IT Security


Executive Summary

Introduction

The Internal Audit of IT Security is part of the Risk-Based Annual Internal Audit Plan 2010-11 approved by the Canadian Institutes of Health Research (CIHR) Governing Council (GC).

The Canadian Institutes of Health Research (CIHR)

The Canadian Institutes of Health Research (CIHR) is the Government of Canada's agency responsible for funding health research in Canada. CIHR was created in 2000 under the authority of the CIHR Act and reports to Parliament through the Minister of Health. CIHR's mandate is to "excel, according to internationally accepted standards of scientific excellence, in the creation of new knowledge and its translation into improved health for Canadians, more effective health services and products and a strengthened Canadian health-care system." CIHR comprises 13 "virtual" institutes - each headed by a Scientific Director, who is assisted by an Institute Advisory Board - which bring together all partners in the research process - the people who fund research, those who carry it out, and those who use its results - to share ideas and focus on what Canadians need: good health and the means to prevent and fight disease. Each Institute supports a broad spectrum of research in its topic areas and, in consultation with its stakeholders, sets priorities for research in those areas. CIHR funds nearly 13,000 researchers and trainees in universities, teaching hospitals, and other health organizations and research centres in Canada.

IT Security

The Government of Canada's Policy on Government Security and its operational standard on Information Technology (IT) security require that departments and agencies protect information throughout its life cycle. IT security consists of the safeguards that preserve the confidentiality, integrity, and availability of electronically stored, processed, and transmitted information.

The observations made in these reports informed the planning of this audit; as of this report date, management has stated that all issues included in these reports have been resolved. The Director, Financial Operations and Monitoring undertook the Internal Control Framework Project which reported several findings relevant to IT security. These issues were included as part of the scope of this audit.

Risks Addressed by the Audit

The audit addresses whether the IT security framework adequately preserves the confidentiality, integrity, and availability of electronically stored, processed, and transmitted information at CIHR. This risk is related to the TBS Management Accountability Framework (MAF) elements of Stewardship – "The departmental control regime (assets, money, people, services, etc.) is integrated and effective, and its underlying principles are clear to all staff" – and Risk Management – "The executive team clearly defines the corporate context and practices for managing organizational and strategic risks proactively."

Audit Objective

The objective of the audit is to provide reasonable assurance that the safeguards that preserve the confidentiality, integrity, and availability of electronically stored, processed, and transmitted information at CIHR are adequate and effective.

Scope

The audit covered the organization and administration of IT security and IT-related aspects of personnel, physical, hardware, software, communications and operations security.

Criteria

The criteria used for assessing the audit objective are derived from the Treasury Board (TB) Policy on Government Security, Policy on the Management of Information Technology, Directive on the Management of Information Technology, Operational Security Standard on Physical Security, Operational Security Standard on Business Continuity Planning Program, Operational Security Standard: Management of Information Technology Security (MITS), Security Organization and Administration Standard, Information Technology Security Audit Guide; Information Systems Audit and Control Association/IT Governance Institute's (ISACA/ITGI) Control Objectives for Information and related Technology (COBIT®); RCMP guide on Physical Protection of Computer Servers; and Communications Security Establishment (CSE) guides on Baseline Security Requirements for Network Security Zones in the Government of Canada and Clearing And Declassifying Electronic Data Storage Devices.

Overall Audit Opinion

The audit has concluded that IT Security at CIHR has moderate issues in that some control weaknesses were identified, but exposure is limited because either the likelihood or the impact of the risk is not high and because management has recognized the weaknesses and initiated mitigating actions.

Statement of Assurance

The audit of the IT Security was conducted in accordance with the Federal Government Policy on Internal Audit and related professional standards. In my professional judgement as Chief Audit Executive, sufficient and appropriate audit procedures have been performed and evidence gathered to support the accuracy of the opinion provided in this report. The audit opinion is based on a comparison of conditions that existed at the time of the audit against established audit criteria that were agreed upon with management.

Summary of Internal Control Strengths

The following key elements of IT Security have been implemented:

Summary of Internal Control Weaknesses

The following elements of IT Security have not been implemented:

Internal Audit thanks management and staff for their excellent cooperation during this audit.

