Audit of Information Technology Security

Agriculture and Agri-Food Canada - Office of Audit and Evaluation, February 4, 2015

Canadian Food Inspection Agency - Audit and Evaluation Branch, May 29, 2015


Executive summary

Agriculture and Agri-Food Canada (AAFC) and the Canadian Food Inspection Agency (CFIA) manage sensitive digital information, and Information Technology (IT) security has become a significant concern, given the increasing sophistication and prevalence of IT threats, as well as the public's increasing awareness and expectations related to the safeguarding of their information by organizations. AAFC and CFIA's operational environments pose challenges from an IT Security perspective, given their decentralized nature, with regional operations across the country. Furthermore, the IT and operational environments of AAFC and CFIA are undergoing renewal and transformation.

AAFC and CFIA have been impacted by the creation of Shared Services Canada (SSC) and the resulting consolidation of IT infrastructure-related services for the Federal Government of Canada. In the summer of 2011, IT infrastructure-related services that were formerly performed by AAFC and CFIA were transitioned to SSC. This consolidation included the monitoring of the security detection devices related to the IT infrastructure and the transition of AAFC and CFIA personnel who carried out these services.

Managing IT security has been and remains a top priority for AAFC, CFIA and SSC.

The audit included a review of the processes and controls in place at AAFC and CFIA to oversee and govern the IT Security related services provided by SSC.

The AAFC's Information Systems Branch (ISB) and CFIA's Information Management and Information Technology (IMIT) Branch report to the same individual who holds dual positions: AAFC's Assistant Deputy Minister (ADM) ISB and CFIA's Vice President, IMIT. AAFC is a third party service provider for CFIA for the provision of IT systems, including the corporate financial and human resources (HR) systems. Given the above, and the interconnectedness of AAFC and CFIA's operational environments, as well as similarities in relation to the potential IT security challenges, both organizations considered the benefits of conducting a joint IT Security Audit.

As federal government entities, both AAFC and CFIA are required to adhere to the Treasury Board's baseline security requirements as outlined in the Policy on Government Security (PGS) and related directives, standards and guidance.

The IT Security audit was included in AAFC's 2013-2016 Risk-Based Audit Plan and the CFIA's 2013-2016 Risk-Based Audit Plan. As IT security was identified as a significant risk, the objective of the audit was to provide assurance that AAFC and CFIA have adequate controls related to IT security in place for their IT systems, and that these controls are operating efficiently and effectively. The scope of the audit focused on current IT security-related processes in place within AAFC and CFIA, with audit testing focused on the 2013-14 fiscal year.

As identified throughout the report, AAFC and CFIA have taken a number of positive steps related to IT security. Despite this, the audit found that gaps exist in the current IT security control framework. Opportunities for improvement in order to address these gaps are related to IT security governance, IT security risk management, security controls related to third party service providers, the management of sensitive digital information, physical security to IT assets, IT security risk assessment related to IT systems, and the implementation of logical access controls for IT systems. The audit provides a number of recommendations to address these identified gaps. While the audit focused on the management control framework for IT security, there were no specific security breaches identified.

1.0 Introduction

1.1 Background

Background specific to Agriculture and Agri-Food Canada

Background specific to the Canadian Food Inspection Agency

1.2 Audit objective

1.3 Audit scope

1.4 Audit approach

1.5 Conclusion

1.6 Statement of conformance

2.0 Detailed observations, recommendations and management responses

2.1 Information Technology security governance

Findings specific to Agriculture and Agri-Food Canada

Findings specific to the Canadian Food Inspection Agency

2.1.7 Recommendations

2.2 Information Technology security risk management

Findings specific to Agriculture and Agri-Food Canada

Findings specific to the Canadian Food Inspection Agency

2.2.9 Recommendation

2.3 Third party management

Findings specific to Agriculture and Agri-Food Canada

Findings specific to the Canadian Food Inspection Agency

2.3.9 Recommendation

2.4 Management of digital information

Findings specific to Agriculture and Agri-Food Canada

Findings specific to the Canadian Food Inspection Agency

2.4.14 Recommendations

2.5 Physical security to Information Technology assets

Findings specific to Agriculture and Agri-Food Canada

Findings specific to the Canadian Food Inspection Agency

2.5.9 Recommendations

2.6 Information Technology security risk assessment

Findings specific to Agriculture and Agri-Food Canada

Findings specific to the Canadian Food Inspection Agency

2.6.8 Recommendations

2.7 Logical access controls

Findings specific to Agriculture and Agri-Food Canada

Findings specific to the Canadian Food Inspection Agency

2.7.14 Recommendations

Annex A: Audit criteria

Line of enquiry 1:
A governance structure for Information Technology (IT) Security has been established for the Department / Agency and its relationship with partners and third parties.

Line of enquiry 2:
A formal process for the management of sensitive information assets exists and is consistently implemented to ensure the appropriate classification, use, and management of sensitive digital information.

Line of enquiry 3:
A formal process for IT security risk management is in place and implemented for IT systems.

Line of enquiry 4:
Logical access to systems is appropriately restricted to authorized users.

Annex B: Acronyms

AAFC: Agriculture and Agri-Food Canada
AD: Active Directory
ADD: Applications Development Directorate
ADM: Assistant Deputy Minister
AEB: Audit and Evaluation Branch
AMCP: Asset Management and Capital Planning
ASO: Agency Security Officer
ASP: Agency Security Plan
CFIA: Canadian Food Inspection Agency
CFO: Chief Financial Officer
CMB: Corporate Management Branch
CSEC: Communications Security Establishment Canada
DG: Director General
DSO: Departmental Security Officer
DSMC: Departmental Security Management Committee
DSP: Departmental Security Plan
DSROR: Departmental Security Risk and Opportunity Register
HMC: Horizontal Management Committee
HR: Human Resources
IMIT: Information Management and Information Technology
IMS: Information Management Services
ISB: Information Systems Branch
IT: Information Technology
ITSC: Information Technology Security Coordinator
ITSRM: Information Technology Security Risk Management
ITSWG: IT Security Working Group
NHCAP: National Headquarters Complex for the Agriculture Portfolio
OAE: Office of Audit and Evaluation
OAG: Office of the Auditor General
PGS: Policy on Government Security
PWGSC: Public Works and Government Services Canada
RDIMS: Record Document Information Management System
SA&A: Security Assessment and Authorization
SDLC: System Development Life Cycle
SISC: Security and Identity Steering Committee
SMD: Strategic Management Directorate
SPMC: Security Program Management Committee
SRCL: Security Requirements Checklist
SSC: Shared Services Canada
TRA: Threat and Risk Assessment
VA: Vulnerability Assessment