Statistics Canada1 Statistics Canada’s strategic approach to IT Security OECD Conference on IT Security Paris, April 19th and 20th, 2001 Dave Venables Director, Informatics Technology Services Division Statistics Canada (613)

Statistics Canada2 Overview Business requirements Threats Overall strategy Tactics Challenges Summary

Statistics Canada3 Character Organisational Character Statistics Canada comprises: –5100 employees at Headquarters –650 employees in 9 Regional Offices –1200 interviewers in the Regions Informatics is integral to our business: –850 IT Staff, 400 in Central Informatics –7,000 workstations; 300 Servers; 1 Mainframe Strong corporate culture –Security

Statistics Canada4 Business requirements Maintain respondent confidence Protect respondent confidentiality Preserve data integrity Ensure data availability Facilitate data accessibility Support ongoing operations

Statistics Canada5 Threats Unauthorised disclosure –Data collection –Collected micro-data and Published data Authentication –Collection and Access Accessibility –denial of service Viruses –known, variants and unknown

Statistics Canada6 Overall Strategy Centrally managed infrastructure Dual Network Prevention Proactive Balance operational flexibility with safeguards

Statistics Canada7 Tactics Dual network with air gap –Internal network (A) for confidential data –External network (B) for published data –Robotic A/B switch –Manual A/B switch Firewall with hardened OS Automatic encryption –between HQ, RO and interviewers

Statistics Canada8 Tactics Interviewer Laptop - full disk encryption Internal access controls Token based remote access Anti-virus desktop software Anti-virus software at firewall Attribute checking of at firewall Inbound overnight mail queued

Statistics Canada9 Tactics Oath Clear security policy Clear security practices Proactive security awareness program Regular automated policy reminder Proactive entry attempts

Statistics Canada10 Challenges Full disk encryption for all laptops Increased electronic data reporting External data research centres Virus detection for encrypted information Wireless technology PDAs Other new technology

Statistics Canada11 Summary Strong security culture Some operational inconvenience Room for improvement Continual reassessment High respondent confidence High level of protection

Statistics Canada12 Schematic