Reviewed by ADM(RS) in accordance with the Access to Information Act. Information UNCLASSIFIED.

Similar documents
Audit of Information Technology Security: Roadmap Implementation

Public Safety Canada. Audit of the Business Continuity Planning Program

Follow-up to Information Technology Security Audit

Aboriginal Affairs and Northern Development Canada. Internal Audit Report Summary. Audit of Information Technology Security.

Follow-up on Audit of Security for Sensitive Inventories

REPORT 2015/149 INTERNAL AUDIT DIVISION

Birmingham Community Healthcare NHS Foundation Trust. 2017/17 Data Security and Protection Requirements March 2018

Chapter 18 SaskPower Managing the Risk of Cyber Incidents 1.0 MAIN POINTS

REPORT 2015/010 INTERNAL AUDIT DIVISION

Policy. Business Resilience MB2010.P.119

STAFF REPORT. January 26, Audit Committee. Information Security Framework. Purpose:

Audit of the Departmental Control Framework for the Management of Personal Information (Privacy)

EEI Fall 2008 Legal Conference Boston, Massachusetts Stephen M. Spina November 1,

ISO / IEC 27001:2005. A brief introduction. Dimitris Petropoulos Managing Director ENCODE Middle East September 2006

REPORT: Audit of Information Technology (IT) Security. AAFC Office of Audit and Evaluation CFIA Audit and Evaluation Branch

Information Technology Branch Organization of Cyber Security Technical Standard

General Information Technology Controls Follow-up Review

MNsure Privacy Program Strategic Plan FY

Gatekeeper Public Key Infrastructure Framework. Information Security Registered Assessors Program Guide

IT Governance ISO/IEC 27001:2013 ISMS Implementation. Service description. Protect Comply Thrive

Independent Assurance Statement

AUDIT OF ICT STRATEGY IMPLEMENTATION

INTERNAL AUDIT DIVISION REPORT 2017/138

DEFINITIONS AND REFERENCES

REPORT 2015/186 INTERNAL AUDIT DIVISION

MANUAL OF UNIVERSITY POLICIES PROCEDURES AND GUIDELINES. Applies to: faculty staff students student employees visitors contractors

Cyber Security Standards Drafting Team Update

The Project Charter. Date of Issue Author Description. Revision Number. Version 0.9 October 27 th, 2014 Moe Yousof Initial Draft

Critical Cyber Asset Identification Security Management Controls

Position Description IT Auditor

Article I - Administrative Bylaws Section IV - Coordinator Assignments

Cyber Security Reliability Standards CIP V5 Transition Guidance:

Audit and Compliance Committee - Agenda

Information Technology General Control Review

Audit Report. The Prince s Trust. 27 September 2017

AUDIT UNITED NATIONS VOLUNTEERS PROGRAMME INFORMATION AND COMMUNICATION TECHNOLOGY. Report No Issue Date: 8 January 2014

ISO/ IEC (ITSM) Certification Roadmap

National Policing Community Security Policy

NORTH CAROLINA NC MRITE. Nominating Category: Enterprise IT Management Initiatives

KENYA SCHOOL OF GOVERNMENT EMPLOYMENT OPORTUNITY (EXTERNAL ADVERTISEMENT)

NHS Fife. 2015/16 Audit Computer Service Review Follow Up

Threat and Vulnerability Assessment Tool

REVIEW OF MANAGEMENT AND OVERSIGHT OF THE INTEGRATED BUSINESS MANAGEMENT SYSTEM (IBMS) January 16, 2009

In 2017, the Auditor General initiated an audit of the City s information technology infrastructure and assets.

ISO STANDARD IMPLEMENTATION AND TECHNOLOGY CONSOLIDATION

CASA External Peer Review Program Guidelines. Table of Contents

Physical Security Reliability Standard Implementation

Audit Report. Scottish Bakers. 30 March 2015

National Policy On Classified Information Spillage

Ministry of Government and Consumer Services. ServiceOntario. Figure 1: Summary Status of Actions Recommended in June 2016 Committee Report

Information Security Incident Response Plan

Credit Card Data Compromise: Incident Response Plan

manner. IOPA conducts its reviews in conformance with Government Auditing Standards issued by the Comptroller General of the United States.

