Audit Report
December 17, 2012
Project Number: 80590-73
- Executive Summary
- Introduction
- Background
- Audit Objectives
- Scope
- Approach
- Authority
- Findings, Recommendations and Management Responses
- Control environment for the management of the DSA
- Data Stewardship
- Physical and Informatics Technology (IT) security
- Appendices
- Appendix A: Audit Criteria
- Appendix B: Acronyms
Executive summary
To achieve its mandate, Manufacturing and Energy Division (MED) enters into statistical data-sharing agreements with organizations under the authority of section 12 of the Statistics Act. In general, data-sharing for statistical purposes occurs when statistical and information inquiry is initiated by joint survey partners, or where a common data resource is equally and jointly owned by two or more partners. Data Sharing Agreements (DSAs) are a key business process. In recent years, data-sharing has become a growing and increasingly complex area to manage. Ensuring confidentiality of data is a challenge.
To protect the confidentiality and sensitive nature of the information collected, the DSAs contain terms and conditions to ensure that confidentiality of information is not compromised.
The objective of this audit is to provide assurance to the Chief Statistician (CS) and Statistics Canada's Departmental Audit Committee (DAC) that:
- The Terms and Conditions of the Data Sharing Agreement (DSA) between Statistics Canada and the Alberta Minister of Energy are met.
The audit was conducted by Internal Audit Division in accordance with the Government of Canada's Policy on Internal Audit.
Although the scope of this audit was limited to one specific DSA, it was determined that the nature of the findings impacted the broader process of managing data sharing agreements in the agency. Consequently, Statistics Canada's Policy Committee provided input to the management response and action plan to address the findings and recommendations at the corporate level.
Key findings
At Statistics Canada, roles, responsibilities and practices for the implementation and management of the DSA with Alberta Energy are in place, but the audit noted that they were not always followed due to lack of clarity in internal procedural guidelines at the program level.
Practices for the management of the DSA should be strengthened within MED to ensure that confidential information shared with Alberta Energy is only for the years which are referenced in the DSA.
The audit revealed that practices and procedures for sharing Statistics Canada confidential information exist but should be strengthened. The policy framework for the management of DSAs and advance release of confidential microdata would benefit from better clarity and integration to ensure consistent and appropriate application.
At Alberta Energy, internal protocols for the management and handling of Statistics Canada confidential information were not always followed as employees did not have a clear understanding of their roles and responsibilities.
Effective controls for physical access to Alberta Energy's premise are in place. Logical access controls and identification and authentication safeguards are in place and monitored by the Information Technology (IT) group. However, opportunities exist to strengthen data access controls by ensuring that Statistics Canada microdata are securely stored and only accessible to authorized individuals at Alberta Energy as per the Terms and Conditions of the DSA.
Overall conclusion
Alberta Energy entered into a statistical data-sharing agreement with Statistics Canada for statistical and research purposes and to help decision making related to the energy sector in the Province.
While Statistics Canada has outlined roles and responsibilities related to the management of DSAs, greater clarity of the roles and responsibilities is necessary to ensure sound management of confidential microdata. Improving the policy framework for the management of DSAs and advance release of confidential microdata would ensure consistent and appropriate application of policies and directives.
Data stewardship at Alberta Energy is in place but should be enforced to ensure that Statistics Canada confidential microdata are accessed by only authorized individuals and that the storage of Statistics Canada confidential microdata adheres to the terms and conditions set out in the DSA.
Conformance with professional standards
The audit conforms with the Internal Auditing Standards for the Government of Canada, as supported by the results of the Quality Assurance and Improvement Program.
Patrice Prud'homme
Chief Audit Executive
Introduction
Background
The Energy Statistics sector is one of the two subject matter programs of the Manufacturing and Energy Division (MED) at Statistics Canada with the mandate to collect, compile, analyze, abstract and publish statistical information on Canadian business activity in the energy sector. Statistics on the financial, industrial, operational and location characteristics of the energy sector are obtained through twenty-three surveys on energy supply and demand – eight monthly, two quarterly and thirteen annual. The major forms of energy covered are crude oil, natural gas, coal, electricity, and refined petroleum products. The Energy Statistics section provides information on energy producing and distributing industries, the consumption of specific forms of energy, and operating and technical information.
