Audit of the Management of Information Technology Security

Project Number 6B206
Audit report
October 26, 2011

List of acronyms

CCG – Canadian Coast Guard
CIO – Chief Information Officer
DFO – Department of Fisheries and Oceans
DSP – Departmental Security Plan
ITS – Information Technology Security
ITSC – IT Security Coordinator
MAF – Management Accountability Framework
MITS – Management of Information Technology Security (the standards)
PKI – Public Key Infrastructure
TBS – Treasury Board Secretariat
TRA – Threat and Risk Assessment

1.0 Executive Summary

Effective Management of Security and Business Continuity are management priorities against which the Department is assessed in the Treasury Board Secretariat (TBS) Management Accountability Framework (MAF). The Department must also comply with the Management of Information Technology Security (MITS) standards which require an audit of Information Technology (IT) security every five years.

The overall audit objective was to assess the adequacy and effectiveness of the control framework in place to support information technology security within DFO, and the compliance with relevant governmental and departmental policies and guidelines on IT security.

The audit examined and assessed the responsibilities for, and the management of, security of information technology within DFO, including the Canadian Coast Guard (CCG). Compliance to governmental policies and standards such as the TBS Policy on Government Security and MITS was assessed.

While the overall management control framework governing the Department’s management of information technology security has evolved greatly in recent years, there remain a number of areas for which improvements were identified. The following summarizes the audit findings and areas for improvement with respect to IT Security.

IT Security Planning - An IT Security Plan is in place with a focus on improving compliance with MITS and identifying IT projects for funding. The Department is currently developing a Departmental Security Plan to comply with the TBS Directive on Departmental Security Management. The Department has until June 30, 2012 to comply with the Directive.

IT Security Monitoring and Reporting - A performance measurement framework has not been finalized. As a result, the Department is not in a position to monitor the performance of its IT security program beyond compliance to MITS, incident management and security in application development. A mature performance measurement framework would enable the measuring and monitoring of the performance of the IT Security Program, including its effectiveness, as well as identify any gaps or security control issues requiring attention.

IT Organization - There is a lack of documented roles and responsibilities between the Chief Information Officer (CIO), Departmental Security Officer, Canadian Coast Guard IT Security Coordinator and the Departmental IT Security Coordinator, which may result in unclear accountabilities and authority. This could lead to duplication of efforts or gaps in security coverage, rendering the IT security program inefficient and ineffective. A Memorandum of Understanding is currently being drafted to define the roles and responsibilities as well as the lines of communication between the CCG IT Security Coordinator, DFO IT Security Coordinator, CIO and Departmental Security Officer.

Authorization and Access Control - The audit identified opportunities for improvement related to technical safeguards to ensure the confidentiality, integrity and availability of IT systems and related information.

Security Training and Awareness - The audit revealed that the mandatory security awareness training is not being monitored to ensure that all new employees are receiving the mandatory training within six months of their effective date of employment.

Electronic Communication and Storage of Information - Our tests revealed inconsistencies in the storage and transmission of classified and protected data. Based on a review of practices in place within the Department, routine monitoring of storage and transmission of protected data is not conducted to ensure compliance to governmental and departmental policies and standards.

Incident Response and Recovery - DFO does not have a departmental documented process to test backups and restoration procedures regularly to ensure that data can be recovered effectively and within the expected timeframe. Also, the Department does not have a documented standard for backup requirements of tape storage lifecycle (e.g., daily, weekly, monthly, annually).

Incident Detection - The audit identified opportunities for improvement in the monitoring of detective controls.

2.0 Introduction

2.1 Background

Information technology (IT) continues to rapidly advance and, at the same time, the number and potential severity of threats, vulnerabilities and incidents similarly increase. Departments need to be aware of this evolving environment and manage their IT security program in order to be able to respond. An effective IT security program combines people, processes and technologies. Senior managers, program and service delivery managers, security personnel, IT operational personnel, human resources personnel and other stakeholders should work together in a concerted manner to achieve a high level of IT security.

According to the Treasury Board Secretariat (TBS) Operational Security Standard: Management of Information Technology Security (MITS), IT security should be seen as an integral part of continuous program and service delivery, a business imperative and a “service enabler.” The MITS standard defines the baseline security requirements that federal departments must fulfil to ensure the security of information and information technology (IT) assets under their control.

The effective management of security and business continuity is one of the management priorities identified by the TBS and is included in the Management Accountability Framework (MAF) assessment (Area of Management: Effective Management of Security). Since receiving a rating of “Attention Required” in the 2007 MAF assessment (round V), the Department has made continuous improvements in the area of IT Security resulting in the Department receiving an “Acceptable” rating in the 2009 (round VII) and 2010 (round VIII) MAF assessments.

After a 2005 audit of the security program conducted by the Internal Audit Directorate, it was determined that a Departmental Threat and Risk Assessment (TRA) was needed to identify high risk security processes, procedures and classes of facilities. An IT and Departmental TRA was prepared in 2008 and served as a firm foundation on which the Department prioritized security issues and risks and developed related mitigation strategies. The last IT corporate risk profile done in 2007 rated the risks of compromised security and business continuity as medium.

Description of the Management Framework

The DFO Information Technology Security (ITS) Program Framework is based on the Treasury Board policies and was implemented in 2008. The program framework outlines the overall approach to effective management of information technology security processes/procedures that are necessary to protect the Department’s valuable IT assets against harm from either internal or external threats.
 
Some specific physical and personnel controls are important facets of security and are within the purview of the Departmental Security Officer. These controls include, for example, employee security screening or physical access to the buildings. Accordingly, they are described in more detail in the DFO Safety and Security Policy and Accountability Framework document.

In order to enable risk-tolerable execution of the departmental programs, DFO has developed this framework around which the ITS Program is implemented. The following diagram illustrates the ITS Program Framework.

Diagram of the DFO IT Security Governance

2.2 Objectives and Scope

The overall audit objective was to assess the adequacy and effectiveness of the control framework in place to support information technology security within DFO, and the compliance with relevant governmental and departmental policies and guidelines on IT security.

The audit examined and assessed the responsibilities for, and the management of, security of information technology within DFO (including the Canadian Coast Guard). Compliance with governmental policies and standards such as the TBS Policy on Government Security and Operational Security Standard: Management of Information Technology Security (MITS) was assessed.

The following are the lines of enquiry used by the audit team to complete the conduct phase of the audit engagement:

  • Line of Enquiry 1: The IT security framework is well established and consistent with governmental and departmental policies and guidelines. It includes a planning process and continuous monitoring.
  • Line of Enquiry 2: The roles and responsibilities for IT security are well established, consistent with policy requirements and efficient.
  • Line of Enquiry 3: The security of information technology systems (hardware, network and software) is appropriately managed.
  • Line of Enquiry 4: Key IT security management controls or technical safeguards ensure that IT assets and information are protected and support the secure and uninterrupted delivery of DFO services.

2.3 Statement of Assurance

Sufficient and appropriate audit procedures have been conducted and evidence gathered to support the accuracy of the opinion provided and contained in this report. The extent of the examination was planned to provide a reasonable level of assurance with respect to the audit criteria. The opinion is based on a comparison of the conditions, as they existed at the time, against pre-established audit criteria that were agreed on with management. The opinion is applicable only to the entity examined and within the scope described herein. The evidence was gathered in compliance with Treasury Board policy, directives and standards on internal audit, and the procedures used meet the professional standards of the Institute of Internal Auditors. The evidence gathered was sufficient to provide senior management with proof of the opinion derived from the internal audit.

2.4 Audit Approach

The audit team carried out its mandate in accordance with Government of Canada internal audit standards, as set out in the TBS Policy on Internal Audit. The approach included the following activities:

  • Risk Assessment – As per the Internal Audit Standards, a risk assessment was conducted as part of the preliminary survey in order to help define the audit direction.
  • Terms of Reference – They were vetted with the Departmental Audit Committee, endorsed by the Chief Information Officer, the Commissioner of the CCG and the Departmental Security Officer before being signed by the Assistant Deputy Minister of Human Resources and Corporate Services.
  • Document Review – A detailed document review was conducted in both the planning and conduct phases, with the document review being more directed during the conduct phase as the audit team identified specific documentation requirements.
  • Interviews – The audit team conducted interviews with departmental management in the Information Management and Technical Services (IM&TS) Sector, the Integrated Technical Services Branch within CCG, and the Safety and Security Branch within the Human Resources and Corporate Services Sector.
  • Compliance Testing – Tests were conducted to assess compliance to selected Management of IT Security (MITS) Standard criteria. Also, a sample of six IT applications was selected to assess the IT security of DFO and CCG systems.
  • Site visits – The audit team visited the Maritime and Quebec regions during the conduct phase.
  • Internal Quality Assurance and Improvement Program – The entire working paper file covering all aspects of the internal audit engagement was reviewed and approved by the Internal Audit Directorate’s quality assurance function.

The audit referenced control frameworks such as the Control Objectives for Information and related Technology (CobiT), the Information Systems Audit and Control Association (ISACA) IT Standards, Guidelines and Tools and Techniques for Audit and Assurance and Control Professionals, and the TBS Information Technology Security Audit Guide.

3.0 Observations and Recommendations

The overall management control framework governing the Department’s management of information technology security has evolved greatly in recent years. In particular, the IM&TS sector has made great strides to implement and continually improve on the IT security program, as demonstrated by the continued improvement in MAF ratings for IT security. Opportunities for improvement were identified in the areas of IT security planning, monitoring, IT organization, authorization and access control, security training and awareness, electronic communication and storage of information, and incident response and detection.

3.1 IT Security Planning

An IT Security Plan is in place with a focus on improving compliance with MITS and identifying IT priorities. The Department is currently developing a Departmental Security Plan to comply with the TBS Directive on Departmental Security Management. The Department has until June 30, 2012 to comply with the Directive.

Recommendation:

1. It is recommended that the Departmental Security Officer work with the Information Technology Security Coordinators to develop a Departmental Security Plan that integrates the IT Security Plan to comply with the requirements outlined in the Directive on Departmental Security Management.

3.2 IT Security Monitoring and Reporting

The draft IM&TS Strategy dated May 2010 indicated that a performance measurement framework with related measures applicable to all of DFO, including the CCG, will be developed for internal and external reporting requirements (e.g., MAF). A draft performance measurement framework was subsequently presented for discussion at an Informatics Steering Committee meeting held on January 14, 2011.

As this performance measurement framework has not been finalized, the Department is not in a position to monitor the performance of its IT security program beyond compliance to MITS, incident management and security in application development. A mature performance measurement framework would enable the measuring and monitoring of the performance of the IT Security Program, including its effectiveness, as well as identify any gaps or security control issues requiring attention.

Recommendation:

2. It is recommended that the Chief Information Officer continue to work on finalizing the development of the performance measurement framework and related key performance indicators and ensure that the framework also defines the monitoring and reporting requirements.

3.3 Information Technology Organization

There are two IT Security Coordinators (ITSC) within DFO. There is a departmental ITSC, and the Canadian Coast Guard (CCG) has appointed its own ITSC. While the departmental ITSC reports to the Chief Information Officer (CIO) and has a functional reporting relationship to the Departmental Security Officer, the functional linkage between the Departmental Security Officer, the CIO and the CCG ITSC has not been clearly defined.

The lack of documented roles and responsibilities between the CIO, Departmental Security Officer, CCG ITSC and Departmental ITSC may result in unclear accountabilities and authority. This could lead to duplication of efforts or gaps in security coverage, rendering the IT security program inefficient and ineffective. A Memorandum of Understanding is currently being drafted to define the roles and responsibilities as well as the lines of communication between the CCG IT Security Coordinator, DFO IT Security Coordinator, CIO and Departmental Security Officer.

Recommendation:

3. The Assistant Deputy Minister – Human Resources and Corporate Services should ensure that the roles, responsibilities and accountabilities for security, including IT security, between the Departmental Security Officer, the IT Security Coordinator and the Canadian Coast Guard IT Security Coordinator are clearly defined and documented. The reporting relationship of both IT Security Coordinators to the Departmental Security Officer should also be defined and documented.

3.4 Authorization and Access Control

The TBS Operational Security Standard: Management of Information Technology Security (MITS) section 16.4.3 for Authorization and Access Control under section 16.4 Technical Safeguards states that departments must restrict IT and information access to individuals who have been screened and authorized, have been identified and authenticated, and have a “need to know.” Departments must keep access to the minimum required for individuals to perform their duties (i.e., the least-privilege principle), and ensure that they are regularly updated to accurately reflect the current responsibilities of the individual. Departments must withdraw access privileges from individuals (including students, contractors or others with short-term access) who leave the organization, and revise access privileges when individuals move to jobs that don’t require the same level of access.

The audit identified opportunities for improvement related to technical safeguards to ensure the confidentiality, integrity and availability of IT systems and related information.

Recommendations:

4. The Assistant Deputy Minister – Human Resources and Corporate Services should review current procedures to ensure that business owners are aware of and fulfil their responsibilities regarding access to information technology resources.

5. The Chief Information Officer should review current processes as well as roles and responsibilities, and implement a consistent approach for monitoring and managing user access to ensure that authorization and access to information technology resources are appropriately managed.
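The MITS 16.4.3 requirements quoted above (least privilege, withdrawal of access on departure or expiry of short-term access, revision of access on job change) translate directly into a periodic access-review check. The following is an added example, not the Department's own tooling: the role baseline, record layouts and sample data are constructed for illustration, and the 90-day review interval is an assumption.

```python
"""Periodic user-access review against the MITS 16.4.3 requirements.

Added illustration, not DFO's tooling: ROLE_BASELINE, the record layouts
and the sample data are constructed; the 90-day review interval is assumed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Constructed least-privilege baseline: the minimum each role needs to do its job.
ROLE_BASELINE: Dict[str, Set[str]] = {
    "fisheries-officer": {"email", "ekme-read"},
    "finance-clerk": {"email", "ekme-read", "sap-ar"},
    "db-admin": {"email", "ekme-read", "db-admin", "server-login"},
}


@dataclass
class Person:
    """One HR record. end_date is set for students, contractors and other short-term access."""
    uid: str
    role: str
    status: str                      # "active", "moved" (changed jobs) or "departed"
    end_date: Optional[date] = None


@dataclass
class Account:
    """One IT account: the privileges granted and the date of its last access review."""
    uid: str
    privileges: Set[str]
    last_reviewed: date


Finding = Tuple[str, str]  # (code, detail)


def review_access(people: List[Person], accounts: List[Account],
                  today: date, review_days: int = 90) -> Dict[str, List[Finding]]:
    """Return, per account uid, the MITS 16.4.3 findings that require action."""
    by_uid = {p.uid: p for p in people}
    findings: Dict[str, List[Finding]] = {}
    for acct in accounts:
        issues: List[Finding] = []
        person = by_uid.get(acct.uid)
        if person is None:
            issues.append(("ORPHAN", "account has no matching HR record"))
        elif person.status == "departed":
            issues.append(("DEPARTED", "access not withdrawn after departure"))
        elif person.end_date is not None and person.end_date < today:
            issues.append(("EXPIRED", f"short-term access ended {person.end_date}"))
        else:
            # Least privilege: anything beyond the role baseline must be justified or removed.
            excess = acct.privileges - ROLE_BASELINE.get(person.role, set())
            if excess:
                code = "NOT_REVISED_ON_MOVE" if person.status == "moved" else "EXCESS_PRIVILEGE"
                issues.append((code, f"privileges beyond role baseline: {sorted(excess)}"))
        # Access must be regularly updated; flag accounts nobody has reviewed recently.
        if (today - acct.last_reviewed).days > review_days:
            issues.append(("STALE_REVIEW", f"last reviewed {acct.last_reviewed}"))
        if issues:
            findings[acct.uid] = issues
    return findings


def sample_review(today: date = date(2011, 10, 26)) -> Dict[str, List[Finding]]:
    """Run the review over a constructed HR extract and account list."""
    people = [
        Person("alice", "fisheries-officer", "active"),
        Person("bob", "finance-clerk", "departed"),
        # carol moved from db-admin to fisheries-officer; her account was never revised.
        Person("carol", "fisheries-officer", "moved"),
        # dan is a contractor whose engagement ended before the review date.
        Person("dan", "finance-clerk", "active", end_date=date(2011, 9, 30)),
    ]
    accounts = [
        Account("alice", {"email", "ekme-read"}, date(2011, 9, 1)),
        Account("bob", {"email", "ekme-read", "sap-ar"}, date(2011, 9, 1)),
        Account("carol", {"email", "ekme-read", "db-admin", "server-login"}, date(2011, 9, 1)),
        Account("dan", {"email", "ekme-read", "sap-ar"}, date(2011, 3, 1)),
        Account("eve", {"email"}, date(2011, 10, 1)),  # no HR record at all
    ]
    return review_access(people, accounts, today)


if __name__ == "__main__":
    for uid, issues in sample_review().items():
        for code, detail in issues:
            print(f"{uid}: {code} - {detail}")
```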

3.5 Security Training and Awareness

DFO offers security awareness sessions to all new hires. It is mandatory for new hires to register for this session within 6 months of their start date. It is also advised that employees retake this session once every three years to remain up to date on current safety and security concerns.

The audit team obtained a list from Human Resources of all new hires for 2010. A random selection of 20 new employees who have been employed in the Department for more than 6 months (including term, indeterminate and casual) was drawn to determine whether they have taken the mandatory security awareness session. The names were given to Human Resources Management Security (PeopleSoft Technical Analyst) and the Security Officers within the Safety and Security Branch to confirm if the selected individuals had taken the awareness session. The test revealed that only 2 of the 20 employees had taken the awareness session.

Recommendation:

6. The Assistant Deputy Minister – Human Resources and Corporate Services should establish a process whereby Human Resources notifies the Departmental Security Officer of new hires to allow Safety and Security to monitor and track security awareness training within the Department. The process should also include informing sector heads of staff that have not completed the mandatory awareness training within the required timeframe.
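The tracking process recommended above can be expressed as a simple reconciliation of the Human Resources new-hire list against training completion records, applying the rules stated in this section (session required within 6 months of the start date, refresh advised every three years) and grouping overdue staff by sector for the sector heads. This is an added example, not the Department's process; the record layouts and sample data are constructed.

```python
"""Monitoring mandatory security awareness training for new hires.

Added example, not DFO's own process. Rules as stated in the report:
the session is required within 6 months of the start date and a refresh
is advised every three years. Record layouts and sample data are constructed.
"""
from collections import defaultdict
from datetime import date
from typing import Dict, List, Optional, Tuple

Hire = Tuple[str, str, date]  # (uid, sector, start_date) - constructed layout


def add_months(d: date, months: int) -> date:
    """Shift d by a number of months, clamping the day to the end of the target month."""
    month_index = d.month - 1 + months
    year, month = d.year + month_index // 12, month_index % 12 + 1
    next_month = date(year + (month == 12), month % 12 + 1, 1)
    days_in_month = (next_month - date(year, month, 1)).days
    return date(year, month, min(d.day, days_in_month))


def training_status(hires: List[Hire], completions: Dict[str, date],
                    today: date) -> Dict[str, str]:
    """Classify each hire as compliant, pending, overdue or refresh-due."""
    status: Dict[str, str] = {}
    for uid, _sector, start in hires:
        done: Optional[date] = completions.get(uid)
        if done is None:
            deadline = add_months(start, 6)
            status[uid] = "pending" if today <= deadline else "overdue"
        elif add_months(done, 36) < today:
            status[uid] = "refresh-due"
        else:
            status[uid] = "compliant"
    return status


def sector_report(hires: List[Hire], completions: Dict[str, date],
                  today: date) -> Dict[str, List[str]]:
    """Overdue staff grouped by sector, for notification of sector heads."""
    status = training_status(hires, completions, today)
    report: Dict[str, List[str]] = defaultdict(list)
    for uid, sector, _start in hires:
        if status[uid] == "overdue":
            report[sector].append(uid)
    return {sector: sorted(uids) for sector, uids in report.items()}


# Constructed sample data, evaluated as of the report date.
SAMPLE_TODAY = date(2011, 10, 26)
SAMPLE_HIRES: List[Hire] = [
    ("u1", "CCG", date(2010, 2, 1)),
    ("u2", "Science", date(2010, 3, 10)),
    ("u3", "Science", date(2011, 7, 1)),
    ("u4", "Corporate", date(2008, 1, 15)),
    ("u5", "CCG", date(2010, 8, 31)),  # deadline clamps to Feb. 28, 2011
]
SAMPLE_COMPLETIONS: Dict[str, date] = {
    "u1": date(2010, 5, 15),
    "u4": date(2008, 4, 1),  # more than three years ago: refresh advised
}

if __name__ == "__main__":
    print(training_status(SAMPLE_HIRES, SAMPLE_COMPLETIONS, SAMPLE_TODAY))
    print(sector_report(SAMPLE_HIRES, SAMPLE_COMPLETIONS, SAMPLE_TODAY))
```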

3.6 Electronic Communication and Storage of Information

The Department’s network, DFONet, is a “Protected A” network. The DFO IT Security Branch Guide – Proper Handling & Storage of Sensitive Information states that “Protected B” information may be stored on the network if additional safeguards are used such as encryption. For transmission of “Protected B” data, users are required to encrypt the data using Public Key Infrastructure (PKI) services. A Public Key Infrastructure protects privacy by ensuring that electronic communications are not intercepted and read or altered by unauthorized persons.

Our tests revealed inconsistencies in the storage and transmission of classified and protected data. According to the MITS standard, the IT Security Coordinator must monitor departmental compliance with the standard and associated documentation. Based on a review of practices in place within the Department, routine monitoring of the storage and transmission of protected data is not conducted to ensure compliance with governmental and departmental policies and standards.

Recommendations:

7. The Assistant Deputy Minister – Human Resources and Corporate Services should develop and implement a process for performing random monitoring of electronic communications and information stored on the Electronic Knowledge Management Environment (EKME) and the DFO network, and report to the sector heads and regional directors general on the results of the monitoring in their sector or region.

8. The Assistant Deputy Minister – Human Resources and Corporate Services should ensure that sector heads and regional directors general are aware of the importance of, and their responsibilities for, the proper communication and storage of protected and classified information.

3.7 Incident Response and Recovery

DFO does not have a departmental documented process to test backups and restoration procedures regularly to ensure that data can be recovered effectively and within the expected timeframe. Also, the Department does not have a documented standard for backup requirements of tape storage lifecycle (e.g., daily, weekly, monthly, annually).

In 2010, DFO reviewed the Department’s decentralized backup processes and began an initiative to centralize the backup procedures in the National Capital Region. The Department is implementing a phased approach to centralizing backups and, at the time of the audit, the exercise had not been completed. As a result, there are some regions and offices that house and operate their own systems, and still maintain ownership and responsibility for conducting and maintaining a backup and restoration process.

Recommendation:

9. The Chief Information Officer should continue to develop and implement a department-wide data recovery standard documenting the requirements for backups and restore testing procedures that address the requirements of the MITS standard, and consider additional requirements and/or differences for backup and restore testing on mission critical systems.

3.8 Incident Detection

As has been highlighted by the recent public disclosures of successful executive spear-phishing attacks against multiple federal government departments, information security programs need to include a balance of both preventive controls and detective controls. 

Preventive controls are those technologies or procedures that are designed to prevent an attacker or an unauthorized user from performing unintended activities. Detective controls are those technologies and techniques that are used to detect and notify IT representatives of inappropriate activity, indicative of an attack in progress.

The preference is to prevent malicious hacking attempts prior to a digital attacker entering the Department’s information technology systems by using preventive controls. However, the reality is that information security programs need to adapt to an era where it is likely that persistent, highly skilled and highly motivated attackers will be able to eventually gain some level of access to departmental computer systems. In such an environment, the Department needs automated, real-time capabilities to detect attackers or malicious employees that are accessing unauthorized information resources.

The audit identified opportunities for improvement in the area of incident detection.

Recommendation:

10. The Chief Information Officer should ensure that the perimeter and internal technical safeguards are adequate to meet the security needs of the Department.

4.0 Conclusion

The IM&TS sector has made great strides in recent years to implement and continually improve on the IT security program as demonstrated by the continued improvement in MAF ratings for IT security.

Given the recent IT security threats, IT security will remain a key concern for federal government departments. As new threats present themselves and departments work to adapt to these threats, departments must ensure that IT security decisions are made based on risk and on sound cost/benefit analyses in order to ensure that their strategies are cost effective.

Overall, it is evident that much work has been done to improve the adequacy and effectiveness of the control framework governing the Department’s management of information technology security. However, the observations presented in this report demonstrate that there are opportunities for improvement in the areas of planning, monitoring, training and awareness, incident response and performance measurement. The audit recommendations should contribute to further improving the control framework for the management of IT security at DFO.

5.0 Management Action Plan

Recommendations Management Action-Plan Status Report Update
Actions Completed Actions Outstanding Target Date
1. It is recommended that the Departmental Security Officer work with the Information Technology Security Coordinators to develop a Departmental Security Plan that integrates the IT Security Plan to comply with the requirements outlined in the Directive on Departmental Security Management.

The Departmental Security Officer will work with the Information Technology Security Coordinators to ensure that the Information Technology Security Plan will be included in the Departmental Security Plan.

 

Engagement of consultant to develop Departmental Security Plan.

Sept. 30, 2011

Development of Departmental Security Plan.

June 30, 2012

2. It is recommended that the Chief Information Officer continue to work on finalizing the development of the performance measurement framework and related key performance indicators and ensure that the framework also defines the monitoring and reporting requirements.

Information Management and Technology Services defined its Performance Measurement Strategy and continues to work on its implementation, within resources availability.

Performance Measurement Strategy submitted to Evaluation in December for review.

Performance Measurement Strategy presented at Informatics Steering Committee.

Established Key Performance Indicators Working Group.

Adopt the client-facing Performance Measurement Strategy for Information Management and Technology Services.

June 30, 2011

Key Performance Indicators Working Group will:

• Design Initial client-facing Key Performance Indicators;

• Identify Key Performance Indicators owners; and

• Present to governance and implement.

Sept. 30, 2011

3. The Assistant Deputy Minister - Human Resources and Corporate Services should ensure that the roles, responsibilities and accountabilities for security, including IT security, between the Departmental Security Officer, the IT Security Coordinator and the Canadian Coast Guard IT Security Coordinator are clearly defined and documented. The reporting relationship of both IT Security Coordinators to the Departmental Security Officer should also be defined and documented.

The Safety and Security Policy and Accountability Framework will be updated to ensure that the roles, responsibilities and accountabilities for security, including Information Technology security between the Departmental Security Officer, the Information Technology Security Coordinator and the Canadian Coast Guard Information Technology Security Coordinator are clearly defined and documented. As well, the reporting relationship of both Information Technology Security Coordinators to the Departmental Security Officer will be defined.

 

Action on this item was delayed, pending the arrival of the new Departmental Security Officer (May 2, 2011). Work on updating this document began this summer (2011).

March 31, 2012

4. The Assistant Deputy Minister - Human Resources and Corporate Services should review current procedures to ensure that business owners are aware of and fulfil their responsibilities regarding access to information technology resources.

Through the National Employee Departure Form Committee, meetings with stakeholders take place to discuss lessons learned, ensure continuous improvement of the National Employee Departure Form, and address regional issues in relation to the Form. The proper notification of business owners will be addressed at these meetings.

Briefing Notes, which were signed by Directors General of Human Resources and Corporate Services, were forwarded to responsibility center managers through In The Loop.

E-mails were sent to managers in Sept. 2010 to remind them of their responsibilities as business owners and to ensure that they were aware of the process relating to employee departure.

The National Departure Form Committee will be reconvened to assess the success of the National Employee Departure Form and make changes as necessary.

Sept. 30, 2011

Develop a process to help and monitor follow-up action.

Dec. 31, 2011

5. The Chief Information Officer should review current processes as well as roles and responsibilities, and implement a consistent approach for monitoring and managing user access to ensure that authorization and access to information technology resources are appropriately managed.

Datacentre will align itself to the Departmental Security Officer procedure.

Database, application specific and standalone systems not managed by Datacentre will be the responsibility of the asset/application owners.

Task Based Informatics Professional Services completed with three of four contractors onsite. PM anticipated June 1st.

Phase I assessment completed.

Governance schedule:

June - Information Management and Technology Services Management Committee

July - Informatics Steering Committee, Regional Informatics Coordinating Committee

Dec. 15, 2011

Phase II testing

10,800 workstations and 800 servers in 327 sites require modifications

May 30, 2011

Rollout plan

June 30, 2011

Target % conversion timelines estimated to be: 30%

July 31, 2011

Target % conversion timelines estimated to be: 60%

Sept. 30, 2011

Target % conversion timelines estimated to be: 90%

Dec. 31, 2011

6. The Assistant Deputy Minister - Human Resources and Corporate Services should establish a process whereby Human Resources notifies the Departmental Security Officer of new hires to allow Safety and Security to monitor and track security awareness training within the Department. The process should also include informing sector heads of staff that have not completed the mandatory awareness training within the required timeframe.

Safety and Security will work with Human Resources staff to develop a process to track, monitor and report on new staff who have completed mandatory security training.

 

Develop a communication plan to advise employees of the requirement to complete security awareness training.

Sept. 30, 2011

Develop a process and tools to track, monitor and report on new staff who have completed mandatory security training.

Nov. 30, 2011

Develop a process to ensure that sector heads are advised of newly hired employees that have not yet received security awareness training.

Nov. 30, 2011

Implement the process in the Department.

Jan. 30, 2012

7. The Assistant Deputy Minister - Human Resources and Corporate Services should develop and implement a process for performing random monitoring of electronic communications and information stored on the Electronic Knowledge Management Environment (EKME) and the DFO network and report to sector heads and regional directors general on the results of the monitoring in their sector or region.

As part of its ongoing delivery of Information Technology Services, Information Management and Technology Services has the ability to evaluate the level of sensitivity of information processed and stored on departmental IT assets. Although Information Management and Technology Services has the ability to monitor these transactions, an employee's reasonable expectation of privacy must be respected.

Within these legal boundaries, Information Management and Technology Services will develop and implement automated procedures to randomly monitor electronic communications and information stored on EKME and the DFO network, in line with the Policy on Information Management.

Registered Personal Information Bank (RDA Number: 98/001 Bank Number: PSE 922).

Information regarding requirements for classification, storage and transmission of electronic information is included in existing training and awareness material.

Develop and test monitoring scripts. (Target date: March 31, 2011)

Implement new procedure. (Target date: May 31, 2011)

8. The Assistant Deputy Minister - Human Resources and Corporate Services should ensure that sector heads and regional directors general are aware of the importance of, and their responsibilities for, the proper communication and storage of protected and classified information.

Awareness material and tools will be developed to respond to the recommendation.

Awareness and training will be provided to targeted users based on findings from network and database monitoring.

An online Departmental Security Awareness Training tool is now available to all departmental employees. A notice to all employees was sent via In The Loop on Feb. 11, 2011.

The Information Technology Security Awareness Action Plan has been developed.

Supporting material specific to groups of employees with similar responsibilities has been delivered (Legal and Audit groups - more to come).

Action plan developed and approved on Oct. 28, 2010.

Master Presentations developed for all employees and specialized awareness content and tools.

Metrics being tracked to monitor progress and usage of the Departmental Online Security Awareness by DFO employees.

Memo from the Assistant Deputy Minister - Human Resources and Corporate Services sent to Departmental Management Board members to remind them about the importance of, and their responsibilities for, the proper communication and storage of protected and classified information. (Target date: June 30, 2011)

Implement activities-based plan for Information Technology Security Awareness:
- Ongoing promotion of Departmental Online Security Awareness (Ongoing);
- Presentations of Departmental Online Security Awareness to groups of employees (Target date: June 2011);
- Client-oriented presentations (Target date: Sept. 2011); and
- Government of Canada Security Awareness Week (Target date: Feb. 2012).

9. The Chief Information Officer should continue to develop and implement a department-wide data recovery standard documenting the requirements for backups and restore testing procedures that address the requirements of the MITS standard, and consider additional requirements and/or differences for backup and restore testing on mission critical systems.

Datacentre has implemented standard backup schedules that are customizable by data value and application importance. Datacentre will apply any business requirement to backups upon notification from the application and data owners.

Restore testing is carried out on a daily basis today; however, further testing by specific application/client is available upon request.

The standard national backup software is implemented in all three Class A Data Centres.

Datacentre will complete the rollout and implementation of a standardized backup solution. (Target date: March 31, 2012)

10. The Chief Information Officer should ensure that the perimeter and internal technical safeguards are adequate to meet the security needs of the Department.

Information Management and Technology Services will validate the technical safeguard requirements and implement any recommended additions.

Activity monitoring of perimeter and internal security logs is ongoing.

Validation of requirements completed.

Procurement of resources/systems. (Target date: Sep. 30, 2011)

Implementation of resources/systems. (Target date: Dec. 31, 2011)

Validation of efficacy of changes. (Target date: March 31, 2012)