Treasury Board of Canada Secretariat
Symbol of the Government of Canada

ARCHIVED - Government Response to the Fourteenth Report of the Standing Committee on Public Accounts

Warning This page has been archived.

Archived Content

Information identified as archived on the Web is for reference, research or recordkeeping purposes. It has not been altered or updated after the date of archiving. Web pages that are archived on the Web are not subject to the Government of Canada Web Standards. As per the Communications Policy of the Government of Canada, you can request alternate formats on the "Contact Us" page.

Introduction

The government welcomes the Committee's Report, shares its concerns and agrees with its objectives. In several areas the government has suggested alternative courses of action or timelines to realize the objectives of the Committee's recommendations. This approach will strengthen the posture of IT security in federal departments and agencies and in turn the security, reliability and safety of government services for Canadians.

The Government Security Policy prescribes measures to safeguard information systems, and supports the objectives of the National Security Policy and the government's initiatives in service delivery.  As part of the Government Security Policy, the standard for Management of Information Technology Security (MITS) defines the mandatory security requirements that departments and agencies must fulfill to ensure the security of Information and Information Technology (IT) assets under their control.

Recommendation 1

That Treasury Board Secretariat accelerate the timetable for the development and implementation of all remaining IT security standards with the goal of having them completed well in advance of the December 2006 deadline it has established.

The Treasury Board Secretariat is committed to completing all Operational Security Standards listed in the 2005 Office of the Auditor General report. The highest priority standards will be completed by December 2005.  All remaining standards will be completed by July 2006.

To date, the Secretariat has completed the following operational security standards: Administrative Procedures for the Security of Information Act, Business Continuity Planning, Management of Information Technology Security, Physical Security, and Readiness Levels for Federal Government Facilities.  There are several standards that are near completion: Security in Contracting, Identification and Categorization of Assets, and Training and Awareness.  The Secretariat will make it a priority to complete the Security Risk Management standard and the Security Program standard by December 2005 in response to the recommendations of the Office of the Auditor General and the Committee. Of the remaining standards initial drafts have been completed for Investigations and Sanctions, Security Screening, Incident Management, and Intrusion Detection, while drafting of Sharing of Information and Protection of Employees has not yet started.   In addition, interim guidance and consultation draft standards will be provided to departments to ensure that guidance is available at the earliest possible opportunity.

Technical and operational guidance will continuously be developed to meet the needs of the current dynamic risk environment. As part of this activity the Secretariat will establish a committee to examine areas where new IT security standards are needed. The consolidated standards and technical documentation plan will be made available to departments and updated regularly.  In addition, the Treasury Board Secretariat and lead security agencies continuously monitor other national and international standards activities, and adopt or adapt these standards as appropriate. 

Recommendation 2

That beginning in September 2005 Treasury Board Secretariat submit semi-annual status reports to the Standing Committee on Public Accounts on the development and implementation of remaining IT security standards.

The Treasury Board Secretariat will submit a status report to the Committee in September 2005 as part of the detailed action plan to implement the recommendations made by the Auditor General of Canada.  The Secretariat will regularly review and update the status of the standards development plan and, if any significant delays are foreseen, will report such delays and the reasons for them to the Committee.

Recommendation 3

That Treasury Board Secretariat submit a detailed action plan to the Standing Committee on Public Accounts specifying the measures it will take to implement the recommendations made by the Auditor General of Canada. The action plan must include target implementation dates and must be provided to the Standing Committee on Public Accounts no later than 30 September 2005.

A detailed action plan will be submitted directly to the Committee before the end of September 2005.

Recommendation 4

That Treasury Board Secretariat adhere to the requirements of the Government Security Policy as stated in Appendix A of the Policy, paying close attention to its duty to provide "advice and assistance on security" and to monitor "the implementation of the [P]olicy and the state of security in the Government of Canada."

The Treasury Board Secretariat is taking an active role in advising and assisting departments and agencies with the implementation of the security policy. 

The Treasury Board Secretariat has conducted six interdepartmental workshops to assist departments with their Management of IT Security (MITS) standard implementation.  The Secretariat will continue these workshops throughout MITS implementation.

