Canadian federal departments say they are already taking steps to address the concerns raised in a report from Auditor General Sheila Fraser to improve the IT security of mission-critical systems.
A report released last month follows up on a review of the public sector’s IT security policies and practices from 2002. In the latest report, Fraser and her team criticize the Treasury Board Secretariat, which typically leads policy development in this area, for failing to complete standards related to intrusion detection and incident response, as well as a lack of consistency in applying standards and adhering to security policies among many government departments.
Paul Rummell, a former CIO with the Treasury Board who now works as a consultant with EDS, said the government will continue to be challenged by IT security until a central authority is established.
“You need a single agency that’s accountable for policy and operations,” he said. “Right now it’s divided across Treasury Board, RCMP and the (Canadian Security Establishment).”
A Treasury Board Secretariat official told Computing Canada two years ago it was in the final stages of a government-wide IT security review that would allow departments to work better together in the event of a crisis. It also said its guidelines would be consistent with those of international standards bodies.
AG singles out departments
The Auditor General’s report singled out several departments as lagging behind in three key areas of IT security under the revised Government Security Policy and Management of Information Technology (MITS) standard.
The report noted, for example, that while the National Parole Board has recently started a project to review its IT security policies, senior management at both Social Development Canada and Fisheries and Oceans Canada haven’t approved these policies.
As a result of its internal audit, however, Social Development made a similar recommendation, said David Beach, the department’s director of IT security. Social Development conducted its own audit of IT security in 2003 and 2004.
Since the publication of its internal audit, Social Development has set up a new policy co-ordination shop within systems which focuses on arranging for corporate consolidation acceptance of all IT policies, Beach said.
“It would be a mistake for anybody to think the policies aren’t there,” he added. “In terms of the process to get them blessed at the most senior department levels and promulgated to all the employees who will need to know them for their various job functions, we think that process has just gotten a lot easier with the setting up of this different policy shop.”
Since the 2002 Auditor-General report, Fisheries and Oceans Canada has been working on a $6-million, four-year plan called the IT security enhancement project. To date, there are 11 final drafts of policies that cover a wide range of IT security, including policies on threat assessment, wireless technologies and configuration of personal computers.
Christopher Seifried, the department’s director of technology services, said these policies will be approved within this calendar year.
“The departmental senior management knows that IT security is important or it wouldn’t have approved the $6-million dollar project,” Seifried said, adding that while management recognizes the importance of the project, the department has to worry about a plethora of issues ranging from accessible waterways to serving a sustainable fishery. “There are so many important priorities that departmental management has to deal with all the time that it’s hard to get on their agenda.
“Now that the drafting and consultation is over, it’s going to be more of a formality to get these policies on the agenda of the departmental management and have them approved.”
Neil Thomlinson, a professor in the School of Politics and Public Administration at Ryerson University, said the government’s IT security problems may be traced to a lack of financial investment.
“The solution is they’ve got to put more money into it,” he said. “The taxpayers are going to be bleating about, ‘Don’t you ever dare hire an additional public servant ever in this lifetime,’” he said. “They don’t want to see any more waste and sloth in government, but somehow we want them to deliver a flawless mechanism for information control.”
The report also found that Industry Canada, Social Development and Fisheries and Oceans had varying degrees of compliance with regulations that require them to define roles of their security officers, in particular for IT security.