November 18, 2014
Project Number: 80590-86
- Executive Summary
- Introduction
- Background
- Audit objectives
- Scope
- Approach and methodology
- Authority
- Findings, Recommendations and Management Responses
- Administration of microdata research contracts
- Information technology security
- Physical security
- Appendices
- Appendix A: Audit criteria
- Appendix B: Acronyms
Executive Summary
The Research Data Centre (RDC) at Dalhousie University is one of 27 RDCs operating across Canada. These RDCs were established through the efforts of Statistics Canada, Social Sciences and Humanities Research Council, Canadian Institutes of Health Research, Canadian Foundation for Innovation and university consortia, to strengthen Canada's social research capacity and support the policy research community. The Dalhousie RDC facility was first opened in 2001.
The mandate of RDCs is to promote and facilitate social science research using Statistics Canada's confidential microdata, while protecting the confidentiality of data through effective operational and analytical policies and procedures that create a culture of confidentiality.
The RDCs are staffed by Statistics Canada employees and are operated under the provisions of the Statistics Act in accordance with all confidentiality rules, and are accessible only to researchers with approved research projects who have been sworn in under the Statistics Act. Day-to-day monitoring of the environment and physical security within the RDC is the responsibility of RDC analysts. RDC analysts administer the operation of the RDCs and ensure that the activities are consistent with Statistics Canada's mandate.
The objectives of this audit are to provide the Chief Statistician (CS) and the Departmental Audit Committee (DAC) with assurance that the RDC at Dalhousie University
- has effective practices and mechanisms in place to ensure that the confidentiality of data is protected in the delivery of services; and
- complies with applicable Treasury Board Secretariat (TBS) and Statistics Canada policies and standards regarding Information Technology (IT) and physical security, to ensure that confidentiality of data is protected in the delivery of services.
The audit was conducted by Internal Audit Division (IA) in accordance with the Government of Canada's Policy on Internal Audit.
Key findings
The administration of research contracts is supported by roles and responsibilities that are well defined and communicated both at the program level and within the RDC. Communiqués are an effective means to inform staff in the regions of changes in policies and procedures.
Staff at the Dalhousie RDC follows procedures to ensure that researchers become deemed employees prior to being approved for research contracts. There are complete records supporting contract management on file at headquarters, but there are opportunities to improve procedures for contract management to ensure that acknowledgements of the Values and Ethics Code are signed by all researchers and are on file.
There are regular discussions on risks between the regional manager, the RDC analyst and MAD management, and they are considered within the context of the annual risk register exercise. Integration of RDC program risk information by CSSD into a risk-based inspection approach would improve and optimize inspection activities.
Processes and procedures for confidentiality vetting are in place and are effective in protecting the confidentiality of the data. The analyst also maintains an audit trail of all vetted documents which cannot be modified by researchers; this has been deemed a good practice.
Roles, responsibilities and accountabilities for Dalhousie IT support staff are outlined in service level agreements, and are aligned to government policies for IT and the Statistics Act. IT general controls, including access, identification and authentication safeguards were embedded in systems and software configurations and were operating as intended at the Dalhousie RDC.
Staff at the Dalhousie RDC is employing an effective practice by using a reliable USB key strictly dedicated for transferring electronic files to the server. Currently, there are no documented procedures or protocols in place to mitigate security threats associated with the use of external USB keys for the RDC program. All RDCs could benefit from this practice and further protect the data stored on the closed network.
Physical security measures in place within the Dalhousie University RDC comply with applicable TBS policies and Statistics Canada's Security Practices Manual. Key controls such as a secure perimeter with intrusion detection and restricted access to the centre are in place and effective to ensure the security of the information held in the facility.
Overall conclusion
The RDC at Dalhousie University is well managed and has effective practices and mechanisms in place to ensure that the confidentiality of data is protected in the delivery of services. There are opportunities for improvement in areas of acknowledgments for values and ethics, and by formalizing risk management and integrating the results into the RDC inspection strategy.
The RDC's physical and IT environments comply with TBS, as well as Statistics Canada policies and standards, and are effective in protecting the confidentiality of data in the delivery of services.
Conformance with professional standards
The audit was conducted in accordance with the Internal Auditing Standards for the Government of Canada, which includes the Institute of Internal Auditors (IIA) International Standards for the Professional Practice of Internal Auditing.
Sufficient and appropriate audit procedures have been conducted and evidence gathered to support the accuracy of the findings and conclusions in this report and to provide an audit level of assurance. The findings and conclusions are based on a comparison of the conditions, as they existed at the time, against pre-established audit criteria. The findings and conclusions are applicable to the entity examined and for the scope and time period covered by the audit.
Patrice Prud'homme
Chief Audit Executive
Introduction
Background
The Research Data Centres (RDCs) are part of an initiative by Statistics Canada, the Social Sciences and Humanities Research Council (SSHRC), Canadian Institutes of Health Research (CIHR), Canadian Foundation for Innovation and university consortia to strengthen Canada's social research capacity and to support the policy research community. The SSHRC is a federal agency that promotes and supports university-based research and training in the social sciences and humanities disciplines. CIHR is the major federal agency responsible for funding health research in Canada.
The Microdata Access Division (MAD) provides restricted access to confidential microdata through RDCs at universities across the country and the federal RDC in Ottawa. MAD is responsible for ensuring the confidentiality of information provided by Canadians. Currently, there are 27 RDCs: 26 are located in a secure setting on university campuses, and one is located within a research institute. These RDCs provide researchers with access to microdata from population and household surveys, meaning that researchers do not need to travel to Ottawa to access Statistics Canada microdata. In addition to centres located on campuses, the Federal Research Data Centre (FRDC) in Ottawa provides microdata access to researchers from federal policy departments. For the RDC program as a whole, functional authority is formally delegated to the manager/director of the RDC Program. At the regional level, functional authority resides with the RDC regional manager.
The mandate of RDCs is to promote and facilitate social science research using Statistics Canada's confidential microdata, while protecting the confidentiality of data through effective operational and analytical policies and procedures that create a culture of confidentiality. The RDCs are staffed by Statistics Canada employees and are operated under the provisions of the Statistics Act in accordance with all confidentiality rules and are accessible only to researchers with approved research projects, who have been sworn in under the Statistics Act. Day-to-day monitoring of the environment and physical security within the RDC is the responsibility of RDC analysts. RDC analysts administer the operation of the RDCs and ensure that the activities are consistent with Statistics Canada's mandate.
The Statistics Canada Risk-Based Audit and Evaluation Plan requires that the Internal Audit Division completes an audit of one RDC per year. Over the past three years, the RDCs located in the following universities were audited: University of Calgary and University of Lethbridge (2011); University of Alberta (2012); and McMaster University (2013).
Audit objectives
The objectives of the audit were to provide the Chief Statistician (CS) and the Departmental Audit Committee (DAC) with assurance that the RDC at Dalhousie University
- has effective practices and mechanisms in place to ensure that the confidentiality of data is protected in the delivery of services; and
- complies with applicable Treasury Board Secretariat (TBS) and Statistics Canada (StatCan) policies and standards regarding Information Technology (IT) and Physical Security, to ensure that confidentiality of data is protected in the delivery of services.
Scope
The scope of this audit included a detailed examination of the systems and practices of the RDC at Dalhousie University for the protection of data, the use of technology and the physical security.
The audit focused on the confidentiality vetting of data output by the on-site Statistics Canada employees; deemed employee status and security clearance requirements for access to microdata; research proposal process for RDC; microdata research contracts; physical security of the RDC site in compliance with applicable TBS and Statistics Canada policies and standards and IT protection in compliance with applicable TBS and Statistics Canada policies and standards.
Approach and methodology
The audit work consisted of an examination of documents, interviews with key program management, and personnel within the Microdata Access Division (MAD), Information Technology Operations Division (ITOD) and Dalhousie University, as well as a review for compliance with relevant policies and guidelines.
The field work included a review, assessment, and testing of the processes and procedures in place to ensure physical security, use of technology and the protection of data at Dalhousie University. A sample of microdata research contracts (completed, in progress, and microdata research contracts in evaluation) was examined to ensure coverage of contract types, data sources, multiple contract holders and research purpose. A combination of judgemental and systematic samples, totaling 43 out of 89 contracts having a start date between 2010 and 2014, was selected for testing, representing nearly 50% of recent microdata research contracts for this RDC.
This audit was conducted in accordance with the Internal Auditing Standards for the Government of Canada, which includes the Institute of Internal Auditors (IIA) International Professional Practices Framework.
Authority
The audit was conducted under the authority of Statistics Canada's Integrated Risk-Based Audit and Evaluation Plan for 2014/15 to 2018/19.
Findings, Recommendations and Management Responses
Objective 1: The Dalhousie University RDC has effective practices and mechanisms in place to ensure that the confidentiality of data is protected in the delivery of services.
Administration of microdata research contracts
The administration of research contracts is supported by roles and responsibilities that are well defined and communicated both at the program level and within the RDC. Communiqués are an effective means to inform staff in the regions of changes in policies and procedures.
Staff at the Dalhousie RDC follows procedures to ensure that researchers become deemed employees prior to being approved for research contracts. There are complete records supporting contract management on file at headquarters, but there are opportunities to improve procedures for contract management to ensure that acknowledgements of the Values and Ethics Code are signed by all researchers and are on file.
There are regular discussions on risks between the regional manager, the RDC analyst and MAD management, and they are considered within the context of the annual risk register exercise. Integration of RDC program risk information by CSSD into a risk-based inspection approach would improve and optimize inspection activities.
Processes and procedures for confidentiality vetting are in place and are effective in protecting the confidentiality of the data. The analyst also maintains an audit trail of all vetted documents which cannot be modified by researchers; this has been deemed a good practice.
Effective management of research contracts is key to ensuring that only approved data are used by the authorized individuals and for purposes that are in line with program objectives. Program and RDC staff have a shared responsibility in ensuring that researchers become deemed employees with valid security clearance. As RDCs are located within university campuses, a collaborative approach to contract management, ongoing communication and risk management are required to protect the confidentiality of data.
Roles and responsibilities
Roles, responsibilities and accountabilities should be clearly defined and communicated. Effective means of communication are also necessary to ensure that staff is up to date on current policies, practices and procedures.
The roles and responsibilities for the management of the Microdata Research Contracts (MRCs), access to confidential microdata and confidentiality vetting are defined and communicated to stakeholders in policies, guidelines, standards and detailed guides. At the program level, authority is formally delegated to the RDC manager in Statistics Canada's Security Practices Manual, which states that the RDC manager:
"is responsible for establishing and maintaining an inventory of administrative information on research projects involving deemed employees for headquarters, the regional offices and the research data centres. Information includes research proposals and other information throughout the life-cycle of the project and certification that required procedures have been followed."
Additionally, the Policy on the Security of Sensitive Statistical Information assigns to Directors,
"the responsibility for controlling and protecting all sensitive statistical information obtained or held by their respective areas in the pursuit of their program objectives. When access to sensitive statistical information is provided in a Research Data Centre or equivalent, the Manager, Research Data Centre Program, assumes these responsibilities."
At the Dalhousie RDC, there is one full-time RDC analyst and two part-time statistical assistants. The RDC analyst reports to the regional manager, and the statistical assistants report to the full-time RDC analyst. The regional manager responsible for the Dalhousie RDC is located at the University of Guelph.
Information from RDC contracts is compiled by the Head Office Operations Unit (HOOU) in the Client Relationship Management System (CRMS) central database. Information entered in the system includes contract status, approval dates, names of researchers, reviewers and review outcomes, contract end dates and data approved for access. Staff working in RDCs cannot access this system and do not use its outputs within the context of their daily operations; however, they do receive periodic reports generated from the CRMS and are asked to validate the information against their records. Information drawn from the CRMS is used by headquarters to manage the final stages of project completion, to follow up on security clearance renewal, and to monitor program growth and data usage. Information on the number of deemed employees and the use of datasets is also compiled and reported to Subject Matter Divisions (SMD). The audit team tested the accuracy of the information entered in CRMS on a sample of contracts. Test results revealed a small number of immaterial data-entry errors in CRMS, which did not impact the RDC's operations.
Communiqués are posted on the RDC extranet and provide information on new policies, processes, procedures and best practices to RDC staff. During interviews, it was established that staff at the Dalhousie RDC knew where to find these communiqués and were also able to provide examples of recent messages communicated through this means.
The administration of research contracts is supported by roles and responsibilities that are well defined and communicated both at the program level and within the RDC. Communiqués are an effective means to inform staff in the regions of changes in policies and procedures.
Deemed employees
A key management control relied upon to ensure the confidentiality of information within RDCs is the deemed employee status which all researchers must obtain prior to accessing the RDC. In addition to having an approved project, each researcher must undergo a security screening and be sworn in under the Statistics Act.
As per the Policy on the Use of Deemed Employees revised in August 2007, researchers wishing to access the RDC are required to become deemed employees and undergo a reliability security screening pursuant to sub-sections 5(2) and 5(3) of the Statistics Act, and take an oath or affirmation of office and secrecy, pursuant to sub-section 6(1) of the Statistics Act. They must also sign an acknowledgment that they have read and understood the Statistics Canada Values and Ethics Code for the Public Service. These actions are to be completed prior to the MRC being signed by Statistics Canada. Once a researcher has successfully completed these requirements and attended an orientation session, they are officially a deemed employee of Statistics Canada.
Testing was conducted to ensure that all required documentation was in place and valid for 31 researchers associated with 15 sampled contracts. Results revealed that valid security clearances and oaths of office and secrecy had been signed by all researchers. Additionally, tests were conducted to ensure that researcher acknowledgements of the Values and Ethics Code for the Public Service were on file. Results revealed that of the 31 researchers associated with the sampled contracts, 24 had signed this acknowledgement and copies were on file. For the other seven researchers, there were no signed copies of the acknowledgements on file, nor were they subsequently found. According to program management, researchers were allowed to submit their acknowledgements of the Values and Ethics Code after the research contracts were approved. Signed Values and Ethics forms attest to the fact that researchers have read and agreed to the terms and conditions set out by the RDC program. In order to ensure that Values and Ethics acknowledgment forms are on file, the RDC program has recently adopted a new approach where forms are required as part of the proposal package sent to headquarters for evaluation. This practice is expected to ensure that acknowledgements of the Values and Ethics Code are signed by all researchers and are on file.
Staff at the Dalhousie RDC follows procedures to ensure that researchers become deemed employees prior to being approved for research contracts. There are complete records supporting contract management on file at headquarters, but there are opportunities to improve procedures for contract management to ensure that acknowledgements of the Values and Ethics Code are signed by all researchers and are on file.
Contract management
MRCs are signed either by the Director of MAD or a delegated manager within the RDC program once project proposals have been evaluated and approved by the program. The audit tested compliance of the contract processing procedures by reviewing a sample of 31 active and completed contracts associated with the Dalhousie RDC. All proposals, project descriptions or course syllabuses and signed MRCs were found to be on file at headquarters. The audit also determined that contracts were signed by the appropriate authority at Statistics Canada. According to procedures established for the RDC Program, a new contract cannot be approved until all deliverables for other contracts are completed. Researchers have 12 months after the contract expiry date to complete and remit end products (publication or results). Contracts for which the end product has not been remitted become delinquent in the CRMS. MAD has implemented a checklist which is completed by the RDC program staff prior to approval of all new contracts; this control includes verification that all deliverables for previous contracts have been submitted prior to approval of the contract.
File documentation supporting MRCs was found to be complete. Contracts were signed by the appropriate authority and there are mechanisms in place to ensure that new contracts are signed only for researchers with projects in good standing.
Risk management
Risk management practices involving both program management and RDC staff in the regions are essential to identify, assess and respond to risks that may preclude the achievement of RDC program objectives.
Interviews with program management and RDC staff revealed that regular discussions on risks are held between the regional manager, the RDC analyst and MAD, and they are considered within the context of the annual risk register exercise.
IT and Physical Security Inspection Reports are also used as a means to identify and mitigate risks that are specific to individual RDCs. Inspections are led by CSSD with the help of ITOD staff. Two physical security inspections and two IT security inspections have been conducted for the Dalhousie University RDC, once prior to opening the centre in 2001 and again in 2011. The strategy used to establish the calendar of security inspections for RDCs is currently established by CSSD. The current approach neither considers nor integrates risks identified by the RDC program, such as changes to the IT environment. MAD management has stated that the current approach to security inspections for RDCs could be improved and optimized by integrating risk information obtained from the RDC program and adopting a risk-based approach to RDC inspections, which the RDC program itself would be better positioned to determine.
There are regular discussions on risks between the regional manager, the RDC analyst and MAD management, and they are considered within the context of the annual risk register exercise. Integration of RDC program risk information into a risk-based inspection approach would improve and optimize inspection activities.
Confidentiality vetting
RDCs are repositories of Statistics Canada microdata files that are accessible to researchers with approved projects. Effective and appropriate processes and procedures for confidentiality vetting should be in place and adhered to in order to significantly reduce the risk of unwanted disclosure.
Confidentiality vetting is the process of screening research outputs, syntax or any confidential data-related material to assess the risk of a prohibited disclosure. This is done by analysing whether obvious identification of individual cases or information about individual cases can be inferred or deduced from the statistical output. The RDC analyst's primary responsibility with respect to confidentiality vetting is to ensure confidentiality is not breached when allowing research outputs to leave the RDC. The analyst should review all materials that the researcher would like to remove from the RDC and the final responsibility and decision to release the output rests with the analyst. Confidentiality vetting is conducted using the survey-specific guidelines for all surveys housed in the RDCs. Questions or concerns related to the vetting process or to unfamiliar statistical techniques are addressed by the RDC regional manager or with the RDC Vetting Committee.
During the orientation session, researchers receive training on the confidentiality vetting process and the required documentation for vetting requests. This documentation includes descriptions of variables, weighted and non-weighted counts, syntax and completion of the disclosure request form for every output request. A detailed draft document entitled "Disclosure Control Rules for Outputs from Survey Data at RDCs" provides instructions on how to conduct and perform confidentiality vetting. It includes guidelines on disclosure risk analysis for various data types, covering descriptive or tabular output, variance-covariance and correlation matrices, graphs, and models.
Confidentiality vetting guidelines and processes are found in the Researcher Guide. An important part of the process is for researchers to complete the Vetting Request Form, which provides the required information for the analyst to conduct and document the vetting request. Information required from the researcher includes:
- the name of the output file, survey and cycles used
- characteristics of the population being analyzed
- the statistical procedure and weights used
- a description of the variables
- weighted and unweighted outputs.
Once the vetting is complete, output deemed non-confidential is released to the researcher.
At the Dalhousie RDC, all confidentiality vetting is completed by the full-time RDC analyst. This same analyst has been working with the RDC program for several years and understands Statistics Canada data and the confidentiality requirements. This analyst also has active MRCs; to ensure segregation of duties, the confidentiality vetting for her outputs is completed at headquarters.
Using judgemental sampling (to ensure the inclusion of a variety of data sets, researchers and contract types), 14 completed, active, delinquent and withdrawn contracts were selected to verify that confidentiality vetting takes place at Dalhousie and that the method used is appropriate. Results showed that for all contracts, confidentiality vetting forms were completed and that the method used for each survey was in accordance with the established process. The required supporting documentation for previously vetted material, variables used, definitions of derived variables, as well as weighted and unweighted counts were provided. Evidence was in place that the analyst used the appropriate vetting techniques and effectively applied vetting procedures.
Additionally, the analyst has implemented a procedure to ensure that the finalized vetted material remains under the analyst's control. This control ensures that, should vetting have to be recreated or further vetting be required, the analyst has a record that cannot be modified by a researcher.
Processes and procedures for confidentiality vetting are in place and are effective in protecting the confidentiality of the data. The analyst also maintains an audit trail of all vetted documents which cannot be modified by researchers; this has been deemed a good practice.
Recommendations
It is recommended that the Assistant Chief Statistician of Social, Health and Labour Statistics ensure that:
- procedures for contract management are strengthened to ensure that acknowledgements of the Values and Ethics Code are signed by all researchers and are on file;
- discussions on risks between the regional manager, the RDC analyst and MAD management are used to inform and determine the physical and IT inspections strategy.
Management response:
Management agrees with the recommendations.
- The contracts that were missing the signed Values and Ethics forms were mainly dating from contracts signed between 2009 and 2012. A number of improvements in the contract processing system, including the acknowledgements of the Values and Ethics Code component, have been made since 2012. These have strengthened the process to ensure that all the necessary documents are completed and stored on file/integrated with the research contracts. The following three improvements were made in the past year to address the deficiency that had been identified internally prior to the audit, and will continue to be put in place to address this situation:
- Introduced procedures when sending documents to Head Office, outlined in communiqué 2013-05. Contracts will not be processed by Head Office unless all documentation is received (since October 2013).
- Introduced the use of a checklist when the Microdata Research Contract (MRC) is signed by the Director or designate. The checklist indicates that the Head Office staff have received and processed all documents. This checklist must be completed before an MRC is signed (since December 2013).
- Implemented a new MRC to integrate the Network Use Form and Values and Ethics Code into the contract (since July 2014).
- The Director of MAD will work with IT and physical security to develop a more integrated schedule for the RDCs taking into account risk management and mitigation strategies for the RDC program. Focus will be placed on IT inspections to be conducted in each of the research data centres that are connected to the Wide Area Network over the next 2 years with a view to ensuring that new and upgraded equipment and configurations meet TBS security requirements. While no on-site physical inspections will be done unless a new centre is built or a centre has been renovated, physical security inspectors will meet with RDC Analysts by phone to confirm that no changes have occurred at their centre since the last inspection. MAD management will continue to meet with IT and physical security several times per year and will review the schedule and inspection strategy with the Security Coordinating Committee as required.
Deliverables and Timeline: A revised strategy for IT and physical security inspections, and an integrated risk-based schedule will be developed between January 2015 and September 2016.
Objective 2: The RDC at Dalhousie University complies with applicable TBS and Statistics Canada policies and standards regarding Information Technology Security and Physical Security to ensure that confidentiality of data is protected in the delivery of services.
Information technology security
Roles, responsibilities and accountabilities for Dalhousie IT support staff are outlined in service level agreements, and are aligned to government policies for IT and the Statistics Act. IT general controls, including access, identification and authentication safeguards were embedded in systems and software configurations and were operating as intended at the Dalhousie RDC.
Staff at the Dalhousie RDC is employing an effective practice by using a reliable USB key strictly dedicated for transferring electronic files to the server. Currently, there are no documented procedures or protocols in place to mitigate security threats associated with the use of external USB keys for the RDC program. All RDCs could benefit from this practice and further protect the data stored on the closed network.
Information technology security in RDCs should be compliant with applicable TBS policies, such as the Operational Security Standards, Management of IT Security and Statistics Canada's Security Practices Manual. Roles, responsibilities, and accountabilities should be clearly defined and communicated. In the context of RDCs, IT security should include controls for the protection of the information system; communications with and within the information system; access controls that ensure the ability to permit or deny user access to the systems; and identification and authentication controls that allow unique identification and authentication of each user.
Roles and responsibilities
Within Statistics Canada the Information Technology Operations Division (ITOD) provides guidance and directives on IT security requirements for the RDC program.
At the Dalhousie RDC, IT services are provided locally by university IT staff members. These staff members respond to the RDC analyst's requests as required and ensure that workstation computers, the RDC server and other IT equipment are configured to adhere to Statistics Canada directives and policies.
Roles, responsibilities and accountabilities for Dalhousie IT support staff are outlined in service level agreements, and are aligned to government policies for IT and the Statistics Act.
IT systems safeguards and software configurations
In 2013, all computer systems and hardware at the Dalhousie RDC were replaced and the IT environment was configured to join the headquarters domain. As a result of this change, user accounts are now created by the HOOU, and only the access parameters are controlled locally at the RDC. The server at the Dalhousie RDC has recently been updated and is a stand-alone setup with open directories, using the BASIS Proxcard-II Access System to grant permissions. Apart from the wide-area network (WAN), the server has no external connection. As a result, remote access to the server from outside the RDC is not possible.
During the on-site visit there were nine functional stand-alone workstations available for use by the researchers. These were new computer systems acquired in the last year, all identically configured, with the same hardware and software. The audit team selected a number of key computer safeguards which were tested to ensure they were functioning as intended. Results of the audit team's inspection were as follows:
- Computers in the research lab are not connected to the Internet (Internet access is only available to RDC employees in the RDC analysts' offices), and data and researcher folders are stored on the server.
- Software is installed on each workstation by Dalhousie's IT support, and each workstation runs the Deep Freeze application, which ensures no residual data remains on the computer after log out. The audit team tested Deep Freeze and confirmed it to be effective: documents appeared in a local temporary folder and were erased when the user logged back in.
- The McAfee anti-virus is the prescribed software to be used and was operational on all computers. For all computers linked to the closed network, regular updates are pushed by headquarters every week via the WAN. For the computer with Internet access in the RDC analyst's office, the anti-virus application is updated daily via the Internet.
- Password configuration and validation have been set to standards that are in accordance with Statistics Canada's IT requirements.
- The server and back-up drives are locked in a cabinet housed inside the RDC secured area, for which only the analyst has the keys; this complies with the program's security requirements.
- Printouts of researchers' work can only be produced from a network printer which is located in the RDC analyst's office.
- USB ports available on computers in the research lab are configured to detect and reject all devices that have storage capacity and/or communication media. The audit team connected a cell phone and a USB key to a sample of three of the nine functional lab computers; all devices were rejected by the system.
In all cases, IT general controls were embedded in systems and software configurations and were operating as intended.
Access, identification and authentication safeguards
Procedures specify that user accounts should be created only when a contract is approved and becomes active. Access should be removed upon the expiry date of the MRC and password configuration should meet Statistics Canada standards.
The RDC analyst is responsible for configuring accounts to ensure that only data approved in the final contract are accessible for the duration of the project, and has administrative privileges to access the system. The statistical assistants do not have administrative privileges. Individual userIDs are created for each researcher and for each contract. When researchers are associated with more than one research project, a separate userID is created for each project. Access user accounts are set to reflect the contract start and end dates and the security clearance expiry date, and the separate userIDs prevent researchers from moving files between projects. Password configuration for access user accounts is set in accordance with Statistics Canada standards.
Although not Statistics Canada employees, the Dalhousie IT support staff are deemed employees. They ensure that systems within the RDC are configured to StatCan requirements and have administrative privileges for IT systems only. This access allows them to modify computer system configurations, such as downloading software or installing printers and other devices locally. IT staff at Dalhousie also use administrative privileges to service IT problems, workstation issues and all server-related requirements. They do not have administrative privileges to modify the access parameters of individual userID accounts created for researchers.
The audit team tested a sample of 43 of the 89 contracts with a start date between 2010 and 2014, and compared the data sets noted in the MRC to the information recorded in CRMS and to the data sets included in the IT system parameters for the selected users. Results showed that the list of data sets entered in the system for access privileges agreed with the list of data sets included in the contract or subsequent amendments.
The audit team also tested a random sub-sample of nine individual researchers selected for active contracts to ensure that expiry dates did not exceed the valid security clearance period and that access was granted only for the period stipulated in the MRC. Results confirmed that when the security clearance date expired before the contract end date, the date entered was the security clearance expiry date; this control is effective in ensuring that individuals have security clearance in order to access Statistics Canada data. All other dates were consistent with the MRC, as required.
The audit team also tested the data file access parameters entered in the system for contracts with a status of suspended, incomplete, withdrawn or inactive, and verified that access was disabled. Tests confirmed that, as required, the userID accounts were disabled.
The audit determined that applicable IT security measures are in place and adhere to Statistics Canada's standards for safeguarding and protecting confidential data. IT access, identification and authentication safeguards are embedded in systems and software configurations at the Dalhousie RDC and are working as intended.
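The three access tests described above (data-set lists against the MRC, account end dates capped by the security clearance expiry, and disabled userIDs for non-active contracts) can be expressed as an automated reconciliation. The following is an added example, not code from the audit report or from any Statistics Canada system; the field names, statuses and sample records are constructed assumptions.

```python
"""Reconciling RDC userIDs against their MRCs. Added example, not code from the
audit report or from Statistics Canada systems: field names, statuses and all
sample values are assumptions; the checks follow the audit tests described above."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

# Contract statuses whose userIDs must be disabled (the statuses named in the report).
INACTIVE_STATUSES = {"suspended", "incomplete", "withdrawn", "inactive"}

@dataclass(frozen=True)
class Contract:
    """One Microdata Research Contract as recorded in CRMS (constructed)."""
    mrc_id: str
    status: str
    start: date
    end: date
    clearance_expiry: date      # researcher's security clearance expiry date
    datasets: frozenset[str]    # data sets in the MRC plus any amendments

@dataclass(frozen=True)
class Account:
    """One userID as configured on the RDC server (constructed)."""
    user_id: str
    mrc_id: str                 # one userID per researcher per contract
    enabled: bool
    start: date
    end: date
    datasets: frozenset[str]

def expected_end(contract: Contract) -> date:
    """Account end date is the earlier of the MRC end date and clearance expiry."""
    return min(contract.end, contract.clearance_expiry)

def reconcile(contracts: list[Contract], accounts: list[Account]) -> list[str]:
    """Return one finding per discrepancy; an empty list means every test passed."""
    findings: list[str] = []
    by_mrc = {c.mrc_id: c for c in contracts}
    provisioned = {a.mrc_id for a in accounts}
    for a in accounts:
        c = by_mrc.get(a.mrc_id)
        if c is None:
            findings.append(f"{a.user_id}: contract {a.mrc_id} not found in CRMS")
            continue
        if c.status in INACTIVE_STATUSES:
            # Test 3: suspended/incomplete/withdrawn/inactive contracts -> disabled userID.
            if a.enabled:
                findings.append(f"{a.user_id}: enabled but {c.mrc_id} is {c.status}")
            continue
        # Test 1: data sets in the system must equal the MRC plus its amendments.
        for name in sorted(a.datasets - c.datasets):
            findings.append(f"{a.user_id}: access to {name} not in {c.mrc_id}")
        for name in sorted(c.datasets - a.datasets):
            findings.append(f"{a.user_id}: {name} in {c.mrc_id} not provisioned")
        # Test 2: account dates follow the MRC, with the end capped by clearance expiry.
        if a.start != c.start:
            findings.append(f"{a.user_id}: start {a.start} differs from MRC {c.start}")
        if a.end != expected_end(c):
            findings.append(f"{a.user_id}: end {a.end}, expected {expected_end(c)}")
        if not a.enabled:
            findings.append(f"{a.user_id}: disabled although {c.mrc_id} is active")
    for c in contracts:
        if c.status not in INACTIVE_STATUSES and c.mrc_id not in provisioned:
            findings.append(f"{c.mrc_id}: active contract with no userID")
    return findings

def sample_records() -> tuple[list[Contract], list[Account]]:
    """Constructed records: one clean case, one extra data set, one stale account."""
    contracts = [
        Contract("MRC-001", "active", date(2014, 1, 15), date(2015, 12, 31),
                 date(2015, 6, 30), frozenset({"DS-101", "DS-102"})),
        Contract("MRC-002", "active", date(2014, 3, 1), date(2015, 3, 31),
                 date(2016, 1, 1), frozenset({"DS-201"})),
        Contract("MRC-003", "withdrawn", date(2013, 9, 1), date(2014, 8, 31),
                 date(2015, 1, 1), frozenset({"DS-301"})),
    ]
    accounts = [
        Account("res01_001", "MRC-001", True, date(2014, 1, 15), date(2015, 6, 30),
                frozenset({"DS-101", "DS-102"})),   # end capped at clearance expiry
        Account("res02_002", "MRC-002", True, date(2014, 3, 1), date(2015, 3, 31),
                frozenset({"DS-201", "DS-102"})),   # DS-102 is not in MRC-002
        Account("res03_003", "MRC-003", True, date(2013, 9, 1), date(2014, 8, 31),
                frozenset({"DS-301"})),             # withdrawn contract, still enabled
    ]
    return contracts, accounts

def run_sample() -> list[str]:
    """Run the reconciliation over the constructed records."""
    return reconcile(*sample_records())
```

Run against the constructed records, the clean account produces no finding, while the cross-project data set and the still-enabled account for the withdrawn contract each produce one.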
Protection of RDC servers against IT threats and protocol for reporting incidents
The analyst and statistical assistants control which electronic files can be added to research project files on the closed network. Making researchers' electronic documents and tables available on the closed network is necessary as part of daily operations. Researchers bring their files on a personal USB key. Because workstations in the research lab are configured so that USB keys cannot be accessed, the retrieval of researchers' files is done from the computers under the RDC staff's control.
At the program level, there are procedures on the RDC extranet that explain the terms and conditions for which a researcher can have data, documentation or other information added to their research projects. However, these procedures do not explain how to safely transfer the researchers' electronic documents from an external USB key onto the server.
In order to reduce the risk of a computer virus, malware or other spyware coming into contact with the data stored on the closed network, specific procedures have been implemented at the Dalhousie RDC for electronic file transfers from a researcher's USB key. The researcher's USB key is inserted into the RDC analyst's Internet computer and the McAfee virus scan is run on the entire key. Copies of the files that the researcher wants transferred to his/her project folder on the server are then saved to the desktop, and the individual files are scanned a second time for viruses. The RDC analyst transfers the files/folders of documents from the desktop of the Internet computer to a dedicated RDC USB key and then transfers the files to the researcher's account on the server using the computer that is linked to the closed network. Using a separate USB key dedicated to the RDC was recommended by Dalhousie's IT staff.
Interviews with ITOD confirmed that docking a USB key owned by external users onto a computer that is linked to the closed network increases the risk of inadvertently transferring viruses, spyware and/or malware and should be prohibited. Using a reliable USB key strictly dedicated for transferring files to the server is a good practice which significantly reduces the risk of inadvertently transferring viruses, spyware and/or malware, as the USB key has not been in contact with computers outside of the RDC facility.
Staff at the Dalhousie RDC are employing an effective practice by using a reliable USB key strictly dedicated to transferring electronic files to the server. Currently, there are no documented procedures or protocols in place to mitigate security threats associated with the use of external USB keys for the RDC program. All RDCs could benefit from this practice and further protect the data stored on the closed network.
Recommendations:
It is recommended that the Assistant Chief Statistician of Social, Health and Labour Statistics should ensure that:
- Procedures are documented on the use of USB keys to transfer researchers' data files onto the closed network.
Management response:
Management agrees with the recommendations.
- This is a best practice that is utilized in every centre in the program, but it has not been systematically documented. The Director of MAD will prepare and distribute a Communiqué to all RDC staff and researchers to document procedures on the use of USB keys to transfer researchers' data files onto the closed network.
Deliverables and Timeline: Procedures will be posted to the communications network by December 31, 2014.
Physical security
Physical security measures in place within the Dalhousie University RDC comply with applicable TBS policies and Statistics Canada's Security Practices Manual. Key controls such as a secure perimeter with intrusion detection and restricted access to the centre are in place and are effective to ensure the security of the information held in the facility.
The physical security measures required in RDCs are intended to safeguard the confidentiality of the information held in the facility. Physical security inspections verify that security measures comply with applicable TBS policies, such as the Government Policy on Security (GPS) and Statistics Canada's Security Practices Manual. Physical security should include key controls such as the establishment of a secure perimeter with intrusion detection, restricted access to the centre, and ongoing monitoring through observation during business hours.
Departmental physical security inspections
Physical security inspections are completed upon the initial opening of RDCs, and Statistics Canada management has determined that RDC inspections will take place every four years. Departmental security staff perform the physical inspections and provide recommendations to the RDC regional managers and headquarters staff. The last Dalhousie University RDC physical security inspection was conducted in 2011. As a result of this inspection, one recommendation was issued: that access system reports be printed and reviewed on a regular basis. The RDC staff are able to log in to a security system supported by the Dalhousie Security office and print access system reports. At the Dalhousie RDC, access system reports are produced monthly, mainly to track the hours recorded for projects involving fee-for-service work. The swipe card log reports are available for examination if required to investigate the comings and goings of researchers more thoroughly. By printing out access system reports and reviewing them monthly, staff at the Dalhousie RDC have addressed the recommendation issued from the 2011 physical inspection.
Through comparison with the information provided in the 2011 physical site inspection and interviews with MAD and RDC staff, it was confirmed that the RDC has not relocated or made any significant changes to its physical structural environment since it was last inspected. In light of this, the audit team selected a number of key physical controls within the RDC's physical environment and verified compliance with RDC physical security requirements. Results of the audit team's inspection were as follows:
- The facility has secure locked storage cabinets for storing researchers' files.
- There are no printers located in the research area.
- The printer/fax/scanning device is for RDC staff use only and is located in the RDC analyst's office.
In all cases, key physical controls were set up in accordance with RDC physical security requirements.
Secure perimeter with intrusion detection
The RDC is located on the main floor at Dalhousie University. The RDC was constructed in compliance with Statistics Canada's requirements for perimeter security for 'shared floor occupancy.' Physical access in and out of the RDC is through a single door, accessible from the university library. In accordance with security requirements for RDCs, the centre is secured by a steel door with a deadbolt with a one-inch throw. RDC staff and campus security have keys to the facility. The RDC does not have exterior windows. Interior windows are frosted, except the one in the RDC analyst's office (which faces the library), which has vertical blinds that are kept closed.
Campus security provides 24/7 monitoring of the university facilities. The RDC also has an alarm system and motion detectors, which are functional and safeguard the facility after working hours. If the alarm or motion sensor system is triggered, campus security is notified as first responder and then notifies the RDC analyst.
Restricted access to the RDC
At the Dalhousie RDC, there is one full-time RDC analyst and two part-time statistical assistants. RDC staff are present during business hours and monitor researchers' presence at the facility, to ensure that access to the centre is restricted to authorised individuals. The presence of RDC staff during business hours is a critical control in safeguarding assets within the secure area. RDC staff at Dalhousie set work schedules to ensure continuous presence at the centre, covering vacation leave and personal appointments. In the rare cases where coverage amongst staff is not possible for extended periods, beyond health breaks and brief absences during lunch, the RDC at Dalhousie is closed.
An electronic swipe card access system is also in place. Identification cards are assigned to authorised researchers, and there are two swipe readers, located on the exterior and interior sides of the door to the RDC. The card must be swiped to unlock the door when entering and leaving the secured area; in doing so, the system records all swipe entries and exits. RDC staff have access to the electronic swipe card access system's logs from the analyst's computer through remote login to the Dalhousie security system. The audit team examined the swipe access logs for the RDC for the three days the auditors were on site, as well as the system's reports for the RDC for the month of June 2014. Tests confirmed that the system accurately recorded all swipe entries and exits for the centre. However, reports generated by the access card system do not reflect all individuals' entries and exits during business hours. There are situations where individuals can enter or leave the centre during operating hours without swiping their own individual card: for example, when a number of individuals leave the RDC at the same time, or when someone enters the facility just as someone exits, individuals do not always remember to swipe their card. Additional tests showed that the manual sign-in log is an effective compensatory control, ensuring that a list of all visitors to the centre is maintained.
Ongoing monitoring
In order to effectively monitor activities in the RDC, the analyst should have a clear view of researchers while they are in the centre. At Dalhousie, the RDC analyst can easily observe researchers when they use the workstations located at the front of the RDC. From the RDC analyst's office, however, it is difficult to observe researchers sitting at workstations located in the rear of the RDC. As a mitigation strategy, the RDC staff regularly walk through the RDC and observe the workstations from various positions. Program management has stated that it is a challenge to strike the appropriate balance between protecting the confidentiality of the information and affording researchers a certain level of privacy to carry out their work. Each RDC is configured differently; RDC managers are encouraged to use a risk-based approach in this regard for each RDC.
Physical security measures in place within the Dalhousie University RDC comply with applicable TBS policies and Statistics Canada's Security Practices Manual. Key controls such as a secure perimeter with intrusion detection and restricted access to the centre are in place and are effective to ensure the security of the information held in the facility.
Appendices
Appendix A: Audit criteria
Control Objective / Core Controls / Criteria | Sub-Criteria | Policy Instrument |
---|---|---|
1) The Dalhousie University RDC complies with applicable TBS and Statistics Canada policies and standards regarding Information Technology Security and Physical Security to ensure that confidentiality of data is protected in the delivery of services. | | |
1.1 The physical environment in which the RDC operates complies with current StatCan policies. | 1.1.1 Policies, directives and procedures are in place detailing physical security requirements. 1.1.2 Physical access controls are in place to ensure that the physical environment is effective in safeguarding sensitive data. 1.1.3 Both manual and automated controls exist to ensure physical security (i.e. card readers, alarm systems, sign-in sheets). 1.1.4 Ongoing monitoring of the environment takes place to ensure changes/new risks can be quickly addressed. 1.1.5 Regular periodic physical inspections take place to ensure compliance with policies and are conducted by corporate service functions. Results from physical inspections are recorded and remedial action is taken when non-compliance is found. | TBS Government Policy on Security; TBS Standard on Physical Security; TBS Directive on Departmental Security Management; Statistics Canada Security Practices Manual; Internal RDC physical security documentation; Security of Sensitive Statistical Information; Statistics Act; Discretionary Disclosure Directive; Policy on Deemed Employees |
1.2 The IT environment in which the RDC operates complies with current StatCan policies. | 1.2.1 Policies, directives and procedures are in place detailing IT security requirements. 1.2.2 IT hardware, software and general computer controls are in place to safeguard sensitive data. 1.2.3 Each workstation is configured to ensure compliance with StatCan and TBS IT security requirements. 1.2.4 Passwords must be entered to activate the computer systems and are regularly updated, and time-outs are functional. 1.2.5 Regular periodic IT inspections take place to ensure compliance with policies and are conducted by corporate service functions. Results from IT inspections are recorded and remedial action is taken when non-compliance is found. | TBS Government Policy on Security; TBS Directive on Departmental Security Management; Statistics Canada Security Practices Manual; Statistics Canada IT Security Policy; Security of Sensitive Statistical Information; Statistics Act; Discretionary Disclosure Directive; Policy on Deemed Employees |
1.3 Access to sensitive statistical information is restricted to authorized individuals using IT and environmental control systems that are maintained in accordance with applicable policies. | Physical and IT access is controlled to ensure only those authorized can physically access the RDC premises, and log-in to workstations restricts access to authorized data sets only. 1.3.1 Physical and IT access control listings are regularly updated and validated. 1.3.2 University staff who maintain the IT systems understand the IT security requirements and ensure access to data is restricted to authorized uses only. 1.3.3 RDC staff monitor researchers and workstations to ensure researchers comply with procedures. 1.3.4 Researchers authorized to use the RDC have access to only those data sets noted in the MRC. 1.3.5 Accounts are automatically disabled upon contract expiry dates and all external ports have been disabled on researcher workstations. 1.3.6 Access to files is restricted to researchers having MRCs in good standing. | Security of Sensitive Statistical Information; Discretionary Disclosure Directive; TBS Directive on Departmental Security Management; Statistics Canada Security Practices Manual; Statistics Canada IT Security Policy; TBS Government Policy on Security; TBS Standard on Physical Security |
1.4 The confidentiality of sensitive statistical information is protected through the application of continuous vetting activities prior to letting written documentation leave the RDC. | 1.4.1 Practices of continuous data vetting are applied to ensure documents containing sensitive statistical information do not leave the RDC. | Statistics Canada Security Practices Manual; Directive on Sensitive Statistical Information |
2) The Dalhousie University RDC has effective practices and mechanisms in place to ensure that the confidentiality of data is protected in the delivery of services. | | |
2.1 Accountabilities in support of the RDC's operations and collaborative initiatives shared among RDC staff, university staff and researchers are formally defined. | 2.1.1 Agreements, terms of reference or equivalent documents outlining roles, responsibilities and accountabilities for functions involving the Dalhousie University staff are in place outlining the responsibilities for the: 2.1.3 Oaths and values and ethics documents outline requirements related to the confidentiality of Statistics Canada data and are in place prior to granting access to data. 2.1.4 Documentation outlining confidentiality vetting responsibilities for statistical outputs is in place. 2.1.5 RDC staff receive regular communications and updates from headquarters related to new processes and procedures, changes to process, issues and other items related to RDC operations, MRC management and confidentiality requirements. 2.1.6 RDC staff receive regular information updates related to confidentiality vetting, and when new data sets arrive in the RDC locations, vetting requirements are communicated. | Internal RDC roles and responsibilities documentation; RDC documentation for Academic Directors; RDC Researcher Guide; Policy on Deemed Employees; MRC contract templates; Oath / Affirmation of Secrecy; Values and Ethics documents; Internal Confidentiality Vetting documents |
2.2 As deemed employees, researchers, RDC staff and university staff formally acknowledge compliance with Statistics Canada's corporate values and ethics, code of conduct or equivalent policies as they pertain to the confidentiality of sensitive statistical information. | 2.2.1 Upon commencement of a new contract with the RDC, researchers are required to sign a statement acknowledging understanding of and compliance with the policies and the Statistics Act through the following activities: | Values and Ethics documents; Documentation distributed at orientation session; RDC Researcher Guide; Evidence of orientation sessions provided, and acknowledgement to comply with values and ethics/code of conduct; Evidence of security clearance for researchers |
2.3 Management identifies, assesses and responds to the risks that may preclude the achievement of its objectives and assesses the effectiveness of existing controls. | 2.3.1 Regular discussions are held between the Regional Manager, the RDC Analyst and MAD. 2.3.2 Management-led IT and physical security inspections are conducted for the Dalhousie University RDC and used to determine risks and mitigation strategies. | RDC Security Inspections; Confidentiality Vetting guidelines; Audit trail/files kept within the RDC in support of vetting activities |
2.4 Management has established processes to develop and manage relevant agreements, Memoranda of Understanding (MoUs), and/or contracts, for the purposes of the RDC Program in the region. | 2.4.1 Microdata Research Contracts exist, are up to date, outline data requirements and the research being conducted, contain relevant dates (start and expiry dates), and outline the terms and conditions for RDC usage. 2.4.2 All security screening is in place for contracts. 2.4.3 Oaths are signed and in place. | Internal RDC documentation; Security clearance evidence; Confidentiality oaths |
Appendix B: Acronyms
Acronym | Description |
---|---|
CIHR | Canadian Institutes of Health Research |
CRDCN | Canadian Research Data Centre Network |
CRMS | Client Research Management System |
CS | Chief Statistician |
CSSD | Corporate Support Services Division |
DAC | Departmental Audit Committee |
DS | Departmental Security |
FRDC | Federal Research Data Centre |
HOOU | Head Office Operations Unit |
IA | Internal Audit Division |
ICN | Internal Communication Network |
IIA | Institute of Internal Auditors |
IT | Information Technology |
ITOD | Information Technology Operations Division |
MAD | Microdata Access Division |
MRC | Microdata Research Contract |
RDC | Research Data Centre |
SMD | Subject Matter Division |
SSHRC | Social Sciences and Humanities Research Council |
TBS | Treasury Board Secretariat |
USB | Universal Serial Bus |
WAN | Wide Area Network |