Resolution: Advancing the National Preparedness for Cyber Security

Security and Privacy Governance Program Guidelines

Critical Infrastructure Protection Version 5

CERTIFICATE IN LUXEMBOURG COMPANY SECRETARIAL & GOVERNANCE PRACTICE

Protecting information across government

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

Rules for LNE Certification of Management Systems

Information Security Incident Response Plan

INTERNAL AUDIT DIVISION REPORT 2017/151. Audit of business continuity in the United Nations Interim Force in Lebanon

Office of the City Auditor 2014 Third Quarter Activity Report November 25, 2014

Audit Report. Chartered Management Institute (CMI)

CHAIR AND MEMBERS CIVIC WORKS COMMITTEE MEETING ON NOVEMBER 29, 2016

Number: USF System Emergency Management Responsible Office: Administrative Services

Consideration of Issues and Directives Federal Energy Regulatory Commission Order No. 791 June 2, 2014

Regulating Cyber: the UK s plans for the NIS Directive

NATIONAL INFRASTRUCTURE COMMISSION CORPORATE PLAN TO

IT Audit Process Prof. Liang Yao Week Six IT Audit Planning

Analysis of CIP-006 and CIP-007 Violations

UNCLASSIFIED. National and Cyber Security Branch. Presentation for Gridseccon. Quebec City, October 18-21

Texas A&M University: Learning Management System General & Application Controls Review

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

History of NERC August 2013

Appendix 3 Disaster Recovery Plan

Procedure re-written. (i.e. All staff with responsibility for the creation, use and management of organisational responsibility)

Government Resolution No of February 15, Resolution: Advancing National Regulation and Governmental Leadership in Cyber Security

Certification Body Audit Resources

Postal Inspection Service Mail Covers Program

DHS Overview of Sustainability and Environmental Programs. Dr. Teresa R. Pohlman Executive Director, Sustainability and Environmental Programs

Standard CIP Cyber Security Critical Cyber Asset Identification

Cybersecurity & Privacy Enhancements

Consideration of Issues and Directives Federal Energy Regulatory Commission Order No. 791 January 23, 2015

COUNTY AUDIT HILLSBOROUGH COUNTY, FLORIDA CONSULTANT COMPETITIVE NEGOTIATION ACT (CCNA) PROCUREMENT PROCESS AUDIT REPORT # 251

ITSM20F_Umang. Number: ITSM20F Passing Score: 800 Time Limit: 120 min File Version: 4.0. Exin ITSM20F

NEWCASTLE CLINICAL TRIALS UNIT STANDARD OPERATING PROCEDURES

Academic Program Review at Illinois State University PROGRAM REVIEW OVERVIEW

Guidelines. on the security measures for operational and security risks of payment services under Directive (EU) 2015/2366 (PSD2) EBA/GL/2017/17

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

SAMPLE REPORT. Business Continuity Gap Analysis Report. Prepared for XYZ Business by CSC Business Continuity Services Date: xx/xx/xxxx

AUTHORITY FOR ELECTRICITY REGULATION

Provider Monitoring Report. City and Guilds

Office of Internal Audit

"Charting the Course... ITIL 2011 Managing Across the Lifecycle ( MALC ) Course Summary

Certification Report

Global Statement of Business Continuity

TEL2813/IS2820 Security Management

HIPAA RISK ADVISOR SAMPLE REPORT

ERO Enterprise Strategic Planning Redesign

Transcription:

Assistant Deputy Minister (Review Services) Reviewed by in accordance with the Access to Information Act. Information UNCLASSIFIED. Security Audits: Management Action Plan Follow-up December 2015 1850-3-003 ()

Caveat The result of this work does not constitute an audit of the security control areas. Rather, this report was prepared to provide reasonable assurance that Management Action Plan (MAP) items resulting from the various security audits were implemented as stated and as such have addressed the associated recommendations.

