. Putting policy into place requires a special effort by the information security team, with the support of management. Similarly, updating, reviewing and revising information policies take considerable work. Maintenance of current and effective security policies would allow the City to state its information security objectives, thereby providing guidance to in-house staff who are selecting, developing and implementing systems. A written policy can change attitudes and perspective toward security throughout the City. It also demonstrates that the City has diligently addressed information security matters, which may become a significant factor should the City be challenged in this area.

In the 2000 Operating Budget highlights, the program description of the Chief Administrative Officer's Office states, "The CAO is accountable to Council for the policy direction and program delivery of all departments and programs."
However, there is a need to more clearly define the responsibility for formulating policy governing the security of the City's information; the policy approval process; communication of approved policy to members of the organization; and the custodial requirements of approved information security policies.

In the past, information policies applied only to the data-processing department. Perhaps this is the reason that ownership over the formulation and development of policy for information security gravitates to the Information Technology Division. However, today's distributed processing systems require that the scope of these policies encompass the entire organization. In fact, with the continued movement to electronic services, one could argue that the scope should include the City's customers and clients as well.
With the exception of the recent project initiated by the Information Technology Division to review existing Corporate IT Standards, Policies and Guidelines, the City has not undertaken an exercise to examine the various information security policies created by the former municipalities. Consequently, we have a variety of policies but no official policy to support what we are doing in practice.

As mentioned, the Information Technology Division has initiated a review of Corporate IT Standards, Policies and Guidelines. Twenty-eight documents are under examination and the review should be completed in the first quarter of 2001. The documents under review cover several areas and, in many cases, include standards and procedures which deal more with outlining a technical strategy to address a particular item. It should be noted that these documents are tailored for the Information Technology group and do not represent an attempt to formulate city-wide policies.

A key element missing from this exercise is the risk assessment step. Ideally, the City should initiate its policy development effort after conducting a comprehensive information security risk assessment. This risk assessment should indicate the value of the information in question, the risks to which this information is subjected, and the control vulnerabilities associated with the current method of handling this information. The results of the risk assessment drive the tone and rigour of the policies.

Recommendation:

2. The Commissioner of Corporate Services take a leadership role in ensuring a risk assessment exercise is conducted as a prerequisite to the formulation of effective information security policies and procedures. The results of the risk assessment performed for the Year 2000 project and existing policies from former municipalities be reviewed in connection with completing this task.
User Security Awareness Program

Data and information systems are important resources, and when they are misused or mismanaged, those actions put the City at risk. It is therefore important that each City employee is educated and continually advised, through a user security awareness program, of the best procedures for using information assets. The awareness program sets the stage for training by changing organizational attitudes to realize the importance of security and the adverse consequences of its failure. There is currently no formal, documented security awareness program in the City.

Recommendation:

3. The Commissioner of Corporate Services implement a user security awareness program which promotes security awareness through regular communications, and as part of the orientation program for new employees. The awareness program be reviewed on an annual basis, at a minimum, to ensure it is up to date and relevant.
Conclusion:

There is a need for a management group, with a security mandate and authority, to ensure that effective and appropriate security policies and procedures are implemented. In addition to an effective organization structure, other key elements for a good security infrastructure should be addressed, including a risk assessment process, a business continuity plan and a user security awareness program.

Contact:

Jeffrey Griffiths, City Auditor
Tel: (416) 392-8461; Fax: (416) 392-3754
E-mail: Jeff.Griffiths@city.toronto.on.ca

Jeffrey Griffiths
City Auditor

dl/cg
C:\DATA\Audit\Reports\2001\Department\Corp Svcs\I T\Information Security Framework Jan 26 01.doc