Archived - Information Technology Security - Audit Guide

This page has been archived on the Web


Preface

This guide was prepared by the Information, Communications and Security Policy Division, in consultation with the Evaluation, Audit and Review Group of the Finance and Information Management Branch, Treasury Board Secretariat.

Treasury Board Secretariat wishes to acknowledge the support, experience and ideas of the following organizations, without which the development of this guide would not have been possible:

  • Communications Security Establishment (CSE)
  • EDP Auditors Association (EDPAA)
  • Government of Canada Informatics Organizations (representative departments)
  • Government of Canada Internal Auditors (representative departments)
  • Industrial & Corporate Security Directorate (ICSD) of PWGSC and
  • RCMP Security Evaluation and Inspection Team (SEIT).

Introduction

Background

In 1990, the (former) Office of the Comptroller General released an exposure draft on Guide to the Audit of Security. This initial draft served the self-assessment, audit and review communities well by providing direction for conducting government security policy (GSP) implementation audits and reviews. In June 1994, Treasury Board approved the revised GSP which reflects recent changes in the political world order and the Canadian and global economies as well as significant developments in the information technology (IT) environment and the associated information technology security environment.

This Audit Guide on Information Technology Security has been designed to function independently. However, at a future date, it may well be that the objectives and criteria of this guide are incorporated into a revised Guide to the Audit of Security.

Purpose

This guide provides guidance to the internal audit community in conducting audits of the implementation of the Government Security Policy and the information technology security (ITS) operational standards. Departmental management conducting a self-assessment of their department's IT security program, security officials conducting security reviews, and groups responsible for program review may also benefit from this guide in conducting their reviews.

This guide is designed to assist organizations in assessing:

  • departmental compliance with the Security Policy and ITS operational standards
  • the effectiveness of implementation of the Security Policy and ITS operational standards and
  • the efficiency of implementation of the Security Policy and ITS operational standards.

Scope

This guide is intended for use in all organizations subject to the Government Security Policy: all departments listed in Schedule I, Parts I and II of the Public Service Staff Relations Act; the Canadian Armed Forces; the Royal Canadian Mounted Police (RCMP); and the Canadian Security Intelligence Service. The guide applies to both designated and classified information and assets, and to contracts.

The guide will assist in auditing and reviewing departmental ITS operations. For assistance in auditing and reviewing the overall organizational and administrative security framework, physical security operations, and personnel security operations, consult Guide 406, Guide To The Audit Of Security, Exposure Draft, published in 1990 by the Office of the Comptroller General.

This guide deals with the Security Policy and Operational Standards, which are the first and second tiers of the government security documentation model. It does not provide detailed guidance in the analysis of compliance with Technical Security Standards (the third-tier security standards) such as those in the Technical Security Standards for Information Technology (TSSIT) published by the RCMP. For assistance in auditing compliance with third-tier standards, consult the responsible lead security agency (RCMP and/or Communications Security Establishment (CSE)).

For assistance in conducting a detailed, comprehensive audit of a given ITS environment, consult the Bibliography in Appendix D. Many of the references contain questionnaires and checklists. Additionally, this audit guide is based on generic ITS audit criteria. It may be necessary to obtain additional and more detailed information on the organization, policies, standards and procedures being reviewed. The IT and ITS environments are highly technical and complex. The audits will therefore require special attention to apparent deficiencies, which may be offset by compensating controls.

If auditors encounter any difficulties or need further assistance in the interpretation of the Security Policy, they should contact the Information, Communications and Security Policy Division for policy interpretation, and the Evaluation, Audit and Review Group of Treasury Board Secretariat for audit questions.

Guide Organization

This guide is organized in the following manner:

Chapter one, "Management Issues," provides an overview of current ITS issues, as they relate to overall IT issues.

Chapter two, "Conducting the Audit," outlines the procedures for auditing the implementation of the Government Security Policy and the ITS operational standards. The objectives, criteria, detailed criteria and audit procedures to be used in performing ITS audits are included in this section of the guide.

The guide also contains a series of appendices: a list of authorities and references; a suggested table of contents for an ITS audit report; a glossary; a list of IT and ITS committees and standards; and a bibliography.

Chapter 1 - Management Issues

Security Environment

1.1 Accountability Framework

A fundamental principle of the Government Security Policy is the accountability of deputy heads for security within their departments. The policy and operational standards outline requirements with which departments must comply. The operational standards also include recommended safeguards to apply unless a threat and risk assessment indicates otherwise.

If departments are to implement programs that are efficient and effective, they must be able to administer them within their particular mandates and according to their priorities, budgets, and organizational cultures and environments. The policy recognizes this by defining broad requirements to ensure a certain level of security within a department or government as a whole, while allowing the discretion needed to respond to financial needs and other conditions.

1.2 The Government Security Model

The Government Security Policy and Operational Standards describe a departmental security program model having the following components:

  • organizational structure
  • administrative procedures and
  • three (3) sub-systems:
    • Physical Security,
    • Information Technology Security, and
    • Personnel Security.

Therefore, where responsibility for the various sub-systems is assigned to different organizational units, or where it is decentralized, the sub-systems should be structured to support cooperative planning, management and administration.

Refer to Chapter 2-1 of the Treasury Board Manual, Security Volume, for more information.

1.3 The Information Technology Security (ITS) Model

ITS is often described as the protection from threats using an integrated set of safeguards designed to ensure the confidentiality, integrity and availability of information electronically stored, processed or transmitted.

The Operational Standards describe an ITS model with the following components:

  • organizing and administering
  • personnel security
  • physical security
  • hardware security
  • software security
  • communications security
  • operations security.

The effectiveness and efficiency of the ITS program depends upon the performance of each of these elements. Therefore, where responsibility for the various ITS elements is assigned to different organizational units (for example, to an IT Security unit and a communications-electronic security (COMSEC) unit) or where it is decentralized, the elements should be structured to support cooperative planning, management and administration.

ITS is most effective when it is accepted as just one of the many important requirements that system developers and maintainers need to consider. ITS should not be an "add-on". It should be viewed as an integral component of any given IT infrastructure. When properly managed, it provides system and data owners with a return on investment. Refer to Chapter 2-3 of the Treasury Board Manual, Security Volume, for more detailed information.

1.4 Roles and Responsibilities

Senior Official

Departments are required to appoint a senior official to represent the Deputy Head in dealings with Treasury Board Secretariat about the Security policy and standards.

Departmental Security Officer (DSO)

Departments must also appoint a DSO responsible for developing, implementing, maintaining, coordinating and monitoring a departmental security program consistent with the Security policy and standards.

ITS Coordinator

Departments must appoint an ITS Coordinator. This position should have a formal relationship with the DSO, either on a reporting or functional basis.

COMSEC Authority

Coordination of emanations and cryptographic security should be embodied in the role of a COMSEC authority. This role may be filled by someone within the departmental security program or by CSE acting on behalf of the department.

ITS Lead Agencies

The two lead government agencies for ITS are the Royal Canadian Mounted Police (RCMP) and the Communications Security Establishment (CSE). The RCMP Security Evaluation and Inspection Team (SEIT) carries out reviews of ITS, as per the schedule in the ITS operational standards. CSE inspects, tests and evaluates COMSEC systems and procedures. In addition, CSE's National Central Office of Records (NCOR) audits departmental COMSEC accounts.

1.5 Risk Management Framework

Conducting a threat and risk assessment is the fundamental principle in assessing the need for adequate security measures to protect sensitive information technology assets. The Security policy requires departments to assess threats and risks to which sensitive information and assets are exposed, select risk-avoidance options, implement cost-effective safeguards, and develop contingency and business resumption plans, as required. A department's IT system development life cycle methodology should include the appropriate steps for:

  • coordination of security plans and implementation
  • application of security risk management techniques throughout the life cycle and
  • approval, selection and implementation of appropriate safeguards.

When properly implemented, the security risk management process helps ensure that appropriate types and levels of protection are built in, thus avoiding less effective and costly retro-fit situations. The process also confirms the need for minimum safeguards and shows the need for additional types or levels of safeguards. Finally, it provides value-added by increasing awareness and support for the ITS program.

Chapter 2 - Conducting the Audit

Audit Objectives, Criteria and Detailed Criteria/Audit Procedures

This chapter identifies specific program objectives, criteria and audit procedures to be used in performing ITS audits. They were chosen because they best approximate the requirements of the Security Policy and Operational Standards relating to establishing and maintaining an effective and efficient ITS program and represent best practices of previously audited security programs.

Auditors may wish to add, modify or delete the specific objectives, criteria and detailed criteria in order to tailor the audit process to their organization.

The following audit objectives are grouped based on the main sections of the June 1994 ITS Operational Standards:

Organizing and Administering ITS

  • Ensure that an ITS management structure is in place and meets the needs of the department.
  • Ensure that ITS safeguards are implemented, maintained, monitored and adjusted, within a risk management environment.
  • Ensure that the information technology (IT) resources are appropriately managed.
  • Ensure that ITS equipment is appropriately managed, repaired, maintained and disposed of.
  • Ensure that cryptographic materiel is appropriately managed, repaired, maintained and disposed of.
  • Ensure that departmental ITS undergoes regular monitoring and review.

Personnel Security

  • Ensure that personnel having access to IT systems/networks/applications that process, transmit or store sensitive information are appropriately screened before being given access and are aware of their security-related responsibilities.

Physical Security

  • Ensure that IT is developed and maintained with consideration given to its physical and environmental security requirements.

Hardware Security

  • Ensure that IT is developed and maintained with consideration given to its hardware security requirements.

Software Security

  • Ensure that IT is developed and maintained with consideration given to its software security requirements.

Communications Security

  • Ensure that IT is developed and maintained with consideration given to its general communications security requirements.
  • Ensure that networks and network applications are developed and maintained with consideration given to their security requirements.
  • Ensure that IT is developed and maintained with consideration given to electronic authorization and authentication (EAA) security requirements.
  • Ensure that IT is developed and maintained with consideration given to emanations security requirements.

Operations Security

  • Ensure that ITS operations are in place and meet the needs of the department.

Organizing and administering ITS

Objective #1

Ensure that an Information Technology Security management structure is in place and meets the needs of the department.

Criterion 1.1 Security management responsibilities are established, defined and assigned.

Detailed Criteria/Audit Procedures:

1.1.1 Obtain a copy of the most recent departmental security organization chart(s). Determine its adequacy in portraying all security relationships (both line and functional).

1.1.2 Determine whether a senior official has been formally appointed to represent the deputy head in dealings with the Treasury Board Secretariat on matters concerning the security policy and standards.

1.1.3 Determine whether a Departmental Security Officer (DSO) has been formally appointed by the deputy head and if the DSO position is sufficiently senior.

1.1.4 Determine whether an ITS Coordinator has been formally appointed and if the ITS Coordinator has at least a functional relationship with the DSO.

1.1.5 Determine whether a separate position for a Communications-electronic Security (COMSEC) Authority has been formally appointed, or if the Communications Security Establishment (CSE) has been appointed to act on behalf of the department. Assess whether the working relationship of this position with the position of the ITS Coordinator is appropriate.

1.1.6 Review the key ITS position descriptions to determine if the required duties and responsibilities have been included. Determine whether the position descriptions reflect the current organizational needs. Determine what priority and percentage of time is allotted directly to security-related duties.

1.1.7 Interview key ITS personnel on their knowledge of the security requirements of their positions. Determine the actual percentage of time spent on ITS matters and compare it with that in the position description.

1.1.8 Interview selected middle and senior responsibility centre managers who are responsible for significant IT, such as critical local area networks (LANs), wide-area networks (WANs), or traditional datacentres, to determine their knowledge of their ITS responsibilities. Determine if their position descriptions include ITS duties and responsibilities.

1.1.9 Interview selected LAN/WAN/datacentre managers to determine their knowledge of their ITS responsibilities. Determine if their position descriptions include ITS duties and responsibilities.

Criterion 1.2 An ITS planning process is in place.

Detailed Criteria/Audit Procedures:

1.2.1 Obtain copies of past security audits, management self-assessment reviews, security program reviews, internal security reviews, RCMP Security Evaluation and Inspection Team (SEIT) reviews, CSE reports and any other related security reports.

1.2.2 Determine whether there is a formal plan for ITS for the current fiscal year or whether it is a sub-set of the overall security plan. Determine whether the plan was developed in concert with, and in consideration of, other critical departmental plans and reports, such as: overall security plans; IT plans and strategies; information management plans (IMPs); the departmental business plan; RCMP SEIT reports; CSE reports; and inter-departmental ITS committee recommendations.

1.2.3 Review the level of funding of ITS in relation to the level of funding for IT. Consider the implications of any significant changes in the level of funding and whether the level of funding is adequate.

1.2.4 Examine the plan for completeness, reasonableness of its time frames, adequacy of resources (including financial, personnel, and information) and authorization.

1.2.5 Ensure that the plan addresses the implementation of the security policy, and the ITS standards.

1.2.6 Ensure that the plan addresses the management-accepted recommendations of past security audits and reviews.

1.2.7 Verify that the plan addresses the requirement for developing contingency plans to restore computer operations following an interruption within the specified time as set out in the statement of sensitivity.

1.2.8 Verify that the plan considers the whole of the organization's ITS needs such that it would create economies of scale (e.g. acquisition of anti-virus software or laptop computer access control software).

1.2.9 For interdepartmental activities requiring Treasury Board submissions for IT systems, determine whether other potentially affected departments were provided the opportunity to help formulate security plans.

1.2.10 For departmentally shared IT systems, determine whether the other departments were afforded the opportunity to jointly assess threats and risks, agree on security requirements, safeguards, terms and conditions.

1.2.11 For departmentally shared IT systems, determine whether security terms and conditions are agreed to in a Memorandum of Understanding.

Criterion 1.3 Necessary functional linkages exist.

Detailed Criteria/Audit Procedures:

1.3.1 Determine whether internal linkages exist between the ITS function(s) and other administrative functions in the organization, such as:

  • the EDP and/or telecommunications organization(s) (if separate from ITS)
  • IT outsourcing contractor
  • information management (if separate from ITS)
  • materiel management
  • property management and
  • personnel management.

1.3.2 Verify whether the ITS Coordinator has instituted a distributed network of formally appointed, local, part-time, ITS officers (for example, LAN Administrators formally appointed as local ITS officers, and having their ITS duties incorporated into their position descriptions). Verify if the network is kept current.

1.3.3 If an ITS personnel network exists, interview select local ITS officers. Determine the extent to which they are given adequate direction and support from the ITS Coordinator. Assess if they know, and work with their local physical security/personnel screening officer (if similar personnel networks exist).

1.3.4 Determine the extent to which the ITS Coordinator participates in intra-departmental IT committees, working groups, and projects. Determine the level of visibility the ITS function has in each of these committees, groups and projects.

1.3.5 Determine whether external linkages exist between the ITS function(s) and outside agencies such as:

  • Royal Canadian Mounted Police (lead security agency)
  • Communications Security Establishment (lead security agency)
  • Canadian Security Intelligence Service (for specific threat assessment information) and
  • Emergency Preparedness Canada (for specific emergency planning information).

Contact the two lead ITS agencies. Determine their involvement in the ITS activities of the organization being audited during the past several years. Determine whether departmental units contact the lead security agencies directly and if the ITS Coordinator is aware of all security lead agency involvement in the department.

1.3.6 Determine the extent to which the ITS Coordinator participates in inter-departmental ITS committees such as the Information Technology Security Committee (ITSC) and the Communications-Electronic Security Committee (CSC).

1.3.7 Determine if committee representatives are appropriate. Consider the technical expertise of representatives, experience in such roles, and authority levels of representatives.

Criterion 1.4 ITS policies, practices, standards, procedures, directives, and bulletins are current and communicated to all personnel.

Detailed Criteria/Audit Procedures:

1.4.1 Examine the departmental security policies, practices and procedures documentation to determine if they adequately address the ITS component and if they are current. Ensure that policies address, as a minimum, the requirements of Chapter 2-3 of the Security Policy. More specifically, determine if policies, practices and procedures exist for the following areas:

  • Organizing and Administering ITS
    • organizing
    • responsibilities and accountabilities
    • planning including contingency planning
    • security risk management
    • certification and accreditation
    • maintenance
    • managing cryptographic materiel
    • monitoring and reviewing
  • Personnel Security
  • Physical Security
  • Hardware Security
  • Software Security
  • Communications Security and
  • Operations Security.

1.4.2 Determine whether departmental policies, practices and procedures for planning, implementing and maintaining information management and IT reflect current ITS policies, practices and procedures. Determine whether they include requirements for consultation with departmental security officials and for the timely use of security documentation such as statements of sensitivity, threat and risk assessments, and security requirements checklists (SRCLs) for use in contracting. Assess whether they emphasize the use of ITS minimum standards and risk management.

1.4.3 Determine whether the ITS-related policies, practices and procedures contain adequate information to allow key personnel to carry out their ITS-related duties.

1.4.4 Ensure that the policies and practices emphasize the importance of balancing the need for security with associated costs.

1.4.5 Determine whether the ITS-related policies, practices and procedures refer readers to the third-tier documents (as described in the security documentation model), such as the Technical Security Standards for Information Technology (TSSIT).

1.4.6 Determine whether the ITS policies, practices and procedures have been formally promulgated by senior management.

1.4.7 Determine whether the policies, practices and procedures have been communicated to all personnel. Interview select responsibility centre managers and personnel to determine their knowledge and understanding of them.

1.4.8 Determine whether TBS Security Policy Implementation Notices (SPINs), RCMP ITS Bulletins, and CSE Information Bulletins and Advisories are regularly distributed to departmental managers and others with a need-to-know.

1.4.9 Determine the extent to which departmental security bulletins are being developed and regularly distributed to all personnel.

Objective #2

Ensure that Information Technology Security safeguards are implemented, maintained, monitored and adjusted, within a risk management environment.

Criterion 2.1 Adequate ITS risk management methodology, procedures and capability exist.

Detailed Criteria/Audit Procedures:

2.1.1 Determine if the department uses a system development life cycle approach to designing, building and maintaining IT. Assess how formal it is. Verify if the System Development Life Cycle contains directions for developing and maintaining security (Chapter 2-3, Article 2.2) and if it provides for the development of security-related deliverables including:

  • system security plan
  • statements of sensitivity
  • mode of operation
  • threat and risk assessment
  • system security requirements
  • system security safeguards
  • safeguard certification and
  • system accreditation.

Assess whether the methodology ensures that electronic privacy concerns are addressed where the system being developed processes personal information.

Determine the extent to which the departmental ITS Coordinator has participated in the development of these requirements. Verify if these are based on a risk management approach.

2.1.2 Determine whether ITS personnel have adequate knowledge, experience and capability in the area of security risk management. Determine if personnel have attended training courses covering security risk management which are offered by the lead security agencies, private training institutions or other organizations.

2.1.3 Determine whether the ITS function by itself, or through the IT unit, has developed and distributed ITS risk management methodology and procedures to those who need it.

2.1.4 Determine whether the ITS Coordinator regularly provides security risk management training and awareness to IT developers and maintainers.

2.1.5 Verify whether each security deliverable is reviewed and signed off by the appropriate Responsibility Centre Manager and Security Officer.

Criterion 2.2 Risk decisions are based on adequate information.

Detailed Criteria/Audit Procedures:

2.2.1 Determine whether the threat assessment process begins with the identification and scoping of information and assets, with a focus on those which are sensitive and/or valuable.

2.2.2 Ensure that statements of sensitivity (containing confidentiality, integrity and availability requirements) are developed as a precursor to threat and risk assessment, for all systems, applications, and networks.

2.2.3 Determine whether the following sources are consulted for current threat information:

  • RCMP (threat information related to criminal matters, computer and physical security)
  • CSIS (threat information related to terrorism, espionage, and sabotage)
  • CSE (threat and vulnerability information related to telecommunications, and electronic information processing)
  • Emergency Preparedness Canada (threat information related to civil disaster)
  • Natural Resources Canada (threat information related to earthquakes, wind, tornado, flooding and other natural threats)
  • Local police forces (threat information related to local criminal matters)
  • Local fire departments (threat information related to local fire statistics) and
  • Departmental internal affairs/investigation units (threat information related to local criminal matters).

2.2.4 Determine whether the departmental ITS Coordinator maintains a repository of current ITS threat information for use by security officials, IT managers, and others.

Criterion 2.3 All new IT is developed under the departmentally approved ITS risk management framework.

Detailed Criteria/Audit Procedures:

2.3.1 Obtain a list of all current IT development projects. Select a sampling of varying size and complexity to examine. Also select for analysis a shared government system which the department will be or is using.

2.3.2 Determine whether project planning includes scheduling and budgeting for security.

2.3.3 For departmental systems, interview the project managers. Review key development deliverables. Determine the extent to which the projects are following the approved method(s) for defining and implementing security requirements. Determine if deliverables such as the following were produced:

  • system security plan
  • statements of sensitivity
  • mode of operation
  • threat and risk assessment
  • system security requirements
  • system security safeguards
  • safeguard certification and
  • system accreditation.

2.3.4 Determine whether the Departmental Security Officer or Information Technology Security (ITS) personnel are consulted at the beginning of IT development projects. Determine the extent to which they become involved during the course of the project. If ITS personnel are unable to handle all requests for ongoing project assistance, determine if they are able to assist in the hiring and monitoring of ITS contractors.

2.3.5 Interview the departmental Office of Primary Interest (OPI) responsible for the security of the shared government system. Assess if the security safeguards which the department had to implement were provided or described by the sponsoring department. Determine if these safeguards were agreed upon by the department and the sponsoring department in a formal document, such as a security memorandum of understanding. Determine the extent to which the department has implemented these safeguards.

2.3.6 For systems requiring Electronic Authorization and Authentication (EAA) security services, determine whether CSE has been consulted through the DSO, and has approved all related EAA cryptography and key management systems. (EAA Policy, Financial Management Volume, Treasury Board Manual; Chapter 2-3, Article 5.3.3)

Criterion 2.4 All operational IT is maintained under the departmentally approved ITS risk management framework.

Detailed Criteria/Audit Procedures:

2.4.1 Acquire a list of all operational IT systems, networks and applications. Select several of varying size and complexity to examine.

2.4.2 Interview the responsibility centre managers. Determine the extent to which the projects are following the approved method(s) for maintaining security requirements.

Determine whether threat and risk assessments are updated under the following conditions:

  • whenever there is a major security policy change
  • on an ongoing basis (usually annually)
  • whenever a security breach occurs and
  • whenever there is significant change in the IT or business environment.

Determine the extent to which the security officer responsible for the IT is involved in the configuration management process. Ensure that this person signs off any substantive change, after analyzing its possible impacts, and provides recommendations for security safeguard change.

2.4.3 Interview the manager from the project office of primary interest (OPI) for the shared government system. Determine the extent to which the department has continued to implement, monitor and modify as necessary the agreed upon safeguards.

Objective #3

Ensure that access to Information Technology resources is appropriately managed.

Criterion 3.1 Departmental procedures are in place to control the authorization and access to IT systems.

Detailed Criteria/Audit Procedures:

3.1.1 Using a sample of IT areas or systems, determine whether policies and procedures exist to control the following:

  • issuing of IT access privileges
  • withdrawing access privileges when employees conclude their employment and
  • withdrawing these privileges when employees' duties no longer require them.

3.1.2 Determine whether access control records for sensitive material, keys, codes, combinations, badges and system passwords are appropriately managed.

Objective #4

Ensure that Information Technology Security equipment is appropriately managed, repaired, maintained and disposed.

Criterion 4.1 Policies, practices and procedures for proper ITS equipment management, repair, maintenance and disposal are in place.

Detailed Criteria/Audit Procedures:

4.1.1 Examine the departmental security policies, practices and procedures documentation to determine if it adequately addresses the management, repair, maintenance and disposal of ITS equipment.

4.1.2 Determine whether these policies, practices and procedures contain adequate information to allow key personnel to carry out their ITS-related duties.

Criterion 4.2 Personnel responsible for repair and maintenance of ITS equipment have undergone appropriate training, are aware of current issues, and are following departmental policies, practices and procedures.

Detailed Criteria/Audit Procedures:

4.2.1 Determine whether ITS policies, practices and procedures have been communicated to all personnel concerned. Interview selected responsibility centre managers and repair and maintenance personnel to determine their knowledge of them.

4.2.2 Determine the extent to which personnel responsible for repair and maintenance of ITS equipment receive regular and current training. Verify if the level of training is commensurate with the level of complexity and sophistication of the work environment.

4.2.3 Obtain the personnel security screening requirements for repair and maintenance positions and compare them to the level of status or clearance for the incumbents of these positions.

4.2.4 Determine whether the ITS Coordinator or the COMSEC Authority is consulted before TEMPEST and COMSEC equipment and material, including Controlled Cryptographic Items (CCI), is repaired. (Note: for definitions of COMSEC and TEMPEST, see Appendix C.)

4.2.5 Determine if IT systems' electronic media is removed or sanitized in accordance with policies, practices and procedures before being sent out for repair.

4.2.6 Analyze the most recent COMSEC Authority's account inventory to determine if any outstanding problems exist in the COMSEC handling capability.

4.2.7 Determine whether repair and maintenance of ITS equipment is carried out only by qualified and properly screened or supervised personnel.

Objective #5

Ensure that cryptographic materiel is appropriately managed, repaired, maintained and disposed.

Criterion 5.1 Policies, practices and procedures for proper cryptographic materiel management, repair, maintenance and disposal are in place.

Detailed Criteria/Audit Procedures:

5.1.1 Examine the departmental security policies, practices and procedures documentation to determine if they adequately address the management of cryptographic equipment and materiel in accordance with instructions issued by the National Central Record of Office (NCOR) of CSE.

5.1.2 Determine whether these policies, practices and procedures contain adequate information to allow key personnel to carry out their COMSEC disposal and destruction related duties.

Criterion 5.2 Personnel responsible for the disposal and destruction of cryptographic materiel and publications have undergone appropriate training, are aware of current issues, and are following departmental policies, practices and procedures.

Detailed Criteria/Audit Procedures:

5.2.1 Determine whether the policies, practices and procedures have been communicated to all personnel concerned. Interview selected responsibility centre managers and the ITS Coordinator or COMSEC Authority to determine their knowledge and understanding of them.

5.2.2 Determine the extent to which personnel charged with the disposal and destruction of cryptographic materiel receive regular and current training.

5.2.3 Determine whether disposal of cryptographic materiel and publications is carried out according to instructions issued by CSE.

5.2.4 Analyze several recent disposal or destruction records to determine if proper practices and procedures were followed.

Objective #6

Ensure that the departmental Information Technology Security undergoes regular monitoring and review.

Criterion 6.1 The department conducts an internal audit of security, including ITS, at least once every five years.

Detailed Criteria/Audit Procedures:

6.1.1 Verify if management supports regular monitoring of security operations or activities.

6.1.2 Determine when the last internal audit of security (including ITS) was conducted, and if one was conducted during the five years preceding the end of 1993. Determine if management-accepted recommendations were acted upon.

6.1.3 Determine whether an ITS operational standards audit is planned for during the 1994 to 1998 time period, and every five years thereafter.

Criterion 6.2 A review of the department's IT security is conducted on a scheduled basis by the RCMP SEIT.

Detailed Criteria/Audit Procedures:

6.2.1 Interview the ITS Coordinator to determine whether an action plan and schedule have been developed to track and coordinate RCMP reviews as required.

6.2.2 Determine whether all IT systems, networks and applications are inspected on the following basis:

  • at least once every three years for ones processing, transmitting or storing classified information
  • at least once every five years for ones processing designated information and
  • immediately on the basis of a TRA related to such events as reconfiguration, change in operation or a probable breach of security.
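The inspection cycles in 6.2.2 can be applied mechanically to a system inventory. The following is an added example, not part of the audit guide: it classifies each system as current, overdue, or needing an immediate TRA-driven inspection, using the three-year (classified) and five-year (designated) cycles and the three trigger events named above. The system records, the `ITSystem` structure and the event type names are constructed for this example.

```python
"""Inspection-cycle check for Criterion 6.2.2 (added example, not from the guide)."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Review cycles stated in 6.2.2, in years, keyed by the sensitivity of the information handled.
INSPECTION_CYCLE_YEARS = {"classified": 3, "designated": 5}
# Events that call for an immediate, TRA-based inspection regardless of where the cycle stands.
# The identifiers are constructed labels for the three events listed in 6.2.2.
TRIGGER_EVENTS = {"reconfiguration", "change_in_operation", "probable_breach"}


@dataclass(frozen=True)
class ITSystem:
    name: str
    sensitivity: str                              # "classified" or "designated"
    last_inspection: Optional[date]               # None if the system has never been inspected
    events: Tuple[Tuple[str, date], ...] = ()     # (event_type, event_date) records


def add_years(d: date, years: int) -> date:
    """Advance a date by whole years; a 29 February with no counterpart falls back to the 28th."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def next_cycle_due(system: ITSystem) -> Optional[date]:
    """Date by which the next cyclical inspection is due, or None if never inspected."""
    if system.sensitivity not in INSPECTION_CYCLE_YEARS:
        raise ValueError(f"{system.name}: unknown sensitivity {system.sensitivity!r}")
    if system.last_inspection is None:
        return None
    return add_years(system.last_inspection, INSPECTION_CYCLE_YEARS[system.sensitivity])


def inspection_status(system: ITSystem, as_of: date) -> Tuple[str, str]:
    """Return (status, reason); status is 'immediate', 'overdue' or 'current'."""
    due = next_cycle_due(system)  # also validates the sensitivity label
    # A trigger event dated after the last inspection (or with no inspection at all) takes
    # precedence over the cycle: 6.2.2 requires an immediate TRA-based inspection.
    pending = sorted(
        ev for ev, when in system.events
        if ev in TRIGGER_EVENTS and (system.last_inspection is None or when > system.last_inspection)
    )
    if pending:
        return "immediate", "TRA-triggering event(s) since last inspection: " + ", ".join(pending)
    if due is None:
        return "overdue", "never inspected"
    if as_of > due:
        return "overdue", f"cycle inspection was due {due.isoformat()}"
    return "current", f"next cycle inspection due {due.isoformat()}"


def audit_inspection_schedule(systems: List[ITSystem], as_of: date) -> dict:
    """Group system names by status so coverage against 6.2.2 can be seen at a glance."""
    report = {"immediate": [], "overdue": [], "current": []}
    for s in systems:
        status, _ = inspection_status(s, as_of)
        report[status].append(s.name)
    return report


# Constructed sample inventory; these are not real departmental systems.
SAMPLE_SYSTEMS = [
    ITSystem("PAYROLL", "designated", date(1990, 1, 15)),
    ITSystem("SECURE-MSG", "classified", date(1991, 3, 1)),
    ITSystem("REGIONAL-LAN", "designated", date(1993, 2, 10),
             events=(("reconfiguration", date(1994, 5, 1)),)),
    ITSystem("NEW-CLASSIFIED-DB", "classified", None),
    ITSystem("ARCHIVE", "designated", date(1992, 2, 29),
             events=(("minor_update", date(1993, 6, 1)),)),   # not a trigger event
]
AS_OF = date(1994, 6, 30)

if __name__ == "__main__":
    for s in SAMPLE_SYSTEMS:
        status, reason = inspection_status(s, AS_OF)
        print(f"{s.name:<18} {status:<9} {reason}")
```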

6.2.3 Determine whether an action plan and schedule have been developed to implement the recommendations of each RCMP review and forwarded to RCMP within six months of the review.

6.2.4 Determine whether RCMP recommendations have been implemented, and whether annual progress reports have been provided to RCMP.

6.2.5 Determine whether the deputy head is provided with an annual summary of RCMP recommendations review activity.

Criterion 6.3 The department periodically requests CSE to review departmental communications security procedures and telecommunications systems.

Detailed Criteria/Audit Procedures:

6.3.1 Interview the ITS Coordinator or COMSEC Authority to determine whether an action plan and schedule have been developed to track and coordinate CSE reviews, as required.

6.3.2 Determine the conditions under which CSE is requested to perform these reviews.

6.3.3 Determine whether an action plan and schedule have been developed to implement the recommendations of each CSE review.

6.3.4 Determine whether CSE recommendations have been implemented, and whether regular progress reports are provided to CSE. Determine what actions management intends to take before recommendations are fully implemented.

Criterion 6.4 For contracts containing ITS requirements, the department arranges ITS reviews by the RCMP (when the department is the contracting authority) or by PWGSC (when it is the contracting authority).

Detailed Criteria/Audit Procedures:

6.4.1 Review several recent contracts containing security requirements (refer to Chapter 2-5). Ensure that a security requirements checklist (SRCL) was raised to cover the requirements. For those discovered to have SRCLs attached and found to contain ITS requirements, determine whether the RCMP was requested to conduct an ITS review.

For those contracts containing ITS requirements where Public Works and Government Services Canada (PWGSC) is the contracting authority, determine whether the RCMP was requested by PWGSC to conduct an ITS review.

6.4.2 Determine whether all RCMP recommendations were implemented by the contractor.

6.4.3 Determine the extent to which re-inspections are requested when the contract substantively changes, requiring substantive changes in the use of IT.

Criterion 6.5 Other groups conduct program self-assessments.

Detailed Criteria/Audit Procedures:

6.5.1 Determine the extent to which other groups, such as management or the security organization(s) itself, conduct pro-active self-assessments or security reviews.

Personnel Security

Objective #7

Ensure that personnel having access to Information Technology systems/networks/applications that process, transmit or store sensitive information, are appropriately screened before being given access and are aware of their security related responsibilities.

Criterion 7.1 Statements of Sensitivity and Modes of Operation documents (which define the security parameters under which the system operates) exist for systems, networks and applications.

Detailed Criteria/Audit Procedures:

7.1.1 Select and review the documentation for several systems of varying size and complexity. Determine whether current statements of sensitivity and modes of operation documents exist.

7.1.2 Determine whether the statements of sensitivity contain adequate confidentiality-related information so as to allow system managers to determine the general personnel screening requirements for access and access privileges.

7.1.3 Determine whether the modes of operation documents contain adequate and specific confidentiality-related information and personnel screening requirements.

Criterion 7.2 Personnel are screened before being given access to systems/networks/applications processing sensitive information.

Detailed Criteria/Audit Procedures:

7.2.1 Determine whether policies and procedures are in place which require that personnel have their status or clearance verified by the Department Security Officer (DSO) before being granted access to sensitive systems, networks or applications.

7.2.2 Interview end-users and managers to determine their personnel screening status or clearance. Verify them with the DSO's assistance. Compare the verified status or clearance against the position screening requirement and the system, network or application mode of operation screening requirements.

Criterion 7.3 System access rights are revoked for personnel when they leave the organization or when they lose their status or clearance.

Detailed Criteria/Audit Procedures:

7.3.1 Determine whether policies and procedures are in place which require that personnel have their system access privileges revoked for particular events including leaving the organization or losing their status or clearance.

7.3.2 Using a sample of cases where system access rights were revoked, determine whether system access removal procedures were followed.
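Procedures 3.1.1 and 7.3.1 ask whether privileges are withdrawn on departure or loss of status or clearance, and 7.3.2 asks for a sample of revocation cases to be checked. The following is an added example, not part of the audit guide, of the reconciliation an auditor can run over such a sample: it joins personnel events against an account listing and reports accounts still enabled or disabled later than the procedure allows. The events, accounts, the `MAX_REVOCATION_DELAY_DAYS` limit and the event labels are constructed assumptions for this example.

```python
"""Access-revocation reconciliation for Criteria 3.1 and 7.3 (added example, not from the guide)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Assumption for this example: the departmental procedure requires revocation within one day.
MAX_REVOCATION_DELAY_DAYS = 1
# Constructed labels for the two events named in 7.3.1.
TRIGGERING_EVENTS = {"departure", "clearance_lost"}


@dataclass(frozen=True)
class PersonnelEvent:
    user_id: str
    event: str
    event_date: date


@dataclass(frozen=True)
class Account:
    user_id: str
    system: str
    enabled: bool
    disabled_on: Optional[date]   # None when the account was never disabled


@dataclass(frozen=True)
class Finding:
    user_id: str
    system: str
    event: str
    problem: str                  # "still_enabled" or "late_revocation"
    days_late: Optional[int]      # set only for late_revocation


def earliest_trigger(events: List[PersonnelEvent]) -> Dict[str, PersonnelEvent]:
    """Per user, the earliest triggering event; the revocation clock runs from that date."""
    first: Dict[str, PersonnelEvent] = {}
    for ev in events:
        if ev.event not in TRIGGERING_EVENTS:
            continue
        cur = first.get(ev.user_id)
        if cur is None or ev.event_date < cur.event_date:
            first[ev.user_id] = ev
    return first


def find_revocation_exceptions(events: List[PersonnelEvent], accounts: List[Account],
                               max_delay_days: int = MAX_REVOCATION_DELAY_DAYS) -> List[Finding]:
    """Accounts whose owner had a triggering event but whose access was not withdrawn in time."""
    triggers = earliest_trigger(events)
    findings: List[Finding] = []
    for acct in accounts:
        ev = triggers.get(acct.user_id)
        if ev is None:
            continue   # no triggering event on record: outside the scope of this check
        # An enabled account (even one with an old disable date, i.e. re-enabled) is an exception.
        if acct.enabled or acct.disabled_on is None:
            findings.append(Finding(acct.user_id, acct.system, ev.event, "still_enabled", None))
            continue
        delay = (acct.disabled_on - ev.event_date).days
        if delay > max_delay_days:
            findings.append(Finding(acct.user_id, acct.system, ev.event, "late_revocation", delay))
    return findings


def in_scope_accounts(events: List[PersonnelEvent], accounts: List[Account]) -> int:
    """Number of accounts belonging to someone with a triggering event (the 7.3.2 sample size)."""
    triggers = earliest_trigger(events)
    return sum(1 for a in accounts if a.user_id in triggers)


# Constructed sample records; not real personnel or systems.
SAMPLE_EVENTS = [
    PersonnelEvent("alice", "departure", date(1994, 3, 15)),
    PersonnelEvent("bob", "clearance_lost", date(1994, 4, 1)),
    PersonnelEvent("carol", "departure", date(1994, 5, 10)),
    PersonnelEvent("carol", "clearance_lost", date(1994, 5, 20)),  # later event; the earliest governs
    PersonnelEvent("erin", "transfer", date(1994, 5, 1)),          # not a triggering event
]
SAMPLE_ACCOUNTS = [
    Account("alice", "MAINFRAME", False, date(1994, 3, 15)),   # revoked the same day
    Account("alice", "LAN", True, None),                       # still enabled after departure
    Account("bob", "MAINFRAME", False, date(1994, 4, 20)),     # revoked 19 days after clearance lost
    Account("carol", "LAN", False, date(1994, 5, 11)),         # within the one-day limit
    Account("dave", "LAN", True, None),                        # no event on record: not in scope
    Account("erin", "LAN", True, None),                        # transfer only: not in scope
]

if __name__ == "__main__":
    print(f"accounts in scope: {in_scope_accounts(SAMPLE_EVENTS, SAMPLE_ACCOUNTS)}")
    for f in find_revocation_exceptions(SAMPLE_EVENTS, SAMPLE_ACCOUNTS):
        print(f)
```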

Criterion 7.4 ITS training programs are prepared and given to departmental personnel involved in the application and maintenance of ITS.

Detailed Criteria/Audit Procedures:

7.4.1 Determine whether ITS personnel have been included in broader departmental training on the security policy and its application.

7.4.2 Determine whether ITS personnel are provided with regular training on current information technology changes and trends, and on ITS as it applies to these.

7.4.3 Determine whether these training programs met the requirements of the jobs and the needs of the organization.

Criterion 7.5 ITS security training and awareness programs are prepared and given to personnel involved in using and managing IT.

Detailed Criteria/Audit Procedures:

7.5.1 Determine whether the ITS Coordinator has developed a formal plan and schedule for ITS training for the department.

7.5.2 Interview end-users and managers of information technology to determine their knowledge and understanding of ITS. Determine the extent to which these personnel have received ITS training or awareness material. Determine the extent to which these personnel understand their individual responsibilities.

7.5.3 Determine whether these training programs met the requirements of the jobs and the needs of the organization.

Physical Security

Objective #8

Ensure that Information Technology is developed and maintained with consideration given to its physical and environmental security requirements.

Criterion 8.1 Facilities and accommodations are designed with consideration given to the physical and environmental ITS requirements.

Detailed Criteria/Audit Procedures:

8.1.1 From the unit responsible for accommodations management, gather several recent facilities design, renovation or relocation files for review.

8.1.2 Determine whether security site briefs and design briefs were developed. Determine the extent to which ITS was considered in the briefs.

8.1.3 Determine whether the ITS Coordinator was consulted on the physical design requirements for spaces containing information technology.

8.1.4 Determine whether a budget was allocated for security requirements and more specifically for ITS requirements. Determine the extent to which the budget was based on minimum requirements and threat and risk assessment results. Determine whether the responsibility centre manager made security cost decisions based on the risk assessment.

8.1.5 Determine whether cost-efficiency strategies were investigated such as when costly, physical security requirements are replaced by less costly logical security safeguards (and vice-versa).

8.1.6 Determine whether consideration was given to the physical and environmental security requirements, especially with respect to the security zone requirements and environmental safeguards contained in Chapter 2-2 and within TSSIT. Determine whether the Fire Protection Standards for Electronic Data Processing were taken into consideration.

Criterion 8.2 IT is designed with adequate consideration being given to its physical and environmental security requirements.

Detailed Criteria/Audit Procedures:

8.2.1 Determine the extent to which IT requirements and architecture (or profile), as identified in Criterion 2.1, contain adequate information with respect to physical and environmental security safeguards.

8.2.2 Determine whether departmental physical security specialists are consulted by the ITS Coordinator when determining physical and environmental security architecture.

Hardware Security

Objective #9

Ensure that Information Technology is developed and maintained with consideration given to its hardware security requirements.

Criterion 9.1 Policies, practices, and procedures for IT hardware security are in place.

Detailed Criteria/Audit Procedures:

9.1.1 Examine the organization's security policies, practices and procedures documentation to determine if it adequately addresses hardware security. As a minimum, the organization's policies, practices and procedures should address:

  • proper placement and installation of information technology equipment to reduce the effects of interference due to electromagnetic emanations
  • maintenance of an inventory and configuration chart of hardware
  • identification and use of security features implemented within hardware
  • authorization, documentation, and control of change to the hardware
  • identification of support facilities including power and air conditioning
  • provision of uninterruptable power supplies and
  • maintenance of IT equipment and services.

9.1.2 Determine whether these policies, practices and procedures contain adequate information to allow key personnel to carry out their ITS-related duties.

9.1.3 Determine whether the policies encourage the efficient use of ITS equipment.

Criterion 9.2 Hardware security features are set appropriately.

Detailed Criteria/Audit Procedures:

9.2.1 From the list of all operational information technology systems, networks and applications, found in Criterion 2.1, review several of varying size and complexity.

9.2.2 From the information technology documentation, determine the hardware security settings. Determine whether system managers reviewed all default settings upon system initialization.

9.2.3 Determine the basis for which hardware security settings are reviewed.

Criterion 9.3 Access control for remote hardware diagnosis is managed appropriately.

Detailed Criteria/Audit Procedures:

9.3.1 For the selected IT systems under review, determine the conditions under which remote hardware diagnosis is permitted. Determine the extent to which the security practices and procedures are adequate.

9.3.2 Determine whether authorized remote diagnostic technicians have the appropriate security screening status or clearance.

Criterion 9.4 Configuration management of hardware is adequately controlled and managed appropriately.

Detailed Criteria/Audit Procedures:

9.4.1 Verify whether changes to the hardware configuration are duly authorized prior to implementation.

9.4.2 Determine if a current hardware configuration chart including all hardware and communications equipment is maintained.

Software Security

Objective #10

Ensure that Information Technology is developed and maintained with consideration given to its software security requirements.

Criterion 10.1 Policies, practices and procedures for software security are in place.

Detailed Criteria/Audit Procedures:

10.1.1 Examine the departmental security policies, practices and procedures to determine if they adequately address software security. As a minimum, the policies, practices and procedures should address:

  • administrative controls including segregating the duties of IT staff, keeping inventory and reviewing security
  • development life cycle standards including design, development and test standards, change control and problem resolution
  • quality assurance
  • management of configuration
  • identification and authentication
  • isolation, encryption and access control
  • audit controls and surveillance
  • virus scanning.

10.1.2 Determine whether these policies, practices and procedures contain adequate information to allow key personnel to carry out their ITS-related duties.

Criterion 10.2 Privileged and powerful software is appropriately controlled.

Detailed Criteria/Audit Procedures:

10.2.1 For the selected information technology systems under review, determine the conditions under which privileged and powerful software is authorized for use. Determine the extent to which safeguards against the abuse of this software are used, including inventory control, physical access control, logical access control, the establishment of resource limits and the use of monitoring mechanisms.

Communications Security

Objective #11

Ensure that Information Technology is developed and maintained with consideration given to its general communications security requirements.

Criterion 11.1 Policies, practices and procedures for general communications security are in place.

Detailed Criteria/Audit Procedures:

11.1.1 Examine the departmental security policies, practices and procedures to determine if they address communications security. As a minimum, the policies, practices and procedures need to address:

  • the mandatory use of encryption methods or other measures endorsed or approved by CSE to protect electronic communications that transmit classified or extremely sensitive, designated information and
  • the use of cryptography to protect low-sensitive and particularly sensitive, designated information communicated electronically, when supported by a threat risk assessment.

Criterion 11.2 Information Technology development projects consider the requirements for communications security and utilize it where appropriate.

Detailed Criteria/Audit Procedures:

11.2.1 Obtain a list of current Information Technology services such as telephone networks, integrated voice-mail services, video-conferencing, cellular and paging services, and facsimile services. Select several of varying size and complexity.

11.2.2 Interview the responsibility centre manager(s). Determine whether the manager(s) considered the need for security; more specifically the need for communications security.

11.2.3 Determine whether the ITS Coordinator and/or the COMSEC authority was consulted for communications security requirements.

11.2.4 Review the statements of sensitivity for the Information Technology confidentiality, integrity and availability requirements.

11.2.5 For electronic transmissions containing classified or extremely sensitive, designated information, determine whether endorsed or approved cryptography, or other CSE approved methods are used.

11.2.6 For low-sensitive, or particularly sensitive, designated information, transmitted without approved cryptography, determine whether this method is supported by an adequate threat and risk assessment. Verify that the threat risk assessment is signed by the appropriate manager and either by the ITS Coordinator or COMSEC authority.

Objective #12

Ensure that networks and network applications are developed and maintained with consideration given to their security requirements.

Criterion 12.1 Policies, practices and procedures for network security are in place.

Detailed Criteria/Audit Procedures:

12.1.1 Examine the organization's security policies, practices and procedures to determine if they address network security. As a minimum, the policies, practices and procedures should address:

  • ensuring that policy and standard requirements for protecting sensitive information in networks and for sensitive network assets are applied
  • maintaining network configuration charts and inventories
  • ensuring networks are certified and accredited
  • obtaining the prior authorization of the ITS Coordinator for all changes to the network configuration and documenting these changes
  • reviewing threat and risk assessments and network certification and accreditation after changes to the configuration
  • monitoring network operations for security irregularities and
  • identifying a formal approach for resolving security problems.

Criterion 12.2 IT networks and network applications consider the requirements for network security and use related safeguards where appropriate.

Detailed Criteria/Audit Procedures:

12.2.1 Acquire a list of Information Technology services such as those related to message handling, electronic data interchange, electronic funds transfer and wide-area data transfer.

12.2.2 Interview the service responsibility centre manager(s). Determine whether the manager(s) considered the need for security.

12.2.3 Determine whether the ITS Coordinator or the COMSEC authority was consulted for network security requirements.

12.2.4 Review the statements of sensitivity for the network confidentiality, integrity and availability requirements.

12.2.5 Obtain a list of standards upon which the network service is established. Determine whether the security profiles of each applicable standard were considered and applied.

12.2.6 Determine whether classified and extremely sensitive designated information is protected by approved cryptography.

12.2.7 Where approved cryptography is not being used to protect lower sensitive designated information, determine whether this is based on the results of a threat risk assessment.

12.2.8 For departments using value-added networks in their electronic commerce services, determine whether the confidentiality, integrity and availability security requirements were included in the value added network service contract.

12.2.9 In cases where the private sector provides network services, determine whether security requirements were considered in contracting those services and attached to the contract in a security requirement check list.

12.2.10 Where network services involve more than one department (for example, for message handling) determine whether the departments worked cooperatively on security requirements for best effectiveness, efficiency and economy.

Objective #13

Ensure that Information Technology is developed and maintained with consideration given to electronic authorization and authentication (EAA) security requirements.

Criterion 13.1 In responding to the need for transaction or document authorization and authentication, or digital signatures, information technology systems consider the requirement for EAA security and utilize related safeguards where appropriate.

Detailed Criteria/Audit Procedures:

13.1.1 Based on the sensitivity of the information processed by the application and the degree of accuracy of user identification and authentication required, determine whether electronic authorization and authentication procedures should be implemented.

13.1.2 For systems using digital signatures, public-key cryptography and key management systems, determine whether the cryptography and key management structures are endorsed or approved by CSE.

13.1.3 For applications using digital signatures and also using cryptography for data confidentiality protection, determine whether the two requirements were considered together when being designed.

Objective #14

Ensure that Information Technology is developed and maintained with consideration given to emanations security requirements.

Criterion 14.1 Information Technology systems, especially those processing, transmitting or storing top secret or extremely sensitive designated information, are/were developed and maintained with consideration being given to the requirement for emanations security.

Detailed Criteria/Audit Procedures:

14.1.1 Obtain a list of current Information Technology systems. Examine several which process, transmit and/or store top secret or extremely sensitive designated information.

Interview the responsibility centre manager(s). Determine whether the manager(s) considered the need for emanations security. Where TEMPEST safeguards are in place, determine whether they were based on the results of a threat risk assessment.

14.1.2 Determine whether the ITS Coordinator, COMSEC authority or CSE were consulted for emanations security requirements.

14.1.3 For other systems processing, transmitting or storing low-sensitive designated, particularly sensitive designated, confidential or secret information, determine whether each application's method is supported by an adequate threat and risk assessment. Verify the threat risk assessment was signed by the responsibility manager and by the ITS Coordinator or COMSEC authority.

Operations Security

Objective #15

Ensure that Information Technology Security operations are in place and meet the needs of the department.

Criterion 15.1 Policies and procedures for ITS are in place.

Detailed Criteria/Audit Procedures:

15.1.1 Examine the departmental security policies and practices documentation to determine if they adequately address the requirement for Information Technology responsibility centres to develop ITS security procedures. As a minimum, the following procedures should be developed:

  • dayhes.

15.1.2 For the selected Information Technology system environments under review, determine whether these procedures are developed.

15.1.3 Determine whether personnel have been appropriately trained on the use of the procedures.

15.1.4 Determine the extent to which these procedures are followed.

List of Authorities and References

Relevant Legislation

Access to Information Act
Canada Labour Code
Canadian Security Intelligence Service Act
Criminal Code
Criminal Records Act
Financial Administration Act
Interpretation Act
Official Secrets Act
Privacy Act
Public Service Employment Act
Public Service Staff Relations Act
Public Service Reform Act
Queen's Regulations and Orders
Young Offender's Act


Policy & Standards

  • Government Security - 1st Tier Policy & 2nd Tier Operational Standards

Security Volume, 1994, Treasury Board Manual.

  • Government Security - 3rd Tier Technical Standards

Canadian Trusted Computer Product Evaluation Criteria, Version 3.0 (NITSM 8/93 and CID 09/19), CSE, 1993

Controlled Cryptographic Items Manual (CID/01/08), CSE, March 1992

Guide to Security Risk Management in Information Technology Systems (draft), CSE, 1994

Certification and Accreditation (draft), CSE, 1994.

INFOSEC Materiel Control Manual (CID/01/10), (draft), CSE, September 1991

Trusted Systems Environment Guideline (CID/09/17), CSE, December 1992

Guide to Threat and Risk Assessment for Information Technology (SIP 5), (draft), RCMP, June 1994

A Security Guide for the Electronic Office Environment (SIP 4), RCMP, October 1992

Technical Security Standards for Information Technology (draft), RCMP, 1994


Treasury Board - Information Technology Related

Computers and Personal Information - Guidance for Systems Planners, Treasury Board Secretariat, 1993

Electronic Authorization and Authentication, Chapter 3-2, "Financial Management" volume, Treasury Board Manual

Electronic Data Interchange (EDI), (TBITS-10), "Information Management" volume, Treasury Board Manual

Government of Canada Implementation Guideline for Electronic Data Interchange (TBITS 10-1), "Information Management" volume, Treasury Board Manual

Guide to Open Systems Security, Treasury Board Secretariat, November, 1993

Managing Your Computer Directories and Files, National Archives of Canada and Treasury Board of Canada, 1993

Profile for Message Handling Service (TBITS 6.4), "Information Management" volume, Treasury Board Manual

Security Profile (COSAC), Treasury Board Information Technology Standard (TBITS 6.6), "Information Management" volume, Treasury Board Manual

Summary of Approved Treasury Board Information Technology Standards, Treasury Board Secretariat, September, 1992

Losses of Money and offences and Illegal Acts Against The Crown, Financial Management Volume, Treasury Board Manual, 1992.

Fire Protection Standards for Electronic Data Processing, Chapter 12, Volume 7, Personnel Management Manual.


Audit Guides

Audit Guide to Risk Management, Evaluation, Audit and Review Group (EARG), Treasury Board Secretariat, November 1994.

Guide To The Audit Of Systems Under Development (Series 500, Guide 507), Working Draft, Office Of The Comptroller General, March, 1991.

Guide To The Audit Of End-User Computing (Series 500, Guide 508), Working Draft, Office Of The Comptroller General, March, 1991.

Guide To The Audit Of Contingency And Disaster Recovery Planning (Series 500, Guide 509), Working Draft, Office Of The Comptroller General, March, 1991.

Guide To The Audit Of Security (Series 400, Guide 406), Exposure Draft, Office Of The Comptroller General, June 1990.

Guide To An Audit of the Management Process (Series 100, Guide 102), Office Of The Comptroller General, February, 1987.

Audit Guides - Auditing EDP: Planning of the EDP Audit, Office Of The Auditor General, 1983.


Government ITS - Information Related Publications

  • CSE

National Information Technology Security Memorandum (NITSM)

COMSEC Technical Information Bulletin (CTIB)

Infosec Newsletter

  • RCMP

ITS Bulletins

  • TBS - Information, Communication & Security Policy Division

Security Policy Implementation Notices (SPINS) - (Regularly related to ITS issues)


Government Information Technology Security Committees

Communications-Electronic Security Committee (CSC)

Meets: Once per month
Chair: CSE
Membership: Departments with major COMSEC accounts: CSE, RCMP, DND, PWGSC, CSIS, CC, HRD, FAIT, PCO, TC.
Role: Provides strategic direction to participating departments on the management of COMSEC material and systems.

Information Technology Security Committee (ITSC)

Meets: Once per month
Co-Chairs: Rotates between RCMP and CSE
Membership: RCMP, CSE, TBS, TC, SC, CSIS, IC, HC, DND, HRD, EC, FAIT, PWGSC, RC.
Role: Advises RCMP & CSE on ITS issues. Recommends and keeps under review the GSP and ITS operational standard. Acts as a forum for ITS information exchange. Fosters ITS cooperation among departments. Communicates and coordinates with other committees on matters of mutual interest.

Suggested Table of Contents for ITS Audit Report

(Document Security Classification)

Notice to the reader

(Inside Front Cover)

Foreword

1.0 Executive summary

1.1 Purpose

1.2 Objectives

1.3 Scope

1.4 Major Observations

1.5 Overall Assessment

  • GSP Compliance Statement
  • GSP Implementation Efficiency Statement
  • GSP Implementation Effectiveness Statement

1.6 Major Recommendations

2.0 Introduction

2.1 Background/Purpose

2.2 Objectives

2.3 Scope

  • Organizations Audited
  • Business Functions Audited
  • Locations
  • Areas of Security Policy Covered

2.4 Approach and Methodology

2.5 Audit Team

2.6 Coverage Period

2.7 Acknowledgments

3.0 Findings and recommendations

3.1 Organizing & Administering ITS

3.2 ITS and Personnel Security

3.3 ITS and Physical Security

3.4 ITS

3.4.1 Hardware Security

3.4.2 Software Security

3.4.3 Communications Security

Operations Security

(Management response(s) for each finding)

Appendix A: Organization Chart

Appendix B: Security Budget

Appendix C: ITS Security Function vs. Security Responsibility Matrix

Appendix D: Summary of Past Reviews, Audits and SEIT Inspections

Notice to the reader

You may find it helpful to contact the head of the department/agency audit unit responsible for this report to obtain further information concerning the audit findings, scope, recommendations, or actions taken since the audit.

Notice to readers

You may obtain further information concerning the findings, recommendations and actions taken since the audit by contacting the head of audit of the department or agency responsible for this report.

Glossary

Access badge (insigne d'accès) - document issued by a department to indicate the zone or facility to which the bearer has authorized access.

Accreditation (accréditation) - approval by the responsible manager for an information technology system to operate using a particular set of safeguards.

Availability (disponibilité) - the condition of being usable on demand to support business functions.

Basic reliability check (vérification de base de la fiabilité) - an assessment to determine the trustworthiness of individuals; condition for being granted basic reliability status.

Basic reliability status (cote de fiabilité de base) - the minimum type of personnel screening; allows access to non-sensitive information and assets only.

Breach of security (infraction à la sécurité) - when any sensitive information and assets have been compromised. Without restricting its scope, a breach may include compromise in circumstances that make it probable that a breach has occurred.

Business hours (heures d'ouverture) - posted hours when reception zones are open to the public, and when an authorized person or visitor may access the controlled area.

Business resumption planning (planification de reprise des opérations) - the process of developing a plan to restore business operations in the event of an interruption.

Certification (certification) - an examination by qualified personnel of an information technology system's implemented security safeguards against the system's security requirements.

Circuits, approved (circuits approuvés) - telecommunication links approved by CSE into which electromagnetic and physical safeguards have been incorporated to permit secure transmission of unencrypted sensitive information.

Classification and designation guide (guide de classification et désignation) - a corporate document, approved by the deputy head of a department or head of agency, that shows the various types of information that must be either classified or designated.

Classified assets (biens classifiés) - assets, other than information, that are important to the national interest and therefore warrant safeguarding.

Classified information (renseignement classifié) - information related to the national interest that may qualify for an exemption or exclusion under the Access to Information Act or Privacy Act and the compromise of which would reasonably be expected to cause injury to the national interest.

Compromise (atteinte à l'intégrité) - unauthorized disclosure, destruction, removal, modification or interruption.

Compromising emanations (signaux de valeur) - unintentionally radiated intelligence-bearing signals that, if intercepted and analyzed, disclose sensitive information emanating from any information processing system or equipment.

COMSEC (COMSEC) - protection resulting from applying cryptographic, transmission and emission security measures to telecommunication emissions, and information handling equipment, and from applying other measures appropriate to COMSEC information and material. COMSEC also includes the instruction required to effect this protection. These measures are designed to prevent compromise of information stored, transmitted or processed on an information technology system. COMSEC is also designed to ensure the authenticity of telecommunications.

Confidential (confidentiel) - level of classification that applies to information and assets when compromise could reasonably be expected to cause injury to the national interest; in capital letters, a mark to indicate level of sensitivity.

Confidentiality (confidentialité) - the sensitivity of information or assets to unauthorized disclosure, recorded as classification or designation, each of which implies a degree of injury should unauthorized disclosure occur.

Consequence (conséquence) - outcome, effect; used synonymously with impact.

Container (coffre) - any enclosure, including a cabinet or a room, for the storage of information and assets.

Contingency planning (planification des cas d'urgence) - the process of developing a plan to restore information technology operations in the event of a disruption.

Contracting process (Processus de passation des marchés) - includes bidding, negotiating, awarding, performance and termination of contracts.

Controlled area (endroit contrôlé) - an area comprised of any combination of the three restricted zones.

Controlled cryptographic item (CCI) (pièce d'équipement de cryptographie contrôlée) - secure telecommunications or information handling equipment, or associated cryptographic component or ancillary device that is unclassified when unkeyed (or when keyed with an unclassified key) but controlled through an accounting system.

Cryptographic (cryptographique) - of, pertaining to, or concerned with cryptography.

Cryptography (cryptographie) - the discipline that treats the principles, means, and methods for making plain information unintelligible. It also means reconverting the unintelligible information into intelligible form.

Cryptography, approved (cryptographie approuvée) - cryptography that has been endorsed by allied nations such as the United States and is proposed for use in specific, documented departmental applications. Approval for use of this cryptography is obtained from CSE.

Cryptography, endorsed (cryptographique homologuée) - cryptography that has been evaluated by CSE and considered to meet accepted criteria. This includes hardware, software and firmware implementations of cryptographic algorithms.

Custodian departments (ministères gardiens) - departments having responsibility for the administration of a facility assigned to other departments for the conduct of government programs.

Data (données) - a representation of facts, concepts or instructions arranged in a formalized manner suitable for telecommunications, interpretation, or processing by humans or by automated means.

Declassification (déclassification) - the decision, recorded in writing, of the originator of classified information or another officer authorized by the deputy head or head of agency, to remove the classified status of information.

Defence of Canada or any state allied or associated with Canada (défense du Canada ou de tout État allié ou associé) - includes the efforts of Canada and of foreign states to detect, prevent or suppress activities of any foreign state directed toward actual or potential attack or other acts of aggression against Canada or any state allied or associated with Canada.

Department (ministère) - any federal institution subject to the Security policy.

Departmental security officer (agent de sécurité du ministère) - the individual responsible for developing, implementing, maintaining, coordinating and monitoring a departmental security program consistent with the Security policy and standards.

Designated assets (biens désignés) - assets, other than information, that have been identified by the department as being important to operations by virtue of the function performed, or as being valuable and therefore warranting safeguarding; for example, cash and other negotiables; and information technology systems that require protection to ensure the confidentiality, integrity and availability of the information stored in them.

Designated information (renseignements désignés) - information related to other than the national interest that may qualify for an exemption or exclusion under the Access to Information Act or Privacy Act.

Designation guide (guide de désignation) - see classification and designation guide.

Digital signature (signature numérique) - a cryptographic transformation of data which, when appended to a data unit, provides the services of origin authentication, data integrity, and signer non-repudiation.

Downgrading (déclassement) - the decision, recorded in writing, of the originator of sensitive information or another officer authorized by the deputy head or head of agency, to lower the classification level of information or remove the designated status.

Electronic authorization and authentication (autorisation et authentification électroniques) - an electronic means of identifying and verifying the rights or authorities of a legitimate user of a network application (authorization), and of identifying and verifying legitimate application users and devices (authentication).

Emanation security (sécurité des signaux de valeur) - the discipline of reducing electromagnetic interference between information technology and telecommunications equipment, as well as reducing unintentional electromagnetically radiated signals, that, when intercepted, divulge sensitive information.

Encryption (cryptage) - the transformation of readable data into an unreadable stream of characters using a reversible coding process.

Enhanced reliability check (vérification approfondie de la fiabilité) - an assessment to determine an individual's trustworthiness; condition for enhanced reliability status.

Enhanced reliability status (cote de fiabilité approfondie) - the type of personnel screening that, with a need to know, is required for access to designated information and assets.

Extremely sensitive, designated information (renseignements désignés de nature extrêmement délicate) - a sub-set of designated information that could reasonably be presumed to cause extremely serious injury, such as loss of life, if compromised; may be marked PROTECTED C.

Facility (installation) - a physical setting used to serve a specific purpose. A facility may be part of a building, a whole building, or a building plus its site; or it may be a construction that is not a building. The term encompasses both the physical object and its use.

For cause (avec motif) - a determination, based on available information, of whether a greater degree of screening is required. This may be determined by the department or the investigative agency in individual cases, or jointly for a particular group or category.

Identification card (carte d'identité) - document issued by a department to identify the bearer as an employee of that department.

Information holdings (Renseignements détenus) - all information under the control of a department, regardless of physical mode or medium in which the information is stored. Materials held by federal libraries that were not prepared or produced by or for the governments are excluded from this definition.

Information technology (technologies de l'information) - the scientific, technological and engineering disciplines and the management practices used in electronic information handling, communication and processing; the fields of electronic data processing, telecommunications, electronic networks, and their convergence in systems; applications and associated software and equipment together with their interaction with humans and machines.

Information technology security (sécurité des technologies de l'information) - the protection resulting from an integrated set of safeguards designed to ensure the confidentiality of information electronically stored, processed or transmitted; the integrity of the information and related processes; and the availability of systems and services.

Integrity (intégrité) - the accuracy and completeness of information and assets and the authenticity of transactions.

Interruption (interruption) - the non-availability of information, assets, systems, or services. Interruption can be accidental or deliberate.

Lead agency (organisme conseil) - an agency with government-wide responsibilities related to the Security policy, as defined in the Security policy.

Limited-access hours (heures d'accès limité) - periods outside business hours, when access to the reception zones and controlled area is limited to authorized persons, usually employees, and by exception to authorized visitors.

Low-sensitive, designated information (renseignement désigné de nature peu délicate) - a sub-set of designated information that could reasonably be presumed to cause injury if compromised; may be marked PROTECTED A.

Modification (modification) - the alteration of information, data, software or ITS equipment. Modification can be accidental or deliberate.

Monitor (surveiller) - to ensure that information and assets, or the safeguards protecting them, are checked by the personnel in control of the information or assets, security staff or electronic means with sufficient regularity to satisfy the threat and risk assessment.

National interest (intérêt national) - concerns the defence and maintenance of the social, political and economic stability of Canada.

Need-to-access principle (principe d'accès sélectif) - limiting access to a specific area to those who need to work there.

Need-to-know principle (principe de connaissance sélective) - limiting access to information to those whose duties require such access.

Network security (sécurité des réseaux) - the protection of electronic networks and their services, and the assurance that the network performs its functions correctly and when needed.

Open-office area (bureau à aires ouvertes) - an office comprised of many work stations not separated by doors and walls.

Operations environment (environnement de travail) - an area that is under the control of computer operations personnel.

Particularly sensitive, designated information (renseignements désignés de nature particulièrement délicate) - a sub-set of designated information that could reasonably be expected to cause serious injury if compromised; may be marked PROTECTED B. See article 5.4 of Chapter 2-1 for a partial list of possible personal information that may qualify to be designated as particularly sensitive.

Personal information (renseignements personnels) - any form of recorded information about an identifiable individual. See Section 3 of the Privacy Act for examples. The Act also includes some exceptions to the definition. Personal information, a subset of other sensitive information, deserves enhanced protection and may carry the marking "PROTECTED personal information".

Physical security (sécurité matérielle) - protection, detection and response mechanisms used in the physical environment to control access to sensitive information and assets.

Privileged and powerful software (logiciel privilégié et puissant) - software capable of bypassing, over-riding or altering controls.

PROTECTED (PROTÉGÉ) - the marking that shows that the information qualifies as designated information and requires more than basic protection.

Removal (suppression) - loss of information or assets. Loss can be accidental, as when information is discarded with waste, or deliberate as in theft.

Risk (risque) - (i) chance of vulnerabilities being exploited; (ii) uncertainty.

Risk assessment (évaluation des risques) - an evaluation, based on the effectiveness of existing or proposed security safeguards, of the chance of vulnerabilities being exploited.

Sanitization (démarquation) - (i) altering or erasing recorded sensitive information to prevent unauthorized disclosure; (ii) altering SIGINT to permit wider dissemination.

Secret (secret) - level of classification that applies to information or assets when compromise could reasonably be expected to cause serious injury to the national interest.

Secure perimeter (périmètre de sécurité) - continuous physical barriers that can reasonably be expected to counter identified threats.

Security assessment (évaluation sécuritaire) - an appraisal of loyalty to Canada and, so far as it is related thereto, the reliability of an individual; condition for a security clearance.

Security clearance (cote de sécurité) - the type of personnel screening that, with a need to know, is required for access to classified information and assets.

Security equipment (équipement de sécurité) - equipment that has been evaluated or tested against standards developed by the lead agency. The Security Equipment Guide lists security equipment for use in the government of Canada.

Security guard (garde de sécurité) - person whose primary duties involve the protection of information and assets.

Security standard (normes de sécurité) - level of attainment regarded as a measure of adequacy; security requirements and guidelines approved for government-wide use. (Operational standards form part of the Treasury Board Manual; technical standards are produced by the lead security agencies).

Sensitive asset (Bien de nature délicate) - classified or designated asset.

Sensitive discussion area (SDA) (aire insonorisée) - specially designed and managed area to prevent the overhearing, by electronic or other methods, of discussions on classified and designated information.

Sensitive information (renseignement de nature délicate) - classified or designated information.

Service spaces (endroits de service) - areas such as cloakrooms, toilets, cafeterias, circulation routes, registries, as well as building service areas such as telephone, electrical and janitorial closets.

Signals intelligence (SIGINT) (renseignement électromagnétique) - term given to information gathered about foreign countries by intercepting and studying their radio, wire, radar and other electronic transmissions.

Site-access security clearance (cote de sécurité donnant accès aux sites) - type of personnel screening required in limited and specific circumstances when duties of individuals require access to only sensitive government-related sites or facilities, usually for a short time, and not to information.

Sponsoring department (ministère tuteur) - a department that makes submissions to Treasury Board for approval of project objectives and expenditure authority, and that is responsible for managing the project.

Statement of sensitivity (énoncés de la nature délicate) - a description of the confidentiality, integrity or availability requirements associated with the information or assets stored or processed in or transmitted by an information technology system.

Telecommunications (télécommunications) - as defined in the Interpretation Act, Chapter I-21 of the Revised Statutes of Canada, any transmission, emission or reception of signs, signals, writing, images, sounds or intelligence of any nature by wire, radio, visual, or other electromagnetic systems. This includes telephone, telegraph, teletype, facsimile, data transmissions, closed circuit television and remote dictation systems.

TEMPEST (TEMPEST) - the discipline that deals with the suppression of unintentionally radiated or conducted electromagnetic signals that divulge information.

Threat (menace) - any potential event or act that could cause one or more of the following to occur: unauthorized disclosure, destruction, removal, modification or interruption of sensitive information, assets or services, or injury to people. A threat may be deliberate or accidental.

Threat assessment (évaluation de la menace) - an evaluation of the nature, likelihood and consequence of acts or events that could place sensitive information and assets at risk.

Top secret (très secret) - level of classification that applies to information or assets when compromise could reasonably be expected to cause exceptionally grave injury to the national interest.

Trusted product (produit éprouvé) - component of an information technology system that has been evaluated against specific criteria.

Trusted system (système éprouvé) - information technology system with an objective basis for the degree of confidence and assurance a user may have in the security provided by technical means.

Value (valeur) - estimated worth.

Violation of security (manquement à la sécurité) - any act or omission that contravenes any provision of the Security policy. Such acts may include failure to classify or designate information in accordance with the policy; classification or designation, or continuation of same, in violation of the policy; unauthorized modification, retention, destruction or removal of sensitive information; and unauthorized interruption of the flow of sensitive information.

Vulnerability (vulnérabilité) - (i) an inadequacy related to security that could permit a threat to cause harm; (ii) an inherent weakness in information technology that makes it.

Committees & Standards

Standards

Government policy promotes the development, distribution and use of IT standards to acquire, manage and use Information Technology effectively and to protect investments. Among many other benefits, this process promotes compatibility and inter-operability, minimizes duplication of data and ensures proper security safeguards are in place. Wherever possible, the government adopts national or international standards. The government develops new standards itself only when a need is specific to the federal government.

Interdepartmental government Information Technology and ITS committees exist to ensure that common problems and resolutions are addressed by all government in a consistent manner. As well, these committees review draft IT and ITS standards to ensure the practicality, completeness, accuracy and viability of these standards.

The departmental organizational unit responsible for ITS should be aware of, and where appropriate participate in, the Treasury Board Information Technology Standards (TBITS) program and its committees. As a minimum, the ITS Coordinator should be knowledgeable of working groups and standards related to ITS. This will help ensure that economies of scale are realized, and that systems maintain their required effectiveness and inter-operability.

The TBITS working groups that relate to security include:

  • Internal Government OSI Implementation Committee
  • Electronic Commerce Working Group
  • Integrated Circuit Cards / Smart Cards Working Group
  • Smart Card Security / Technical Sub-Group
  • Special Interest Group on Remote Access To Information Systems Group
  • Core OSI Working Group
  • Special Focus Group on Network Security and

For detailed information on these and other Information Management/Information Technology Committees and Groups, consult the Office of the CIO, TBS.

ITS Committees

There are two primary inter-departmental committees that deal specifically with ITS issues. These are:

  • Communications-Electronic Security Committee
  • Information Technology Security Committee

Communications-Security Committee (CSC)

CSC provides strategic direction to participating departments on the management of COMSEC material and systems. Because of sensitivities involved, it is a committee with strict membership rules; only those departments having a major COMSEC account under CSE may participate. Most meeting discussions and resulting minutes are classified.

Information Technology Security Committee (ITSC)

Under the guidance and direction of TBS, "T" Directorate RCMP and the Director General, Security, CSE, the ITSC:

  • advises CSE, the RCMP and TBS on ITS
  • recommends and keeps under review policies, plans, procedures and standards developed for ITS by the RCMP and CSE
  • reviews and advises on the implementation of ITS policy and standards
  • reviews security standards which interrelate with ITS
  • institutes and maintains effective cooperation on ITS matters among departments and agencies in order to ensure a consistent application of security for the protection of information
  • considers issues which are brought to the attention of the committee by members or by other departments or agencies of the Government of Canada which impact on ITS and
  • communicates and coordinates with other committees on matters of mutual interest.

ITSC is open to membership from those departments having substantial amounts of Information Technology. Meeting minutes are available for download from the RCMP Technical Security Services BBS.

The ITS Auditor should review past minutes of these committees, in order to: determine current, common ITS issues; and ascertain whether departmental knowledge, participation and resolution of the issues is adequate.

Bibliography

  1. Audit, Control and Security of (Various Information Technology Environments). Ernst & Young, The EDP Auditors Association, various release dates.
  2. Auditor General's Report, 1990, Office of the Auditor General.
  3. Computer Auditing, Security, and Internal Control Manual, Javier F. Kuong, Prentice-Hall, Inc., 1987.
  4. Computerized Information Systems (CIS) Audit Manual, John Lainhart & Michael Donahue, EDP Auditors Foundation, Inc, 1993.
  5. Computers At Risk: Safe Computing in the Information Age, National Research Council, U.S.A., National Academy Press, 1991.
  6. Handbook of EDP Auditing, Warren Gorham Lamont, 1994 Cumulative Supplement.
  7. Information Systems Management, Control and Audit, The Institute of Internal Auditors, 1990.
  8. Management Computer Risk, Gerald M. Ward & Jonathan D. Harris, John Wiley & Sons, 1986.
  9. Manifesto On Information Systems Control And Management: A New World Order, Marshall Govindan & John Picard, McGraw-Hill Ryerson, 1990.
  10. New Directions for Treasury Board: Guiding Principles (Memorandum), Treasury Board of Canada, Secretary of the Treasury Board, 1990.
  11. Powering Up, Treasury Board of Canada, Communications and Coordination Directorate, Treasury Board of Canada, 1993.
  12. Systems Auditability and Control, The Institute of Internal Auditors Research Foundation.