February 2017
Project Number: 80590-97
Table of Contents
- Executive Summary
- Conformance with Professional Standards
- Introduction
- Findings and Recommendations for Management's Consideration
- Appendices
- Review of IT Infrastructure Access and Continuity Management, Management Action Plan, Status at June 30, 2017
Note to readers: this report contains information severed in accordance with the Access to Information Act
Executive Summary
Statistics Canada shares the management of Information Technology (IT) with its Government of Canada partner, Shared Services Canada. This shared accountability requires Statistics Canada to develop effective communications with its partner, which will ensure the continued delivery of its programs and the protection of its Sensitive Statistical Information (SSI).
Shared Services Canada manages the IT infrastructure for Statistics Canada, including network and data centre components. SSI is stored on the network and must be protected. In addition, Statistics Canada requires information on IT infrastructure risks to make informed decisions on mitigation strategies.
The objectives of this review were to assess whether Statistics Canada has:
- An adequate management control framework in place to manage IT Infrastructure-related risks; and,
- Effective mechanisms to monitor third-party compliance with the requirements of the Directive on the Security of Sensitive Statistical Information and the agency's IT Policy Suite.
The scope of the review included the following elements: roles, responsibilities, accountabilities, authorities, policies, procedures, and monitoring mechanisms established within Statistics Canada, as they relate to IT infrastructure. The scope of this review was limited to documentation, consultations and interviews with employees of Statistics Canada.
Why is this important?
Statistics Canada retains the responsibility for the continued delivery of its programs and the protection of its sensitive data even when stored on infrastructure managed by a third party. This requires Statistics Canada to have policies and processes that will allow it to exercise these responsibilities. Statistics Canada is currently working closely with Shared Services Canada on identifying IT infrastructure requirements and this review will identify considerations for current and future business arrangements.
Key Findings
IT Policies, including roles and responsibilities for the protection of SSI stored on IT Infrastructure have been updated to reflect the current operating environment.
Statistics Canada has processes in place to control and grant employee access to SSI data [This information has been severed].
The Statistics Act Oath of Secrecy is a key control to ensure that employees and deemed employees understand their responsibilities for the protection of SSI. Statistics Canada cannot confirm that all external partner employees having access to the infrastructure have taken the Statistics Act Oath of Secrecy.
Statistics Canada is managing priorities, risks, and issues related to IT infrastructure availability through negotiations with Shared Services Canada. Plans are in place to address key risks to IT capacity issues.
Security Assessment and Authorization Activities (SA&A) identify security risks to IT systems that should be addressed. Statistics Canada does not have sufficient and timely information on SA&A activities on either the legacy infrastructure or the new infrastructure. This issue should be escalated to the relevant Statistics Canada committees for resolution.
Plans are in place to provide risk mitigation strategies in the event of an IT service disruption, but some key IT considerations have not been adequately addressed. [This information has been severed].
Overall Conclusion
Statistics Canada has clearly identified roles and responsibilities for the protection of SSI. Further work is required on the development of processes to obtain assurance over all potential access to SSI stored on the network.
Statistics Canada does not have sufficient or timely information pertaining to all infrastructure risks. Business continuity plans and backup strategies should be further refined to reduce risks resulting from potential IT service disruptions.
Conformance with Professional Standards
This review engagement conforms with the Internal Auditing Standards for the Government of Canada, as supported by the results of a quality assurance and improvement program.
Sufficient and appropriate audit procedures have been conducted and evidence gathered to support the accuracy of the findings and conclusions in this review and to provide an audit level of assurance. The findings and conclusions are based on a comparison of the conditions, as they existed at the time, against pre-established audit criteria. The findings and conclusions are applicable to the entity examined and for the scope and time period covered by the review.
Steven McRoberts
Chief Audit & Evaluation Executive
Introduction
Background
Statistics Canada in its role in producing information on Canadian economic and social trends utilizes information technology to gather, store, analyse and disseminate statistical data. Statistics Canada is committed to ensuring that the confidentiality of all data provided to the agency and processed through its information technology infrastructure is protected.
The management of Information Technology (IT) Infrastructure Security that is used to support Statistics Canada's Operations is done in consideration of the requirements of the Statistics Act and the Treasury Board Policy on Government Security.
