Canadian federal departments say they are already taking steps to address the concerns raised in a recent report from Auditor General Sheila Fraser to improve the IT security of mission-critical systems.
Fraser’s most recent report follows up on a review of the public sector’s IT security policies
and practices from 2002. In it, Fraser and her team criticize the Treasury Board Secretariat, which typically leads policy development in this area, for failing to complete standards related to intrusion detection and incident response, as well as a lack of consistency in applying standards and adhering to security policies among many government departments.
Paul Rummell, a former CIO with the Treasury Board who now works as a consultant with EDS, said the government will continue to be challenged by IT security until a central authority is established.
“”You need a single agency that’s accountable for policy and operations,”” he said. “”Right now it’s divided across Treasury Board, RCMP and the (Canadian Security Establishment).””
Singled out
A Treasury Board Secretariat official told ITBusiness.ca two years ago it was in the final stages of a government-wide IT security review that would allow departments to better interoperate in the event of a crisis. It also said its guidelines would be consistent with international standards bodies.
The Auditor General’s report singled out several departments as lagging behind in three key areas of IT security under the revised Government Security Policy and Management of Information Technology (MITS) standard. The report noted, for example, that while the National Parole Board has recently started a project to review its IT security policies, senior management at both Social Development Canada and Fisheries and Oceans Canada haven’t approved these policies.
As a result of its internal audit, however, Social Development made a similar recommendation, said David Beach, the department’s director of IT security. Social Development’s internal audit branch conducted its own audit of IT security between 2003 and 2004. Since the publication of its internal audit, Social Development has set up a new policy co-ordination shop within systems which focuses on arranging for corporate consolidation acceptance of all IT policies, Beach said.
“”It would be a mistake for anybody to think the policies aren’t there,”” he said. “”In terms of the process to get them blessed at the most senior department levels and promulgated to all the employees who will need to know them for their various job functions, we think that process has just gotten a lot easier with the setting up of this different policy shop.””
Since the 2002 Auditor General report, Fisheries and Oceans Canada has been working on a $6 million, four-year plan called the IT security enhancement project. To date, there are 11 final drafts of policies that cover a wide range of IT security, including policies on threat assessment, wireless technologies and configuration of personal computers.
Security not the only issue
Christopher Seifried, department director of technology services, said these policies will be approved within this calendar year.
“”The departmental senior management knows that IT security is important, or it wouldn’t have approved the $6-million dollar project,”” Seifried said, adding that while management recognizes the importance of the project, the department has to worry about a plethora of issues ranging from accessible waterways to serving a sustainable fishery. “”There are so many important priorities that departmental management has to deal with all the time that it’s hard to get on their agenda. Now that the drafting and consultation is over, it’s going to be more of a formality to get these policies on the agenda of the departmental management and have them approved.””
But Seifried admits this process could have started earlier than April 2004.
“”I think we could have started a year earlier, but there were a lot of other important projects that were seeking the same funding,”” he said. Fisheries and Oceans sought funding for the project through the major capital fund, a special fund provided to departments for specific types of investments to build or secure assets.
— Sarah Lysecki and Shane Schick