The energy sector has been high profile given emerging issues such as rising energy prices, the deregulation of electricity and natural gas markets, energy security and dependencies, and greenhouse gas emissions from the production and consumption of fossil fuels.
To achieve its mandate, MED enters into statistical data-sharing agreements (DSAs) with organizations under the authority of section 12 of the Statistics Act. In general, data-sharing for statistical purposes occurs when statistical and information inquiry is initiated by joint survey partners, or where a common data resource is equally and jointly owned by two or more partners. Data-sharing is exercised when there are significant reductions in response burden and compliance costs for data-sharing partners, as well as improvements in statistical data accuracy, coverage, relevance and timeliness. The DSA with Alberta Energy was signed in 2010 and twenty-one energy monthly and annual surveys are included in the agreement.
The monthly surveys cover detailed volumetric data on production, imports, exports, pipeline movements and domestic sales of various energy commodities. Quarterly and annual disposition surveys provide data on the consumption of energy commodities by key sectors including mining and oil and gas extraction, manufacturing, forestry, construction, transportation, agriculture, residential, commercial and other institutional. Other annual surveys provide operating and technical information such as generating capacities of electric power stations, greenhouse gas emissions by large industrial facilities or financial statements of the energy industries.
Data are collected directly from respondents for most surveys. The exceptions are for monthly electricity, crude oil and natural gas production data and for energy import and export data where federal and provincial administrative sources are used.
Alberta Energy may use the information shared pursuant to the DSA, relating to an identifiable respondent, for statistical and research purposes only. The audit will ensure that the confidentiality of information is not compromised and data is protected.
Audit objectives
The objective of the audit is to provide assurance to the Chief Statistician (CS) and Statistics Canada's Departmental Audit Committee (DAC) that:
- The Terms and Conditions of the Data Sharing Agreement (DSA) between Statistics Canada and Alberta Energy are met.
Scope
The scope of this audit included an examination of the terms and conditions prescribed in the DSA to ensure that confidentiality of information is protected. The audit focused on the confidentiality and security (physical access, IT storage and transmission, physical storage and information copying and retention and record management) safeguards at Alberta Energy to ensure that data is protected and confidentiality is maintained.
Approach
The audit approach consisted of a review of applicable policies, procedures, and information for the administration and management of the agreement with Alberta Energy. Interviews with MED staff and management and an examination, review and testing of the processes and procedures in place within MED took place. The approach at Alberta Energy consisted of interviews with key Senior Management and an examination and review of the processes and procedures to ensure the terms and conditions of the DSA between Statistics Canada and Alberta Energy are met, with emphasis on whether the security requirements are in place and complied with and confidentiality of data is maintained.
This audit was conducted following the Standards for the Professional Practice of Internal Auditing as per the Institute of Internal Auditors (IIA) and in accordance with the TBS Policy on Internal Audit.
Authority
The audit was conducted under the authority of Statistics Canada Integrated Risk-Based Audit and Evaluation Plan 2012/13-2014/15 recommended by the Departmental Audit Committee, April 2012 and subsequently approved by the Chief Statistician.
Findings, recommendations and management responses
LOE #1: The Terms and Conditions of the Data Sharing Agreement (DSA) between Statistics Canada and Alberta Energy are met.
Control environment for the management of the DSA
Within Manufacturing and Energy Division (MED), roles, responsibilities and practices for the implementation and management of the DSA are in place, but were not always followed, due to lack of clarity in internal procedural guidelines.
Practices for the management of the DSA should be strengthened within MED to ensure that confidential information shared with Alberta Energy is only for the years which are referenced in the agreement.
Practices and procedures for the sharing of Statistics Canada confidential information exist but should be strengthened. The policy framework for the management of DSAs and advance release of confidential microdata would benefit from better clarity and integration to ensure consistent and appropriate application.
Clear delineation of roles, responsibilities and accountabilities to support effective management of the Terms and Conditions (T&Cs) of the DSAs should exist to ensure efficient and effective operations. Monitoring of operational performance should take place to detect errors or potential errors which would otherwise increase operational risk.
