Audit of IT Security - Summary
January 2019
Background
Deputy heads are accountable for the effective implementation of security management, including IT Security, within their organizations. The Treasury Board Secretariat (TBS) Management of Information Technology Security Standard (MITS) defines the baseline security requirements that federal departments must fulfill to ensure the security of information and information systems under their control. While CIHR does not manage information or provide services deemed critical to the Government of Canada, the Agency does collect and retain data requiring protection, such as information on research proposals, adjudication results and the personal details of applicants. [Footnote 1]
An audit of IT security was last conducted in 2012. Since then, new software has been deployed and both CIHR’s IT infrastructure and the threat environment have evolved. As such, an audit of IT security was necessary to ensure risks continued to be effectively managed.
Why this is important
Government of Canada (GC) departments rely on information systems to support their business activities. These interconnected information systems are often subject to serious attacks that can have adverse effects on departmental business activities through theft or loss of access to information. Canada’s Communications Security Establishment reports that the GC blocks on average more than 600 million attempts each day to identify or exploit vulnerabilities in its systems and networks. [Footnote 2] While the true number of successful attempts on government networks is unknown, there have been several high-profile attacks in recent years where unauthorized access has occurred, underscoring the importance of robust IT security for all government departments.
Objective and Scope
The objective of the audit was to provide assurance that CIHR is equipped to protect its information systems (and the data contained within these systems) from threats and vulnerabilities. To do this, the audit assessed the adequacy and effectiveness of CIHR’s:
- IT security governance;
- Approach to managing IT security risk; and
- Key IT controls related to the identification, mitigation and monitoring of threats and vulnerabilities.
Findings and Recommendations
CIHR’s IT security program was found to be well established. The Agency had an approved Departmental Security Plan and individual accountabilities, roles and responsibilities for IT security were assigned and documented. As part of its IT security program, the Agency had implemented key security controls to prevent, detect and correct vulnerabilities.
The audit identified opportunities for improvement in some aspects of IT security and recommendations were issued in the areas of governance, risk management and control. Management accepted the audit recommendations and has responded with an action plan to address the findings.
Statement of Conformance
The Audit of IT Security conforms with the Policy on Internal Audit as supported by the results of the quality assurance and improvement program.
Internal Audit thanks management and staff for their assistance and cooperation throughout the audit.
Ian Raskin
Chief Audit and Evaluation Executive
Canadian Institutes of Health Research
Management agrees with the conclusion of the audit.
Jason Reid
Chief Information Officer and Director General, Information Management, Technology and Security
Canadian Institutes of Health Research