Corporate Audit of Security
Final Summary Report
3.3 Information Security
The departmental approach to security is based on the assumption that most business lines use only information that has been designated “protected.” Local managers and staff are responsible for the safeguarding of sensitive information and assets within the scope of their delegated authority. The audit determined that many sites actually collect, store and use information that could require a higher level of protection. The departmental position on information security, consequently, requires a thorough examination, possibly as one aspect of a corporate level TRA.
Areas of the Department that require exceptional protection, such as intelligence units, employed additional safeguards. Within the headquarters region, Corporate Security provided well-managed special services for the control of sensitive information.
To establish and maintain the security of its information in the regions, CIC was heavily dependent on physical security, such as staff access restrictions to certain locations within a building and computer systems perimeter controls. The management of documents and information, and employee awareness of security requirements for information processing, were highly variable in the regions.
Key documents were generally controlled, but the level of control varied across the Department. This variability in control has consequences, especially when combined with the tendency to collect, use and store information that may exceed normal protection requirements. There is a gap in security coverage, and the level of protection provided to information does not always meet the requirements of the GSP.