The Treasury Board Secretariat established an interactive web-based collaboration forum for IT Security Coordinators and other IT Security Practitioners to share information and best practices, discuss current developments and matters of mutual interest, identify issues and concerns, and ask questions. The forum currently has over 140 members. 

The Treasury Board Secretariat has also inaugurated an annual Security Awareness Week for all federal departments and agencies. In preparation for this, the Secretariat holds an annual Government Security Policy Day for Government of Canada security professionals. In 2005 over 600 security practitioners participated.

Lead security agencies provide briefings, including regular threat updates, for Departmental Security Officers five times a year. 

Monitoring and oversight of IT Security is a high priority for the Treasury Board Secretariat. The Secretariat is currently implementing and developing additional measures to enhance performance measurement, monitoring and oversight of the policy's implementation and "government's state of IT security". This will address the basis for the Office of the Auditor General and Committee's recommendations on monitoring and oversight.      

The first step in the development of the IT security monitoring and oversight program is to establish an integrated performance measurement framework for IT security.  This framework will be based on the expected results and outcomes to protect services to Canadians, and safeguard government information and operations in support of service delivery.  Key performance indicators will be established that are not based exclusively on compliance, but also consider effectiveness. The performance measurement framework will also take into account best practices and the extensive literature available in this area across the government as well as from standards bodies, the private sector, and other governments.

Once the performance measurement framework is in place, the Treasury Board Secretariat will design a monitoring and oversight process and document it in the new Security Program Standard. It will include requirements for departments to develop an annual schedule of their planned IT security monitoring activities and for the Secretariat to monitor implementation.  The standard will identify the required performance reporting processes to ensure senior management at all levels of government has the information they need to manage security. This will include annual reporting to the Chief Information Officer and the Secretary of the Treasury Board on the implementation of the Government Security Policy and the state of IT security in the government.

The Secretariat will also develop any required tools to support performance measurement and reporting. This could include self-assessments, databases, and executive reporting structures. Lead security agencies will take an active role to support oversight and monitoring by conducting horizontal analyses of Business Continuity Plans, vulnerabilities and incidents. The Treasury Board Secretariat will also consider horizontal audits of IT Security as part of the monitoring regime.  

IT security performance measurement and monitoring will be consistent with existing processes and will reuse information already available or provided by departments.  The Secretariat will incorporate IT security into existing frameworks as appropriate, including the Management Accountability Framework (MAF).  The Secretariat will take action to ensure that departmental IT security performance assessments are included in future MAF assessments. MAF assessments will be refined once the performance measurement framework for IT security is established.      

Implementation of the monitoring program will be coordinated with MITS implementation.  In late 2005, The Chief Information Officer will provide a status report to the Secretary of the Treasury Board based on MITS action plans, which will provide a better indication of the state of IT security.  To follow up on MITS implementation after December 2006, a more comprehensive measurement and monitoring process will be in place and will be used to provide a detailed report to the Secretary of the Treasury Board in early 2007.  Compliance with the MITS standard will provide a common baseline on which we will continue to build and improve IT security.  A sustainable, on-going program for IT security performance management will be used on an annual basis.

Recommendation 5

That the Treasury Board Secretariat provide, in its annual departmental performance reports, information on its monitoring activities with respect to its obligations as set forth in Appendix A of the Government Security Policy. Reference must be made to the frequency and scope of monitoring, the results, and corrective measures taken. This reporting should begin with the report for the period ended 31 March 2005.

The Secretariat will include monitoring activities in its annual departmental performance reports beginning with the period ending 31 March 2006. This report will reflect the results of monitoring of MITS implementation in the summer and fall of 2005, and progress towards implementation of a comprehensive IT Security performance measurement, monitoring and oversight program.

Recommendation 6

That the Government of Canada review the adequacy of resources and authorities available to the Office of the Chief Information Officer to lead government-wide IT security efforts, explore the option of consolidating resources and authorities to take full responsibility for government-wide IT security in the hands of a single entity, and report the results to the Standing Committee on Public Accounts no later than 31 December 2005.

The Auditor General noted that inter-agency cooperation and coordination has improved.  The Treasury Board Secretariat, in cooperation with the lead security agencies, is continuing to strengthen IT security governance.  

