Audit of Information Technology Management

Final Report
December 19, 2014

[ * ] An asterisk appears where sensitive information has been removed in accordance with the Access to Information Act and Privacy Act.


Table of Contents

Acronyms Used in this Report
1.0 Introduction
  1.1 Authority
  1.2 Objective
  1.3 Scope
  1.4 Background
  1.5 Approach and Methodology
  1.6 Statement of Assurance
2.0 Audit Conclusion
3.0 Audit Findings and Recommendations
  3.1 IT Management
  3.2 IT Security
  3.3 IT Service, Support, and Delivery Processes
4.0 Management Response
5.0 Management Action Plan
Appendix A - IT Services Program Framework
Appendix B - Audit Criteria and Sources

Acronyms Used in this Report

ADM Assistant Deputy Minister
CIO Chief Information Officer
DSO Departmental Security Officer
IT Information Technology
ITSD Informatics and Technical Services Division
OTRS Open-source Ticket Request System
PCO Privy Council Office
SSC Shared Services Canada

1.0 Introduction

1.1 Authority

The Audit of Information Technology (IT) Management was approved by the Clerk of the Privy Council Office (PCO) as part of the 2013-2016 Risk-Based Audit Plan.

1.2 Objective

The objective of this audit was to provide assurance on the extent to which an effective framework of controls over IT management is in place and managed by PCO to support its business requirements and coordinate IT requirements with Shared Services Canada (SSC).

1.3 Scope

The scope included the framework of controls in place from April 1, 2012 to September 1, 2013 that supported IT management, as well as the internal controls PCO had put in place to manage IT within the department and to coordinate requirements with SSC. The IT management framework used by SSC to deliver IT services to PCO was excluded from the scope.

For the purposes of the audit, IT management was defined as the processes in place to manage IT, deliver services and provide service support. This definition is consistent with the IT Services Program Framework included in the Government of Canada Profile of Information Technology Services (depicted in Appendix A - Figure 1).

1.4 Background

The Clerk’s Twentieth Annual Report to the Prime Minister focused on transforming how the Public Service does business; information technology is an important part of this transformation. IT management is provided by PCO’s Informatics and Technical Services Division (ITSD) which provides IT support, services and solutions: to the Prime Minister’s Office, to PCO, to Commissions of Inquiry and to Ministerial Offices within the Prime Minister’s portfolio. ITSD provides professional informatics services, management, security, advice, guidance and corporate-wide products to assist the Department in fulfilling its mandate.

ITSD has undergone significant changes. In August 2011, the government created SSC and tasked it with the operation of email, data centres and telecommunication services to 43 federal departments and agencies including PCO. SSC brought together people, technology resources and assets to improve the efficiency, reliability and security of the government’s IT infrastructure and to transform how the Government manages its IT infrastructure. As well, internal restructuring and re-organization within ITSD have brought about a number of changes at PCO in the roles, responsibilities and processes used to manage IT and deliver IT services and support.

1.5 Approach and Methodology

During audit planning, risks to IT management at PCO were identified and assessed. Based on this risk assessment, we focused the audit on IT program management processes, as well as on two areas of risk: namely, IT security and PCO’s Helpdesk. Auditors then developed an audit plan which included audit criteria sourced from Treasury Board policies, directives and guidelines (see Appendix B), and obtained management concurrence with these criteria.

Processes to plan and organize IT investments, to implement new projects, to coordinate requirements with third parties, and to monitor and evaluate results were tested. IT security now requires significant coordination among PCO’s Security Operations Division, ITSD and SSC. We reviewed the security program in place at PCO including processes to identify, coordinate and communicate risks. The Helpdesk, which is frontline in PCO’s IT management program, provides IT service support and coordinates service delivery.

The examination phase consisted of an assessment of the governance, risk management and control processes in place to support IT management at PCO. The audit team: interviewed managers, staff, and stakeholders; reviewed projects, controls and process documentation; conducted walk-throughs of the service request logging system (Open-source Ticket Request System - OTRS) as well as the 2013-14 IT investment planning process; and tested service support controls. Two 2013-14 IT investment project files were assessed. A sample of 41 Helpdesk service requests (classified as high or very high priority) was selected judgementally from the 25,601 service requests received by the Helpdesk during the scope of the audit. Audit testing was focused on more complex priority service requests which could involve IT security elements and SSC. The controls in place to communicate requirements, respond to requests, record outcomes and confirm resolution of the requests were tested.

Audit findings were discussed with management and a draft report was prepared and sent by the Chief Audit Executive to the Assistant Deputy Minister (ADM) of Corporate Services for response and development of an action plan to address recommendations (see Sections 4.0 and 5.0). Draft audit reports and management action plans are tabled at PCO’s Audit Committee for review, after which they are jointly recommended to the Clerk of the Privy Council for approval.

1.6 Statement of Assurance

In my professional opinion as Chief Audit Executive, this audit conforms with the Internal Auditing Standards for the Government of Canada, as supported by the results of PCO’s quality assurance and improvement program.

Original signed by:

Chief Audit Executive
Jim Hamer

2.0 Audit Conclusion

PCO’s control framework over IT management features both formal and informal elements which include internal IT management controls, interim measures that define the PCO-SSC relationship, and controls to support the management of business requirements between the departments. The framework has evolved since SSC was created, but related PCO governance documents have not been updated. Through transition, the framework has supported PCO’s day-to-day IT operations, and expectations are it will continue to do so, but opportunities exist to improve controls within the framework so that it would contribute to (a) improved IT management at PCO (e.g. stronger oversight and better IT performance management and reporting) and (b) improved coordination between PCO and SSC (e.g. more coordinated IT investment planning, IT project delivery, and information sharing; and better coordination in managing IT security issues and elements).

3.0 Audit Findings and Recommendations

3.1 IT Management

The IT governance framework in place meets PCO’s day-to-day operational requirements but it has not been updated to align with current IT management, support and service delivery processes.

We reviewed the governance processes used to align IT management activities, priorities and resources to departmental requirements. We assessed the controls in place to identify, monitor and evaluate IT management risks as well as the controls to execute, monitor and report on IT projects. We looked at the processes in place to coordinate decision making and resolve issues with Shared Services Canada. Finally, we evaluated the processes in place to report IT performance to management.

ITSD’s governance and management structure has been changed through internal restructuring and re-organization and through an external transfer of services and responsibilities to SSC. Effective governance processes are key to aligning resources and management activities to operational requirements. The IT governance framework should ensure that structures and processes are in place to provide strategic direction. Performance measures should be used to report to management on the achievement of objectives and on the effectiveness of internal controls.

3.1.1 Governance over IT Management

The roles and information requirements for IT governance committees have not been updated to reflect changes in PCO’s IT environment. In 2012-13, there were three committees with IT management governance roles at PCO: the Executive Committee, the Corporate Management Advisory Committee, and the Joint IT and Security Operations Steering Committee. The Executive Committee exercises overall management and decision making over IT infrastructure and security; however, decisions on PCO’s IT network infrastructure should now be coordinated with and supported by SSC. The Corporate Management Advisory Committee’s role, which is to provide strategic leadership and direction on IT governance while also supporting the Executive Committee, has not been impacted by changes. As well, a Joint IT and Security Operations Steering Committee was established in 2009 to provide direction setting for IT security and a platform for information sharing between the Chief Information Officer (CIO) and the Departmental Security Officer (DSO). However, the operations of the Joint IT and Security Operations Steering Committee were suspended in 2013-14.

PCO has a defined IT management governance framework, which includes documented processes and roles and responsibilities. However, framework processes and related documentation have not been updated to reflect these internal changes and changes resulting from the creation of SSC. PCO employees, whose job functions were identified as being 70% or more responsible for email, data centres, and/or telecommunications, were transferred to SSC in 2012. This resulted in some instances of employees being transferred to SSC while a portion of their responsibilities remained at PCO. In cases where roles and responsibilities have changed and procedures have not been updated, there is a risk that controls may no longer be working as intended. For example, the control requiring IT technicians to close their assigned Helpdesk tickets when completed is no longer effective in the case of IT network technicians who are now SSC employees who no longer use PCO’s Helpdesk reporting system. During the walk-through of the OTRS Helpdesk ticket system, we noted that approximately half of outstanding open service requests were for SSC related tickets. There is also a further risk that responsibilities for PCO’s IT controls and processes have not been clearly communicated and re-assigned to ITSD employees following the creation of SSC.

Recommendation:

  1. The ADM Corporate Services should review IT governance, security, support and delivery processes, and update related documentation taking into account where roles and responsibilities for processes and controls have been revised, re-assigned within PCO, transferred to SSC, or eliminated altogether.

3.1.2 IT Investment Planning and Projects

A clearly defined and communicated IT investment plan that sets the direction for the operations of ITSD is in place. However, PCO has not involved SSC in its IT investment planning which has resulted in a lack of clarity on resource commitments and project implementation timelines. It is not clear to PCO during its investment planning process if extra project funding is required and if resources are available within implementation timelines. SSC announcements on transformation initiatives have occurred after the completion of PCO’s IT investment planning which have necessitated a subsequent re-alignment of project resources within PCO. Further coordination and more timely communication between PCO and SSC during the investment planning process would improve resource management and priority setting.

ITSD has developed standardized templates to document IT projects but this process does not include the requirement to conduct a project security risk assessment. A project security risk assessment identifies the inherent risks, controls and residual risks of an IT project which would be reviewed by IT and the project owner with considerations given to the size and complexity of the project. Two project files were reviewed to assess project management controls but neither file contained evidence of a security risk assessment having been considered or performed. Without project risk assessments, there is a risk that IT project security risks are not being appropriately considered, addressed, mitigated and/or accepted by management. Files were found to otherwise be appropriately documented. Regarding project management, appropriate processes were in place to track projects and report on project completion.

Recommendations:

  2. The ADM Corporate Services should include SSC in PCO’s IT investment planning discussions so that IT investment decisions take into account SSC priorities, timelines, and resource requirements.

  3. The ADM Corporate Services should integrate security requirements into ITSD support and delivery processes including IT projects.

3.1.3 Shared Services Canada

PCO enjoys a good working relationship with both management and IT service counterparts at SSC. Processes in place to coordinate decision making with third party suppliers including SSC and to facilitate the timely resolution of issues are generally effective. In addition to working level meetings, regular meetings are held between the CIO and SSC’s Chief of Infrastructure for PCO. PCO has been given access to SSC’s National Service Desk, which allows PCO technicians and managers to view progress on issues sent to SSC for resolution. Interim protocols and processes are in place to guide PCO during the transition period as SSC works to develop a government-wide approach to client department engagement. A more detailed draft protocol is currently being developed by ITSD.

Both PCO and SSC have recognized coordination in the areas of investment planning (see 3.1.2), security, access to buildings, access to information, and resource requirements as continuing challenges. PCO requires all employees working on-site to have a minimum Secret clearance. While SSC provides PCO with a greater pool of resources to maintain the IT and telecommunication networks, it has been challenging to coordinate in advance with SSC on employee building access, security and information access requirements, particularly in priority situations when critical IT functions are affected. Delays in maintenance and repairs have occurred while access, security, and information requirements are coordinated by PCO and SSC.

Employees transferred to SSC in 2012 included those who supported and maintained the top-secret network. An Order in Council in June 2012 clarified that top-secret networks were exempted from the transfer; however, the employees’ primary duties for network maintenance still fell within the SSC employee transfer requirements. This situation has resulted in PCO’s responsibilities for support and maintenance of its top-secret network being performed by SSC employees through an informal agreement. ITSD does not consider this solution sustainable in the long term.

Recommendations:

  4. The ADM Corporate Services should clearly define in PCO’s operating protocols with SSC suitable notification requirements for items including: security clearance, regular and emergency building access, and information sharing requirements.

  5. The ADM Corporate Services should develop formal arrangements for the sustainable support and maintenance of PCO’s top-secret network.

3.1.4 Monitoring and Performance Reporting

IT management performance, including that of SSC, is not regularly reported to management within ITSD, to Corporate Services or to PCO’s governance committees. ITSD has developed draft performance measures but has not implemented a formal performance monitoring and reporting process. Processes are in place to report on IT projects and IT investment planning; however, most other IT management information is reported informally (e.g. Helpdesk service performance). The lack of performance measurement activities coupled with limited formal reporting on IT service delivery increases decision making risks. For example, the effects of resourcing decisions on Helpdesk performance cannot be clearly assessed because Helpdesk service response times are not routinely tracked and reported (see 3.3.3). Of the Helpdesk tickets reviewed, only half specified a service response time, and of these, only 60% met the response time indicated.

As communication channels and processes change at SSC, there is a risk PCO may not be well informed on the performance of network, security and infrastructure controls. PCO relies on SSC for the completion of critical services such as network security and maintenance, and information back-ups. A more formal process is needed to inform PCO in case of a failure of controls or services.

Recommendation:

  6. The ADM Corporate Services should implement an IT monitoring and performance reporting program that includes regular reporting of ITSD and SSC performance to the Director ITSD/CIO, as well as periodic performance reporting to the ADM Corporate Services and to the Executive Committee.

3.2 IT Security

Controls and processes for IT security are not effectively integrated into IT support and delivery processes.

We reviewed the policies and procedures, roles, responsibilities and accountabilities established for IT security. We assessed control processes in place to monitor IT security and to identify, prioritize and report risks. We assessed the extent to which security processes had been integrated into IT support and delivery processes.

IT security policies and procedures protect departmental information, programs and resources from internal and external threats. Clear roles and responsibilities are necessary to assign authorities, tasks, and reporting requirements among ITSD, Security Operations and SSC. Regular security processes including threat and risk assessments, certification and accreditation activities, system and network monitoring, authentication, and the use of access controls are used to prevent, identify and detect vulnerabilities. As a critical part of any IT management program, IT security must be integrated into support and service delivery procedures to address emerging risks in the changing IT environment.

3.2.1 Policies and Procedures

A framework of security related policies is in place, which outlines general responsibilities and requirements, but procedures to execute these security requirements are not clearly defined and communicated. Some IT security processes have been documented but remain in draft form and have not been communicated with employees. Examples include PCO’s ‘IT Security and Risk Management Certification and Accreditation Guidelines’ (draft 2007) and PCO’s ‘Information Technology Incident Management Plan’ (draft 2011).

Other operational security controls are in place but are not reflected in process documentation. PCO has an IT security awareness program to educate users, which is supplemented by Helpdesk procedures that remind users of PCO’s IT requirements (e.g., the use of only PCO issued devices on the network). Processes are in place to coordinate security patches and updates with SSC and security assessments and authorizations are conducted before users are given access to IT networks.

The lack of a more formalized overall IT security program has resulted in information gaps and security requirements not being effectively integrated into IT support and delivery processes. For example, while PCO and SSC have put in place extensive IT continuity procedures and disaster recovery processes, we could not find evidence of a formal documented IT disaster recovery plan. An IT disaster recovery plan is needed to efficiently and effectively restore critical IT services in an emergency situation. A documented plan is required to clearly communicate PCO’s recovery requirements to IT employees (both at PCO and SSC) as the availability of all key employees in an emergency situation cannot be guaranteed.

See recommendations #1 and #3.

3.2.2 Roles and Responsibilities

Communication and cooperation are key to effective IT security. Responsibilities for IT security at PCO are now shared among ITSD, Security Operations and SSC (e.g., IT continuity management and disaster recovery). Significant changes in roles and responsibilities for IT security have occurred as a result of the transfers to SSC, strategic operating reviews, and the suspension of the IT and Security Operations Steering Committee. PCO recently staffed the new Information Systems (IS) Security Coordinator who works with SSC to identify and resolve IT security risks. This new position has security monitoring and reporting responsibilities to both PCO’s DSO and CIO. The changes in roles and responsibilities, in addition to the informal security processes, have resulted in gaps in controls. For five months (April to August 2013) from the time the Joint IT and Security Operations Steering Committee ceased meeting until the new Information Systems Security Coordinator position was filled, there was no formal process in place to coordinate security requirements between the CIO and the DSO.

See recommendation #1.

3.2.3 Internal and External Security Monitoring and Controls

PCO relies on external IT security monitoring provided by SSC and by the Communications Security Establishment Canada. These organizations monitor PCO’s network, detect risks, identify threats and provide external monitoring reports to PCO’s Information Systems Security Coordinator for resolution, who in turn reports the results of external monitoring and resolution to the CIO and DSO.

There are no regular internal PCO processes to identify vulnerabilities and report them to the Information Systems Security Coordinator and the CIO. [*] As well, the Helpdesk’s role in reporting IT security incidents is not clearly defined (see 3.3.2). There are requirements for ITSD to report certain IT security incidents to the DSO; however, it is not clear what incidents should be reported.

Recommendation:

  7. The ADM Corporate Services should ensure that the CIO in coordination with the DSO and the Information Systems Security Coordinator, develop and communicate guidelines and standard operating procedures for the identification, communication, response, recovery and reporting of internal IT security incidents.

3.3 IT Service, Support, and Delivery Processes

Effective processes are in place to provide operational client support services and resolve IT problems; however, there are limited formal controls in place to identify, report, and manage IT incidents and to provide oversight on PCO’s Helpdesk.

We assessed whether the responsibilities of PCO’s Helpdesk have been clearly defined and communicated and whether effective lines of communication and reporting have been put in place. We examined the effectiveness of the processes and controls for incident and problem management in place at PCO. We verified the effectiveness of oversight, monitoring and reporting controls over Helpdesk processes. Key operating controls in the Helpdesk’s service processes include: identifying the service or support required, communicating the right information to the appropriate individual(s), resolving requests within ITSD’s service standards, documenting the resolution, confirming that the request has been resolved, and marking the request as having been completed.

Service desk management within ITSD is provided by PCO’s Helpdesk. The Helpdesk provides frontline support services to the Prime Minister’s Office, to all branches of PCO, to all Ministerial offices within the Prime Minister’s portfolio and to Commissions of Inquiry. Users request services and report problems either directly by phone, by email or in person. The Helpdesk plays a key role in keeping PCO’s distributed computing network functioning by relaying information to and from third parties (such as SSC to resolve network issues), by fulfilling service and support requests, by resolving problems, and by reporting IT incidents. During the audit’s scope (April 2012 to September 2013) in excess of 25,000 requests were logged by the Helpdesk in the OTRS system.

3.3.1 Helpdesk Management and Client Support Services

The Helpdesk has effective controls in place to provide IT support and services to its clients. Business processes for routine service requests and problems are outlined in a document which has been maintained but not updated to reflect new PCO processes and those transferred to SSC. Guidance exists which outlines services within or outside SSC’s responsibilities, and SSC’s service levels and priority settings. The OTRS system allows clear and effective lines of communication and reporting for IT support services. Service requests were, in general, dealt with promptly and sent to an appropriate individual(s) for resolution. With the exception of one transaction reviewed, service requests were referred to SSC when required. The majority of service requests reviewed were resolved the same day the request was received.

3.3.2 IT Incident and Problem Management

“Incident management aims to restore normal service operation as quickly as possible and minimize the adverse effect on business operations. Problem management aims to resolve the root causes of incidents and thus to minimize the adverse impact of incidents to operations.”1

The ITSD Helpdesk has appropriate controls in place to manage problems and resolve incidents. Service requests are documented and recorded in the OTRS system from the time a service request is reported to the Helpdesk until it has been resolved by a technician. Various Helpdesk tickets can be linked together to identify trends. Of the 41 tickets reviewed, 38 of 41 had been resolved and marked as closed in the OTRS system at the time of our audit examination. There was appropriate documentation to support resolution of the service request on 34 of the 38 closed tickets.

Helpdesk IT security incident reporting processes are not clear. Reportable incidents may include any events which affect the confidentiality, integrity, or availability of an information system, including components, or an event or collection of events which may violate information systems policies2. For example, if a client has lost an IT device, PCO’s policy requires the client to report the loss to the IT Security Coordinator. Should the client instead report the loss to the Helpdesk and request a new device, the Helpdesk would record the request for the new device, but it is not otherwise required to confirm with the IT Security Coordinator that the lost device has been reported as a security incident. There is therefore a risk that not all internal IT security incidents reported to ITSD are being communicated to Security Operations.

One IT service request reviewed involved an IT security incident where information had been lost due to a back-up failure. SSC, which is responsible for information back-ups, did not have a regular IT incident reporting process for PCO in place at the time. SSC has since put in place detailed IT incident reporting procedures to notify ITSD. It was not clear from the information recorded in PCO’s OTRS if this IT security incident was reported internally.

See recommendation #7.

3.3.3 Monitoring and Oversight

There is no regular monitoring of open service requests by Helpdesk management to ensure that issues have been resolved, service levels are being met, solutions are being documented and service requests are being closed. Service response times have been established in the OTRS system but are not regularly used when tickets are created. Performance measurement criteria have also been established; however, they are not being used to measure performance and report to ITSD management. ITSD managers instead rely on reporting by users and technicians to ensure that services are meeting client expectations. The completion status of service requests was not consistently updated by IT technicians: of the 41 high or very high priority tickets reviewed, three remained open as of December 2013. PCO’s OTRS ticket system is not being leveraged to support effective performance measurement and reporting.

See recommendation #6.
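The oversight checks described in 3.3.3 (open tickets, response targets met, documented resolutions) and the escalation gap described in 3.3.2 (a security-relevant request such as a lost device logged at the Helpdesk but never confirmed with Security Operations) can both be run mechanically over a ticket export. The following Python script is an added illustration, not PCO's or OTRS's own tooling: the field names, the set of security-relevant categories and the six sample tickets are all constructed for the example, and a real run would read the same fields from an OTRS export instead.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Ticket categories treated as potential IT security incidents that should carry
# a Security Operations incident reference. Constructed list for the example.
SECURITY_CATEGORIES = {"lost_device", "backup_failure", "malware", "unauthorised_access"}

# Open tickets older than this are flagged for management follow-up (assumed threshold).
STALE_AFTER = timedelta(days=30)


@dataclass
class Ticket:
    """Hypothetical OTRS-style ticket; field names are assumptions, not OTRS's schema."""
    ticket_id: str
    priority: str                          # e.g. "high", "very high"
    category: str
    assigned_org: str                      # "PCO" (ITSD technician) or "SSC"
    created: datetime
    response_target: Optional[timedelta]   # service response time set at creation, if any
    first_response: Optional[datetime]
    closed: Optional[datetime]
    resolution_notes: str                  # evidence supporting resolution
    security_incident_ref: Optional[str]   # Security Operations incident record, if reported


def _dt(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed sample data covering the cases the audit describes.
SAMPLE_TICKETS: List[Ticket] = [
    Ticket("T1", "high", "password_reset", "PCO", _dt("2013-05-01 09:00"), timedelta(hours=4),
           _dt("2013-05-01 10:00"), _dt("2013-05-01 11:00"), "Password reset, user confirmed.", None),
    # Lost device: replacement issued, but no security incident reference recorded.
    Ticket("T2", "very high", "lost_device", "PCO", _dt("2013-05-03 09:00"), timedelta(hours=2),
           _dt("2013-05-03 12:00"), _dt("2013-05-03 14:00"), "Replacement laptop issued.", None),
    # Referred to SSC, never closed in OTRS.
    Ticket("T3", "high", "network_outage", "SSC", _dt("2013-06-10 08:00"), None,
           _dt("2013-06-10 10:00"), None, "", None),
    # Back-up failure reported to Security Operations, but closed without resolution notes.
    Ticket("T4", "high", "backup_failure", "SSC", _dt("2013-07-15 08:00"), None,
           None, _dt("2013-07-20 16:00"), "", "SEC-2013-017"),
    Ticket("T5", "very high", "network_outage", "SSC", _dt("2013-08-01 09:00"), timedelta(hours=1),
           _dt("2013-08-01 09:30"), None, "Referred to SSC National Service Desk.", None),
    Ticket("T6", "high", "software_install", "PCO", _dt("2013-09-01 09:00"), None,
           _dt("2013-09-01 09:40"), _dt("2013-09-01 10:00"), "Installed and verified.", None),
]
AS_OF = _dt("2013-12-01 00:00")


def oversight_report(tickets: List[Ticket] = SAMPLE_TICKETS, as_of: datetime = AS_OF) -> Dict:
    """Summarise the Helpdesk oversight controls the audit tested (see 3.3.3)."""
    closed = [t for t in tickets if t.closed is not None]
    documented = [t for t in closed if t.resolution_notes.strip()]
    with_target = [t for t in tickets if t.response_target is not None]
    met = [t for t in with_target
           if t.first_response is not None and t.first_response - t.created <= t.response_target]
    open_by_org: Dict[str, int] = {}
    for t in tickets:
        if t.closed is None:
            open_by_org[t.assigned_org] = open_by_org.get(t.assigned_org, 0) + 1
    stale = [t.ticket_id for t in tickets if t.closed is None and as_of - t.created > STALE_AFTER]
    return {
        "total": len(tickets),
        "closed": len(closed),
        "closed_with_documentation": len(documented),
        "response_target_set": len(with_target),
        "response_target_met": len(met),
        "open_by_org": open_by_org,
        "stale_open": stale,
    }


def unescalated_security_tickets(tickets: List[Ticket] = SAMPLE_TICKETS) -> List[str]:
    """Security-relevant tickets with no Security Operations incident reference (see 3.3.2)."""
    return [t.ticket_id for t in tickets
            if t.category in SECURITY_CATEGORIES and not t.security_incident_ref]


if __name__ == "__main__":
    for key, value in oversight_report().items():
        print(f"{key}: {value}")
    print("security tickets not escalated:", unescalated_security_tickets())
```

Run as a script it prints the per-metric counts and the unescalated ticket list; run periodically it gives Helpdesk management the regular monitoring the finding says is missing, and the unescalated list is the cross-check with the IT Security Coordinator that the lost-device scenario in 3.3.2 calls for. The stale-ticket threshold and the category list are the two values a department would tune to its own service standards.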

4.0 Management Response

Management accepts this report and will oversee the implementation of its recommendations.

5.0 Management Action Plan

Audit of IT Management

Recommendation 1: The ADM Corporate Services should review IT governance, security, support and delivery processes, and update related documentation taking into account where roles and responsibilities for processes and controls have been revised, re-assigned within PCO, transferred to SSC, or eliminated altogether.
Response and Planned Actions: Management agrees with the recommendation. PCO will implement the necessary governance with SSC and update the associated Policies and Procedures.*
Responsibility: CIO
Due Date: Governance - Complete; Policy Analysis - Complete; Policy and Process Implementation - March 2017*

Recommendation 2: The ADM Corporate Services should include SSC in PCO’s IT investment planning discussions so that IT investment decisions take into account SSC priorities, timelines, and resource requirements.
Response and Planned Actions: Management agrees with the recommendation and will develop and implement the necessary strategic plans and governance in alignment with TBS and SSC processes.
Responsibility: CIO
Due Date: Complete

Recommendation 3: The ADM Corporate Services should integrate security requirements into ITSD support and delivery processes including IT projects.
Response and Planned Actions: Management agrees with the recommendation. PCO will update the Project Management Framework, will create a Departmental Security Profile and implement the associated security controls.*
Responsibility: CIO
Due Date: Project Management Framework - Complete; Security Profile - December 2015; Security Controls - March 2017*

Recommendation 4: The ADM Corporate Services should clearly define in PCO’s operating protocols with SSC suitable notification requirements for items including: security clearance, regular and emergency building access, and information sharing requirements.
Response and Planned Actions: Management agrees with the recommendation. PCO and SSC will develop Standard Operating Procedures governed by an MOU.
Responsibility: CIO, DSO
Due Date: Requirements Statement - December 2015; Standard Operating Procedures - March 2016; Memorandum of Understanding - April 2016

Recommendation 5: The ADM Corporate Services should develop formal arrangements for the sustainable support and maintenance of PCO’s top-secret network.
Response and Planned Actions: Management agrees with the recommendation and will work with CSE, through a contractual relationship, on an analysis of the current environment and a recommended strategic approach.*
Responsibility: CIO
Due Date: Option analysis and recommendation - December 2015; Implementation - TBD*

Recommendation 6: The ADM Corporate Services should implement an IT monitoring and performance reporting program that includes regular reporting of ITSD and SSC performance to the Director ITSD/CIO, as well as periodic performance reporting to the ADM Corporate Services and to the Executive Committee.
Response and Planned Actions: Management agrees with the recommendation. PCO will develop an IT monitoring and reporting practice.*
Responsibility: CIO
Due Date: Governance for Monitoring and Reporting - Complete; Monitoring and Reporting Scheme - December 2016*; Implementation Plan for Monitoring Tool - TBD as it will leverage the SSC Enterprise approach

Recommendation 7: The ADM Corporate Services should ensure that the CIO in coordination with the DSO and the Information Systems Security Coordinator, develop and communicate guidelines and standard operating procedures for the identification, communication, response, recovery and reporting of internal IT security incidents.
Response and Planned Actions: Management agrees with the recommendation and will implement it by developing an Incident Management Plan with associated Operating Procedures and Processes.*
Responsibility: CIO
Due Date: Incident Management Plan - December 2015; Update Standard Operating Procedures and Processes - March 2017*

*The pace of implementation is subject to the availability of funding.

Appendix A - IT Services Program Framework

Figure 1 - Process Model for the Government of Canada’s IT Services Program Framework [3]

Appendix B - Audit Criteria and Sources

Audit Criteria

Line of Enquiry 1: An effective IT governance framework is in place to align IT management, support and service delivery with operational needs.

Audit Criteria

An IT governance framework is in place which includes structures, processes, leadership, roles and responsibilities.

PCO has a clearly defined and communicated IT Plan to align IT activities, priorities and resources with PCO's mandate.

PCO has controls in place to identify, monitor and evaluate risks to IT support and service delivery.

Processes are in place to coordinate decision making with third party suppliers and facilitate the timely resolution of issues.

IT management performance is reported regularly to senior management.

Line of Enquiry 2: Effective processes and controls are in place over IT Security.

Audit Criteria

An IT security framework is defined, established and aligned with the IT governance framework and control environment.

There is an overall IT security plan in place that considers the IT infrastructure and the security culture of PCO. Security procedures are aligned with policies and procedures.

Roles, responsibilities and accountabilities for IT security are established and communicated.

The IT security control environment is continuously monitored. Vulnerabilities associated with IT infrastructure, sensitive information and IT employees are identified, prioritized and managed; results are reported to senior management.

IT security requirements have been integrated into IT support and delivery processes.

Line of Enquiry 3: Effective processes and controls are in place to provide client support services, troubleshoot problems and manage incidents.

Audit Criteria

Authorities, responsibilities and accountabilities related to IT client support services are defined and communicated.

An organizational structure exists that permits clear and effective lines of communication and reporting in support of IT support services.

Established oversight, monitoring and reporting functions for IT support services exist.

Processes and controls for effective Incident and Problem Management are in place.

Criteria Sources

The following sources were used to develop the audit criteria used during the conduct phase of the audit:

  • Treasury Board Secretariat:
    • Audit Criteria related to the Management Accountability Framework: A Guide for Internal Auditors
    • Policy on Government Security
    • Operational Security Standard: Management of Information Technology Security
    • Policy on Management of Information Technology
    • Directive on the Management of Information Technology
    • Directive on Internal Support Services
  • Control Objectives for Information Technology

Other guidance used as background information includes:

  • Treasury Board Secretariat:
    • An Enhanced Framework for the Management of Information Technology Projects
    • Profile of Government of Canada Information Technology Services

Endnotes

  1. Information Technology Infrastructure Library - Definition of Problem Management and Incident Management.
  2. Government of Canada’s Information Technology Incident Management Plan.
  3. Government of Canada Profile of Information Technology Services.