Findings by the Auditor General of Canada on: Information Technology Security in the Federal Government
6th Privacy & Security Workshop, Toronto, November 3, 2005
Richard Brisebois
Richard Brisebois - 6th Privacy & Security Workshop – November 3, 2005

Slide 2: Objective
To provide you with an insider's perspective on the IT security report tabled in Parliament on February 15, 2005
To provide you with an update on what has occurred since the tabling of the report
Slide 3: Agenda
Background/personal notes
Findings of the 2002 report
Main points
Message from the AG
Press/media reaction
Events since February 2005
Questions
Slide 4: Background/personal notes
1) This report is a follow-up on our 2002 report
2) Not a horror story
3) Original plan was not to do an IT security 101 audit
4) Audit approach
Slide 5: Findings of the 2002 report
1. 2002 revised GSP was an improvement
2. Updated the roles and responsibilities of TBS and 10 lead entities
3. Operational standards did not exist or were outdated
4. Little baseline information on the state of IT security across government
Slide 6: Main point (1)
Despite encouraging signs of improvement:
– « The government has made unsatisfactory progress »
Slide 7: « The government has made unsatisfactory progress »
GSP, MITS and other standards are a good foundation. There are a number of standards that remain to be developed.
IT security lead agencies are cooperating well and consult regularly on security matters.
More and more internal audits and VAs are being done since 2002, but « UNSATISFACTORY PROGRESS » is based on:
– TBS & OAG survey identified a general lack of compliance with GSP and MITS
– Most VAs reviewed identified several significant (HIGH) level vulnerabilities
Slide 8: ITS Self-Assessment Results - 2004
Of the 46 departments that completed responses, 1 met Maturity Level 1 and 2 requirements and 0 met only Level 1.
A guesstimate would suggest that approximately 25% of the 45 who did not achieve at least Level 1 have a substantial amount of work in progress towards achieving at least Level 1.
Of the 45 departments that did not achieve at least Level 1, 22 were identified as having some classified information, 13 with some Protected C information and 28 with some Protected B information.
Several departments indicated that 100% of their information has no designation or classification.
Slide 9: Main point (2)
Senior management is often not aware of IT security risks
Slide 10: Senior management is often not aware of IT security risks
55% of departments surveyed had not completed a TRA of their systems.
44% of departments had not performed VAs.
55% had not done an audit of their ITS.
You cannot fix what you do not know.
OAG message goes mainly to senior management: they have to be made aware of the risks and then decide if they want to spend the resources to address them.
Each department will be required to prepare an action plan, to be approved by the Deputy Head, and TBS will follow up.
Cannot wait for a major disaster to occur to think of IT security.
Slide 11: Main point (3)
TBS has not completely fulfilled its oversight role
Slide 12: TBS has not completely fulfilled its oversight role
TBS has received only 10 of the 37 internal reports dealing with ITS.
TBS has no formal process to obtain these internal ITS reports or to analyse their security findings.
TBS has not yet prepared the mid-term GSP report, which was due in the summer of 2004.
Slide 13: Message from the AG
Overall, she was disappointed with the lack of progress.
Purpose is not to point fingers and issue stern rebukes.
She recognizes the difficulty and complexity of the task.
Personally, she will continue to use online services.
Slide 14: Press/media reaction
1. We spent a lot of effort to ensure accurate coverage
2. Significant coverage
3. Except for titles, reporting was generally accurate
4. Constant attempts to find details
5. There is a continuing interest in the chapter
Slide 15: Examples of newspaper titles
Security lapses open public data to hackers
Security gaps in federal computers leave personal data vulnerable
FEDS 'VULNERABLE' TO CYBER-ATTACKS: AG
FEDS' COMPUTER SYSTEM IN PERIL
FEDS ARE TARGET OF HACKERS
Hacker heaven
LAX COMPUTER SECURITY NO SURPRISE: HACKER
Government not protecting data
Slide 16: Events since February 2005
1. Public Accounts Committee (March 23, 2005)
2. Letter to Deputy Ministers on MITS Action Plans (May 11, 2005)
3. MITS Action Plans submitted to TBS (Aug 26, 2005)
4. Response from the Government to PAC (Sept 21, 2005)
5. TBS action plan to PAC (Sept 30, 2005)
Slide 17: Conclusion
It is disappointing that the government does not meet its own minimum standards for IT security, even though they have been known for over a decade.
Government systems and the sensitive data they hold are vulnerable to security breaches.
As more and more government services are offered on-line, individuals and businesses need to have confidence that the information they share will be protected.
Slide 18: Questions?
Richard Brisebois
Principal, IT Audit Services
Office of the Auditor General of Canada
Tel: (613) 952-0213 ext. 2235
Fax: (613) 957-9736
Richard.Brisebois@oag-bvg.gc.ca
240 Sparks Street, Ottawa, Ontario, Canada K1A 0G6
www.oag-bvg.gc.ca