Office of the Auditor General of Canada - Bureau du vérificateur général du Canada

Opening Statement to the Standing Committee on Public Accounts

Information Technology Security
(Chapter 3 - April 2002 Report of the Auditor General)

21 May 2002

Douglas G. Timmins, CA
Assistant Auditor General

Mr. Chairman, thank you for this opportunity to discuss the results of our audit of information technology security. Joining me at the table are Nancy Cheng and Richard Brisebois, the Principal and the Director responsible for this audit.

Cyber threats are real and can cause significant damage to an organization. Data from the United States show a dramatic rise in reported incidents, particularly in recent years. Canadian data show a parallel trend.

In addition, security and privacy concerns have been identified as a key issue in the Government On-Line initiative, a major government initiative to connect Canadians and provide them with on-line access to services. As a result, information technology security in government is becoming increasingly important.

The Government Security Policy was previously updated in 1994 and was revised during 2001. The revised policy came into effect in February 2002 and is an important step in the right direction. It puts a strong focus on information technology security, or IT security, and provides a governance framework for security across government.

The policy is supported by operational and technical security standards. The operational security standards were last updated in 1995 and a set of technical security standards was published by the RCMP in 1997. Those standards remain unchanged and a plan to update them has yet to be completed. Technology has advanced significantly since that time. Without up-to-date standards, the 2002 security policy will not be fully effective.

The 1994 policy required departments to conduct internal audits of security and request the RCMP to review their IT security program at least once every five years. At the Treasury Board Secretariat's request, the RCMP had to submit a report on the state of IT security in government based on its reviews.

We found that there had been little monitoring of the state of IT security across government. In the past five years, of about 90 departments and agencies subject to the Government Security Policy, only 10 departments have submitted internal audit reports and 14 have had RCMP reviews. The last RCMP report on the government's IT security program was submitted in 1995, and the Secretariat has not requested any reports since then.

As a result, the government does not have an adequate basis to determine whether existing IT security practices are acceptable; nor does it have an appropriate baseline to measure future progress. The 2002 policy calls for a report card on the effectiveness of the policy by 2004. In our view, the assessment of the effectiveness of IT security across government needs to be done sooner.

The revised security policy no longer stipulates a minimum frequency for internal audits and independent assessments. Under the revised policy, the Treasury Board Secretariat is responsible for active monitoring, but each department will decide when and how often audits and assessments will be conducted.

Mr. Chairman, we also reviewed IT security practices in four departments. We found several weaknesses that could be symptoms of potential weaknesses in other departments and agencies.

It is neither feasible nor cost-effective to eliminate all risks or threats to information assets. Risk assessments help direct resources to areas that warrant them. We found that departments had prepared threat and risk assessments on an ad hoc basis and the assessments had tended to focus on a single application. We also found that some departments had conducted little or no technical testing of their network systems for unauthorized modems and potential vulnerabilities.

Finally, as part of the audit, we conducted certain technical tests on some departments to identify vulnerabilities in their network systems, but we did not exploit them. Of the 260 systems that we tested, 85 contained vulnerabilities. We noted that most of them could allow the system to be readily compromised by a targeted attack. In fact, one of them could have posed an imminent threat and we reported the situation immediately to that department. In January 2002, we provided all other test data and results of our vulnerability assessments to the various departments for corrective action.

The results confirmed the merit of conducting vulnerability assessments. We recommended that the government consider requiring departments to conduct periodic vulnerability assessments of their information systems.

Specific and timely action to address IT security concerns is important. The Committee may wish to request a detailed action plan to update IT security standards. It may also wish to consider the merit of evaluating the effectiveness of IT security in government sooner than required by the Government Security Policy.

Mr. Chairman, that concludes my opening remarks and we would be pleased to answer any questions that members of this Committee may have.