Audit of Information Technology Security

Agriculture and Agri-Food Canada - Office of Audit and Evaluation, February 4, 2015

Canadian Food Inspection Agency - Audit and Evaluation Branch, May 29, 2015

Executive summary

Agriculture and Agri-Food Canada (AAFC) and the Canadian Food Inspection Agency (CFIA) manage sensitive digital information, and Information Technology (IT) security has become a significant concern, given the increasing sophistication and prevalence of IT threats, as well as the public's increasing awareness and expectations related to the safeguarding of their information by organizations. AAFC and CFIA's operational environments pose challenges from an IT Security perspective, given their decentralized nature, with regional operations across the country. Furthermore, the IT and operational environments of AAFC and CFIA are undergoing renewal and transformation.

AAFC and CFIA have been impacted by the creation of Shared Services Canada (SSC) and the resulting consolidation of IT infrastructure-related services for the Federal Government of Canada. In the summer of 2011, IT infrastructure-related services that were formerly performed by AAFC and CFIA were transitioned to SSC. This consolidation included the monitoring of the security detection devices related to the IT infrastructure and the transition of AAFC and CFIA personnel who carried out these services.

Managing IT security has been and remains a top priority for AAFC, CFIA and SSC.

The audit included a review of the processes and controls in place at AAFC and CFIA to oversee and govern the IT Security related services provided by SSC.

The AAFC's Information Systems Branch (ISB) and CFIA's Information Management and Information Technology (IMIT) Branch report to the same individual who holds dual positions: AAFC's Assistant Deputy Minister (ADM) ISB and CFIA's Vice President, IMIT. AAFC is a third party service provider for CFIA for the provision of IT systems, including the corporate financial and human resources (HR) systems. Given the above, and the interconnectedness of AAFC and CFIA's operational environments, as well as similarities in relation to the potential IT security challenges, both organizations considered the benefits of conducting a joint IT Security Audit.

As federal government entities, both AAFC and CFIA are required to adhere to the Treasury Board's baseline security requirements as outlined in the Policy on Government Security (PGS) and related directives, standards and guidance.

The IT Security audit was included in AAFC's 2013-2016 Risk-Based Audit Plan and the CFIA's 2013-2016 Risk-Based Audit Plan. As IT security was identified as a significant risk, the objective of the audit was to provide assurance that AAFC and CFIA have adequate controls related to IT security in place for their IT systems, and that these controls were operating efficiently and effectively. The scope of the audit focused on current IT security-related processes in place within AAFC and CFIA, with audit testing focused on the 2013-14 fiscal year.

As identified throughout the report, AAFC and CFIA have taken a number of positive steps related to IT security. Despite this, the audit found that gaps exist in the current IT security control framework. Opportunities for improvement in order to address these gaps are related to IT security governance, IT security risk management, security controls related to third party service providers, the management of sensitive digital information, physical security to IT assets, IT security risk assessment related to IT systems, and the implementation of logical access controls for IT systems. The audit provides a number of recommendations to address these identified gaps. While the audit focused on the management control framework for IT security, there were no specific security breaches identified.

1.0 Introduction

1.1 Background

Background specific to Agriculture and Agri-Food Canada

Background specific to the Canadian Food Inspection Agency

1.2 Audit objective

1.3 Audit scope

1.4 Audit approach

1.5 Conclusion

1.6 Statement of conformance

2.0 Detailed observations, recommendations and management responses

2.1 Information Technology security governance

Findings specific to Agriculture and Agri-Food Canada

Findings specific to the Canadian Food Inspection Agency

2.1.7 Recommendations

2.2 Information Technology security risk management

Findings specific to Agriculture and Agri-Food Canada

Findings specific to the Canadian Food Inspection Agency

2.2.9 Recommendation

2.3 Third party management

Findings specific to Agriculture and Agri-Food Canada

Findings specific to the Canadian Food Inspection Agency

2.3.9 Recommendation

2.4 Management of digital information

Findings specific to Agriculture and Agri-Food Canada

Findings specific to the Canadian Food Inspection Agency

2.4.14 Recommendations

2.5 Physical security to Information Technology assets

Findings specific to Agriculture and Agri-Food Canada

Findings specific to the Canadian Food Inspection Agency

2.5.9 Recommendations

2.6 Information Technology security risk assessment

Findings specific to Agriculture and Agri-Food Canada

Findings specific to the Canadian Food Inspection Agency

2.6.8 Recommendations

2.7 Logical access controls

Findings specific to Agriculture and Agri-Food Canada

Findings specific to the Canadian Food Inspection Agency

2.7.14 Recommendations

Annex A: Audit criteria

Line of enquiry 1:
A governance structure for Information Technology (IT) Security has been established for the Department / Agency and its relationship with partners and third parties.

Line of enquiry 2:
A formal process for the management of sensitive information assets exists and is consistently implemented to ensure the appropriate classification, use, and management of sensitive digital information.

Line of enquiry 3:
A formal process for IT security risk management is in place and implemented for IT systems.

Line of enquiry 4:
Logical access to systems is appropriately restricted to authorized users.

Annex B: Acronyms

Agriculture and Agri-Food Canada
Active Directory
Applications Development Directorate
Assistant Deputy Minister
Audit and Evaluation Branch
Asset Management and Capital Planning
Agency Security Officer
Agency Security Plan
Canadian Food Inspection Agency
Chief Financial Officer
Corporate Management Branch
Communications Security Establishment Canada
Director General
Departmental Security Officer
Departmental Security Management Committee
Departmental Security Plan
Departmental Security Risk and Opportunity Register
Horizontal Management Committee
Human Resources
Information Management and Information Technology
Information Management Services
Information Systems Branch
Information Technology
Information Technology Security Coordinator
Information Technology Security Risk Management
IT Security Working Group
National Headquarters Complex for the Agriculture Portfolio
Office of Audit and Evaluation
Office of the Auditor General
Policy on Government Security
Public Works and Government Services Canada
Record Document Information Management System
Security Assessment and Authorization
System Development Life Cycle
Security and Identity Steering Committee
Strategic Management Directorate
Security Program Management Committee
Security Requirements Checklist
Shared Services Canada
Threat and Risk Assessment
Vulnerability Assessment