One year after the Office of the Auditor General of Canada (OAG) released its report on information technology security, the Treasury Board Secretariat is undertaking measures to reduce inconsistencies identified in the report by reviewing plans from over 100 departments and agencies.
“The OAG saw a great deal of inconsistency in the departments,” said Pierre Boucher, senior director, enterprise architecture and standards, Treasury Board. “That’s what we’re trying to tackle at the moment. We’re trying to make sure that there’s a consistent implementation of IT security policy within each of the departments.”
Last year, Auditor General Sheila Fraser and her team criticized the Treasury Board for a lack of consistency in applying the Management of Information Technology Security (MITS) standard and the revised Government Security Policy. While Fraser noted increased involvement and commitment to IT security from agencies and departments, she stated in her report, “…the government has much work to do to translate its policies and standards into consistent, cost-effective practices that will result in a more secure IT environment in departments and agencies.”
A spokesperson for the OAG said it is the department’s policy not to comment between reports.
In its response, the Treasury Board, which typically leads policy development in this area, asked each department to provide it with a detailed compliance action plan by last August to show how they intend to comply with the requirements in the MITS standard. Departments and agencies have until the end of 2006 to be 100 per cent compliant. The Treasury Board is currently auditing and following up with each department’s CIO to ensure what they’ve said they’re doing is taking place.
John Weigelt, former senior director of IT security and PKI at the Treasury Board (he currently works for Microsoft), said that during his time with the government his department developed a roadmap for the standards process, starting with the Government Security Policy and moving down to the MITS standard. But Weigelt said standards are just a piece of paper if they aren’t acted on.
“Standards without projects or activities to implement them simply take up shelf space,” he said. “Standardization is a great way for consistency across the board.”
To improve consistency across the government, Boucher said he and other department officials recognize the importance of integrating IT security with business needs. That’s why the Treasury Board is working with top department executives to make sure that they understand these requirements and embed them in their practices and language.
“The security guys are called in at the 11th hour before the system goes live,” said Boucher, describing a common scenario. “It’s too late by that time to re-engineer some of the things that have been done. That’s why we’re working with the business owners to make sure they understand the implications of not doing proper security.”
Brian Bourne, president of the security consulting firm CMS Consulting Inc., said organizations in both the private and public sectors need to think about IT security throughout the product lifecycle and not at the last moment.
“It’s always cheaper to do it right the first time,” said Bourne, who is a co-founder of the security user group Toronto Area Security Klatch (TASK), which holds regular meetings to discuss security issues. “That’s the strong message that’s not necessarily talked about enough. Far too often there’s a security budget and an IT budget.”
Likewise, Christopher Seifried, director of IT sustainability for Fisheries and Oceans Canada, said the best defense against threats is an educated workforce, something his department is working towards to ensure a cohesive security strategy.
“Awareness gives you the best protection,” he said. “What really counts is creating a broad culture of security.”
The department is working the MITS requirements into its ongoing $6 million, four-year plan called the IT security enhancement project.
Similarly, David Beach, director of IT security for Service Canada, an initiative within Human Resources and Skills Development Canada (HRSDC), said his department’s plan calls for it to be MITS-compliant ahead of the December 2006 deadline.
“There are things that we need to finalize before the December ’06 deadline and our action plan talks about how we’re going to be doing that,” said Beach, adding that he couldn’t get into specifics because of security concerns. But he did say that, as one of the largest departments, with approximately 28,000 employees, “we have an important part to play working with Treasury Board and other departments working towards the horizontalization of IT security across the government.”
Consistency aside, risk assessment has also been an ongoing concern of the Treasury Board, which in 2004 surveyed more than 90 departments, finding that only one out of the 46 that responded met all of the basic requirements.
“We wanted to make sure they have the right processes internally to assess risk adequately in terms of the systems that they are implementing,” said Boucher.
The survey also found that 35 per cent of departments did not have a policy requiring threat and risk assessments. Despite efforts by the Treasury Board such as the publication of the Integrated Risk Management Framework, many departments aren’t utilizing these resources to help improve IT security, according to the report.
The report did, however, find that many departments and agencies have carried out vulnerability assessments of their information systems. But those assessments enumerate weaknesses without determining which of them could actually be exploited, the report went on to say. Because of the evolving nature of security threats, making that determination is not always an easy feat.
“We cannot control all the threats,” said Boucher. “We cannot control all the systems. But what we certainly can control is the way by which we respond to that changing environment.”