PACP Committee Report

CHAPTER 1, INFORMATION TECHNOLOGY SECURITY OF THE FEBRUARY 2005 REPORT OF THE AUDITOR GENERAL OF CANADA

OBSERVATIONS AND RECOMMENDATIONS

The Role of the Treasury Board Secretariat

The office of the Chief Information Officer is located in Treasury Board Secretariat, the central agency that holds main responsibilities for coordinating, leadership, oversight, and monitoring of IT security across government.

The Secretariat is instructed by the Government Security Policy (the Policy) to monitor the results of departmental internal IT security audits and to produce a mid-term report to Treasury Board on the effectiveness of the Policy.

It was therefore worrisome to discover that the Secretariat “is not adequately fulfilling its role” of monitoring and overseeing the state of security in departments and agencies. (1.23) The audit found, for example, that the Secretariat has “no formal process in place for getting departments and agencies to submit their [internal IT security] audit reports or analyzing the security findings” they contain. (1.72) While the Secretariat has only received 10 audit reports on IT security since 2002, (1.72) the Auditor General found that 37 departments and agencies had audited their IT security systems in the last two years. (1.70) In other words, the Secretariat had no formal means it could use to compel the production of IT security audit reports. This appears to be the result of the Secretariat’s zeal for placing the entire burden of compliance with its policies on the shoulders of the departments and agencies and then hoping for the best.

The Committee believes strongly that, as in so many other areas under its responsibility, Treasury Board Secretariat must abandon its passive approach and actively monitor the application of the policies it promulgates. The Committee therefore recommends:

RECOMMENDATION 4

That Treasury Board Secretariat adhere to the requirements of the Government Security Policy as stated in Appendix A of the Policy, paying close attention to its duty to provide “advice and assistance on security” and to monitor “the implementation of the [P]olicy and the state of security in the Government of Canada.”

RECOMMENDATION 5

That the Treasury Board Secretariat provide, in its annual departmental performance reports, information on its monitoring activities with respect to its obligations as set forth in Appendix A of the Government Security Policy. Reference must be made to the frequency and scope of monitoring, the results, and corrective measures taken. This reporting should begin with the report for the period ended 31 March 2005.

The Committee is concerned about the capacity of the Secretariat to do what the Policy calls for. It notes the small number of staff assigned to the Office of the Chief Information Officer (CIO) and the frequent turnover in the CIO position. It also notes that responsibility for IT security is divided between Treasury Board Secretariat and 10 lead agencies. Paul Rummell, a former Chief Information Officer, has said that the government will continue to have problems with IT security unless a single agency is created that is accountable for policy and operations [3]. Although the Auditor General found that inter-agency co-operation and coordination have improved, the Committee shares concerns similar to those voiced by Mr. Rummell. The Committee accordingly recommends:

RECOMMENDATION 6

That the Government of Canada review the adequacy of resources and authorities available to the Office of the Chief Information Officer to lead government-wide IT security efforts, explore the option of consolidating resources and authorities to take full responsibility for government-wide IT security in the hands of a single entity, and report the results to the Standing Committee on Public Accounts no later than 31 December 2005.

RECOMMENDATION 7

That Treasury Board Secretariat identify the reasons for turnover in the position of Chief Information Officer, analyze the results, and report its findings, along with an action plan listing the steps it will take to extend the tenure of this officer to a minimum five-year term, to the Standing Committee on Public Accounts no later than 31 December 2005.

The Role of Departments and Agencies

Under the Government Security Policy, deputy ministers are responsible for their department’s ability to meet the requirements of the Policy and its supporting standards. This responsibility encompasses the performance of threat and risk assessments to determine whether departments need safeguards in addition to those prescribed by the Policy. The Policy also directs departments to conduct active monitoring and internal audits of their security systems on an ongoing basis and to report the results to Treasury Board Secretariat.

The Auditor General reported that departmental IT systems are “vulnerable to breaches in security,” and that the majority of departments “do not meet the minimum standards” set by Treasury Board Secretariat for IT security. (1.3) The Committee was particularly concerned when it learned that senior management in many departments and agencies “is not aware of the IT security risks and does not understand how breaches of security could affect operations and the credibility of government.” (1.4)

Yet deputy ministers bear the responsibility for determining the emphasis departments place on IT security and the level of resources that will be allocated for this purpose. Improvements are unlikely to occur unless deputy ministers are fully aware of the actual status of IT security in their departments and the risks associated with unresolved vulnerabilities.

Under the Government Security Policy, Treasury Board Secretariat is responsible for coordinating the provision of security training and awareness. The Secretariat is aware of the need to promote an awareness of the importance of IT security at the senior levels and is requiring that deputy ministers sign off on action plans for compliance with security standards in the fall of 2005. The Committee believes that these actions should be part of a wider effort to instil a greater awareness among senior managers and recommends:

RECOMMENDATION 8

That Treasury Board Secretariat develop and implement a plan for an awareness of the importance of IT security among senior departmental managers, with an emphasis on deputy ministers, and provide the Standing Committee on Public Accounts with a copy of this plan no later than 30 September 2005.

Each department and agency has a departmental security officer and an IT security coordinator, but there is no assurance that they report directly to the deputy minister. Since direct access to the deputy minister is necessary to promote awareness of, and responsiveness to, IT security status and needs, the Committee recommends:

RECOMMENDATION 9

That a mandatory direct reporting relationship be established for departmental security officers and departmental IT security coordinators to their deputy ministers.

The Committee also notes that departmental security officers are not, in some cases, in a position to influence department-wide security-related decisions. This is a serious oversight that needs to be corrected as quickly as possible. The Committee accordingly recommends:

RECOMMENDATION 10

That departmental security officers be positioned at a strategic level within departments and agencies so that they can have meaningful influence over department-wide IT security strategies and input into budgeting decisions affecting security.

Despite the best precautions and monitoring, there remains a good chance that critical departmental IT systems might be shut down by a cyber attack. This is why the Government Security Policy requires departments and agencies to develop business continuity plans that will allow them to continue functioning in the event that such an attack takes place. The audit found that more than half of departments (53 out of 82, or 65%) had such plans but only 24 had tested them over the last two years. This is unacceptable. The Committee recommends:

RECOMMENDATION 11

That departments and agencies be required to develop business continuity plans on a priority basis and to test these plans at least every two years, with the results to be communicated to the Office of the Chief Information Officer at Treasury Board Secretariat.

[3] “Feds respond to Auditor General’s IT security critique,” ITBusiness.ca, 18 February 2005.