While MITS standards are the same for each federal government organization, the effort required for implementation varies significantly from one organization to another.
Assuring compliance with MITS in a small centralized organization is far easier than it is for an organization like Service Canada, due to the numerous service delivery channels situated across Canada providing multiple services to many different clients and partners.
In such a rapidly changing and technologically complex environment, Service Canada’s Innovation, Information and Technology Branch (IITB) did an enormous amount of work to comply with MITS and protect Service Canada’s information and IT assets against internal and external threats. During the MITS implementation, IITB underwent a massive reorganization which better positioned the branch to deal with security threats.
At the same time, the reorganization slowed MITS implementation while new roles and responsibilities were identified and positions were staffed. Service Canada has successfully enhanced or implemented many security controls, both soft (awareness and culture-change controls) and hard (implementation of physical security controls). Service Canada’s ongoing activities continue to demonstrate its commitment to complying with MITS and safeguarding confidential client information.
Statement of Assurance
In our professional judgment, sufficient and appropriate audit procedures have been conducted and evidence gathered to provide a high level of assurance and to support the accuracy of the conclusions reached and contained in this report. The conclusions are based on observations and analyses of the situations as they existed at the time, measured against the audit criteria. The conclusions are only applicable to Service Canada.
This internal audit was conducted in accordance with the Treasury Board Policy on Internal Audit and the Institute of Internal Auditors Standards for the Professional Practice of Internal Auditing.
APPENDIX A: Management Action Plan
Internal Audit Recommendations
Management Plan Action(s) to be undertaken
Planned Completion Date
Responsibility Title and RC Number
Recommendation: PROTECTED
Action(s): PROTECTED
Planned completion: December 31, 2007
Responsibility: IITB/Operations Branch, Bettylynn Stoops, DG, BCP
Recommendation: PROTECTED
Action(s): PROTECTED
Planned completion: Review Completed
Responsibility: Norm Smith, Manager, Infrastructure Program Office; Dave Beach, Director, IT Security Services; Nicole Gratton, Director, National Data Network Systems; Murray Jaques, Director, Distributed Computing Services; Réjean Poitras, Director, Hosting Technical Services; René Lalande, A/Director, Platform Engineering and Support Services; Al Gauthier, A/Director, Hosting Production Services
Recommendation: PROTECTED
Action(s): PROTECTED
Planned completion: April 1, 2008
Responsibility: ATS: Donald Toussaint, A/Director, IT Security Centre of Excellence
Recommendation: PROTECTED
Action(s): PROTECTED
Planned completion: Positions Identified: October 2007; Clearance Strategy: November 2007
Responsibility: IS: Norm Smith, Manager, Infrastructure Program Office
Recommendation: PROTECTED
Action(s): PROTECTED
Planned completion: July 1, 2008
Responsibility: ATS: Donald Toussaint, A/Director, IT Security Centre of Excellence
Recommendation: PROTECTED
Action(s): PROTECTED
Planned completion: Opportunity
Responsibility: Paul Wagner, DG; ADS: Duc-Chi Tran, DG; ATS: Donald Toussaint, A/Director, IT Security Centre of Excellence
Recommendation: PROTECTED
Action(s): PROTECTED
Responsibility: PPQA: Paul Wagner, DG; ADS: Duc-Chi Tran, DG; ATS: Donald Toussaint, A/Director, IT Security Centre of Excellence
Recommendation: PROTECTED
Action(s): PROTECTED
Planned completion: PPQA: Awareness for IT Project Managers: November 2008
