Follow-up on the January 2018 Internal Audit Report on Managing Information Technology Security


At a Glance

The Office of the Auditor General of Canada made good progress in addressing the observations and recommendations from the January 2018 Internal Audit Report—Managing Information Technology Security.

The Office respected the timeline initially agreed upon for addressing the observations.

Objective

The objective of the follow-up internal audit was to assess the extent to which management of the information technology (IT) security team

See the Appendix for the review criteria.

Why This Follow-up Internal Audit Matters

In the January 2018 Internal Audit Report on Managing Information Technology Security, we concluded that the Office of the Auditor General of Canada had designed an adequate framework to support the security of its IT systems, but that the Office’s management of the IT security framework hindered its effectiveness.

The Internal Audit team made recommendations to the IT security team. Management agreed with the recommendations and issued an action plan. Because of the importance of the observations, a follow-up internal audit was planned to monitor management’s progress.

Work Conducted by the Practice Review and Internal Audit Team

As part of its follow-up internal audit, the Practice Review and Internal Audit (PRIA) team, referred to below as the Internal Audit team, assessed whether management had addressed the report’s observations and recommendations. The Internal Audit team also retested a statistical sample of test scripts to assess management’s progress in completing the IT security control tasks.

The follow-up internal audit covered the period from 1 January 2016 to 30 April 2019.

Background

As noted above, the Internal Audit team concluded in January 2018 that the Office of the Auditor General of Canada had designed an adequate framework to support the security of its information technology (IT) systems. However, the Office’s management of the IT security framework hindered its effectiveness. Specifically, IT security management had not systematically reviewed its policies, procedures, and guidelines, and it had not implemented many controls required by the Treasury Board’s policy instruments and guidance that were relevant to IT security.

We also reported that the 2016 self-assessment was thorough and resulted in a comprehensive action plan. We arrived at this conclusion by reviewing management’s process for its self-assessment, which included management’s testing of IT security controls. For each control tested, management documented its work through a test script. In the initial internal audit, the Internal Audit team agreed with management’s conclusion after retesting 25 scripts.

As part of its self-assessment, management determined that for 69% of the tests performed, the controls partially met, mostly met, or did not meet the requirements. These controls were selected from the 2012 guidelines in IT Security Risk Management: A Lifecycle Approach (ITSG-33), published by Communications Security Establishment Canada, and were tested on a selection of the Office’s systems. Management established an action plan for all of the deficiencies identified in its self-assessment.

We have followed up on management’s action plan.

Observations

Follow-up on the self-assessment of information technology security

Management informed us that as of April 2019, approximately 96% of the IT security controls for the selected systems in its self-assessment had been implemented. To validate this information, we retested 34 scripts by using low and moderate levels of assurance based on risk. We noted no discrepancies.

On the basis of the work performed, we concluded the following:

Management informed us that the remaining tasks were related to renewing or acquiring IT security tools and renewing the Office’s security architecture.

Follow-up on the PRIA team’s recommendations in the January 2018 report

As part of its regular process, the PRIA team conducted ongoing monitoring of management’s action plan to address the recommendations in the internal audit report on managing IT security. The PRIA team’s monitoring activities were based on the target dates for completion of management’s actions. The PRIA team also prepared a summary follow-up report for each Audit Committee meeting. We used three of the report’s recommendations as criteria for this follow-up internal audit (see Appendix). One recommendation was addressed, and two were outstanding at the beginning of our follow-up.

The status of these two recommendations is as follows:

Follow-up on the PRIA team’s other observations in the January 2018 report

In January 2018, the Internal Audit team reported that it agreed with the self-assessment of IT security management that the Office had many weaknesses related to IT security risks. The Internal Audit team reported detailed findings about these weaknesses and made certain observations. As part of our follow-up internal audit, the Internal Audit team reviewed all of these observations and assessed management’s progress in addressing them.

Governance. The Internal Audit team had found that three work descriptions for IT security staff were either outdated, did not align with the Treasury Board’s Operational Security Standard: Management of Information Technology Security (MITS), or did not align with the staff members’ current responsibilities.

Updated conclusion: On the basis of the work performed in the follow-up internal audit, the Internal Audit team concluded that the issues identified for the work descriptions had been properly addressed.

In January 2018, we found a lack of oversight by the IT Change Management Board. This board was chaired by a member of the IT security team, but that person attended only two-thirds of the meetings, and no one from the IT security team replaced him in his absence. Furthermore, the terms of reference for the board were outdated.

Updated conclusion: On the basis of the work performed in the follow-up internal audit, the Internal Audit team concluded that terms of reference had been prepared and approved, and that someone from the IT security team was attending each meeting.

We had also found a lack of oversight by the Virtual Security Team Committee. The committee had no terms of reference and only a few records of decision.

Updated conclusion: On the basis of the work performed in the follow-up internal audit, the Internal Audit team concluded that terms of reference had been prepared and approved, and that minutes were taken at each committee meeting.

The Internal Audit team had also reported that the Office’s automated tools that send alerts to monitor IT security events needed to be improved.

