In Ottawa, and in federal government offices across the country, staff and contractors are scrambling to sign off on a list of 144 security items to demonstrate compliance. Federal agencies and departments have until December 31 to comply with the Management of IT Security (MITS) standard.
Some of the 102 departments and agencies affected will not make it. In some cases, an agency is so small that compliance is not really an issue, but in other cases the department is so large that it does not have to meet any standards but its own.
There is no effective instrument by which a central agency can impose discipline on individual departments and agencies. The de facto disciplinary bodies for IT security in the federal government are the Office of the Auditor General and the Public Accounts Committee of the House of Commons.
Successive Auditor General’s reports have been harsh on the departments that have been sampled for effective IT security. The 2002 report called the revised Government Security Policy of that year “an important step in the right direction, but without the Treasury Board Secretariat providing up-to-date standards, the policy has little effect and the IT security initiative will flounder.”
Since then, Treasury Board Secretariat has provided the MITS standard, but in the opinion of many, it still falls short of effective protection.
It would be difficult to be more severe than the 2005 Auditor General’s judgment: “The majority of departments do not meet the minimum standards set by the Secretariat for IT security.
Vulnerability assessments, conducted in departments and agencies over the last two years, have revealed significant weaknesses that, if exploited, could result in serious damage to government information systems.”
In what other area of government would “significant weaknesses” leading to “serious damage” be tolerated? Food safety? Traffic lights?
There are many desired outcomes for IT services in the federal government. Effective implementation will bring government that is “responsive, transparent, efficient and effective,” and government that “makes better decisions, more quickly and with more confidence.” Officials are quick to declare victory in the campaign to date. For citizens, so the speaking notes go, the federal government’s online services are more accessible and responsive. (Somehow, trust in those online services is increasing just as public confidence in private sector online services is dropping.)
It is impossible to assign a dollar value to increased client satisfaction with government services and more citizen confidence in government and its activities; but when poor IT security puts them at risk, it puts many government assumptions about lower cost of service delivery at risk. In its review of the Auditor General’s February 2005 report, the Commons Public Accounts Committee report goes directly to the heart of the current IT security impasse.
“The decisions about resource allocation within department operating budgets are in the hands of the deputy minister,” the report states.
“This audit shows that many deputy ministers are either unaware of the status of IT security inside their departments or do not assign sufficient importance to it.”
By now it is highly doubtful whether anyone of executive rank in the federal government does not understand the potential impact of IT security failure within their own departments. But as long as deputy ministers bear the responsibility for IT security within their departments – and remain the ultimate spending authorities – it will receive what they consider to be the appropriate attention.
Unlike the United States, where a central agency can reduce departmental budgets for failure to comply, penalties in this country are negligible. IT security has been added to the departmental report card called the Management Accountability Framework, but it is doubtful whether executives who perform well in other, positive measurements will suffer for a low score in IT security, which is perceived as an investment without a return.
The minimum standards that MITS has set are inadequate. Departments and agencies will be expected to have IT security fundamentals in place, with an IT security organization and a risk management program. Critical systems will be identified and at least some action will be taken to ensure their security. The final, minimal MITS expectation is that senior executives within each department understand the damage that IT security failure can cause and assign each risk a priority.
There will be meaningful action to protect federal government IT systems only when there is a disaster so big that it cannot be concealed, covered up or explained away. There is an opportunity now to get things right, but MITS – with its “security light” approach, tolerance of non-compliance and lack of enforcement mechanisms – is not the answer.
Richard Bray is an Ottawa-based freelance journalist specializing in high technology and security. He can be contacted at email@example.com