Audit of Access to the Corporate Management System. Audit Report
Project Number: 19010/10-11 SP E
March 2012

Paper ISBN: Cat. No.: HS28-202/2012E
PDF ISBN: Cat. No.: HS28-202/2012E-PDF
Table of Contents

EXECUTIVE SUMMARY
1.0 BACKGROUND
  1.1 Context
  1.2 Risk Environment
  1.3 Audit Objective
  1.4 Scope
  1.5 Methodology
2.0 AUDIT FINDINGS
  2.1 Insufficient governance supporting CMS user access management
  2.2 Controls related to the user access management lifecycle are not adequately applied
  2.3 No departmental risk management process exists for CMS
3.0 CONCLUSION
4.0 STATEMENT OF ASSURANCE
APPENDIX A: Audit Criteria
APPENDIX B: Glossary
APPENDIX C: Definitions
APPENDIX D: CMS User Access Information
EXECUTIVE SUMMARY

The Corporate Management System (CMS) is a large-scale enterprise management system, built, maintained and used by Human Resources and Skills Development Canada (HRSDC) to support its business environment. CMS is made up of eleven modules and more than 350 different screens. The main groupings are: Human Resources (HR), Control Data, Security, Administration Operations and Maintenance Transaction Module (OMTM) and Finance.

CMS users fall into two groups. The first includes all 26,000 HRSDC employees, who can access CMS through the Paperless Office to input and view leave balances, and to enter related personal information. The second group includes approximately 6,000 [1] active users who access the system through modules and screens to process financial and HR transactions. For this audit, we reviewed the user access management of the second group of users.

The information contained in CMS is a valuable departmental asset. User access management is more than just an Information Technology (IT) function, as it affects every aspect of the Department by providing an overall and integrated approach to security, departmental business and practices. User access management and privileged user management ensure that the right access to information is available to authorized users and denied to unauthorized users, as part of an effective, efficient Identity and Access Management (IAM) lifecycle.

The System is Evolving

HRSDC is preparing to replace CMS with a current, industry-standard enterprise resource planning (ERP) system. This initiative is in the planning stage and will not immediately address current vulnerabilities raised by the Office of the Auditor General (OAG), previous internal audit reports or other reviews commissioned by the Department. This audit will help HRSDC gain further understanding of the current IAM vulnerabilities, and inform the next phase of ERP.

Audit Objective

The objective of the audit is to assess the adequacy of the management control framework as it is applied to safeguard access to HRSDC's Corporate Management System information assets. More specifically, the audit will determine if:
- CMS governance and oversight, as it applies to access, is adequate and effective in supporting its activities;
- controls are designed and applied consistently to safeguard access to information assets; and
- risks related to access have been identified, assessed and mitigated.

[1] User access information can be found in Appendix D.

Internal Audit Services Branch, HRSDC

Summary of Key Findings

Overall, we found that there was insufficient infrastructure, standardized practices and procedures to provide adequate governance. Governance is ad hoc and employees are managing intuitively. The Department is granting access to CMS without adequately managing the system's user access lifecycle based on the least-privilege principle and the need-to-know.

[Protected]

There is little to no oversight to ensure that managers are fulfilling their responsibilities as set out in Treasury Board Secretariat (TBS) and HRSDC policies and guidelines. With regard to CMS, the Department is not in compliance with TBS policies such as the Policy on Privacy Protection, the Government Security Policy and the Operational Security Standard: Management of Information Technology Security (MITS). An effective risk management process is not in place to continuously manage security risks to CMS information assets.

Audit Conclusion

The audit concluded that the current CMS control framework and its related system of controls and risk management practices are not adequate in safeguarding access to its information assets. Although weaknesses have been identified that require management attention, the issues are considered moderate, as access to CMS is limited to HRSDC's internal network. It is also important to note that improvements should focus on the Identity and Access Management lifecycle rather than on the system itself, as CMS will soon be replaced by an industry-standard ERP system.
Summary of Recommendations

- Innovation, Information and Technology Branch (IITB), in consultation with Chief Financial Officer Branch (CFOB) and Human Resources Services Branch (HRSB), should develop and implement a comprehensive IAM strategy to address current weaknesses, to provide guidance and to standardize access management practices.
- CFOB and HRSB, in consultation with IITB, should develop and implement a centralized privileged user management (PUM) process, as an important element of the Department's overall IAM strategy.
- CFOB and HRSB, in consultation with IITB, should remind all managers and authorized requestors who are approving access to CMS of their roles, responsibilities and accountabilities associated with user access management.
- CFOB and HRSB, in consultation with IITB, should undertake the following activities to mitigate some of the risks identified during the audit:
  - develop a process to manage temporary personal record identifiers (PRIs) and perform a review of the current (active) temporary PRIs;
  - reuse the same usercode instead of creating a new one each time a request for access is granted;
  - [Protected]
  - determine who should have access to the system and communicate decisions to the appropriate parties; and
  - request that managers review and update employee access based on the least-privilege principle and the need-to-know.
- CFOB and HRSB should determine what level of CMS risk assessment is required to safeguard CMS as it continues to support the Department's business environment over the next few years while ERP is being implemented.

Original signed by:
Vincent DaLuz, CA, CIA
Chief Audit Executive
Department of Human Resources and Skills Development Canada

Audit Team Members

Senior Director - Brigitte Marois, CGA, CMA
Giuseppe Tartaglia, CGAP, CISA
Mary Lou Sauriol
Sébastien Pilote
Amanda Elliott
1.0 BACKGROUND

1.1 Context

The Audit of Access to CMS was included in the approved Risk-Based Internal Audit Plan. It is important to note that this audit was underway before the announcement of Shared Services Canada.

CMS is a large-scale enterprise management system, built, maintained and used by HRSDC to support its business environment. CMS is made up of modules; the main groupings are: HR, Control Data, Security, Administration OMTM and Finance. CMS users fall into two groups: all 26,000 HRSDC employees can access CMS through Paperless Office to input and view leave balances, and to enter related personal information; approximately 6,000 [2] active users access CMS through modules and screens to process financial and HR transactions. For this audit, we reviewed the user access management of the second group of users.

User Access Management Defined

User access management is the process of managing who has access to what information over time. It is more than an IT function, as this process affects every business practice throughout the Department. HRSDC currently manages approximately 6,000 users with access rights and a variety of permissions to perform specific departmental activities within CMS. User access management answers the following: Who are you? What can you do? What did you do?

A user's role changes over the course of employment; this may include promotion, demotion, changes in business roles, moves to different branches and departure. Users can also accumulate access privileges over time, and as such strong user access management practices are required to manage the entire lifecycle in order to safeguard information.

The key success factor of user access management is involvement and commitment from the appropriate stakeholders. Senior management, managers and employees are all responsible for the privacy and security of the Department's information assets.

[2] User access information can be found in Appendix D.

The System is Evolving

The Department is preparing to replace CMS with industry-standard technology endorsed by TBS (PeopleSoft to replace HR modules and SAP [3] to replace finance modules). IITB is currently planning to deliver an IAM strategy as an automated service for over 120 applications, including CMS. These initiatives are in various stages of planning and will not immediately address current vulnerabilities raised by the OAG, previous internal audit reports and other reviews commissioned by the Department. Therefore, it is important that HRSDC gain an understanding of the current deficiencies in order to course correct and to bring this knowledge into the next phase of these initiatives.

1.2 Risk Environment

When it comes to IT security, one of the weakest links [4] is IAM. [5] Often the focus of user access management is to quickly provide employees with the access they require to perform their duties. However, just as important is removing this access when it is no longer appropriate or necessary (based on the least-privilege principle [6] and the need-to-know [7]).

CMS data is subject to privacy and confidentiality regulations. A lapse in security controls could constitute a high risk to the Department. The potential deficiencies centre on how the […]

Personal information

Personal information includes any factual or subjective information, recorded or not, about an identifiable individual. This includes information in any form, such as:
- age, name, identification numbers, income, ethnic origin, or blood type;
- opinions, evaluations, comments, social status, or disciplinary actions; and
- employee files, credit records, loan records, medical records, existence of a dispute between a consumer and a merchant, intentions (for example, to acquire goods or services, or change jobs).
Personal information does not include the name, title or business address or telephone number of an employee of an organization. (Privacy Act, Section […])

[3] The name SAP stands for Systems, Applications and Products in Data Processing.
[4] The Fundamentals of Identity and Access Management, article published in the Internal Auditor Journal of the Institute of Internal Auditors, April […].
[5] IAM is a comprehensive set of business processes and supporting infrastructure for creating and maintaining digital identities and providing efficient, secure and documented access to applications, […], printers and the organization's internal network.
[6] The least-privilege principle: to provide the minimum level of access to a user in order to complete their business roles (giving a user only those powers which are absolutely essential to do his/her work).
[7] The need-to-know: takes the least-privilege principle one step further, by providing access to systems and information only where there is a need for the user to have such access at that time.
[Protected]

The potential impacts of unauthorized access include:
- the Deputy Minister and Departmental Security Officer may be held accountable for policy non-compliance;
- reputational damage may result from the loss of information confidentiality, integrity and availability;
- the Department may not be able to adequately demonstrate that it has satisfactorily discharged its responsibilities regarding Stewardship, Information Management and Controls; and
- inappropriate disclosure may result in legal penalties in the event of an offence. [8]

1.3 Audit Objective

The objective of the audit is to assess the adequacy of the management control framework as it is applied to safeguard access to HRSDC's Corporate Management System information assets. More specifically, the audit will determine if:
- CMS governance and oversight, as it applies to access, is adequate and effective in supporting its activities;
- controls are designed and applied consistently to safeguard access to information assets; and
- risks related to access have been identified, assessed and mitigated.

1.4 Scope

The audit assessed the internal control framework, business processes, and operational procedures to ensure that unauthorized access to CMS is prevented. This audit engagement focused on selected components within the IAM lifecycle process that apply strictly to the non-technological [9] aspects of CMS user access management. Furthermore, the scope of the audit did not include access privileges granted to processes and programs that interface with CMS, nor any forensic analysis of information breaches.

[8] Department of Human Resources and Skills Development Act (2005, c. 34), Part 4, Protection of Personal Information.
[9] The focus is on the business processes of user access management and not the system currently in use (i.e. CMS).

1.5 Methodology

The audit team examined the CMS control framework, the related processes and guidance documents. The audit team interviewed key departmental personnel at National Headquarters (NHQ) and in selected regions (Moncton, Belleville and Montreal). The team also analysed computer-generated reports from the Electronic Document System (EDS) in order to review CMS access. The audit team also researched and reviewed information from the web on IT governance, IAM, audits conducted by other federal departments and white papers from a variety of sources, in order to provide best practices to the appropriate stakeholders.
2.0 AUDIT FINDINGS

2.1 Insufficient governance supporting CMS user access management

The audit team did not find that the Department had the infrastructure, standardized practices and procedures in place to effectively and efficiently manage user access in CMS.

Analysis

In assessing CMS governance, we expected to find the following key elements:
- The HRSDC Control Framework for CMS is compliant with TBS policies and directives.
- User access management is included in the control framework and is aligned to ensure that management monitors progress and has in place a continuous improvement plan.
- The roles, responsibilities and accountabilities are clearly defined, delegated and communicated.

The current control framework has not evolved to keep pace with the continuously changing environment of the Department or with TBS policies. Governance is ad hoc and employees are managing intuitively, with the emphasis on granting access to the system rather than managing the entire user access lifecycle. CMS is being managed informally, without standardized processes, and employees are creating their own user access procedures as they have not received guidance from NHQ. However, CFOB has since advised the audit team that they are currently working on initiatives to address these issues.

The only document provided to the audit team to describe CMS governance was a draft version of the CMS Control Framework, last updated in […]. The document was not approved or endorsed by the Department, nor were its contents appropriately communicated to stakeholders. In more than 30 interviews, only three individuals indicated they were aware of the framework. All three stated that the framework was outdated and not in use. Furthermore, IITB has developed a Policy on IT Security Management that describes the overall roles and responsibilities of all employees in the Department as they pertain to IT security. The majority of interviewees were also not aware of this policy.

Outdated and unsanctioned, the CMS Control Framework is not compliant with TBS policies such as the Policy on Government Security [10] and the Policy Framework for Information and Technology. [11] Both state that Deputy Heads are responsible for ensuring that IT activities are effectively managed by having clearly defined governance, accountabilities and defined objectives that are aligned with departmental and government-wide policies and priorities. The policies also indicate that performance must be monitored, assessed and reported on to help ensure objectives are being met.

We could not locate a memorandum of understanding describing the roles and responsibilities of CFOB and HRSB in managing CMS. Moving forward, as the Department transitions from CMS to an ERP solution, it will be indispensable for business owners to establish and document their roles, responsibilities and accountabilities. As CMS will eventually be decommissioned in favour of ERP technology (PeopleSoft for HRSB, and SAP for CFOB), there is no value added in updating the current governance framework. However, it would be advisable that HRSB, CFOB and IITB develop a management control framework for the ERP solution.

2.2 Controls related to the user access management lifecycle are not adequately applied

The Department is not adequately managing the CMS user access lifecycle based on the least-privilege principle and the need-to-know.

[Protected]

The audit found that accountability for user access management was placed on the managers of employees requesting CMS access. The managers interviewed did not always understand the extent of their responsibility, nor did they have the tools to facilitate effective CMS user access management, and as such monitoring is limited.

Findings also show that the Department is not in compliance with TBS policies such as the Policy on Privacy Protection [12] (under the section ensuring that a privacy impact assessment is completed), the Policy on Government Security (under the section ensuring that managers at all levels integrate security and identity management requirements into plans, programs, activities and services) and the Operational Security Standard: MITS (under section 16, prevention: controls to protect the confidentiality, integrity and availability of information and IT assets; and section 17, detection: monitoring of system performance and security audit log functions must be established).

[10] Policy on Government Security, Section 6.0.
[11] Policy Framework for Information and Technology, Section 2.2.
[12] Policy on Privacy Protection, Section […].
While some user access controls are in place to mitigate risks related to granting access to CMS, there is no standardized, documented and approved user access management process in place to provide only authorized individuals with access to the system based on business requirements.

Analysis

In assessing the controls for CMS user access management, we expected to find processes and practices that securely manage the user access lifecycle based on the least-privilege principle and the need-to-know. These processes and practices should be found within the following areas:
- Provisioning;
- Authentication;
- Authorization;
- Compliance; and
- De-provisioning.

Provisioning: creating and approving user accounts

The provisioning for CMS begins with a request from an employee's manager asking that the employee be provided access to the system in order to perform their duties. IITB creates the usercode based on the manager's manual authentication of the new user's identity and on the assertion that the employee has a PRI and is security cleared.

The user access provisioning process for CMS is a two-tier process, which demonstrates good segregation of duties: IITB is responsible for creating usercodes before CFOB or HRSB can approve and grant access to the requested CMS modules or screens. However, the process is not standardized, as there are differences in how NHQ and the regions request user account creation and in how new usercodes are provided.

[Protected] the least-privilege principle and the need-to-know and the overall awareness of managers and authorized requestors.

HRSB and CFOB are the business owners and as such are accountable for applying access to roles; they provide a challenge function should access requests contravene segregation of duties. However, managers and authorized requestors are ultimately accountable for the access they request.
Authentication: sign-on, validating the user and ensuring the appropriate profile (or usercode)

For the authentication of new users, the auditors found that not all user request forms were approved by the immediate responsibility centre (RC) managers. The auditors were informed that the user request form could be approved by any manager in an employee's work area and that no distinction was made regarding the reporting relationship. However, the audit team has recently been advised that CFOB is addressing this issue by verifying NHQ access requests against delegated signing authority. We were also told that IITB confirms an acting manager's status prior to assigning the usercode. This process is dependent on the accuracy of the reporting relationship in Active Directory. [13]

[Protected]

A CMS usercode cannot be provided without an employee's PRI. [14]

[Protected]

We also observed that temporary PRIs were provided to temporary workers (e.g., consultants, casual employees and students) to give them access to CMS. There was no consistency, as some interviewees did not condone the practice, while others felt that temporary workers fulfill an operational need and should be granted access.

[Protected]

CFOB has since advised the audit team that the actual number is lower. The discrepancies are attributable to the ongoing cleanup of CMS and the method required to obtain reliable user data. In order to produce user data, multiple reports [18] must be generated and then validated in CMS.

CMS users are intended to be uniquely identifiable by their CMS usercodes and as such should receive only one usercode during their employment at HRSDC. These usercodes can be activated, deactivated and reactivated as necessary. The testing indicated that, due to a lack of standardization, there were employees with more than one usercode (i.e. one active usercode and several non-active usercodes).

We also noted that managers and authorized requestors did not consistently apply the least-privilege principle and the need-to-know requirements. It is a common practice for managers and authorized requestors to ask for "same as" or "9999" access without a clear understanding that employees could, as a result, gain more access than is needed to perform their duties. Employee movement is not systematically tracked and access appropriately modified within CMS.

[Protected]

Guidance is limited to security awareness training. No additional guidance (i.e. reference materials) is available to assist managers and authorized requestors as they make decisions regarding employee access.

[13] Active Directory provides the means to manage the identities and relationships that make up network environments.
[Protected] [Protected] [Protected] [Protected]
[18] CFOB is using a combination of LOCUM and DSS as well as manually validating the information in CMS.

Authorization: granting access and the appropriate role

In a role-based CMS environment, permissions to perform specific computer-system functions are assigned to roles. Users are provided specific roles in order to perform their duties. When strictly applied, users can only acquire permissions through their roles, and managing these users would be a matter of assigning the appropriate role(s).

[Protected]

There are approximately 180 default HR and finance roles, and more than 1,000 customized roles that are created and assigned to CMS user profiles, since customized roles can't be reused for another account. The risk increases when too many customized roles are created to fit specific functions, as they need to be maintained. Although roles are being created to fit user needs, the audit team did not find any standardized documentation describing the naming convention, the definition of the different roles, and when or how to apply them to user profiles.

It was noted in one of the regions we visited that a CMS coordinator was playing a dual function: this individual was responsible for applying roles to the usercode and was also approving user request forms. The auditors discussed the situation with CFOB (NHQ and the region) and, at the conclusion of the audit, this matter was resolved by removing the individual's privileged access to CMS.

Compliance: real-time logging, monitoring user access, auditing and reporting

An important part of the Department's responsibility in managing the user lifecycle and privileged user access is demonstrating that access restrictions are enforced and monitored.
[Protected]

In an effective IAM environment, managers ensure that an employee's access is accurate and aligned with current job responsibilities. The auditors found that the majority of interviewees were not aware that user access reports were available. We also found that the LCM001 report, used for this audit, was inadequate. For example:
- the information is not consistently updated, e.g. the last login date was 2007 but the account was still active;
- managers are not able to easily identify their employees, as the report is sorted by RC; [19]
- [Protected] and
- there are data integrity issues such as: first and last names reversed, spelling mistakes, inconsistency of upper and lower case, blank fields and initials instead of names.

[Protected]

At the time of the audit, CFOB was developing a privileged user management process for CFOB privileged users. Although this process is a step in the right direction, it is not standardized or centralized across the Department, as it is limited to CFOB privileged users with access to the business modules. This process does not include HRSB and IITB, nor does it address the actual number of privileged user accounts required to adequately maintain the system. The majority of interviewees stated that privileged user monitoring involved only random manual spot checks conducted on an ad hoc basis by colleagues and not by their managers.

[Protected]

De-provisioning: removing access

De-provisioning involves removing access to the system, an action prompted by circumstances such as a change to an employee's role where access is no longer required (least-privilege principle and the need-to-know), extended leave (i.e. maternity or sick leave), or the employee leaving the Department.

[19] The access report is sorted by RC and then usercode. The seven-digit access code contains the first four digits of the RC code where the employee first obtained access. Any subsequent movement of the employee within the Department, including the name of the employee, will not appear under the RC where he/she currently reports.
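The report deficiencies described above (stale but still-active usercodes, sorting by the RC where access was first granted, name-field defects), the duplicate usercodes and temporary PRIs noted under Authentication, and the de-provisioning triggers just listed are all conditions a periodic access review can check mechanically from an access export. The script below is an added example, not HRSDC's tooling or the LCM001 report format: it runs those checks over a constructed CSV, and the column names, the seven-digit usercode with a four-digit RC prefix, the review date and the one-year staleness threshold are all assumptions.

```python
"""Access-review checks over an LCM001-style CMS user access export.

Added example with constructed sample rows; not HRSDC's report or its real
layout. Each check corresponds to a deficiency described in the audit:
stale but still-active usercodes, several active usercodes for one PRI,
active usercodes issued against temporary PRIs, name data-integrity defects,
and usercodes whose RC prefix no longer matches the RC the employee reports to.
"""
import csv
import io
from collections import defaultdict
from datetime import date, datetime

# Constructed sample report. Column names and the seven-digit usercode layout
# (first four digits = RC where access was first granted) are assumptions.
SAMPLE_REPORT = """usercode,pri,last_name,first_name,rc,status,last_login,pri_type
1234001,100001,Tremblay,Marie,1234,ACTIVE,2011-11-02,permanent
1234002,100002,R.,Jean,1234,ACTIVE,2007-03-15,permanent
2200003,100002,Roy,Jean,2200,ACTIVE,2011-12-01,permanent
1234004,100003,SMITH,PAT,1234,INACTIVE,2010-01-10,permanent
3100005,T00004,Lee,,3100,ACTIVE,2011-10-30,temporary
3100006,100005,Nguyen,Anh,3100,ACTIVE,2009-05-05,permanent
1234007,100006,Gagnon,Luc,5600,ACTIVE,2011-12-20,permanent
"""

AS_OF = date(2012, 3, 1)   # assumed review date (the report is dated March 2012)
STALE_DAYS = 365           # assumed threshold: a year without login flags a de-provisioning candidate


def parse_report(text):
    """Read the CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def stale_active(rows, as_of=AS_OF, stale_days=STALE_DAYS):
    """Active usercodes that have not logged in for stale_days (or have never logged in)."""
    flagged = []
    for r in rows:
        if r["status"] != "ACTIVE":
            continue
        if not r["last_login"]:
            flagged.append(r["usercode"])
            continue
        last = datetime.strptime(r["last_login"], "%Y-%m-%d").date()
        if (as_of - last).days > stale_days:
            flagged.append(r["usercode"])
    return flagged


def multiple_active_usercodes(rows):
    """PRIs holding more than one active usercode (each user should have exactly one)."""
    by_pri = defaultdict(list)
    for r in rows:
        if r["status"] == "ACTIVE":
            by_pri[r["pri"]].append(r["usercode"])
    return {pri: codes for pri, codes in by_pri.items() if len(codes) > 1}


def active_temporary_pris(rows):
    """Active usercodes issued against a temporary PRI, for the temporary-PRI review."""
    return [r["usercode"] for r in rows
            if r["status"] == "ACTIVE" and r["pri_type"] == "temporary"]


def name_integrity_issues(rows):
    """Blank name fields, initials instead of names, and all-upper-case entries."""
    issues = {}
    for r in rows:
        problems = []
        for field in ("last_name", "first_name"):
            value = r[field].strip()
            if not value:
                problems.append(f"{field} blank")
            elif len(value.rstrip(".")) <= 1:
                problems.append(f"{field} is an initial")
            elif value.isupper():
                problems.append(f"{field} all upper case")
        if problems:
            issues[r["usercode"]] = problems
    return issues


def moved_since_provisioning(rows):
    """Usercodes whose embedded RC prefix differs from the RC the employee now reports to."""
    return [r["usercode"] for r in rows if r["usercode"][:4] != r["rc"]]


def run_review(text=SAMPLE_REPORT, as_of=AS_OF):
    """Run every check and return the findings keyed by check name."""
    rows = parse_report(text)
    return {
        "stale_active": stale_active(rows, as_of),
        "multiple_active_usercodes": multiple_active_usercodes(rows),
        "active_temporary_pris": active_temporary_pris(rows),
        "name_integrity_issues": name_integrity_issues(rows),
        "moved_since_provisioning": moved_since_provisioning(rows),
    }


if __name__ == "__main__":
    for check, result in run_review().items():
        print(f"{check}: {result}")
```

Each finding list is something a manager or authorized requestor can act on directly (deactivate, merge, re-approve or correct); grouping the moved usercodes by current RC rather than by usercode prefix is what makes the review usable by the manager the employee actually reports to.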
The automatic payroll control in the HR module was designed to suspend the employee's account. This control, however, requires a manual change in the pay status of the employee in order to suspend access, and is not a substitute for effective user access management.

[Protected]

Recommendations

1. IITB, in consultation with CFOB and HRSB, should develop and implement a comprehensive IAM strategy to address current weaknesses, to provide guidance and to standardize access management practices.
2. CFOB and HRSB, in consultation with IITB, should develop and implement a centralized PUM process, as an important element of the Department's overall IAM strategy.
3. CFOB and HRSB, in consultation with IITB, should remind all managers and authorized requestors who are approving access to CMS of their roles, responsibilities and accountabilities associated with user access management.
4. CFOB and HRSB, in consultation with IITB, should undertake the following activities to mitigate some of the risks identified during the audit:
   - develop a process to manage temporary PRIs and perform a review of the current (active) temporary PRIs;
   - reuse the same usercode instead of creating a new one each time a request for access is granted;
   - [Protected]
   - determine who should have access to the system and communicate decisions to the appropriate parties; and
   - request that managers review and update employee access based on the least-privilege principle and the need-to-know.

2.3 No departmental risk management process exists for CMS

The audit team did not find a risk management process in place to identify, mitigate and monitor risks in safeguarding access to CMS.

Analysis

An effective risk management process is an important component of a successful IT security system or program. This process helps to raise awareness and continuously manage the security risks to information and IT assets throughout the life of the system or program. The Department must be aware of threats and vulnerabilities to its information systems in order to prevent, detect, react to and recover from incidents.

The auditors were advised by interviewees from CFOB, HRSB and IITB that there is no formal or informal risk management process for CMS, and no current and updated threat and risk assessment (TRA) to identify, assess, mitigate and monitor risks related to safeguarding access to CMS. Consequently, the Department is non-compliant with the Government Security Policy and the Operational Security Standard: MITS, both of which require departments to continuously carry out activities designed to manage IT security risks.

Recommendation

5. CFOB and HRSB should determine what level of CMS risk assessment is required to safeguard CMS as it continues to support the Department's business environment over the next few years while ERP is being implemented.
3.0 CONCLUSION

The audit concluded that the current CMS control framework and its related system of controls and risk management practices are not adequate in safeguarding access to its information assets. Although weaknesses have been identified that require management attention, the issues are considered moderate, as access to CMS is limited to HRSDC's internal network. It is also important to note that improvements should focus on the Identity and Access Management lifecycle rather than on the system itself, as CMS will soon be replaced by an industry-standard ERP system.

4.0 STATEMENT OF ASSURANCE

In our professional judgement, sufficient and appropriate audit procedures have been performed and evidence gathered to support the accuracy of the conclusions reached and contained in this report. The conclusions were based on observations and analyses of the situations as they existed at the time, against the audit criteria. The conclusions are only applicable to the Audit of Access to the Corporate Management System. The evidence was gathered in accordance with the Internal Auditing Standards for the Government of Canada and the International Standards for the Professional Practice of Internal Auditing.
APPENDIX A: Audit Criteria

The conclusions reached for each of the audit criteria were developed according to the following definitions.

1 - Significant Improvements Required
Requires significant improvements (at least one of the following three criteria needs to be met):
- financial adjustments material to line item or area or to the Department; or
- control deficiencies represent serious exposure; or
- major deficiencies in overall control structure.
Note: Every audit criterion that is categorized as a 1 must be immediately disclosed to the Chief Audit Executive (CAE) and the client Director General or higher level for corrective action.

2 - Moderate Issues
Has moderate issues requiring management focus (at least one of the following two criteria needs to be met):
- control weaknesses, but exposure is limited because the likelihood of the risk occurring is not high;
- control weaknesses, but exposure is limited because the impact of the risk is not high.

3 - Controlled
Well managed, but minor improvements are needed; and effective.

4 - Well Controlled
Well managed, no material weaknesses noted; and effective.

The following table outlines the audit criteria and examples of key evidence and/or observations noted which were analyzed and against which conclusions were drawn. In cases where significant improvements (1) and/or moderate issues (2) were observed, these were reported in the audit report.
2.1 CMS Governance: It is expected that the Department has the infrastructure, policies, practices and procedures in place to manage user access in CMS.

Audit Criteria / Conclusion / Observations/Examples of Key Evidence

Criterion: The HRSDC Control Framework for CMS is compliant with TBS policies and directives.
Conclusion: 2
Observations: The CMS framework provided was last updated in 2002 and is not compliant with TBS policies. Although CMS is primarily a financial system, it also holds HR data. In NHQ, CFOB is responsible for approving and applying roles to the HR modules. We have not found a Memorandum of Understanding between CFOB and HRSB describing roles and responsibilities regarding user access management for the HR module.

Criterion: User access management is included in the control framework and is aligned to ensure that management monitors progress and has in place a continuous improvement plan.
Conclusion: 2
Observations: The control framework does not specifically address information asset management or user access management. There is currently no IAM within the Department; however, IITB is developing a departmental strategy. There is no evidence of progress monitoring related to CMS user access management.

Criterion: The roles, responsibilities and accountabilities are clearly defined, delegated and communicated.
Conclusion: 2
Observations: There is no formal documentation, i.e. a framework outlining roles, responsibilities and accountabilities of all employees, as part of the CMS user access lifecycle. Although CMS is primarily a financial system, it also holds HR data. In NHQ, CFOB is responsible for approving and applying roles to the HR modules. We have not found a Memorandum of Understanding between CFOB and HRSB describing roles and responsibilities regarding user access management for the HR module. Managers interviewed during the audit did not always understand the extent of their responsibility.

Criterion: Processes are in place to establish, maintain and monitor user access in order to preserve the confidentiality, integrity and availability of data.
Conclusion: 2
Observations: Obtaining an accurate inventory of employees that have access to CMS and their level of access proved to be very difficult, as multiple reports need to be generated and validated in CMS. The information provided in the requested reports was not sufficiently detailed and specific to CMS. This element was also assessed in 2.2, under compliance.
2.2 Controls: It is expected that CMS has a documented and approved user access management process in place to provide only authorized individuals with access to the system based on business requirements.

Audit Criteria / Conclusion / Observations/Examples of Key Evidence

Criterion: Internal policies and practices, related to information access, comply with TBS policies and regulations.
Conclusion: 3 and 2
Observations: The Policy on departmental IT Security Management complies, as it relates to information access, with TBS policies. The auditors observed that usercode creation in NHQ is the same as in the regions, as it is performed by IITB-SECURITY. IITB-SECURITY has established a standardized process for usercode creation, modification and deletion; however, the procedure differs slightly between NHQ and the regions. In NHQ the request (form 5012) is initiated by managers and is sent directly to CFOB. CFOB then requests the usercode from IITB-SECURITY. CFOB grants access to the appropriate module (HR and/or finance), as CFOB is responsible for both modules. In Moncton and Montreal, the request (form 5046) is sent directly to IITB-SECURITY, then to CFOB for approval of the financial module access and to HRSB for approval of the HR module access. In Belleville, the process is similar to NHQ. Current information access practices are not aligned to reflect the intent of the policy, as the least-privilege principle and the need-to-know are not always considered when creating and approving user accounts.

Criterion: CMS users (internal, external and temporary) are uniquely identifiable and have appropriate security clearance.
Conclusion: 2
Observations: Not all user accounts are uniquely identifiable. We found an instance where a user had a permanent and a temporary PRI active at the same time. The security level is determined by the job description at the time of hiring and is done systematically. The security level is tied to the job description of an incumbent. When an employee is assigned a PRI, the appropriate security level is required and it is done prior to the employee's start date. The personnel security screen, within the HR module, is where all users and potential users have their appropriate security level entered. The Atlantic and Montreal regions stated that no access is granted before a security check is performed. We have not been able to find any documentation describing the required security levels for users needing access to CMS.

Criterion: Managers and authorized requestors understand their responsibility in granting access to users (based on the least-privilege principle/need-to-know).
Conclusion: 2
Observations: Although most managers and authorized requestors interviewed told the auditors that they were aware of the least-privilege principle and the need-to-know, we noticed that some access request forms are still based on "same as" or "9999" access, especially in the regions. We observed that some users have more rights than needed to perform their duties.

Criterion: CMS user access rights are formally requested by management or an authorized requestor, approved and implemented by the data owners based on a predefined level of access appropriate to each group of users.
Conclusion: 2
Observations: We found that requests are approved by managers, even though the users do not report directly to that manager. Authorized requestors who approve a request need to be on an approved list of authorized requestors to whom authority has been delegated by the manager/director using the delegation form.

Criterion: Management understands their responsibility in granting access to super users/privileged users (based on the least-privilege principle and the need-to-know).
Conclusion: 2
Observations: Assessed in 2.2, under compliance.

Criterion: CMS information can only be accessed or modified by those authorized to do so.
Conclusion: 2
Observations: Although log files for unauthorized access (i.e. browsing) are available, they are not systematically monitored. We observed that users who had moved from one position to another and/or to different branches still had potentially non-related access attached to their accounts, circumventing the least-privilege principle and the need-to-know.

Criterion: Segregation of duties is reflected in access privileges; no one user can independently control all aspects of a process or a system, including privileged users.
Conclusion: 3, except for one exception
Observations: For the most part, we observed good segregation of duties between IITB (creation of usercodes) and CFOB and/or HRSB (attribution of roles to usercodes). Segregation of duties for CMS users (roles assigned to complete a task) could not be assessed due to system limitations, as reports did not provide adequate information. In one region, a CMS coordinator was approving user access request forms and was attributing roles to the same accounts. This situation was brought to management's attention, which resolved the issue.

Criterion: CMS access privileges are regularly updated to accurately reflect the current responsibilities and users' organizational units; privileges are revised when users move to new positions, and are withdrawn from users who leave the organization.
Conclusion: 1
Observations: Access is not regularly updated, and is not assessed to determine if a user's access has changed during the course of an employee's employment with the Department. Without proper module integration and a standardized process, movement of employees is very difficult to establish and is limited in CMS. (This criterion was used to assess the movement and the departure of employees.) We have found no evidence of a standardized process for applying roles to usercodes. It is left to the discretion of the CMS coordinator. The Department is not granting access consistently. Testing indicated that user access management is not being updated to reflect the current status of the employee.

Criterion: CMS user activity, including super users/privileged users, is monitored and any security issues or abuse of privileges are reported to management in a timely manner. An audit trail is maintained to confirm "who did what, when and how".
Conclusion: 2
Observations: Successful or unsuccessful user access is captured in log files; however, we have found no evidence of an automatic and systematic monitoring function. Transactional activities are captured. At the time of the audit, CFOB was working on a privileged user access process.

Criterion: Processes are in place to ensure that unauthorized accesses are detected, investigated, reported and appropriate administrative action is taken.
Conclusion: 2
Observations: We have not found any evidence of a standardized process to capture and report unauthorized access. The process is ad hoc and manual.
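The 2.2 criteria above describe checks the auditors had to perform by hand because CMS reports did not expose them: one person holding a permanent and a temporary PRI at the same time, access left attached after a move to another branch or after departure, roles beyond the predefined level for a group of users, and a coordinator both approving requests and attributing roles. As an added illustration that is not part of the audit report, the following Python script runs those four checks over a small constructed user-access inventory; the record layout, field names, job profiles and sample values are assumptions, not the format or content of any CMS report.

```python
"""Automated user-access review checks modelled on audit criteria 2.2.

Added illustration, not part of the audit report. The inventory layout is an
assumption: it is not the format of any CMS report, and the usercodes, PRIs,
units, roles and names are constructed sample values.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRecord:
    usercode: str
    person: str               # assumed key linking several PRIs to one individual
    pri: str
    pri_type: str             # "permanent" or "temporary"
    employed: bool            # False once the person has left the Department
    provisioned_unit: str     # org unit the access was requested for
    current_unit: str         # org unit per the current HR record
    roles: frozenset          # roles attributed to the usercode
    approved_by: str          # manager / authorized requestor on the request form
    roles_attributed_by: str  # coordinator who applied the roles


# Assumed job profiles: the predefined roles appropriate to each group of users.
JOB_PROFILES = {
    "CFOB-AP": frozenset({"FIN_INQ", "FIN_INVOICE"}),
    "HRSB-STAFF": frozenset({"HR_INQ", "HR_LEAVE"}),
    "IITB-SEC": frozenset({"SEC_USERCODE"}),
}


def duplicate_identities(records):
    """Persons holding more than one PRI (e.g. a permanent and a temporary
    PRI at once), so their accounts are not uniquely identifiable."""
    by_person = defaultdict(set)
    for r in records:
        by_person[r.person].add((r.pri, r.pri_type))
    return {p: sorted(v) for p, v in by_person.items() if len(v) > 1}


def stale_access(records):
    """Usercodes still present after the person moved units or left: privileges
    not revised on movement and not withdrawn on departure."""
    findings = []
    for r in records:
        if not r.employed:
            findings.append((r.usercode, "departed"))
        elif r.provisioned_unit != r.current_unit:
            findings.append((r.usercode, f"moved {r.provisioned_unit}->{r.current_unit}"))
    return findings


def excess_roles(records):
    """Roles beyond the predefined job profile of the unit the access was
    granted for; 'same as' / '9999' style requests tend to surface here."""
    out = {}
    for r in records:
        extra = r.roles - JOB_PROFILES.get(r.provisioned_unit, frozenset())
        if extra:
            out[r.usercode] = sorted(extra)
    return out


def sod_violations(records):
    """One person both approving the request and attributing the roles."""
    return sorted(r.usercode for r in records if r.approved_by == r.roles_attributed_by)


def review(records):
    """Run every check and return the findings keyed by check name."""
    return {
        "duplicate_identities": duplicate_identities(records),
        "stale_access": stale_access(records),
        "excess_roles": excess_roles(records),
        "sod_violations": sod_violations(records),
    }


# Constructed sample inventory (not real CMS data).
SAMPLE = [
    AccessRecord("u1001", "person-A", "PRI-100", "permanent", True,
                 "CFOB-AP", "CFOB-AP", frozenset({"FIN_INQ", "FIN_INVOICE"}),
                 "mgr-smith", "coord-lee"),
    AccessRecord("u1002", "person-A", "PRI-900", "temporary", True,
                 "CFOB-AP", "CFOB-AP", frozenset({"FIN_INQ"}),
                 "mgr-smith", "coord-lee"),
    AccessRecord("u2001", "person-B", "PRI-200", "permanent", True,
                 "HRSB-STAFF", "IITB-SEC", frozenset({"HR_INQ", "HR_LEAVE"}),
                 "mgr-jones", "coord-lee"),
    AccessRecord("u3001", "person-C", "PRI-300", "permanent", True,
                 "CFOB-AP", "CFOB-AP", frozenset({"FIN_INQ", "FIN_INVOICE", "HR_LEAVE"}),
                 "coord-roy", "coord-roy"),
    AccessRecord("u4001", "person-D", "PRI-400", "permanent", False,
                 "IITB-SEC", "IITB-SEC", frozenset({"SEC_USERCODE"}),
                 "mgr-jones", "coord-lee"),
]

if __name__ == "__main__":
    for check, result in review(SAMPLE).items():
        print(f"{check}: {result}")
```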
2.3 Risk Management: It is expected that there is a process in place to identify, mitigate and monitor risks in safeguarding access to CMS.

Audit Criteria / Conclusion / Observations/Examples of Key Evidence

Criterion: A documented and approved risk management process is in place to identify, assess, mitigate and monitor risks related to the safeguarding of access to CMS information assets.
Conclusion: 2
Observations: We found no evidence of any risk management or ongoing TRA to identify, assess, mitigate and monitor risks related to safeguarding access to CMS information assets. Interviewees were not aware of a formal or informal risk management process for CMS. In addition, interviewees were not aware of a current or updated threat and risk assessment having been carried out.
APPENDIX B: Glossary

CAE: Chief Audit Executive
CFOB: Chief Financial Officer Branch
CMS: Corporate Management System
EDS: Electronic Document System
ERP: Enterprise Resource Planning
HR: Human Resources
HRSB: Human Resources Services Branch
HRSDC: Human Resources and Skills Development Canada
IAM: Identity and Access Management
IITB: Innovation, Information and Technology Branch
IT: Information Technology
MITS: Management of Information Technology Security
OAG: Office of the Auditor General
OMTM: Operations and Maintenance Transaction Module
NHQ: National Headquarters
PRI: Personal Record Identifier
PUM: Privileged User Management
RC: Responsibility Centre
SAP: Systems, Applications and Products
TBS: Treasury Board Secretariat
TRA: Threat and Risk Assessment
APPENDIX C: Definitions

Access: The right or permission that is granted to an identity. These informational access rights can be granted to allow users to perform transactional functions at various levels.

Authorization: A process for determining what types of activities are permitted. Ordinarily, once authenticated, a user may be authorized to perform different types of activity or granted certain access rights.

Authorized Requestor: An authorized requestor is an employee delegated by their manager, using form 5054, to approve access to CMS on his or her behalf.

Control Framework: A recognized system of control categories that covers all internal controls expected in an organization.

Enterprise Resource Planning: A system used to manage and coordinate all the resources, information, and functions of a business.

Identity and Access Management System/Strategy: A system consisting of one or more subsystems and components that facilitates the establishment, management, and revocation of identities and accesses to resources.

Identity: A unique sequence or set of characteristics that uniquely identifies an individual.

Identity Lifecycle Management: The processes used to create and delete accounts, manage account and entitlement changes, and track policy compliance.

Job Profile: A collection of application screens required to be accessed by individuals in the performance of their job.

Privacy Impact Assessment: A privacy impact assessment is a process to determine the impacts of a proposal on an individual's privacy and ways to mitigate or avoid any adverse effects.

Provisioning: The process used to create identity, associate identities with access, and configure the systems appropriately.

PeopleSoft: A commercial-off-the-shelf (COTS) system, modified to meet common Government of Canada (GC) HR and legislative requirements, that provides an integrated platform for the management of HR information.

Roadmap: A tool to enable stakeholders and leaders to better plan for and make decisions about the future.

SAP: Systems, Applications and Products in Data Processing is a commercial-off-the-shelf (COTS) system, modified to meet common GC financial and legislative requirements, that provides an integrated platform for the management of financial information.

Segregation of duties: A control mechanism whereby a process is broken into its constituent components and the responsibility for executing each component is divided among different individuals. Segregation of duties segments the process so that no individual has an excessive ability to execute transactions or unilaterally cover irregularities without detection.

Stakeholder: A stakeholder is anyone who has either a responsibility for or an expectation from the enterprise's IT, e.g., senior managers, directors, managers, users and employees.

Privileged User: A privileged user or super user who has, by virtue of function and/or seniority, been allocated powers within the computer system which are significantly greater than those available to the majority of users. Such persons will include, for example, the system administrator and database administrator.

Threat and Risk Assessment: The objective of a threat and risk assessment is to determine exactly what needs to be protected and why; it aids in the determination of security requirements.

Usercode/Profile: An identifier or login identification on a specific resource used to manage access to that resource.
APPENDIX D: CMS User Access Information

The information provided below was generated from the DSS database by CFOB, dated January 31. Although the information below provides some detail in terms of the breakdown of user access, it does not indicate which users have transactional and/or inquiry access. Due to system limitations, a detailed grouping of user access roles in CMS is not easily achieved. In order to determine access levels, CFOB would have to manually review each role assigned to the user to determine the level of permission.

CMS User Access Information

User Access Distribution / Employees / Non-Employees
Atlantic
CFOB Enabling Services Renewal / 27 / 2
Program CFOB
HRSDC & Service Canada (SC)
IITB
HRSB
Labour
NHQ
Ontario
Processing & Payment Services Branch
Quebec
SC Chief Operating Officer Roll-up / 2 / 0
SC Citizen Service Branch / 54 / 0
SC Service Management / 83 / 5
SC Assistant Deputy Minister Integrity Services Branch / 63 / 6
Western Canada & Territories
Total
Grand Total

(Figures for the remaining rows were not legible in the source.)
More informationFEDERAL FAMILY EDUCATION LOAN PROGRAM (FFELP) SYSTEM
REPORT NO. 2015-007 AUGUST 2014 DEPARTMENT OF EDUCATION FEDERAL FAMILY EDUCATION LOAN PROGRAM (FFELP) SYSTEM Information Technology Operational Audit DEPARTMENT OF EDUCATION Pursuant to Article IX, Section
More informationJudiciary Judicial Information Systems
Audit Report Judiciary Judicial Information Systems November 2008 OFFICE OF LEGISLATIVE AUDITS DEPARTMENT OF LEGISLATIVE SERVICES MARYLAND GENERAL ASSEMBLY This report and any related follow-up correspondence
More informationCompliance and Industry Regulations
Compliance and Industry Regulations Table of Contents Introduction...1 Executive Summary...1 General Federal Regulations and Oversight Agencies...1 Agency or Industry Specific Regulations...2 Hierarchy
More informationReport on. Office of the Superintendent of Financial Institutions. Corporate Services Sector Human Resources Payroll. April 2010
Report on Office of the Superintendent of Financial Institutions Corporate Services Sector Human Resources Payroll April 2010 Table of Contents 1. Background... 3 2. Audit Objectives, Scope and Approach...
More informationAboriginal Affairs and Northern Development Canada. Internal Audit Report. Audit of Internal Controls Over Financial Reporting.
Aboriginal Affairs and Northern Development Canada Internal Audit Report Audit of Internal Controls Over Financial Reporting Prepared by: Audit and Assurance Services Branch Project #: 14-05 November 2014
More informationAudit of the Financial Management Control Framework - Revenue
N A T I O N A L R E S E A R C H C O U N C I L C A N A D A Audit of the Financial Management Control Framework - Revenue I n t e r n a l A u d i t, N R C N O V E M B E R 2011 1.0 Executive Summary and
More informationSocial Services Contract Monitoring Audit
City of Austin AUDIT REPORT A Report to the Austin City Council Mayor Lee Leffingwell Mayor Pro Tem Sheryl Cole Social Services Contract Monitoring Audit October 2011 Council Members Chris Riley Mike Martinez
More informationPUBLIC SERVICE COMMISSION AUDIT REPORTS 2012
PUBLIC SERVICE COMMISSION AUDIT REPORTS 2012 All of the audit work in this publication was conducted in accordance with the legislative mandate and audit policies of the Public Service Commission of Canada.
More informationDivision of Insurance Internal Control Questionnaire For the period July 1, 2013 through June 30, 2014
Official Audit Report Issued March 6, 2015 Internal Control Questionnaire For the period July 1, 2013 through June 30, 2014 State House Room 230 Boston, MA 02133 auditor@sao.state.ma.us www.mass.gov/auditor
More informationWright State University Information Security
Wright State University Information Security Controls Policy Title: Category: Audience: Reason for Revision: Information Security Framework Information Technology WSU Faculty and Staff N/A Created / Modified
More informationPROTECTION OF PERSONAL INFORMATION
PROTECTION OF PERSONAL INFORMATION Definitions Privacy Officer - The person within the Goderich Community Credit Union Limited (GCCU) who is responsible for ensuring compliance with privacy obligations,
More informationEPA Needs to Improve Its. Information Technology. Audit Follow-Up Processes
U.S. ENVIRONMENTAL PROTECTION AGENCY OFFICE OF INSPECTOR GENERAL Information Technology EPA Needs to Improve Its Information Technology Audit Follow-Up Processes Report No. 16-P-0100 March 10, 2016 Report
More informationInternal Controls over Financial Reporting. Integrating in Business Processes & Key Lessons learned
Internal Controls over Financial Reporting Integrating in Business Processes & Key Lessons learned Introduction Stephen McIntyre, CA, CPA (Illinois) Senior Manager at Ernst & Young in the Risk Advisory
More informationHuman Resources and Skills Development Canada Departmental Privacy Policy
Human Resources and Skills Development Canada Departmental Privacy Policy Effective Date: April 2007, Updated October, 2009 CA-579-03-10E You can order this publication by contacting: Publications Services
More informationToronto Maintenance Management System Application Review. the exercise to harmonize business practices is completed;
STAFF REPORT March 30, 2004 To: From: Subject: Audit Committee Auditor General Toronto Maintenance Management System Application Review Purpose: The purpose of this audit was to assess how well the Toronto
More informationGuidelines for Financial Institutions Outsourcing of Business Activities, Functions, and Processes Date: July 2004
Guidelines for Financial Institutions Outsourcing of Business Activities, Functions, and Processes Date: July 2004 1. INTRODUCTION Financial institutions outsource business activities, functions and processes
More informationMajor IT Projects: Continue Expanding Oversight and Strengthen Accountability
Secretary of State Audit Report Jeanne P. Atkins, Secretary of State Gary Blackmer, Director, Audits Division Major IT Projects: Continue Expanding Oversight and Strengthen Accountability Summary Information
More informationMarch 17, 2015 OIG-15-43
Information Technology Management Letter for the U.S. Citizenship and Immigration Services Component of the FY 2014 Department of Homeland Security Financial Statement Audit March 17, 2015 OIG-15-43 HIGHLIGHTS
More informationReport of the Information & Privacy Commissioner/Ontario. Review of the Canadian Institute for Health Information:
Information and Privacy Commissioner of Ontario Report of the Information & Privacy Commissioner/Ontario Review of the Canadian Institute for Health Information: A Prescribed Entity under the Personal
More informationAccountable Privacy Management in BC s Public Sector
Accountable Privacy Management in BC s Public Sector Contents Accountable Privacy Management In BC s Public Sector 2 INTRODUCTION 3 What is accountability? 4 Steps to setting up the program 4 A. PRIVACY
More informationOCR SHOULD STRENGTHEN ITS OVERSIGHT OF COVERED ENTITIES COMPLIANCE WITH THE HIPAA PRIVACY STANDARDS
Department of Health and Human Services OFFICE OF INSPECTOR GENERAL OCR SHOULD STRENGTHEN ITS OVERSIGHT OF COVERED ENTITIES COMPLIANCE WITH THE HIPAA PRIVACY STANDARDS Suzanne Murrin Deputy Inspector General
More informationAudit and Advisory Services
Audit and Advisory Services Integrity, Innovation and Quality April 2012 Table of Contents Table of Contents EXCUTIVE SUMMARY... I 1.0 INTRODUCTION... 1 1.1 BACKGROUND... 1 1.2 OBJECTIVES... 2 1.3 SCOPE
More informationCOMPLIANCE FRAMEWORK AND REPORTING GUIDELINES
COMPLIANCE FRAMEWORK AND REPORTING GUIDELINES DRAFT FOR CONSULTATION June 2015 38 Cavenagh Street DARWIN NT 0800 Postal Address GPO Box 915 DARWIN NT 0801 Email: utilities.commission@nt.gov.au Website:
More informationDATA PROTECTION POLICY
Reference number Approved by Information Management and Technology Board Date approved 14 th May 2012 Version 1.1 Last revised N/A Review date May 2015 Category Information Assurance Owner Data Protection
More informationEPA Needs to Improve Security Planning and Remediation of Identified Weaknesses in Systems Used to Protect Human Health and the Environment
U.S. ENVIRONMENTAL PROTECTION AGENCY OFFICE OF INSPECTOR GENERAL Information Technology EPA Needs to Improve Security Planning and Remediation of Identified Weaknesses in Systems Used to Protect Human
More informationWeb Version. Information Technology (IT) Security Management Practices
Department of Innovation, Energy and Mines Treasury Board Secretariat Department of Finance Civil Service Commission 3 Information Technology (IT) Security Management Practices January 2013 55 55 Executive
More informationDEPARTMENTAL REGULATION
U.S. DEPARTMENT OF AGRICULTURE WASHINGTON, D.C. 20250 DEPARTMENTAL REGULATION SUBJECT: Identity, Credential, and Access Management Number: 3640-001 DATE: December 9, 2011 OPI: Office of the Chief Information
More informationSupervisory Policy Manual
This module should be read in conjunction with the Introduction and with the Glossary, which contains an explanation of abbreviations and other terms used in this Manual. If reading on-line, click on blue
More informationCredit Union Code for the Protection of Personal Information
Introduction Canada is part of a global economy based on the creation, processing, and exchange of information. The technology underlying the information economy provides a number of benefits that improve
More informationCal Poly Information Security Program
Policy History Date October 5, 2012 October 5, 2010 October 19, 2004 July 8, 2004 May 11, 2004 January May 2004 December 8, 2003 Action Modified Separation or Change of Employment section to address data
More informationIT Security Risk Management: A Lifecycle Approach
Information Technology Security Guidance IT Security Risk Management: A Lifecycle Approach ITSG-33 November 2012 Foreword The of is an unclassified publication issued under the authority of the Chief,
More informationFFIEC Cybersecurity Assessment Tool
Overview In light of the increasing volume and sophistication of cyber threats, the Federal Financial Institutions Examination Council 1 (FFIEC) developed the Cybersecurity Tool (), on behalf of its members,
More informationCITY UNIVERSITY OF NEW YORK EMPLOYEE ACCESS TO THE STUDENT INFORMATION MANAGEMENT SYSTEM AT SELECTED CAMPUSES. Report 2007-S-23
Thomas P. DiNapoli COMPTROLLER OFFICE OF THE NEW YORK STATE COMPTROLLER DIVISION OF STATE GOVERNMENT ACCOUNTABILITY Audit Objective... 2 Audit Results - Summary... 2 Background... 3 Audit Findings and
More informationGAO. INFORMATION SECURITY Persistent Weaknesses Highlight Need for Further Improvement
GAO For Release on Delivery Expected at time 1:00 p.m. EDT Thursday, April 19, 2007 United States Government Accountability Office Testimony Before the Subcommittee on Emerging Threats, Cybersecurity,
More informationLegislative Language
Legislative Language SEC. 1. COORDINATION OF FEDERAL INFORMATION SECURITY POLICY. (a) IN GENERAL. Chapter 35 of title 44, United States Code, is amended by striking subchapters II and III and inserting
More informationManagement and Use of Information & Information Technology (I&IT) Directive. Management Board of Cabinet
Management and Use of Information & Information Technology (I&IT) Directive Management Board of Cabinet February 28, 2014 TABLE OF CONTENTS PURPOSE... 1 APPLICATION AND SCOPE... 1 PRINCIPLES... 1 ENABLE
More information