Martin Rubenstein

Chief Audit Executive
Canadian Institutes of Health Research

Management agrees with the conclusions of this audit.

Evie Gray
Chief Information Officer

Detailed Report

Methodology and Criteria

The assessment of IT Security at CIHR was performed through interviews with management and staff; review of documentation; and analysis of controls against audit criteria. Controls were deemed adequate if they were sufficient to minimize the risks that threatened the achievement of objectives.

The audit criteria used for assessing the audit objective are derived from the Treasury Board (TB) Policy on Government Security, Policy on the Management of Information Technology, Directive on the Management of Information Technology, Operational Security Standard on Physical Security, Operational Security Standard on Business Continuity Planning Program, Operational Security Standard: Management of Information Technology Security (MITS), Security Organization and Administration Standard, Information Technology Security Audit Guide; Information Systems Audit and Control Association/IT Governance Institute's (ISACA/ITGI) Control Objectives for Information and related Technology (COBIT®); RCMP guide on Physical Protection of Computer Servers; and Communications Security Establishment (CSE) guides on Baseline Security Requirements for Network Security Zones in the Government of Canada and Clearing And Declassifying Electronic Data Storage Devices.

The audit was conducted between August 2010 and May 2011.

Observations, Recommendations, and Management Action Plan

The following are audit observations, recommendations, and management action plan to address weaknesses in the IT Security at CIHR.

Each numbered item below gives the Observation, the Recommendation(s), and the Management Action Plan.

1. CIHR's network has not been certified since 2006.

The original certification of the network through a comprehensive Threat and Risk Assessment (TRA) occurred in 2006 and has not been updated since that time.

In addition, CIHR’s physical security, which protects its IT assets, has not been reviewed since 2007.

Security assessments of new systems do not always include a formal review of possible changes or impacts to the network or other systems.

Risk and impact
Failing to update system certification could render the assumptions made in a system’s initial security assessment obsolete.

1.1 The network should be regularly evaluated through a formal TRA.

1.2 As part of any new system deployment, the network should be checked to determine whether the new system adds, removes or alters pre-existing security risks.

Responsibility: CIO

Action

1.1 A network TRA will be performed in FY2012-13.

Expected completion: March 2013

1.2 The Security Assessment template will be updated to include a section to identify impacts to the network or other systems.

Expected completion: March 2012

2. Employees receive limited IT security training at orientation and on an ongoing basis.

Employee IT security training consists of a mandatory review of the Account Holder Acceptance Agreement as part of the orientation process, occasional briefings on specific security topics and the non-mandatory Security Awareness Week activities. The agreement:

  • has not been updated in several years;
  • contains several inaccuracies;
  • does not list IT security risks; and
  • does not make users aware of the risks presented by CIHR’s remote access solution.

Finally, despite a large number of positions in ITAMS having administrator accounts, security responsibilities and access to the server room, no specific security training is required for these positions.

Risk and impact
Failing to train employees to recognize the threats to their equipment or the tactics of malicious individuals could introduce risks to the environment.

2.1 The Account Holder Acceptance Agreement should be updated to reflect the most current IT security risks and employee responsibilities.

2.2 [redacted for security reasons].

2.3 [redacted for security reasons].

2.4 Employees with administrator accounts or access to the server room should be given specific security training regarding the risks of their enhanced access rights.

Responsibility: CIO

Action

2.1 The Account Holder Acceptance Agreement will be updated to reflect current policies.

Expected completion: March 2012

2.2 The ITSC will work with HR to include information on security awareness in the employee orientation information package.

Expected completion: March 2013

[redacted for security reasons].

2.3 Terms of Use for BlackBerry devices will be developed by the ITSC together with IM/IT.

Expected completion: June 2012

2.4 [redacted for security reasons]

A Privileged Account Holder Acceptance Agreement will be drafted by the ITSC, addressing the responsibilities and risks of these accounts, including physical access to equipment.

3. There is no formal process to address or follow up on the recommendations made in TRAs, vulnerability assessments (VAs), and privacy impact assessments (PIAs).

A formal process does not exist to address the recommendations made in TRAs, vulnerability assessments (VAs) or privacy impact assessments (PIAs).

Risk and impact
Operating and/or implementing systems without addressing vulnerabilities could compromise the confidentiality, integrity and availability of CIHR’s information and information assets.