The government believes that it is premature at this time to consider organizational changes related to the roles and responsibilities of lead security agencies.  It is the government's view that organizational changes should not be the first step in improving the government-wide IT Security program.   In conjunction with activities such as MITS implementation and the transition to common infrastructure and services, the Treasury Board Secretariat will conduct a comprehensive analysis to identify the scope and adequacy of the government-wide IT Security program. Deputy Ministers must submit their MITS Action Plans to the Secretariat by 26 August 2005.  The Secretariat will conduct a detailed analysis of these plans and will determine if any changes to the IT Security program are required to achieve the objectives of MITS. The results of these analyses will be reported to the Secretary of the Treasury Board. In addition, the Secretariat will conduct an in-depth analysis of the security implications of implementing government-wide enterprise solutions to consolidate IM/IT infrastructure and services (for example, intrusion detection services offered by the Secure Channel).

Once the underlying issues are better understood, the Treasury Board Secretariat, in consultation with departments and lead security agencies, will review resource requirements and examine how to best coordinate and align IT security activities in the government.

Recommendation 7

That Treasury Board Secretariat identify the reasons for turnover in the position of Chief Information Officer, analyze the results, and report its findings, along with an action plan listing the steps it will take to extend the tenure of this officer to a minimum five-year term, to the Standing Committee on Public Accounts no later than 31 December 2005.

Since the creation of the Chief Information Officer (CIO) branch in 1997 there have been three confirmed CIOs. The last confirmed Chief Information Officer held the position for three years and nine months.  This is longer than the tenure of most other senior Assistant Deputy Minister level positions across government.

Recommendation 8

That Treasury Board Secretariat develop and implement a plan for an awareness of the importance of IT security among senior departmental managers, with an emphasis on deputy ministers, and provide the Standing Committee on Public Accounts with a copy of this plan no later than 30 September 2005.

The Treasury Board Secretariat has already taken steps to increase senior management awareness of IT security. Some of these include:

  • Integrated security and privacy measures have already been introduced as a measure for Information and IT Management in the Management Accountability Framework.
  • In May 2005 the Secretary of the Treasury Board Secretariat notified deputy heads that they must sign and submit departmental MITS implementation plans to the Secretariat by August 2005. This will significantly improve awareness of IT Security issues at the deputy minister level.
  • The Cyber Protection Forum was held in 2005 to foster collaboration with those involved in setting government direction, formulating policies and administering programs.  Delegates included executives, Chief Information Officers, Directors, Business and IT investment decision makers, and Senior Program Managers.
  • The Communications Security Establishment provides security-training modules for courses provided the Canada School of Public Service. One aim is to expand upon this to include some security training as part of management courses.

In addition, departments will be required to report annually to their deputy ministers on the state of security and to submit these reports to the Treasury Board Secretariat. This will bring IT security issues to the attention of deputy ministers on an ongoing basis.

A full report on awareness will be included in the action plan to be provided to the Committee in September 2005.

Recommendation 9 and RECOMMENDATION 10

That a mandatory direct reporting relationship be established for departmental security officers and departmental IT security coordinators to their deputy ministers.

That departmental security officers be positioned at a strategic level within departments and agencies so that they can have meaningful influence over department-wide IT security strategies and input into budgeting decisions affecting security.

The Government Security Policy already recommends that Departmental Security Officers be "strategically positioned within the organization so as to provide department-wide strategic advice and guidance to senior management". The Treasury Board Secretariat will review internal audit reports on security to see how departments are implementing this requirement.

As part of its standards program the Treasury Board Secretariat will develop a Security Program Standard that will provide guidance on departmental organization and governance to ensure that Departmental Security Officers and IT Security Coordinators have the required access to the DM and departmental executives.  This will include responding to significant incidents or security issues that require DM attention (e.g. denial of security clearance) as well as reporting on departmental security risks and state of security.  

The Security Risk Management Standard will include a requirement that departments identify and assess their key security risks and challenges and determine the appropriate level of risk to accept as part of their Corporate Risk profile. Senior management must approve the security risk profile.

Recommendation 11

That departments and agencies be required to develop BCPs (Business Continuity Planning) on a priority basis and to test these plans at least every two years, with the results to be communicated to the Office of the CIO at TBS.