Table of Contents Acronyms and Abbreviations... ii Introduction... 1 Methodology... 1 Statement of Conformance... 2 Context... 3 Progress towards MAP Implementation... 5 Conclusion... 8 Annex A MAP Progress... A-1 i/ii

Acronyms and Abbreviations Assistant Deputy Minister (Review Services) BCP Business Continuity Planning CAF Canadian Armed Forces CDS Chief of the Defence Staff DGDS Director General Defence Security DM Deputy Minister DND Department of National Defence DSO Departmental Security Officer DSP Departmental Security Plan DSX Defence Strategic Executive Committee FY Fiscal Year IM Information Management IT Information Technology L1 Level 1 MAP Management Action Plan NDSOD National Defence Security Orders and Directives SRT Security Reform Team TBS Treasury Board Secretariat VCDS Vice Chief of the Defence Staff ii/ii

Introduction In keeping with the Treasury Board Policy on Internal Audit, 1 Assistant Deputy Minister (Review Services) () is required to undertake audit follow-ups to assess the implementation status of Management Action Plan (MAP) items developed in response to previous audit recommendations. In accordance with the Chief Review Services 2 Risk-Based Audit Plan for fiscal year (FY) 2015/16 to 2017/18, this audit follow-up was selected to determine MAP progress for the following audits: Audit of Security of Sensitive Inventories (May 2004) Audit of Security Clearance Process (September 2006) Audit of Security Incident Management (June 2010) Audit of Industrial Security (May 2011) Audit of Sanitization and Destruction of Information Management (IM)/Information Technology (IT) Assets (December 2012) Audit of Business Continuity Planning (BCP) (October 2013) Two other security related audits conducted during the same timeframe were not included in this follow-up. The Audit of IT Security: Certification and Accreditation Process was not selected because the certification and accreditation process has been replaced with the Security Assessment and Authorization process. An audit of this new process is planned for FY 2017/18. Additionally, the security posture assessments conducted on the Defence Wide Area Network and the Consolidated Secret Network Infrastructure, with the assistance of the Methodology This audit follow-up is based on a review of documentation and evidence to assess the progress made in implementing the MAP items. The following methods were used to assess progress: detailed assessment of the progress of the MAP items reported by the office of primary interest; interviews with key stakeholders; and examination of supporting documentation. This follow-up does not represent a second audit of the same issues. Instead, it is an assessment of the progress made towards implementing the MAP items. No testing was performed to determine whether the action plans were achieving the desired results. 1 Treasury Board Policy on Internal Audit. http://www.tbs-sct.gc.ca/pubs_pol/dcgpubs/ia-vi/ia-vi_e.asp 2 Chief Review Services is the former designation of. The designation came into effect on May 15, 2015. 1/8

Statement of Conformance The audit follow-up conclusions contained in this report are based on sufficient and appropriate audit evidence gathered in accordance with procedures that meet the Institute of Internal Auditors International Standards for the Professional Practice of Internal Auditing. The audit follow-up thus conforms to the Internal Auditing Standards for the Government of Canada, as supported by the results of the quality assurance and improvement program. The opinions expressed in this report are based on conditions as they existed at the time of the audit follow-up and apply only to the entity examined. 2/8

