IT Security
Table of Contents
Executive Summary
Introduction
The Internal Audit of IT Security is part of the Risk-Based Annual Internal Audit Plan 2010-11 approved by the Canadian Institutes of Health Research (CIHR) Governing Council (GC).
The Canadian Institutes of Health Research (CIHR)
The Canadian Institutes of Health Research (CIHR) is the Government of Canada's agency responsible for funding health research in Canada. CIHR was created in 2000 under the authority of the CIHR Act and reports to Parliament through the Minister of Health. CIHR's mandate is to "excel, according to internationally accepted standards of scientific excellence, in the creation of new knowledge and its translation into improved health for Canadians, more effective health services and products and a strengthened Canadian health-care system." CIHR comprises 13 "virtual" institutes - each headed by a Scientific Director, who is assisted by an Institute Advisory Board - which bring together all partners in the research process - the people who fund research, those who carry it out, and those who use its results - to share ideas and focus on what Canadians need: good health and the means to prevent and fight disease. Each Institute supports a broad spectrum of research in its topic areas and, in consultation with its stakeholders, sets priorities for research in those areas. CIHR funds nearly 13,000 researchers and trainees in universities, teaching hospitals, and other health organizations and research centres in Canada.
IT Security
The government policy on security and Information Technology (IT) security operational standard require that departments and agencies protect information throughout its life cycle. IT security is the safeguards that preserve the confidentiality, integrity, and availability of electronically stored, processed, and transmitted information.
The observations made in these reports informed the planning of this audit; as of this report date, management has stated that all issues included in these reports have been resolved. The Director, Financial Operations and Monitoring undertook the Internal Control Framework Project which reported several findings relevant to IT security. These issues were included as part of the scope of this audit.
Risks Addressed by the Audit
The audit addresses whether the IT security framework adequately preserves the confidentiality, integrity, and availability, of electronically stored, processed, and transmitted information at CIHR. This risk is related to the TBS Management Accountability Framework (MAF) elements of Stewardship – "The departmental control regime (assets, money, people, services, etc.) is integrated and effective, and its underlying principles are clear to all staff" – and Risk Management – "The executive team clearly defines the corporate context and practices for managing organizational and strategic risks proactively."
Audit Objective
The objective of the audit is to provide reasonable assurance that the safeguards that preserve the confidentiality, integrity, and availability of electronically stored, processed, and transmitted information at CIHR are adequate and effective.
Scope
The audit covered the organization and administration of IT security and IT-related aspects of personnel, physical, hardware, software, communications and operations security.
Criteria
The criteria used for assessing the audit objective are derived from the Treasury Board (TB) Policy on Government Security, Policy on the Management of Information Technology, Directive on the Management of Information Technology, Operational Security Standard on Physical Security, Operational Security Standard on Business Continuity Planning Program, Operational Security Standard: Management of Information Technology Security (MITS), Security Organization and Administration Standard, Information Technology Security Audit Guide; Information Systems Audit and Control Association/IT Governance Institute's (ISACA/ITGI) Control Objectives for Information and related Technology (COBIT®); RCMP guide on Physical Protection of Computer Servers; and Communications Security Establishment (CSE) guides on Baseline Security Requirements for Network Security Zones in the Government of Canada [ PDF (2.01 MB) - external link ] and Clearing And Declassifying Electronic Data Storage Devices [ PDF (1.44 MB) - external link ].
Overall Audit Opinion
The audit has concluded that IT Security at CIHR has moderate issues in that some control weaknesses were identified, but exposure is limited because either the likelihood or the impact of the risk is not high and because management has recognized the weaknesses and initiated mitigating actions.
Statement of Assurance
The audit of the IT Security was conducted in accordance with the Federal Government Policy on Internal Audit and related professional standards. In my professional judgement as Chief Audit Executive, sufficient and appropriate audit procedures have been performed and evidence gathered to support the accuracy of the opinion provided in this report. The audit opinion is based on a comparison of conditions that existed at the time of the audit against established audit criteria that were agreed upon with management.
