Audit of Information Technology Security - Report Summary
Global Affairs Canada
Office of the Chief Audit Executive
December 14, 2016
Background
Global Affairs Canada’s (the Department) latest Corporate Risk Profile and Departmental Security Plan include information technology (IT) security risks. In these reports, cyber threats and exfiltration of information were noted as key corporate risks to the Department. Global Affairs Canada operates in Canada and through its network abroad in 174 countries; because of this international presence and mandate, the Department is a likely target of would-be malicious internet users.
Based on this information, the audit team conducted a preliminary analysis and risk assessment and determined that an audit of privileged access would be an appropriate and relevant area of examination related to the IT security risks identified by the Department. Effective management of privileged access to IT systems is a key component in the defense against risks related to the theft and exfiltration of information by these agents, and is considered to be a staple of good IT security practices.
To address these risks, the Department is guided by Government of Canada and department-specific policy, and by the adoption of industry best practices by GAC employees. IT security at Global Affairs Canada is governed by federal government policies, such as the Policy on Government Security, the Management of Information Technology Security (MITS) Operational Security Standard, and IT Security Risk Management: A Lifecycle Approach (ITSG-33). These policies and standards include: definitions of the basic requirements to safeguard employees and assets; directives to assure the continued delivery of services; and baseline requirements for departmental IT security programs so that federal departments can ensure the security of the information and IT assets under their control. Finally, these policies, standards and guidelines provide a list of recommended IT security activities at both the program level and for IT projects.
In 2015, Treasury Board issued a Security Policy Implementation Notice (SPIN 2015-01) that requires departments to report progress on their management of privileged access. Specifically:
- Departments must keep access to the minimum required for individuals to perform their duties (i.e., the least privilege principle), and ensure that access privileges are regularly updated to accurately reflect the current responsibilities of the individual; and,
- Departments must withdraw access privileges from individuals (including students, contractors, or others with short-term access) who leave the organization, and revise access privileges when individuals move to jobs that don't require the same level of access.
Additionally, the MITS, section 12.6 requires that:
- Departments must segregate IT responsibilities as much as possible. Individuals who are authorized to conduct sensitive operations must not be allowed to audit these operations.
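The three requirements above (least privilege with access kept current, revocation on departure, and segregation of operators from auditors) can be checked mechanically by reconciling privileged group membership against an HR roster and a per-role baseline. The following is an added illustration, not code from the audit report or the Department; the account names, group names, roles and dates are constructed sample data.

```python
from datetime import date

# Constructed sample inputs, not data from the audit report.
# Directory export: privileged group membership keyed by account.
PRIVILEGED_MEMBERS = {
    "alice": {"ServerAdmins"},
    "bob": {"ServerAdmins", "SecurityAuditors"},  # operates and audits
    "carol": {"DBAdmins"},
    "dave": {"ServerAdmins"},                     # has left the Department
    "erin": {"ServerAdmins", "DBAdmins"},         # moved to a DBA role
    "frank": {"DBAdmins"},                        # no HR record at all
}
# HR roster: (business role, departure date or None if still employed).
ROSTER = {
    "alice": ("server-ops", None),
    "bob": ("server-ops", None),
    "carol": ("dba", None),
    "dave": ("server-ops", date(2016, 3, 31)),
    "erin": ("dba", None),
}
# Least-privilege baseline: the groups each business role actually needs.
ROLE_BASELINE = {"server-ops": {"ServerAdmins"}, "dba": {"DBAdmins"}}
# Groups that perform sensitive operations versus groups that audit them.
OPERATOR_GROUPS = {"ServerAdmins", "DBAdmins"}
AUDITOR_GROUPS = {"SecurityAuditors"}

def review_privileged_access(members, roster, baseline, as_of):
    """Return (account, requirement, detail) findings, sorted by account."""
    findings = []
    for account, groups in sorted(members.items()):
        if account not in roster:
            findings.append((account, "SPIN 2015-01 (revoke)", "no HR record"))
            continue
        role, departed = roster[account]
        if departed is not None and departed <= as_of:
            findings.append((account, "SPIN 2015-01 (revoke)",
                             f"left on {departed}, still in {sorted(groups)}"))
            continue
        excess = groups - baseline.get(role, set())
        if excess:  # access not updated to reflect current responsibilities
            findings.append((account, "SPIN 2015-01 (least privilege)",
                             f"role {role!r} does not need {sorted(excess)}"))
        if groups & OPERATOR_GROUPS and groups & AUDITOR_GROUPS:
            findings.append((account, "MITS 12.6 (segregation)",
                             "can both perform and audit sensitive operations"))
    return findings

def run_review(as_of=date(2016, 6, 30)):  # end of the audit period
    return review_privileged_access(PRIVILEGED_MEMBERS, ROSTER, ROLE_BASELINE, as_of)
```

Run against real exports, each finding maps directly to one of the requirements an auditor would test, which is what a periodic review of privileged accounts needs to produce.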
Audit Objective
The objective of the audit was to provide reasonable assurance that Global Affairs Canada has adequate controls in place over the management of privileged access to the Department's IT systems, and that these controls are operating effectively.
Audit Scope
The audit examined the Department’s management of privileged access for the period April 1, 2015 through June 30, 2016.
Progress made in response to audit recommendations related to privileged access management from the former Department of Foreign Affairs and International Trade (DFAIT) 2012 Audit of IT Security was also included in the scope of the audit.
Privileged access granted to users at headquarters and at missions was examined, including the processes supporting:
- Granting, modifying, suspending, restoring and revoking accounts that provide access to administrative-level privileges to SIGNET networks;
- Granting, modifying, suspending, restoring and revoking accounts that provide access to administrative-level privileges to selected IT applications; and,
- Monitoring of network activities resulting from the use of administrative-level privileged accounts.
Observed Strengths
The following strengths were identified during the audit:
- The audit found that an IM/IT Security Program Governance structure is in place for the Department. Oversight committees exist and meet regularly;
- Processes in place to provision accounts to system users are generally well controlled;
- The principles of least privilege and separation of duties were considered when role-based groups were designed and created;
- Controls have been implemented that remove access from privileged accounts each year.
Findings
Based on a combination of the evidence gathered through the examination of documentation, analysis, interviews and process walk-throughs, each audit criterion was assessed. Where a significant difference between the audit criterion and the observed practice was found, the risk of the gap was evaluated and used to develop a conclusion and to document recommendations for improvement.
Observations were noted in the following areas during the audit:
- Roles and responsibilities
- Privileged Account Management
- Monitoring
Conclusion
The audit team concludes that while some controls are implemented, they should be improved to fully detect and describe privileged access usage in the Department.
More specifically, the audit found that a governance structure for IT security exists, frameworks for the management of privileged access are in place and have been documented, and access granting processes include appropriate approvals. However, improvements are required with respect to privileged account management.
Statement of Conformance
In my professional judgment as the Chief Audit Executive, this audit was conducted in conformance with the Institute of Internal Auditors' International Standards for the Professional Practice of Internal Auditing and with the Internal Auditing Standards for the Government of Canada, as supported by the results of the quality assurance and improvement program. Sufficient and appropriate audit procedures were conducted, and evidence gathered, to support the accuracy of the findings and conclusion in this report, and to provide an audit level of assurance. The findings and conclusion are based on a comparison of the conditions, as they existed at the time, against pre-established audit criteria that were agreed upon with management and are only applicable to the entity examined and for the scope and time period covered by the audit.
| Criteria | Sub-Criteria |
|---|---|
| 1. A governance structure for IT security, including access to systems, has been established for the Department. | 1.1 An information technology security management structure is in place and aligns with Departmental governance and oversight committees. 1.2 The organization develops, documents and disseminates to users and management: |
| 2. An effective framework for the administration of privileged access to the Department's IT systems that includes defined access roles based on business needs, the periodic review of privileged access assignments, and the monitoring of activities of users with privileged access is established and meets operational needs of the Department. | 2.1 The Department has defined privileged access based on business needs, and has documented conditions for assignment of access roles, groups and permissions to users based on their business function. 2.2 The Department periodically reviews accounts with privileged access for compliance with account management requirements. 2.3 Processes are in place to enable monitoring of system activities performed by users with privileged access, and to review and detect inappropriate access. |
| 3. Control procedures are in place for the granting and revoking of privileged access to users of the Department's IT systems. | 3.1 Privileged access to Departmental IT systems complies with documented requirements and principles. 3.2 Requests for new privileged access to Departmental IT systems and for changes to privileged access follow a formal process, are made by user management, are approved by system owners, and align with business needs. 3.3 Privileged access to IT systems is revoked from individuals who leave the Department. |
| 4. Follow-up on technical access controls recommended in the 2012 audit of IT security. | 4.1 The Department has implemented separate network processing domains (zones) to enable finer-grained allocation of user privileges. 4.2 The Department has implemented technical controls to control access to the Department's IT systems by computers and mobile devices that have not been certified for use. |
Acronyms
- GAC: Global Affairs Canada
- IM: Information Management
- IT: Information Technology
- MITS: Management of Information Technology Security
- MSI: Manual of Security Instructions
- SIGNET: Secure Integrated Global Network