Under the National Security Policy, Public Safety and Emergency Preparedness Canada (PSEPC) is the department responsible for "strengthening the testing, and auditing of key capabilities and conducting assessments of other departments. This will include a review of the plans of federal departments to ensure they are able to continue operating during emergencies."  In this role, Public Safety and Emergency Preparedness Canada is developing a comprehensive quality assurance program including monitoring, testing and auditing of Business Continuity Plans.  Departments will report the results of their Business Continuity Plans testing and audit activities to Public Safety and Emergency Preparedness Canada.  PSEPC in turn will report annually to the Treasury Board Secretariat on the results of the Business Continuity Planning monitoring and testing to provide valuable input into the overall state of government security.

The Treasury Board Secretariat and Public Safety and Emergency Preparedness Canada have placed a priority on completion of Business Continuity Plans. The requirement for departments to develop Business Continuity Plans is set out in the operational standard on Business Continuity Planning published by the Secretariat in April 2004.  To facilitate implementation of the standard the Treasury Board Secretariat, in collaboration with Public Safety and Emergency Preparedness Canada and the Canada School of Public Service, developed a Business Continuity Plan training course available across Canada.  In addition, Public Safety and Emergency Preparedness Canada is sending a Quick Scan questionnaire to departments to check compliance with the Business Continuity Plans standard in fall 2005.

Operational Standard includes a requirement for the regular testing and validation of all plans. The government agrees in principle with the requirement for testing plans every two years.    In consultation with departments, Public Safety and Emergency Preparedness Canada will determine appropriate tests for the proposed two-year cycle. Within the context of its Business Continuity Planning quality assurance program, PSEPC will evaluate the adequacy of departments' testing programs.

Recommendation 12

That the Office of the Chief Information Officer conduct a government-wide review to ascertain the total level of human, technological, and financial resources that are being devoted in fiscal year 2005 06 to IT security in departments and agencies, that it analyze the results to determine whether they are appropriate, and that it report the results to Parliament by 30 April 2006.

The Secretariat fully agrees with the need for a review of IT Security expenditures. The Secretariat is planning to develop a picture of IT security expenditures and a framework for a comprehensive approach to manage IT security investments; however this is extremely difficult to achieve and we will not be able to complete this by April 2006 due to the complexity of this work.. 

The Treasury Board Secretariat has already started collecting information on IT security spending.  The Information Technology Service Review conducted in 2004/2005 captured IT security spending from 48 departments and agencies that represent 94% of the total IM/IT investment for the government for the year 2003/2004.  While this information was invaluable it did not present a complete picture of all IT security spending because a significant portion is embedded in various departmental programs. The results of the Expenditure Review did indicate that efficiencies could be gained through common IT services and infrastructure.  This conclusion also applies to IT security, and options for common IT security services will be further explored as part of the development of government-wide enterprise solutions.  

Obtaining such a picture is extremely difficult because there is no universally accepted definition of IT security or method to define and track costs. Additionally, IT security costs are often imbedded in many program areas. For example, security safeguards are imbedded in almost every IT component including software licences, desktops, applications, and networks. Fixed price competitive contracts also may not provide the kind of detailed price breakdown needed capture all security costs.  In other cases it is not even clear which elements to include as security expenditures.  In addition, there are many variables associated with determining the appropriate level of IT security spending. For example, spending must be commensurate with departments' corporate risk profiles, which vary significantly across government. Therefore IT security spending must be considered within the context of the overall IT security performance measurement framework.

This problem is not unique to government. Information on security spending is uncertain and often unreliable in the private sector for reasons similar to those described above.

The Treasury Board Secretariat will continue to assess approaches to solve this problem with the aim of clarifying and benchmarking government IT security expenditures.  Business cases will be identified for development and implementation of common security services as a means to improve efficiencies.  Analysis of availability of adequate resources and the appropriate level of investment will be an important factor in the review of MITS implementation plans and, subsequently, MITS compliance by December 2006.  The results of this analysis will be reflected in MITS compliance reports to be provided to the Secretary of the Treasury Board in late 2005 and early 2007.