
Audit of IM/IT Governance

The scope of the audit included an examination of the activities in the Office of the Chief Information Officer (OCIO) during the period November 2008 to March 2009.


May 2010

1.0 Executive Summary

1.1 Introduction

Generally, information represents one of the more valuable assets for an organization’s operations. Information Management and Information Technology (IM/IT) governance integrates and institutionalizes good practices to ensure that IM/IT supports business objectives by maximizing benefits, capitalizing on opportunities, and gaining improved business services.

The objective of this audit as approved in the 2006-2009 Audit Plan is to conduct an audit, under the Treasury Board of Canada’s Policy on Internal Audit, to provide assurance to the President and Senior Management on the adequacy and effectiveness of the governance controls over Information Management and Information Technology. The scope of the audit included an examination of the activities in the Office of the Chief Information Officer (OCIO) during the period November 2008 to March 2009.

1.2 Findings and Recommendations

Governance

Finding 1: Function and Project Oversight

The existing governance committee structure does not provide comprehensive oversight for the IM/IT function.

Recommendation 1:

The VP, Finance, Administration and Information Technology should ensure the establishment and implementation of a senior management IM/IT oversight committee and a comprehensive supporting committee structure.

Finding 2: Management of Information and the Delivery of IT Services

The management of information and delivery of IT services are not well planned, formalized or monitored.

Recommendation 2:

The VP, Finance, Administration and Information Technology should strengthen management practices to ensure that the management of information and delivery of IT services is well planned, formalized and monitored.

Finding 3: IM/IT Policies and Procedures

A full suite of IM/IT policies and procedures has not been established, approved and communicated.

Recommendation 3:

The VP, Finance, Administration and Information Technology should develop and implement a consistent policy framework with consideration being given to the Treasury Board policy suite renewal. The CIO should produce approved policies and procedures in keeping with this framework.

Controls

Finding 4: Systems Development

Information systems are not developed using current practices or in compliance with Treasury Board policy.

Recommendation 4:

The VP, Finance, Administration and Information Technology should ensure that systems development processes meet current and accepted industry practices and Treasury Board requirements.

Risk Management

Finding 5: Management of High Risk Initiatives

High risk initiatives are not adequately managed and IM/IT activities do not meet government operational security expectations.

Recommendation 5:

The VP, Finance, Administration and Information Technology should ensure that MITS requirements are fully implemented and accurately reported within a reasonable timeframe.

1.3 Statement of Assurance

In my professional judgment as Chief Audit Executive, sufficient and appropriate audit procedures have been conducted and evidence gathered to support the accuracy of the opinion provided and contained in this report. The opinion is based on a comparison of the conditions, as they existed at the time, against pre-established audit criteria. The opinion is applicable only to the entities examined and within the scope described herein.

1.4 Audit Opinion

In my opinion, CFIA Information Management and Information Technology governance has deficiencies that represent multiple areas of risk exposure requiring significant improvements related to the governance, control, and risk management processes.[1]

Peter Everson
Chief Audit Executive, Canadian Food Inspection Agency

2.0 About the Audit

2.1 Background

Generally, information represents one of the more valuable assets for an organization's operations. Information Management and Information Technology (IM/IT) governance integrates and institutionalizes good practices to ensure that IM/IT supports business objectives by maximizing benefits, capitalizing on opportunities, and gaining improved business services.

2.2 Objective and Scope

The objective of this audit as approved in the revised 2006-2009 Audit Plan is to conduct an audit, under the Treasury Board of Canada's Policy on Internal Audit, to provide assurance to the President and Senior Management on the adequacy and effectiveness of the governance controls over Information Management and Information Technology.

The scope of the audit included an examination of the activities in the Office of the Chief Information Officer (OCIO) during the period November 2008 to March 2009.

2.3 Methodology

To help organizations achieve their IM/IT outcomes, several frameworks for control have been introduced. Control Objectives for Information Technology (COBIT) is an industry standard that is widely accepted as a baseline of best practices and is used in IM/IT circles as a guide to directing and controlling IM/IT activities (see Appendix A). This audit of IM/IT governance used compliance with COBIT guidance to identify areas where adequate and efficient control processes exist and are operating as intended, and where improvements might be possible. The COBIT focus areas included:

  • Strategic Alignment;
  • Value Delivery;
  • Resource Management;
  • Risk Management; and
  • Performance Measurement.

