Findings by the Auditor General of Canada on: Information Technology Security in the Federal Government 6th Privacy & Security Workshop Toronto, November 3, 2005 Richard Brisebois


Page 1: Findings by the Auditor General of Canada on: Information Technology Security in the Federal Government

6th Privacy & Security Workshop
Toronto, November 3, 2005
Richard Brisebois

Page 2: Objective

• To provide you with an insider's perspective on the IT security report tabled in Parliament on February 15, 2005
• To provide you with an update on what has occurred since the tabling of the report

Page 3: Agenda

• Background/personal notes
• Findings of the 2002 report
• Main points
• Message from the AG
• Press/media reaction
• Events since February 2005
• Questions

Page 4: Background/personal notes

1) This report is a follow-up on our 2002 report
2) Not a horror story
3) Original plan was not to do an IT security 101 audit
4) Audit approach

Page 5: Findings of the 2002 report

1. 2002 revised GSP was an improvement
2. Updated the roles and responsibilities of TBS and 10 lead entities
3. Operational standards did not exist or were outdated
4. Little baseline information on the state of IT security across government

Page 6: Main point (1)

Despite encouraging signs of improvement:

– « The government has made unsatisfactory progress »

Page 7: « The government has made unsatisfactory progress »

• GSP, MITS and other standards are a good foundation.
• There are a number of standards that remain to be developed.
• IT security lead agencies are cooperating well and consult regularly on security matters.
• More and more internal audits and VA's are being done since 2002, but « UNSATISFACTORY PROGRESS » is based on:
  – TBS & OAG survey identified a general lack of compliance with GSP and MITS
  – Most VA's reviewed identified several significant (HIGH) level vulnerabilities

Page 8: ITS Self-Assessment Results - 2004

• Of the 46 departments that completed responses, 1 met Maturity Level 1 and 2 requirements and 0 met only Level 1. A guesstimate would suggest that approximately 25% of the 45 who did not achieve at least Level 1 have a substantial amount of work in progress towards achieving at least Level 1.
• Of the 45 departments that did not achieve at least Level 1, 22 were identified as having some classified information, 13 with some Protected C information and 28 with some Protected B information. Several departments indicated that 100% of their information has no designation or classification.

Page 9: Main point (2)

Senior management is often not aware of IT security risks

Page 10: Senior management is often not aware of IT security risks

• 55% of departments surveyed had not completed a TRA of their systems.
• 44% of departments had not performed VA's.
• 55% had not done an audit of their ITS.
• You cannot fix what you do not know.
• OAG message goes mainly to senior management: they have to be made aware of the risks and then decide if they want to spend the resources to address them.
• Each department will be required to prepare an action plan, to be approved by the Deputy Head, and TBS will follow up.
• Cannot wait for a major disaster to occur to think of IT security.

Page 11: Main point (3)

TBS has not completely fulfilled its oversight role

Page 12: TBS has not completely fulfilled its oversight role

• TBS has received only 10 of the 37 internal reports dealing with ITS.
• TBS has no formal process to obtain these internal ITS reports or to analyse their security findings.
• TBS has not yet prepared the mid-term GSP report, which was due in the summer of 2004.

Page 13: Message from the AG

• Overall, she was disappointed with the lack of progress.
• Purpose is not to point fingers and issue stern rebukes.
• She recognizes the difficulty and complexity of the task.
• Personally, she will continue to use online services.

Page 14: Press/media reaction

1. We spend a lot of effort ensuring accurate coverage
2. Significant coverage
3. Except for titles, reporting was generally accurate
4. Constant attempts to find details
5. There is a continuing interest in the chapter

Page 15: Examples of Newspaper titles

• Security lapses open public data to hackers
• Security gaps in federal computers leave personal data vulnerable
• FEDS 'VULNERABLE' TO CYBER-ATTACKS: AG
• FEDS' COMPUTER SYSTEM IN PERIL
• FEDS ARE TARGET OF HACKERS
• Hacker heaven
• LAX COMPUTER SECURITY NO SURPRISE: HACKER
• Government not protecting data

Page 16: Events since February 2005

1. Public Accounts Committee (March 23, 2005)
2. Letter to Deputy Ministers on MITS Action Plans (May 11, 2005)
3. MITS Action Plans submitted to TBS (Aug 26, 2005)
4. Response from the Government to PAC (Sept 21, 2005)
5. TBS action plan to PAC (Sept 30, 2005)

Page 17: Conclusion

• It is disappointing that the government does not meet its own minimum standards for IT security, even though they have been known for over a decade.
• Government systems and the sensitive data they hold are vulnerable to security breaches.
• As more and more government services are offered online, individuals and businesses need to have confidence that the information they share will be protected.

Page 18: Questions?

Richard Brisebois
Principal, IT Audit Services
Office of the Auditor General of Canada
Tel: (613) 952-0213 ext. 2235
Fax: (613) 957-9736
[email protected]
Sparks Street
Ottawa, Ontario, Canada K1A 0G6
www.oag-bvg.gc.ca