Authority
Statistics Canada exercises its mandate to enter into statistical data-sharing agreements (DSAs) with other organizations under the authority of sections 11 and 12 of the Statistics Act.
To support policy development and data initiatives, Alberta Energy requires accurate information on various energy production, consumption and distribution within the province. As a result, pursuant to section 12 of the Statistics Act, Statistics Canada has entered into a DSA with Alberta Energy to share information from 21 energy surveys listed in the agreement.
Policy framework for Data Sharing Agreements
Roles and responsibilities related to the development, implementation and monitoring requirements of DSAs are set out in the Directive on Data Sharing under Sections 11 and 12. The Directive notes that Information Management Division (IMD), in consultation with Legal Services, is responsible for drafting data-sharing agreements when requested from directors of statistical programs. IMD is also required to support managers during the development of new or modified data-sharing agreements with receiving parties, pursuant to section 12 of the Statistics Act. Subject Matter Divisions are responsible for communication with recipient organizations during the negotiations and drafting of the agreements.
Practices for management of the Data Sharing Agreement
The DSA with Alberta Energy was drafted by IMD and signed in January 2010. The Energy Statistics (ES) section in Manufacturing and Energy Division (MED), is the liaison between Alberta Energy and Statistics Canada with responsibility for the implementation of the DSA. The Dissemination and Frame Services (DFS) section in MED is the liaison between Alberta Energy and IMD for negotiating and drafting the agreement, and oversees the secure transmission of the prepared survey files to Alberta Energy.
When a request for data under the DSA is received from Alberta Energy, the ES section prepares the microdata files requested to ensure only data for the province is included and tax information has been stripped and stores it in a folder on the shared drive. They advise the staff in the DFS section that the files are ready for transfer. The microdata files are then prepared for secure transmission either by computer disks (CDs) or by electronic file-transfer (e-FT) by the DFS section.
As per the Directive on Data Sharing Agreements under Section 11 and 12, a control log is maintained within the subject matter division, which lists the organization, section of the Statistics Act under which the DSA falls, name of the official recipient, name of end-user, date sent to recipient, date received by recipient and transmission method. A description of contents – file name, reference period covered, survey number, date request received, subject-matter expert (SME) who prepared the file, name of person who prepared the microdata for transmission and time it took to process the request are also recorded.
Since implementation of the DSA, Alberta Energy has requested two data sets on CDs. The first was for the Coal Monthly Survey which was requested and sent in January 2011. Review of the transmission control log revealed that this request for the microdata was made by and transmitted to the authorized contact at Alberta Energy in the Economics and Markets (EM) branch. This request was handled and processed at Statistics Canada by the SME for the survey in the ES section.
The second request was for the Annual Coal Mines Survey, which was sent in October 2011. Staff in the DFS section is required to match the contact information provided by the SME with the one identified in the agreement to ensure that the CDs are transmitted only to the authorized contact. The transmission control log showed that this request was made directly by the end-user and not the authorized contact and data custodian. The request was processed by the ES section and sent directly to the end-user and not the authorized contact as required in the Terms and Conditions of the DSA. The audit noted that the internal guidelines document "Procedures-File transmission" did not provide clear directives related to who is an authorized data recipient.
The audit concluded that at Statistics Canada, roles, responsibilities and practices for the implementation and management of the DSA are in place but they were not always practiced due to lack of clarity in internal procedural guidelines.
The sharing of Statistics Canada microdata under section 12 of the Statistics Act requires giving respondents prior notification of the proposed sharing, and giving them the right to refuse to allow their information to be shared. This requirement is reflected in the DSA with Alberta Energy which states
"Each survey questionnaire used by Statistics Canada will contain a statement that the information provided may be shared by Statistics Canada with Alberta Energy, unless the respondent objects to such sharing, as required by the federal Statistics Act".
Review of the second data file (the Annual Coal Mines Survey) prepared and sent to Alberta Energy revealed that Statistics Canada transmitted data to Alberta Energy for calendar years that were not covered in the DSA. The DSA covered data for the Coal Survey beginning in 2010, however confidential microdata for years 2006, 2007 and 2008 were sent to the recipient party.
Survey respondents were not given the opportunity to object to the sharing of information with Alberta Energy for these years, which is in conflict with both the federal Statistics Act and the data-sharing agreement with Alberta Energy.
Sharing of Statistics Canada confidential information
Confidential information sent to DSA recipient parties prior to official release in The Daily are subject to the Policy on Official Release in The Daily. The Policy sets out four conditions that must be met by organizations in order to have access to new data sets or information products prior to official release in The Daily, and notes the types of arrangements and submission forms which must be in place to allow for the advance release of sensitive statistical information. These conditions include:
- Authorization by the Clerk of the Privy Council on the advice of the Chief Statistician;
- Work-in-progress agreements or peer reviews;
- External partnerships in collaborative programs (cost-recovery, common governance and administrative programs);
- The Chief Statistician may authorize dissemination of information in advance of release in special circumstances in which the benefits justify the exception.
The audit determined that preliminary data for the Annual Coal Survey for 2010 which had not been fully processed was shared with Alberta Energy in October 2011, prior to official release which took place in The Daily in May 2012. In this instance, for the pre-release of the data, an Advance Release Submission form should have been prepared and submitted to the Communications Division for approval as per the Policy. This was not completed.
The audit found that the program area within MED felt that pre-release of microdata was acceptable when there is a section 11 or section 12 DSA in place. Within the Dissemination unit, there was an understanding that the scope of the Policy exempts DSAs from the pre-release conditions. This understanding is a result of the scope clause within the Policy which states,
"The sharing of survey microdata under sections 11 and 12 of the Statistics Act is governed by the provisions of the Statistics Act and the terms and conditions of the data sharing agreements."
The program stated that their interpretation is that this is an exclusion clause. The audit confirmed with Communications Division and Information Management Division that DSAs fall within the scope of the Policy and as such pre-release of microdata falls under the Policy. The audit also revealed that the Directive on Data Sharing under Sections 11 and 12 does not provide guidance on the different requirements that programs should be aware of when releasing protected information involving microdata or statistical aggregates at a confidential level.
A second source of confusion within the DSA with Alberta Energy was brought to the attention of the audit team. MED staff felt that the DSA had a clause within it that implied that the sharing of microdata was permitted. Clauses 4 and 5(1) in the DSA with Alberta Energy state:
4. The Department (Alberta Energy) may release or publish only statistical aggregates derived from the information provided to it pursuant to this Agreement. However:
5. (1) The Department (Alberta Energy) shall not do so prior to the official release by Statistics Canada.
The program felt that because the agreement specifies that the department (Alberta Energy) agrees only to release or publish after official release by Statistics Canada; it is permissible to provide confidential microdata in advance of the official release by Statistics Canada.
Review of the new approved DSA templates for Provincial, Provincial omnibus, Federal and Crown corporations revealed that all templates include similar clauses and therefore inadvertently imply the sharing of microdata with external partners prior to the official release by Statistics Canada in The Daily. This is in conflict with Statistics Canada's Policy on Official Release in The Daily.
The audit concluded that the practices and procedures for the sharing of Statistics Canada confidential information exist but should be strengthened. The policy framework for the management of DSAs and advance release of confidential microdata would benefit from better clarity and integration to ensure consistent and appropriate application.
Risk management and monitoring
MED conducts a formal risk exercise on an annual basis, to assess and monitor the internal environment (survey process) and external environment for risks and to provide input into the corporate planning exercise. The 2010 Program Performance Review identified that management of all the DSAs in MED should be centralized. Subsequent to this review, the management function of all DSAs within MED has been centralized under the Dissemination and Frame Services (DFS) section within the division.
Monitoring is prescribed by Statistics Canada in an audit clause included in the DSA. Monitoring of the DSA at Alberta Energy is the responsibility of the EM branch. Since only two data sets have been requested by Alberta Energy, and no researchers have been contracted to provide survey-related product or service at the premises of Alberta Energy, EM branch has not performed any monitoring.
Statistics Canada's DSA with Alberta Energy has a provision outlining the requirements should unauthorized access occur. No incidents of unauthorized access have been reported to Statistics Canada by Alberta Energy.
