Corporate Audit of Security
Final Summary Report
5.0 RECOMMENDATIONS
It is recommended that:
1. Senior management review the organizational context for security and ensure that all elements of security have a sufficiently high profile by:
- assessing the appropriateness of the organizational level to which the security function reports;
- ensuring better integration of the elements between NHQ and the regions;
- building management team support by incorporating security requirements in the management contracts developed with senior managers across the Department;
- periodically assessing the security function at regional and local levels against the management contract;
- revising budgets to help security staffs at all levels provide leadership, then evaluating that leadership as part of the security management contract;
- improving communications by providing resources for intradepartmental information sharing of “best” security practices;
- benchmarking the investment in security made by other government departments, and applying “lessons learned” to the Department.
2. The management framework for security should be more integrated within NHQ, the regions and the sites to ensure effective implementation of policies and procedures. Senior management should strengthen the security framework by:
- ensuring policy development is improved and that draft policy is promulgated—this would include promulgation of the information technology (IT) Security policy, cleaning up or replacing existing intranet sites, and coordinating policy between security elements;
- ensuring all responsible organizations develop a plan outlining security objectives and time frames, including improved training;
- establishing joint security committees (regional-national, regional-regional, security-business lines) and recording their proceedings, to share information on actions taken, results and “best” security practices.
3. Senior management should ensure that security objectives and activities relating to information assets:
- improve employee awareness of security requirements for information handling;
- improve the TRA process and ensure that regular SOS/TRAs are carried out, updated and reported;
- require that a corporate level TRA be carried out to investigate and document departmental level risks and concerns;
- ensure that current operating systems are reviewed for information storage protection requirements;
- improve control over the storage, use and reconciliation of controlled documents.