The Canadian government doesn’t meet its own minimum standards for IT security, Canada’s auditor general said.
In a report that pulled no punches, Sheila Fraser dubbed the government’s IT security efforts “unsatisfactory.”
“Two and a half years after revising its Government Security Policy the government has…(yet) to translate its policies and standards into consistent, cost-effective practices that will result in a more secure IT environment,” the report said. The findings were tabled in the House of Commons on Feb. 15.
They are an update to a 2002 report that put IT security under scrutiny. Fraser expressed concern that the government had made little progress on the earlier report’s recommendations.
“In many departments and agencies, senior management is not aware of IT security risks and does not understand how breaches of IT security could affect operations and the credibility of the government,” Fraser told the House. Her report warned that if a citizen’s privacy were violated because of a failure to keep confidential information secure, “it could cause that person hardship and seriously undermine the government’s efforts to deliver services to Canadians electronically.”
In a news release on the report Fraser expressed disappointment that — though most IT security standards have been known for more than a decade — the government still does not fully comply with them. “It means government systems and the sensitive data they hold are vulnerable to security breaches.”
The report also said compliance and awareness failures have broad implications and could “erode the trust Canadians have in the ability of their government to transact business online, in a secure and confidential environment.” The auditor general recommended that all departments and agencies prepare timely IT security action plans, which would be reviewed in December 2006.
A Canadian security expert agreed and said IT security breaches would be more than just an embarrassment to the government.
“The consequences are very high [and] the penalty could be severe,” said Brian O’Higgins, CTO for Ottawa-based Third Brigade, a software security firm.
As well, Fraser’s audit found that, in general, departments and agencies had not adequately assessed IT security risks. The auditor general recommended that departments and agencies subject to the Government Security Policy provide the Treasury Board Secretariat with an annual schedule of planned IT security monitoring activities. “As more and more government services are offered online, individuals and businesses need to have confidence that the information they share will be well protected,” she said.
O’Higgins said it was good the report addressed how threats have evolved since 2002 but found the over-emphasis on threat and risk assessments a red flag.
“If you spend all your energy analyzing a problem you are not spending any of your energy solving it. I’d rather go ahead and apply the corrective technology and improve the situation rather than spend all the time analyzing it,” said O’Higgins.
The audit also found most departments and agencies did not fully comply with the federal government’s IT security policy. Possible reasons for this, it said, include a shortage of money and people, as well as a lack of overall interest in IT security by senior management.
O’Higgins agreed, and said Ottawa needs to pay more attention to IT security and that an overhaul of security technologies would be a good place to begin.
“[The government should] understand that some of yesterday’s solutions are not applicable any more and (it should) look for new solutions and technology.” Outdated technology, he said, could lock down networks. As well, O’Higgins said the federal government needs to allocate more money to IT security. He estimated that the Canadian government spends less than three per cent of its IT budget on security — which is relatively low compared to government investment in other areas of IT.