Corporate Audit of Security
Final Summary Report
3.5 Information Technology Security
Communications security was managed centrally and was satisfactorily controlled. However, the overall requirement for more secure communications across electronic networks is increasing significantly. Individual systems were constructed under the assumption that only data designated “Protected B” would be used. However, regular communications facilities (wide area network, local area network) were used to operate regular business support systems. The audit determined that regional and site staff have concerns about the significant volume of information now created, collected, used and stored which potentially exceeds the security or protection design specifications for Protected B information. This does not apply to secure systems such as those for the intelligence community, which were treated differently.
Information technology security was not accorded a high profile, and the departmental budget for it was limited. As a result of these factors and limited staff awareness, there was no life-cycle approach applied to information technology systems that required and maintained security safeguards. Also, few operating systems had an SOS or a TRA for information protection requirements completed.
