ARCHIVED - Follow-up to the 2007-08 Audit of Information Technology (IT) Security Management


Executive Summary and Conclusion

Background

This report presents the findings of the Follow-up to the 2007-08 Internal Audit of the Management of IT Security. The decision to conduct the audit was approved by the President following the recommendation of the Senior Executive Committee and thereafter by the Departmental Audit Committee on April 29, 2010 as part of the NRC 2010-11 to 2012-13 Risk-Based Internal Audit Plan.

Audit objective, scope and methodology

The audit commenced with two objectives. In accordance with the Treasury Board Policy on Internal Audit and professional auditing standards, the first objective of the audit was to verify management’s progress in implementing their action plans in response to the recommendations contained in the 2007-08 Internal Audit of the Management of IT Security (as shown in Appendix A). The scope of the audit included Information Management Service Branch (IMSB) and two of the Institute/Branch/Programs (IBPs) included in the 2007-08 audit.

The second objective of the audit was to verify NRC’s compliance with the seven IT security measures (as shown in Appendix B) identified as important for NRC to be considered a secure environment for the use of the Government of Canada Compensation Web Applications (CWA). These seven measures align with the Treasury Board Policy on Government Security (PGS) within the context of the overall updated Treasury Board Framework for Information and Technology. The audit work, which was nearing completion, was discontinued for this audit objective following the announcement that Shared Services Canada (SSC) would have, for the most part, responsibilities for this area. By this time, the audit work had sufficiently progressed to provide management with the information needed to address areas requiring improvement. However, this work does not meet the standards for audit assurance; the findings presented for this portion of the work can only be characterized as a “review”. The scope encompassed a review of the key IT security measures for all of NRC, namely IMSB and the ten IBPs that managed their own IT security within the context of NRC’s federated model.

Due to the specialized nature of the audit, the NRC audit team was supplemented by a team of experienced IT security experts with audit expertise who were contracted to assist in conducting the audit work. For both audit objectives, the findings are based on evidence gathered between December 2010 and May 2011.

Audit opinion and conclusion

Overall, we found the level of implementation of Internal Audit’s recommendations to be adequate, with the exception of the development of an NRC Business Continuity Plan, which requires management’s attention.

Based upon our review procedures, the IBPs for which IMSB provides IT security services are overall well managed and can be considered strong. While some IBPs not under IMSB’s management are notable exceptions, showing strong or adequate performance, there are opportunities overall for improvement with respect to managing public and operations access zones and performing vulnerability assessments.

Recommendations

1. NRC should review and analyze the Statements of Criticality provided by IBPs to determine whether IMSB needs to re-prioritize its risk management activities in scheduling and conducting additional Threat and Risk Assessments for all NRC and IBP business critical systems. [HIGH Priority - Level 1]

NRC Management Response:

With the transfer of management responsibility for NRC’s network and IT infrastructures to Shared Services Canada (SSC), it is still unclear how security risk management for IT will work within the federal government. Nevertheless, a review and analysis of NRC statements of criticality is an important action item for articulating to SSC NRC’s security requirements.

With the recent consolidation of NRC’s security services during the Spring of 2011, NRC is in the process of re-prioritizing its security risk management activities as a whole (e.g. research facilities, office buildings, business critical systems, etc.). A new security risk management plan will be developed as a project under NRC’s Departmental Security Plan, and will be implemented as resources permit. [March 2012]

2. NRC should align business critical processes and systems identified in an updated Business Impact Analysis with those identified in the IBP Statements of Criticality and thereafter complete the development of a Business Continuity Plan for NRC. [HIGH Priority - Level 1]

NRC Management Response:

NRC will undertake the development of a Business Continuity Planning Program to address deficiencies in this area. A project requirements document and high-level plan are being developed for SEC approval. Should approval be granted, development of the program will commence in January 2012.

3. NRC should ensure IBPs’ remote access systems comply with its Telecommunications Security Standard. [Moderate Priority - Level 3]

NRC Management Response:

With the creation of SSC, management control and responsibility for remote access services will no longer be the responsibility of NRC. NRC will continue to work with its new SSC colleagues to help ensure its remote access systems both meet NRC’s requirements and are compliant with federal security standards. [Date N/A]

Statement of assurance

In my professional judgement as Chief Audit Executive, sufficient and appropriate audit procedures have been conducted and evidence gathered to support the accuracy of the opinion provided and contained in this report. The opinion is based on a comparison of the conditions, as they existed at the time, against pre-established audit criteria that were agreed upon by management. The opinion is applicable only to the entity examined.

Jayne Hinchliff-Milne, CMA, Chief Audit Executive

NRC Audit Team Members (see Footnote 1):

Irina Nikolova, Audit Manager, FCCA, CIA, CISA
Allison Smith, Junior Auditor, BA
Andy Lang, Junior Auditor, BCom

Appendix: NRC Internal Audit Implementation Rating Scale for Management Action Plans

Level 1: No Progress or Insignificant Progress

Actions such as striking a new committee, having meetings, and generating informal plans are regarded as insignificant progress.

Level 2: Planning Stage

Formal plans for organizational changes have been created and approved by the appropriate level of management (at a sufficiently senior level, usually executive committee level or equivalent) with appropriate resources and a reasonable timetable.

Level 3: Preparations for Implementation

The entity has made preparation for implementing a recommendation by hiring or training staff, or developing or acquiring the necessary resources to implement the recommendation.

Level 4: Substantial Implementation

The structures and processes are in place and integrated within at least some parts of the organization, and some achieved results have been identified. The entity will also probably have a short-term plan and timetable for full implementation.

Level 5: Full Implementation

The structures and processes are operating as intended and are fully implemented.

Obsolete

The recommendation is no longer applicable because the process or issue has become outdated as a result of having been superseded by something newer, i.e., management resolved the issue by doing something else.

Footnotes

Footnote 1

The NRC audit team was supplemented by a team of contracted auditors from Deloitte with expertise in IT security management to assist in conducting the audit work.
