Targeted Control Audit of the Management of the Treasury Board of Canada Secretariat’s Data Storage Devices: Final Report

Statement of conformance

The Internal Audit and Evaluation Bureau (IAEB) has completed a targeted control audit (TCA) of the Treasury Board of Canada Secretariat’s (TBS’s) management of data storage devices. This audit conforms with the Internal Auditing Standards for the Government of Canada, as supported by the results of the IAEB’s quality assurance and improvement program.

1. Background

1.1 Authority

The Targeted Control Audit of the Management of the Treasury Board of Canada Secretariat’s Data Storage Devices is part of TBS’s approved three-year Risk-Based Audit Plan for 2015 to 2017.

1.2 Context

A TCA is an assurance product aimed at providing reasonable assurance that key controls within an audit entity are designed and working as intended. Compared to a typical internal audit, the scope of a TCA is defined using less intensive approaches and is more focused. To be the most effective, a TCA requires that the audit entity has established stable and documented control processes.

In 2014, the IAEB conducted a review of the security of data storage devices (DSDs) that identified areas of improvement in the management of the DSDs. This previous work, and subsequent control enhancements that management had made, were considered when developing the scope for the TCA.

The following areas pertaining to the management of DSDs were scoped into this TCA: asset management, physical security, incident management and IT security.

1.3 Objective and scope

The objective was to assess the adequacy and effectiveness of the key controls over the management of TBS’s DSDs and the information they contain, and to provide a reasonable level of assurance for a specific set of key controls.

The TCA scope was limited to controls addressing key control objectives agreed upon with management during the planning phase. The key control objectives pertained to the provisioning, in-use, deprovisioning and disposal phases of the DSD life cycle. The following devices were included within the scope: laptops, tablets, smartphones (BlackBerry devices and iPhones), USB flash keys, desktop computers and multifunctional devices (printers).

Scope exclusions

Servers were excluded, because they fall under the purview of Shared Services Canada. Digital cameras, scanners and portable hard drives were also excluded from the scope of the TCA given their limited use. Controls pertaining to smartphones were examined to the extent that TBS, rather than Shared Services Canada, owns the controls.

The TCA covered controls in place for the period from January 2015 to June 2016.

1.4 Approach and methodology

The approach and methodology were designed to result in reasonable assurance on the defined TCA objective. The TCA included various tests that were considered necessary for providing such assurance, including:

  • interviews
  • process walk-throughs
  • sample-based control testing
  • data analytics

2. Results

[This information has been severed.]

3. Conclusion

Encryption is a key element in managing information security risks, and the TCA found that encryption controls were operating effectively. Beyond encryption, control objectives were not met in other areas of the management of data storage devices, which could expose the organization to other residual risks. [This information has been severed.]

4. Recommendations

It is recommended that TBS Corporate Services Sector (CSS) develop a plan to enhance controls over data storage devices in consideration of the results of this TCA. To assist in this regard, the IAEB has identified four recommendations for control improvements:

[This information has been severed.]

5. Management responses

Management has accepted the TCA findings and has developed an action plan (refer to the Appendix) to address the recommendations. The management action plan is expected to be fully implemented by March 31, 2018.

Appendix: management responses

[This information has been severed.]