Recommendations:
The Assistant Chief Statistician (ACS) Business and Trade Statistics should ensure that:
- Employees understand their roles and responsibilities with respect to the handling and management of Statistics Canada confidential information.
- Confidential information for only those surveys that are referenced in a valid data-sharing agreement and for cycles, for which respondents were informed of sharing, is shared with external partners pursuant to section 12 of the Statistics Act.
- The conditions set out in the Policy on Official Release in The Daily to provide access to pre-release data sets and information products to external partners are followed.
Management response:
Management agrees with the recommendations. Since the nature of the findings impacted the broader process of managing data sharing agreements in the agency, Statistics Canada's Policy Committee provided input to the management response and action plan to address the findings and recommendations at the corporate level.
MED has DSAs with a large (30 and growing) number of partner and user organizations across the country. In 2012, the division identified as a risk and strategic priority in its PPR the need to improve the management of these DSAs due to: the growing number, the complexity of this work, the high rate of staff turnover, and the potentially high impact if problems emerge. MED received long term planning funding last fiscal year to take steps to address this challenge. Several of the related strategies will help to ensure that the types of problems experienced with Alberta Energy do not re-occur.
- The Director MED, will direct Alberta Energy to destroy the data they received for years 2006 to 2008 (annual coal survey) and years 2006 to 2009 (monthly coal survey), and ask for written confirmation of the date the data were destroyed.
Deliverables and Timeline: Letter from Director, MED, to Alberta Energy in November 2012.
- The centralization of the management of DSAs within the Dissemination and Frame (D&F) Section in MED. This will allow for the development of expertise, experience and back-up capacity; improved monitoring and follow-up procedures; and greater accountability.
Deliverables and Timeline: The Director MED established the new centralized unit with the responsibility to manage DSAs for MED, in March 2012.
- Staff in the new centralized unit receives periodic training on rules and procedures for managing DSAs.
Deliverables and Timeline: The Chief D&F Services Section is responsible for ensuring periodic training is provided to staff. Training so far has occurred in May and October 2012.
- Information on confidentiality & security will be presented by IMD to MED employees annually.
Deliverables and Timeline: The Chief D&F Services Section is responsible for ensuring that information sessions are provided by IMD to MED at all staff meetings, on an annual basis. The first session was held in June 2012.
- Information on the new processes and organization is communicated to MED management.
Deliverables and Timeline: The Chief D&F Services Section sent instructions to all MED managers in July 2012.
- Detailed procedures and a checklist for staff working on DSAs will be developed.
Deliverables and Timeline: The Chief D&F Services Section prepared and ensured the implementation of the checklist in May 2012. The checklist was updated in October 2012.
- A new mandatory certificate to record the conformity of the information being shared will be signed by directors every time a share file is provided to an external partner.
Deliverables and Timeline: New procedure, records and documentation to be developed by IMD and followed by Program directors by June 2013.
- A new mandatory requirement for the external partner to acknowledge receiving the information and being aware of the conditions set in the data-sharing agreement every time a share file is provided to them.
Deliverables and Timeline: New procedure, records and documentation to be developed by IMD and followed by Program directors by June 2013.
- A new mandatory training session for directors about data-sharing agreements.
Deliverables and Timeline: Training by IMD and Human Resources Development Division (HRDD) by June 2013.
- Reminders to program managers to follow communication protocol and quickly report incidents through the proper management channels.
Deliverables and Timeline: Reminders to programs by ACS and senior management teams by December 2012.
Recommendations:
The Assistant Chief Statistician (ACS) Business and Trade Statistics in collaboration with the ACS of Informatics and Methodology and the ACS of Census, Operations and Communications should ensure that:
- In consultation with IMD, the DSA with Alberta Energy is amended to clarify that microdata cannot be shared with Alberta Energy prior to the official release by Statistics Canada.
- The clause in the new DSA templates for Provincial, Provincial omnibus, Federal and Crown corporations is amended to clarify that microdata cannot be shared with external partners prior to the official release by Statistics Canada unless the conditions for pre-release in the Policy on Official Release in The Daily are met.
- The conditions in the Directive on Data Sharing under Sections 11 and 12 of the Statistics Act are consistent with those set in the Policy on Official Release in The Daily that Subject Matter Divisions have to meet for advance release of sensitive statistical information.