The Statistics Act requires employees and deemed employees of the agency to take a Statistics Act Oath of Secrecy to not divulge information to which they may have access during the course of their employment. The Policy on Government Security requires heads of government departments and agencies to effectively manage security activities and contribute to effective government-wide security management.
IT infrastructure management has been a shared responsibility between Statistics Canada and its Government of Canada partner, Shared Services Canada since 2011. Shared Services Canada owns and maintains most of the IT infrastructure for the agency. Statistics Canada is responsible and accountable for protection of all Sensitive Statistical Information (SSI) held within the IT infrastructure. Shared Services Canada's employees, as service providers, are deemed employees under the Act and subject to the oath and the same security provisions as Statistics Canada employees.
Security requirements over SSI are outlined in Statistics Canada's Directive on the Security of Sensitive Statistical Information (DSSSI). The objective of the DSSSI is to protect the confidentiality of all SSI as required by the Statistics Act. According to the DSSSI, the Information Technology Operations Division (ITOD) is responsible for having procedures and controls in place to limit access only to authorized users and protect all SSI in electronic format held by Statistics Canada, including those stored on IT infrastructure managed by an external partner.
In addition, with Statistics Canada's reliance on a third-party to manage its infrastructure, it is critical that there are appropriate risk identification and mitigation strategies in place. This includes ensuring that there is a plan to deliver on the critical elements of Statistics Canada's business such as the production of key economic indicators in the event of a disruption of service to the IT infrastructure.
Given the complexity of the shared management responsibility for IT infrastructure, a review of the control framework was included in the 2016-2019 Risk-Based Audit Plan.
Review Objectives
The objectives of this review were to assess whether Statistics Canada has:
- An adequate management control framework in place to manage IT Infrastructure-related risks; and,
- Effective mechanisms to monitor third-party compliance with the requirements of the DSSSI and the agency's IT Policy Suite.
Scope
The scope of the review included the following elements: roles, responsibilities, accountabilities, authorities, policies, procedures, and monitoring mechanisms established within Statistics Canada, as they relate to IT infrastructure. Coverage included the legacy IT infrastructure located on [This information has been severed], and the new IT infrastructure established within the new Data Centre in [This information has been severed]. The scope of the review also included business continuity planning for high risk areas, including the release of key economic indicators.
Approach and Methodology
The review focused on the examination of documents, interviews with key senior management and personnel, and a review of mechanisms in place to ensure compliance with relevant acts, policies, directives and guidelines.
This review was conducted in accordance with the Internal Auditing Standards for the Government of Canada, which includes the Institute of Internal Auditors International Professional Practices Framework.
Authority
The review was conducted under the authority of the approved Statistics Canada Integrated Risk-based Audit and Evaluation Plan 2016/17 to 2020/21.
Findings and Recommendations for Management's Consideration
IT Policies and Processes for compliance with the Statistics Act and the DSSSI
IT Policies, including roles and responsibilities for the protection of SSI stored on IT Infrastructure, have been updated to reflect the current operating environment.
Statistics Canada has processes in place to control and grant employee access to SSI data [This information has been severed].
The Statistics Act Oath of Secrecy is a key control to ensure that employees and deemed employees understand their responsibilities for the protection of SSI. Statistics Canada cannot confirm that all external partner employees having access to the infrastructure housing SSI have taken the Statistics Act Oath of Secrecy.
Statistics Canada is managing priorities, risk, and issues related to IT infrastructure availability through negotiations with Shared Services Canada. Plans are in place to address key risks to IT capacity issues.
Roles, responsibilities and accountabilities for the management of IT Security, including the protection of SSI (SSI) should be outlined in Statistics Canada's IT policies and processes. Access to SSI should be limited and expectations for the use and protection of SSI should be clearly communicated.
IT Policies have been updated to reflect the current operating environment including roles and responsibilities for the protection of SSI
The protection of SSI at Statistics Canada is governed by the IT Security Policy, the Policy on Network Use, Chapter 5 of the Security Practices Manual and the DSSSI. These policies provide the governance and expected control environment in order to meet obligations for the protection of data under the Statistics Act.