Responsibility: BMS: Paul Wagner, DG; ADS: Duc-Chi Tran, DG; ATS: Donald Toussaint, A/Director, IT Security Centre of Excellence
Recommendation: PROTECTED
Action(s): PROTECTED
Responsibility: PPQA: Paul Wagner, DG; ADS: Duc-Chi Tran, DG; ATS: Donald Toussaint, A/Director, IT Security Centre of Excellence
Recommendation: PROTECTED
Action(s): PROTECTED
Planned completion: 10.c: June 2008
Responsibility: IS: Brian Graham, Director, IT Service Management
Recommendation: PROTECTED
Action(s): PROTECTED
Planned completion: PPQA Gating Process: February 2008; Solution Development Improvement: March 2009
Responsibility: BMS: Paul Wagner, DG; ADS: Duc-Chi Tran, DG
Recommendation: PROTECTED
Action(s): PROTECTED
Planned completion: PPQA: February 2008; Initiate Business Case: April 1, 2008; Complete Assessments: March 31, 2012
Responsibility: BMS: Paul Wagner, DG; ATS: Donald Toussaint, A/Director, IT Security Centre of Excellence
Recommendation: PROTECTED
Action(s): PROTECTED
Planned completion: Certification Process: November 2008
Responsibility: ATS: Donald Toussaint, A/Director, IT Security Centre of Excellence
Recommendation: PROTECTED
Action(s): PROTECTED
Planned completion: Accreditation Process: November 2008
Responsibility: ATS: Donald Toussaint, A/Director, IT Security Centre of Excellence
Recommendation: PROTECTED
Action(s): PROTECTED
Planned completion: Completed
Responsibility: IS: Dave Beach, Director, IT Security Services
Recommendation: PROTECTED
Action(s): PROTECTED
Planned completion: Completed
Responsibility: IS: Brian Graham, Director, IT Service Management
Recommendation: PROTECTED
Action(s): PROTECTED
Planned completion: MOUs Established: March 2008; Mission Critical Lists Created: June 2008
Responsibility: IS: Brian Graham, Director, IT Service Management
Recommendation: PROTECTED
Action(s): PROTECTED
Planned completion: February 2008; July 2008
Responsibility: Internal Audit Branch: Denis Tisseur, Director, IT Audit
Recommendation: PROTECTED
Action(s): PROTECTED
Planned completion: Study Completion: August 2008
Responsibility: ATS: Donald Toussaint, A/Director, IT Security Centre of Excellence; IS: Dave Beach, Director, IT Security Services
Recommendation: PROTECTED
Action(s): PROTECTED
Planned completion: Q1 – 2008/2009
Responsibility: IS: Dave Beach, Director, IT Security Services, and Nicole Gratton, Director, National Data Network Systems; ATS: Donald Toussaint, A/Director, IT Security Centre of Excellence
Recommendation: PROTECTED
Action(s): PROTECTED
Planned completion: April 2008
Responsibility: Internal Audit Branch: Malcolm Powell, Senior Director, Planning and Audit
Recommendation: PROTECTED
Action(s): PROTECTED
Planned completion: Initiation: May 1, 2008; Completion: July 1, 2009
Responsibility: ATS: Donald Toussaint, A/Director, IT Security Centre of Excellence
Recommendation: PROTECTED
Action(s): PROTECTED
Planned completion: Initiation: February 1, 2008; Completion: July 1, 2008
Responsibility: ATS: Donald Toussaint, A/Director, IT Security Centre of Excellence; IS: Dave Beach, Director, IT Security Services; IITB Portfolio Leads: Sylvie Desjardins (Service Development DGO), Kevin Dalliday (HRSDC DGO), Sue Blais (Transaction Processing DGO), Gisele Armstrong (Service Delivery Networks & Channels DGO), Brian Maither (Corporate Operations DGO); Financial & Vendor Management Services: Susan Donovan-Brown
Recommendation: PROTECTED
Action(s): PROTECTED
Planned completion: March 31, 2008
Responsibility: ATS: Donald Toussaint, A/Director, IT Security Centre of Excellence; IS: Dave Beach, Director, IT Security Services
Recommendation: PROTECTED
Action(s): PROTECTED
Planned completion: Q1 – 2008/2009
Responsibility: IS: Dave Beach, Director, IT Security Services, and Nicole Gratton, Director, National Data Network Systems