An audit program was designed using COBIT as a basis for audit objectives and criteria. We conducted interviews with Office of the Chief Information Officer (OCIO) and Departmental Security Officer (DSO) personnel at CFIA. Three information systems under development were examined for compliance with expected system development practices: the Laboratory Sample Tracking System (LSTS), the Compliance Verification System (CVS) and the Single Window Import initiative. Interviews were documented, documents were analyzed and appropriate tests were performed to corroborate the information obtained.

3.0 Findings and Recommendations

3.1 Introduction

This section presents detailed findings from the audit of IM/IT governance in the Office of the Chief Information Officer (OCIO). Findings are based on the evidence and analysis from both our initial risk analysis and detailed audit conduct.

3.2 Governance

Finding 1: Function and Project Oversight

The existing governance committee structure does not provide comprehensive oversight for the IM/IT function.

We would expect that the IM/IT function is managed through a committee structure that advises on strategic direction and reviews major investments on behalf of the Management Committee.

Strategic decisions for projects are made at the Sub-Committee on Information Management and Technology (SCIMT) rather than the senior Science and Technology (S&T) Committee or a high-level senior management IM/IT Steering Committee that provides oversight in meeting business and strategic objectives. SCIMT permits non-official members to make decisions. No architecture committee has been established to coordinate the evolution of the enterprise architecture for information, infrastructure, applications and security.

Other committees intended to provide input on IM/IT priorities and monitor projects, such as the Regular Business Application Committee (BAC), the Corporate Support and Managed Services Committee (CSMSC) and the Essential Infrastructure Committee (EIC), are not meeting regularly due to lack of attendance by members.

In our review, governance was inconsistent: a Project Steering Committee was not established for a significant project such as the Compliance Verification System (CVS), while an effective steering committee was in place for the Data Centre Project. A two-project-leader approach is used, where system development and the business area each provide a project manager to jointly manage a project.

There is a risk that IM/IT strategic decisions and activities will not fully consider the business objectives of the Agency. In addition, the risk also exists that project decisions will not be made by appropriate personnel on a timely basis to deliver IM/IT projects successfully (on time, within budget and meeting the user requirements).

Recommendation 1:

The VP, Finance, Administration and Information Technology should ensure the establishment and implementation of a senior management IM/IT oversight committee and a comprehensive supporting committee structure.

Finding 2: Management of Information and Delivery of IT Services

The management of information and delivery of IT services are not well planned, formalized or monitored.

We would expect that both information management and IT services are properly planned and communicated; and aligned with the corporate business strategy and plans.

There is currently no information architecture, no enterprise data dictionary to manage electronic information and no enterprise content management system.

IM/IT planning is incomplete and not monitored. Examples of this include: IM/IT strategic planning that is not linked to business and technical strategies; operational plans not developed from strategic plans or with business area input. IM/IT has no service catalogue, no service level agreements and no mechanism for identifying the cost and performance of services.

IM/IT processes are not formalized, clearly defined or approved, nor are they monitored for compliance with expectations. Processes are not being performed in a consistent manner (e.g., virus procedures are not defined with clear roles and responsibilities, nor monitored and corrected on a timely basis).

A regular replacement and upgrade program does not exist for computer equipment and desktop software. Computer hardware was being purchased with funding that would otherwise lapse at the end of the year, and the purchases were then warehoused. For the past two years no new desktop computers were purchased, significantly aging the asset base and requiring significant capital funding for 2009-10 and future years. The planned upgrade for desktop software has been deferred due to funding.

The risk is uneconomical, inefficient and ineffective delivery of IT services and information management for the Agency. CFIA is specifically at risk because technical advancements and current services are being implemented and delivered on an aging IT infrastructure.

Recommendation 2:

The VP, Finance, Administration and Information Technology should strengthen management practices to ensure that the management of information and delivery of IT services is well planned, formalized and monitored.

Finding 3: IM/IT Policies and Procedures

A full suite of IM/IT policies and procedures has not been established, approved and communicated.

We would expect that a suite of policies and procedures exists and is approved by the Senior Management Committee to support the IM/IT strategy. We would expect that policies and procedures are communicated to all staff, with clear accountabilities and that they be periodically reviewed for relevance. We would expect that standards, procedures and practices are identified and maintained for key IM/IT processes.

Numerous draft policies and procedures are incomplete or unapproved (for example, the IT Security Framework, the Certification and Accreditation Framework and the Security Incident Response Policy). Many IM/IT policy initiatives have not been submitted for policy implementation tracking.

The draft Finance, Administration and Information Technology (FAIT) policy framework also does not require instruments to be formally approved by CFIA's Senior Management Committee (SMC); instead, they are approved by the Resource Management and Oversight Committee (RMOC).

There is no Agency-wide policy framework and each Branch has adopted their own set of policy instruments, structure and contents. The draft FAIT policy framework does not specify the various policy instruments and their purposes to provide for consistent content.

Current IM/IT policies and procedures differ from Treasury Board's policy suite renewal structure that follows a structure to better align responsibilities and accountabilities in the federal government (i.e. Policy, Directives, Standards, Guidelines, Tools).

The risk associated with not having an up-to-date set of approved policy instruments is that accountabilities, roles and responsibilities are unclear and that staff may not perform work in a consistent, high-quality and repeatable fashion.

Recommendation 3:

The VP, Finance, Administration and Information Technology should develop and implement a consistent policy framework with consideration being given to the Treasury Board policy suite renewal. The CIO should produce approved policies and procedures in keeping with this framework.

3.3 Controls

Finding 4: Systems Development

Information systems are not developed using current practices or in compliance with Treasury Board policy.

We would expect that an IM/IT project management framework - consistent with applicable Treasury Board policies - is used to guide the development of information systems; on time, within budget and meeting user requirements.

The current IM/IT Project Management Framework is inadequate as it does not include all project phases from project initiation to obsolescence. Also, it does not provide guidance for best practices in managing projects nor incorporate the information security requirements.

The framework is not being followed in the development of information systems. For the two development projects reviewed, the Laboratory Sample Tracking System (LSTS) and the Compliance Verification System (CVS), we found that no business cases were prepared and that the projects were non-compliant with the Treasury Board Project Approval Policy regarding their approval.

Project management practices were not effective in delivering projects. LSTS for example, was originally to cost $1.2 million and take two years to complete. The project is still under construction and total project costs reported in the Capital Project Briefs have increased from the original $1.2 million in 2005-06 to $4.4 million in 2006-07, $4.8 million in 2007-08 and $7.4 million in 2008-09.

We found that Project Managers do not follow project management practices as per the Treasury Board Project Management Policy and do not receive adequate training. The Project Management Office does not effectively monitor project deliverables.

The risk associated with not following an approved framework is that projects will continue to be delivered late, over budget, and without the functionality users require.

Recommendation 4:

The VP, Finance, Administration and Information Technology should ensure that project management processes meet current and accepted industry practices and Treasury Board requirements.

3.4 Risk Management

Finding 5: Management of High Risk Initiatives

High risk initiatives are not adequately managed and IM/IT activities do not meet government operational security expectations.

We would expect that the management of IM/IT activities would adhere to Treasury Board's Management of Information Technology Security (MITS) operational security standard. MITS is a government-wide initiative and encompasses numerous information security controls that reduce the risk of threats against Agency information.

Several high risk situations exist where appropriate corrective action has not been taken. These include:

  • Threat and Risk Assessments and Privacy Impact Assessments are either not prepared, or their security requirements are not being implemented, for the data centre, network and applications;
  • A Certification and Accreditation program that only allows properly secured infrastructure and applications into the operational environment has not been implemented;
  • Business Continuity Plans and business resumption plans do not exist for IM/IT services;
  • Steps are needed to complete a suite of IM/IT services and associated Business Impact Assessments (BIA). The existing suite of services was found to be incomplete and inaccurate; and
  • The CIO is aware of these high risk situations and has recently prepared a gap analysis that compared MITS compliance to the status reported to TBS. The review confirmed that real MITS compliance is 12% in contrast to the reported 65%.

These high risk situations represent an overall security risk profile that may not be acceptable to the Agency. Without action, Agency operations will continue to be vulnerable to numerous threats to its information and assets and may be unable to sustain its mission during an incident.

Recommendation 5:

The VP, Finance, Administration and Information Technology should ensure that MITS requirements are fully implemented and accurately reported within a reasonable timeframe.

Appendix A: Audit Criteria Source

COBIT Audit Objectives

PO - Planning and Organizing

  • PO1 To ensure effective IM/IT planning exists within the organization and that it is properly aligned with the corporate business strategy and plans.
  • PO2 An effective Information Architecture is defined and maintained.
  • PO3 An information services function exists for determining technological direction to support the business.
  • PO4 The IM/IT organization is defined by considering requirements for staff, skills, functions, accountability, authority, roles and responsibilities and supervision.
  • PO5 A framework is established to manage IT enabled investment programmes that include cost, benefit, prioritization within a budget process and management of actuals against budget.
  • PO6 Management has developed an IT control framework and defines and communicates policies across the enterprise to accomplish business and IT objectives, risks and direction.
  • PO7 A competent workforce is acquired and maintained for the creation and delivery of IT services.
  • PO8 A Quality Management System is developed and maintained that includes proven development and acquisition processes and standards.
  • PO9 An IT risk management framework is created and maintained.

AI - Acquire and Implement

  • AI1 The need for a new application or function requires analysis before acquisition or creation to ensure that business requirements are satisfied in an effective and efficient approach.
  • AI2 Applications are made in line with business requirements.
  • AI3 Produce a plan for the acquisition, implementation and maintenance of the technological infrastructure that meets established business functional and technical requirements and is in accord with the organization's technology direction.
  • AI4 Knowledge about new systems is made available in the form of documentation and manuals for users and IT, and training is provided to ensure the proper use and operation of applications and infrastructure.
  • AI5 Where IT resources (including people, hardware, software and services) need to be procured, the organization's procurement procedures must be followed for the selection of vendors, the setup of contractual arrangements, and the acquisition itself.
  • AI6 All changes, including emergency maintenance and patches, relating to infrastructure and applications within the production environment are formally managed in a controlled manner.
  • AI7 New operational systems are properly tested in a dedicated environment with relevant test data, definition of rollout and migration instructions, release planning and actual promotion to production, and a post-implementation review.

DS - Deliver and Support

  • DS1 Communications between IT management and business customers are effective regarding services required by defining these in an IT service level agreement.
  • DS2 A third-party management process exists to assure that services provided by third parties (suppliers, vendors and partners) are effective and meet business requirements.
  • DS3 IT resource performance and capacity is managed to periodically review current performance and capacity of IT resources.
  • DS4 IT continuity plans are developed, maintained and tested to provide continuous IT services.
  • DS5 Information integrity is maintained and information assets are protected by a security management mechanism.
  • DS6 IT costs are accurately measured and allocated to the business in a fair and equitable manner in agreement with business users.
  • DS7 All users of IT systems, including IT staff, are effectively educated and trained in their initial and ongoing use.
  • DS8 A well-executed service desk and incident management process exists for responding to user queries and problems on a timely and effective basis.
  • DS9 A configuration repository is established and maintained to ensure the integrity of hardware and software configurations.
  • DS10 A problem management mechanism is established for the identification and classification of problems, root cause analysis, and resolution of problems.
  • DS11 Data requirements are identified to manage data being produced by IT processes.
  • DS12 Physical facilities for computer equipment and personnel are well-designed for protection and physical security managed for sensitive physical and information assets.
  • DS13 Complete and accurate processing of data requires effective management of data processing procedures and regular maintenance of hardware to recover from errors and failures.

ME - Monitor and Evaluate

  • ME1 A regular monitoring process is included in an effective IT performance management regime.
  • ME2 A monitoring process is established for effective assessment of the IT internal control programme by reporting of control exceptions, results of self-assessments and third-party reviews.
  • ME3 Mechanisms are established over the effective oversight of compliance with laws, regulations, and contractual requirements.
  • ME4 Establishing an effective governance framework includes defining organizational structures, processes, leadership, roles and responsibilities to ensure that enterprise IT investments are aligned and delivered in accordance with enterprise strategies and objectives.

Appendix B: Management Action Plan

General Response:

We concur with the findings.

The IM/IT function at CFIA is undergoing significant changes as a result of increasing awareness of its importance to the overall direction and effectiveness of the delivery of the Agency's mandate. This change needs to be supported by consistent and continuous engagement between the partners charged with this function: the business lines and the OCIO.

There is an existing governance model for this function. The current model holds that the CIO is responsible for all aspects of the IM/IT function, except for the development of applications and systems in support of a business line. In this situation there is dual accountability. Existing committees attempt to allow collective decisions. The business line side of this balance is disaggregated (individual proponents of individual initiatives) and does not provide leadership of the system changes being delivered on its behalf by the OCIO. For this reason, the governance model needs to be revised to provide clear direction to the CIO, holding him accountable for results.


The audit highlighted the need for renewed IM/IT governance and a strong service model that clearly identifies accountabilities within CFIA for operating, maintaining and building IM/IT services. This new model needs to clearly articulate roles, responsibilities and accountabilities and needs to include the Business Lines not just as partners but as Service Owners. A consistent framework from a services perspective will be used to develop this model of roles, responsibilities and accountabilities (framework shown above).

The overall management response to this audit will result in significant changes to the management and oversight of the IM/IT function within the agency along with five main themes as follows:

  • Overall governance of IM/IT at CFIA- provide clear direction about who is responsible for the various elements of the IM/IT development; maintenance and operational activities; and put in place effective oversight for these roles;
  • Develop clear standards and accountability for the delivery of IM/IT services; provide capacity to support this; and provide oversight;
  • As a priority, develop an IM and an IT policy framework as part of the overall FAIT functional policy review;
  • Develop and deliver an Enterprise Project Management function that will articulate and monitor an Enterprise Project Management framework;
  • Commitment to deliver Management of Information Technology Security, subject to financial constraints and GOC capacities.

Management Response:

We concur with the findings and recommendations of the audit.

The Vice-President of FAIT will make proposals to the President for renewed IM/IT Governance based on clearly articulated roles, responsibilities and accountabilities for the IM/IT function in CFIA. Proposals will include the implementation of senior management oversight over the operational functions of the CIO and a governance model that will allow accountable business line leads to provide direction and oversight over IM/IT enabled projects. A consistent framework from a services perspective will be used to develop this model of roles, responsibilities and accountabilities (framework shown above).

Audit Recommendation

Governance

1. The VP, Finance, Administration and Information Technology should establish and ensure the implementation of a senior management IM/IT oversight committee and a comprehensive supporting committee structure.

Proposed Management Actions (Responsible Official; Implementation Date):

The OCIO will develop and seek approval of an IM/IT service model based on the framework inserted above in the Management Response box. The Service Model will allow the VP FAIT to identify a senior management IM/IT oversight committee and supporting committees. (Chief Information Officer)
  1. Develop and seek approval for an accountability matrix to operate, maintain, and build IM/IT services in the CFIA. (CIO; Q1 FY 2010/11)
  2. Establish an oversight framework for the function where the CIO is the lead. (VP FAIT; Q3 FY 2010/11)
  3. Develop and seek approval for a governance structure based on the framework inserted above in the Management Response box for functions where business lines are the lead. (VP FAIT; Q1 2010/2011)
  4. In the interim, VP FAIT will provide oversight for CIO accountabilities, and RMOC will be asked to provide oversight for those areas where there are business line accountabilities and for resource allocations to IM/IT operations, IM/IT enabled projects and IM/IT projects. (VP FAIT)

Management Response:

We concur.

  • The planning functions at CFIA and within FAIT are undergoing significant redesign as we move to integrated business line planning and resource management. IM/IT is not unique in this regard. VP FAIT will establish more formal planning and internal control processes as part of a renewed IM/IT Governance.
  • Within the OCIO this will be done through a consistent IM/IT service oriented framework and will include an IM/IT service model that clearly identifies and articulates roles, responsibilities and accountabilities for the IM/IT function from within both IM/IT and Business Lines at CFIA.
  • OCIO will create and maintain capacity for the development of business and operational plans, financial management and internal controls and integrated operational reporting. This will be distinct from the Project Management function.

Audit Recommendation

Governance

2. The VP, Finance, Administration and Information Technology should strengthen management practices to ensure that the management of information and delivery of IT services is well planned, formalized and monitored.

Proposed Management Actions (Responsible Official; Implementation Date):

  1. CIO will establish a business management capacity which will provide integrated operational and business management for the sector. (Chief Information Officer; April 2011)
  2. A CTO position will be created, reporting directly to the CIO, who will be responsible for directing and delivering IM/IT services to clients effectively and efficiently. (CIO; June 2011)
  3. CIO will develop and seek approval from RMOC, or its replacement body in corporate governance, for an IM/IT Service Model based on the framework inserted above in the Management Response box for Item #1. (CIO; Q2 FY 2010/11)
  4. SLAs will be developed for client service standards, and approved through RMOC or its successor. (CIO; starting April 2011)
  5. Formal protocols and operational procedures will be developed and enforced through the CTO. (CIO; Q4 2010/2011)
  6. VP FAIT will provide oversight on CIO operational practices through FAIT B.M.C. (VP FAIT; now)
  7. CIO will develop a multi-phased plan for the development and delivery of core capacity in the service delivery area. (CIO; April 2011)

Q2
2010/2011

Management Response:

We concur.

  • VP FAIT is developing a process for Administration Policy review and renewal for all functional areas. The purpose of this is to review, rationalise and clarify the CFIA administrative policy environment. The IM/IT policy suite will be the first priority.
  • A full suite of IM/IT policies and procedures will be established, approved, communicated and monitored, including appropriate consideration of the Treasury Board policy suite renewal.
  • An early priority will be the necessary elements of the IM/IT security policy suite.

Audit Recommendation

Governance

3. The VP, Finance, Administration and Information Technology should develop and implement a consistent policy framework with consideration being given to the Treasury Board policy suite renewal. The CIO should produce approved policies and procedures in keeping with this framework.

Proposed Management Actions (Responsible Official; Implementation Date):

Develop and implement a consistent policy framework for IM and IT policies. The framework will consider the Treasury Board policy suite renewal and begin with IT Security Policies. (Chief Information Officer)
  1. Within this context, develop an overall administrative policy framework and implementation plan. (VP FAIT; Q1 2010/2011)
  2. Development of the Policy Framework. The policy framework will be approved by RMOC or its successor. (CIO; Q1 FY 2010/11)
  3. Incorporate policies into the Framework (CIO):
    a. IT Security Policies (Q1 – Q2 FY 2010/11)
    b. Balance of IM & IT Policies (Q2 – Q4 FY 2010/11)

Management Response:

We concur.

  • FAIT is creating an Enterprise Project Management capacity at the corporate level to provide policy, advice and guidance, and support to all other EPMOs. This new function will report to VP FAIT.
  • An early deliverable will be an integrated agency Project Management Framework (PMF) and policy in support of the new Treasury Board policy on investments and capital assets.
  • The Systems Development Life Cycle (SDLC) within the OCIO requires a review and refresh in order to ensure that it is consistent with current industry best practices and meets Treasury Board requirements. In addition, the role of business lines as leads on IM/IT enabled projects needs to be reinforced. RMOC will act as the governance body for Project Management.
  • Within this context, the Project Management Framework (PMF) within the OCIO requires a review and refresh in order to ensure that it is consistent with current industry best practices and meets Treasury Board requirements.

Audit Recommendation

Controls:

4. The VP, Finance, Administration and Information Technology should ensure that systems development processes meet current and accepted industry practices and Treasury Board requirements.

Proposed Management Actions (Responsible Official; Implementation Date):

  1. Create EPMO capacity in VPO FAIT. (VP FAIT; April 2010)
  2. Establish RMOC as project management oversight body. (VP FAIT; April 2010)
  3. Develop and deliver a PMF framework for CFIA. (EPMO; June 2010)
  4. Conduct an independent review of IM/IT enabled projects currently underway to confirm scope, cost estimates and authority levels. (VP FAIT; June 2010)
  5. Establish an EPM project dashboard. (EPMO; Sept. 2010)
  6. Broaden project management currently delivered by OCIO to the executive level and Business Line PM/Project Leader. (EPMO; Sept. 2010)
  7. Review and refresh the OCIO PMF, ensuring that it is consistent with current industry best practices and meets Treasury Board requirements:
    a. Comprehensive review of the OCIO PMF (CIO; Q2 FY 2010/11)
    b. Refresh of the OCIO PMF (CIO; Q2 – Q4 FY 2010/11)
  8. Review and refresh the OCIO Systems Development Life Cycle (SDLC), taking into consideration best practices (industry and government) for currently accepted processes and emerging approaches for systems development:
    a. Comprehensive review of SDLC (CIO; Q2 FY 2010/11)
    b. Refresh SDLC (CIO; Q2 – Q4 FY 2010/11)

Management Response:

We concur.

  • Management acknowledges its responsibility to implement appropriate security measures identified in MITS. Proactive and effective risk mitigation actions will continue to be taken to protect the Agency’s information and technology assets, with attention being given to the highest risk elements. An IT Security workplan is being developed in alignment with the larger compliance requirements under the Policy on Government Security.

Audit Recommendation

Risk Management:

5. The VP, Finance, Administration and Information Technology should ensure that MITS requirements are fully implemented and accurately reported within a reasonable timeframe.

Proposed Management Actions (Responsible Official; Implementation Date):

  1. A review of the status of MITS compliance is being conducted and a costed delivery plan developed. Progress on MITS is subject to two constraints: funding and capabilities at the GOC level. (Director, IT Security; Q1 2010/2011)
  2. An IT Security workplan is being developed, in alignment with larger compliance requirements under the Policy on Government Security. Attention will be given to the highest risk elements, and IT Security will be brought to a position of acceptable compliance with MITS requirements. This plan will be approved by RMOC or its replacement committee. (CIO; Q4 2010/2011)

[1] The audit opinion is based on overall materiality and risk as represented by the noteworthy findings and recommendations reported.