Audit of IT security: Threat and vulnerability management
Final report summary
Global Affairs Canada
Office of the Chief Audit Executive
Background
In accordance with Global Affairs Canada's approved 2018-19 Risk-Based Audit Plan, the Office of the Chief Audit Executive conducted an Audit of Information Technology (IT) Security: Threat and Vulnerability Management.
A properly planned and implemented threat and vulnerability management (TVM) program is a key element of an organization's IT security program. It detects cyber threats and provides an approach to risk and vulnerability mitigation that is proactive and business-aligned, driven by risk rather than purely reactive and technology-focused. A TVM program is intended to provide a way to assess the likelihood and potential business impact of threats and vulnerabilities to an organization's information infrastructure before cyber security incidents occur, so that remediation effort can be prioritized accordingly.
Cyber attacks and the associated risks are forcing most organizations to focus more attention on information security. Several factors have driven the increased risk and subsequent attention paid to IT security issues, including the evolving threat landscape and rapid changes in technology. Federal government departments and agencies are subject to millions of cyber-intrusion attempts every day.
The Department’s IT system supports Canada’s international presence at 178 points of service in over 100 countries. The Department faces constant cyber security threats and risks due to the nature of its mandate. IT security at Global Affairs Canada is about mitigating vulnerabilities and reinforcing the safety of its IT systems and digital information through properly planned and implemented Threat and Vulnerability Management (TVM) programs.
IT security threat and vulnerability management programs are governed by a number of policies and guidelines, as follows:
- The Treasury Board (TB) Policy on Government Security establishes the policy framework for departmental security activities.
- The TB Directive on Departmental Security Management requires departments to establish a departmental security plan, define roles and responsibilities for security, and establish minimum security controls.
- The TB Operational Security Standard: Management of Information Technology Security (MITS) elaborates on how baseline security controls should be fulfilled to ensure the security of information and IT assets under departmental control.
- Information Technology Security Guidance 33 (ITSG-33) provides guidance on implementing an IT security management framework through a life-cycle approach.
Audit objective
The objective of the audit was to assess the existence, design and effectiveness of information security controls implemented by the Department to detect, evaluate and remediate IT security-related threats and vulnerabilities.
Audit scope
The audit assessed the processes and controls in place over IT threat and vulnerability management during the period of April 1, 2018 to February 28, 2019.
For the purpose of this audit, IT threat and vulnerability management processes included:
- Detection, management and remediation of IT threats and vulnerabilities applicable to Global Affairs Canada’s existing IT system;
- Evaluation of IT vulnerabilities during the system development life cycle; and
- Processes in place to measure and report on IT threats and vulnerabilities up to senior management.
The scope of this audit did not include organizations outside of GAC but did consider how GAC manages the information received from external organizations to inform their IT security program.
The audit team examined documents, conducted interviews with departmental officials, and assessed the vulnerability of the departmental IT system. In addition, the audit team conducted a technical vulnerability assessment of three GAC applications.
Observed strengths
The following strengths were identified during the audit:
- Processes to collect cyber threat intelligence from both internal and external sources are in place;
- The Department has drafted an IT security risk assessment that allows IT security requirements to be tailored; and
- The Department has a Security Performance Measurement Framework in which performance indicators and targets have been established.
Findings
Based on a combination of the evidence gathered through the examination of documentation, analysis, interviews and process walk-throughs, each audit criterion was assessed. Observations were noted in the following areas during the audit:
- Enterprise-wide threat and vulnerability management program;
- Roles and responsibilities;
- Risk assessment; and
- Training.
Conclusion
The audit team found that the Department has implemented some information security controls to detect, evaluate and remediate IT security-related threats and vulnerabilities. However, areas for improvement regarding the existence, design and effectiveness of controls were noted.
More specifically, the audit team found that the Department had processes in place to collect cyber threat intelligence from both internal and external sources, but would benefit from an enterprise-wide threat and vulnerability management program to coordinate activities across the Department.
Statement of conformance
In my professional judgment as the Chief Audit Executive, this audit was conducted in conformance with the Institute of Internal Auditors' International Standards for the Professional Practice of Internal Auditing and with the Treasury Board Policy and Directive on Internal Audit, as supported by the results of the quality assurance and improvement program. Sufficient and appropriate audit procedures were conducted, and evidence gathered, to support the accuracy of the findings and conclusion in this report, and to provide an audit level of assurance. The findings and conclusion are based on a comparison of the conditions, as they existed at the time, against pre-established audit criteria that were agreed upon with management and are only applicable to the entity examined and for the scope and time period covered by the audit.
Acronyms
- GAC: Global Affairs Canada
- IT: Information Technology
- MITS: Management of Information Technology Security
- TB: Treasury Board
- TVM: Threat and vulnerability management
Criteria
Criterion 1. To provide assurance that GAC has implemented an effective management control framework, which includes accountabilities, policy and monitoring to mitigate IT threats and vulnerabilities.
- 1.1 Roles and responsibilities related to TVM between internal and external partners, including between HQ and missions, are clearly defined and understood.
- 1.2 There is an effective process to manage and prioritize the IT assets in scope for TVM at GAC.
- 1.3 The TVM program and related policy framework are adequate to ensure that required IT security controls are consistently applied throughout the organization.
- 1.4 A performance monitoring process is in place to evaluate and report on TVM performance and the evolution of IT security vulnerabilities.
Criterion 2. To provide assurance that GAC has implemented effective operational and technical controls throughout the Department to mitigate risks related to IT threats and vulnerabilities.
- 2.1 There are effective controls and processes in place to detect, evaluate and prioritize IT security-related vulnerabilities.
- 2.2 There is an effective process to define IT security requirements in missions, aligned with defined threat and vulnerability levels.
- 2.3 There is an effective process to provide IT security awareness and training on IT security threats and vulnerabilities, tailored to various user groups.
- 2.4 There are effective processes and controls in place to ensure identified vulnerabilities are remediated in a timely manner based on the severity of the vulnerability and the underlying threat, including patch management and system hardening.
- 2.5 There is a process in place to ensure IT security vulnerabilities are considered in GAC's system development life cycle (SDLC).