LIST OF RECOMMENDATIONS
RECOMMENDATION 1
That Treasury Board Secretariat accelerate the timetable for the development and implementation of all remaining IT security standards with the goal of having them completed well in advance of the December 2006 deadline it has established.
RECOMMENDATION 2
That beginning in September 2005 Treasury Board Secretariat submit semi-annual status reports to the Standing Committee on Public Accounts on the development and implementation of remaining IT security standards.
RECOMMENDATION 3
That Treasury Board Secretariat submit a detailed action plan to the Standing Committee on Public Accounts specifying the measures it will take to implement the recommendations made by the Auditor General of Canada. The action plan must include target implementation dates and must be provided to the Standing Committee on Public Accounts no later than 30 September 2005.
RECOMMENDATION 4
That Treasury Board Secretariat adhere to the requirements of the Government Security Policy as stated in Appendix A of the Policy, paying close attention to its duty to provide “advice and assistance on security” and to monitor “the implementation of the [P]olicy and the state of security in the Government of Canada.”
RECOMMENDATION 5
That the Treasury Board Secretariat provide, in its annual departmental performance reports, information on its monitoring activities with respect to its obligations as set forth in Appendix A of the Government Security Policy. Reference must be made to the frequency and scope of monitoring, the results, and corrective measures taken. This reporting should begin with the report for the period ended 31 March 2005.
RECOMMENDATION 6
That the Government of Canada review the adequacy of resources and authorities available to the Office of the Chief Information Officer to lead government-wide IT security efforts, explore the option of consolidating resources and authorities to take full responsibility for government-wide IT security in the hands of a single entity, and report the results to the Standing Committee on Public Accounts no later than 31 December 2005.
RECOMMENDATION 7
That Treasury Board Secretariat identify the reasons for turnover in the position of Chief Information Officer, analyze the results, and report its findings, along with an action plan listing the steps it will take to extend the tenure of this officer to a minimum five-year term, to the Standing Committee on Public Accounts no later than 31 December 2005.
RECOMMENDATION 8
That Treasury Board Secretariat develop and implement a plan for an awareness of the importance of IT security among senior departmental managers, with an emphasis on deputy ministers, and provide the Standing Committee on Public Accounts with a copy of this plan no later than 30 September 2005.
RECOMMENDATION 9
That a mandatory direct reporting relationship be established for departmental security officers and departmental IT security co ordinators to their deputy ministers.
RECOMMENDATION 10
That departmental security officers be positioned at a strategic level within departments and agencies so that they can have meaningful influence over department-wide IT security strategies and input into budgeting decisions affecting security.
RECOMMENDATION 11
That departments and agencies be required to develop business continuity plans on a priority basis and to test these plans at least every two years, with the results to be communicated to the Office of the Chief Information Officer at Treasury Board Secretariat.
RECOMMENDATION 12
That the Office of the Chief Information Officer conduct a government-wide review to ascertain the total level of human, technological, and financial resources that are being devoted in fiscal year 2005 06 to IT security in departments and agencies, that it analyze the results to determine whether they are appropriate, and that it report the results to Parliament by 30 April 2006.