Corporate Audit of Security
Final Summary Report

5.3 MANAGEMENT RESPONSE AND ACTION PLAN (3 of 3)

Table columns: Recommendations; Response; Action Plan and Tasks; Responsibility; Target Dates
3. Senior management should ensure that security objectives and activities relating to information assets:

3.1 Improve employee awareness of security requirements for information handling;

3.2 Improve the threat/risk assessment process and ensure that regular SOS/TRAs are carried out, updated and reported;

3.3 Require that a corporate-level TRA is carried out to investigate and document departmental risks and concerns;

3.4 Ensure that current operating systems are reviewed for information storage protection requirements;

3.5 Improve control over the storage, use and reconciliation of controlled documents.

Since the audit was conducted, the recommended departmental TRA was initiated and a national physical and information technology survey was completed. The Information Management and Technologies Branch security review completed in June 2002 addresses the identified issue regarding the appropriate design and use of IT systems for protected data.

3.1 Improve employee awareness of security requirements for information handling

a) Introduction of the Immigration and Refugee Protection Act (IRPA).
With the introduction of IRPA, Corporate Security undertook a security review project to normalize the level of security for regional identified positions. Close to 1,500 such positions were reviewed and upgraded to the appropriate level.

  • Responsibility: Corporate Security
  • Target date: Completed
3.2 Improve the threat/risk assessment process and ensure that regular SOS/TRAs are carried out, updated and reported
  • Responsibility: Corporate Security
  • Target date: Last quarter
a) Physical facility TRAs
While physical facility TRA policies are clearly specified, there is inconsistent application across CIC. Some see the process as too complex and not specifically useful. Consequently, the majority of audited sites did not have a recent TRA. The TRA tools will be reviewed for effectiveness and staff will be trained in its use.
  • Responsibility: See above 2.1b
  • Target date: See above 2.1b
b) IT Security TRAs
Only 30% of systems have been reviewed. A comprehensive IT TRA policy will be completed.

c) Continuous risk management
IT Security procedures will address security risk management throughout the system life cycle. This process will be integrated into the overall project management mechanism for CIC.

  • Responsibility: IMTB
  • Target date: December 31, 2002
3.3 Require that a corporate-level TRA is carried out to investigate and document departmental risks and concerns
a) Departmental TRA
CIC is conducting a corporate-level departmental TRA to investigate and document departmental risks and concerns. This is the basis from which low-level TRAs will flow.
  • Responsibility: Corporate Security
  • Target date: Review 3rd quarter FY 02/03
3.4 Ensure that current operating systems are reviewed for information storage protection requirements
a) Enhancement of perimeter security
The Information Management and Technologies Branch is currently engaged in a coordinated effort between IT Security and the IMTB Operations Datacom Group to improve perimeter security around CIC’s computer systems environment.
  • Responsibility: IMTB
b) Information storage protection requirements
IMTB will address the need to ensure that production applications and operating systems meet the Communications Security Establishment guidelines.

3.5 Improve control over the storage, use and reconciliation of controlled documents
a) Controlled forms
A committee chaired by the Director, Information Management, has been established to review and refine policies, procedures and guidelines for the production, distribution, storage, use and tracking of control forms.
Also, a resource has been dedicated to the monitoring of regular reporting requirements for CIC offices and missions with regard to control forms.
In addition, revisions have been made to CIC’s guide on the distribution, storage, use and destruction of control forms. Reporting procedures have also been developed to follow up on discrepancies in this area.

  • Responsibility: HR; Corporate Security; International Region; Domestic Regions; Material Management; Enforcement; Global Case Management System; War Crimes
  • Target date: Ongoing
