Canada Revenue Agency invests in IT security

Canada Revenue Agency is beefing up its IT security just weeks after a phishing scheme tried to fool users about their refunds and as tax season gets under way.

The measures include a security awareness program for all of the Canada Revenue Agency’s (CRA) 50,000 employees and the implementation of an identity and access management program. CRA is also enforcing a policy that 15,000 laptops under its control be encrypted, and is rolling out a vulnerability assessment program to see where software patches may need to be applied.

Ken Canam, CRA’s director of IT security, said the agency has been exploring ways to improve the protection of data and applications following its compliance with the federal Management of Information Technology Security (MITS) standard, which was made mandatory by Treasury Board Secretariat two years ago. The CRA isn’t stopping there, though.

“You can be MITS-compliant, but you have to recognize that MITS is only a baseline,” Canam said. “You have to look at your organization and determine where you meet MITS and where it needs to be exceeded.”


Canam made his comments at GovSym, a public sector security event held in Ottawa last week by IT World Canada and founding sponsor Symantec.

The CRA runs a mix of Windows servers, Unix and even Linux machines. A critical priority for the agency is scanning and ensuring the integrity of its NetFile online tax filing system. This is especially important, Canam noted, in light of a recent phishing scheme where Canadians were asked to click a link that promised a lucrative refund.

Mark Fossi, who leads the research effort around Symantec’s Internet Threat Security Report, said the CRA phishing scheme demonstrates the increasing sophistication of online threats.

“It’s not like it’s an e-mail about millions of dollars coming from Africa,” he said, referring to phoney e-mail messages purportedly from Nigeria. “It’s reasonable amounts. Who couldn’t use an extra hundred bucks right now?”

Canam noted that the only thing that looked different from the real CRA site was a minor discrepancy in a French character.

The CRA is as focused internally as it is on citizen-facing applications like NetFile. Part of the CRA’s plan involves an enterprise security monitoring console, which Canam said looks for simultaneous access on the same account. “So if you were in Halifax and logged on, and then at the same time someone else logged on with the same ID in Toronto, that would send an alert and we could block that access,” he said.

Besides phishing schemes and online pranksters, Canam said the CRA was most concerned about botnets and SQL injections. The agency is paying special attention to commercial off-the-shelf software, scanning it a minimum of three times for any issues, he said.

The CRA is also using Entrust PKI security technology to allow employees to sign in remotely and to secure the more than 100 e-mails and federal documents that get sent to courts every day.

Shane Schick