Corporate Audit of Security
Final Summary Report

5.2 MANAGEMENT RESPONSE AND ACTION PLAN (2 of 3)

Table columns: Recommendations | Response | Action Plan and Tasks | Responsibility | Target Dates

Recommendation:

2. The management framework for security should be more integrated between NHQ, the regions and sites to ensure the effective implementation of policies and procedures. Senior management should strengthen the security framework by:

2.1 Ensuring that policy development is improved and that the draft policy is promulgated - this would include promulgation of the IT Security policy, cleaning up or replacing existing intranet sites, and coordinating policy between security elements;

2.2 Ensuring that all responsible organizations develop a plan outlining security objectives and time frames, including improved training;

2.3 Establishing joint security committees (regional/national, regional/regional, security/business) and recording proceedings to share information, action taken, results and “best” security practices.

Response:

CIC agrees that a set of common, clear, comprehensive, communicated and current policies is key to an effective security program. Policies already exist, but awareness and understanding of these policies still need to increase across the organization.

Treasury Board is in the process of revising the standards associated with the revised GSP. CIC will integrate and complete its security policy so that it can adapt to changes in federal government security policies.

CIC will incorporate an appropriate level of security into regular business operations. Staff will work within the parameters of the GSP in the same way that they currently do within those established by the Financial Management Act or the Public Service Staff Relations Act.

Action Plan and Tasks:

2.1 Ensuring that policy development is improved, and that draft policy is promulgated - this would include promulgation of the IT Security Policy, cleaning up or replacing existing Intranet sites, and coordinating policy between security elements

a) Integration

Citizenship and Immigration security policy will be revised to meet the demands of the new GSP and its evolving standards documents. CIC will harmonize all security policy - current status, target state, gap analysis and migration plan - and integrate it within the GSP.

Responsibility: DSO, Corporate Security, HR, IT Security
Target date: End of FY 02/03

b) IT Security Policy and Review

The Information Management and Technologies Branch completed a security policy review on June 28, 2002, and addressed several issues identified in the audit, including:

  • The significant increase in the requirement for more secure electronic communications
  • Improvements needed to manage a changing environment and growing operational reliance on IT
  • Security controls on the local area network appropriate to the sensitivity of stored information
  • Ways to address the lack of a system life-cycle approach for maintenance of security safeguards

The resulting recommendations include the following projects and activities to improve the security of the Department:

  • IT security staffing actions
  • Perimeter security project to augment the protection and privacy of CIC information resources
  • Integration of Continuous Security Risk Management into CIC Project Governance framework
  • Development of Remote Access policy
  • Creation of certification and accreditation procedures for CIC systems
  • Development of CIC IT security standards
  • Implementation of monitoring, audit and intrusion detection
  • Upgrade of IT security awareness program

Task: Revising policy, procedures, governance structure and transition plans
Responsibility: IMTB
Target date: Completed

2.2 Ensuring that all responsible organizations develop a plan outlining security objectives and time frames, including improved training

a) Security Awareness Program

The revised GSP requires departments to set up a security awareness program. CIC will continue to implement its Security Awareness Program. The Operational Corporate Security website will make Corporate Security training modules, manuals and links to other security components available to all CIC employees.

Responsibility: DSO, IMTB, HR, Corporate Security
Target date: Operational Corporate Security website planned for 3rd quarter FY 02/03

2.3 Establishing joint committees (regional/national, regional/regional, security/business) and recording proceedings to share information, action taken, results and “best” security practices

a) Joint Committees

CIC will use the DSMC as the mechanism for identifying and establishing appropriate joint committees.

Responsibility: see 2.2 a)
Target date: see 2.2 a)

b) Incident reporting system

A system has been developed to capture data on incidents. Reports and trend analyses for offices and regions are available, as well as from a national roll-up perspective.

Responsibility: Corporate Security
Target date: Completed
