Canadian federal departments say they are already taking steps to address the concerns raised in a report from Auditor General Sheila Fraser to improve the IT security of mission-critical systems.
released late Tuesday follows up on a review of the public sector’s IT security policies and practices from 2002. In the latest report, Fraser and her team criticize Treasury Board Secretariat, which typically leads policy development in this area, for failing to complete standards related to intrusion detection and incident response, as well as a lack of consistency in applying standards and adhering to security policies among many government departments.
Paul Rummell, a former CIO with the Treasury Board who now works as a consultant with EDS, said the government will continue to be challenged by IT security until a central authority is established.
“You need a single agency that’s accountable for policy and operations,” he said. “Right now it’s divided across Treasury Board, RCMP and the (Canadian Security Establishment).”
A Treasury Board Secretariat official told ITBusiness.ca two years ago that it was in the final stages of a government-wide IT security review that would allow departments to better interoperate in the event of a crisis. It also said its guidelines would be consistent with international standards bodies.
The Auditor General’s report singled out several departments as lagging behind in three key areas of IT security under the revised Government Security Policy and Management of Information Technology (MITS) standard.
The report noted, for example, that while the National Parole Board has recently started a project to review its IT security policies, senior management at both Social Development Canada and Fisheries and Oceans Canada haven’t approved these policies.
As a result of its internal audit, however, Social Development made a similar recommendation, said David Beach, the department’s director of IT security. Social Development’s internal audit branch conducted its own audit of IT security between 2003 and 2004.
Since the publication of its internal audit, Social Development has set up a new policy coordination shop within systems which focuses on arranging for corporate consolidation acceptance of all IT policies, Beach said.
“It would be a mistake for anybody to think the policies aren’t there,” he added. “In terms of the process to get them blessed at the most senior department levels and promulgated to all the employees who will need to know them for their various job functions, we think that process has just gotten a lot easier with the setting up of this different policy shop.”
Since the 2002 Auditor-General report, Fisheries and Oceans Canada has been working on a $6 million, four-year plan called the IT security enhancement project. To date, there are 11 final drafts of policies that cover a wide range of IT security, including policies on threat assessment, wireless technologies and configuration of personal computers.
Christopher Seifried, department director of technology services, said these policies will be approved within this calendar year.
“The departmental senior management knows that IT security is important, or it wouldn’t have approved the $6-million dollar project,” Seifried said, adding that while management recognizes the importance of the project, the department has to worry about a plethora of issues ranging from accessible waterways to serving a sustainable fishery. “There are so many important priorities that departmental management has to deal with all the time that it’s hard to get on their agenda.
“Now that the drafting and consultation is over, it’s going to be more of a formality to get these policies on the agenda of the departmental management and have them approved.”
In search of funding
But Seifried admits this process could have started earlier than April 2004.
“I think we could have started a year earlier, but there were a lot of other important projects that were seeking the same funding,” he said.
Fisheries and Oceans sought funding for the project through the major capital fund, a special fund provided by the government of Canada to departments for specific types of investments to build or secure assets.
However, Seifried pointed out that while the department historically received $10 million, in recent years it’s only been getting $6 million every four years.
Neil Thomlinson, a professor in the School of Politics and Public Administration at Ryerson University, said the government’s IT security problems may be traced to a lack of financial investment.
“The solution is, they’ve got to put more money into it,” he said. “The taxpayers are going to be bleating about, ‘Don’t you ever dare hire an additional public servant ever, in this lifetime,’” he said. “They don’t ‘want to see any more waste and sloth in government, but somehow we want them to deliver a flawless mechanism for information control.”
Support for CSOs
The report also found that Industry Canada, Social Development and Fisheries and Oceans had varying degrees of compliance with regulations that require them to define roles of their security officers, in particular for IT security.
Seifried says this recommendation is something he’s acknowledged himself within his department.
“We read that recommendation as a signal that we should build on that relationship,” said Seifried. “We accept that and we’ll improve it.”
To address this, Social Development set up an IT security governance committee two years ago, which meets quarterly, to address horizontal departmental IT security issues, said Beach.
Rummell said security may need more support at the top as well within departments.
“The chief information officer should have a chief security officer side by side with them,” he said. “Many private sector organizations now have chief security officers that are in strategic positions in their organizations that are reporting alongside the CIOs.”
Lastly, the Government Security Policy requires that departments and agencies certify and accredit any new or modified system or application before it is used. Organizations also need to sign off of the system or app to certify that all risk assessment requirements have been met.
While it found that Social Development has developed a project life-cycle model that includes certifying and accrediting systems and apps under development, IT security isn’t always taken into consideration at the outset.
Beach said that’s probably true, noting that Social Development and the Human Resource Development Council are comprised of between 27,000 to 30,000 employees.
“As with any bureaucracy of any size, it happens. The reality is we do have mechanisms to catch things later on in the process like project review committees and expenditure review committees.
“We’re slowly but surely able to move most if not all of the IT organizations and business organizations to come up and talk to us right up front.”
Beach added that the situation is comparable to when someone goes out to buy a Mercedes, for example, doesn’t watch it roll off the assembly line and then decides to put an airbag in.
National Parole Board spokesperson John Vandoremalen said the Board is currently working on two projects to address these issues that will be completed by the end of fiscal year 2005, ending March 31. The Board will be supplying a plan on these projects to the Treasury Board in June.
“We accepted the report already,” said Vandoremalen. “We knew there were areas we were shy in. We knew there were things we’re going to have to focus on and things we’re going to have to do. It’s a question of lining up the necessary resources to do that.”
The first project is a conditional release system (CRS), which is currently undergoing risk assessment and will have certification and accreditation conducted on it as well.
“Up to now we’ve been riding with (Correctional Services Canada) on what’s known as the offender management system, which is being revised by correctional services,” said Vandoremalen. “The Board took the opportunity to design its own system that suited our needs.”
The other project is called the Pardon Application Documentation System (PADS), which the Board started one year ago.
“That’s basically looking at the whole government security policy,” said Vandoremalen. “We’re trying to identify the ones that the Board is particularly weak on.
Earlier this year the government announced a plan to deal with IT security threats by creating the Canadian Cyber Incident Response Centre and creating a partnership program that would see Microsoft Canada act as an advisor.
Key contacts from the Microsoft side include its chief security advisor and privacy compliance officer, John Weigelt, the former senior director of IT security and PKI at Treasury Board Secretariat. In previous interviews with ITBusiness.ca, Weigelt had said government was working hard to move on the recommendations in Fraser’s 2002 report by working more collaboratively with the CSE, Canadian Security Intelligence Service and the RCMP. This is still going on, he said, and goes hand in hand with Microsoft’s own recommended security strategies.
“They’re looking at the defence in depth,” Weigelt said in a telephone interview from the RSA security conference in Las Vegas. “It’s a combined, multi-disciplinary program that’s required.”
Weigelt said his recent experience at the Treasury Board (he joined Microsoft last year) would serve him well now that the government is a client.
“That comprehensive view across the spectrum of solutions is something that I can bring back to Microsoft to say, ‘This is how Canada does it,’ and provide that to other government customers around the world,” he said.
Weigelt refused to comment on how specific departments might better manage IT security or create a culture of security policy compliance.
Comment: [email protected]