Findings by the Auditor General of Canada on: Information Technology Security in the Federal Government 6th Privacy & Security Workshop Toronto, November.

Presentation transcript:

Findings by the Auditor General of Canada on: Information Technology Security in the Federal Government
6th Privacy & Security Workshop, Toronto, November 3, 2005
Richard Brisebois

Richard Brisebois - 6th Privacy & Security Workshop – November 3,
Objective
- To provide you with an insider's perspective on the IT security report tabled in Parliament on February 15, 2005
- To provide you with an update of what has occurred since the tabling of the report

Agenda
- Background/personal notes
- Findings of the 2002 report
- Main points
- Message from the AG
- Press/media reaction
- Events since February 2005
- Questions

Background/personal notes
1) This report is a follow-up on our 2002 report
2) Not a horror story
3) Original plan was not to do an IT security 101 audit
4) Audit approach

Findings of the 2002 report
1. Revised GSP was an improvement
2. Updated the roles and responsibilities of TBS and 10 lead entities
3. Operational standards did not exist or were outdated
4. Little baseline information on the state of IT security across government

Main point (1)
Despite encouraging signs of improvement:
– « The government has made unsatisfactory progress »

« The government has made unsatisfactory progress »
- GSP, MITS and other standards are a good foundation. There are a number of standards that remain to be developed.
- IT security lead agencies are cooperating well and consult regularly on security matters.
- More and more internal audits and VA's are being done since 2002, but « UNSATISFACTORY PROGRESS » is based on:
– TBS & OAG survey identified a general lack of compliance with GSP and MITS
– Most VA's reviewed identified several significant (HIGH) level vulnerabilities

ITS Self-Assessment Results
- Of the 46 departments that completed responses, 1 met Maturity Level 1 and 2 requirements and 0 met only Level 1.
- A guesstimate would suggest that approximately 25% of the 45 who did not achieve at least Level 1 have a substantial amount of work in progress towards achieving at least Level 1.
- Of the 45 departments that did not achieve at least Level 1, 22 were identified as having some classified information, 13 with some Protected C information and 28 with some Protected B information.
- Several departments indicated that 100% of their information has no designation or classification.

Main point (2)
Senior management is often not aware of IT security risks

Senior management is often not aware of IT security risks
- 55% of departments surveyed had not completed a TRA of their systems.
- 44% of departments had not performed VA's.
- 55% had not done an audit of their ITS.
- You cannot fix what you do not know.
- OAG message goes mainly to senior management: they have to be made aware of the risks and then decide if they want to spend the resources to address them.
- Each department will be required to prepare an action plan, to be approved by the Deputy Head, and TBS will follow up.
- Cannot wait for a major disaster to occur to think of IT security.

Main point (3)
TBS has not completely fulfilled its oversight role

TBS has not completely fulfilled its oversight role
- TBS has received only 10 of the 37 internal reports dealing with ITS.
- TBS has no formal process to obtain these internal ITS reports or to analyse their security findings.
- TBS has not yet prepared the mid-term GSP report, which was due in the summer of 2004.

Message from the AG
- Overall, she was disappointed with the lack of progress.
- Purpose is not to point fingers and issue stern rebukes.
- She recognizes the difficulty and complexity of the task.
- Personally, she will continue to use online services.

Press/media reaction
1. We spent a lot of effort to ensure accurate coverage
2. Significant coverage
3. Except for titles, reporting was generally accurate
4. Constant attempts to find details
5. There is a continuing interest in the chapter

Examples of newspaper titles
- Security lapses open public data to hackers
- Security gaps in federal computers leave personal data vulnerable
- FEDS 'VULNERABLE' TO CYBER-ATTACKS: AG
- FEDS' COMPUTER SYSTEM IN PERIL
- FEDS ARE TARGET OF HACKERS
- Hacker heaven
- LAX COMPUTER SECURITY NO SURPRISE: HACKER
- Government not protecting data

Events since February 2005
1. Public Accounts Committee (March 23, 2005)
2. Letter to Deputy Ministers on MITS Action Plans (May 11, 2005)
3. MITS Action Plans submitted to TBS (Aug 26, 2005)
4. Response from the Government to PAC (Sept 21, 2005)
5. TBS action plan to PAC (Sept 30, 2005)

Conclusion
- It is disappointing that the government does not meet its own minimum standards for IT security, even though they have been known for over a decade.
- Government systems and the sensitive data they hold are vulnerable to security breaches.
- As more and more government services are offered on-line, individuals and businesses need to have confidence that the information they share will be protected.

Questions?
Richard Brisebois
Principal, IT Audit Services
Office of the Auditor General of Canada
Tel: (613) ext
Fax: (613)
Sparks Street, Ottawa, Ontario, Canada K1A 0G6