Context has conducted a number of security-related internal audits since 2004. It has also completed various follow-up audits in this timeframe to determine progress made toward implementing the specific MAP items. Efforts have been made over the past decade to address shortcomings. However, until now, little progress has been made in part because the Departmental Security Officer (DSO) had neither the authority over the affected security process nor the personnel to implement the required changes. More significantly, having an outdated departmental security policy made it impractical to amend or improve processes without first addressing the policy issue. In order to address the identified issues, the Deputy Minister (DM) and the Chief of the Defence Staff (CDS) issued an initiating directive in March 2013 to the Vice Chief of the Defence Staff (VCDS) to establish a Security Reform Team (SRT). The team s objective was to conduct a full review of the existing security program, recommend ways to address previously identified shortcomings, and provide recommendations for the development of a more robust Defence Security Program. The SRT review was conducted over an eight-month period beginning in March 2013, and the findings and recommendations were presented to the Defence Strategic Executive Committee (DSX) in November 2013. The SRT findings were consistent with those identified in the audits conducted between 2004 and 2013. Key SRT program findings included the following: The SRT provided the DSX with numerous program and process recommendations designed to address the more significant program issues. Some of the key program recommendations included the following: centralization of the security organization, whereby the organization would exercise a more robust functional authority, retain current line authorities, and assume responsibility for personnel security, industrial security, physical security, and identity management; upgrading the rank of the DSO to ensure appropriate visibility given the complexity of the security program; and development of a comprehensive security policy that would include clearly defined security authorities. 3/8

The DSX supported all of the recommendations, including the implementation of a revamped Defence Security Program that would provide the DSO with full functional authority over the program and command authorities over selected processes. 3 In addition, the DM and CDS assigned the DSO additional responsibilities for oversight of the security threat and risk assessment and information assurance. To further strengthen this authority, in March 2014, the VCDS established the Director General Defence Security (DGDS) organization. The DM/CDS then appointed the director general as the DSO and upgraded the rank from colonel to brigadier general. The DGDS/DSO was made responsible for defence security including leadership, development, and management of the entire Defence Security Program and was made accountable to the DM/CDS for the effective, efficient, and integrated management of the program. 4 To fulfill this responsibility, four directorates were created within DGDS, and considerable time and effort was expended staffing the organization. The DSX also approved the creation of six regional DSO positions with the role of providing functional security support and coordination to the DSO to manage and implement the security requirements. As part of the restructuring of the security program and to strengthen the overall governance structure, the Senior Security Advisory Committee was re-established and held its first meeting in December 2014. The committee is chaired by the VCDS, and it provides guidance and oversight of the Defence Security Program so as to ensure that the program is managed in an effective, efficient, and integrated manner. The committee also ensures security activities, requirements, and the impact of changes in government and departmental policies are known and understood by the Department of National Defence and Canadian Armed Forces (DND/CAF) organizations responsible for the implementation of appropriate force protection and security measures. 5 The establishment of this senior body is another component of the security program that sets the foundation to improve and strengthen security program governance. 3 DG SRT. VCDS Defence Security Renewal Action Directive, November 26, 2013. 4 National Defence Security Orders and Directives (NDSOD), Chapter 1 National Defence Security Program and Responsibilities. 5 Senior Security Advisory Committee Terms of Reference (Approved October 2014). 4/8

Progress towards MAP Implementation The objective of the audit follow-up was to assess progress made towards implementation of the MAP items. However, doing so would not accurately reflect the level of effort expended by the DGDS organization in developing the foundation required to ensure that any process changes would be implementable, resolve the identified shortcomings, and comply with established policy. Significant progress has been made in establishing the foundation required to develop and implement a strong Defence Security Program. In particular, establishing and staffing the DGDS organization, completing the Departmental Security Plan (DSP), and publishing a security policy suite that supersedes all existing directives (National Defence Security Policy, National Defence Security Instructions, and National Defence Security Manual) comprise the basis and means for addressing the outstanding MAP items. That being said, a summary of the audit findings from the original audits and an indication of any progress specific to the audit findings can be found in Annex A. DSP A key priority for the DSO over the last year has been to complete the DSP. The Policy on Government Security states that Deputy heads of all departments are responsible for approving the DSP that details decisions for managing security risks and outlines strategies, goals, objectives, priorities and timelines for improving departmental security and supporting its implementation. 6 Since the DSO is functionally accountable to the deputy head, he/she is responsible for developing, implementing, monitoring, and maintaining the DSP. 7 While the TBS requirement was to have a DSP fully implemented by June 2012, DND was granted an extension to that requirement. In May 2015, the DM and the CDS formally approved the DSP, and there is a commitment to review and update it annually. 8 The DSP identifies security risks for all the Treasury Board Secretariat (TBS) security control objectives, as well as for the three additional security control objectives specific to DND/CAF (force protection, identity management and travel security). The plan outlines security program objectives, priorities, and for addressing identified departmental security risks. Having been provided with formal authority, responsibility, the DSP, and resources, the DSO is now in a better position to implement the security process changes required to reduce security risks across the Department and ensure compliance with policy. 6 TBS Policy on Government Security, 2009. 7 TBS Directive on Departmental Security Management, 2009. 8 DND/CAF DSP, May 2015. 5/8