The review team examined the IT Security Policy, Policy on Network Use and Chapter 5 of the Security Practices Manual to determine if they have been updated to reflect roles and responsibilities of Statistics Canada within the shared operating environment. The review found that roles and responsibilities were updated accordingly, however, not all of these policy instruments have been approved.
The review team also examined the Directive on Security of SSI. The DSSSI was revised in 2012 to include roles and responsibilities for Statistics Canada's oversight of SSI stored on a network managed by an external partner.
The DSSSI requires Statistics Canada to have procedures and controls in place to limit access only to authorized users and protect all SSI in electronic format held by Statistics Canada, including those stored on IT infrastructure managed by an external partner. It also requires Statistics Canada to coordinate with managers of external partners to ensure that they develop and maintain procedures to meet the requirements of the directive with respect to their operations. Lastly, the DSSSI requires Statistics Canada to ensure that staff of external partners requiring access for job-related purposes to email, data centres and networks where SSI is held are administered the Statistics Act Oath of Secrecy as required by section 5(2) of the Statistics Act and described in section 6 of the Statistics Act. It also indicates that the number of deemed employees should be limited to the minimum possible.
Statistics Canada has processes in place to control and grant employee access to SSI data [This information has been severed]
Privileged accounts are user accounts that have network-level administrative rights to create/delete user accounts, grant/revoke access to various files and shared folders housed on the network using [This information has been severed]. The Information Technology and Operations Division (ITOD) stated that Shared Services Canada employees have access to Network A for maintenance, but are not operationally required to open specific folders or view information contents. It would not be appropriate for these employees to access SSI information.
Network A is a network that is highly restricted from outside connections such as Internet or other wireless capabilities, and cannot be accessed from outside sources. Files and folders containing SSI collected under the Statistics Act and protected pre-release information are stored on Network A. Access to certain SSI is restricted through the use of application level controls, [This information has been severed].
In addition, [This information has been severed].
Statistics Canada cannot confirm that all Shared Services Canada employees having access to the infrastructure housing SSI have taken the Statistics Act Oath of Secrecy
Shared Service Canada employees are considered deemed employees under the Statistics Act and as such they are required to take the Statistics Act Oath of Secrecy and acknowledge their responsibilities for the protection of SSI in compliance with the DSSSI and the Statistics Act.
The following process has been in place since April 2016. Shared Services Canada informs the Director of ITOD of new SSC staff members requiring access to the infrastructure to support Statistics Canada's operations. Upon notification, delegated ITOD managers will administer the Oath and keep a record of the justification for the need to access the infrastructure.
Prior to April 2016, Oaths taken by SSC employees actively assigned to the infrastructure housing Statistics Canada data were not formally tracked by ITOD. The Information Management Division (IMD) is responsible for keeping records of Oaths administered throughout the department.
In October 2016, the Informatics Branch submitted a list of active Shared Services Canada employees to IMD for verification of records of the Oath having been administered. Results of this verification revealed that there were some Oath forms missing due to inconsistent record management practices at Statistics Canada. Therefore, Statistics Canada cannot provide written evidence that all active Shared Services Canada employees with access to IT infrastructure housing SSI have signed the Statistics Act Oath of Secrecy and acknowledged their responsibilities as deemed employees. As part of the next steps, interviews revealed that ITOD is planning to identify which of these employees are still active and will have the oath re-administered.
Priorities, risks and issues related to IT infrastructure availability are managed through current negotiations with Shared Services Canada
Priorities, risks and issues related to availability of the IT infrastructure and restricted access to SSI should be managed and communicated in a timely manner, both within Statistics Canada and Shared Services Canada.
In October 2016, Statistics Canada and Shared Services Canada entered into an agreement to address IT capacity issues identified for the legacy infrastructure, which supports the majority of Statistics Canada's operations. It was also agreed to document by mid-April 2017 a migration strategy that will outline the vision, strategy, roles and responsibilities, activities and security considerations with the objective of migrating all applications from the [This information has been severed] Data Centre to the [This information has been severed] Enterprise Data Centre.
ITOD has a process to manage its priorities, risks and issues impacting the availability of the legacy IT infrastructure supporting Statistics Canada operations. Priorities are currently at the heart of the collaborative efforts underway to resolve capacity issues.
