Office of the Auditor General of Canada - Bureau du vérificateur général du Canada

Opening Statement to the Standing Committee on Public Accounts

Information Technology Security
(Chapter 1 - February 2005 Report of the Auditor General of Canada)

23 March 2005

Douglas G. Timmins, CA
Assistant Auditor General

Mr. Chairman, thank you for this opportunity to discuss the results of our audit of information technology security. Joining me at the table are Richard Brisebois and Guy Dumas, the Principal and the Director responsible for this audit.

We last audited IT security in 2002. Since that time, cyber threats to information technology have increased dramatically.

In 2002, a revised Government Security Policy had just been released, but the operational standards needed to implement the Policy were outdated or did not exist.

Since 2002, the Treasury Board Secretariat has worked with lead security agencies and some departments to issue several operational and technical security standards. For example, standards have been issued for business continuity and for the management of IT security (MITS). However, several other operational standards remain to be developed, mostly in other areas that affect IT security, such as threat and risk assessments, contracting, security training and awareness, and identification of assets.

To be effective, policies and standards must be translated into real actions by the departments and agencies. In general, we found that departments and agencies do not meet the core requirements of the Policy and standards. Or, if they do, it is not done consistently across all business sectors and geographic locations.

As part of our audit, we looked at the results of an IT security self-assessment questionnaire administered by the Treasury Board Secretariat where, out of 46 departments and agencies, only 1 stated that it met the baseline requirements. We complemented this questionnaire with a survey of our own of 82 departments and agencies and obtained similar results.

We looked at 20 reports of technical tests conducted over the past two years in various departments and agencies. Most of these reviews identified significant weaknesses in IT systems that, if exploited, could have led to serious breaches of security, loss of confidentiality, and damage to unsuspecting citizens or businesses.

Mr. Chairman, we also reviewed IT security practices in the four departments we had examined in 2002. While some of these departments made significant improvements in specific security practices, none met all the baseline requirements of the Policy.

In our survey, we found that, out of 82 departments and agencies, only 37 (45 percent) prepared threat and risk assessments of their programs, systems, or services as required by the Policy. In most departments and agencies, senior management is not made aware of the results or is unaware of the IT risks, and, therefore, may not attach sufficient priority to addressing them.

In our report, we also note that the Treasury Board Secretariat has not completely fulfilled its oversight role as defined in the Policy. It did not have processes in place to collect and analyze the IT security findings identified in departmental audit reports. The Secretariat also has not completed the mid-term report to the Treasury Board on how effective the Government Security Policy is in strengthening security. This report was due in the summer of 2004. As a result, little baseline information continues to exist on the state of IT security across the government.

Mr. Chairman, specific and timely action to address IT security concerns is important.

The Committee may want to ask the Treasury Board Secretariat these questions:

  • How will it ensure all needed IT security standards are developed and issued in a timely manner?
  • How will it ensure departments and agencies implement a reasonable level of IT security and are held accountable for its implementation?
  • How will it fulfill its oversight role concerning IT security and monitor IT security audits in departments?
  • When will the mid-term report on the Government Security Policy be prepared?

That concludes my opening remarks. We would be pleased to answer any questions the Committee may have.