Summary of Internal Control Strengths
The following key elements of IT Security have been implemented:
- an IT security coordinator (ITSC) responsible for managing a department-wide IT security program with defined accountabilities, activities and responsibilities has been appointed and serves as CIHR's principle IT security contact;
- policies, procedures and/or practices exist governing IT security, security clearance approvals, distribution of IT resources, incident management, system development and modification, system standard builds, and the patching of Windows software;
- many vital IT systems [redacted for security reasons] have undergone a threat and risk assessment and these assessments classify the information and system that allow the identification of proper handling and security clearance requirements;
- a business continuity plan developed by the Business Continuity Planning Coordinator in conjunction with the ITSC has been approved;
- basic IT security training is provided at employee orientation;
- a centralized Helpdesk facility that formally tracks and manages IT issues and incidents exists and its activities are integrated with network administration personnel;
- personnel responsible for managing cryptographic materiel and security equipment have been appropriately trained;
- [redacted for security reasons];
- IT security assets are segregated from public access; and
- the IT security management process incorporates risk information from central agencies.
Summary of Internal Control Weaknesses
The following elements of IT Security have not been implemented:
- IT systems are not recertified in the face of a changing IT environment;
- [redacted for security reasons];
- recommendations made in security assessment documents lack formal follow-up;
- [redacted for security reasons];
- [redacted for security reasons];
- [redacted for security reasons];
- the business continuity plan has not been tested;
- the ITSC is not formally involved in the contracting process for IT-related items; and
- current practices regarding Blackberries are not in line with the relevant internal standard.
Internal Audit thanks management and staff for their excellent cooperation during this audit.
Martin Rubenstein
Chief Audit Executive
Canadian Institutes of Health Research
Management agrees with the conclusions of this audit.
Evie Gray
Chief Information Officer
Detailed Report
Methodology and Criteria
The assessment of IT Security at CIHR was performed through interviews with management and staff; review of documentation; and analysis of controls against audit criteria. Controls were deemed adequate if they were sufficient to minimize the risks that threatened the achievement of objectives.
The audit criteria used for assessing the audit objective are derived from the Treasury Board (TB) Policy on Government Security, Policy on the Management of Information Technology, Directive on the Management of Information Technology, Operational Security Standard on Physical Security, Operational Security Standard on Business Continuity Planning Program, Operational Security Standard: Management of Information Technology Security (MITS), Security Organization and Administration Standard, Information Technology Security Audit Guide; Information Systems Audit and Control Association/IT Governance Institute's (ISACA/ITGI) Control Objectives for Information and related Technology (COBIT®); RCMP guide on Physical Protection of Computer Servers; and Communications Security Establishment (CSE) guides on Baseline Security Requirements for Network Security Zones in the Government of Canada [ PDF (2.01 MB) - external link ] and Clearing And Declassifying Electronic Data Storage Devices [ PDF (1.44 MB) - external link ].
The audit was conducted between August 2010 and May 2011.
Observations, Recommendations, and Management Action Plan
The following are audit observations, recommendations, and management action plan to address weaknesses in the IT Security at CIHR.
| Observation | Recommendation | Management Action Plan |
|---|---|---|
| 1. CIHR's network has not been certified since 2006. | ||
|
The original certification of the network through a comprehensive Threat and Risk Assessment (TRA) occurred in 2006 and has not been updated since that time. In addition, CIHR’s physical security, which protects its IT assets, has not been reviewed since 2007. Security assessments of new systems do not always include a formal review of possible changes or impacts to the network or other systems. Risk and impact |
1.1 The network should be regularly evaluated through a formal TRA. 1.2 As part of any new system deployment, the network should be checked to determine whether the new system adds, removes or alters pre-existing security risks. |
Responsibility: CIO Action 1.1 A network TRA will be performed in FY2012-13 Expected completion: March 2013 1.2 The Security Assessment template will be updated to include a section to identify impacts to the network or other systems. Expected completion: March 2012 |
| 2. Employees receive limited IT security training at orientation and on an ongoing basis. | ||
|
Employee IT security training consists of a mandatory review of the Account Holder Acceptance Agreement as part of the orientation process, occasional briefings on specific security topics and the non-mandatory Security Awareness Week activities. The agreement:
Finally, despite a large number of positions in ITAMS having administrator accounts, security responsibilities and access to the server room, no specific security training is required for these positions. Risk and impact |