3.1 A formal process should be developed and implemented to address the recommendations noted in TRAs, VAs, and PIAs.

3.2 Recommendations should be regularly followed up on to verify that the appropriate actions were taken, with follow-up continuing until all outstanding items have been addressed. The follow-up process should also be applied to recommendations made in existing security documents.

Responsibility: CIO

Action

3.1 The Certification and Accreditation process will be reviewed and clarified to ensure that all recommendations from risk management documents are addressed and any residual risk accepted by accreditation authorities. This will be done once ITSG 33, which defines the new standard for these processes, is released by TBS.

Expected completion: Contingent on the timing of ITSG 33 (currently expected to be April, 2012).

3.2 An inventory of recommendations from security documents will be created and managed by the IT Security Coordinator. This inventory will track the recommendations, the action plan and the status of these actions. Actions will be coordinated with all other IT activities as part of the IT Change Management Process.

Expected completion: December 2012

4. [redacted for security reasons]

[redacted for security reasons]

[redacted for security reasons]

[redacted for security reasons]

5. [redacted for security reasons]

[redacted for security reasons]

[redacted for security reasons]

[redacted for security reasons]

6. The criteria used to determine whether a position requires administrator access are not clear.

It is unclear what criteria are used to determine which employees receive an administrator account.

[redacted for security reasons].

Risk and impact
The access rights of an administrator account allow individuals the possibility to erase or modify information and IT assets, as well as allowing them to remove records of their activities. [redacted for security reasons].

6.1 Criteria should be established to determine which positions require administrator rights. [redacted for security reasons].

Responsibility: CIO

Action

6.1 [redacted for security reasons].

A Privileged Account Holder Acceptance Agreement will be drafted by the ITSC, addressing the responsibilities and risks of administrator accounts, including physical access to equipment.

Expected completion: March 2013

7. CIHR's business continuity plan (BCP) has not been tested.

The BCP was approved in October 2011 but has not yet been tested.

Risk and impact
Without a properly tested BCP, CIHR may be unable to function in the case of an actual disaster. A BCP that is not maintained does not stay aligned with changes in CIHR's mandate or its strategic or operational priorities, and does not register the addition of critical new systems.

7.1 CIHR's BCP should be tested and regularly updated.

Responsibility: Departmental Security Officer

Action

7.1 The Departmental Security Officer will be responsible for ensuring updates to the BCP are made as required. Testing of the BCP will be scheduled for every two years.

Expected completion: Testing will start in FY2012-13

8. The process to review RFPs does not require input from the ITSC.

The ITSC's role profile requires the position to review potential third party contracts with IT security implications, but there are no procedures or practices to facilitate this. The security requirements checklist published by TBS includes a section on IT security; requiring the use of the checklist would ensure that a review of IT security is conducted for all RFPs.

Risk and impact
Not having the ITSC review third party contracts for potential IT security issues could place the organization at undue risk.

8.1 The contracting process should include a formal process to review contracts for sections with IT security implications, and when appropriate, forward any relevant documents to the ITSC for review and recommendation.

8.2 The contracting and IT security policies should be amended to incorporate the ITSC’s responsibilities regarding the contracting process.

Responsibility: Departmental Security Officer

Action

8.1 The Security Team and Procurement unit will define a process requiring the completion of a security requirements checklist (SRCL) when preparing procurement documentation. This SRCL will be reviewed by Security, who will assess the security requirements for the contract. Any IT-related SRCL will be reviewed by the ITSC for recommended actions.

Expected completion: September 2012

Responsibility: Manager, Procurement

Action

8.2 Contracting procedures will be amended to incorporate ITSC responsibilities regarding the contracting process.

Expected completion: September 2012

9. The standard for mobile devices does not describe current practices.

[redacted for security reasons].

Risk and impact
The current standard prohibits and prescribes certain activities which are not in line with current practices. This can lead to confusion for employees, managers and Helpdesk staff.

9.1 ITAMS should revise the Standard on Mobile Devices so that it reflects current acceptable uses and best IT security practices.

Responsibility: CIO

Action

9.1 ITAMS will review the Standard on Mobile Devices and modify it accordingly.

Expected completion: March 2013