March 24, 2015
Project Number: 80590-87
- Executive Summary
- Introduction
- Background
- Audit objectives
- Scope
- Approach and methodology
- Authority
- Findings, Recommendations and Management Responses
- Governance and Risk Management
- Control in place to protect advance release information provided to external organizations
- Controls within Statistics Canada to ensure the confidentiality of pre-release information
- Appendices
- Appendix A: Audit criteria
- Appendix B: Acronyms
Executive Summary
Statistics Canada's Official Release is disseminated through the Daily. The Daily issues news releases on current social and economic conditions and announces new products. It provides a comprehensive one-stop overview of new information available from Statistics Canada. Statistics Canada has been using the Daily as the Official Release vehicle since 1932.
Access to the Daily is provided on the Statistics Canada website at 8:30 a.m. Eastern time each business day. This ensures that Canadians receive equitable and timely access to all new Statistics Canada information. When advance release of information is required, Statistics Canada's Policy on Official Release outlines the conditions that must be met.
The objectives of the audit were to provide the Chief Statistician (CS) and the Departmental Audit Committee (DAC) with assurance that:
- Statistics Canada has adequate governance structures and a risk management framework in support of the Official Release.
- Effective control mechanisms have been established and are consistently applied to ensure that the advance release of Agency products is compliant with the Policy on Official Release and other applicable Statistics Canada policies and directives.
The audit was conducted by Internal Audit Division in accordance with the Government of Canada's Policy on Internal Audit.
Key Findings
Roles, responsibilities and accountabilities for Official Release are formally defined through internal procedural documentation and communicated to employees. Appropriate and effective oversight bodies for Official Release have been established. The Electronic File Transfer Governance Steering Committee is in place and operational, but it does not have a formal mandate outlining roles and responsibilities, which may reduce the effectiveness of the intended oversight of this committee.
The Official Release process encompasses activities in several divisions as well as outside organizations. The risk management framework currently used throughout the Agency does not compel managers to consider risk inter-dependencies, nor does it provide an integrated lens on risk management, which could limit the effectiveness of potential mitigation strategies.
Official Release includes a process for external parties to formally acknowledge their responsibilities as they relate to sensitive statistical information. This process needs to be strengthened to be fully effective and reduce the risk to the protection of sensitive statistical information.
The media lock-up room is secure. Its operating procedures, combined with the physical security features of the room, are effective and ensure the protection of information.
Individuals designated as media spokespersons for information releases have not all followed the mandatory media training. As a result, there is an increased risk that employees will not understand their roles and responsibilities with respect to being an official spokesperson for the Agency.
Access privileges on internal shared drives which contain pre-release information are restricted, but not regularly updated when employees leave a division or program.
The manual controls that have been developed, combined with the daily monitoring of the transfer of Official Release information between secure networks, are effective mechanisms to address IT malfunctions and minimize delays of the official release materials.
Contracting practices for the procurement of translation services require strengthening. The audit found significant weaknesses with the current controls in place and identified several instances of non-compliance, which considerably increases the risk to the confidentiality of sensitive statistical information.
Overall Conclusion
Statistics Canada has established adequate governance and risk management frameworks, which are aligned to support Official Release activities. The effectiveness of these frameworks could be improved by formalizing the mandate of the Electronic File Transfer (EFT) Governance Steering Committee and compelling managers to consider risk inter-dependencies through the risk management framework.
Certain controls in place to protect advance release information provided to external organizations need to be strengthened to ensure that all the requirements related to the Policy on Official Release are understood. More specifically, all advance release recipients should have valid Acknowledgements of Confidentiality.
Control activities within Statistics Canada to ensure the confidentiality of pre-release information are effective. There are opportunities for improvement in the areas of updating of access permissions and media training. The management of procurement activities for translation services must be strengthened to ensure compliance to relevant Government of Canada policies and to ensure the protection of sensitive statistical information.
Conformance with Professional Standards
The audit was conducted in accordance with the Internal Auditing Standards for the Government of Canada, which include the Institute of Internal Auditors' (IIA) International Standards for the Professional Practice of Internal Auditing.
Sufficient and appropriate audit procedures have been conducted and evidence gathered to support the accuracy of the findings and conclusions in this report and to provide an audit level of assurance. The findings and conclusions are based on a comparison of the conditions, as they existed at the time, against pre-established audit criteria. The findings and conclusions are applicable to the entity examined and for the scope and time period covered by the audit.
Patrice Prud'homme
Chief Audit Executive
Introduction
Background
Statistics Canada, as the national statistical agency, is required to "collect, compile, analyse, abstract and publish" statistical information on Canada's economy and society that is fundamental to support evidence based decision-making and inform debate.
The Daily is Statistics Canada's official release vehicle and supports the mandate to publish statistical information on Canada. Official Release (OR) is governed under the Policy on Official Release at Statistics Canada. Under this Policy, every new cycle of every statistical program, whether based on surveys or administrative data, whether funded through estimates or cost recovery, must be released in The Daily before it can be disseminated to the public. Until Official Release, the dataset or product has "Protected" status as defined by the Government Security Policy. The minimum requirement for OR is a statement in The Daily that a dataset is available. This practice ensures that all potential users have access to statistical program results and products at the same time. It creates a level playing field that reinforces the Agency's reputation for neutrality.
Under the Policy on Official Release, there are certain circumstances in which Statistics Canada can release information to external parties in advance of OR in The Daily. These circumstances occur when:
- Federal officials have advance access to a small number of key releases to prepare appropriate responses for ministers, given that ministerial comment can have repercussions on markets.
- Work-in-progress datasets, analytical products and information products may be provided in advance of OR to designated individuals of external organizations for the purposes of data validation.
- Analytical products may be provided in advance of OR to an individual or external organization for the purpose of institutional and peer review.
- Microdata files or confidential aggregates from which datasets are obtained may be shared with a third party prior to the OR.
- Advance release (AR) for information applies to collaborative programs (cost-recovery programs, administrative data files and common governance structure).
- The Chief Statistician may authorize dissemination of information in advance of release in special circumstances in which the benefits justify the exception.
Oversight of the application of the Policy on Official Release falls under the responsibility of Communications Division within the Agency. Directors of program areas are responsible for ensuring that protected information is securely transmitted when provided outside the agency and that it is covered by an acknowledgement of confidentiality requiring the receiving organization to comply with requirements described in the Policy. Additionally, outside organizations that receive AR information must acknowledge receipt of the protected information they receive, safeguard the information, limit access to it, and destroy all protected information once the review has been completed.
Audit Objectives
The objectives of the audit were to provide the Chief Statistician (CS) and the Departmental Audit Committee (DAC) with assurance that:
- Statistics Canada has adequate governance structures and a risk management framework in support of the Official Release.
- Effective control mechanisms have been established and are consistently applied to ensure that the advance release of Agency products is compliant with the Policy on Official Release and other applicable Statistics Canada policies and directives.
Scope
The scope of this audit included an examination of the adequacy and effectiveness of the controls for OR. Specific areas that were examined include:
- Governance and monitoring practices that support clear accountability, oversight, scrutiny and challenge functions;
- Effective risk management processes for the identification of the key risks for OR, as well as the development and monitoring of risk management strategies; and
- Operational processes and controls in place to ensure the confidentiality and integrity of sensitive statistical information in the advance release of information.
The scope of the audit work included an assessment of AR activities from January 1, 2013 to July 1, 2014.
Approach and Methodology
The audit work consisted of a comprehensive review and analysis of relevant documentation, interviews with key management and staff and a review for compliance with relevant policies and guidelines.
The field work included a review and testing of the OR processes and procedures in place to ensure the protection of sensitive statistical information until dissemination of the information in The Daily.
This audit was conducted in accordance with the Internal Auditing Standards for the Government of Canada, which includes the Institute of Internal Auditors (IIA) International Professional Practices Framework.
Authority
This audit was conducted under the authority of the approved Statistics Canada Integrated Risk-Based Audit and Evaluation Plan 2013/14 to 2017/18.
Findings, Recommendations and Management Response
Objective 1: Statistics Canada has adequate governance structures and a risk management framework in support of the Official Release.
Governance and Risk Management
Roles, responsibilities and accountabilities for Official Release are formally defined through internal procedural documentation and communicated to employees. Appropriate and effective oversight bodies for Official Release have been established. The Electronic File Transfer Governance Steering Committee is in place and operational, but it does not have a formal mandate outlining roles and responsibilities, which may reduce the effectiveness of the intended oversight of this committee.
The Official Release process encompasses activities in several divisions as well as outside organizations. The risk management framework currently used throughout the Agency does not compel managers to consider risk inter-dependencies, nor does it provide an integrated lens on risk management, which could limit the effectiveness of potential mitigation strategies.
A robust governance and risk management framework is essential to ensure that Official Release materials are adequately protected, both internally to Statistics Canada and when information is transmitted to third parties. Roles, responsibilities and accountabilities for Official Release should be clear, communicated and understood. Appropriate and effective oversight bodies should be established and their roles and responsibilities formalized. Employees should understand their obligations under the Values and Ethics code; it should be easily accessible and explain how to proceed should any potential wrongdoing be observed.
Roles, responsibilities and accountabilities for staff working on OR are defined and communicated.
One of the expected results of the Policy on Official Release is that governance structures, mechanisms and resources are in place to ensure the continuous and effective management of Statistics Canada pre-release information. Oversight of the application of the Policy on Official Release falls under the responsibility of Communications Division within the Agency. As per the Policy, Directors of program areas are responsible for ensuring that protected information is securely transmitted when provided outside the agency and that it is covered by an acknowledgement of confidentiality requiring the receiving organization to comply with requirements described in the Policy.
The audit examined several job descriptions and procedures documents and found that these adequately outlined the various tasks associated with the preparation of OR materials.
Oversight bodies have clearly defined mandates to govern the OR process.
The Editorial Board of The Daily is responsible for overseeing The Daily's editorial content and guides The Daily team on strategic and operational issues related to The Daily. A review of meeting minutes and interviews with staff indicated that the Editorial Board was fulfilling its mandate as a forum to ensure a coherent and uniform approach to writing and publishing ORs. Moreover, review of the mandate and minutes revealed that the Board also serves an oversight function, given that the content and the format of The Daily have greatly evolved over the past few years. The audit found that the Communications Division has a step-by-step 'Process Flow for Daily Releases', which helps the Subject Matter Divisions (SMDs) understand the steps to follow and approvals required when writing a release for their division.
The EFT Governance Steering Committee (EFT-DGC) was established to comply with the requirements stated in the Directive on the Transmission of Protected Information. Interviews with members of the committee noted that they serve as a second level of review to ensure that a request was placed for the creation of an EFT safe-box, but that the key control remains with the SMDs, which retain responsibility for ensuring that all requirements are met when providing AR information to third parties as per the Policy on Official Release. The audit determined that although the EFT-DGC is in place and operational, a formal mandate and membership list have not been developed, nor does it post minutes of its meetings. Without a formal mandate, the effectiveness of the intended oversight may be reduced.
The Corporate Risk Management framework requires updating.
Management at Statistics Canada is required to periodically identify and assess risks to their division and this is done through the annual risk register exercise. Communications Division has identified risks associated with OR in its risk register. The risk register also notes that the protection of pre-release information is critical, and that access to pre-release information should be restricted throughout the process and that management periodically conducts compliance checks within the Communications Division to ensure that access is restricted.
The audit noted that with respect to OR, subject matter divisional risk registers examined were not detailed enough to capture specific risks to OR. Similarly, corresponding SMD's divisional Business Continuity Plans assessed were at too high a level to address specific risks to OR objectives, and did not provide guidance on action plans should risks to OR occur.
During audit interviews, a number of risks were identified informally by staff at both the management and operational levels within SMDs. Risks identified included: the risk posed to the timeliness of OR when working with tight timelines and small teams; the risk that last minute changes to The Daily text may change the meaning of the release or may not be captured appropriately when translated into the second official language; the risk of the unauthorized release of information before the OR; and the risk posed by outdated access rights within divisions.
The audit found that the Official Release process encompasses activities in several divisions as well as outside organizations. The risk management framework currently used throughout the Agency does not compel managers to consider risk inter-dependencies, nor provide an integrated lens to risk management. As a result, significant risks noted by SMDs are not considered in the Communications Division risk register, therefore possibly limiting the effectiveness of potential mitigation strategies.
Recommendations:
It is recommended that the Assistant Chief Statistician of Census, Operations and Communications ensure that:
- A formalized mandate and membership list, including the roles and responsibilities of the EFT Dissemination Governance Committee, are put in place.
Management Response:
Management agrees with the recommendation.
- The Director, Dissemination Division will develop a formalized document including mandate, membership and roles and responsibilities for the EFT Dissemination Committee.
Deliverables and Timeline: A formalized document including mandate, membership and roles and responsibilities for the EFT Dissemination Committee by June 2015.
It is recommended that the Corporate Risk Officer ensure that:
- The Corporate Risk Management framework is updated to enable the integration of risk inter-dependencies across departmental divisions.
Management Response:
Management agrees with the recommendation.
- The risk registry and corporate risk profile have been conducted annually and have evolved with improvements year over year. The Corporate Risk Officer will undertake a review of current business processes to more efficiently and effectively capture operational and strategic risks. This review will lead to an improved risk framework and introduce more rigor during the development of the risk registry, including the identification of interdependencies that impact outcomes.
Deliverables and Timeline: A documented business process for the integrated risk management framework; the development of a risk framework and risk registry; and tools to support the development of the risk registry will be developed by March 2016.
Objective 2: Effective control mechanisms have been established and are consistently applied to ensure that the Advance Release of the Agency products is compliant with the Policy on Official Release and other applicable Statistics Canada policies and directives.
Control in place to protect advance release information provided to external organizations
The Official Release process includes a process for external parties to formally acknowledge their responsibilities as they relate to sensitive statistical information. This process needs to be strengthened to be fully effective and reduce the risk to the protection of sensitive statistical information.
The media lock-up room is secure. Its operating procedures, combined with the physical security features of the room, are effective and ensure the protection of information.
Effective control activities include IT security practices and other activities that effectively manage third parties, prescribe how associated tasks should be performed, prohibit inappropriate action, and define the limits of acceptable action that third parties should clearly understand and follow.
The system used to ensure that advance release information is protected and sent only to authorized external parties requires improvement.
Under the Policy on Official Release, all new Statistics Canada datasets, analytical and information products are released through The Daily, which is the OR vehicle for the Agency. The Policy notes that there are 5 conditions that allow information to be disseminated prior to OR. The conditions under which AR is permitted are:
- Authorization by the Clerk of the Privy Council on the advice of the Chief Statistician;
- Authorization by the Chief Statistician;
- Work-in-progress agreements (for data validation purposes);
- AR for information purposes (cost recovery and administrative data back to the source organization); and
- Common Governance.
To obtain an authorization by the Clerk of the Privy Council for an AR, a letter is sent from the Chief Statistician to the Clerk, requesting authorization for a department. The Clerk of the Privy Council sends a letter back to Statistics Canada, authorizing ARs under this condition. As at June 2014, there were 6 federal departments or agencies that had authorization by the Clerk of the Privy Council for AR for the various mission critical surveys and major economic indicators.
There were no AR arrangements in place under authorization of the Chief Statistician.
The majority of ARs fall under the category of work-in-progress (91 submissions) and AR for information purposes (47 submissions). In all cases, except Common Governance (8 submissions), when organizations request AR of information, requests must be approved by the SMDs as well as the Director General of Communications Division.
A Common Governance Structure Recognition Submission form must be prepared for a formal collaborative program that has been designated by the Executive Management Board in a recognized common governance structure with partner organizations. For the audit period there were 8 common governance recognitions in place.
The Policy requires that for approved AR submissions, external partners must acknowledge their responsibilities. For this purpose, the Acknowledgement of Confidentiality (AoC) forms have been created for recipients to sign. The terms in these forms are:
- acknowledging receipt of the information
- safeguarding the confidentiality of the protected release information provided to them
- limiting access to the protected information to those designated officials within their organizations for work-related purposes (respecting the 'need-to-know')
- undertaking not to further disseminate the protected release information
- destroying the protected information once the review is completed, prior to official release.
Additionally, the Policy notes that when AR is used to brief a Minister, the briefing cannot take place prior to 5 pm EST on the business day preceding the day on which the information will be published in The Daily.
For ARs under the conditions of information purposes and work-in-progress agreements, new AoCs must be signed every 15 months. The audit was advised by staff in Communications Division that there is no renewal requirement for AR under Authorization of the Clerk or for Common Governance. The audit noted that the terms in the AoCs have changed over time. As a result, where there is no requirement to renew AoCs with recipients, a change to the responsibilities set out in the AoC (i.e. changed AoC terms) means that recipients will not have acknowledged the new responsibilities and will not have been periodically reminded of their responsibilities for the protection of sensitive statistical information.
The Policy notes that Communications Division is responsible for keeping a registry of all ARs and for periodically collecting information on the results and benefits of previously approved ARs from program managers in the organization. This is to ensure continuous and effective management of Statistics Canada's advance release information as required in the Policy. Communications Division also keeps copies of signed AoCs.
The audit examined the AR registries in place in Communications Division for 2012-13 and 2013-14 and found that a registry was in place for all AR conditions except for AR under authorization of the Clerk of the Privy Council.
While the Office of the Chief Statistician had a list of all departments receiving information under Authorization of the Clerk, Communications Division did not have a registry in place for advance releases under authorization of the Clerk of the Privy Council as required by the Policy. As a result, the management of AR under this condition is not fully effective. For the two major indicators sampled, the audit noted that in one case incorrect forms were signed and not all those designated to receive the information had signed AoCs. For one SMD that provided AR information under authorization of the Clerk of the Privy Council, no AoCs were in place at all (Table 1).
The Policy on Official Release requires that the results and benefits of previously approved advance releases are documented to ensure that there is a demonstrable benefit to allowing outside organizations to have advance release materials. The Policy also requires that Communications Division periodically collect this information from subject matter divisions. The audit noted that the subject matter divisions contacted do not document this information and Communications Division does not collect it. In the absence of documented evidence of the benefits of allowing protected information to be accessed in advance of official release, the organization may not be able to adequately complete the risk/reward exercise, which could lead to unnecessarily providing advance releases with little or no benefit to the organization.
During the annual update of the advance release registries, Communications Division undertakes an exercise in which subject matter divisions provide a justification for continued advance release under common governance, Work In Progress (WIP), and advance release for information purposes. The audit noted that these justifications are at a high level and included rationales such as: recipient is a partner; recipient provides validation; provided for information purposes. Justifications are high level and generic in nature, and do not provide enough information to prove a demonstrable benefit.
The audit tested AR submissions and the corresponding AoCs under each of these conditions for the period of January 1, 2013 to July 1, 2014. For 13 of the 14 AR submissions tested under the 4 conditions where the audit found AoCs, SMDs had recipients sign the correct forms. The audit also tested whether all submissions under work-in-progress, information purposes and common governance had the required signed Acknowledgements of Confidentiality in place (Table 1). Overall testing results revealed that some of the AoCs were not in place. More specifically, under each advance release condition, audit testing found:
- Work-in-progress agreements: of the 5 WIP submissions sampled, 4 submissions had the required number of Acknowledgements of Confidentiality in place.
- Advance release for information purposes: 4 of the 4 submissions sampled had all of the required Acknowledgements of Confidentiality on file.
- Common Governance: 2 of the 2 submissions sampled had all of the required Acknowledgements of Confidentiality in place.
- Advance release under Authorization of the Clerk: of the 2 submissions sampled, neither used the correct AR submission forms, and one had the required number of Acknowledgements of Confidentiality in place.
Table 1
Advance Release Submission Type | Total | Sampled | Appropriate approvals for AR Submission sampled | Correct AR Submission Forms were used | AR Submission has all AoCs in place | Expected total number of AoCs as per sample | Actual number of AoCs on file as per sample |
---|---|---|---|---|---|---|---|
WIP | 91 | 5 | 5 | 5 | 4 | 50 | 48 |
Information | 47 | 5 | 5 | 4 | 4 | 35 | 35 |
Common Governance | 8 | 2 | 2 | 2 | 2 | 42 | 42 |
Under Authorization of the Clerk | 6 | 2 | 2 | 0 | 1 | 17 | 10 |
Further, the audit noted in 2 of the signed AoCs in place, the AR recipients had changed the terms on the acknowledgements without approval from Communications Division.
While there is a process in place for external parties to formally acknowledge their responsibilities as they relate to sensitive statistical information, the current process is not fully effective which may increase the risk to the protection of sensitive statistical information.
The media lock-up room is secure
When there is a major economic, Census or National Household Survey release, journalists holding a valid Parliamentary Press Gallery Pass may attend a media lock-up. The Media lock-up provides an environment where journalists can access OR materials approximately one hour in advance of the official release to prepare an article.
The media lock-up room was last renovated in September 2013 and the room is protected against all wireless or radio-frequency communications. Additionally, except for the telephone on the Media Relations staff monitoring desk, all other landlines are disabled during lock-up. During a media lock-up, the room is locked from the start of lock-up (usually 7:30 am) until the official release time of 8:30 am. When in lock-up mode and the door to the room is closed, no communication with external parties is permitted until release time. Journalists are required to turn in all cell phones, which are placed in a secure lead box. During the lock-up period, journalists receive a copy of the OR material after the room has been secured and prepare their articles. At exactly 8:30 am (synchronized with the standard time of the National Research Council), the lock-up room is unsecured and journalists are able to submit their articles for publication.
The audit tested the media lock-up room and its operating procedures and found that the security features of the room are effective and ensure the protection of information.
Recommendations:
It is recommended that the Assistant Chief Statistician of Census, Operations and Communications ensure that:
- Communications Division works with SMDs to enhance the registry for Advance Release Submissions to enable effective management of submissions and ensure AR materials are limited to authorized individuals only.
- All Advance Releases are managed by a single authority (i.e. Communications Division), and requirements for Acknowledgements of Confidentiality are made uniform so that periodic updates to Acknowledgements of Confidentiality take place, confirming recipients' understanding of their responsibilities with respect to the protection of protected information.
- There is a demonstrable benefit associated with Advance Releases for Work in Progress (WIP) purposes, and these benefits are documented by SMDs and collected by Communications Division.
Management response:
Management agrees with the recommendations.
- The Director General, Communications will work with the Directors of Subject-matter Divisions to confirm the accuracy of the information in the registers, collect signed copies of acknowledgement of confidentiality for all advance release agreements and add them to Statistics Canada's register of advance release and common governance agreements.
Deliverables and Timeline: An enhanced and accurate registry for Advance Release Submissions by June 2015.
- The Director General, Communications will ensure that a register for the Advance Releases authorized by the Clerk of the Privy Council is established and maintained by the Communications Division.
Deliverables and Timeline: A register for Advance Releases authorized by the Clerk of the Privy Council maintained by Communications Division by June 2015.
- The Director General, Communications will ensure that the Policy on Official Release is modified to specify periodic updates for the Acknowledgements of Confidentiality for the Advance Releases authorized by the Clerk of the Privy Council and for Common Governance Structure agreements. The forms "Acknowledgement of Confidentiality for Advance Releases authorized by the Clerk of the Privy Council" and "Acknowledgment of Confidentiality for Common Governance" will be modified accordingly.
Deliverables and Timeline: A modified Policy on Official Release by June 2015.
- The Director General, Communications will ensure that the Communications Division works with Subject Matter Divisions to ensure that the benefits associated with Work-in-progress agreements (advance release for validation purposes) are stated specifically in the register.
Deliverables and Timeline: Documentation of the benefits of WIPS, with greater specificity in the register by June 2015.
Controls within Statistics Canada to ensure the confidentiality of pre-release information
Access privileges on internal shared drives which contain pre-release information are restricted, but not regularly updated when employees leave a division or program.
Individuals designated as media spokespersons for information releases have not all followed the mandatory media training. As a result, there is an increased risk that employees will not understand their roles and responsibilities with respect to being an official spokesperson for the Agency.
The manual controls that have been developed, combined with the daily monitoring of the transfer of Official Release information between secure networks, are an effective mechanism to address IT malfunctions and minimize delays of the official release materials.
Contracting practices for the procurement of translation services require strengthening. The audit found significant weaknesses with the current controls in place and identified several instances of non-compliance, which considerably increases the risk to the confidentiality of sensitive statistical information.
Effective control mechanisms and processes support the organization in the management of risks and the achievement of the established objectives by ensuring that assets are safeguarded and that actions and decisions of the organization are in compliance with applicable laws, policies and directives.
Access privileges to shared folders require regular updating.
The Directive on the Security of Sensitive Statistical Information and the Security Practices Manual note that Statistics Canada considers all sensitive statistical information under its care and control as Protected B. As such, this information should be controlled to protect against loss, theft, compromise or improper disclosure. Within Statistics Canada, this information may only be circulated to individuals on a need-to-know basis.
Subject Matter Divisions noted that all protected information is housed on secure shared drives. Shared drives are on secure Network A and access to these drives is restricted on a need-to-know basis. The audit confirmed that when a review of information is to take place, a hyperlink to the information is circulated via an email, and that electronic versions of the information are not sent.
The audit examined file folders and the associated permissions for the pre-release information for the Labour Force Survey (LFS), Monthly Retail Trade Survey (MRTS) and Communications Division to determine if file access is restricted to only those with a need to know. Although access was found to be restricted in the pre-release folders, the audit found that permissions were not regularly updated and that in both SMD pre-release folders examined, some individuals with permission to these folders were no longer working in the division.
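The stale-permission condition described above is the kind of finding a periodic access review catches mechanically. The following is an added example, not code from the audit report or from Statistics Canada: it reconciles the access control entries on each pre-release folder against the owning division's current roster and flags accounts that have left the division or the organization. The folder names, division names and account ids are constructed sample data.

```python
"""Stale-permission review for pre-release folders (added example, constructed data).

Each folder is owned by one division; any account on its ACL that is no longer in
that division (moved elsewhere or departed) is a finding to be revoked.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    folder: str
    user: str
    reason: str


# Constructed sample: folder -> accounts currently granted access on the share.
FOLDER_ACL = {
    "netA/lfs/pre-release": {"alice", "bob", "carol"},
    "netA/mrts/pre-release": {"dave", "erin", "bob"},
}

# Constructed sample: folder -> division that owns the pre-release material.
FOLDER_OWNER = {
    "netA/lfs/pre-release": "LFS",
    "netA/mrts/pre-release": "MRTS",
}

# Constructed sample staff directory: account -> current division, or None if departed.
DIRECTORY = {
    "alice": "LFS",
    "bob": "MRTS",   # moved from LFS to MRTS but still holds LFS access
    "carol": None,   # left the organization, ACL entry never removed
    "dave": "MRTS",
    "erin": "MRTS",
}


def review_access(folder_acl, folder_owner, directory):
    """Return one Finding per ACL entry that no longer satisfies need-to-know."""
    findings = []
    for folder, members in folder_acl.items():
        owner = folder_owner[folder]
        for user in sorted(members):
            division = directory.get(user)
            if division is None:
                findings.append(Finding(folder, user, "account departed"))
            elif division != owner:
                findings.append(Finding(folder, user, f"now in {division}"))
    return findings


def proposed_acl(folder_acl, findings):
    """The ACLs with every flagged entry removed, for the owner to confirm before applying."""
    to_remove = {(f.folder, f.user) for f in findings}
    return {
        folder: {u for u in members if (folder, u) not in to_remove}
        for folder, members in folder_acl.items()
    }


if __name__ == "__main__":
    found = review_access(FOLDER_ACL, FOLDER_OWNER, DIRECTORY)
    for f in found:
        print(f"{f.folder}: revoke {f.user} ({f.reason})")
    print(proposed_acl(FOLDER_ACL, found))
```

In practice the three inputs would come from the file server's ACLs, a share-ownership inventory and the HR or directory service; the value of the check is that it runs on a schedule rather than relying on a manager remembering to remove access when someone leaves.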
The Smart Daily application allows Subject Matter Divisions to load pre-release Daily texts into an application which formats the official release materials. All SMDs which have Official Releases use this application; however, access is restricted to authorized users within each division. Communications Division manages the access and permissions for this application. The audit examined the Smart Daily application to ensure that SMD employees who are authorized to use the Smart Daily application have access to only their own materials and that pre-release information from other areas is restricted. The audit found that employees in Communications Division limit access so that users can only access their own information and cannot view information from other programs or divisions.
Media spokespersons for information releases have not all followed the mandatory media training.
Prior to speaking to the media, individuals designated to be media spokespersons are to have taken the "Encountering the Media" course. This training is designed to help Statistics Canada staff to be prepared for media requests and ensure that spokespersons understand their responsibilities when designated as media spokespersons.
The Agency has adopted a policy to accept media requests for interviews and to provide comments on program issues and data interpretation, and for each OR, will designate certain individuals within SMDs as media spokespersons or information contacts. According to both the Policy on Official Release and the Policy on Media Relations: Spokespersons and Response to the Media, Communications Division is responsible for providing media training to information contacts for OR purposes and directors in SMDs must ensure identified spokespersons have taken the required training.
A training and development plan exists for the handling and management of the media; however the audit took a sample of 25 individuals who were named as media spokespersons over the audit period and found that 28% of them had not completed the required media training. Interviews with Communications employees who provide the training noted that refresher courses and mock interviews can be arranged with Communications Division on an ad-hoc basis, but that these informal courses are not considered as a substitute for the formal course.
When media spokespersons have not taken the required formal media training there is an increased risk that employees will not understand their roles and responsibilities with respect to being an official spokesperson for the Agency.
Monitoring the transfer of information from the secure network to the public network ensures IT malfunctions are dealt with in a timely manner.
The IT infrastructure that is used to prepare and package OR materials is under the responsibility of Shared Services Canada. At the same time, Statistics Canada staff are responsible for ensuring that the OR materials (the Daily) are disseminated at the OR time of 8:30 am EST (Eastern Standard Time). Because the IT infrastructure is no longer under Statistics Canada control, staff from Administrative and Dissemination Systems Division (ADSD) monitor the release process on each release day beginning at 7:00 am until OR at 8:30 am.
The IT environment is complex, given that there are several servers and the movement of information is time-sensitive. Additionally, some servers move information in and out of the protected zone into the Public Access Zone, which is where information becomes available to the public at the OR time of 8:30 a.m.
ADSD staff has developed a series of protocols and automated notifications at each movement of data to ensure that staff is made aware of any malfunctions in the process and to advise them of where the malfunction took place. The protocol also notes at each step what manual intervention must be activated in the event of an IT malfunction. These protocols are evergreen and are updated when there are changes to the IT infrastructure.
ADSD maintains a schedule of employees who are responsible for ensuring that adequate monitoring always takes place. Additionally, the chief responsible for monitoring the movement of information noted that there are always two individuals on site. It was noted that this is an important control: should a malfunction occur, one individual can focus on initiating the manual controls and the other employee can ensure the communication of the issue with management, subject matter and Shared Services staff.
The audit observed the monitoring of the transfer of information and found that the process is followed as outlined in the protocol, that the automated notifications are generated as described, and that the ADSD monitor validates that the correct information has been transferred, which is an effective method of mitigating the risk of an IT malfunction.
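The control described in this section combines three things: a notification at every movement of data, a validation that the correct package arrived, and a pre-assigned manual intervention for whichever step failed. The following is an added example, not code from the audit report or from ADSD, that models that chain of zones: it emits a notification per hop, validates each hop by SHA-256 against the source package, and on a failure reports the hop and the manual action to invoke. The zone names, the fallback table and the fault injection are constructed for illustration.

```python
"""Monitored release transfer with per-hop integrity validation (added example).

Models a release package moving protected zone -> staging -> public access zone.
Every hop produces a notification; a hash mismatch stops the chain and names the
manual fallback assigned to that hop.
"""
import hashlib
from typing import Optional

# Constructed chain of zones, in the order the package moves through them.
ZONES = ["protected_zone", "staging_server", "public_access_zone"]

# Constructed manual interventions, one per receiving hop (hypothetical).
MANUAL_ACTION = {
    "staging_server": "re-run the export from the protected zone and re-verify",
    "public_access_zone": "publish the verified package by the manual procedure",
}


def digest(data: bytes) -> str:
    """SHA-256 of the package; the monitor compares this at every hop."""
    return hashlib.sha256(data).hexdigest()


def copy_hop(package: bytes, dest: str, fault_at: Optional[str]) -> bytes:
    """Simulated transfer into `dest`; a fault at this hop yields a truncated file."""
    if fault_at == dest:
        return package[: len(package) // 2]
    return package


def run_release(package: bytes, fault_at: Optional[str] = None) -> dict:
    """Move `package` through ZONES, validating each hop against the source hash.

    Returns the notification for each hop, whether the package reached the public
    zone intact, and if not, which hop failed and the manual action for it.
    """
    expected = digest(package)
    notifications = []
    current = package
    for dest in ZONES[1:]:
        current = copy_hop(current, dest, fault_at)
        ok = digest(current) == expected
        notifications.append({"hop": dest, "verified": ok})
        if not ok:
            return {
                "released": False,
                "failed_hop": dest,
                "manual_action": MANUAL_ACTION[dest],
                "notifications": notifications,
            }
    return {
        "released": True,
        "failed_hop": None,
        "manual_action": None,
        "notifications": notifications,
    }


if __name__ == "__main__":
    sample = b"The Daily, constructed sample release package\n"
    print(run_release(sample))
    print(run_release(sample, fault_at="public_access_zone"))
```

Comparing against the hash taken in the protected zone, rather than simply checking that a file of the right name exists at the destination, is what lets the monitor tell a truncated or stale package from a correct one before 8:30 am.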
Contracting practices for the procurement of translation services require strengthening.
All official release materials are disseminated in both official languages. Statistics Canada outsources translation services to professional translators. Government of Canada security and contracting policies require several security measures when protected information is accessed by external parties. These include ensuring that the individuals accessing protected information have the appropriate security clearance and that the facility and document safeguarding capabilities correspond to the level of security of the information received. As part of the procurement process, departments send Security Requirement Checklists (SRCLs) to Public Works and Government Services Canada (PWGSC) for confirmation. SRCLs outline the classification of the information to be handled and PWGSC confirms whether the proposed contractor holds the appropriate security clearances commensurate with the level of security of the information to be accessed. PWGSC also conducts the document and facility security inspections of facilities that will be handling Government of Canada protected information. Additionally, the Government of Canada Policy on Contracting notes that, "the government security policy is to be applied equally to procurement contracts as it is to internal operations."
The audit examined translation contracts to determine if the appropriate security requirements were included and that the contractors had the appropriate security clearances in place. Testing found 28% of translation contracts sampled (10 of 36) did not include security requirements. Given this, no protected or secret information should be sent out for translation under these contracts. The audit noted that in 66% (6 of 9) of sub-sampled contracts that did not contain security requirements, protected information had been provided to contractors who did not have the appropriate facility and document safeguarding or, in some cases, a personal security clearance.
Project authorities are responsible for establishing terms and conditions within contracts, including SRCLs when applicable. Interviews with the contracting authority and departmental security noted that they do not provide a challenge function to project authorities on the necessity of including security requirements in contracts.
The audit found several other contracting weaknesses and inconsistencies. Certain, but not all, translation contracts require that individuals having access to protected information sign an acknowledgement of values and ethics and the Oath of Secrecy. There was no evidence of any of these in any of the contracts sampled. For some translation contracts, the project authority noted that contractors must sign a "security statement" in lieu of having security clearances. The "security statement" document was developed internally at Statistics Canada, with the collaboration of departmental security, as a means to compensate for the absence of security requirements in certain contracts. There was no evidence of any of these in any of the contracts sampled.
The audit found significant control weaknesses for the procurement of translation services and identified several instances of non-compliance, which considerably increases the risk to the confidentiality of sensitive statistical information.
Recommendations:
It is recommended that the Assistant Chief Statistician of Census, Operations and Communications ensures that:
- Prior to release, subject matter divisions and media relations staff verify that media contacts listed for Official Release have been provided with Media Training and are aware of their roles and responsibilities under the Policy on Media Relations: Spokespersons and Response to the Media.
- Contracts issued for the procurement of translation services include security requirements commensurate with the level of security of the information that will be accessed by contractors.
Management response:
Management agrees with the recommendations.
- The Director General, Communications, in collaboration with Directors of subject-matter divisions will ensure that all spokespersons take formal media training prior to speaking to media. This is accomplished with:
- Quarterly emails to directors by the Director General, Communications, with follow-ups as required;
- Media training sessions provided by Communications Division throughout the year;
- Support for mandatory training confirmed by the Learning and Development Committee.
Deliverables and Timeline: All spokespersons have taken formal media training prior to speaking to media by July 2015.
- Management agrees with the recommendation and acknowledges that the security clearance of some of its translation service providers was issued by departmental security and not by PWGSC as it should have been. Although this was a lapse in procedures, the audit did not identify any specific case where the information that had been sent for translation was used inappropriately.
Upon being informed of the situation, two mechanisms were established to remedy the situation:
- Protected B documents are sent to suppliers who have the required security clearance;
- Within Communications Division, a process to confirm the security clearance of service providers has been established.
Deliverables and Timeline: Mechanisms to ensure translation service providers have the required security clearances were implemented on December 5th, 2014, and RFPs to select suppliers for 2015-16 will include the proper security requirements by April 2015.
It is recommended that the Assistant Chief Statistician of Corporate Services (and CFO) ensure that:
- Access privileges to shared folders containing protected information are regularly updated to ensure only those with a need-to-know requirement can access information.
Management response:
- Management agrees with the recommendation.
A reminder stressing the importance and necessity to review and update access privileges to shared folders containing protected information will be circulated by the Chief Information Officer (CIO) to all executives. Options to automate the management of access privileges will also be explored.
Deliverables and Timeline: A generic reminder will be circulated by the CIO annually, effective immediately. A working group, in conjunction with the Administrative Processes Review and Automation (APRA) project, will be set up to explore options to automate the management of access privileges. A recommendation will be presented to the Information Management Committee by September 2015.
Appendices
Appendix A: Audit criteria
Control Objective / Core Controls / Criteria | Sub-Criteria | Policy Instrument |
---|---|---|
1) Statistics Canada has appropriate governance structures and risk management framework in support of the Official Release (OR). | | |
1.1 Roles, responsibilities and accountabilities for official release (OR) are clear, communicated and understood. (AC-1) | Roles, responsibilities and accountabilities for staff in charge of Official Release are formally defined and clearly communicated. Roles, responsibilities and accountabilities for subject matter divisions and for federal officials (outside of Statistics Canada) that have advance access to statistical releases are formally defined and clearly communicated. | TBS Audit Criteria related to the Management Accountability Framework; Policy on Official Release |
1.2 Appropriate and effective oversight bodies have been established and their roles and responsibilities have been formalized, as it pertains to the internal and external environments of the OR process. (G-1, G-3, G-4, G-5 & G-6) | Oversight bodies have clearly defined mandates and they request and receive sufficient, complete, timely and accurate information to govern the official release of datasets, analytical and information products. | TBS Audit Criteria related to the Management Accountability Framework; Policy on Official Release; Directive on the Transmission of Protected Information |
1.3 An effective risk management framework exists surrounding the security of OR datasets, analytical and information products, and adequate strategies have been developed. | Management identifies and periodically assesses the risks that may preclude the achievement of the OR objectives. Employees are aware of values and ethics directives, understand who and where to go to in the event of witnessing wrongdoing, and feel free to do so. | TBS Audit Criteria related to the Management Accountability Framework; Policy on Official Release; Values and Ethics Code for the Public Service |
1.4 External parties receiving AR information formally acknowledge their understanding and acceptance of their accountability. (AC-2) | A system is in place for external partners to formally acknowledge their understanding and acceptance of the accountabilities related to the OR process. Arrangements for the AR of datasets, analytical and information products to partner and/or outside organizations are regularly and formally monitored for their applicability and validity. | TBS Audit Criteria related to the Management Accountability Framework; Policy on Official Release; Directive on Data Sharing under Sections 11 and 12 |
2) Appropriate control mechanisms have been established and are consistently applied to ensure that the AR of the Agency products is compliant with the Agency's Policy on Official Release and other applicable Statistics Canada policies and directives. | | |
2.1 AR data are protected and released according to established criteria within the Policy on Official Release. (ST-9) | Access to assets, records and information utilized when disseminating information in advance of the release is limited to authorized individuals. Access is restricted such that assets are secured and confidential information is provided only on a 'need-to-know' basis. | TBS Audit Criteria related to the Management Accountability Framework: A Tool for Internal Auditors; Policy on Official Release; Directive on the Security of Sensitive Statistical Information |
2.2 Appropriate system application and physical security controls surrounding confidential statistical information exist, as it is communicated to and/or transmitted electronically to, within and outside Statistics Canada according to approved standards and methods. (ST-11) | Logical access controls exist to ensure access to systems, data and programs is restricted to authorized users (i.e. especially as it applies to the Media Lock-Up Room). The method of providing AR information to external organizations meets the security requirements for transmission of sensitive statistical information to ensure that only the intended recipient sees the information. | TBS Audit Criteria related to the Management Accountability Framework; Directive on the Security of Sensitive Statistical Information; Directive on the Transmission of Protected Information |
2.3 Records and information of sensitive statistical products are safeguarded, using information systems that are maintained in accordance with applicable policies and directives. (ST-12) | IT controls for the OR process include manual controls that can be initiated in the event of an IT malfunction, and their operating effectiveness is periodically tested. In the event of an IT malfunction, responsibility for monitoring the management of information is clearly assigned to key stakeholders involved in the AR process. Third party contracts have requirements in place that ensure the protection of sensitive statistical information. | TBS Audit Criteria related to the Management Accountability Framework; Policy on Official Release; Directive on the Security of Sensitive Statistical Information; Directive on the Transmission of Protected Information; Policy on Government Security; GOC Policy on Contracting; STC Policy on Official Languages |
2.4 The Agency provides employees who are appointed as media spokespersons for their respective divisions with the necessary media training, tools, resources and information to support the discharge of their responsibilities. (PPL-4) | A suitable training and development plan exists for the handling and management of the Media. | TBS Audit Criteria related to the Management Accountability Framework; Policy on Official Release; Policy on Media Relations: Spokespersons and Response to the Media |
Appendix B: Acronyms
Acronym | Description |
---|---|
AoC | Acknowledgement of Confidentiality |
ADSD | Administrative and Dissemination Systems Division |
AR | Advance Release |
CS | Chief Statistician |
DAC | Departmental Audit Committee |
EFT | Electronic File Transfer |
EFT-DGC | Electronic File Transfer – Dissemination Governance Committee |
EST | Eastern Standard Time |
ICN | Internal Communications Network |
IIA | Institute of Internal Auditors |
IT | Information Technology |
LFS | Labour Force Survey |
MACS | Materiel and Contract Services |
MRTS | Monthly Retail and Trade Survey |
OR | Official Release |
PWGSC | Public Works and Government Services Canada |
SMD | Subject Matter Division |
SRCL | Security Requirement Checklist |
STC | Statistics Canada |
TBS | Treasury Board Secretariat |
Note:
Footnote 1: For this list, Common Governance has been separated out of advance release for information purposes as the approval process and forms differ from all other advance release requests under this condition.