The Canadian government doesn’t meet its own minimum standards for IT security, Canada’s auditor general said in a report last month.
In a document that pulled no punches, Sheila Fraser dubbed the government’s IT security efforts “unsatisfactory.”
“Two and a half years after revising its Government Security Policy, the government has…to translate its policies and standards into consistent, cost-effective practices that will result in a more secure IT environment in departments and agencies,” the report said.
Those findings, which were tabled in the House of Commons on Feb. 15, represent an update to a 2002 report that put IT security under scrutiny. Fraser expressed concern that the government had made little progress on the earlier report’s recommendations.
“In many departments and agencies, senior management is not aware of IT security risks and does not understand how breaches of IT security could affect operations and the credibility of the government,” Fraser told the House. “If security weaknesses allowed someone to access a database or confidential information, Canadians’ trust in the government would be greatly eroded.”
Her report warned that if a citizen’s privacy were violated because of a failure to keep confidential information secure, “it could cause that person hardship and seriously undermine the government’s efforts to deliver services to Canadians electronically.”
In a news release on the report, Fraser expressed disappointment that though most IT security standards have been known for more than a decade, the government still does not fully comply with them. “It means government systems and the sensitive data they hold are vulnerable to security breaches.”
The report also said compliance and awareness failures have broad implications and could “erode the trust Canadians have in the ability of their government to transact business online, in a secure and confidential environment.” The auditor general recommended all departments and agencies should prepare timely IT security action plans, which would be reviewed in December, 2006.
A Canadian security expert agreed and said IT security breaches would be more than just an embarrassment to the government. “The consequences are very high [and] the penalty could be severe. Security is like quality, you need it,” said Brian O’Higgins, CTO for Ottawa-based Third Brigade, a software security firm. As well, Fraser’s audit found that, in general, depart