Management response:
Management agrees with the recommendations.
- The Director, IMD and the Director MED, will prepare an updated DSA template, to replace current DSA with Alberta Energy.
Deliverables and Timeline: An updated DSA template signed by Statistics Canada and Alberta Energy by June 2013.
- The Director, IMD will prepare an updated DSA template.
Deliverables and Timeline: An updated DSA template by June 2013.
- The Director IMD and the Director General, Communications Division, will ensure the recommended consistency.
Deliverables and Timeline: Required updates to the Directive on Data Sharing under Sections 11 and 12 and the Policy on Official Release in The Daily by March 2013.
Data stewardship
At Alberta Energy, internal protocols for the management and handling of Statistics Canada confidential information were not always followed as employees did not have a clear understanding of their roles and responsibilities.
Internal protocols that outline roles, responsibilities and practices and procedures for the sound management of data should be in place to ensure the protection and safeguarding of Statistics Canada confidential information.
Roles and responsibilities of the data recipient
At Alberta Energy, functional responsibility for the administration and management of the Statistics Canada energy survey data rests with the Economics and Markets (EM) branch, which is the designated data-custodian and recipient. The EM branch acts as the liaison between Statistics Canada and all the individuals at Alberta Energy requesting information from Statistics Canada.
As part of the Terms and Conditions of the DSA, access to Statistics Canada confidential information at Alberta Energy is to be granted on a need-to-know basis, to employees whose work responsibilities require such access in order for Alberta Energy to meet its statistical and research needs. The audit noted that Alberta Energy has set out internal protocols specifying the procedures for sending, receiving, handling and storing Statistics Canada confidential microdata within Alberta Energy. Provisions provided in the DSA are included in an internal Memorandum of Understanding (MOU) prepared by the EM branch. Individuals requesting access are required to provide their adherence to the provisions by signing the MOU.
Review of the MOU template at Alberta Energy revealed that in addition to the above, it also contained the provisions that the EM branch will receive all the confidential microdata from Statistics Canada and will then transmit it to authorized individuals within Alberta Energy; and confidential microdata will be stored in a secured location while in the possession of the EM branch and any individual at Alberta Energy.
As part of the audit, all signed MOUs were to be reviewed to match and confirm the signatures of the end-users to the names on the MOUs. End-user names on the forms were to be traced to the names listed on the transmittal control log maintained by the DFS section. As a result, only one signed MOU was found to be in place at Alberta Energy. Enquiry at Alberta Energy revealed that the first end-user did not understand his roles and responsibilities and as a result provided access to confidential microdata to an employee in his branch for whom formal approval was not requested. This is in conflict with the requirement in the agreement with Alberta Energy which requires all users of Statistics Canada confidential microdata to receive formal approval from the EM branch and acknowledge their adherence by signing the MOU.
At Alberta Energy, internal protocols for the management and handling of Statistics Canada confidential information have been documented; however, they were not always followed as employees did not have a clear understanding of their roles and responsibilities.
Third party recipients
Under the current agreement, Alberta Energy is not allowed to share or disclose Statistics Canada confidential information to external third party recipients. Only researchers directly under contract with Alberta Energy, who provide survey-related product or services on the premises of Alberta Energy, are allowed access to Statistics Canada confidential microdata.
The audit revealed that in keeping with the provisions of the agreement, Statistics Canada confidential information has not been shared with external third party recipients, and Alberta Energy has not entered into any contracts with researchers to provide survey-related product or service on the premises of Alberta Energy as allowed by the agreement.
Microdata received from Statistics Canada is for statistical and research purposes, and for internal use only. The audit confirmed that statistical aggregates that directly or indirectly identify a person, business organization or an identifiable product are never released or published.
Recommendations:
The Assistant Chief Statistician (ACS) Business and Trade Statistics should communicate with Alberta Energy to ensure that:
- Employees understand their roles and responsibilities with respect to the handling and management of Statistics Canada confidential information and have signed the internal MOU outlining these responsibilities.
Management response:
Management agrees with the recommendation.
- The Director, MED will ensure the updated DSA template includes all of the necessary information, already covered in the current DSA template.