Policy and Direction reports have consistently noted that security policy documents were unclear and outdated. The VCDS issued a Renewal Action Directive 9 in November 2013 and stated that one of the main focuses for the near term had to be updating the policy suite. The VCDS indicated that the DM/CDS supported a full, comprehensive security policy suite renewal. The VCDS also noted that within the policy renewal, there needed to be an overarching policy document containing a defence security policy statement that would be signed by the DM and CDS. After extensive effort and consultation with all the Level 1s (L1), the NDSOD were published in June 2015. Defence Administrative Order and Directive 2006-0 Defence Security designates DGDS as the DSO and recognizes the establishment of the NDSOD. The NDSOD clarify roles, responsibilities, and authorities for DGDS, L1s, and all DND/CAF personnel as it relates to security. The NDSOD have 16 chapters, covering all TBS security control objectives and the three security control objectives specific to DND. Therefore, DGDS can now begin to focus on developing plans to implement the requirements of these new directives and on improving current process rigour. Training In an effort to address the and SRT finding regarding the lack of security training and awareness across the Department and to ensure compliance with the TBS policy, DGDS developed a mandatory online security awareness training course for all DND/CAF personnel. This was strengthened by the release of a Canadian Forces General Order in December 2014 indicating the requirement to complete the course. Personnel in the National Capital Region were required to complete the course by March 31, 2015, and all other employees and CAF members were required to complete the course by June 30, 2015. As of April 1, 2015, 65% of personnel in the National Capital Region had completed the online course. 10 This department-wide, high-level training is a good start in addressing the issues with respect to the lack of training and awareness. Risk Treatment Plans The development of the DSP helped DGDS identify and assess departmental security risks. DGDS consulted each of the L1s in order to identify security risks relevant to their organization. It assessed these risks and subsequently developed risk treatment plan objective statements for each of the identified risks. These objectives are found in DGDS s security risk register and will be used to develop mitigation plans for the identified security risks. The audit team reviewed the risk treatment plan/security risk register to ensure that the findings from the security audits had been reflected in the plans. While some of these findings have already been addressed 9 VCDS. Defence Security Renewal Action Directive. November 24, 2013. 10 Senior Security Advisory Committee, Meeting Record and Decision Sheet, April 1, 2015. 6/8

DGDS is currently expecting a progress update for year one commitments made in the DSP by October 2015. Detailed work plans including scope requirements, business planning, and sequencing of tasks have started for commitments in years two and three of the DSP. These plans should articulate the steps to develop and implement the process changes required to address the security process rigour issues identified in previous audit reports, and they should ensure compliance with the new departmental security policy suite. Upon completion of these detailed plans, the Department will then be in a better position to monitor progress towards completion of each MAP and ensure identified risks are being properly mitigated. 7/8

Conclusion Significant progress has been made toward establishing the governance structure for defence security and setting the foundation to improve the effectiveness of the security program. Focus now needs to shift to maturing the governance structure and strengthening the processes and controls in order to reduce identified security risks across the Department and ensure compliance to policy. Until all MAP items are fully implemented, current departmental security processes intended to protect personnel and ensure information, assets, and services are safeguarded from compromise That being said, a strong foundation is now in place to facilitate the implementation of the changes required to strengthen the Defence Security Program. 8/8

