PACP Committee Report
If you have any questions or comments regarding the accessibility of this publication, please contact us at accessible@parl.gc.ca.
GOVERNMENT RESPONSE TO THE FOURTEENTH REPORT OF THE STANDING COMMITTEE ON PUBLIC ACCOUNTS
INFORMATION TECHNOLOGY SECURITY
RECOMMENDATION 1
RECOMMENDATION 2
RECOMMENDATION 3
RECOMMENDATION 4
RECOMMENDATION 5
RECOMMENDATION 6
RECOMMENDATION 7
RECOMMENDATION 8
RECOMMENDATIONS 9 AND 10
RECOMMENDATION 11
RECOMMENDATION 12
APPENDIX: IT SECURITY ACTION PLAN
INTRODUCTION
The government welcomes the Committee's Report, shares its concerns and agrees with its objectives. In several areas the government has suggested alternative courses of action or timelines to realize the objectives of the Committee's recommendations. This approach will strengthen the posture of IT security in federal departments and agencies and in turn the security, reliability and safety of government services for Canadians.
The Government Security Policy prescribes measures to safeguard information systems, and supports the objectives of the National Security Policy and the government's initiatives in service delivery. As part of the Government Security Policy, the standard for Management of Information Technology Security (MITS) defines the mandatory security requirements that departments and agencies must fulfill to ensure the security of Information and Information Technology (IT) assets under their control.
RECOMMENDATION 1
That Treasury Board Secretariat accelerate the timetable for the development and implementation of all remaining IT security standards with the goal of having them completed well in advance of the December 2006 deadline it has established.
The Treasury Board Secretariat is committed to completing all Operational Security Standards listed in the 2005 Office of the Auditor General report. The highest priority standards will be completed by December 2005. All remaining standards will be completed by July 2006.
To date, the Secretariat has completed the following operational security standards: Administrative Procedures for the Security of Information Act, Business Continuity Planning, Management of Information Technology Security, Physical Security, and Readiness Levels for Federal Government Facilities. There are several standards that are near completion: Security in Contracting, Identification and Categorization of Assets, and Training and Awareness. The Secretariat will make it a priority to complete the Security Risk Management standard and the Security Program standard by December 2005 in response to the recommendations of the Office of the Auditor General and the Committee. Of the remaining standards initial drafts have been completed for Investigations and Sanctions, Security Screening, Incident Management, and Intrusion Detection, while drafting of Sharing of Information and Protection of Employees has not yet started. In addition, interim guidance and consultation draft standards will be provided to departments to ensure that guidance is available at the earliest possible opportunity.
Technical and operational guidance will continuously be developed to meet the needs of the current dynamic risk environment. As part of this activity the Secretariat will establish a committee to examine areas where new IT security standards are needed. The consolidated standards and technical documentation plan will be made available to departments and updated regularly. In addition, the Treasury Board Secretariat and lead security agencies continuously monitor other national and international standards activities, and adopt or adapt these standards as appropriate.
RECOMMENDATION 2
That beginning in September 2005 Treasury Board Secretariat submit semi-annual status reports to the Standing Committee on Public Accounts on the development and implementation of remaining IT security standards.
The Treasury Board Secretariat will submit a status report to the Committee in September 2005 as part of the detailed action plan to implement the recommendations made by the Auditor General of Canada. The Secretariat will regularly review and update the status of the standards development plan and, if any significant delays are foreseen, will report such delays and the reasons for them to the Committee.
RECOMMENDATION 3
That Treasury Board Secretariat submit a detailed action plan to the Standing Committee on Public Accounts specifying the measures it will take to implement the recommendations made by the Auditor General of Canada. The action plan must include target implementation dates and must be provided to the Standing Committee on Public Accounts no later than 30 September 2005.
A detailed action plan will be submitted directly to the Committee before the end of September 2005.
RECOMMENDATION 4
That Treasury Board Secretariat adhere to the requirements of the Government Security Policy as stated in Appendix A of the Policy, paying close attention to its duty to provide “advice and assistance on security” and to monitor “the implementation of the [P]olicy and the state of security in the Government of Canada.”