Deliverables and Timeline: An updated DSA template signed by Statistics Canada and Alberta Energy, and an in-person meeting at Alberta Energy to provide additional information and guidance, by June 2013.
Physical and Informatics Technology (IT) security
Effective physical and logical access controls are in place at Alberta Energy; however, data access controls should be strengthened by ensuring that Statistics Canada microdata are kept in the custody of the designated data-custodian, securely stored, and accessible to authorized individuals only.
Information provided to Alberta Energy is designated as 'Protected B' information as defined in the federal Policy on Government Security. Alberta Energy is required to ensure that the control and protection of information, either physically or electronically, is carried out in a manner that protects against loss, theft, compromise or improper disclosure. Access should only be given to employees on a "need-to-know" basis as part of their duties.
Physical access to Alberta Energy's premises
A physical inspection was conducted of Alberta Energy's site during the examination phase of the audit. The audit noted that each floor of Alberta Energy is secured and can only be accessed by authorized staff. There is a card reader outside each set of doors and staff must swipe their ID card to enter. Visitors have to sign in at the reception desk; they receive a visitor pass that has to be visible at all times but does not authorize access to secure areas; and they are to be escorted by an authorized person at all times.
Physical access to the data files
Access to Statistics Canada survey files is on a need-to-know basis only. At the time of the audit, only 2 employees had access to the CDs.
The audit noted that the CDs for the two data sets that had been sent to Alberta Energy (Annual Coal and Monthly Coal Survey) under the section 12 DSA are kept in a key-locked safe in the secured area of the end-user, as required by the terms and conditions of the DSA. In order to make the key to the safe accessible to staff, it is kept in a staff member's unlocked desk drawer in an open office environment. This elevates the risk that the data may be accessed by unauthorized individuals within Alberta Energy.
Statistics Canada confidential data is held on the original CDs and is not transferred to a server or a computer or any other electronic media.
Identification and authentication safeguards, IT storage and transmission
Devices and networks are protected by logical access controls at Alberta Energy and are administered by the IT group. Passwords are required to access the Alberta Energy computer networks and must be updated every 6 weeks.
The Government of Alberta's "Policy for Maintaining Security of Government Data Stored on Electronic Data Storage Devices" does not recommend the storage or transmission of high-sensitivity data on a laptop or memory key. Memory sticks are only used for storing presentations to stakeholders at conferences, and when used they are password protected. Remote access to departmental information is allowed using the Citrix system.
Effective controls for physical and electronic access to Alberta Energy's premises are in place. However, opportunities exist to strengthen physical storage access controls by ensuring that Statistics Canada original CDs are in the custody of the designated data-custodian only and by ensuring that the key to the safe which holds the CDs is properly secured as per the terms and conditions set out in the DSA.
Recommendation:
The Assistant Chief Statistician (ACS) Business and Trade Statistics should communicate with Alberta Energy to ensure that:
- Microdata files transmitted from Statistics Canada are securely stored and only accessible to authorized individuals as per the Terms and Conditions of the DSA.
Management response:
Management agrees with the recommendation.
- The Director, MED will ensure the updated DSA template includes all of the necessary information, already covered in the current DSA template.
Deliverables and Timeline: An updated DSA template signed by Statistics Canada and Alberta Energy, and an in-person meeting at Alberta Energy to provide additional information and guidance, by June 2013.
