Internal Audit Report

Audit of Information Technology Security

Project 6B279
Date: December 9, 2016


1.0 EXECUTIVE SUMMARY

The objective of this audit was to provide assurance that the Department of Fisheries and Oceans Canada (DFO), including the Canadian Coast Guard (CCG), has an adequate and effective control framework in place to support information technology (IT) security. The scope of this audit included governance; human resources (HR) planning; IT security training and security awareness; IT security framework; and key IT security controls, including account management and patching. The CCG operational network and applications were included and a sample of systems was selected to gain an opinion on the IT Security of DFO systems. The audit also included follow-up on the recommendations from the 2011-2012 Internal Audit of the Management of IT Security. The Department’s Business Continuity Plan (BCP) and Physical Security were excluded from the scope of this audit, as an audit of BCP was conducted in 2010-11 and an audit of physical security is planned for 2017-18.

Why This is Important

IT security refers to the safeguards that preserve the confidentiality, integrity, availability, intended use, and value of electronically stored, processed, or transmitted information. IT security also includes the safeguards that are applied to the assets used to gather, process, and store, or destroy information electronically. DFO systems are becoming increasingly interconnected in order to better serve Canadians and businesses. The pervasive use of IT to process, store and transmit information coupled with the ever-increasing reliance on these interconnected systems and the pace at which IT is evolving exposes DFO to an array of IT security risks. These risks, along with the Department’s broad mandate, expose the organization’s people, information and assets to a number of internal and external threats.

Key Findings

The audit found that there are opportunities for improvement to ensure that DFO, including CCG, has an adequate and effective control framework in place to support information technology security. While governance structures do exist, IT security roles and responsibilities should be better documented to ensure the Department’s IT security program is being adequately and effectively managed. Although IT Security guidance is dated, updates are currently underway.

Opportunities exist to strengthen DFO’s IT security program by implementing improvements to the account management and patch management processes and ensuring that IT security threats and risks are regularly assessed and monitored. There are processes and procedures in place for managing and monitoring applications’ user access; [redacted].

[redacted]

Conclusion

The audit identified a need for improvement in terms of the governance and controls over IT security to strengthen the effectiveness of the control framework in place and to ensure key security measures are taken to protect departmental systems.

Management Response

Management is in agreement with the audit findings, has accepted the recommendations included in this report, and has developed a management action plan to address them. The management action plan has been integrated in this report.

Approvals

The internal audit report for the Audit of Information Technology Security was presented at the Departmental Audit Committee on December 9, 2016. The report was recommended for approval by the Departmental Audit Committee and approved by the Deputy Minister.

2.0 BACKGROUND

Information Technology (IT) security refers to the safeguards that preserve the confidentiality, integrity, availability, intended use, and value of electronically stored, processed, or transmitted information. IT security also includes the safeguards that are applied to the assets used to gather, process, and store, or destroy information electronically. As the Department, including the CCG, faces important and increasing risks related to IT security, this subject area was assessed as high risk during the annual audit planning process and subsequently, an audit of IT Security was included in the multi-year Risk-based Audit Plan 2016 to 2019.

Currently, the Government of Canada (GC) is standardizing, consolidating, and re-engineering the way it does business internally. As part of the GC’s Strategy for IT Modernization, Shared Services Canada (SSC) was established in 2011 to maintain and improve IT service delivery, generate savings, and implement government-wide solutions that are modern, reliable and secure. IT security governance has become inherently more complex, as it is now a shared responsibility between SSC and the Department of Fisheries and Oceans Canada (DFO). SSC is responsible for DFO’s perimeter defense, network management, storage management, and server provisioning, with the exception of the Canadian Coast Guard’s (CCG) operational network. DFO, including CCG, remains responsible for the management of desktops, databases and applications.

The Department’s systems are becoming increasingly interconnected in order to better serve Canadians and businesses. The extensive use of IT to process, store and transmit information coupled with the ever-increasing interconnectedness of IT systems, the reliance on these systems, and the pace at which IT is evolving, exposes DFO to a vast array of IT security risks. These risks along with the Department’s broad mandate expose the organization’s people, information and assets to a number of external and internal threats. [redacted]

The DFO IT Security Program aims to protect the confidentiality, integrity and availability of information and IT assets through technical and non-technical means, consistent with DFO's mandate, GC legislation, regulations and policies. As such, the Chief Information Officer (CIO) and the Departmental Security Officer (DSO) work together to ensure that appropriate security controls are applied to all departmental records, IM/IT assets, activities and processes. The expected results of the IT Security Program are to adopt a systematic and consistent approach to the planning, operation and monitoring of internal IT security activities, and to promote employee awareness of their IT security obligations.

3.0 AUDIT OBJECTIVE

The objective of this audit was to provide assurance that the Department of Fisheries and Oceans Canada (DFO), including the Canadian Coast Guard (CCG), has an adequate and effective control framework in place to support information technology (IT) security.

4.0 AUDIT SCOPE

The scope of this audit included governance; human resources (HR) planning; IT security training and security awareness; IT security framework; and key IT security controls, including account management and patching. The CCG operational network and applications were included and a sample of systems was selected to gain an opinion on the IT Security of DFO systems. The Department’s Business Continuity Plan (BCP) and Physical Security were excluded from the scope of this audit, as an audit of BCP was conducted in 2010-11 and an audit of physical security is planned for 2017-18.

The audit also included a follow-up on the recommendations from the 2011-2012 Internal Audit of the Management of IT Security, to determine the extent to which corrective actions had been implemented. The 2011-12 audit examined compliance with governmental policies and standards such as the Treasury Board (TB) Policy on Government Security (PGS) and the Operational Security Standard on the Management of Information Technology Security (MITS). There were ten recommendations, which covered the following areas: IT Security Planning, Monitoring and Reporting, IT Governance, Authorization and Access Control, Security Training and Awareness, Electronic Communication and Storage of Information, Incident Response and Recovery, and Incident Detection.

5.0 AUDIT APPROACH

The audit team carried out its mandate in accordance with Treasury Board’s Policy on Internal Audit and the Internal Audit Standards for the Government of Canada. The audit employed various techniques including a risk assessment of the audit entity, interviews, testing of key IT security controls, as well as review and analysis of documentation and information.

6.0 AUDIT FINDINGS

This section provides the observations and recommendations resulting from the audit work carried out. While the audit was conducted based on the lines of enquiry and audit criteria identified in the planning phase (see Appendix A), this report is structured along the following main themes:

  • Governance;
  • IT Security Framework;
  • IT Security Controls;
  • Monitoring and Reporting; and
  • IT Security Training.

Based on the audit work performed and our professional judgment, the risk associated with each observation was rated using a three-point scale. The risk ranking (high, moderate, low) is based on the level of potential risk exposure we feel may have an impact on the achievement of Fisheries and Oceans Canada objectives, and is indicative of the priority management should give to the recommendations associated with that observation. The following criteria were used in determining the risk exposure:

Table 1: Risk ranking criteria

High
  • Controls are not in place or are inadequate.
  • Compliance with legislation and regulations is inadequate.
  • Important issues are identified that could negatively impact the achievement of program/operational objectives.

Moderate
  • Controls are in place but are not being sufficiently complied with.
  • Compliance with central agency/departmental policies and established procedures is inadequate.
  • Issues are identified that could negatively impact the efficiency and effectiveness of operations.

Low
  • Controls are in place but the level of compliance varies.
  • Compliance with central agency/departmental policies and established procedures varies.
  • Issues identified are less significant but opportunities that could enhance operations exist.

6.1 GOVERNANCE [redacted]

Governance is the combination of processes and structures implemented to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives. Governance contributes to the strategic direction, oversight, decision-making, and accountability for an organization to successfully meet its objectives. Oversight provides management with control over activities such as determining strategic direction, allocating appropriate resources, analyzing activities related to exposure to risk and determining suitable mitigation strategies.

Documented roles, responsibilities and accountabilities are out-of-date

We expected that departmental IT security roles, responsibilities and accountabilities would be clearly defined, documented and communicated.

The Policy on Government Security (PGS) states that deputy heads are accountable for the effective implementation and governance of security within their departments and share responsibility for security of government as a whole. The PGS also requires that departments appoint a Departmental Security Officer (DSO), who is functionally responsible to the deputy head or to the departmental executive committee to manage the departmental security program. The Operational Security Standard: Management of Information Technology Security (MITS) in turn requires that departments appoint an IT Security Coordinator (ITSC) with at least a functional reporting relationship to both the CIO and the DSO. The ITSC is responsible for establishing and managing a departmental IT security program as part of a coordinated departmental security program.

As per the DFO Policy on Departmental Safety, Security, and Emergency Management, the CIO is responsible for ensuring the effective and efficient management of the Department’s information and IT assets and all departmental common IT services. The CIO and DSO work together to ensure that appropriate security controls are applied to all departmental records, IM/IT assets, activities and processes. The Director, Desktop Engineering and IT Security, is the DFO ITSC and is responsible for departmental IT security. The DFO ITSC has a functional reporting relationship to the DSO and a line reporting relationship to the CIO. CCG also has an IT security group for the CCG operational network, within CCG’s Integrated Technical Services (ITS) Directorate, which has a functional reporting relationship to the DFO ITSC. The DFO ITSC is the point of contact in case of an incident and for communication with lead security agencies regarding government-wide incident response.

While key roles and responsibilities for IT security are documented in various governance documents, the audit found that these are either out of date or in draft format. Also, the 2011-2012 DFO Internal Audit of MITS recommended that the roles and responsibilities between CCG and DFO be clarified. Although a Memorandum of Understanding (MOU) was developed at the time, it was never approved. In addition, interviews confirmed the need to review and clarify the relationship between DFO Information Management and Technology Services (IM&TS) and CCG ITS in light of the Government of Canada IT Transformation. As a result, the DFO ITSC may be unable to fulfill his responsibilities in managing the departmental IT security program.

Furthermore, the Department is now dependent on Shared Services Canada (SSC) for its IT infrastructure, including the DFO network and servers, with the exception of the CCG operational network. The current DFO and SSC responsibilities, with the exception of the CCG operational network, are illustrated in Figure 1 below.

Figure 1, titled DFO and SSC Responsibilities, depicts Shared Services Canada (SSC) responsibilities, which include perimeter defense, network management, storage management, and server provisioning. DFO Security Management for Desktops and Applications is responsible for providing protection for DFO/CCG desktops and applications within the SSC perimeter. The source of the diagram is listed as the 2016 IM&TS Cybersecurity presentation to IM/IT-MB.

As a shared service provider and owner of a shared IT infrastructure relied upon by 43 partner organizations, SSC is expected to define its roles, responsibilities, and accountabilities toward its partner organizations. The Office of the Auditor General, in its Fall 2015 Audit of Information Technology Shared Services, identified the lack of Service Level Agreements (SLAs) and their monitoring as a weakness that needed to be addressed. Currently, there is no SLA for IT security between SSC and DFO and little documentation exists describing SSC and DFO IT Security roles and responsibilities.

Recommendation 1: It is recommended that the Assistant Deputy Minister, Human Resources and Corporate Services, in collaboration with CCG, assess, define and document clear IT security roles, responsibilities and accountabilities for key positions within DFO, including CCG, and SSC.

Management Response: The CIO, in collaboration with the DSO and in accordance with the new GC Security Policy and Directive, will define departmental IT security roles, responsibilities and accountabilities more clearly by:

  • Upgrading / updating the governance documents describing roles and responsibilities within DFO, including CCG;
  • Ensuring departmental IT Security is managed in accordance with GC policies and standards regardless of the location; and
  • Continuing to provide input, regarding IT Security related departmental mandates and requirements, into the partnership and engagement with Shared Services Canada (SSC).

Target Completion Date: March 2017

Departmental oversight bodies do not receive regular reports on IT Security

We expected that departmental oversight bodies for the management of IT security would be established and operating effectively.

The departmental governance structure in place for IT security comprises three main committees: the National Informatics Advisory Committee (NIAC), the Information Management and Information Technology (IM/IT) Management Board (IM/IT-MB) and the Safety, Security, and Emergency Management Oversight Committee (SSEMOC), as illustrated in Figure 2. The purpose of NIAC is to provide DFO sectors, regions and the CCG with a forum for the strategic management of IM/IT at an enterprise-wide level. NIAC previously reported to the Directors General Management Committee (DG-MC) and the Deputy’s Management Committee (DMC), but now reports to the IM/IT-MB. The IM/IT-MB is a senior decision-making body that was created in September 2015 and was initially chaired by the Associate Deputy Minister (Associate DM); it is now chaired by the Commissioner of CCG. NIAC and IM/IT-MB are now the key committees with IT security responsibilities; however, we found that documentation has not been updated to reflect this change. As such, there is a need for the new governance structure to be reflected in committee documentation, including the roles and responsibilities of these committees as they pertain to IT security.

Figure 2

Figure 2, titled Departmental Governance Structure for IT Security, shows that the Executive Table provides oversight for two committees with IT Security responsibilities: the Safety, Security and Emergency Management Oversight Committee (SSEMOC) which is chaired by an Associate DM and meets quarterly or at the call of the chair; and the Information Management Technology Management Board (IM/IT MB) which is chaired by the Commissioner, CCG and meets every 4-6 weeks or as required. The IM/IT MB oversees the National Informatics Advisory Committee (NIAC) which is chaired by the Chief Information Officer (CIO) & Information Management Senior Officer (IMSO) and meets monthly.

The Safety, Security, and Emergency Management Oversight Committee (SSEMOC) is a senior decision-making body chaired by the Associate DM and its membership includes the CIO. SSEMOC provides senior management oversight of all aspects of the departmental safety, security and emergency management (SSEM) programs, including IT security, to ensure alignment with government-wide policy and program direction, as well as alignment with departmental policy and program requirements.

Based on an analysis of committee documentation, the audit team found that the committees were meeting at the intended frequency and documenting decisions and follow up; however, IT security was rarely discussed at these committees. Given the significance of the risks associated with IT Security, a lack of oversight on IT security issues at senior governance committees could result in increased exposure to IT security vulnerabilities.

Recommendation 2: It is recommended that the Assistant Deputy Minister, Human Resources and Corporate Services, update the terms of reference of the key IT security governance committees to clarify their mandates and reporting relationships and ensure that regular discussion of IT security issues occurs at these governance committees.

Management Response: The Terms of Reference for NIAC and the IM/IT MB have been updated to ensure IT Security is being addressed by these committees. IM&TS will collaborate with the key IT security governance committees to update the terms of reference to ensure a more consistent alignment within their structures to the IT security related departmental mandates and requirements.

Target Completion Date: March 2017

6.2 IT SECURITY FRAMEWORK [redacted]

As per the Operational Security Standard on the Management of Information Technology Security (MITS), every department must have a departmental IT security policy based on the Treasury Board (TB) Policy on Government Security (PGS) and other related policies, standards and technical documentation. This policy can be a separate document or it can be policy statements within the departmental security policy. A departmental policy framework should enable IT security policies and practices based on their relevance to the Department, IT security risks and compliance with external requirements.

The departmental IT security framework is outdated [redacted]

We expected that departmental IT security policies, standards, directives and plans have been developed, are current, aligned with the government’s IT security framework, and well-communicated within the Department. The provision of enterprise-wide consistent, effective and secure IT security solutions requires a forum to provide IT security policies, directives and standards, advice on security products, and assessment of compliance with these standards and guidelines. Further, MITS compels all federal departments and agencies to develop an IT security management strategy that provides an overall framework for effective management of IT security processes and procedures.

We found that DFO policies are mostly in place and evidence shows that they are aligned with existing government policies and standards, and there was evidence of appropriate communication of existing DFO policy and standard documents to stakeholders. Most of these documents were issued several years ago and need considerable revision to make them current in terms of business and technical changes since they were last issued. IM&TS has begun the process of updating the DFO IT security policy and standard documents; however, they are not yet approved, due to the anticipated near-release of a new policy suite by TBS and DFO management’s desire to align with it once it is issued. [redacted]

At the time of the audit, the Departmental Safety, Security, and Emergency Management Plan (DSSEMP) was being approved, [redacted]. The DSSEMP includes a three-year action plan that will focus on mitigating the following key risks: Safety of Employees Risk, Security of Information Risk, Asset Risk and Critical Services Delivery Risk. The DSSEMP included input from program areas from across the organization and analysis of risk information collected through the Comprehensive Review of Safety, Security, and Emergency Management (SSEM) at the program, regional, and corporate levels. [redacted]

Recommendation 3: It is recommended that the Assistant Deputy Minister, Human Resources and Corporate Services, in collaboration with CCG, ensure that the DFO suite of IT security policies, directives and standards be updated [redacted].

Management Response: IT Security will upgrade / update the DFO IT policy suite, including the IT Security Incident Response, to better align with roles and responsibilities of the Safety & Security Branch and the development of the DSSEMP for all DFO incidents.

Target Completion Date: June 2017

[redacted]

[redacted]

Some IT security risks have been identified during the corporate risk management process, [redacted]. The Comprehensive Review of SSEM was recently presented at the Safety, Security, and Emergency Management Oversight Committee [redacted].

At the application level, the Department has in place a well-developed and mature risk management methodology. Departmental applications had been reviewed under the former Certification and Accreditation (C&A) process to determine the level of risks associated with the application and the controls that need to be applied to mitigate the risks. In addition, the IT Security Branch has been proactive in implementing the new ITSG-33 SA&A process. [redacted] DFO IT Security is also engaged in conducting reviews on the progress of the application owners in applying controls that are required to ensure systems security.

Recommendation 4: It is recommended that the Assistant Deputy Minister, Human Resources and Corporate Services, in collaboration with CCG, [redacted].

Management Response: [redacted] Collaborative roles, responsibilities and accountabilities definitions are required for the DFO IT Security Coordinator (ITSC), the Departmental Security Officer (DSO), and the CCG IT Security team. [redacted]

Target Completion Date: June 2017

6.3 IT SECURITY CONTROLS [redacted]

Account Management

Access Management is one of the Top 10 security actions in CSEC’s Top 10 IT Security Actions to Protect Government of Canada Internet-Connected Networks and Information. Access controls are security features that control how users and systems communicate and interact with other systems and resources. The DFO Security Directive on IT System Access requires that access to DFO IT Systems be limited to those individuals whose identity has been authenticated, who have at least Reliability security clearance status and who have a need to access the system.

'''''''''''''''''''' '''''''' '''''''''''''''''''' ''''''''''''''''''''''''' ''''''' '''''''''''' '''' ''''''''''''''''''''''' '''''''''''' ''''''''''''' ''''''''''''''''''''''

'''''' ''''''''''''''''' '''''' '''''''''''''''''''''' '''' ''''''''' ''''''''''''''''''''''''''' ''''''''''''''' ''''''''''''''''''''''' '''''''''''''''' ''''''''' '''''''''''' ''''''' ''''''''''''''''''''''''''''''' ''''''''''''''''' ''''''' ''''''''''''''''''''' ''''' '''' ''''''''''''' ''''''' '''''''''''''''''''' ''''''''''' ''''''''''''''' '''''''''''''' '''''''' '''''''''''''''''''' '''' ''''''''''''''''''' ''' ''''''''' ''''''''''''''' ''''' '''''''''''''''' '''''''''''''''' '''''''''''''''''' ''''''''''''' '''''''''''' ''''''''''''''' ''''''' ''''''''''''''''''''' ''''' '''''''''''''''' ''''''''''''''' '''''''' ''''''''' '''''''''''''''''''''''''''''' ''''''''''''''''' ''''''' '''''' '''''''''''' '''' ''''''''''''''' '''''''''''''''''''''''' '''''' '''''''''' '''''''' '''''''''' ''''' ''''''' '''''''''''''''''''' ''''''''''''''''' '''''' ''''''' ''''''''''''' ''''' '''' ''''''' ''''''''''''''''''' ''''''''''''''''' '''''''''''''''''''' ''''''' '''''''''''''''' ''''''' ''''''''' ''''''''''''''''''''''' '''''''' '''''''''''''''''''''''''''' '''''' '''''''''''' ''''''' ''''''' ''''''''' '''''''' ''''''''''''' '''' '''''''''''''''''''' ''''' ''''''''''''''''''' ''''''' ''''''''' ''''''''' '''''''''''''''' '''''''' '''''''''''''''''''' '''''' ''''''' ''' '''''''''' ''''''''''''''''' '''''' ''''''''' ''''''''''''''''' ''''''''''''''''' '''' ''''''''''''' '''''''''' '''''''''''''''''' ''''''''''''' ''''' '''' ''''''''''''''''' ''''''''''''''''' '''''' ''''''''''' '''''''''' '''' '''''''''''''''''' '''''''''' ''''''''''''' '''''' '''''''''' '''''''''''''''' '''''''''''''''''''

The IM&TS Account Management Process describes the safeguards that must be in place to ensure the confidentiality, integrity and availability of IT assets. The I&A Policy states that I&A mechanisms must be applied to the DFO Wide Area Network and Local Area Networks, especially for mission critical systems or applications. The DFO IT Security Access Control Policy indicates that data and system resource owners shall adhere to the principle of least privilege and when an individual leaves DFO, all IT access privileges shall be revoked immediately. The Policy also states that user access is granted based on users’ assigned tasks and responsibilities and all Access Control Lists (ACLs) shall be reviewed regularly to ensure that they meet the business requirements.

The draft DFO IT Security Operational Standard on Access Control establishes the baseline security requirements for controlling access to DFO IT Systems. Annex A of the draft Standard describes DFO account and password requirements; '''''''' '''''''''' '''''''''''''''''' ''''''''''' ''''''''' ''''''' ''''''''' '''''''''''''''' ''''''' ''''' '''''''' '''''''''' '''''''''''''''''' ''''''''''' ''''''''' ''''''' ''''''''' '''''''''''''''' ''''''' ''''' '''''''''''''''' '''''''''' ''''' '''''''''''''''''''''''' '''''''''''' '''''''''' ''''''''''''''''''' ''''''' '''''''''''''''''''''''' ''''''''''' '''''''''' ''''' ''''''''''''''''' ''''''' ''''''''''''' ''' '''''' '''''''''''''''''''' '''''''' ''''''''''''''''' '''''''''''''''''''''' '''' '''''''''' ''''''''''''''''''' ''''''' ''''''' '''''''''' ''''''''''''''' '''''''''''''''''''' ''''''''''''''''''' '''''''''''''''' ''''''''' '''''''' '''''''''''''''''''' '''''''''' '''''''''' ''''''''''''''''''''

'''''' '''''''''''''''' ''' ''''''''''''' '''' ''''''''''' ''''''''''''''''''' '''''''''''''''''''''''''''''' ''''''''''''''' ''''''''''''''''''''''' '''''''''''' and that any user or employee with administrative rights to the network must have and maintain a valid Secret security clearance. ''''''' ''''''''''''''''' ''''''''' ''''''''''' ''''''''''''''''''''''' ''''' '''''''''''''''' '''''''''''''''''''''''''' ''''''''''' ''''''''' '''''''''''''''''''' '''''''''''''''''' ''''''''''''''''''''''''''''' '''''' ''''''''' '''''''' '''''''''' '''''''' ''''''''' '''''''''' '''''''''''''''' '''''''''''''''''' '''''''''''''''''''''' ''''''' ''''''''' '''''' ''''' ''''' ''''''''''''''''''' '''''''''' ''''''''''' ''''' '''''''''''''''''' ''''''''''''''' '''' '''''''''''' ''''''''' ''''''''''' '''''''''''''''''' ''''''''''''' ''''''''''''''''' ''''''' '''''''''''''''''''''''''' ''''' ''''''' ''''''''''' '''''''''''''' ''''''''''''''' '''''''''''''''''''''''''''''''' '''''''' ''''''''' '''''''''''' ''''''''' '''''''''''''''' '''''''''' ''''''' '''''''''''''''''''' ''''''' ''''''''''''''''''''''' '''' ''''''''' '''''' ''''''''''''''''' ''''''' '''''''''''''''''''' '''''''''''''''''''''''' '''''''' ''''''''''''' ''''''''''' '''''''''''''''''' '''''' ''''''' '''''''''''''''''''' ''''''''''' ''''''''''''''''''''''''
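The requirements stated above (Reliability clearance as the minimum for any account, a valid Secret clearance for anyone with administrative rights, immediate revocation when an individual leaves, and regular review of access lists) can be checked mechanically by reconciling the account inventory against HR records. The following is an added illustration, not a script from the audit or from DFO; the data, the issue codes and the 90-day review cadence are constructed assumptions (the report only says "regularly").

```python
"""Account review check against the access-control requirements described in
the report: Reliability clearance as the minimum for any enabled account, a
valid Secret clearance for anyone with administrative rights, immediate
revocation when a person leaves, and regular review of access lists.

All data below is constructed for illustration; it is not DFO data.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Ordering of personnel security screening levels (higher number = higher level).
CLEARANCE_RANK = {"none": 0, "reliability": 1, "secret": 2, "top secret": 3}


@dataclass(frozen=True)
class Account:
    user_id: str
    enabled: bool
    admin: bool              # holds administrative rights on the network
    last_acl_review: date    # when this account's access-list entries were last reviewed


@dataclass(frozen=True)
class Person:
    user_id: str
    clearance: str
    departed_on: Optional[date]  # None while still employed


def review_accounts(accounts: List[Account], people: List[Person], today: date,
                    review_interval_days: int = 90) -> Dict[str, List[str]]:
    """Return {user_id: [issue codes]} for every account that violates a requirement.

    review_interval_days is an assumed review cadence, not a figure from the report.
    """
    people_by_id = {p.user_id: p for p in people}
    findings: Dict[str, List[str]] = {}

    def flag(user_id: str, code: str) -> None:
        findings.setdefault(user_id, []).append(code)

    for acct in accounts:
        person = people_by_id.get(acct.user_id)
        if person is None:
            # An account with no HR record cannot be tied to an authenticated individual.
            flag(acct.user_id, "ORPHAN_ACCOUNT")
            continue
        if acct.enabled and person.departed_on is not None and person.departed_on <= today:
            # Policy: all IT access privileges are revoked immediately on departure.
            flag(acct.user_id, "NOT_REVOKED_AFTER_DEPARTURE")
        rank = CLEARANCE_RANK.get(person.clearance.lower(), 0)
        if acct.enabled and rank < CLEARANCE_RANK["reliability"]:
            flag(acct.user_id, "BELOW_RELIABILITY")
        if acct.admin and rank < CLEARANCE_RANK["secret"]:
            # Administrative rights require a valid Secret clearance.
            flag(acct.user_id, "ADMIN_WITHOUT_SECRET")
        if acct.enabled and (today - acct.last_acl_review).days > review_interval_days:
            flag(acct.user_id, "ACL_REVIEW_OVERDUE")
    return findings


# Constructed sample input (not real accounts or people).
SAMPLE_ACCOUNTS = [
    Account("alice", True, False, date(2016, 11, 1)),
    Account("bob", True, False, date(2016, 11, 1)),    # left in October, still enabled
    Account("carol", True, True, date(2016, 11, 1)),   # admin holding only Reliability
    Account("dave", True, False, date(2016, 11, 1)),   # no matching HR record
    Account("erin", True, True, date(2016, 5, 1)),     # access list not reviewed since May
    Account("frank", False, False, date(2016, 1, 1)),  # departed and correctly disabled
]
SAMPLE_PEOPLE = [
    Person("alice", "Reliability", None),
    Person("bob", "Reliability", date(2016, 10, 15)),
    Person("carol", "Reliability", None),
    Person("erin", "Secret", None),
    Person("frank", "Secret", date(2016, 3, 1)),
]
REVIEW_DATE = date(2016, 12, 9)  # constructed review date

if __name__ == "__main__":
    results = review_accounts(SAMPLE_ACCOUNTS, SAMPLE_PEOPLE, REVIEW_DATE)
    for user, issues in sorted(results.items()):
        print(f"{user}: {', '.join(issues)}")
```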

'''''' '''''''''''''''' ''' ''''''''''''' '''' ''''''''''' ''''''''''''''''''' '''''''''''''''''''''''''''''' ''''''''''''''' ''''''''''''''''''''''' '''''''''''' '''''''''' '''''''' '''''''' ''''''' '''''''''''''''''''''''' '''''''''''''''' ''''' ''''''' '''' ''''''''''''''' '''''''''''''' '''''''''''' ''''' ''''''' ''''''''' ''''''''''''''''''''' ''''''''''''''''' '''''' ''''''''''''''' ''''''''''''' ''''''' ''''''''' ''''''''''' '''''''' '''''''''''''''' ''''''''' '''''''''' ''''' '''''''''''''''''''''''''' ''''''''''''''''''''''''' ''''' ''''''''''' ''''''''''''''''''''''' ''''''' ''''''''''''' '''''''' '''''''''''''''''''''''' ''''''''''''''' '''''''''' ''''''' ''''''''''''''' '''''''''' ''''''''' '''''''''''' '''''''' '''''''''''''''''' ''''''' '''''' ''''''' ''''''''''''' '''''''''''''' '''' '''''''''' ''''''''''''' '''''''''' ''''''' '''''''''''''''''''''' '''''''''''''' ''''''' '''''''''''''' ''''''' ''''''''''''''' '''' '''''''''''''''''''''''''' '''''''''''''''''' '''''''' ''''''''' ''''''' '''''''''''' '''' '''''''''' '''''''''''''''''' ''''''' ''''''''''''' '''''' '''''' '''' ''''''''''''''''''' ''''''''' '''''''' '''''' ''''''''''''''' ''''''''''''''''''' '''' '''''''''''''' '''''''' ''''''' ''''''''''''' '''''''''''''''' ''''''' ''''''' '''''''''''''''''''''''' '''''''''''''''''''''''''''' ''''''''''' '''''''' '''''''''''''''' '''''' '''''' '''''''''''' ''''' ''''''''''''''''''' ''''' ''' '''''''''''''' ''''''''' ''''''' ''''''''' ''''' '''''' '''' ''''''' '''''''''''''''''' '''''''''' '''''''' ''' ''''''''' ''''''''''''' '''''''''''''' ''''''''''''''''''' '''' '''''''''''''''''' '''''' ''''''''''' ''''''''' ''''''''''''''''''''''''' '''''''''''' ''''' ''''''' '''''''''''''' '''''''''''''''''''''''' '''' ''''''''''''''''''''' ''''' '''''' '''''''''' '''''''''''''''''''' '''''''''' ''''' '''''''' ''''''''''' ''''''''''''' '''''''' ''''' ''' ''''''''''''''''' '''''''''''''''''' '''''' '''''''' ''''''''''''''''''' ''''''' '''' '' ''''''''''''' '''''''''''''''' '''' '''''''''''''''''''' ''''''''''''' ''''''' ''''''''''''''''''''''''

'''''''''''''''''''''''''' '''''''''''''' '''''''' ''''''''''' '''' '''''''''''''''' ''''''''''''''''''''''' '''''''''''''''''' '''''''' ''''''''''''' ''''''''' ''''''''''' ''''''''''''''''''''''' '''''' ''''''''''

'''''' '''''''''''''''' ''' ''''''''''''' '''' '''''''''' ''''''''''''''''''''' ''''''''''''' ''''''''''' ''''''' ''''''''''''''''' '''' '''''''' ''' '''''''''''''''''''''' '''''''''' '''''''''' ''''''' ''''''''''''''' '''''''' ''''''' '''''''''' '''''' '''''''''''''''''''' '''''''''''''' ''''''''''''''' ''' ''''''''''' '''''''''''''' '''''''''''''''' '''' ''''''''''' ''''''' ''' ''''''''''''' ''''''''' '''' '''''' ''''''''''''''''''' ''''''''''''''''''' ''''''''''''''''''''' ''''''''''''''''''''' ''''''''''''' '''''' ''''''''' ''''''''''' ''''''''''''''''' ''''''''''''' ''''''''''''''''''' '''''' ''''''''''' ''''''' '''''''''''' ''''''''''''''''''' ''''''''''' ''''''' ''''''' ''''''''' ''''''' '''' ''''''' '''''''''''''''''' ''''''''''''''''''''''''''''' ''''''' '''' '''''' '''' '''''''''''''''''' '''' ''''''' ''''''''''' ''''''''''''''''''' ''''''''''''' ''''' ''''''' ''''''' '''''''''' ''''' '''''''''''''''''''''' '''''''''''''''' '''''''''''''''''' ''''''''''' '''' ''''''''''''''''' ''''''''''' ''' ''''' '''''''''''''''''' ''''''''' '''''' '''''' ''''' '''''''''''' ''''''''''''''''''' ''''''''''''' ''''''' '''''''''''''''' ''''''''' ''' ''''''' ''''''''''''''''''''''

Recommendation 5: It is recommended that the Assistant Deputy Minister, Human Resources and Corporate Services ensure that:

  1. access logs are reviewed on a regular basis;
  2. '''' '''''''''''''''''''''''' '''''''''''' '''''''''''' ''''''' '''''''''''''''''' ''''' '''''' ''''''''''''''''' ''''''''''''''''''''''''''''
  3. ''''''''''''''''''''' '''''''''''''' '''''''''''''' ''''''' '''''''''''''''''''''''''' ''''''' '''''''''''''''''''''''''''''' ''''''' ''''''''''''''''' '''''''''' '''''''
  4. ''''''''''''''''''''''''' ''''''' ''''''''''''''''''' ''''''''''' ''''''''' ''''''' '''''''''''''''''''''''' ''''''''''''''' '''''''''''''''''' ''''''''''

Management Response: ''''''' ''''''' ''''''' '''''''''''''''''''''' '''''''''''''''' ''''''' '''''''''''''' ''''''''''''' ''''''''''''''''' '''''''''''''''' ''''''' ''''''''''''''''''''''''' ''''''' '''''''''''''''''''' ''''' ''''''''''' ''''''''''''' The CIO will update the DFO IT security policies, directives and standards related to Identification & Authentication and Access Control.

Target Completion Date: March 2017

Patch Management

Patch management is a set of processes executed within the Department to manage the incremental fixes and patches to production systems. Software suppliers release patches to address vulnerabilities in their software as they are discovered. Patching operating systems and applications is one of the top 10 security actions in CSEC’s Top 10 IT Security Actions to Protect Government of Canada Internet-Connected Networks and Information. '''' ''''''''''' '''''''''''''''''''''''''' '''''''''''' ''''''' '''''''''''''''''' '''''''''''''''' ''''''''''''''' '''''''''' '''' ''''' '''''''''''''' '''' ''' '''''''''''' '''''''''''''' ''''''''''' '''''' ''''' '''''''''''''''''' ''''''''''' ''''''''''''''''''''''''''' ''''''''''''''

''''''' '''''''''' ''''''''''''''''''''''' '''''''''''''' ''' '''''' '''''''''''''''''''' ''''' ''' ''''''''''''' ''''''''''

''''''' ''''''''''''''''' ''''''''' '''''''''''' '''''''''''''''''''''''''' '''''' '''''''''' '''''''''' '''''''''''''''''''''' ''''''' '''''''''''''''''' '''''''''''''' ''' ''''''''''''''''''''''''''' ''''''' ''''''''''''''''''''''''' ''''''' ''''''''''''''' ''''''''''''''''''''' ''' ''''''''''''''''''''' ''''''''''''''''''' '''''''' '''''''''''''''''''''' '''''''''' ''''''''''''''''''''''''''' '''''''''''''' '''''''''''''''' ''''''''''''''''''''' ''''''' '''''''''''''''' '''' '''''' '''''''''''' ''''''''''' ''''' ''' '''''''''''''' ''''''''' '''' ''''''''''''' ''''''''' '''''' '''''''''''''''''''''''' '''''''''' '''''''''''''''''''''''''' '''''''''''''' '''' '''''''''''''''''''''''''''' ''''' '''''''''''''''''' ''' ''''''''''''''' ''''''' '''''''' ''''''''''''''''''''' '''''''''''''''''' ''''''' '''''''''''''''' ''''''''''' ''''''''''''''''''''' ''''''' ''''''''''''''''' ''''''''' '''''''''''' '''''''''''''''''''''''''' '''''' '''''''''' '''''''''' '''''''''''''''''''''' ''''''' '''''''''''''''''' '''''''''''''' ''' ''''''''''''''''''''''''''' ''''''' ''''''''''''''''''''''''' ''''''' ''''''''''''''' '''''''''''''''''''''

DFO has a documented patch management process for the Windows Operating System and Core Desktop Software which is the responsibility of Desktop Engineering within DFO. This group receives notifications through the Government of Canada Computer Incident Response Team when a patch has been issued for any DFO Standard Software. Once received, Desktop Engineering follows a standard process of recording the patch in a patch log, then testing and implementing the patch. They are able to monitor desktop patches using SCCM, which can track the percentage of computers that have implemented the patches. In addition, the overall effectiveness of the patch management process can be monitored using the patch tracking log.
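The process just described (record the patch in a log on notification, test it, implement it, then track deployment coverage through SCCM) leaves a patch tracking log from which the effectiveness of the process can be measured. The check below is an added illustration, not a tool used by Desktop Engineering or DFO; the log format, the 30-day deployment target and the 95% coverage threshold are constructed assumptions.

```python
"""Effectiveness check over a patch tracking log of the kind the report
describes: each patch is recorded when the notification arrives, then tested,
then implemented, and deployment coverage is tracked as a percentage of
computers.

The log format, sample rows, deployment target and coverage threshold below
are constructed for illustration; they are not the Department's.
"""
import csv
import io
from datetime import date
from typing import Dict, List, Optional

# Assumed targets, not figures from the report.
DEPLOY_TARGET_DAYS = 30
COVERAGE_TARGET_PCT = 95.0

# Constructed CSV in the shape of a patch tracking log (not DFO's format or data).
SAMPLE_PATCH_LOG = """\
patch_id,product,received,tested,implemented,coverage_pct
P-001,Windows OS,2016-09-13,2016-09-20,2016-09-27,98.5
P-002,Core Desktop App,2016-10-11,,2016-10-14,97.0
P-003,Windows OS,2016-10-11,2016-10-18,2016-11-22,99.1
P-004,Core Desktop App,2016-11-08,2016-11-10,2016-11-15,81.3
P-005,Windows OS,2016-11-08,,,
"""


def _parse_date(text: str) -> Optional[date]:
    """Empty cells in the log mean the step has not happened yet."""
    return date.fromisoformat(text) if text else None


def check_patch_log(csv_text: str, today: date,
                    deploy_target_days: int = DEPLOY_TARGET_DAYS,
                    coverage_target: float = COVERAGE_TARGET_PCT) -> Dict[str, List[str]]:
    """Return {patch_id: [issue codes]} for every log entry that breaks the process."""
    findings: Dict[str, List[str]] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        issues: List[str] = []
        received = _parse_date(row["received"])
        tested = _parse_date(row["tested"])
        implemented = _parse_date(row["implemented"])
        if received is None:
            issues.append("NO_RECEIPT_RECORD")
        if implemented is not None and tested is None:
            # The standard process tests before implementing; a missing test record is a gap.
            issues.append("IMPLEMENTED_WITHOUT_TEST_RECORD")
        if implemented is not None and tested is not None and implemented < tested:
            issues.append("IMPLEMENTED_BEFORE_TEST")
        if received is not None:
            if implemented is not None and (implemented - received).days > deploy_target_days:
                issues.append("DEPLOYED_LATE")
            if implemented is None and (today - received).days > deploy_target_days:
                issues.append("OVERDUE")
        if implemented is not None and row["coverage_pct"]:
            # Coverage is the SCCM-reported percentage of computers with the patch applied.
            if float(row["coverage_pct"]) < coverage_target:
                issues.append("COVERAGE_BELOW_TARGET")
        if issues:
            findings[row["patch_id"]] = issues
    return findings


REVIEW_DATE = date(2016, 12, 9)  # constructed review date

if __name__ == "__main__":
    for patch_id, issues in sorted(check_patch_log(SAMPLE_PATCH_LOG, REVIEW_DATE).items()):
        print(f"{patch_id}: {', '.join(issues)}")
```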

For non-core desktop software, business application owners are responsible for implementing and monitoring a patch management process for their applications. '''''' ''''''''''''''' ''' '''''''''''''''''''''' ''''''''''''''' '''' ''''''''''' ''''''' '''''''' ''''''''''''''''''''''' ''''''''' '''''' '''''' '''' '''''''''''''' '''''''''''' ''''''''''''''''''''''''' ''''''' ''''''''''' '''''''''''''' '''''''''''''''''''''''''''' '''''''''''''''''''''' ''''''' ''''''''''' ''''''''''''''''''''''''' ''''''''''''' '''''' '''''''''' ''''''''''''''''''''' ''''''' ''''''' '''''''''' ''''''' ''''''' ''''''' ''''''' ''''''''''''''''''''' ''''''''''''''''' ''''''''''''''''''''' ''''' ''''''''''' '''''''''''''''''''''' '''''''''''''''''''' '''''' ''''''''''''''''''' '''''''''''''''''''''''''' ''''' ''' '''''''''''' '''''''''''''''''''''' ''''''''''''' ''''''''' '''''''''''''''''''''' '''''''''' ''''''''' '''''''''''''''''' ''''''' '''''''''' '''' '''''''''''''''''' ''''''''''' ''''''''''''''''''''''''' '''''''''''''''' ''''''' ''''''' '''''''''' ''''''''''''''''''' '''''''''''' '''''' '''''''''''''''''''' ''''''''''''' '''''' '''''''''' ''''''''''''' '''''''''' ''' '''''''''''' ''''' ''''''''' '''''''''''''' '''''' '''''''''' '''''''''''''''''''''''''''' '''''''' ''''' ''''''' '''''''''''''' '''''' ''''''''' ''''''''' '''''''''''''''''' ''''''' ''''''''''''''''''''''' '''' ''''''''''''' '''''''''' '''''''''''''''''''''''''''''''' ''''''' '''''' ''''''''' '''''''''' '''''' '''''''''''''''''''''' ''''''''''''''''' '''' '''''''''''''''' '''''' '''''''''''' ''''''''''''''''''''''''' '''' ''''''' ''''''''''' ''''''''''''''''''''''''' '''''''''''''''''

'''''''''''' ''''''''''''' '''''' ''''''' ''''''''''''''''''''''' ''''' ''' '''''''''''' '''''''''

''''''' ''''''''' ''''''''' ''''''''''''''''' '''''''''''''''' '''' ''''''' '''''''''''''' ''''''''' ''''''''''''''''''''''''''' ''''''''''' ''''''' '''''''''''''''''' ''''''''''''''''''' ''''''' ''''' ''''''' '''''''''''''''''''''''''' ''''''''''''' ''' ''''''''''''' ''''''''''''''''' '''''''''''''''''''''' ''''' '''''''''''''''' '''''''''''''''''''''''' ''''' ''''''''''''''''''' ''''''' ''''''''' ''''''''''''''''' ''''''''' '''''''''''''''''''''' '''''''''''' ''''''''''''''''' ''''''''' ''' '''''''''''''' '''''''''''''''''''''' '''''''''''''' '''' ''''' '''''''''''' '''''''''' ''''''' '''''''''' '''''''''''''' '''''''' ''''''' '''''''''''''''''' '''''' ''''''''''''''' '''' '''''''''' ''''''''' '''''''''' '''''''''''''' '''' '''''''''''''' '''' ''''''''''''' '''''''''''''''''''' ''''''''''' '''''''' '''''''''''''''' ''''' '''''''''''''''' '''''' ''''' ''''''''''' '''''''''''''' '''''''' ''''''''''' ''''''' ''''''''' ''''''''' '''' '''''' '''''''''''''' '''''''''' ''''''''''''''''' '''' ''''' ''''''' '''''''' '''''''' '''' '''''''''''''''' ''''''''' ''''''''''''''''' '''' '''''''''''''' '''''''''''' ''''''' ''''''''''''''''''''''' '''''''''''''''''''''' ''''''' ''''''''''''''''' ''' '''''''''''''' '''' '''''''''' ''''''''''''''' ''''''''''''' '''''''' '''''''''''''''' '''''' ''''''''''' '''''''''''''' ''''''' ''''''' '''''''''''' ''''''' '''''''''' ''''' '''''''''''' ''''''''''''''' '''''''''' ''''''''''''''''''''''''' ''''''''' ''''''' ''''''' '''' ''''''' '''''''''''' '''''''''''''''' ''''''''''''''' '''''''' '''''''''''''''''''''''' ''''''''''''' '''''' '''''''''''''''''''''' '''''''''''' ''''''''' ''''''' '''''''' '''''''' '''' ''''''' '''''''''' '''''''''''''''' ''''''''''''' ''''''''''''''''''' '''''''' ''' '''''''' '''''''''''''''''''''''' ''''''''''''''

''''''' '''''''''' '''''''' ''''''''''' ''''''' ''''''''''''''' '''''''''''''''''''' ''''''''' '''' ''''''''''' ''''''''''''''' ''''''''''''' ''''''' ''''''''''''''''''''''''' '''' ''''''''' ''''''''''''''' ''''''''' ''' ''''''''''''''''''''''' '''''' '''''''' '''''''' ''''''''''' '''''''''''''''''''''''''' ''''''''''''''' ''''''' '''''''' ''''''''''' ''''''''' ''''''' '''''''''''''''''''' '''' '''''' ''''''''''''' '''''''' '''' '''''''''''''' ''''''' '''''''''''' ''''''' ''''''''''''''''''' '''''' ''''''''''''''' ''''''''''''''' '''' ''' ''''''''''' '''''''''''' '''' ''' ''''''' ''''''' ''' ''''''''''' '''''''''' ''''' ''''''''''''''''''''''''''' '''''''''''''' ''''''' '''''''''' '''''''''''' ''''''''''''''' '''''''''''''''''''''' ''' ''''''' ''''''''''''''''''''''''''' ''' ''''''''''''''''''''''' ''''''''' '''' ''''''''''''''''''''''''''' ''' '''''''' '''''''''''''''''' '''' ''''''''''''''' '''''''''''' ''' ''''''''''' ''''' '''''''''''''''''''''' ''''''''''''''''''''' ''''''' '''''' '''''''''''''' ''' '''''''' '''' '''''''''''''' ''''''''''''''''''''''''' '''''''''''''''''''''''' ''''''''''''''' ''''''''''''''''''' ''''''''' '''''''''''''''' ''''''' '''''''' '''''''''''''''''' ''''''''' '''''''''''''''''''' ''''''''''''''''''' ''''' '''''''''''''''' ''''''' '''''''''''''''' '''''''''''' ''''''''''''''''''''''' ''''''''''''''' '''''' '''' '''''''''''''''''''''' ''''''' '''''''''''''''''''''''' '''' '''''''' ''''''''''''''''''''''''' '''''''''''''''''' '''' ''''''''''''''''''' '''''''''' '''''''''''''''''''''' ''''' '''''''''''''''''''''''''''' '''''''''''''''''''' '''''''''''''''' ''''''' ''''''''''' '''''''''' '''''''''''' '''''''''''''

''''''''''' ''''''' ''''''''''''''' ''''''''''''' '''''' ''''''''''''''''''''' '''''' '''''''''' ''''''''''''''''''''''''''' ''''''' ''''''' '''''''''''''''' ''''''''''' ''''''''''''''''''''''''''' ''''''''' '''''' ''''''''''' '''''''''' '''''''''''''''' ''''''''''''''''''' '''''''''''''''''''''' '''' ''''''''''' ''''''''''''''''''''''''' '''''''''''''''''' '''''''''' ''' '' ''''''' '''' '''''''''''''''''''''' '''''''''''' ''''''''''''''''''''''''''''''''' ''''''''''''''''''''' ''''''''''''''''' ''''''' ''''''''''''' '''' '''''''''''''' '''''''''''''''' ''''''''''' ''''''''''' '''' '''''''''''''''''' ''''''''''''''''''' '''' '''''''''''''''' '''''''''''''''''''''''''''' '''' ''''''''''''''''' ''' ''''''' '''' '''''''''''''''''''''''''' ''''' '''''''''''' ''''''''''''''''''''''''' '''''''''''''''''''' ''''''''''''' '''''''''''''''''''''' '''' ''''''' ''''''' '''' ''''''''''''''' '''''''''''''''' ''''''''''''' '''''''''''''' '''''' ''''''''''' '''''''''''''''''''''''' '''''''''''''''''' '''' ''''''''''''' ''''''''''''''''''' '''''''''''' ''''''''''''''''''''''''''''

Recommendation 6: It is recommended that the Assistant Deputy Minister, Human Resources and Corporate Services ensure that:

'''''' ''''''''''''''''''''''' ''''''' '''''''''' '''''''''''''''''''''''' '''''''''''''''' '''' ''''''''''''''' ''''''' '''''''''''''''''''''''''' ''''''''''''''''''''''''''''''' ''''''''''''''''''''''''''''''''' ''''' '''''''''''''''''''' '''''''''' '''''''''''''''''''''''''' '''''''''' ''''''''''' '''''' ''' ''''''''''''' ''''''''''

Management Response: ''''''' '''' ''''''''''''''' ''''''''''''''''''''''''' '''' '''''''''''''''''''''''' ''''''''' ''''''''''' ''''''''''' ''''''' ''''''''''''' '''''''''''''''' ''''''''''''' '''''''''' '''''''''''' ''''''' ''''''''''''' ''''''' ''''''''''''''''''''''''' ''''''' '''''''''''' '''''''''''''''''''''''' ''''''''''''''''

''''''' ''''''' ''''''' ''''''''''''''''''''' '''''''' ''''''''''''''' '''''''''''''''' ''''''' ''''''''''''''''''''''''' ''''''' '''''''''' '''''''''''''''''''''''''' '''''''''''''' '''''''''''''''''''''''' ''''''''''''' ''''''' '''''''''''''''''''''''

Target Completion Date: June 2017

Database Backup and Recovery Processes

Backup refers to the copying of physical or virtual files or databases to a secondary site for preservation in case of equipment failure or other catastrophe. The process of backing up data is pivotal to a successful disaster recovery plan.

''''' ''' ''''''''''''' ''''''''' '''''' ''' '''''' ''' '''''''

''''''' ''''''''''''''''' '''''' '''''''''''''''''''''''' ''''' '''''''''' '''''''''''''''''''''''' ''''''''''''''''' '''''' '''''''''''''' '''''''' ''''''''''''''''''' ''''''''' '''''''''' '''''''''' '''''''' ''''''''''''''''''''''''''' '''''''''''''''' ''''''''' ''''''' '''''''' '''''''' ''''' '''''''''''''''''' '''''''' ''''''''''''''' ''''''''''''' ''' '''''''''' '''''''''''' '''''''''''''''' '''''' '''''''''''' '''''''' ''''''''''' '''''''''''''''''''' '''''' ''''''''''''''' ''''''' '''''''''''''''''' ''''''' ''''''' ''''''''''''''''''''''''' '''' '''''''''''''''''''''''''' ''''''' '''''''''''''''''''''''' '''''''''''''''''' '''''''''''' ''''''' ''''''' ''''''''''' ''''''''''' ''''''''''' '''''' ''''''''''''''''' '''' ''''''' ''''''' ''''''' ''''''' '''''''' '''''''''''''''''' ''''''' '''''''''''''' '''''''''''''''''''''''''' '''''''''' ''''''''''''''''''''' ''''' ''''''''' '''''''''''''''''''''''''' ''''''''''''''''''' '''''' ''''''''''''''' ''''''' '''''''''''''''''' '''''''''''' '''''' ''''''''''''''

''''''' ''''''''' ''''''' ''''''''''' ''''''''' '''''''''''''' '''''''''''''' ''''''' '''''''''''''''' ''''''''' ''''''' '''''''''''''''''''''''''''' '''''' '''''' '''''''' '''''''''''''''''''''''''' ''''''''' '''' ''''''''' ''''''''''' ''''''' '''''''' ''''''''''''''' '''''''' ''''''' '''''''''''''''''''' ''''' ''''' '''''''' '''''''''''''''''''''''''''' ''''''''''''''' '''''''''''''''' ''''''' '''''''''''''' ''''' '''''''' '''''''''' '''''''''''''''' ''''''''''''''''' ''''' '''''''''''''''' ''''''''''''''''' ''''''' ''''''''''''' ''''''''' '''''' '''''''''''''''''''''' '''' '''''''''' '''''''''''''''' '''''''' '''''''' '''''''''''''' ''''''' '''''''''''''''' '''''''''''''''''''''''''''' '''''''''' ''''''''''''''''''''''' '''' ''''''''' '''''''''' ''''''' ''''''''''''''''''' '''' ''''''' '''''''' '''''''''''''''''''''''' ''''''''''''''''' ''''''' '''''''''''' '''''''''''''''''''' '''''''''''''''' '''''''''''''' '''''''' '''''''''''''''''' '''''''''''' ''''''''''''''''''''''''''' '''''''' '''''''''''''''''''''''''''' '''''' '''''''''''''''''''''' '''''''' ''''''''''''''' '''' ''' ''''''''''''' '''''''''''''''''' ''''' '''''''''''''' ''''''' ''''''''''''''''''''''' '''''''''''''''' ''''' ''''''''' '''''''''''''''' '''' '''''''' ''''''''''''''''''''''''' '''''''''' '''''''''''''''''''' ''''''' ''''''''''''' ''''''''''''' '''' ''''''''' ''''''''''''''''' ''''''' ''''''' '''''''''''''''' '''''' '''''' '''''''''''''''''''''''''' ''''''''''''''''''' '''''''''' '''''''''' '''''' ''''''''''''''' '''' ''''''''

SSC recently published the IT General Control Framework for IT Infrastructure Services – Internal Controls document, which identifies SSC as being responsible for performing backup and recovery activities for partner departments and for ensuring that the partner’s environment is backed up in line with its recovery objectives. Departmental responsibilities will include providing SSC with backup and recovery requirements, including an up-to-date list of critical business applications and services; keeping an up-to-date list of designated sites, including locations; communicating any requested information to the SSC Service Desk in a timely manner; and testing backups to ensure recoverability of information.

Recommendation 7: It is recommended that the Assistant Deputy Minister, Human Resources and Corporate Services ensure that backup and recovery standards be documented, with clear roles and responsibilities between DFO and SSC.

Management Response: The CIO will obtain and coordinate the implementation of the backup and recovery standard(s) from Shared Services Canada (SSC) and will collaborate with SSC to ensure that roles and responsibilities are clearly defined within the standard(s).

Target Completion Date: March 2017

6.4 MONITORING AND REPORTING ''''''''''''''''''' ''''''''

To ensure effective monitoring of the IT Security program, reporting must be accurate and consistent to measure management efforts, resources and success toward achieving its expected results. As per the TBS Directive on Management of Information Technology, which supports the Policy on Management of Information Technology, the departmental CIO is responsible for monitoring compliance with this directive and advising the deputy head of reporting results in the annual Departmental Performance Report (DPR) and the Management Accountability Framework (MAF).

''''''' '''''''''''''''' '''' '''''''' ''' ''''''''''''''''''''''''' '''''''''''''''''''''''''' ''''''''''''''' '''' '''''''''' ''''''''''''''''''''' ''''''' ''''''''''''''''''' ''''''''''''' '''''''' ''''''''''''''''''''''''' ''''''''''''''''''' '''''''''' '''' ''' '''''''''''''''' ''''' ''' ''''''''''''''''''''''''''''' '''''''''' ''''''' '''''''''''''''''''''' '''''''''''''' ''''''''''' '''' '''''' ''''''''''''''''''''''' '''' '''' ''''''''''''''''' '''''' ''''''''''''''''''' '''' ''''''' ''''''''' ''' '''''''''''''''' ''''' '''''''''''''' '''''' '''''''''''''''''''''''''''' '''''''''''''''''' '''''''' ''''''''''''''''''' '''''''''''''''''''''' '''''''' '''''' '''''''''' '''''''''''''''''''''''''''''' '''' '''''''''''' ''''''''''''''''''''''' ''''' ''''''''''''''''''''''' '''''''''''''''''' '''''''' '''' ''''''''''''

''' '''''''''''' ''''''''''''''''''''''''''' ''''''''''''''''''''''''' ''''''''''''''''''''''''''' '''''''''''''' '''''' '''' ''''''''''''' '''''''' ''''''' ''''''''

'''''''''''' ''' ''''''''''''' '''''''''''''''''''''' '''''''''''''''''''''''' ''''''''''''''''' '''''''''' '''''' '''''''''' '''''' '''' '''''''''''''''''' reporting occurs on certain metrics and IT security performance status reports were presented to senior management. DFO IT Security has also submitted TBS MAF assessments regarding MITS security elements and on the Department’s compliance with CSEC’s Security Policy Implementation Notices, including patch management, account management and the CSEC Top 10 Self-Assessment. In January 2016, the CIO reported to DMC additional details regarding IT Security, including the status for nine IT security control objectives that were identified in the TBS Directive on Departmental Security Management.

Recommendation 8: It is recommended that the Assistant Deputy Minister, Human Resources and Corporate Services ''''''''''''' ''''''' '''' '''''''''''''''' '''''''''''''''''''''''' '''''''''''''''''''''''''''' ''''''''''''''''''''' '''' ''''''' '''''''' '''''''''''''''''''''''''''''''''''' ''''''''''''''''''''''''''' ''''''''''''''''''' ''''''' '''''''''''''''' '''''''''''''' ''''''''''''''''''' ''''''' ''''''''''''''''''' '''' ''''''''''''''''''''''''''' '''' '''''''''''''''' ''''''''''''''''''''''''

Management Response: IM&TS will ''''''''''''''' '''''' '''' '''''''''''''''' '''''''''''''''''''''''' '''''''''''''''''''''''''' ''''''''''''''''' ''''''''''''''' ''''''' '''''''''''''''''''''''''' ''''''''''''''''''' '''''''''''' ''''''' increase regular monitoring and reporting.

Target Completion Date: March 2017

'''''''''''''' '''''''''''''''''''''' ''''' ''''''''''''''''' '''''''''''''''''''''''''''''' ''''''' '''''''''''''' '''' '''''''''''''''' ''''''' '''''''''''''''' ''''''''''''''''''''' ''' '''''' '''''''''''' '''''''''''

''''''' ''''''' '''''''''' ''''''''' ''''''''''''' ''''''''''''''''''''''' '''' '''''''''''''''''' '''''''''''''''''''''''''' ''''''' ''''''''''''''' ''''' '''''''''''''''''' '''''''' ''''''''''''''''' ''''''''''''''''''''' ''' ''''''' ''''''''''''' ''''''''''' ''''''' '''' '''''''''''' ''' ''''''''''''''''' '''''''''''''''''' '''''' ''''''''''''''''' ''''''''''''''''''''''''' '''''''''''''' ''''''''''''''''''''''''''''' ''''''' '''''''''''''''' ''''''' '''''''''' ''''''''''''''''''''' ''''''' '''''''''''''''''''''''' ''''''''''''''''' ''''''''' '''''' '''''''''''''''''''''''''''' '''''''''''''''''' '''''''''''''''''' ''''''''''''''''''''''''''' '''''''''''''' ''''''''''''''''''' '''''''''''''''''''' ''''''''''''''''''''''''' '''''''''''''''''''''''''' '''''''''''''''' '''' '''''''''' '''''''''' '''' ''' ''''''' '''''''' ''''''''' ''''''''''' '''''' ''''''''''''' '''''''''''' ''''' ''''''''''''''''''' ''''''' ''''''''''''''''' ''''''''''''''''''''''''' '''''''''''' ''''' '' ''''''''' '''' ''''''''''''''' ''''''''''''''''''' '''''''''''''''''''''''''' ''''''''' ''' ''''''' ''''''''''''''''''''''' ''''''' ''''''''''' ''''''' ''''''''''''''' ''''''''''''' ''''''''''''''''' '''''''''''''''''''''' ''''''''''''''''''' '''' ''' ''''''''''''' ''''''''' '''''''''' '''''''''''''''''''''''''''' ''''''''''' '''''''''''''' ''''''''''' '''''''' ''' '''''''''''''''''''''''''''''' '''' '''''''''''''''' ''''''''''''' ''''''' '''''''' ''''''''''''''''''''' '''''''''' '''''' '''''' ''''''''' '''''''''''''''''''' '''''''''''''''' '''''' '''''''''''''''''''''' '''' ''''''''''''' ''''''' '''' ''''''''''''' '''' '''''''''''''''''''''' ''''''' '''' '''''''''''' '''''''''''''''''''''''''''

However, progress is being made with regard to safeguarding the electronic communication and storage of the Department’s protected and classified information, such as the new Information Security Standard that aligns with TBS policies on data storage and security. Also, in order to reduce the risks related to portable storage devices, the Department has disabled the ability to write information to CDs/DVDs ''''''''''''' ''''''' '''''''''''''' ''''''' ''''''''''''''''''''''' '''' ''''''''''''''''''' ''''''' '''''''''''''''' '''''''''''''''''''''''' '''' '''''''''''''''''''''

Recommendation 9: It is recommended that the Assistant Deputy Minister, Human Resources and Corporate Services ''''''''''''' ''''''' '''''''''''''' ''''''' ''''''''''''''''''''''' '''' ''''''''''''''''''' ''''''' '''''''''''''''' '''''''''''''''''''''''' '''' ''''''''''''''''''''' ''''''' ''''''''' ''''''' ''''''''''''''''''' '''''''''''''''''' ''''''''''''' ''''''''''''''''' ''''''' ''''''''''''''''''''''''''

Management Response: The CIO and the DSO will increase awareness regarding the classification and designation of information; and will increase awareness regarding the storage and transmission of protected and classified information.

Security Awareness will include making employees aware of the document/records management system, thereby increasing the usage of the departmental approved system for storing protected and classified information.

IM&TS will roll out the GCDOCS records management system to address the storage requirements for Protected B information.

Target Completion Date: April 2017

6.5 IT SECURITY TRAINING '''''''''''''''''''''' ''''''''

The Operational Security Standard on the Management of Information Technology Security (MITS) requires departments to provide ongoing IT security training to all individuals with significant IT security responsibilities. The Government of Canada Information Technology Strategic Plan 2016-2020 identified that successfully delivering IT services requires a skilled, agile, connected and high-performing IT workforce that combines a knowledge of business and technology. IT professionals need to be able to keep pace with the speed at which technology is evolving. Enabling a high-performing, strategic IT workforce will require continued investment in career and talent management.

[redacted]

[redacted]

The 2016/17 IM&TS priorities included a long-term strategy to align employee skills and capacity in order to meet demand for new business from programs, including the capacity needed to satisfy IT security requirements. To simplify recruitment, staffing, career development and learning efforts, the CIO established an ongoing resource capacity exercise leveraging the generic work descriptions, job competencies and statements of work that were created by the Chief Information Officer Board (CIOB) and the Office of the Chief Human Resources Officer at the Treasury Board of Canada Secretariat. Additional reorganization within IM&TS is underway to further improve and streamline the delivery of IT services.

Within CCG, an IT Service Delivery study was conducted that included an environmental assessment, position skills, knowledge and capability assessments and gap analysis. The CCG is currently in the process of creating an IT service delivery group, which will include responsibility for the CCG operational network. CCG is also using the CIOB’s IT generic work descriptions, job competencies and statements of work, including ones with IT security components.

While both DFO and CCG have conducted workforce assessments, we found that training requirements for DFO IT security professionals, specialists and application developers need to be updated to reflect DFO’s adoption of ITSG-33. These updated training requirements need to be communicated and tracked to mitigate IT security vulnerabilities and risks. [redacted]

Recommendation 10: It is recommended that the Assistant Deputy Minister, Human Resources and Corporate Services identify training requirements of IT security specialists and application developers based on current IT Security Guidance and monitor progress in addressing the requirements.

Management Response: The CIO, in collaboration with the DSO and CCG, will implement the following changes to the IT security training activities for DFO, including CCG, IT security specialists and application developers by:

  • Further expanding on the IT Security curriculum to identify the knowledge, skills and competencies required;
  • Coordinating with the teams to identify IT Security training requirements to address gaps; and
  • Recommending a tracking process to match knowledge, skills and competencies required with training acquired.

Target Completion Date: September 2017

7.0 AUDIT OPINION

The audit found that there are opportunities for improvement to ensure that DFO, including the Canadian Coast Guard, has an adequate and effective control framework in place to support information technology security. While governance structures do exist, IT Security roles and responsibilities should be better defined to ensure the Department’s IT Security Program is being adequately and effectively managed. Although IT Security guidance is dated, updates are currently underway and can be further strengthened by ensuring effective implementation. Opportunities exist to enhance DFO’s IT security program [redacted]

8.0 STATEMENT OF CONFORMANCE

In my professional judgment as Chief Audit Executive, sufficient and appropriate audit procedures have been conducted and evidence gathered to support the accuracy of the opinion provided and contained in this report. The extent of the examination was planned to provide a reasonable level of assurance with respect to the audit criteria. The opinion is based on a comparison of the conditions, as they existed at the time, against pre-established audit criteria that were agreed on with Management. The opinion is applicable only to the entity examined and within the scope described herein. The evidence was gathered in compliance with the Treasury Board Policy and Directive on Internal Audit. The audit conforms with the Internal Auditing Standards for the Government of Canada, as supported by the results of the Quality Assurance and Improvement Program. The procedures used meet the professional standards of the Institute of Internal Auditors. The evidence gathered was sufficient to provide Senior Management with proof of the opinion derived from the internal audit.

APPENDIX A: LINES OF ENQUIRY AND AUDIT CRITERIA

The audit criteria are presented in the table below, by audit line of enquiry.

Audit Criteria
LINE OF ENQUIRY 1: Governance is in place for the management of IT security
Criterion 1.1: Departmental oversight bodies for the management of IT security have been established and are operating effectively.
Criterion 1.2: Roles, responsibilities and accountabilities are clearly defined, documented and communicated.
LINE OF ENQUIRY 2: A Human Resources plan for IT security is established and specific IT security and security awareness training is provided and monitored
Criterion 2.1: A Human resources plan that is aligned with government-wide and departmental priorities and plans has been established and ensures adequate IT security professional capacity.
Criterion 2.2: IT security and security awareness training is provided and participation is monitored.
LINE OF ENQUIRY 3: An IT security framework is well established
Criterion 3.1: Departmental IT security policies, directives, guidelines and standards are aligned with the government’s IT security framework, have been developed, are current and communicated within the Department.
Criterion 3.2: An IT security plan that is aligned with government-wide and departmental priorities has been developed, is current and communicated.
Criterion 3.3: A departmental approach to assessing and managing IT security risks has been developed and implemented.
Criterion 3.4: Departmental reporting of IT security program performance and compliance with TBS and DFO policies, directives, guidelines and standards is being performed to inform decision making.
LINE OF ENQUIRY 4: Selected TBS and lead agency recommended controls are in place at the Department level to mitigate IT security risks
Criterion 4.1: [redacted]
Criterion 4.2: [redacted]
Criterion 4.3: [redacted]
Criterion 4.4: The Department has documented standards for backup and recovery, with clear roles and responsibilities between DFO and SSC, and recovery testing is being done.

APPENDIX B: LIST OF ACRONYMS

ACL: Access Control List
BCP: Business Continuity Plan
C&A: Certification and Accreditation
CCG: Canadian Coast Guard
CIO: Chief Information Officer
CIOB: Chief Information Officer Board
CRP: Corporate Risk Profile
CSEC: Communications Security Establishment Canada
DG-MC: Directors General Management Committee
DFO: Fisheries and Oceans Canada
DMC: Deputy’s Management Committee
DSO: Departmental Security Officer
DSSEMP: Departmental Safety, Security, and Emergency Management Plan
EKME: Electronic Knowledge Management Environment
HR: Human Resources
HRCS: Human Resources and Corporate Services
GC: Government of Canada
I&A: Identification and Authentication
IM: Information Management
IM/IT: Information Management / Information Technology
IM/IT-MB: Information Management / Information Technology Management Board
IM&TS: Information Management and Technology Services
IT: Information Technology
ITS: Integrated Technical Services
ITSC: Information Technology Security Coordinator
ITSG-33: Information Technology Security Guidance on IT Security Risk Management
KPI: Key Performance Indicators
MAF: Management Accountability Framework
MITS: Management of Information Technology Security
MOU: Memorandum of Understanding
NIAC: National Informatics Advisory Committee
PGS: Policy on Government Security
QA: Quality Assurance
SA&A: Safety, Assurance and Accreditation
SCCM: System Centre Configuration Manager
SLA: Service Level Agreements
SSC: Shared Services Canada
SSEM: Safety, Security, and Emergency Management
SSEMOC: Safety, Security, and Emergency Management Oversight Committee
SSEM-WG: Safety, Security and Emergency Management Working Group
TB: Treasury Board
TBS: Treasury Board of Canada Secretariat
TRA: Threat and Risk Assessment
WSUS: Windows Server Update Services