Corporate Audit of Security
Final Summary Report

1.0 EXECUTIVE SUMMARY

This objective was examined by focusing on the effectiveness of the management structure of the security organization, security administration, including threat and risk assessments, and security operations, including protection of information, personnel screening, and safeguards for the protection of personnel and physical assets.

The scope of the audit encompassed all aspects of security for a sample of all the business lines of the Department. This audit was directed by CIC Corporate Review and conducted under contract between November 2000 and May 2001. Briefings were held during and after the audit field work. The auditors conducted additional security briefings with CIC staff during the fall and winter of 2001–2002.

The overall assessment is that CIC has implemented a security approach that largely reflects the requirements of the GSP. However, the security functions were not fully effective. More attention is required from senior management to define corporate level risks and provide appropriately sized budgets. This would provide a broad security framework for regions and sites to implement their own effective security programs.

CIC manages information that is sensitive and frequently classified. There is a trend toward the increased use of sensitive information in the normal course of business. This trend, combined with the general lack of attention to data sensitivity when assessing security requirements, heightens the Department’s risk of inappropriate disclosure of information that should be protected.

Since the terrorist attacks of September 11, 2001, the government of Canada implemented and financed new high-level security measures for most areas under federal responsibility, and senior management at CIC have given greater attention to security.

<< Contents| Previous | Next >>