Updated conclusion: On the basis of the work performed in the follow-up internal audit, the Internal Audit team concluded that although improvements had been made, more remained to be done.

The Internal Audit team reported that the Office had not formally informed its employees of the nominations of new key IT security staff.

Updated conclusion: On the basis of the work performed in the follow-up internal audit, the Internal Audit team concluded that this matter had been addressed. The Office had issued a corporate message to inform its employees of the nominations of new key IT security staff.

In January 2018, the Internal Audit team also reported that it had not found evidence that Office management had approved the Office’s IT security policies.

Updated conclusion: On the basis of the work performed in the follow-up internal audit, the Internal Audit team concluded that Office management had addressed this issue. Office management informed us that instead of creating its own policies, the Office would adopt the Treasury Board’s new policies on security that were in effect as of 1 July 2019. Management also informed us that it had recently completed its assessment of compliance with the new policies.

Implementation of the IT security framework. In January 2018, the Internal Audit team reported that the Office had partially implemented or had not implemented many of the requirements in its policies and procedures.

Updated conclusion: On the basis of the work performed in the follow-up internal audit, the Internal Audit team concluded that this observation was no longer relevant because the Office had decided to adopt the Treasury Board’s new security policies instead of developing its own security policies.

Departmental Security Plan. In January 2018, the Internal Audit team reported that the Office had not updated its Departmental Security Plan to reflect changes in its IT security risks.

Updated conclusion: On the basis of the work performed in the follow-up internal audit, the Internal Audit team concluded that this observation had been addressed. A new Departmental Security Plan that considered current IT security risks had been issued for 2017 to 2020 and had been approved by the Auditor General of Canada on 31 January 2018.

Threat and risk assessments. In January 2018, the Internal Audit team reported that the Office had not regularly updated its threat and risk assessments. We also reported that management had since implemented a plan to address the issue.

Updated conclusion: On the basis of the work performed in the follow-up internal audit, the Internal Audit team concluded that management had made good progress toward achieving its plan to review the threat and risk assessments of all IT systems on a regular basis.

External and internal reporting. In January 2018, the Internal Audit team reported that the documentation process for reporting IT security incidents was clear, relevant, and understandable. However, the process was still in draft format.

Updated conclusion: On the basis of the work performed in the follow-up internal audit, the Internal Audit team concluded that this observation had been addressed. The documentation was finalized by management and approved by the Departmental Security Officer.

Contracts. In January 2018, the Internal Audit team reported that until May 2016, the contracting process had not automatically included verification of IT security requirements.

Updated conclusion: On the basis of the work performed in the follow-up internal audit, the Internal Audit team concluded that this observation had been addressed. The team noted that the checklist prepared by the Procurement team now included a requirement to consult security for each new contract.

Security risks from social engineering attacks. In January 2018, the Internal Audit team noted that social engineering exercises were an excellent way to assess staff members’ reactions to possible IT security attacks. However, the Office had not conducted this type of exercise since 2011.

Updated conclusion: On the basis of the work performed in the follow-up internal audit, the Internal Audit team concluded that management had addressed this matter by including social engineering exercises as part of its Departmental Security Plan.

Recommendations

We made no recommendations in our follow-up internal audit.

Conclusion

We concluded that the Office had made good progress, in line with the timeline initially agreed upon, to address the observations and recommendations from our January 2018 internal audit report on managing information technology security.

We note that management is continuing its work on those systems that were not selected in the initial self-assessment. The types of controls tested in management’s 2016 self-assessment were selected on the basis of a tailored approach in line with the Office’s risk environment. It is our understanding that management will continue to use this approach in its annual assessment of selected systems and controls.

Follow-up Internal Audit Hours

Review hours, 2019: actual (estimated) 300; budgeted 300; difference 0

Appendix—Criteria and Sources


Criterion: Management has put in place adequate measures to monitor its implementation of the Treasury Board’s new policy instruments and guidance that are relevant to IT security (if issued) and, if necessary, has taken action in a timely manner.

Source: Internal Audit Report—Managing Information Technology Security (Recommendation 48), Office of the Auditor General of Canada, January 2018

Criterion: Management has put in place adequate measures to annually assess its IT security procedures, standards, and guidelines to ensure that they are up to date and in line with the Treasury Board’s policy instruments and guidance that are relevant to IT security. The measures should include monitoring compliance with requirements.

Source: Internal Audit Report—Managing Information Technology Security (Recommendation 49), Office of the Auditor General of Canada, January 2018

Criterion: Management has done the following:

  • defined, documented, updated, and approved the roles and responsibilities for all positions that support IT security, including backup support for key positions; and
  • communicated its IT security governance framework promptly to all staff once management has approved changes to the framework.

Source: Internal Audit Report—Managing Information Technology Security (Recommendation 50), Office of the Auditor General of Canada, January 2018

Criterion: Management has made progress in implementing its action plan according to the target date for remediation.

Source: Internal Audit Report—Managing Information Technology Security (Recommendation 61), Office of the Auditor General of Canada, January 2018