RCMP findings relating to the Office of the Comptroller General Horizontal Internal Audit of Information Technology (IT) Security

Vetted Report

February, 2016

This report has been reviewed in consideration of the Access to Information and Privacy Acts. The asterisks [***] appear where information has been removed; published information is UNCLASSIFIED.

Table of Contents

Acronyms and Abbreviations

CIO
Chief Information Officer
CSEC
Communications Security Establishment Canada
DG
Director General
DSB
Departmental Security Branch
DSO
Departmental Security Officer
DSP
Departmental Security Plan
IA
Internal Audit
IM/IT PROGRAM
Information Management/Information Technology Program
IT
Information Technology
ITSC
IT Security Coordinator
MAP
Management Action Plan
MITS
Operational Security Standard: Management of IT Security
OCG
Office of the Comptroller General
***
RCMP
Royal Canadian Mounted Police
SSC
Shared Services Canada
TB
Treasury Board
TBS
Treasury Board Secretariat
***

Executive Summary

The Royal Canadian Mounted Police (RCMP) was one of twelve large departments and seven small departments selected by the Office of the Comptroller General (OCG) to participate in a Horizontal Internal Audit of Information Technology (IT) Security. The objectives of the audit were to determine whether governance frameworks over IT Security were in place within departments as well as across government; and whether selected control frameworks were in place in departments to mitigate IT Security risks. The scope of the audit included the governance and control frameworks over IT Security for unclassified government networks as at March 31, 2014. The planning phase of the audit, including development of the objective, scope and criteria, was completed by the OCG. RCMP Internal Audit (IA) was asked to complete the examination phase of the audit using a methodology developed by the OCG and to report findings and conclusions to the OCG for inclusion in a consolidated report.

***

This companion report provides additional RCMP-specific details and context with respect to the OCG's findings. The OCG's consolidated findings are consistent with the situation within the RCMP. While elements of the governance framework over IT security were in place ***

Management's Response to the Audit

The Departmental Security Branch (DSB) agrees with the findings reported in the OCG's "Horizontal Internal Audit of IT Security" report and the subsequent "RCMP Findings Relating to the OCG's Horizontal Audit of IT Security" report. They have highlighted *** in the following key areas: ***

  • inter-departmental governance including policy updates; ***

The current operating environment is driving key responsibilities that must be well defined between the RCMP, Shared Services Canada (SSC), CSEC and Treasury Board. *** DSB in partnership with the IM/IT Program will assume the leadership roles needed internally to move forward on the recommendations. ***

Peter Henschel, Deputy Commissioner
Specialized Policing Services
Royal Canadian Mounted Police

1.0 Background

Information technology (IT) is as much an enabler of government operations as it is a source of risk to the confidentiality, integrity and availability of information on which the government depends to operate. *** The RCMP was one of twelve large and seven small departments selected by the OCG to participate in this horizontal internal audit. The objectives, established by the OCG, were to determine whether: governance frameworks over IT Security were in place within departments as well as across government; and selected control frameworks were in place in departments to mitigate IT Security risks related to unclassified networks.

IT Security refers to the safeguards that preserve the confidentiality, integrity, availability, intended use, and value of electronically stored, processed, or transmitted information. IT Security also includes the safeguards that are applied to the assets used to gather, process, receive, display, transmit, reconfigure, scan store, or destroy information electronically.Footnote 1

Within the RCMP, IT security is a shared responsibility. The Departmental Security Branch (DSB) is the national policy centre for IT Security. The Information Management / Information Technology (IM/IT) Program delivers IT services across the RCMP, ***. External agencies also play a role, with Shared Services Canada (SSC) being the service provider for network infrastructure, acquisition and provision of hardware, software and related support.Footnote 2

RCMP Internal Audit (IA) was asked to complete the examination phase of the horizontal audit using a methodology developed by the OCG, and based on OCG-determined criteria (see Appendix A). At the conclusion of the examination phase, RCMP IA provided findings and conclusions to the OCG for inclusion in a consolidated report. The consolidated report was tabled by the OCG at the Government of Canada Audit Committee in February 2016.

The OCG report includes three findings and associated recommendations: Governance at the Government-Wide Level; Governance at the Departmental Level; and Selected Departmental Control Frameworks. *** Accordingly, this report includes additional RCMP-specific details and context with respect to these findings ***. ***

2.0 Objectives, Scope and Methodology

2.1 Objectives

The objectives of the OCG horizontal internal audit were to determine whether:

  1. Governance frameworks over IT Security were in place within departments as well as across government; and,
  2. Selected control frameworks were in place in departments to mitigate IT Security risks.

The criteria used to assess the objectives relevant to the RCMP can be found in Appendix A.

The objective of this report is to provide additional context and detail related to those findings and recommendations relevant to the RCMP.