The Treasury Board Secretariat is taking an active role in advising and assisting departments and agencies with the implementation of the security policy.
The Treasury Board Secretariat has conducted six interdepartmental workshops to assist departments with their Management of IT Security (MITS) standard implementation. The Secretariat will continue these workshops throughout MITS implementation.
The Treasury Board Secretariat established an interactive web-based collaboration forum for IT Security Coordinators and other IT Security Practitioners to share information and best practices, discuss current developments and matters of mutual interest, identify issues and concerns, and ask questions. The forum currently has over 140 members.
The Treasury Board Secretariat has also inaugurated an annual Security Awareness Week for all federal departments and agencies. In preparation for this, the Secretariat holds an annual Government Security Policy Day for Government of Canada security professionals. In 2005 over 600 security practitioners participated.
Lead security agencies provide briefings, including regular threat updates, for Departmental Security Officers five times a year.
Monitoring and oversight of IT Security is a high priority for the Treasury Board Secretariat. The Secretariat is currently implementing and developing additional measures to enhance performance measurement, monitoring and oversight of the policy's implementation and “government's state of IT security”. This will address the basis for the Office of the Auditor General and Committee's recommendations on monitoring and oversight.
The first step in the development of the IT security monitoring and oversight program is to establish an integrated performance measurement framework for IT security. This framework will be based on the expected results and outcomes to protect services to Canadians, and safeguard government information and operations in support of service delivery. Key performance indicators will be established that are not based exclusively on compliance, but also consider effectiveness. The performance measurement framework will also take into account best practices and the extensive literature available in this area across the government as well as from standards bodies, the private sector, and other governments.
Once the performance measurement framework is in place, the Treasury Board Secretariat will design a monitoring and oversight process and document it in the new Security Program Standard. It will include requirements for departments to develop an annual schedule of their planned IT security monitoring activities and for the Secretariat to monitor implementation. The standard will identify the required performance reporting processes to ensure senior management at all levels of government has the information they need to manage security. This will include annual reporting to the Chief Information Officer and the Secretary of the Treasury Board on the implementation of the Government Security Policy and the state of IT security in the government.
The Secretariat will also develop any required tools to support performance measurement and reporting. This could include self-assessments, databases, and executive reporting structures. Lead security agencies will take an active role to support oversight and monitoring by conducting horizontal analyses of Business Continuity Plans, vulnerabilities and incidents. The Treasury Board Secretariat will also consider horizontal audits of IT Security as part of the monitoring regime.
IT security performance measurement and monitoring will be consistent with existing processes and will reuse information already available or provided by departments. The Secretariat will incorporate IT security into existing frameworks as appropriate, including the Management Accountability Framework (MAF). The Secretariat will take action to ensure that departmental IT security performance assessments are included in future MAF assessments. MAF assessments will be refined once the performance measurement framework for IT security is established.
Implementation of the monitoring program will be coordinated with MITS implementation. In late 2005, The Chief Information Officer will provide a status report to the Secretary of the Treasury Board based on MITS action plans, which will provide a better indication of the state of IT security. To follow up on MITS implementation after December 2006, a more comprehensive measurement and monitoring process will be in place and will be used to provide a detailed report to the Secretary of the Treasury Board in early 2007. Compliance with the MITS standard will provide a common baseline on which we will continue to build and improve IT security. A sustainable, on-going program for IT security performance management will be used on an annual basis.
RECOMMENDATION 5
That the Treasury Board Secretariat provide, in its annual departmental performance reports, information on its monitoring activities with respect to its obligations as set forth in Appendix A of the Government Security Policy. Reference must be made to the frequency and scope of monitoring, the results, and corrective measures taken. This reporting should begin with the report for the period ended 31 March 2005.
The Secretariat will include monitoring activities in its annual departmental performance reports beginning with the period ending 31 March 2006. This report will reflect the results of monitoring of MITS implementation in the summer and fall of 2005, and progress towards implementation of a comprehensive IT Security performance measurement, monitoring and oversight program.
RECOMMENDATION 6
That the Government of Canada review the adequacy of resources and authorities available to the Office of the Chief Information Officer to lead government-wide IT security efforts, explore the option of consolidating resources and authorities to take full responsibility for government-wide IT security in the hands of a single entity, and report the results to the Standing Committee on Public Accounts no later than 31 December 2005.
The Auditor General noted that inter-agency cooperation and coordination has improved. The Treasury Board Secretariat, in cooperation with the lead security agencies, is continuing to strengthen IT security governance.
The government believes that it is premature at this time to consider organizational changes related to the roles and responsibilities of lead security agencies. It is the government's view that organizational changes should not be the first step in improving the government-wide IT Security program. In conjunction with activities such as MITS implementation and the transition to common infrastructure and services, the Treasury Board Secretariat will conduct a comprehensive analysis to identify the scope and adequacy of the government-wide IT Security program. Deputy Ministers must submit their MITS Action Plans to the Secretariat by 26 August 2005. The Secretariat will conduct a detailed analysis of these plans and will determine if any changes to the IT Security program are required to achieve the objectives of MITS. The results of these analyses will be reported to the Secretary of the Treasury Board. In addition, the Secretariat will conduct an in-depth analysis of the security implications of implementing government-wide enterprise solutions to consolidate IM/IT infrastructure and services (for example, intrusion detection services offered by the Secure Channel).
Once the underlying issues are better understood, the Treasury Board Secretariat, in consultation with departments and lead security agencies, will review resource requirements and examine how to best coordinate and align IT security activities in the government.
RECOMMENDATION 7
That Treasury Board Secretariat identify the reasons for turnover in the position of Chief Information Officer, analyze the results, and report its findings, along with an action plan listing the steps it will take to extend the tenure of this officer to a minimum five-year term, to the Standing Committee on Public Accounts no later than 31 December 2005.
Since the creation of the Chief Information Officer (CIO) branch in 1997 there have been three confirmed CIOs. The last confirmed Chief Information Officer held the position for three years and nine months. This is longer than the tenure of most other senior Assistant Deputy Minister level positions across government.
RECOMMENDATION 8
That Treasury Board Secretariat develop and implement a plan for an awareness of the importance of IT security among senior departmental managers, with an emphasis on deputy ministers, and provide the Standing Committee on Public Accounts with a copy of this plan no later than 30 September 2005.
The Treasury Board Secretariat has already taken steps to increase senior management awareness of IT security. Some of these include:
- Integrated security and privacy measures have already been introduced as a measure for Information and IT Management in the Management Accountability Framework.
- In May 2005 the Secretary of the Treasury Board Secretariat notified deputy heads that they must sign and submit departmental MITS implementation plans to the Secretariat by August 2005. This will significantly improve awareness of IT Security issues at the deputy minister level.
- The Cyber Protection Forum was held in 2005 to foster collaboration with those involved in setting government direction, formulating policies and administering programs. Delegates included executives, Chief Information Officers, Directors, Business and IT investment decision makers, and Senior Program Managers.
- The Communications Security Establishment provides security-training modules for courses provided the Canada School of Public Service. One aim is to expand upon this to include some security training as part of management courses.
In addition, departments will be required to report annually to their deputy ministers on the state of security and to submit these reports to the Treasury Board Secretariat. This will bring IT security issues to the attention of deputy ministers on an ongoing basis.
A full report on awareness will be included in the action plan to be provided to the Committee in September 2005.
RECOMMENDATION 9
That a mandatory direct reporting relationship be established for departmental security officers and departmental IT security coordinators to their deputy ministers.
RECOMMENDATION 10
That departmental security officers be positioned at a strategic level within departments and agencies so that they can have meaningful influence over department-wide IT security strategies and input into budgeting decisions affecting security.
The Government Security Policy already recommends that Departmental Security Officers be “strategically positioned within the organization so as to provide department-wide strategic advice and guidance to senior management”. The Treasury Board Secretariat will review internal audit reports on security to see how departments are implementing this requirement.
As part of its standards program the Treasury Board Secretariat will develop a Security Program Standard that will provide guidance on departmental organization and governance to ensure that Departmental Security Officers and IT Security Coordinators have the required access to the DM and departmental executives. This will include responding to significant incidents or security issues that require DM attention (e.g. denial of security clearance) as well as reporting on departmental security risks and state of security.
