
6th Privacy & Security Workshop Toronto, November 3, 2005 Richard Brisebois

Findings by the Auditor General of Canada on: Information Technology Security in the Federal Government. 6th Privacy & Security Workshop, Toronto, November 3, 2005, Richard Brisebois.


Presentation Transcript


  1. Findings by the Auditor General of Canada on: Information Technology Security in the Federal Government 6th Privacy & Security Workshop Toronto, November 3, 2005 Richard Brisebois

  2. Objective • To provide you with an insider’s perspective to the IT security report tabled in Parliament on February 15, 2005 • To provide you with an update of what has occurred since the tabling of the report

  3. Agenda • Background/personal notes • Findings of the 2002 report • Main points • Message from the AG • Press/media reaction • Events since February 2005 • Questions

  4. Background/personal notes • This report is a follow-up on our 2002 report • Not a horror story • Original plan was not to do an IT security 101 audit • Audit approach

  5. Findings of the 2002 report • 2002 revised GSP was an improvement • Updated the roles and responsibilities of TBS and 10 lead entities • Operational standards did not exist or were outdated • Little baseline information on the state of IT security across government

  6. Main point (1) Despite encouraging signs of improvement: • « The government has made unsatisfactory progress »

  7. « The government has made unsatisfactory progress » • GSP, MITS and other standards are a good foundation. • There are a number of standards that remain to be developed • IT security lead agencies are cooperating well and consult regularly on security matters. • More and more internal audits and VA’s are being done since 2002, but « UNSATISFACTORY PROGRESS » is based on: • TBS & OAG survey identified a general lack of compliance with GSP and MITS • Most VA’s reviewed identified several significant (HIGH) level vulnerabilities

  8. ITS Self-Assessment Results - 2004 • Of the 46 departments that completed responses, 1 met Maturity Level 1 and 2 requirements and 0 met only Level 1. A guesstimate would suggest that approximately 25% of the 45 who did not achieve at least Level 1, have a substantial amount of work in progress towards achieving at least Level 1. • Of the 45 departments that did not achieve at least level 1, 22 were identified as having some classified information, 13 with some Protected C information and 28 with some Protected B information. Several departments indicated that 100% of their information has no designation or classification.

  9. Main point (2) Senior management is often not aware of IT security risks

  10. Senior management is often not aware of IT security risks • 55% of departments surveyed had not completed a TRA of their systems. • 44% of departments had not performed VA’s • 55% had not done an audit of their ITS • You cannot fix what you do not know. • OAG message goes mainly to senior management: They have to be made aware of the risks and then decide if they want to spend the resources to address them • Each dept will be required to prepare an action plan, to be approved by the Deputy Head, and TBS will follow up • Cannot wait for a major disaster to occur to think of IT security

  11. Main point (3) TBS has not completely fulfilled its oversight role

  12. TBS has not completely fulfilled its oversight role • TBS has received only 10 of the 37 internal reports dealing with ITS • TBS has no formal process to obtain these internal ITS reports or to analyse their security findings • TBS has not yet prepared the mid-term GSP report which was due in the summer of 2004.

  13. Message from the AG • Overall, she was disappointed with the lack of progress • Purpose is not to point fingers and issue stern rebukes • She recognizes the difficulty and complexity of the task • Personally, she will continue to use online services

  14. Press/media reaction • We spent a lot of effort to ensure accurate coverage • Significant coverage • Except for titles, reporting was generally accurate • Constant attempts to find details • There is a continuing interest in the chapter

  15. Examples of Newspaper titles • Security lapses open public data to hackers • Security gaps in federal computers leave personal data vulnerable • FEDS 'VULNERABLE' TO CYBER-ATTACKS: AG • FEDS' COMPUTER SYSTEM IN PERIL • FEDS ARE TARGET OF HACKERS • Hacker heaven • LAX COMPUTER SECURITY NO SURPRISE: HACKER • Government not protecting data

  16. Events since February 2005 • Public Accounts Committee (March 23, 2005) • Letter to Deputy Ministers on MITS Action Plans (May 11, 2005) • MITS Action Plans submitted to TBS (Aug 26, 2005) • Response from the Government to PAC (Sept 21, 2005) • TBS action plan to PAC (Sept 30, 2005)

  17. Conclusion • It is disappointing that the government does not meet its own minimum standards for IT security, even though they have been known for over a decade. • Government systems and the sensitive data they hold are vulnerable to security breaches. • As more and more government services are offered on-line, individuals and businesses need to have confidence that the information they share will be protected

  18. Questions? Richard Brisebois Principal, IT Audit Services Office of the Auditor General of Canada Tel: (613) 952-0213 ext. 2235 Fax: (613) 957-9736 Richard.Brisebois@oag-bvg.gc.ca 240 Sparks Street Ottawa, Ontario, Canada K1A 0G6 www.oag-bvg.gc.ca