2.1 The Account Holder Acceptance Agreement should be updated to reflect the most current IT security risks and employee responsibilities. 2.2 [redacted for security reasons]. 2.3 [redacted for security reasons]. 2.4 Employees with administrator accounts or access to the server room should be given specific security training regarding the risks of their enhanced access rights. |
Responsibility: CIO Action 2.1 The Account Holder Acceptance Agreement will be updated to reflect current policies. Expected completion: March 2012 2.2 The ITSC will work with HR to include information on security awareness in the employee orientation information package. Expected completion : March 2013 [redacted for security reasons]. 2.3 Terms of Use for blackberry devices will be developed by the ITSC together with IM/IT Expected completion: June 2012 2.4 [redacted for security reasons] A Privileged Account Holder Acceptance Agreement will be drafted by the ITSC, addressing the responsibilities and risks of these accounts, including physical access to equipment. |
| 3. There is no formal process to address or follow-up on the recommendations made in TRAs, vulnerability assessments (VAs), privacy impact assessments (PIAs). | ||
|
A formal process does not exist to address the recommendations made in in TRAs, vulnerability assessment (VAs) or privacy impact assessments (PIAs). Risk and impact |
3.1 A formal process should be developed and implemented to address the recommendations noted in TRAs, VAs, and PIAs. 3.2 Recommendations should be regularly followed-up on to verify the appropriate actions were taken, with follow-up continuing until all outstanding items have been addressed. The follow-up process should be applied to recommendations made in existing security documents. |
Responsibility: CIO Action 3.1 The Certification and Accreditation process will be reviewed and clarified to ensure that all recommendations from risk management documents are addressed and any residual risk accepted by accreditation authorities. This will be done once ITSG 33, which defines the new standard for these processes, is released by TBS. Expected completion: Contingent on the timing of ITSG 33 (currently expected to be April, 2012). 3.2 An inventory of recommendations from security documents will be created and managed by the IT Security Coordinator. This inventory will track the recommendations, the action plan and the status of these actions. Actions will be coordinated with all other IT activities as part of the IT Change Management Process. Expected completion: December 2012 |
| 4. [redacted for security reasons] | ||
|
[redacted for security reasons] |
[redacted for security reasons] |
[redacted for security reasons] |
| 5. [redacted for security reasons] | ||
|
[redacted for security reasons] |
[redacted for security reasons] |
[redacted for security reasons] |
| 6. The criteria used to determine whether a position requires administrator access is not clear. | ||
|
It is unclear what criteria are used to determine which employees receive an administrator account. [redacted for security reasons]. Risk and impact |
6.1 Criteria should be established to determine which positions require administrator rights. [redacted for security reasons]. |
Responsibility: CIO Action 6.1 [redacted for security reasons]. A Privileged Account Holder Acceptance Agreement will be drafted by the ITSC, addressing the responsibilities and risks of administrator accounts, including physical access to equipment. Expected completion: March 2013 |
| 7. CIHR's business continuity plan (BCP) has not been tested. | ||
|
The BCP was approved in October 2011 but has not yet been tested. Risk and impact |
7.1 CIHR's BCP should be tested and regularly updated. |
Responsibility: Departmental Security Officer Action 7.1 The Departmental Security Officer will be responsible for ensuring updates to the BCP are made as required. Testing of the BCP will be scheduled for every two years. Expected completion: Testing will start in FY2012-13 |
| 8. he process to review RFPs does not require input from the ITSC. | ||
|
The ITSC’s role profile requires the position to review potential third party contracts with IT security implications, but there are no, procedures or practices to facilitate this. The security requirements checklist published by TBS includes a section on IT security; requiring the use of the checklist would ensure there is a review of IT security conducted for all RFPs. Risk and impact |
8.1 The contracting process should include a formal process to review contracts for sections with IT security implications, and when appropriate, forward any relevant documents to the ITSC for review and recommendation. 8.2 The contracting and IT security policies should be amended to incorporate the ITSC’s responsibilities regarding the contracting process. |
Responsibility: Departmental Security Officer Action 8.1 The Security Team and Procurement unit will define a process requiring the completion of a security requirements checklist (SRCL) when preparing procurement documentation. This SRCL will be reviewed by Security who will assess the security requirements for the contract. Any IT related SCRL will be reviewed by the ITSC for recommended actions. Expected completion: September 2012 Responsibility: Manager, Procurement Action 8.2 Contracting procedures will be amended to incorporate ITSC responsibilities regarding the contracting process. Expected completion: September 2012 |
| 9. The standard for mobile devices does not describe current practices. | ||
|
[redacted for security reasons]. Risk and impact |
9.1 ITAMS should revise the Standards for Mobile Devises so that they reflect current acceptable uses and best IT security practices. |
Responsibility: CIO Action 9.1 ITAMS will review and modify accordingly the Standard on Mobile Devices. Expected completion: March 2013 |
- Date modified: