Follow-up on the January 2018 Internal Audit Report on Managing Information Technology Security
At a Glance
The Office of the Auditor General of Canada made good progress in addressing the observations and recommendations from the January 2018 Internal Audit Report—Managing Information Technology Security.
The Office respected the timeline initially agreed upon for addressing the observations.
Objective
The objective of the follow-up internal audit was to assess the extent to which management of the information technology (IT) security team
- had addressed the observations made in the Internal Audit Report—Managing Information Technology Security, issued in January 2018; and
- had made progress in addressing the observations according to the initially agreed-upon timeline.
See the Appendix for the review criteria.
Why This Follow-up Internal Audit Matters
In the January 2018 Internal Audit Report on Managing Information Technology Security, we concluded that the Office of the Auditor General of Canada had designed an adequate framework to support the security of its IT systems, but that the Office’s management of the IT security framework hindered its effectiveness.
The Internal Audit team made recommendations to the IT security team. Management agreed with the recommendations and issued an action plan. Because of the importance of the observations, a follow-up internal audit was planned to monitor management’s progress.
Work Conducted by the Practice Review and Internal Audit Team
As part of its follow-up internal audit, the Internal Audit team assessed whether management had addressed the report’s observations and recommendations. The Internal Audit team also retested a statistical sample of test scripts to assess management’s progress in completing the IT security control tasks.
The follow-up internal audit covered the period from 1 January 2016 to 30 April 2019.
Background
As noted above, the Internal Audit team concluded in January 2018 that the Office of the Auditor General of Canada had designed an adequate framework to support the security of its information technology (IT) systems. However, the Office’s management of the IT security framework hindered its effectiveness. Specifically, IT security management had not systematically reviewed its policies, procedures, and guidelines, and it had not implemented many controls required by the Treasury Board’s policy instruments and guidance that were relevant to IT security.
We also reported that the 2016 self-assessment was thorough and resulted in a comprehensive action plan. We arrived at this conclusion by reviewing management’s process for its self-assessment, which included management’s testing of IT security controls. For each control tested, management documented its work through a test script. In the initial internal audit, the Internal Audit team agreed with management’s conclusion after retesting 25 scripts.
As part of its self-assessment, management determined that for 69% of the tests performed, the controls partially met, mostly met, or did not meet the requirements. These controls were selected from the 2012 guidelines in IT Security Risk Management: A Lifecycle Approach (ITSG-33), published by Communications Security Establishment Canada, and were tested on a selection of the Office’s systems. Management established an action plan for all of the deficiencies identified in its self-assessment.
We have followed up on management’s action plan.
Observations
Follow-up on the self-assessment of information technology security
Management informed us that as of April 2019, approximately 96% of the IT security controls for the selected systems in its self-assessment had been implemented. To validate this information, we retested 34 scripts by using low and moderate levels of assurance based on risk. We noted no discrepancies.
On the basis of the work performed, we concluded the following:
- The Internal Audit team could rely on IT security management’s conclusion from the analysis performed in the test scripts.
- IT security management had made good progress in implementing its action plan and was still adhering to the original timelines.
Management informed us that the remaining tasks were related to renewing or acquiring IT security tools and renewing our security architecture.
Follow-up on the PRIA team’s recommendations in the January 2018 report
As part of its regular process, the PRIA team conducted ongoing monitoring of management’s action plan to address the recommendations in the internal audit report on managing IT security. The PRIA team’s monitoring activities were based on the target dates for completion of management’s actions. The PRIA team also prepared a summary follow-up report for each Audit Committee meeting. We used three of the report’s recommendations as criteria for this follow-up internal audit (see Appendix). One recommendation was addressed, and two were outstanding at the beginning of our follow-up.
The status of these two recommendations is as follows:
- Management had put in place adequate measures to monitor the implementation of the Treasury Board’s new policy instruments and guidance that were relevant to IT security and in effect as of 1 July 2019. Management informed us that at the end of June 2019, it had completed its assessment of compliance with these new policies.
- Management had put in place adequate measures to annually assess its IT security procedures, standards, and guidelines to ensure that they were up to date and in line with the Treasury Board’s policy instruments and guidance relevant to IT security. Management informed us that it planned to delete the Office’s current security policies in the near future, given that the Treasury Board’s new policies and directives had taken effect. Management also told us that the compliance assessment had been completed and integrated with the Office’s annual risk assessment process.
Follow-up on the PRIA team’s other observations in the January 2018 report
In January 2018, the Internal Audit team reported that it agreed with the self-assessment of IT security management that the Office had many weaknesses related to IT security risks. The Internal Audit team reported detailed findings about these weaknesses and made certain observations. As part of our follow-up internal audit, the Internal Audit team reviewed all of these observations and assessed management’s progress in addressing them.
Governance. The Internal Audit team had found that three work descriptions for IT security staff were either outdated, did not align with the Treasury Board’s Operational Security Standard: Management of Information Technology Security (MITS), or did not align with the staff members’ current responsibilities.
Updated conclusion: On the basis of the work performed in the follow-up internal audit, the Internal Audit team concluded that the issues identified for the work descriptions had been properly addressed.
In January 2018, we found a lack of oversight by the IT Change Management Board. This board was chaired by someone from the IT security team, but that person attended only two thirds of the meetings and no one from the IT security team replaced him in his absence. Furthermore, the terms of reference for the board were outdated.
Updated conclusion: On the basis of the work performed in the follow-up internal audit, the Internal Audit team concluded that terms of reference had been prepared and approved, and that someone from the IT security team was attending each meeting.
We had also found a lack of oversight by the Virtual Security Team Committee. The committee had no terms of reference and only a few records of decision.
Updated conclusion: On the basis of the work performed in the follow-up internal audit, the Internal Audit team concluded that terms of reference had been prepared and approved, and that minutes were taken at each committee meeting.
The Internal Audit team had also reported that the Office’s automated tools that send alerts to monitor IT security events needed to be improved.
Updated conclusion: On the basis of the work performed in the follow-up internal audit, the Internal Audit team concluded that although improvements had been made, more remained to be done.
The Internal Audit team reported that the Office had not formally informed its employees of the nominations of new key IT security staff.
Updated conclusion: On the basis of the work performed in the follow-up internal audit, the Internal Audit team concluded that this matter had been addressed. The Office had issued a corporate message to inform its employees of the nominations of new key IT security staff.
In January 2018, the Internal Audit team also reported that it had not found evidence that Office management had approved the Office’s IT security policies.
Updated conclusion: On the basis of the work performed in the follow-up internal audit, the Internal Audit team concluded that Office management had addressed this issue. Office management informed us that instead of creating its own policies, the Office would adopt the Treasury Board’s new policies on security that were in effect as of 1 July 2019. Management also informed us that it had recently completed its assessment of compliance with the new policies.
Implementation of the IT security framework. In January 2018, the Internal Audit team reported that the Office had partially implemented or had not implemented many of the requirements in its policies and procedures.
Updated conclusion: On the basis of the work performed in the follow-up internal audit, the Internal Audit team concluded that this observation was no longer relevant because the Office had decided to adopt the Treasury Board’s new security policies instead of developing its own security policies.
Departmental Security Plan. In January 2018, the Internal Audit team reported that the Office had not updated its Departmental Security Plan to reflect changes in its IT security risks.
Updated conclusion: On the basis of the work performed in the follow-up internal audit, the Internal Audit team concluded that this observation had been addressed. A new Departmental Security Plan that considered current IT security risks had been issued for 2017 to 2020 and had been approved by the Auditor General of Canada on 31 January 2018.
Threat and risk assessments. In January 2018, the Internal Audit team reported that the Office had not regularly updated its threat and risk assessments. We also reported that management had since implemented a plan to address the issue.
Updated conclusion: On the basis of the work performed in the follow-up internal audit, the Internal Audit team concluded that management had made good progress toward achieving its plan to review the threat and risk assessments of all IT systems on a regular basis.
External and internal reporting. In January 2018, the Internal Audit team reported that the documentation process for reporting IT security incidents was clear, relevant, and understandable. However, the process was still in draft format.
Updated conclusion: On the basis of the work performed in the follow-up internal audit, the Internal Audit team concluded that this observation had been addressed. The documentation was finalized by management and approved by the Departmental Security Officer.
Contracts. In January 2018, the Internal Audit team reported that until May 2016, the contracting process had not automatically included verification of IT security requirements.
Updated conclusion: On the basis of the work performed in the follow-up internal audit, the Internal Audit team concluded that this observation had been addressed. The team noted that the checklist prepared by the Procurement team now included a requirement to consult security for each new contract.
Security risks from social engineering attacks. In January 2018, the Internal Audit team noted that social engineering exercises were an excellent way to assess staff members’ reactions to possible IT security attacks. However, the Office had not conducted this type of exercise since 2011.
Updated conclusion: On the basis of the work performed in the follow-up internal audit, the Internal Audit team concluded that management had addressed this matter by including social engineering exercises as part of its Departmental Security Plan.
Recommendations
We made no recommendations in our follow-up internal audit.
Conclusion
We concluded that the Office had made good progress, in line with the timeline initially agreed upon, to address the observations and recommendations from our January 2018 internal audit report on managing information technology security.
We note that management is continuing its work on those systems that were not selected in the initial self-assessment. The types of controls tested in management’s 2016 self-assessment were selected on the basis of a tailored approach in line with the Office’s risk environment. It is our understanding that management will continue to use this approach in its annual assessment of selected systems and controls.
Follow-up Internal Audit Hours
| | 2019 Actual (estimated) | 2019 Budgeted | Difference |
|---|---|---|---|
| Review hours | 300 | 300 | – |
Appendix—Criteria and Sources
| Criteria | Sources |
|---|---|
| Management has put in place adequate measures to monitor its implementation of the Treasury Board’s new policy instruments and guidance that are relevant to IT security (if issued) and, if necessary, has taken action in a timely manner. | Internal Audit Report—Managing Information Technology Security (Recommendation 48), Office of the Auditor General of Canada, January 2018 |
| Management has put in place adequate measures to annually assess its IT security procedures, standards, and guidelines to ensure that they are up to date and in line with the Treasury Board’s policy instruments and guidance that are relevant to IT security. The measures should include monitoring compliance with requirements. | Internal Audit Report—Managing Information Technology Security (Recommendation 49), Office of the Auditor General of Canada, January 2018 |
| Management has done the following: | Internal Audit Report—Managing Information Technology Security (Recommendation 50), Office of the Auditor General of Canada, January 2018 |
| Management has made progress in implementing its action plan according to the target date for remediation. | Internal Audit Report—Managing Information Technology Security (Recommendation 61), Office of the Auditor General of Canada, January 2018 |