The Security Risk Management Standard will include a requirement that departments identify and assess their key security risks and challenges and determine the appropriate level of risk to accept as part of their Corporate Risk profile. Senior management must approve the security risk profile.
RECOMMENDATION 11
That departments and agencies be required to develop BCPs (Business Continuity Planning) on a priority basis and to test these plans at least every two years, with the results to be communicated to the Office of the CIO at TBS.
Under the National Security Policy, Public Safety and Emergency Preparedness Canada (PSEPC) is the department responsible for "strengthening the testing, and auditing of key capabilities and conducting assessments of other departments. This will include a review of the plans of federal departments to ensure they are able to continue operating during emergencies." In this role, Public Safety and Emergency Preparedness Canada is developing a comprehensive quality assurance program including monitoring, testing and auditing of Business Continuity Plans. Departments will report the results of their Business Continuity Plans testing and audit activities to Public Safety and Emergency Preparedness Canada. PSEPC in turn will report annually to the Treasury Board Secretariat on the results of the Business Continuity Planning monitoring and testing to provide valuable input into the overall state of government security.
The Treasury Board Secretariat and Public Safety and Emergency Preparedness Canada have placed a priority on completion of Business Continuity Plans. The requirement for departments to develop Business Continuity Plans is set out in the operational standard on Business Continuity Planning published by the Secretariat in April 2004. To facilitate implementation of the standard the Treasury Board Secretariat, in collaboration with Public Safety and Emergency Preparedness Canada and the Canada School of Public Service, developed a Business Continuity Plan training course available across Canada. In addition, Public Safety and Emergency Preparedness Canada is sending a Quick Scan questionnaire to departments to check compliance with the Business Continuity Plans standard in fall 2005.
Operational Standard includes a requirement for the regular testing and validation of all plans. The government agrees in principle with the requirement for testing plans every two years. In consultation with departments, Public Safety and Emergency Preparedness Canada will determine appropriate tests for the proposed two-year cycle. Within the context of its Business Continuity Planning quality assurance program, PSEPC will evaluate the adequacy of departments' testing programs.
RECOMMENDATION 12
That the Office of the Chief Information Officer conduct a government-wide review to ascertain the total level of human, technological, and financial resources that are being devoted in fiscal year 2005-06 to IT security in departments and agencies, that it analyze the results to determine whether they are appropriate, and that it report the results to Parliament by 30 April 2006.
The Secretariat fully agrees with the need for a review of IT Security expenditures. The Secretariat is planning to develop a picture of IT security expenditures and a framework for a comprehensive approach to manage IT security investments; however this is extremely difficult to achieve and we will not be able to complete this by April 2006 due to the complexity of this work.
The Treasury Board Secretariat has already started collecting information on IT security spending. The Information Technology Service Review conducted in 2004/2005 captured IT security spending from 48 departments and agencies that represent 94% of the total IM/IT investment for the government for the year 2003/2004. While this information was invaluable it did not present a complete picture of all IT security spending because a significant portion is embedded in various departmental programs. The results of the Expenditure Review did indicate that efficiencies could be gained through common IT services and infrastructure. This conclusion also applies to IT security, and options for common IT security services will be further explored as part of the development of government-wide enterprise solutions.
Obtaining such a picture is extremely difficult because there is no universally accepted definition of IT security or method to define and track costs. Additionally, IT security costs are often imbedded in many program areas. For example, security safeguards are imbedded in almost every IT component including software licences, desktops, applications, and networks. Fixed price competitive contracts also may not provide the kind of detailed price breakdown needed capture all security costs. In other cases it is not even clear which elements to include as security expenditures. In addition, there are many variables associated with determining the appropriate level of IT security spending. For example, spending must be commensurate with departments' corporate risk profiles, which vary significantly across government. Therefore IT security spending must be considered within the context of the overall IT security performance measurement framework.
This problem is not unique to government. Information on security spending is uncertain and often unreliable in the private sector for reasons similar to those described above.
The Treasury Board Secretariat will continue to assess approaches to solve this problem with the aim of clarifying and benchmarking government IT security expenditures. Business cases will be identified for development and implementation of common security services as a means to improve efficiencies. Analysis of availability of adequate resources and the appropriate level of investment will be an important factor in the review of MITS implementation plans and, subsequently, MITS compliance by December 2006. The results of this analysis will be reflected in MITS compliance reports to be provided to the Secretary of the Treasury Board in late 2005 and early 2007.
APPENDIX: IT SECURITY ACTION PLAN
INTRODUCTION
On 21 September 2005 the government tabled its response to the Fourteenth Report of the Standing Committee on Public Accounts (PACP) entitled Chapter 1, Information Technology Security of the February 2005 Report of the Auditor General of Canada.
As detailed in the government response, the Treasury Board Secretariat committed to submit detailed action plans directly to the committee by 30 September 2005. This action plan specifically addresses the response to PACP recommendations 3 (OAG recommendations 1.22, 1.38, 1.39, 1.46, 1.71, 1.74, 1.75) and 8. It draws upon and elaborates the government response.
ACTION PLAN TO IMPLEMENT THE RECOMMENDATIONS OF THE AUDITOR GENERAL OF CANADA
PACP RECOMMENDATION 3
That Treasury Board Secretariat submit a detailed action plan to the Standing Committee on Public Accounts specifying the measures it will take to implement the recommendations made by the Auditor General of Canada. The action plan must include target implementation dates and must be provided to the Standing Committee on Public Accounts no later than 30 September 2005.
OAG RECOMMENDATION 1.28
The Treasury Board Secretariat should complete all the security standards that support the Government Security Policy and the MITS standard. More specifically, it should
- Prioritize the IT security standards that have been identified but not developed,
- Prepare an action plan with timelines for each standard, and
- Continuously identify new IT security areas where standards are needed.
As described in the government response, Treasury Board Secretariat is accelerating the standards plan. The following table details the status and schedule.
| STANDARD | STATUS | COMPLETION DATE |
|---|---|---|
| Readiness Levels for Federal Government Facilities | Published. (Note: Unclassified version is posted on web site; a classified version exists for personnel cleared to Secret.) |
October 2002 |
| Administrative Procedures for the Security of Information Act | Published. This standard is currently under review in accordance with s.8 in the standard, which prescribes a review by TBS in consultation with departments, two years after publication. |
March 2003 |
| Business Continuity Planning | Published. | April 2004 |
| Management of Information Technology Security | Published. | May 2004 |
| Physical Security | Published. | November 2004 |
| Security Risk Management | First draft completed. Interdepartmental consultation to begin in September 2005. |
December 2005 |
| Security Program | First draft is underway. | December 2005 |
| Security in Contracting | First draft completed. Interdepartmental consultation to begin in September 2005. |
December 2005 |
| Security Training and Awareness | First draft completed. Interdepartmental consultation to begin in September 2005. |
December 2005 |
| Identification of Assets | First draft completed. Interdepartmental consultation to begin in September 2005. |
December 2005 |
| Cyber Security Incident Management | First draft completed. Interim guidelines available October 2005. Interdepartmental consultation to begin in January 2005. |
March 2006 |
| Protection of Employees | First draft is underway. | March 2006 |
| Security Screening | First draft completed and legal consultation in progress. Interdepartmental consultation to begin in September 2005. |
March 2006 |
| Sharing of Information | This is still to be drafted. | July 2006 |
| Investigations and Sanctions | First draft is underway. To be published July 2006. |
July 2006 |
| Intrusion Detection | Interim guidelines published April 2004. First draft completed and legal consultation underway. |
July 2006 |
OAG RECOMMENDATION 1.38 AND 1.39
The departments and agencies, subject to the Government Security Policy, should prepare an action plan indicating when they intend to fully comply with the IT security requirements of the Policy and with the Management of Information Technology Security standard. The IT security action plan should be approved by the deputy head or designate and reported to the Treasury Board Secretariat.
The Treasury Board Secretariat should require all departments and agencies, subject to the Government Security Policy, to prepare timely IT security action plans; follow up on these plans shortly after December 2006; and report to the Secretary of the Treasury Board on the organizations that are not complying.
Treasury Board Secretariat (TBS) continues to work with departments and agencies to realize the Auditor General's recommendations. As of September 15, sixty one percent of departments and agencies [1] submitted their Management of Information Technology Security (MITS) action plans. Nine percent of the departments and agencies fall under unique circumstances and as such as have indicated they will not be filing an individual plan. Twenty percent of departments and agencies will be making late submissions and TBS has followed up with the remaining ten percent to confirm when the plans will be submitted.
TBS is proceeding with the analysis and does not expect any delays in the current timeline below:
| ACTION | TARGET DATE |
|---|---|
| Letter to Deputy Ministers (DM) on MITS Action Plans | 11 May 2005 |
| Consultations with departments | Ongoing |
| Interdepartmental MITS Information Sessions | Bi-monthly |
| MITS Action Plans submitted to TBS | 26 August 2005 |
| Review and Analyze MITS Action Plans | October 2005 |
| Report to Secretary | December 2005 |
| Letter to DMs on MITS status | January 2006 |
| Target date for department to comply with MITS | December 2006 |
| Departmental Reports | January 2007 |
| ITS Audits and Assessments | March 2007 |
| Review and Analyze MITS compliance | April 2007 |
| Report to Secretary on MITS compliance | May 2007 |
| Follow up on non-compliance | As required |
OAG RECOMMENDATION 1.46 AND 1.47
Senior management in departments and agencies should ensure that IT security risks are included in preparing the corporate risk profile, identifying and assessing the key IT security risks and challenges, and determining the level of risk to accept.
The Treasury Board Secretariat should provide departments and agencies with guidance and tools for including IT security as a key component in their corporate risk profile.
The Security Risk Management standard, to be completed December 2005, will direct departments and agencies to identify and assess their key security risks and challenges and determine the appropriate level of risk to accept as part of their corporate risk profile. Senior management will be required to approve the security risk profile and the Secretariat will monitor compliance as part of the monitoring and oversight regime.
In addition, MITS requires program and service delivery managers, on behalf of Deputy Ministers, to ensure an appropriate level of security for their programs and services. Managers must determine the IT Security requirements of their programs and services and accept the associated residual risk. The Secretariat will ensure compliance with these requirements by reviewing MITS action plans in 2005 and compliance reports in 2007.
The Secretariat is providing guidance and tools for departments and agencies to include IT security as a key component in their corporate risk profile through the following initiatives.
- The Treasury Board Secretariat has conducted six interdepartmental workshops to assist departments with their Management of IT Security (MITS) standard implementation. The Secretariat will continue these workshops throughout MITS implementation.
- The Treasury Board Secretariat established an interactive web-based collaboration forum for IT Security Coordinators and other IT Security Practitioners. The forum shares information and best practices, discusses current developments and matters of mutual interest, and identifies issues and concerns on the identification and mitigation of risk. To date, the forum has over 140 members.
- Lead security agencies provide briefings, including regular threat updates, for Departmental Security Officers five times a year to assist departments and agencies with managing risk.
- The Communications Security Establishment and RCMP provide risk management training to educate departments and agencies in identifying and mitigating risk.
- The RCMP and Communications Security Establishment are developing a new unified threat and risk assessment guide and tools to assist departments in identifying and mitigating risk.
- The Communications Security Establishment and Treasury Board Secretariat are sponsoring the development of a procurement tool to assist departments and agencies in accessing the expertise and skills for comprehensive IT Security Risk Management services. This tool, Cyber Protection Supply Arrangement, will include:
- On-site Technical Vulnerability Assessments
- Threat and Risk Assessments
- Certification and Accreditation
- Business Continuity Planning (BCP)
- Disaster Recovery Planning services
| ACTION | TARGET DATE |
|---|---|
| Departmental Security Officers briefings | Bi-monthly |
| MITS briefings to Information Technology Security Coordinators | Bi-monthly |
| Secure IT Security Web Forum | Established June 2004 |
| Communications Security Establishment and RCMP Risk Management Training | Ongoing |
| Security Risk Management Standard | December 2005 |
| Unified Threat and Risk Assessment Guide | March 2006 |
| Cyber Protection Supply Arrangement | May 2006 |
OAG RECOMMENDATION 1.71, 1.74, AND 1.75
Departments and agencies, subject to the Government Security Policy, should provide the Treasury Board Secretariat with an annual schedule of their planned IT security monitoring activities, including self-assessments, vulnerability assessments, and internal audits. They should also provide Treasury Board Secretariat with a copy of the internal audit report within three months of completing it.
