Audit of IT Security

Internal Audit Report

378-1-275

May 9, 2012

Executive Summary

Background

Correctional Service Canada’s (CSC) 2011-2014 Risk-Based Audit Plan (RBAP) identified IT Security as an area of moderate risk and requires that an audit of Information Technology (IT) Security be completed in 2011-2012. The purpose of this audit was to assess CSC’s IT Security capabilities primarily in the areas of incident detection and incident response. The audit objectives were two-fold, to:

  • assess the adequacy of CSC’s current approach to ensure the protection of IT systems, data and IT services from accidental or deliberate threats to confidentiality; and
  • assess the adequacy of CSC’s current approach to respond to deliberate or accidental threats to confidentiality, integrity or availability of IT systems, data or IT services.

To achieve these objectives, the audit team included consultants hired for their IT expertise. The team reviewed documentation, policies, procedures, and logs. It interviewed CSC IT staff and conducted ‘active testing’ that was modeled after high-profile security incidents experienced by the Government of Canada in 2010, including vulnerability testing and social engineering.

A glossary of terms is available in Annex D.

Conclusion

The results of the audit indicate that overall, CSC has an IT security management framework, with supporting procedures and technology for IT security incident detection and response. Specifically:

  • CSC policies and procedures are consistent with TB policies;
  • Comprehensive and functional technology investments in incident detection and prevention have been made in many areas of the CSC IT network;
  • CSC’s IT Operations and IT Security groups recognise the need for, and have developed and follow some incident management practices; and
  • CSC receives and generates vulnerability and threat intelligence.

Recommendations have been made in the report to address these areas for improvement. Management has reviewed and agrees with the findings contained in this report and a Management Action Plan has been developed to address the recommendations (see Annex E).

Statement of assurance

This mandate was conducted at a moderate level of assurance.

In my professional judgment as Chief Audit Executive, sufficient and appropriate audit procedures have been conducted and evidence gathered to support the accuracy of the opinion provided and contained in this report. The opinion is based on a comparison of the conditions, as they existed at the time, against pre-established audit criteria that were agreed on with management. The opinion is applicable only to the area examined. The evidence was gathered in compliance with Treasury Board policy, directives and standards on internal audit and the procedures used meet the professional standards of the Institute of Internal Auditors. The evidence gathered was sufficient to provide senior management with proof of the opinion derived from the internal audit.


__________________________________  Date: __________________
Sylvie Soucy,
Chief Audit Executive

1.0 Introduction

Background

CSC’s 2011-2014 Risk-Based Audit Plan (RBAP) identified IT Security as an area of moderate audit priority. The RBAP requires that an audit of IT Security be completed in 2011-2012 with the objective of providing reasonable assurance that the processes in place throughout CSC are efficient, effective, and meet regulations.

The Treasury Board (TB) Policy on Government Security states that “government security is the assurance that information, assets and service are protected against compromise. The extent to which government can ensure its own security, directly affects its ability to ensure the continued delivery of services that contribute to the health, safety, economic well-being and security of Canadians.”1

The TB Operational Security Standard: Management of Information Technology Security (MITS) then “defines the baseline security requirements that federal departments must fulfill to ensure the security of information and information technology (IT) assets under their control.”2 Baseline requirements include such matters as IT Security policy, defined roles and responsibilities, incident management, and vulnerability management. MITS identifies IT security as “an integral part of continuous program and service delivery. To avoid the loss of service and trust that IT security breaches can cause, departments need to view IT security as a business imperative; a service enabler.”3

The MITS standard further details that “IT continues to rapidly advance in support of greater interconnectedness and improved service delivery. At the same time, the number and potential severity of threats, vulnerabilities and incidents similarly increase. Departments need to be aware of this evolving environment, and understand how to manage their IT security programs in order to respond.”4

MITS identifies that in order for departments to protect information and ensure service delivery, they must continuously monitor system performance to rapidly detect:

  • attempts (failed or successful) to gain unauthorized access to a system, or to bypass security mechanisms;
  • unauthorized probes or scans to identify system vulnerabilities;
  • unplanned disruption of systems or services;
  • denial-of-service attacks;
  • unauthorized changes to system hardware, firmware, or software; and
  • system performance anomalies and known attack signatures.5

CSC Background

The IT security environment changed at CSC when the Government of Canada announced the creation of Shared Services Canada (SSC) on August 4, 2011. This entity will assume responsibility for some of the IT activities at CSC. As a result, all resources associated with the delivery of email, data and network services will be transferred to SSC, which will have a significant HR and financial impact on CSC. It will also affect the manner in which IT security is managed within the department.