Annex A MAP Progress Audit of Security for Sensitive Inventories (2004) Original Audit Assessment The Department Original Audit Findings The Department does not know Physical security policy is too prescriptive and implementation of risk mitigation options is not linked to risk assessment results. Local management has a responsibility Progress to Date NDSOD Chapter 15 has been released, providing a definition and examples DGDS is developing an implementation plan to address DSP risk treatment plan objectives. DGDS is currently working on an implementation plan for the conduct of threat risk assessments that will build on lessons learned from reviewing physical security surveys and threat risk assessments received from some Defence sites. A-1/6

Audit of the Security Clearance Process (2006) Original Audit Assessment The Department s personnel security clearance process Original Audit Findings o o o o o Progress to Date A draft business plan with goals and requirements has been developed. Detailed plans, as they relate to specific MAP items, are still required. There is a plan to conduct a to assist in developing options to address process shortcomings noted in the 2006 audit. Identity management and the security clearance groups within DGDS have been amalgamated. The new departmental policy requires that Director Personnel Security Identity Management, not the line manager, grant reliability status. A business case analysis of is being conducted. A-2/6

Audit of Security Incident Management (2010) Original Audit Assessment The Department Original Audit Findings There is insufficient evidence to confirm that There is insufficient evidence to confirm that Progress to Date DGDS is in the process of developing a plan to address risk treatment plan objectives. DGDS is currently working on harmonizing the security incident management process. DGDS plans to DGDS has developed a new policy that requires organizations to maintain a Unit Security Incident Register of all incidents originating within their unit and to report this information to DGDS on a semi-annual basis. DGDS is developing a process to maintain strategic oversight of A-3/6

Audit of Industrial Security (2011) Original Audit Assessment The Department s industrial security practices Original Audit Findings The Provost Marshal Mandate and objectives of the industrial security program are not well established. throughout the life of a contract. Office of the Auditor General audits: o 2007: This audit determined that o 2013: This audit determined that Progress to Date NDSOD Chapter 8 states that a Security Requirement Check List must be completed for all contracts whether there are security requirements or not. A new Security Identification Document is needed for all contracts with security requirements. This will replace the Project Identification Document. These documents are essentially the same; however, the security identification document is required for all contracts rather than just for projects. DGDS staff have started to provide specific contract security training to units. Public Works and Government Services Canada will no longer process a DND contract unless the contract is accompanied by a Security Requirement Check List. A-4/6

Audit of Sanitization and Destruction of IM/IT Assets (2012) Original Audit Assessment Current processes related to the governance and risk management of the sanitization and destruction of IM/IT assets Original Audit Findings o o Progress to Date DGDS has developed Publication of NDSODs: o Chapter 6 Security of Information highlights the requirement to ensure information is disposed of correctly; however, specific procedures for destroying information are still under development. Reference is made to o various Government of Canada policies. Chapter 7 Information Security is a section on data storage media protection and provides more direction on the destruction of IT assets. It makes reference to Information Technology Security Guidance 06, clearing and declassifying electronic data storage devices. Sanitization control requirements are addressed in the DND/CAF IT Security Control Catalogue. The implementation and maintenance of these controls for specific IT systems and networks should be confirmed and validated through the Security Assessment and Authorization process. The DND/CAF IT Security Standard on portable/mobile data storage devices has been drafted and is expected to be promulgated by the end of December 2015. It will address the TBS Information Technology Policy Implementation Notice 2014-01, which details the new requirements for clearing and disposal of information from portable/mobile data storage devices. A-5/6

Audit of Business Continuity Planning (2013) Original Audit Assessment A BCP governance structure with clearly defined roles and responsibilities was established in 2007. Original Audit Findings Progress to Date Accountabilities, responsibilities, and authorities have been defined as part of NDSOD Chapter 10 on BCP. Focus is on developing the National Capital Region Level 0 and L1 interim BCPs. Initial consultations have taken place with L1 BCP coordinators, who have provided clarification on their initial input to the interim National Capital Region BCP. o Process to identify critical assets and services has begun. o An Intradepartmental Committee on BCP has been established. A methodology and a template, to be added to the policy suite, is being developed to assist L1s in the writing of both business impact and threat risk assessments. A-6/6

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback