OTTAWA – On paper, federal deputy ministers or department heads who fail to comply with the Management of Information Technology Security (MITS) standard by the end of the year should expect a dressing down at the very least, and maybe a pink slip in the worst case scenario.
But in reality, it will likely be those responsible for IT security in their organizations who will shoulder the blame if they fail to communicate the need to meet the standard.
“Accountability is clearly established in the MITS policy itself,” said Pierre Boucher, senior director, architecture and standards at the Treasury Board of Canada Secretariat, in a keynote address at Microsoft Canada’s second annual Security Summit in Ottawa Tuesday. “The DM or the head of the organization is accountable.”
At the same time, though, he added, while the Treasury Board wields a big stick and has been meeting with department heads to discuss the issue, managers and DMs won’t invest in IT security unless they can be persuaded it makes business sense – and that’s IT’s responsibility.
“One of the challenges was to get IT security out of the closet,” said Boucher. “As an IT security practitioner you know about things, you see the vulnerabilities and you know how to fix them. But until senior executives understand the risks of running the systems they won’t put the priority on this.”
Boucher said he had met with IT people who complained their DMs wanted to cut their funding even though they were doing a good job of preventing malware and viruses, for example. That’s why it is so important to communicate to managers what could happen if those security practices and technologies were not in place. But those discussions need to be framed in language managers understand – which is not geek-speak, he added.
“It’s about program delivery, it’s not about techie tools,” he said. “So it’s a question of how you relate that message to them.”
Managers understand that if their IT system is down, they can’t do their job. Likewise, he said, they need to understand that if their systems are broken into and information escapes, they risk losing the confidence of Canadians. Once they understand those fundamentals, funding and expertise can suddenly be found, he said.
Boucher advised IT departments to keep statistics on security-related incidents, such as the number of viruses or intrusion attempts, to show to department heads.
“You need to report that back in dashboard form or whatever,” he said. “There’s nothing wrong and it’s not crying wolf to show stats on a quarterly basis of things that are happening in your systems. You’re just stating the facts and as long as you state the facts you’ve got credibility.”
December is the deadline for full compliance, but all 100 or so departments are required to submit an update in September outlining their progress in meeting MITS compliance. At the very least, they should know by that point their critical functions and have a sustainable organizational structure to protect those functions on an ongoing basis.
“If you don’t have that we’re going to have a discussion,” Boucher said.
But while MITS compliance clearly applies to all federal departments, it gets a little fuzzier when it comes to external service providers, Boucher admitted. “Right now MITS does not make a distinction as to whether a service is provided internally or externally,” he said. “That’s one of the areas we’re trying to address, because if you think about shared services, they might build internally or they might outsource. At the end of the day the department that receives the service should have some level of assurance it meets requirements.”
Boucher, who also participated in a roundtable with vendors and consultants following his keynote, said he hopes eventually the government can focus more on “are we secure” as opposed to “are we compliant?”
“It’s not solely for satisfying Treasury Board needs,” he said.
That’s a situation that is unlikely to ever change, noted Brian O’Higgins, chief technology officer at Ottawa-based Third Brigade.
O’Higgins pointed out that the latest security vulnerability is no longer just in the network, but in the applications. On average there are 20 new vulnerabilities posted every day, so an application that’s secure one day may not be the next. Hackers are no longer in it just for the glory, but for the money, so there is an additional danger posed by lax security, he said.
O’Higgins, who called MITS “good, sensible stuff,” said it’s unrealistic to hope people will implement security standards unless forced to do so — or there’s a big security scare.
“When there’s a regulatory environment people tend to do stuff and it really works.”
Steve Lloyd, chief security advisor for Microsoft Canada, said one of the ways Microsoft is trying to help governments improve security is through its trustworthy computing initiative, which aims to one day make computing as safe and reliable as telephone service.
That’s a long way away, he said. But in the meantime, Microsoft has launched its MITS planning guide, which identifies 120 MITS requirements and the Microsoft products that can help meet them. “They may already have stuff that can help them meet those requirements,” he said.
But while the 2005 Auditor General’s report criticized the Treasury Board for inconsistencies in the implementation of security policies across the federal government, the truth is most major departments – especially those dealing with human resources, finance and national security – have already had huge IT security infrastructures in place for years, said Hugh Ellis, vice-president of professional services in the Cinnabar Networks division of Bell Security Solutions Inc. in Ottawa.
“MITS picked off a few little spots here but they had massive programs under way that were very successful,” he said of those departments. “I think the public has a pessimistic view of security and maybe that’s the proper view to be asking those challenging questions, but I can tell you as an insider it’s very encouraging the efforts and the priority, the budget and the training of the people.”