The Treasury Board Secretariat should monitor departments to determine whether they are carrying out timely audits and other IT security monitoring activities.
The Treasury Board Secretariat should complete mid-term report on the effectiveness of the Government Security Policy in a timely manner, as required by the Policy.
The Secretariat is developing and implementing an enhanced IT Security monitoring and oversight program that goes beyond the Auditor General's recommendations. It includes the following activities, which are described in detail in the government response:
- The development of an integrated performance measurement framework for IT security, which will establish key performance indicators based on compliance and effectiveness.
- The Security Program standard, to be completed by December 2005, which will require departments and agencies to submit an annual schedule of their planned IT security monitoring activities to the Secretariat. The performance reporting component will ensure senior management at all levels of government has the information they need to manage security.
- The development of tools, such as self-assessments, databases, and executive reporting structures, required to support performance measurement and reporting.
- The conduct of horizontal analyses, oversight and monitoring of Business Continuity Plans, vulnerabilities and incidents will be done in collaboration with lead security departments and agencies.
- IT security will be incorporated into future Management Accountability Framework (MAF) assessments beginning in 2005/2006. The Secretariat will take action to ensure departments and agencies submit their internal audit plans and reports. The Secretariat is considering a horizontal audit of IT security in 2007.
| ACTION | TARGET DATE |
|---|---|
| Mid-term report on effectiveness of the Government Security Policy | Completed |
| IT Security performance measurement framework | November 2005 |
| Oversight and monitoring requirements specified in the Security Program Standard | December 2005 |
| IT Security assessments in Management Accountability Framework | Annual, beginning FY 05/06 |
| Monitoring included TBS Departmental Performance Report | Annual, starting FY 05/06 |
| TBS to review departmental internal audit reports | Ongoing, starting FY 05/06 |
| Departmental IT Security monitoring plans | Annual, starting FY 06/07 |
| Departmental IT security performance reports | Annual, starting FY 06/07 |
| “State of Security” report to Secretary | Annual, starting FY 06/07 |
ACTION PLAN TO IMPROVE SENIOR MANAGEMENT AWARENESS
PACP RECOMMENDATION 8
That Treasury Board Secretariat develop and implement a plan for an awareness of the importance of IT security among senior departmental managers, with an emphasis on deputy ministers, and provide the Standing Committee on Public Accounts with a copy of this plan no later than 30 September 2005.
The Secretariat is taking steps to significantly improve security awareness. As outlined below, part of the awareness program focuses on senior management and deputy ministers.
As an initial step, Deputy Ministers were required to approve departmental MITS Action Plans. This ensured DM involvement in the approval of the departmental approach to planning for MITS compliance by December 2006.
The Security Awareness and Training standard will identify requirements for senior management awareness. The Secretariat will develop an awareness module for senior management and work with the Canada School of Public Service to ensure that these modules are incorporated appropriately in their courses. Further to these efforts, senior management and deputy ministers will be actively involved in oversight and monitoring of IT Security through annual departmental security performance reports which will be rolled up into an annual government-wide “state of security” report to the Secretary of the Treasury Board. In addition the Secretariat will include IT security indicators in the Management Accountability Framework, which sets out the expectations for sound management in the Public Service.
This plan will heighten senior management's involvement and as a result increase understanding, commitment, and oversight of IT Security.
| ACTION | TARGET DATE |
|---|---|
| DM approval of departmental MITS Action Plans | 26 August 2005 |
| IT Security assessments in Management Accountability Framework | Annual, beginning FY 05/06 |
| Departmental IT security performance reports to DMs | Annual, starting FY 06/07 |
| Government-wide “State of Security” report to Secretary of Treasury Board | Annual, starting FY 06/07 |
| Security Awareness and Training Standard | December 2005 |
| GSP and Standards training course by the Canada School of the Public Service | March 2006 |
| Awareness module for senior management to be delivered by departmental security officials | March 2006 |