
PACP Committee Report


CHAPTER 1, INFORMATION TECHNOLOGY SECURITY OF THE FEBRUARY 2005 REPORT OF THE AUDITOR GENERAL OF CANADA

A general lack of concern for IT security risks leaves systems vulnerable, where weaknesses could be exploited. As a result, sensitive data, including information on the privacy of Canadians, payroll and financial transactions, program information, and other mission-critical data are at increased risk of unauthorized disclosure, modification, or loss — possibly without being detected. [1]

INTRODUCTION

In her April 2002 Report, the Auditor General presented the results of an audit of information technology (IT) security in the federal government. The findings were sobering. The government’s IT security standards were incomplete and many existing standards were out of date. There was no plan in place to update them. The 2002 Government Security Policy, a recent revision of the 1994 policy, would not be fully effective in the absence of these updated standards.

The Auditor General also discovered that the government had not been monitoring its 1994 IT security policy, with the result that the government did not have “enough information to assess the overall state of IT security. It does not have an adequate basis for determining whether current practices across government are acceptable, nor does it have an appropriate baseline for measuring future progress.” [2]

Mrs. Fraser noted that the revised (2002) policy called for a report on its effectiveness but not before summer 2004. In her view, a report was needed sooner. It was produced in draft form in May 2005.

Many government services are available in electronic format that Canadians can access from their homes or workplaces via their computers and other devices. The combination of low cost and easy, fast availability to a widely scattered population makes continued growth in the number of services delivered this way a certainty. As this expansion takes place, the vulnerability of the electronic delivery and storage systems has become a major concern. In the extreme, cyber attacks could result in personal information falling into the wrong hands, the destruction of vital data, the release of sensitive information on government operations, or the shutdown of internal government systems.

The Committee decided to review the results of a follow-up audit of the Auditor General’s 2002 audit of IT security precisely because vulnerabilities in these systems pose enormous potential risks to the health and safety of Canadians, and to the functional ability of government.

To assist it with its review, the Committee met with Auditor General Sheila Fraser on 23 March 2005. The Auditor General was accompanied by Mr. Douglas Timmins (Assistant Auditor General), Mr. Richard Brisebois (Principal), and Mr. Guy Dumas (Director) of the Office of the Auditor General of Canada. At the same meeting, the Committee also heard from Helen McDonald, Acting Chief Information Officer for the Government of Canada, who is with the Treasury Board Secretariat. Mr. Simon Gauthier, Deputy Chief Information Officer, and Mr. Pierre Boucher, Acting Senior Director, Enterprise Architecture and Standards, also with Treasury Board Secretariat, appeared with Ms. McDonald.

OBSERVATIONS AND RECOMMENDATIONS

Subsequent to its review, the Committee has serious concerns that need resolution in the following areas: the current status of the standards used to support IT security; the role of Treasury Board Secretariat in monitoring the state of IT security; the role of departments and agencies; and, the resources available to support IT security.

  1. IT Security Standards

    The government’s IT security standards are meant to establish minimum requirements that all departments and agencies must meet to ensure that their systems are secure from outside intrusion and data loss. In 2002, the Auditor General told Parliament that these standards were out of date, a troubling observation in light of the rapid change that characterizes information technology. In 2005, the Auditor General found that some improvement had taken place, but that overall the government had made “unsatisfactory progress” in strengthening IT security since her 2002 audit. (1.1)

    The Government Security Policy (the Policy) establishes broad requirements for security in a range of areas including information technology. These requirements are supported by “security standards” that stipulate what departments and agencies must do to meet the Policy’s minimum requirements. The presence of standards also, in the Auditor General’s words, “… promote consistency in security measures across departments and sharing of best practices.” (1.25)

    In 2002, when the revised Policy came into force, many of the 40 supporting standards for IT security were not yet developed while some were outdated. The government published the Management of Information Technology Security (MITS) standard in May 2004. MITS covered 28 standards out of a total of 40, leaving 12 to be completed. Departments and agencies must await the completion of these standards in order to determine the extent to which they are in compliance with the Policy.

    Treasury Board Secretariat (TBS, the Secretariat) has indicated that it will prioritize the 12 remaining standards according to a plan that it will make available early in fiscal year 2005-06. Acting Chief Information Officer Helen McDonald informed the Committee that 3 of the 12 standards are now in draft form and that TBS is proposing to have all of them completed by December 2006 at the latest.

    Treasury Board Secretariat has set December 2006 as the date by which it expects departments and agencies to be compliant with the MITS standard. TBS indicates that it will monitor both the development of the remaining standards and departmental compliance with them.

    This testimony needs to be put in context. When former Chief Information Officer Michelle d’Auray spoke to the Committee about the 2002 audit of IT security, she agreed that the government needed to accelerate the work on standards. Ms. d’Auray also told the Committee — over two years ago — that the government had “now developed a comprehensive plan that prioritizes the development of key standards.”

    There are thus three issues involved. The first concerns the timely completion of standards without which departments and agencies lack formal guidance on the minimal levels of security they need for their IT systems — and without which the actual status of government-wide IT security cannot be fully determined. Second is the high turnover in the position of Chief Information Officer that undermines the ability of the incumbent to make accurate, knowledgeable forecasts of the time and effort needed to bring about urgent change. And the last, linked to the second, has to do with the credibility of similar statements being issued by TBS today.

    The current environment is unforgiving of delay. The urgency with which government addresses IT security must reflect this. Accordingly, the Committee recommends the following:

    RECOMMENDATION 1

    That Treasury Board Secretariat accelerate the timetable for the development and implementation of all remaining IT security standards with the goal of having them completed well in advance of the December 2006 deadline it has established.

    It is difficult, in a dynamic environment, to make accurate estimates about the length of time it will take to complete complex projects. However, when Treasury Board Secretariat officials make commitments before a parliamentary committee, they must strive to be accurate and, afterward, they must make every possible effort to ensure that their commitments are met. When, for various reasons, estimates turn out to be overly optimistic and compromise commitments based on them, then Parliament must be informed. This is the only way in which accountability can be fully exercised and in which credibility can be earned — or, in this instance, regained. Consequently, the Committee recommends:

    RECOMMENDATION 2

    That beginning in September 2005 Treasury Board Secretariat submit semi-annual status reports to the Standing Committee on Public Accounts on the development and implementation of remaining IT security standards.

    The Committee also notes that, as in 2002, the Secretariat has agreed to all of the Auditor General’s recommendations. Since the Committee’s enthusiasm regarding this response is constrained by the unacceptable results of the recent audit, it recommends:

    RECOMMENDATION 3

    That Treasury Board Secretariat submit a detailed action plan to the Standing Committee on Public Accounts specifying the measures it will take to implement the recommendations made by the Auditor General of Canada. The action plan must include target implementation dates and must be provided to the Standing Committee on Public Accounts no later than 30 September 2005.

[1] Office of the Auditor General of Canada, Status Report, February 2005, Chapter 1, paragraph 37.

[2] Office of the Auditor General of Canada, Report of the Auditor General of Canada to the House of Commons, April 2002, Chapter 3, paragraph 3.3.