Appendices
Appendix A: Audit criteria
| Line of Enquiry / Core Controls / Criteria | Sub-Criteria | Policy Instrument |
|---|---|---|
| The Terms and Conditions of the Data Sharing Agreement (DSA) between Statistics Canada and Alberta Energy are met. | | |
| Accountability | | |
| 1.1 Authorities, responsibilities and accountabilities, are clear, communicated and the segregation of duties is appropriately established at the program level and at Alberta Energy. (AC-1) | 1.1.1 Responsibilities are formally defined and clearly communicated and delegated and authority is aligned with individuals' responsibilities. Where applicable, incompatible functions are not combined. | Core Management Control Model (CMC) of the office of the Comptroller General. Statistics Act DSA with Alberta Energy Policy on the Security of Sensitive Statistical Information Directive on Data Sharing Agreements under Sections 11 & 12 |
| | 1.1.2 Authority is formally delegated and delegated authority is aligned with individuals' responsibilities. Where applicable, incompatible functions are not combined. | CMC Statistics Act Policy on the Security of Sensitive Statistical Information Directive on Data Sharing Agreements under Sections 11 & 12 MED's Procedures-File transmission |
| 1.2 Alberta Energy has established processes to identify, solicit, evaluate and manage the agreement. (ST-22) | 1.2.1 The processes are understood and are complied with. | CMC Statistics Act DSA with Alberta Energy Directive on Data Sharing Agreements under Sections 11 & 12 Memorandum of Understanding template prepared by Alberta Energy |
| Risk Management | | |
| 2.1 Management at Manufacturing & Energy Division (MED) and Alberta Energy identify, assess and respond to the risks that may preclude the achievement of their objectives. (RM-2 & 4) | 2.1.1 Risks are identified and take into consideration the internal and external environments. | CMC Divisional Risk Register Manufacturing and Energy Division Program Performance Report |
| 2.2 Management identifies and assesses the appropriateness of existing controls to effectively manage its risks. (RM-3) | 2.2.1 Formal processes and guidelines exist to assess the controls in place to manage identified risks | Directive on Data Sharing Agreements under Sections 11 & 12. Policy on Official Release in the Daily DSA with Alberta Energy |
| Stewardship | | |
| 3.1 Assets are protected at MED and at Alberta Energy. (ST-9) | 3.1.1 Access to data is limited to authorized individuals and is appropriately secured in compliance with the Data Sharing Agreements (DSAs). | TBS – Government Policy on Security TBS Standard on Physical Security TBS Directive on Departmental Security Management Security Practice Manual |
| | 3.1.2 Access is physically restricted | TBS – Government Policy on Security TBS Standard on Physical Security Security Practice Manual Policy on Security of Sensitive Statistical Information |
| | 3.1.3 Procedures to safeguard the shared data upon termination of an agreement exist. | TBS – Government Policy on Security TBS Standard on Physical Security Security Practice Manual Policy on Security of Sensitive Statistical Information |
| | 3.1.4 Procedures exist to protect the use of data from abuse or fraud. | TBS – Government Policy on Security TBS Standard on Physical Security Security Practice Manual |
| 3.2 Appropriate system application controls exist at Alberta Energy. (ST-11) | 3.2.1 Logical access controls exist to ensure access to systems and data, is restricted to authorized users, e.g., systems require users to logon using unique user name and password. | TBS – Government Policy on Security TBS Standard on Physical Security Security Practice Manual GoA Information Technology Baseline Security Requirements TBS – Government Policy on Security TBS Standard on Physical Security |
| | 3.2.2 Authentication and access procedures and mechanisms exist for and are applied in order to keep authentication and access mechanisms effective. | StatCan's Security Practice Manual GoA IT Security Policy GoA Internet and Email Use Policy Policy on Security of Sensitive Statistical Information |
| Results and performance | | |
| 4.1 Management monitors actual performance against planned results, and adjusts course as needed, to better address the requirements/ needs of the program. (RP-3) | 4.1.1 Responsibility for monitoring is clear and communicated and results are reported to required authority levels. | Core Management Control Model (CMC) of the office of the Comptroller General |
| | 4.2.1 Active monitoring is demonstrated. | Core Management Control Model (CMC) of the office of the Comptroller General |
Appendix B: Acronyms
Acronym | Description |
---|---|
CD | Computer Disk |
CS | Chief Statistician |
DAC | Departmental Audit Committee |
DFS | Dissemination and Frame Services |
DSA | Data Sharing Agreement |
e-FT | Electronic File Transfer |
EM | Economics and Market |
ES | Energy Statistics Section |
ID | Identification |
IIA | Institute of Internal Auditors |
IMD | Information Management Division |
IT | Information Technology |
LOE | Line of Enquiry |
MED | Manufacturing and Energy Division |
MOU | Memorandum of Understanding |
PPR | Program Performance Report |
SME | Subject Matter Expert |
TBS | Treasury Board Secretariat |
T&C | Terms and Conditions |