IT Security at CSC

CSC’s Information Management Services (IMS) is led by the Chief Information Officer, who reports to the Senior Deputy Commissioner, and has responsibility for the overall information management and information technology framework. IMS comprises seven divisions, one of which is IT Security.

CSC’s IT Security division, which is led by a Director of IT Security, oversees the security of electronic information and assets that are stored, processed or transmitted on computer and telecommunications systems. IT Security is devoted to implementing, and ensuring adherence to, the technology security requirements of the business and the standards, policies and procedures set by the Government of Canada.

Shared Services Canada (SSC)

On August 4, 2011, the federal government announced the creation of SSC, which is charged with cutting overall government IT costs by rolling more than 100 e-mail systems into one and more than 300 data centres into 20 across 44 federal departments. Shared Services Canada has effectively assumed the role of service provider for CSC and is mandated to provide technical and personnel resources to support CSC’s IT needs within common services. This mandate includes a portion of the IT Security domain, where SSC will provide the operational IT Security services while departments will maintain a business and oversight responsibility.

2.0 Audit Objectives and Scope

2.1 Audit Objectives

The audit objectives were to:

  • assess the adequacy of the current approach taken by CSC to ensure the protection of IT systems, data and IT services from accidental or deliberate threats to confidentiality; and
  • assess the adequacy of the current approach taken by CSC to respond to deliberate or accidental threats to confidentiality, integrity or availability of IT systems, data or IT services.

Specific criteria related to each of the objectives are included in Annex A.

2.2 Audit Scope

The audit was national in scope and included the common network infrastructure, internet gateways, and regional users in the audit tests. It focused on the IT infrastructure, in particular the CSC network environment, and included an examination of controls pertaining to incident detection and response, quality checks to verify technical incident detection capabilities, and a review of the existence and consistency of governance and operational practices in the area of incident response.

For the purposes of this audit, examination of incident detection and response was considered within the following elements: governance of IT security, IT operations at CSC and CSC’s technical capabilities within IT security.

The audit did not include CSC’s applications and services (such as the Offender Management System, Messaging, the Human Resource Management System, etc.). The audit focused on the overall capability of CSC to detect and respond to deliberate or accidental threats to the infrastructure supporting its IT systems.

The timeframe for the audit’s examination phase was January – February 2012.

3.0 Audit Approach and Methodology

The approach taken on this audit included a combination of interviews with CSC IT Security Division and SSC IT Operations staff, reviews of documentation, detailed testing and walkthroughs of systems.

Section 1210.A1 of the Institute of Internal Auditors Professional Practices Framework (PPF) states that “the Chief Audit Executive should obtain competent advice and assistance if the internal audit staff lacks the knowledge, skills, or other competencies needed to perform all or part of the engagement.”6 Due to the technical expertise required to successfully execute the audit of IT Security and to ensure that it was conducted with proficiency and due professional care, the Internal Audit group contracted a third-party expert consultant to conduct the audit on its behalf.


1 TB Policy on Government Security, section 3.1,
http://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=16578&section=text

2 TB Operational Security Standard: MITS, section 1,
http://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=12328&section=text

3 TB Operational Security Standard: MITS, section 4,
http://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=12328&section=text

4 TB Operational Security Standard: MITS, section 4,
http://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=12328&section=text

5 TB Operational Security Standard: MITS, section 17,
http://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=12328&section=text

6 IIA Professional Practices Framework, section 1210