The Canadian government doesn’t meet its own minimum standards for IT security, Canada’s auditor general said Tuesday.
In a report that pulled no punches, Sheila Fraser dubbed the government’s IT security efforts “unsatisfactory.”
“Two and a half years after revising its Government Security Policy the government has…to translate its policies and standards into consistent, cost-effective practices that will result in a more secure IT environment in departments and agencies,” the report said.
“I am disappointed that the government still does not meet its own minimum standards for IT security, even though most of the standards have been well known for more than a decade.” – Sheila Fraser
Those findings – tabled in the House of Commons on Tuesday afternoon – are an update to a 2002 report that put IT security under scrutiny. Fraser expressed concern that the government has made little progress on the earlier report’s recommendations.
“In many departments and agencies, senior management is not aware of IT security risks and does not understand how breaches of IT security could affect operations and the credibility of the government,” Fraser told the House. “If security weaknesses allowed someone to access a database or confidential information, Canadians’ trust in the government would be greatly eroded.”
Her report warned that if a citizen’s privacy were violated because of a failure to keep confidential information secure, “it could cause that person hardship and seriously undermine the government’s efforts to deliver services to Canadians electronically.”
In a news release on the report, Fraser expressed disappointment that, though most IT security standards have been known for more than a decade, the government still does not fully comply with them. “It means government systems and the sensitive data they hold are vulnerable to security breaches.”
Her audit found that – in general – departments and agencies have not adequately assessed IT security risks. It identified key security weaknesses in several (unnamed) government departments and agencies. These weaknesses include:
• Failure to adequately control access to sensitive data and programs; and,
• Inadequate network security and network access controls.
The auditor general recommended that departments and agencies subject to the Government Security Policy provide the Treasury Board Secretariat with an annual schedule of planned IT security monitoring activities. “As more and more government services are offered on-line, individuals and businesses need to have confidence that the information they share will be well protected,” she said.
The audit found most departments and agencies did not fully comply with the federal government’s IT Security policy. Possible reasons for this, it said, include a shortage of money and people, as well as a lack of overall interest in IT security by senior management in government.
The report said compliance and awareness failures have broad implications and could “erode the trust Canadians have in the ability of their government to transact business online, in a secure and confidential environment.” The auditor general recommended that all departments and agencies prepare timely IT security action plans, which would be reviewed in December 2006.
A Canadian security expert agrees that Ottawa needs to pay more attention to IT security and says an overhaul of security technologies would be a good place to begin.
“[The government should] understand that some of yesterday’s solutions are not applicable anymore and (should) look for new solutions and technology,” said Brian O’Higgins, CTO for Ottawa-based Third Brigade, a software security firm. Outdated technology, he said, could lock down networks.
O’Higgins said the federal government needs to allocate more money to IT security. He estimated the Canadian government spends less than three per cent of its IT budget on security, which is relatively low compared to government investment in other areas of IT. In stark contrast, he said, the U.S. recently announced a 15 per cent IT security spending increase in its budget.