There is a documented process in place which includes the escalation of high risks
There should be a documented process in place which includes the escalation of high risk areas including IT related incidents that impact compliance with the Statistics Act.
ITOD has a detailed process flow chart illustrating how incidents are reported within Statistics Canada. The chart also shows that there is a triage which serves to identify major incidents for escalation. When incidents are deemed to be major, they are routed to a coordinator, who has a direct line to contact the Shared Services Canada Service Desk. Interviews with ITOD and IMD indicated that they are not aware of any incidents related to SSI by third party service providers.
Recommendations for management's consideration:
It is recommended that the Assistant Chief Statistician, Corporate ServicesFootnote 1 ensure that:
- [This information has been severed].
- There is an effective process for administering and tracking the Statistics Act Oath of Secrecy for all employees and deemed employees prior to granting access.
Management Response
Management agrees with the recommendations.
- ITOD will prepare a business case to put in place tools for [This information has been severed].
- ITOD will coordinate with IMD to review the process for administering and tracking the Oath for SSC employees prior to granting access.
Deliverables and Timeline:
- The Director, ITOD will produce a Business Case Report—"Monitoring and Access Control Tools" by March 31, 2017.
- The Director, ITOD, with the support of the Director, IMD, and support from the SSC Liaison, will implement a process to ensure that an up-to-date list of SSC employees with access to SSI is maintained, along with evidence of administration of Oath, by June 30, 2017.
IT Infrastructure Risk Management through SA&A
Security Assessment and Authorization Activities identify security risks to IT systems that should be addressed. Statistics Canada does not have adequate and timely information on SA&A activities on either the legacy infrastructure or the new infrastructure. In addition, this issue should be escalated to the relevant committees for resolution.
Security Assessment & Authorization (SA&A) and other IT infrastructure risk management activities should be performed in order to identify risks and ensure risk mitigation measures are implemented in a timely manner. The purpose of SA&A activities is to assess security controls and potential risks within IT systems and grant authorization to operate these systems in the production environment.
Statistics Canada does not have sufficient or timely information on SA&A Activities on IT infrastructure
SA&A activities should be performed on the IT infrastructure. Shared Services Canada as the owner of the IT infrastructure has the responsibility to conduct these activities.
Interviews with the Director of ITOD revealed that Statistics Canada has limited information on SA&A activities for the legacy IT infrastructure. For example, SA&A activities were conducted for the addition of [This information has been severed], however Statistics Canada obtained limited details on any residual risks.
Statistics Canada has started to leverage the new IT infrastructure. Shared Services Canada has created an Enclave in its new Enterprise Data Centre for Statistics Canada, which was first used for the 2016 Census. An Enclave is a separate area within a larger data centre that is specifically designated for Statistics Canada and has distinct access controls. Statistics Canada is planning to use the Enclave for other upcoming initiatives, including the New Dissemination Model (NDM).
For the 2016 Census, Statistics Canada received information on SA&A activities conducted on the new infrastructure being used for the Census. On April 15, 2016, information was provided by Shared Services Canada on [This information has been severed] preliminary risks that should be addressed. These risks [This information has been severed] and governance processes. However, the Census was scheduled to start in early May, [This information has been severed].
The NDM is the next significant project to use the new IT infrastructure. The review team examined the implementation plan for the NDM. The review of the plan revealed that Statistics Canada has identified SA&A activities at each stage of the NDM project lifecycle. However, there were no SA&A activities identified for the IT infrastructure. The integration of SA&A activities at different checkpoints of a project is considered a good practice to help reduce risks in a timely manner and prior to full implementation of a project.
The review team noted that the draft Departmental Project Management Framework indicates that SA&A documentation is to be reviewed by the Security Review Committee, Technology Review Committee, and IT Architecture Committee. A review of the minutes of these committees revealed that the absence of timely SA&A activities on both the legacy and new infrastructure had not been identified as an issue.
Without timely information on SA&A activities, Statistics Canada will have limited knowledge into the IT security risks present within the IT infrastructure in order to make informed decisions around additional controls that should be implemented to protect SSI stored or processed on its IT infrastructure.
Recommendations for management's consideration:
It is recommended that the Assistant Chief Statistician, Corporate ServicesFootnote 1 ensure that:
- Statistics Canada obtains timely SA&A information for IT Infrastructure, including Legacy infrastructure, and implements risk mitigation strategies in the absence of timely SA&A activities.
- SA&A required deliverables for IT infrastructure are integrated at different checkpoints in the Departmental Project Management Framework and other IT enabled project lifecycle-related documents.
Management Response
Management agrees with the recommendations.
- ITOD will work out an agreement with SSC to obtain SA&A inputs required in order to adequately manage risk.
- ITOD will review the joint SA&A process and identify opportunities for improvements.
Deliverables and Timeline:
- The Director, ITOD will produce a list of SA&A deliverables agreed upon by SSC to be supplied as part of SA&A process for each project, as required, by June 30, 2017.
- The Director, ITOD will ensure that clear SSC deliverables are identified in the SA&A process by June 30, 2017.
IT Continuity Management
Plans are in place to provide risk mitigation strategies in the event of an IT service disruption, but some key IT components have not been adequately addressed. Programs have not identified [This information has been severed] that reduce the program delivery risks resulting from an IT service disruption.
The Informatics Branch has not developed a [This information has been severed]strategy to meet the needs of programs in case of a critical event which significantly impacts the [This information has been severed].
An IT Continuity Management (ITCM) program should be in place to help ensure the continuity of critical programs in the event of a disruption. This includes a governance structure, a business impact analysis identifying IT dependencies, Maximum Allowable Downtimes (MADs), and the development of IT Continuity Plans that are tested and updated on a regular basis.
Plans are in place to support business resumption but key IT components have not been adequately addressed
An ITCM program includes the identification of IT requirements, IT dependencies and a business resumption strategy in the event of an IT disruption for mission critical programs and services. These requirements are generally identified within Business Continuity Plans (BCPs). Statistics Canada has identified 12 Mission Critical Programs, as well as 10 mission critical service areas supporting those programs, including the Informatics Branch as specified in the Statistics Canada Business Continuity and Resumption Planning (BCRP) Directive.
The review team requested the BCPs for all 12 programs and the Informatics Branch. All 12 mission critical programs have a BCP as well as the Informatics Branch. However, each BCP is at different stages of development.
A sample of nine program BCPs were examined to determine whether key IT requirements have been identified. The review indicated a need to improve the robustness of these plans.
A review of the program BCPs indicate they rely on the availability of the [This information has been severed] Data Centre. [This information has been severed]. In addition, one BCP did not list the IT databases, servers, or services on which it depends.
[This information has been severed] this could impact Statistics Canada's business resumption capabilities.
The review team also assessed the adequacy of the Informatics Branch BCP. The review identified opportunities to improve this plan. [This information has been severed] It also does not list the IT components identified in program BCPs and prioritize the order in which IT components must be restored, and [This information has been severed].
Recommendations for management's consideration:
It is recommended that the Assistant Chief Statistician, Corporate ServicesFootnote 1 ensure that:
- Consideration is given to [This information has been severed].
- Coordinating an IT recovery strategy with mission critical programs that will ensure that business continuity plans are effective in the event of critical incidents.
Management Response
Management agrees with the recommendations.
- ITOD will prepare a business case to migrate redundant backup capability to [This information has been severed].
- ITOD will be prepare a business case to ensure "cold-standbyFootnote 2" capacity is available [This information has been severed]
- ITOD will obtain SSC's business continuity plan that supports Statistics Canada's Mission Critical programs and coordinate with them to ensure that any gaps in the joint plans are addressed.
Deliverables and Timeline:
- The Director, ITOD will produce a Business Case Document [This information has been severed], by September 30, 2017.
- The Director, ITOD will produce a Business Case Document [This information has been severed], by September 30, 2017.
- The Director, ITOD will obtain a copy of SSC BCP supporting our mission-critical operations, by March 31, 2018.