2.2 Scope

The scope of the audit included the governance and control frameworks over IT Security for unclassified government networks as at March 31, 2014. The audit focused on unclassified networks ***. ***

2.3 Methodology

The planning phase was completed by the OCG. The OCG also determined the methodology to be used by participating departments during the examination phase. Participating departments submitted their results, and the OCG reported on the consolidated findings.

During the examination phase, RCMP IA conducted interviews with key employees within the Departmental Security Branch (DSB), Information Management / Information Technology (IM/IT) Program ***. As well, documentation from these groups was collected and analyzed.

3.0 Audit Findings

3.1 Governance at the Departmental Level

The OCG report indicates that both large and small departments could improve their IT governance frameworks by: updating their IT Security policies in a timely manner ***.

3.1.1 IT Security Policy

The RCMP's IT Security policy is aligned with the government's IT security policy framework.

The Treasury Board Secretariat (TBS) Operational Security Standard: Management of IT Security (MITS) requires every department to have a departmental IT security policy that is approved by senior management. The IT security policy must define roles and responsibilities and be communicated to stakeholders. To ensure the IT security policy remains relevant, it must also reflect the changing environment.

At the time of the audit, a departmental IT security policy was in place ***. ***

Consistent with MITS requirements, the RCMP's IT security policy defined roles and responsibilities related to IT security. ***

3.1.2 IT Security Governance

Governance structures supporting the coordination of IT security activities have been established within the RCMP.

The Treasury Board (TB) Policy on Government Security requires that departments appoint a DSO, who is functionally responsible to the deputy head or to the departmental executive committee to manage the departmental security program. The TBS Directive on Departmental Security Management also requires departments to establish security governance mechanisms (committees, working groups) to ensure the coordination and integration of security activities, and facilitate decision making.

The RCMP's Director General (DG) DSB has been appointed to perform the function of DSO. In this capacity, the DSO is responsible for all IT systems under the control and stewardship of the RCMP. Additionally, the DSO is responsible for arranging the inspection of and consultations on RCMP computer facilities and for coordinating the implementation of any related recommendations. Reporting to the DSO, the Director, Information Technology Security Communications is the RCMP's IT Security Coordinator (ITSC). As the RCMP is one of Shared Services Canada's (SSC) partner organizations, SSC is also a stakeholder in the RCMP's IT security governance activities.

*** IT security is discussed and decisions relative to IT security are made in committees in which the DSO and ITSC participate. ***

3.1.3 Departmental Security Plan

At the time of the audit, the RCMP's Departmental Security Plan was under development; it was subsequently completed and approved.

The TB Policy on Government Security requires that deputy heads approve a Departmental Security Plan (DSP) detailing decisions for managing security risks and outlining strategies, goals, objectives, priorities and timelines for improving departmental security. ***

At the time of the audit, the RCMP's DSP was being developed and was intended to reflect the security control objectives in the TBS Directive on Departmental Security Management. ***

A DSP *** should help better coordinate resources to proactively address IT security risks, manage risks more effectively, and respond more efficiently to IT security incidents. Following completion of the audit, in the summer of 2015, the RCMP completed its first DSP. ***

3.1.4 ***

***

Faced with a continuously evolving threat environment in the area of IT security, a systematic approach to understand, manage and communicate risk is important to ensure the best use of resources. In its lead security agency role, Communications Security Establishment Canada (CSEC) issued guidance (Overview of IT Security Risk Management: A Lifecycle Approach [ITSG-33], Annex 1) recommending a specific approach for managing IT security risks consistently.

At the time of the audit, ***

3.1.5 ***

***

The TB Policy on Government Security requires deputy heads to ensure that periodic reviews are conducted to assess the effectiveness of their departmental security program. MITS also requires an annual assessment of the IT security program and practices to monitor compliance with government and departmental security policies and standards. ***

3.2 ***

4.0 ***

5.0 ***

Appendix A – Audit Objectives and Criteria

The following objectives and criteria, of relevance to the RCMP, were determined by the OCG. The OCG audit report "Horizontal Internal Audit of IT Security" was finalized in February 2016.

Objective 2Footnote 3: Governance Over IT Security Within Departments

At the departmental level, governance frameworks are in place for the management of IT security.

Criterion 2.1: Departmental IT security policies aligned with the government's IT security policy framework have been developed and communicated within departments.

Criterion 2.2: Departmental oversight bodies for the management of IT security have been established.

Criterion 2.3: An IT security plan that is aligned with government-wide and departmental priorities has been developed, communicated and updated.
Criterion 2.4: A Human Resources Plan for IT security professionals that is aligned with government-wide and departmental priorities and plans has been established.
Criterion 2.5: A departmental approach to managing IT security risks has been developed and implemented.
Criterion 2.6: Departmental reporting of policy compliance and IT security program performance is being performed to inform decision making.
*** ***
***
***
Date modified: