Internal Audit of PPP Canada’s Information Management, Security and Privacy Processes

Report Summary

The objective of this audit was to provide assurance on the effectiveness of governance, risk management and controls related to Information Management, Security and Privacy (IMSP). In order to complete this audit, the auditors used the guidelines provided in the ISO 27001 standard which is a commonly used tool to assess an organization's ability to meet its information security requirements. In doing so, ISO 27001 provides the requirements for establishing, implementing, maintaining and continually improving an information security management system within an organization.

In 2013, PPP Canada entered into a shared services arrangement with Canadian Commercial Corporation (CCC) to avoid redundant costs and to harness efficiencies through the shared use of a range of corporate services. Under this arrangement, CCC is to establish and maintain capacity sufficient to support both CCC and PPP Canada in the following internal service areas: Information Technology Services (including the internal network and applications) and payroll processing.

The auditors divided the scope of this audit into the following related lines of inquiry:

  1. To ensure an effective IMSP strategic planning process.
  2. To ensure an up-to-date, approved and communicated IMSP policy suite.
  3. To ensure an agreed level of information security and service delivery in line with supplier agreements while ensuring the protection of the organization’s assets that are accessible by suppliers.
  4. To ensure authorized user access and to prevent unauthorized access to systems and services.
  5. To ensure that information receives an appropriate level of protection in accordance with its importance to the organization.
  6. To prevent unauthorized physical access to the organization’s information and information processing facilities.
  7. To ensure integrity and security of the operations of information processing facilities and processes.
  8. To ensure a consistent and effective approach to the detection and management of information security incidents, including communication on security events and weaknesses.

The auditor’s opinion was that some of the key controls surrounding the Corporation’s information management and security processes examined within the scope of the audit are not functioning as intended, resulting in a “Needs Improvement” opinion.

The audit also identified the following areas of strength:

  • An information technology (IT) strategic plan incorporating IT security has been developed for the organization.
  • Effective physical access controls are in place to ensure secure operation of the information security facilities.
  • Staff knowledgeable about information security from previous work experience in the Government of Canada.

The table below presents specific findings from the audit, the auditor’s observations, the potential impact and risk, the recommendation to management as well as management’s response and action plan.

Because of the shared services arrangement with CCC, many of the audit observations are the responsibility of CCC; PPP Canada will monitor their implementation as part of its responsibility under the shared services agreement.

Section A

A1
Observation: PPP Canada has developed a three-year information management and information technology (IM/IT) strategic plan which includes various IT security activities, such as the implementation of a security classification scheme and the performance of threat and risk assessments on a regular basis. However, we did not see any formal update to the management committee on the status or progress of the identified deliverables.

For example, one of the goals identified in the IM/IT strategic plan was to implement the recommendations identified in the Threat Risk Assessment (TRA) report. However, based on our audit, we did not see a formal process to provide progress updates on the identified recommendations and the corresponding management action plans to ensure they were actioned in a timely and effective manner. As a result, we noted that a few of the recommendations identified in the December 2014 Deloitte TRA report had not been fully implemented at the time of our audit. The lack of an implemented remedial action plan in response to the recommendations of the external security assessment performed in 2014 was also highlighted in the Office of the Auditor General (OAG)’s 2015 special exam report.

Impact/Risk: Lack of an effective performance measurement and monitoring process could lead to the organization not following the direction established by the approved IM/IT strategic plan.

Furthermore, not actioning the observations identified in various assessments will continue to expose the Corporation to risks which could impact the integrity, availability and security of its information.

Recommendation: Implement performance measures focused on the priorities and risks identified in the IM/IT strategic plan, and present plan updates and the related performance measures to the management committee and the Board of Directors on a regular basis.

Implement a formal and systematic follow-up process to manage and monitor the status of the observations identified in various assessments, in order to ensure timely and effective implementation and management of the identified risks.

Management Action Plan

Person accountable for completing the management action plan (MAP)
A1 – VP, Finance, Risk and Administration, and CFO
Detail Description of the MAP
PPP Canada agrees with the finding. In order to track performance, PPP Canada will develop a management dashboard to monitor the implementation of the strategic plan as well as other initiatives by CCC’s IT group. The dashboard will also track performance standards outlined in the shared services agreement between PPP Canada and CCC. This dashboard will be presented to the management committee on a quarterly basis as well as at regular meetings between CCC and PPP Canada.
Date MAP will be completed
June 2017
Describe the activities in order to prepare users to accept the changes
PPP Canada will work with the Director of IT at CCC to develop acceptable timelines for implementation of recommendations and initiatives as well as performance standards against which the group will be measured. 
Section B

B1
Observation: A usage policy has not been developed to provide guidance on the use of myKEY, as expected in the Shared Services Canada (SSC) Service Level Agreement.

B2
Observation: The policies do not formalize the requirement to remove access to systems in a timely manner when it is no longer required.

B3
Observation: Although the Information Security Instruction identifies eight different types of records (PROTECTED A, PROTECTED B, PROTECTED C, COMMERCIAL CONFIDENTIAL, HIGHLY SENSITIVE, CONFIDENTIAL, SECRET and TOP SECRET), it does not provide any guidance on the handling requirements for the COMMERCIAL CONFIDENTIAL and HIGHLY SENSITIVE types.

Impact/Risk (B1, B2, B3): An out-of-date or incomplete policy suite could increase the risk of inconsistent, ineffective and inefficient activities which might not be in line with management’s direction for information security in accordance with business requirements, partner expectations and relevant laws and regulations.

Recommendation (B1, B2, B3): Management should review and update the information security policies and instructions with a view to identifying and addressing any gaps, inconsistencies or other improvement opportunities, to ensure consistent and complete application in line with the overall business objectives.

B4
Observation: An essential component of an effective policy suite is an effective and ongoing training program to promote awareness and provide employees with the knowledge necessary to manage information throughout its life cycle.

Although general information security training was held, we did not see any formal training specific to IT security that would raise awareness of the exposures and vulnerabilities in information security as it relates to IT, and of how to respond to and recover from them effectively.

Impact/Risk: Lack of effective IT training will increase the risk that employees will not have the knowledge required to apply the guidelines consistently, in line with management’s direction for information security in accordance with business requirements and relevant authorities.

Recommendation: Management should provide ongoing IT security training and awareness programs to users, based on the updated policies, on topics such as how to identify and respond to malware and viruses, and how to use myKEY to encrypt outgoing emails.

Management Action Plan
Person accountable for completing the MAP
B1, B2, B3, B4 – VP, Finance, Risk and Administration, and CFO
Detail Description of the MAP
PPP Canada agrees with the recommendation and will update policies accordingly. PPP Canada will incorporate IT security training into its IT training program; this information will be communicated to all staff through the “IM Tip of the Month” program.
Date MAP will be completed
PPP Canada will hold a refreshed IT training session by June 2017. 
Describe the activities in order to prepare users to accept the changes
A detailed training module will be developed to highlight the importance of IT security and the risks of security breaches. Through the use of the Human Resources (HR) online platform, staff will be required to answer questions regarding IT security and sign off on having received proper instruction.
Section C

C1
Observation: The IT group is not systematically and proactively involved in the selection and management of IT vendors to ensure that they have incorporated IT and information security controls in all their processes.

Impact/Risk: Increased risk that effective IT and information security controls might not be in place at suppliers that provide IT support, to maintain the availability, integrity and confidentiality of the information.

Recommendation: Involve IT in the selection and management of external IT vendors to help assess whether they have adequate IT security controls, and to ensure adequate IT security provisions are added to vendor agreements and contracts.

C2
Observation: There is no formal process in place to consider what assessments need to be performed (e.g. Privacy Impact Assessment [PIA], TRA and Vulnerability Assessment [VA]) when new or modified IT systems are implemented at the Corporation.

Impact/Risk: Increased risk that effective IT and information security controls might not be in place in IT systems to maintain the availability, integrity and confidentiality of the information.

Recommendation: Implement a formal process to determine what assessments need to be performed (e.g. PIA, TRA and VA) prior to the implementation or modification of IT systems.

C3
Observation: While some vendors offer an audit report on the status of the controls they have in place, the Corporation does not have a formal process to proactively request and review those reports on an ongoing, annual basis. The OAG’s 2015 special exam report also highlighted that the Corporation did not formally document its review of the control reports or its assessment of the controls for which it remained responsible.

Impact/Risk: Increased risk that gaps in the IT and information security controls in place at suppliers will not be identified and corrected in a timely manner.

Recommendation: Implement a formal process to request and review, on an annual basis, the vendor audit reports available on the controls they have in place.

Management Action Plan
Person accountable for completing the MAP
C1, C2, C3 – VP, Finance, Risk and Administration, and CFO
Detail Description of the MAP

PPP Canada agrees with the recommendations.

With respect to observations C1, C2, and C3, these activities form part of the shared services agreement with CCC. While CCC’s IT group is involved with the selection of new vendors, the process is not formally documented. The agreement between PPP Canada and CCC states that CCC should provide advice and recommendations on IT equipment to purchase on request by PPP Canada. Through the use of regular meetings between the groups, PPP Canada will ensure that CCC’s IT group has provided input with respect to new IT services and hardware.

In order to fully utilize the services provided by CCC’s IT group, PPP Canada will develop a dashboard (see response in Section A). Through this dashboard, PPP Canada will ensure that the services outlined in the agreement are provided to the standards prescribed. Any issues with respect to performance will be discussed at regular meetings between the two organizations as well as with PPP Canada’s management committee.
Date MAP will be completed
June 2017
Section D

D1
Observation: Access controls for the network and for applications such as Bamboo (leave management system) and FreeBalance (financial system) are not aligned with the approved System Access and Acceptable Use Policy, as the systems do not force users to change their password every 90 days. Inconsistent application of password requirements was also highlighted in the OAG’s 2015 special exam report.

Impact/Risk: The internal network and applications could become more susceptible to external attacks by unauthorized users, which could compromise the confidentiality and potentially the integrity of the data.

Recommendation: Ensure that all application and system passwords are in line with the password policy requirements identified in the approved System Access and Acceptable Use Policy.

D2
Observation: Some internet-accessible IT services (such as the Wi-Fi) are located directly in the internal PPP Canada network rather than in an intermediary public-access zone (also referred to as a “demilitarized zone” [DMZ]) that would make the internal network less susceptible to external attacks.

Impact/Risk: The internal network and applications could become more susceptible to external attacks by unauthorized users, which could compromise the confidentiality and potentially the integrity of the data.

Recommendation: Review the network IT security architecture and consider moving internet-accessible services to a public-access zone, as recommended in the Communications Security Establishment (CSE)’s guidance ITSG-22.

D3
Observation: The password used to connect to the Wi-Fi network is shared by users and does not expire, making it more difficult to trace user actions. Inconsistent application of password requirements was also highlighted in the OAG’s 2015 special exam report.

Impact/Risk: The internal network and applications could become more susceptible to external attacks by unauthorized users, which could compromise the confidentiality and potentially the integrity of the data.

Recommendation: In line with the System Access and Acceptable Use Policy, strengthen access controls for the Wi-Fi network by changing the shared password on a regular basis.

D4
Observation: Service account (accounts with elevated privileges used by applications) passwords are set to never expire, which is not consistent with the approved corporate policy. Inconsistent application of password requirements was also highlighted in the OAG’s 2015 special exam report.

Impact/Risk: The internal network and applications could become more susceptible to external attacks by unauthorized users, which could compromise the confidentiality and potentially the integrity of the data.

Recommendation: In line with the System Access and Acceptable Use Policy, protect service accounts by manually changing their passwords as required.

D5
Observation: The process to manage user accounts, including shared mailboxes, as people go on vacation or leave is not formally documented, and there is no process to review the accounts of regular and privileged users on a regular (i.e. annual) basis to ensure that the access granted to users remains appropriate. The lack of a formalized user access provisioning and user access review process was also highlighted in the 2014 TRA report.

Impact/Risk: Unauthorized access to information systems, which could compromise the confidentiality and potentially the integrity of the data, due to the lack of a formalized access provisioning and review process.

Recommendation: Document and enable a formal process for managing user accounts as well as shared mailboxes at the Corporation, including a formal process to review and approve user access to all significant applications on a regular basis.
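Findings D1, D4 and D5 above describe checks that a periodic access review would make: passwords older than the 90-day limit, accounts whose passwords are set to never expire, and accounts that nobody has used for a long time. The script below is an added example written for this page, not code from the audit report, PPP Canada or CCC. It assumes account data exported to CSV with the hypothetical column names shown in SAMPLE_EXPORT (a constructed sample), and the dormant-account threshold and review date are assumptions.

```python
"""Periodic account review against the password and access findings (D1, D4, D5).

Added example for this page; it is not code from the audit report, PPP Canada
or CCC. It assumes account data exported to CSV with the hypothetical columns
shown in SAMPLE_EXPORT, and applies three checks: maximum password age of
90 days (D1), no never-expiring passwords (D4), and dormant accounts to be
confirmed during the periodic access review (D5).
"""
import csv
import io
from datetime import date, datetime

MAX_PASSWORD_AGE_DAYS = 90   # the 90-day rotation cited in finding D1
DORMANT_AFTER_DAYS = 90      # assumed threshold for "no recent logon"; tune to the review cycle
AS_OF = date(2016, 4, 5)     # constructed review date matching the sample data below

# Constructed sample export (hypothetical column names); a real export would
# come from the directory service or the application's user administration.
SAMPLE_EXPORT = """\
account,kind,enabled,password_last_set,password_never_expires,last_logon
jdoe,user,true,2016-01-10,false,2016-04-01
asmith,user,true,2015-09-01,false,2016-04-02
svc_backup,service,true,2014-06-15,true,2016-04-02
svc_payroll,service,true,2016-03-01,false,2016-04-02
former_emp,user,true,2015-11-20,false,2015-12-01
hr_shared,mailbox,true,2016-02-01,false,2016-04-02
old_disabled,user,false,2013-01-01,true,2013-06-01
"""


def _parse_date(text):
    return datetime.strptime(text, "%Y-%m-%d").date()


def review_accounts(export_text, as_of):
    """Return (account, code, detail) tuples for every check an enabled account fails.

    Codes: 'never_expires' (D4), 'password_age' (D1), 'dormant' (D5).
    """
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["enabled"].strip().lower() != "true":
            continue  # disabled accounts cannot be used; the review covers enabled ones
        name = row["account"]
        pw_age = (as_of - _parse_date(row["password_last_set"])).days
        idle_days = (as_of - _parse_date(row["last_logon"])).days

        # D4: service (and any other) accounts must not be exempt from expiry.
        if row["password_never_expires"].strip().lower() == "true":
            findings.append((name, "never_expires", "password is set to never expire"))

        # D1: every password, including service-account passwords, rotates within 90 days.
        if pw_age > MAX_PASSWORD_AGE_DAYS:
            findings.append((name, "password_age",
                             f"password last set {pw_age} days ago (limit {MAX_PASSWORD_AGE_DAYS})"))

        # D5: accounts with no recent logon are candidates for removal at the access review.
        if idle_days > DORMANT_AFTER_DAYS:
            findings.append((name, "dormant",
                             f"no logon for {idle_days} days; confirm access is still required"))
    return findings


def summarize(findings):
    """Group findings by account: {account: sorted list of codes}."""
    by_account = {}
    for account, code, _detail in findings:
        by_account.setdefault(account, set()).add(code)
    return {account: sorted(codes) for account, codes in by_account.items()}


def review_sample():
    """Run the checks over the constructed export as of AS_OF."""
    return summarize(review_accounts(SAMPLE_EXPORT, AS_OF))


if __name__ == "__main__":
    for account, code, detail in review_accounts(SAMPLE_EXPORT, AS_OF):
        print(f"{account:<14}{code:<16}{detail}")
```

Run as a script it prints one line per failed check; on the constructed sample, the never-expiring backup service account is reported twice (never expires, and a password far older than 90 days), the former employee's account is reported as both overdue and dormant, and the disabled account is skipped. The review itself is the list of findings handed to the approver; the script only makes the checks repeatable so that the annual review in D5 does not depend on someone remembering to run them by hand.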
Management Action Plan
Person accountable for completing the MAP

D1, D5 – VP, Finance, Risk and Administration, and CFO

D2, D3, D4 – Director, IT, CCC
Detail Description of the MAP

PPP Canada agrees with the recommendations. For observation D1, PPP Canada will work with 3rd party providers in order to implement a required password change that is in line with the Corporation’s policy. For observation D5, PPP Canada currently restricts user access to certain folders of the Electronic Documents and Records Management System (EDRMS); however, with respect to mailbox access, no formal process is in place. PPP Canada will implement a formal process whereby access is granted by the IM/IT manager following approval by the HR Manager. The list of those with access will be reviewed on a semi-annual basis.

With respect to observations D2, D3 and D4, PPP Canada will use the performance dashboard highlighted in Section A to monitor the implementation of these recommendations by CCC.
Date MAP will be completed
June 2016
Section E

E1
Observation: One employee had stored SECRET documents received from other departments in the Corporation’s P3C Docs application, which is not compliant with the Information Security Instruction. The same individual also indicated that at times he would email COMMERCIAL CONFIDENTIAL information to clients unencrypted, since his counterparts do not have any myKEY encryption capability.

E2
Observation: The Information Security Instruction indicates that HR pay and benefit information is to be labelled PROTECTED B. However, based on our reviews and discussions, we noted that, since the inception of ADP as the payroll service provider, the complete set of payroll-related information has been sent outside the Corporation unencrypted, which is not compliant with the Information Security Instruction.

Impact/Risk (E1, E2): If sensitive or personal information does not receive the appropriate level of protection in accordance with its importance to the organization, it could be breached, damaging the Corporation’s reputation and resulting in noncompliance with legislative authorities such as the Privacy Act.

Recommendation (E1, E2): Provide ongoing information security training to users to ensure employees remain compliant with the information security policy and instruction. Consideration should be given to providing a tailored training program for specific units, as each unit has different security requirements.

Consistent with the approved information security policy, management must ensure that all instances of noncompliance are formally documented and approved by the policy owner to ensure adequate transparency and visibility.
Management Action Plan
Person accountable for completing the MAP
E1, E2 – VP, Finance, Risk and Administration, and CFO
Detail Description of the MAP
PPP Canada agrees with the recommendation and has already taken steps to address the transfer of unencrypted HR information between organizations. This information is now sent via myKEY encryption. PPP Canada will also conduct training sessions regarding the transfer of sensitive information between external stakeholders.
Date MAP will be completed
The recommendation regarding HR information has already been rectified. PPP Canada intends to hold IT security training sessions before June 2017. 
Section G

G1
Observation: Although the IT worksheets contain a number of IT security measures, such as changing default passwords, there was no evidence that the Corporation had selected a reputable baseline configuration standard as suggested in the CSE’s bulletin ITSB-110.

Impact/Risk: Increased risk of non-standard configurations, leaving workstations and servers susceptible to unauthorized access or attack with the intent to steal, corrupt or destroy data.

Recommendation: Ensure a proactive and ongoing review and update of the worksheet to incorporate the effective security of servers and workstations. As part of this review, incorporate the security configurations and mitigations recommended in the CSE’s bulletin ITSB-110.

G2
Observation: The current IT worksheet does not provide any guidelines on wiping hard drives before reassigning a workstation to another user. IT staff have confirmed that although they do wipe hard drives, this process is ad hoc and informal and is not always implemented in a systematic manner.

Impact/Risk: This could increase the risk of unintentionally providing unauthorized access to sensitive data or functionality to users.

Recommendation: Formalize the process of wiping hard drives before they are reassigned to another user or disposed of.

G3
Observation: The current worksheets also specify that only the hard drives of laptops and tablets should be encrypted, which is a necessary control considering the higher risk of loss or theft of these mobile devices. However, we did not see the same requirement for fixed workstations. The lack of encrypted hard drives for fixed workstations was also highlighted in the 2014 TRA assessment.

Impact/Risk: Although the risk of loss or theft is lower for fixed workstations, unencrypted hard drives do increase the risk that a person with malicious intent could access, steal or modify sensitive information.

Recommendation: We recommend that management consider encrypting the hard drives of workstations and servers, especially considering that encryption mechanisms are already built into the operating systems of the workstations and servers.

G4
Observation: We noted that even though the IT team has recently started to inventory the workstations, laptops and tablets, the listing does not include encrypted USB sticks.

Impact/Risk: Without an effective process to track encrypted USB sticks, there is a greater risk that data could be compromised if the USB sticks are lost or stolen.

Recommendation: In order to minimize and proactively manage the risk of data loss, ensure that the issuance of all devices is inventoried and recorded for identification and tracking purposes.

G5
Observation: We also noted that even though the Corporation is using encrypted USB sticks to transfer information, the current workstation configuration does not prevent the use of a non-encrypted USB stick.

Impact/Risk: Without an effective control limiting removable storage to the approved encrypted USB sticks, there is a greater risk that data could be compromised if USB sticks are lost or stolen.

Recommendation: Modify the configuration of all end point devices (workstations, laptops and tablets) so that only approved encrypted USB sticks can be used on them.

G6
Observation: Although we were able to confirm that most security patches had been installed, we noted that there was no documented patch management process to ensure that security patches for all servers and workstations are installed in a consistent manner.

Furthermore, we were able to confirm that the backup processes implemented by the IT team were adequate; however, we noted that there was no documented backup process to ensure these activities were done in a consistent manner.

Finally, we were able to confirm that a malware protection process was in place and that there was evidence of active malware monitoring by the IT team; however, we noted that there was no documented malware protection process to ensure malware management was done in a consistent manner.

Impact/Risk: Increased risk that the activities which ensure the security, integrity and availability of information will not be performed in a consistent, efficient and effective manner.

Recommendation: Document all IT security processes, including the patch management, backup and malware protection processes.

G7
Observation: Given the size of the IT network and support staff (five members), there is not always an effective segregation of duties amongst the functions performed within the group.

Impact/Risk: Lack of segregation of duties could increase the risk of intentional or unintentional errors or activities which could have a significant impact on the integrity and confidentiality of the information.

Recommendation: Although effective segregation of duties might not be possible given the size of the team, we recommend that, at a minimum, IT consider having all IT infrastructure changes reviewed by a second person.
Management Action Plan
Person accountable for completing the MAP

G4 – VP, Finance, Risk and Administration, and CFO

G1, G2, G3, G5, G6, G7 – Director, IT, CCC
Detail Description of the MAP

PPP Canada generally agrees with the recommendations. With respect to recommendation G4, however, PPP Canada does not agree with the recommendation. PPP Canada feels documenting USBs would be administratively burdensome.

With respect to recommendations G1, G2, G3, G5, G6 and G7, PPP Canada will use the performance dashboard highlighted in Section A to monitor the implementation of these recommendations by CCC.
Section H

H1
Observation: Although the IT team stated that no significant IT security incident has been identified in recent years, we noted that security reports are reviewed only on an ad hoc and informal basis, and there is no routine and proactive monitoring of the logs produced by servers and security applications with regard to security matters. We also noted that the incident monitoring and detection process is not documented to ensure a consistent and timely response. Formalizing the regular, periodic and consistent monitoring and review of audit logs, as well as the security incident handling process, was also highlighted in the 2014 TRA report.

Impact/Risk: This could increase the risk that attackers operate undetected for extended periods of time on compromised systems to steal, alter or delete information, which could have a significant impact on the Corporation.

Recommendation: Document and formalize the incident management and security monitoring processes, and determine the feasibility of using a tool such as a Security Information and Event Management (SIEM) system to automate the collection and analysis of logs in order to detect potential incidents more efficiently and effectively. The documentation should also include the means for reporting IT security risks, vulnerabilities, incidents, events and mitigation actions, on a timely basis, to those who need to know and take action.

H2
Observation: PPP Canada’s Business Continuity Management Program (BCMP) document is still in draft form and has not been tested.

Impact/Risk: This increases the risk that, in the event of a disaster, IT services and applications will be unavailable for longer than the identified recovery time objectives (RTOs).

Recommendation: Update and approve the BCMP and test its effectiveness on an annual basis.
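Finding H1 turns on the difference between reviewing logs when someone thinks of it and running the same checks over every log, every day, which is what a SIEM automates. The script below is an added illustration written for this page, not code from the audit report, PPP Canada or CCC's IT group. It assumes logon events are available as one key=value line per event (a constructed format; the sample lines are constructed too) and applies two detection rules whose thresholds are assumptions: a burst of failed logons from one source address, and a successful logon from a source that was failing moments before.

```python
"""Routine review of logon events, as the H1 recommendation calls for.

Added example for this page; it is not code from the audit report, PPP Canada
or CCC. It assumes logon events are available as one key=value line per event
(a constructed format; real servers and security applications each have their
own) and applies two rules of the kind a SIEM automates: a burst of failed
logons from one source address, and a successful logon from a source that
was failing moments before.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5               # assumed: failures from one source before alerting
WINDOW = timedelta(minutes=10)   # assumed: sliding window for the burst rule

# Constructed sample events: one password-guessing burst that ends in a success,
# and one ordinary mistyped password.
SAMPLE_LOG = """\
2016-04-05T08:58:10 host=fs01 event=logon_ok user=asmith src=10.0.5.41
2016-04-05T09:01:02 host=fs01 event=logon_failed user=admin src=198.51.100.7
2016-04-05T09:01:05 host=fs01 event=logon_failed user=admin src=198.51.100.7
2016-04-05T09:01:09 host=fs01 event=logon_failed user=admin src=198.51.100.7
2016-04-05T09:01:14 host=fs01 event=logon_failed user=admin src=198.51.100.7
2016-04-05T09:01:20 host=fs01 event=logon_failed user=admin src=198.51.100.7
2016-04-05T09:01:31 host=fs01 event=logon_ok user=admin src=198.51.100.7
2016-04-05T09:15:44 host=fs01 event=logon_failed user=jdoe src=10.0.5.23
2016-04-05T09:16:02 host=fs01 event=logon_ok user=jdoe src=10.0.5.23
"""


def parse_line(line):
    """Parse '<iso timestamp> k=v k=v ...' into a dict with a datetime under 'ts'."""
    timestamp, *pairs = line.split()
    record = dict(pair.split("=", 1) for pair in pairs)
    record["ts"] = datetime.fromisoformat(timestamp)
    return record


def review_log(text):
    """Return a list of alert dicts; one alert per rule per burst, not per line."""
    alerts = []
    recent_failures = defaultdict(deque)  # src -> timestamps of failures inside WINDOW
    burst_reported = set()                # sources already reported for the current burst

    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        src, ts = rec["src"], rec["ts"]
        failures = recent_failures[src]
        while failures and ts - failures[0] > WINDOW:
            failures.popleft()  # expire failures that fell out of the window
        if not failures:
            burst_reported.discard(src)  # a quiet source may be reported again later

        if rec["event"] == "logon_failed":
            failures.append(ts)
            if len(failures) >= FAIL_THRESHOLD and src not in burst_reported:
                burst_reported.add(src)
                alerts.append({"rule": "failed_logon_burst", "src": src,
                               "user": rec["user"], "host": rec["host"],
                               "count": len(failures), "at": ts.isoformat()})
        elif rec["event"] == "logon_ok":
            if len(failures) >= FAIL_THRESHOLD:
                # A success right after a burst is the case that needs a human look.
                alerts.append({"rule": "success_after_failures", "src": src,
                               "user": rec["user"], "host": rec["host"],
                               "count": len(failures), "at": ts.isoformat()})
            failures.clear()
            burst_reported.discard(src)
    return alerts


if __name__ == "__main__":
    for alert in review_log(SAMPLE_LOG):
        print(alert)
```

On the constructed sample the script raises exactly two alerts, both for the admin account from 198.51.100.7: the burst at the fifth failure and the success eleven seconds later. The single mistyped password from jdoe produces nothing, which is the point of a threshold and a window: a review process that fires on every failed logon is soon ignored. The documented process the recommendation asks for would say who receives these alerts, how quickly, and what they do next.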
Management Action Plan
Person accountable for completing the MAP

H2 – VP, Finance, Risk and Administration, and CFO

H1 – Director, IT, CCC
Detail Description of the MAP
PPP Canada agrees with the recommendations. With respect to observation H2, PPP Canada will update and approve the BCMP, and implement simulations to test its effectiveness, at a minimum, on an annual basis and with any changes to the IM/IT infrastructure. The results will be shared with management. With respect to observation H1, PPP Canada will use the performance dashboard highlighted in Section A to monitor the implementation of these recommendations by CCC.
Date MAP will be completed
June 2016