Appendices
Appendix A: Audit Criteria
| Control Objective / Core Controls / Criteria | Sub-Criteria | Policy Instrument |
|---|---|---|
|
Objective 1: Statistics Canada has an adequate management control framework in place to manage IT Infrastructure-related risks. |
||
|
1.1 There is appropriate governance and clear accountability over the management of IT Infrastructure. |
1.1.1 IT policy suite has been updated to reflect the current context and access and availability risk environment. 1.1.2 There is a process in place to manage priorities, risks and issues related to IT infrastructure access and availability. 1.1.3 There is a process in place to administer oaths and training on DSSSI to Shared Services Canada employees assigned to manage the IT infrastructure. 1.1.4 There is a process to escalate high risks in a timely manner. |
|
|
1.2 There are appropriate risk management practices including mitigation strategies surrounding IT Infrastructure. |
1.2.1 ITOD ensures that Shared Services Canada conducts SA&A activities on the legacy IT infrastructure on a timely manner, and has a process in place to actively manage access and availability of the IT infrastructure-related risks identified by Shared Services Canada through SA&A or other risk management activities. 1.2.2 ITOD ensures that Shared Services Canada conducts SA&A activities on the new IT infrastructure (e.g. the enclave) in a timely manner, and has a process in place to actively manage IT infrastructure-related risks identified by Shared Services Canada through SA&A or other risk management. 1.2.3 ITOD ensures that Shared Services Canada has documented procedures for the management of privileged Shared Services Canada accounts who may access SSI, and a process to inform Statistics Canada of violations that impact SSI. 1.2.4 There is a process at Shared Services Canada to inform Statistics Canada of IT infrastructure-related incidents that may involve SSI. 1.2.5 ITOD formally manages its risk pertaining to capacity for its legacy IT infrastructure. |
|
|
1.3 There is an IT Continuity Program in place for IT infrastructure including governance, business impact analysis, business continuity plans and maintenance of ITCP readiness. |
1.3.1 An ITCP program is in place to ensure delivery on the agency's mission-critical programs. |
|
|
Objective 2: Statistics Canada has effective mechanisms to monitor third-party compliance with the requirements of the Directive on the Security of Sensitive Statistical Information (DSSSI) and the agency's IT Policy Suite. |
||
|
2.1 ITOD has a process in place to ensure compliance with the IT Infrastructure-related requirements of the DSSSI and the Statistics Canada IT Policy Suite. |
2.1.1 ITOD has developed specific procedures to help ensure Shared Services Canada complies with the IT Infrastructure-related requirements of the DSSSI, and 2.1.2 ITOD monitors the IT Infrastructure-related requirements of the DSSSI for compliance. |
|
Appendix B: Acronyms
- BCP
- Business Continuity Plans
- BCRP
- Business Continuity and Resumption Planning
- DSSSI
- Directive on the Security of Sensitive Statistical Information
- IIA
- Institute of Internal Auditors
- IT
- Information Technology
- ITCM
- IT Continuity Management
- ITOD
- Information Technology Operations Division
- ITSG
- IT Security Guidance
- MADs
- Maximum Allowable Downtimes
- NDM
- New Dissemination Model
- SA&A
- Security Assessment & Authorization
- SCC
- Security Coordination Committee
- SSI
- Sensitive Statistical Information collected and produced under the Statistics Act
- TB
- Treasury Board of Canada
Review of IT Infrastructure Access and Continuity Management, Management Action Plan, Status at June 30, 2017
| Action Item | Updates |
|---|---|
|
ITOD will prepare a business case to put in place tools for [This information has been severed].
|
Business case completed. Request For Proposal being processed by SSC. |
|
ITOD will coordinate with IMD to review the process for administering and tracking the Oath for SSC employees prior to granting access.
|
Completed. |
|
ITOD will work out an agreement with SSC to obtain SA&A inputs required in order to adequately manage risk.
|
Completed. |
|
ITOD will review the joint SA&A process and identify opportunities for improvements.
|
Ongoing. |
|
ITOD will prepare a business case to migrate redundant backup capability [This information has been severed].
|
Business Requirement Document has been sent to SSC, they are starting the preliminary cost analysis. |
|
ITOD will be prepare a business case to ensure "cold-standby" capacity is available [This information has been severed].
A cold standby is a redundancy method that involves having one system as a backup for another identical primary system. The cold standby system is called upon only on failure of the primary system. |
Investigating possible approaches to improve availability. |
|
ITOD will request SSC's business continuity plan that supports Statistics Canada's Mission Critical programs and coordinate with them to ensure that any gaps in the joint plans are addressed.
|
Official request has been sent to SSC. |