Management of Information Technology Security Standards Audit




Management of Information Technology Security Standards Audit February 2008

Paper: Cat. No. SG5-20/2008E, ISBN 978-0-662-48337-3
PDF: Cat. No. SG5-20/2008E-PDF, ISBN 978-0-662-48338-0

Management of Information Technology Security Standards Audit, February 2008
Project Number: 09016/06-07

Audit Team
Chief Audit Executive: Barbara McNab
A/Senior Director: Paul LePage
Audit Director: Denis Tisseur
Audit Team: Ken Allen, François-Michel Brière, Kenneth Gourlay, Sonja Mitrovic

Table of Contents
EXECUTIVE SUMMARY ... i
1.0 BACKGROUND ... 1
2.0 AUDIT FINDINGS ... 5
3.0 CONCLUSION ... 43
APPENDIX A: Management Action Plan ... 45

EXECUTIVE SUMMARY

The Management of Information Technology Security (MITS) standards define the baseline security requirements that federal departments must fulfill to ensure the security of information and IT assets under their control. In April 2005, the Treasury Board Secretariat established December 31, 2006 as the target date for complying with the standards.

The audit of MITS was part of the Internal Audit Branch 2006-07 Risk-Based Audit Plan that was approved by Service Canada's Audit and Evaluation Committee. The objective of the audit was to review Service Canada's compliance with each mandatory MITS standard and to provide an opinion on its state of implementation.

As requested by the Treasury Board Secretariat, Service Canada reported its compliance with MITS in January 2007. This self-assessment consisted of 52 questions and dealt with each of the mandatory MITS standards. For consistency, this audit treated each of the 52 questions as a compliance criterion.

This audit was mainly conducted at National Headquarters and Service Canada's four Information Technology Centres (ITCs). The audit was conducted between November 2006 and March 2007.

Audit Conclusion

While MITS standards are the same for each federal government organization, the effort required for implementation varies significantly from one organization to another. Assuring compliance with MITS in a small centralized organization is far easier than it is for an organization like Service Canada, whose numerous service delivery channels situated across Canada provide multiple services to many different clients and partners. In such a rapidly changing and technologically complex environment, Service Canada's Innovation, Information and Technology Branch (IITB) did an enormous amount of work to comply with MITS and protect Service Canada's information and IT assets against internal and external threats.

During the MITS implementation, IITB underwent a massive reorganization which better positioned the branch to deal with security threats. At the same time, the reorganization slowed MITS implementation as new roles and responsibilities were identified and positions were staffed. Service Canada has successfully enhanced or implemented many security controls, both soft (awareness and culture change controls) and hard (implementation of physical security controls). Service Canada's ongoing activities continue to demonstrate its commitment to complying with MITS and safeguarding confidential client information.

Internal Audit Branch, Service Canada i

Main Findings

The audit team found that, as of March 31, 2007, Service Canada was in compliance with 32 of the 52 mandatory MITS standards. The remaining 20 areas of non-compliance were ranked by the level of perceived risk to the organization as follows:

YELLOW indicates that nine out of 52 criteria do not comply with the MITS and pose a LOW level of risk.
ORANGE indicates that seven out of 52 criteria do not comply with the MITS and pose a MEDIUM level of risk.
RED indicates that four out of 52 criteria do not comply with the MITS and pose a HIGH level of risk.
GREEN indicates the 32 remaining criteria for which Service Canada was fully compliant with MITS.

The four criteria that raise the highest level of concern are:[1]

[1] The report contains a summary of internal audit observations and analysis and, where warranted, risks and recommendations for each MITS standard. In the Audit Findings section of the report, the results of all 52 compliance criteria are presented in a single table for the convenience of the reader.

In our professional judgment, sufficient and appropriate audit procedures have been conducted. Evidence has been gathered to provide a high level of assurance, and it supports the accuracy of the conclusions reached and contained in this report. A Management Action Plan to address the audit's recommendations is contained in Appendix A.

Statement of Assurance

In our professional judgment, sufficient and appropriate audit procedures have been conducted and evidence gathered to provide a high level of assurance and support the accuracy of the conclusions reached and contained in this report. The conclusions were based on observations and analyses of the situations as they existed at the time against the audit criteria. The conclusions are only applicable to Service Canada. This internal audit was conducted in accordance with the Treasury Board Policy on Internal Audit and the Institute of Internal Auditors' Standards for the Professional Practice of Internal Auditing.


1.0 BACKGROUND

In May 2004, the Treasury Board Secretariat, in consultation with the lead security organizations, departments, and agencies, developed and published the Management of Information Technology Security (MITS) standards. MITS standards define the fundamental security requirements that federal organizations must fulfill to ensure the security of information and IT assets under their control. Specifically, the MITS standards are a consolidation of standards required under the Government Security Policy (GSP) and the Policy on the Management of Government Information. The Treasury Board Secretariat identified December 31, 2006 as the target date for all departments to comply with the standards, but later rescheduled it to January 2007, at which time Service Canada's IITB reported the status of its compliance with each mandatory MITS standard.

MITS standards are divided into two main sections: the management control framework components and the operational and technical components. Within the management control framework, MITS define the roles and responsibilities of key security officers. The operational and technical components promote consistency in the implementation of security measures across departments and the sharing of best practices. Further, they offer guidance on maintaining secure IT systems in the following areas: management controls, risk assessments, dealing with security incidents and weaknesses in systems, auditing security, and business continuity planning.

Three factors have had a particular impact on Service Canada's ability to comply with MITS. These factors are:

1. Innovation and Information Technology Branch reorganization

Coincidental to implementing MITS, IITB initiated a major organizational change affecting the delivery of its operational and technical services and approximately 2,800 staff. IITB's focus was centred on implementing the organizational transition, which delayed some projects, including the implementation of MITS. The delivery of security services was affected in the new IITB organization as several responsibilities were shifted, regrouped, and reorganized to optimize the security operations. MITS standards cover a number of operational activities such as security processes related to system development and maintenance, infrastructure security, network security, security of IT operations, and many more. Due to IITB's transition period, the branch was significantly affected in developing and implementing these standards.

2. Complexity of technological environment

Over the years, the implementation of IT security measures has changed significantly. In the first IT era (dumb terminals linked to a centralized mainframe environment using dedicated telecommunication lines), security measures were mainly restricted to controlling access to corporate applications and networks, protecting data, and limiting access to the computer centre. In today's world, security measures face an open environment where microcomputers are virtually linked to processing computers (mainframes or midrange servers) through virtual networks (World Wide Web) to access corporate applications and office automation tools. The implementation of security measures in today's environment is much more complex and demanding, as new laws have emerged (privacy of information), electronic information has become much more valuable (identity theft), origins of transactions have become unsecured (web-based), and technology has become wireless.

3. Diversity of Service Canada offerings

Service Canada:
- offers over 60 distinct services to 32 million Canadians in addition to 1.3 million employers each year;
- provides in-person, telephone, mail and web-based service delivery;
- has nearly 600 in-person points of contact distributed across 11 geographic regions;
- processes one million transactions daily with four mainframes and more than 500 midrange servers located in four Information Technology Centres (ITCs) across Canada;
- supports an inventory of roughly 500 applications which range from traditional batch-processing mainframe systems to leading edge web-based open systems; and
- manages the office automation and e-mail services to Service Canada staff in 19 solution centres across Canada.

Scope

The audit focused on two main points: the IT security management control framework and the operational and technical organization responsible for implementing security measures throughout Service Canada. The MITS audit was almost entirely conducted in National Headquarters (NHQ), including the four ITCs. When and where practical, regional staff were also interviewed to gain their perspectives on Service Canada's security readiness. The fieldwork enabled the Internal Audit Branch to make on-site assessments of the status of implementation of security safeguards required by MITS.

Methodology

As per Treasury Board's Internal Audit Guidelines and Professional Internal Audit Standards, assurance was provided through a number of methodologies and tools, including:
- collecting and analysing information relating to the status of each MITS statement by interviewing staff and management team members, reading relevant documents, and visiting operational sites to observe the IT security measures in place;
- reviewing the processes and methodologies followed by Service Canada to report the status of each MITS standard; and
- optionally conducting a detailed assessment of compliance with MITS for selected policy statements.


2.0 AUDIT FINDINGS

Audit Objective

The objective of this audit was to review the compliance of each MITS statement to provide an unbiased and independent opinion on the state of implementation of IT security measures and compliance with MITS.

Findings by Criterion

A summary of the findings for each of the 52 criteria can be found in the body of this report. Each summary includes audit observations and analysis. In areas where Service Canada was found to be non-compliant, the audit team included an assessment of the risk posed to Service Canada and recommendations to mitigate these risks. The audit team's analysis identified a number of strengths and areas that could be improved in Service Canada's compliance with MITS and in the management of IT security in general.

The audit team found that, as of March 31, 2007, Service Canada was in compliance with 32 of the 52 mandatory MITS standards. The remaining 20 areas of non-compliance were ranked by the level of perceived risk to the organization as follows:

YELLOW indicates that nine out of 52 criteria do not comply with the MITS and pose a LOW level of risk.
ORANGE indicates that seven out of 52 criteria do not comply with the MITS and pose a MEDIUM level of risk.
RED indicates that four out of 52 criteria do not comply with the MITS and pose a HIGH level of risk.
GREEN indicates the 32 remaining criteria for which Service Canada was fully compliant with MITS.

The four criteria that raise the highest level of concern are:


A chart itemizing each of the 52 question criteria is presented in the following table. Each question was rated GREEN (Compliant), YELLOW (Low), ORANGE (Medium) or RED (High).

QUESTIONS
1. IT security coordinator's role and responsibilities
2. IT security coordinator's secret security clearance
3. Departmental Security Officer's role and responsibilities
4. Chief Information Officer's role and responsibilities
5. Culture of security in the department
6. Segregation of duties
7. Security clearance for privileged access
8. IT Security Policy
9. IT security requirements for new systems
10. IT security requirements for departmental priorities
11. Project security requirements
12. IT security clauses for contracts of goods and services
13. Security requirements - Review of life cycle stages
14. Criticality and sensitivity of IT assets and information
15. Written agreements to share information
16. Risk assessment of new and changed systems
17. TRA for systems, services and programs
18. Certification of system before implementation
19. Accreditation of systems
20. Procedure to follow to report an IT incident
21. Trusted time and event logging
22. Detection of network intrusion
23. Incident detection tools performance
24. Enabling of audit logs
25. Central point of communication to report IT incidents
26. Documentation of IT incidents
27. PSEPC threat and risk briefings and conferences
28. Communication with PSEPC for serious IT incident
29. Tracking and review of vulnerability status
30. Applying fixes and patches for vulnerability sources
31. Regular vulnerability assessments for sensitive systems
32. Action taken based on PSEPC advisories and alerts
33. Business continuity planning (BCP) (development)
34. Business continuity planning (BCP) (testing)
35. Regular reminder of security responsibilities
36. IT security responsibilities
37. IT security awareness
38. Appropriate IT security training
39. IT security requirements in accommodation
40. Protection of portable devices
41. Disposal and destruction for IT media
42. Marking of classified and protected IT media
43. Onsite and offsite backup protection
44. Least privilege principle
45. PKI procedure
46. Encrypted sharing of protected information
47. Network security and perimeter defence
48. Safeguards protecting external access points
49. Accessing Service Canada information from remote locations
50. Authentication at wireless access points
51. Controlled monitoring of access to telecommunication
52. Use of antivirus software

TOTAL: GREEN 32, YELLOW 9, ORANGE 7, RED 4

In the following pages, a description of the findings is presented for each MITS standard.

Question 1
Has an IT Security Coordinator role been filled, and does that role include the following?
- Reviews and recommends approval of Service Canada's IT security policies and standards, and all policies that have IT security implications;
- Monitors compliance with these standards and associated documentation, and promotes IT security in Service Canada;
- Ensures review of the IT security related portions of Requests for Proposals and other contracting documentation, including Security Requirements Checklists, and recommends approval of all contracts for external providers of IT security services; and
- Works closely with the CIO and DSO as well as with program and service delivery managers.

Question 2
Has the IT Security Coordinator position been screened to the secret level or higher?

Question 3
Has the DSO role been filled and does that role include the following?
- Directs a departmental security program, and provides a list of their responsibilities?
- Working with the ITSC, ensures that physical, personnel and IT security stakeholders coordinate their efforts?

Question 4
Has the Chief Information Officer (CIO) role been filled and does that role include the following?
- Working with the ITSC, ensures that appropriate security measures are applied to all departmental Information Management (IM) and IT assets, activities and processes?
- Working with the DSO, ITSC, and BCP Coordinator, ensures a comprehensive approach to continuous service delivery?

Question 5
Is a "culture of security" actively being fostered in the organization?

Question 6
To ensure that no one single person has complete control of an entire IT system or a major operational function, does your department segregate IT responsibilities as much as possible?

Question 7
Are there measures in place to ensure that all personnel (including contractors) with privileged access to critical systems are cleared to at least the secret level?


Question 8
Does your department have an IT security policy that has been approved by senior management and meets the following requirements?
- Defines the roles and responsibilities of program and service delivery managers, the Chief Information Officer, departmental legal, privacy specialists and security specialists, and other personnel with regard to IT security.
- Makes the necessary connections with other departmental policies, standards, and legal and regulatory requirements that relate to IT security (e.g., an acceptable use policy).
- States the requirement for making IT security an integral part of program and service delivery.
- States a requirement for seeking funding in support of IT security requirements.
- States requirements for the review and revision of Service Canada's IT security policy and supporting documentation.

NOTE: The IT Security Policy could be a separate document or statements within Service Canada's security policy.

Question 9
In planning new programs, services or major upgrades to existing programs or services, are there processes in place to ensure that managers determine the IT security requirements and include resource requirements in funding requests?

Question 10
Does senior management address IT security requirements when defining departmental priorities and strategic directions, program objectives, budget and personnel allocations?

Question 11
Are IT Project Managers required to ensure that project security requirements are met through the development and implementation of technical security specifications?

Question 12
Before issuing a contract, does your department have a process in place to determine if IT security is relevant to the goods or services to be provided, and if so, account for the security requirements at every stage of contracting?

Question 13
Are processes in place to ensure that security requirements for systems/services are reviewed in each of the following life cycle stages:
- Initiation;
- Development/implementation;
- Production release;
- Production (periodic reviews);
- Retirement or replacement; and
- Disaster recovery.

Question 14
Have you determined the criticality and sensitivity of your department's information and IT assets?

NOTE: This should not be confused with asset management. This requirement of MITS is really about identifying the information and systems within your organization and classifying them according to their sensitivity/criticality (confidentiality, availability, and integrity and value to your department's business and to the government as a whole).

Question 15
If your department shares information or services, are there written agreements in place that define the terms and conditions of the arrangement, and are those agreements respected?

Question 16
Is there a process in place to ensure that new or significantly changed systems have a risk assessment conducted on them?

NOTE: A TRA generally starts with a statement of sensitivity (SOS). If the SOS shows that the data is not sensitive, then Service Canada may decide to accept the risks of not proceeding further; if the data's sensitivity is low, a TRA-lite process could be used; and if the data is highly sensitive, a more rigorous TRA may be required. This is acceptable provided the risk sign-off is documented.

Question 17
Has a threat and risk assessment (TRA) been done for each of your department's existing programs, systems or services?

NOTE: A TRA generally starts with a statement of sensitivity (SOS). If the SOS shows that the data is not sensitive, then Service Canada may decide to accept the risks of not proceeding further; if the data's sensitivity is low, a TRA-lite process could be used; and if the data is highly sensitive, a more rigorous TRA may be required. This is acceptable provided the risk sign-off is documented.

Question 18
Are appropriate security reviews and testing completed, documented and used to support an informed risk acceptance decision of a new or significantly changed system or service before it is deemed production ready? (Certification)

NOTE: The security testing will vary depending on the type of system and the risk associated with it. At the low risk end it could be a simple check of top security vulnerabilities, and at the high end it could be in-depth penetration testing, design review, and requirements validation.

Question 19
Are new or significantly changed systems or services accepted by senior management, business owners, or another appropriate body before they are deemed production ready? (Accreditation)

Question 20
Are your users and IT support staff provided the procedures to follow in the event of an incident?

Question 21
Has your department implemented services such as trusted time and event logging in support of security services?

Question 22
Is your department able to detect the following within a risk-managed timeframe?
- attempts (failed or successful) to gain unauthorized access to a system, or to bypass security mechanisms;
- unauthorized probes or scans to identify system vulnerabilities;
- unplanned disruption of systems or services;
- denial-of-service attacks;
- unauthorized changes to system hardware, firmware, or software;
- system performance anomalies; and
- known attack signatures.

Question 23
Are automated, real-time, incident detection tools incorporated in high risk systems?

Question 24
Are audit logs enabled on your IT systems?

Question 25
Is there an individual or group that is the point of communication for government-wide incidents?

Question 26
Does your department document how incidents were handled, including the background on how the incident occurred, time detected, actions taken, rationale for decisions taken, and reporting?
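Questions 21 through 24 ask whether trusted time and event logging exist, whether unauthorized access attempts, probes, unauthorized changes and known attack signatures are detected within a risk-managed timeframe, and whether audit logs are enabled. The following Python is an added example of what such detection checks look like when run over log lines; it is not part of the audit report and not Service Canada's tooling. The log format, the sample log lines, the file contents used for the change baseline, the thresholds and the signature patterns are all constructed for the illustration.

```python
"""Added example: detection checks over constructed log lines.

Log format (constructed for this example):
    "<ISO-8601 time> <source> <event> key=value ..."
"""
import hashlib
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)(?: (.*))?$")


def parse_log(text):
    """Parse log lines into event dicts carrying a real datetime.

    Window-based checks below assume every source stamps events from a
    trusted, synchronised time base (the "trusted time" of Question 21).
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip it rather than crash the detector
        ts, src, kind, rest = m.groups()
        fields = dict(kv.split("=", 1) for kv in (rest or "").split() if "=" in kv)
        events.append({"time": datetime.fromisoformat(ts), "src": src, "kind": kind, **fields})
    return events


def _burst_sources(events, kind, key, threshold, window_s):
    """Sources with >= threshold events of `kind` (distinct `key` values when
    key is given) inside any sliding window of window_s seconds."""
    per_src = defaultdict(list)
    for e in events:
        if e["kind"] == kind:
            per_src[e["src"]].append(e)
    flagged = {}
    for src, evs in per_src.items():
        evs.sort(key=lambda e: e["time"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["time"] - evs[start]["time"] > timedelta(seconds=window_s):
                start += 1
            bucket = evs[start:end + 1]
            count = len({e.get(key) for e in bucket}) if key else len(bucket)
            if count >= threshold:
                flagged[src] = count
                break
    return flagged


def detect_failed_logins(events, threshold=5, window_s=60):
    """Repeated authentication failures from one source: unauthorized access attempts."""
    return _burst_sources(events, "auth_fail", None, threshold, window_s)


def detect_port_scan(events, threshold=10, window_s=60):
    """One source touching many distinct destination ports quickly: a probe or scan."""
    return _burst_sources(events, "connect", "dport", threshold, window_s)


# Constructed signatures for the "known attack signatures" check.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "shell-metachar": re.compile(r"[;|`]"),
}


def detect_signatures(events):
    """Match request paths against known signatures; returns (src, signature, path) hits."""
    hits = []
    for e in events:
        path = e.get("path", "")
        for name, rx in SIGNATURES.items():
            if rx.search(path):
                hits.append((e["src"], name, path))
    return hits


def baseline_hashes(files):
    """Record a SHA-256 baseline of file contents (name -> hex digest)."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def detect_unauthorized_changes(baseline, current_files):
    """Files whose content no longer matches the approved baseline (added or removed files too)."""
    now = baseline_hashes(current_files)
    return sorted(n for n in set(baseline) | set(now) if baseline.get(n) != now.get(n))


# --- Constructed sample data (not real logs) ---------------------------------
SAMPLE_LOG = "\n".join(
    [f"2007-03-01T09:00:{s:02d} 10.0.0.5 auth_fail user=jdoe" for s in (1, 4, 7, 9, 12)]
    + ["2007-03-01T09:00:15 10.0.0.5 auth_ok user=jdoe",
       "2007-03-01T09:10:00 10.0.0.9 auth_fail user=asmith"]
    + [f"2007-03-01T09:30:{i:02d} 192.0.2.7 connect dport={20 + i}" for i in range(12)]
    + ["2007-03-01T09:40:00 10.0.0.12 connect dport=443",
       "2007-03-01T09:40:05 10.0.0.12 connect dport=80",
       "2007-03-01T09:41:00 198.51.100.4 http_request path=/app/../../private/keys",
       "2007-03-01T09:42:00 10.0.0.12 http_request path=/app/home"]
)
BASELINE_FILES = {"/etc/app/config.ini": b"mode=prod\n", "/usr/local/bin/svc": b"placeholder-binary-v1"}
CURRENT_FILES = {"/etc/app/config.ini": b"mode=prod\ndebug=1\n", "/usr/local/bin/svc": b"placeholder-binary-v1"}


def run_detections(log_text=SAMPLE_LOG, baseline=None, current_files=CURRENT_FILES):
    """Run every check and return the findings keyed by detection category."""
    events = parse_log(log_text)
    baseline = baseline_hashes(BASELINE_FILES) if baseline is None else baseline
    return {
        "failed_login_bursts": detect_failed_logins(events),
        "port_scans": detect_port_scan(events),
        "signature_hits": detect_signatures(events),
        "changed_files": detect_unauthorized_changes(baseline, current_files),
    }


if __name__ == "__main__":
    for category, finding in run_detections().items():
        print(f"{category}: {finding}")
```

The window-based checks only give meaningful results when the log sources share a trusted time base; a source whose clock drifts will split one burst into several or merge unrelated events. The thresholds and window sizes are placeholders and would be set from the risk-managed timeframe the standard refers to, and the change check is only as good as the baseline it is compared against, which is why the baseline is recorded separately from the live files.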

Question 27
Does your department participate in PSC (Public Safety Canada, previously known as Public Safety and Emergency Preparedness Canada (PSEPC)) threat and risk briefings and teleconferences?

Question 28
Do your incident response procedures include contacting PSC, and the appropriate law enforcement agency if the incident appears to be criminal, or CSIS if it has national security implications?

Question 29
Are there processes in place to ensure that your department tracks and periodically reviews vulnerability statuses?

NOTE: We recognize that some vulnerabilities cannot be completely fixed due to time, resource, or impact. However, if a vulnerability is not fixed, it should be tracked and periodically reviewed, as sometimes situations change and the priority on fixing the vulnerability changes with it.

Question 30
Does your department check various sources for vulnerability information and apply appropriate fixes or patches as required?

Question 31
For highly sensitive systems, are vulnerability assessments regularly conducted and results documented?

Question 32
Does your department take action based on PSC advisories and alerts?

Question 33 and Question 34
Does your department have a Business Continuity Plan for critical services?

NOTE: The BCP that your organization produces should be risk managed. As stated in the BCP standard, "a BCP is required for critical services and associated assets or other services and assets when warranted by a threat and risk assessment." A disaster recovery site is not required for all systems.

Is the Business Continuity Plan regularly updated, maintained and tested?


Question 35
Is the planning of IT security audits incorporated into the overall departmental internal audit planning process?

Question 36: Are personnel regularly reminded of their IT security responsibilities, and advised of current IT security concerns and issues?

Question 37: Are new personnel provided with IT security awareness in their orientation training?

Question 38: Is appropriate IT security training provided to IT security personnel?

Question 39: In planning for the accommodation of IT assets and information, are physical security requirements identified and implemented?

Question 40: Are appropriate steps being taken to ensure that laptops and other portable devices (and the information they contain) are properly protected?

Question 41: Are approved methods used to destroy or dispose of IT media containing classified or protected information?

Question 42: Are classified or protected IT media marked accordingly?

Question 43: Are your backups of medium and high availability systems or services stored in containers designed to resist fire and other environmental damage?

NOTE: This applies to both on-site and off-site backups.

Question 44: Is the least privilege principle applied when providing security access, and are access privileges removed when job functions change and the privileges are no longer required?


Question 45: Are appropriate measures in place to ensure effective key management, including protection and recovery of cryptographic keys?

Question 46: Is encryption used in the following situations?
- Electronic communication of classified and Protected C information (unless other approved CSE safeguards are in place).
- Protected A or B information, when supported by a TRA.
- Protected B information on wireless networks or the Internet.

Question 47: Has your department's network been segregated into zones, with perimeter defence and network security safeguards in place between zones?

Question 48: Are firewalls, routers and other perimeter defence safeguards in place to protect external network access points?

Question 49: Are there procedures in place for accessing departmental information and IT assets from outside government offices, and are personnel aware of their security responsibilities when working in these situations?

NOTE: This includes access from home, hotels, or other external sites.

Question 50: Does your department apply authentication at wireless access points?


Question 51: Are procedures in place to ensure that access to telecommunications wiring, spaces, and pathways is authorized, controlled and monitored in a manner appropriate to the sensitivity level of the information being transmitted?

Question 52: Is antivirus software installed and used, and is it updated as soon as practical?


3.0 CONCLUSION

While MITS standards are the same for every federal government organization, the effort required to implement them varies significantly from one organization to another. Assuring compliance with MITS in a small centralized organization is far easier than it is for an organization like Service Canada, with its numerous service delivery channels situated across Canada providing multiple services to many different clients and partners.

In such a rapidly changing and technologically complex environment, Service Canada's Innovation, Information and Technology Branch (IITB) did an enormous amount of work to comply with MITS and to protect Service Canada's information and IT assets against internal and external threats. During the MITS implementation, IITB underwent a massive reorganization which better positioned the branch to deal with security threats. At the same time, the reorganization slowed MITS implementation as new roles and responsibilities were identified and positions were staffed.

Service Canada has successfully enhanced or implemented many security controls, both soft (awareness and culture change controls) and hard (implementation of physical security controls). Service Canada's ongoing activities continue to demonstrate its commitment to complying with MITS and safeguarding confidential client information.

Statement of Assurance

In our professional judgment, sufficient and appropriate audit procedures have been conducted and evidence gathered to provide a high level of assurance and support the accuracy of the conclusions reached and contained in this report. The conclusions were based on observations and analyses of the situations as they existed at the time against the audit criteria. The conclusions are only applicable to Service Canada. This internal audit was conducted in accordance with the Treasury Board Policy on Internal Audit and the Institute of Internal Auditors Standards for the Professional Practice of Internal Auditing.


APPENDIX A: Management Action Plan

Columns: Internal Audit Recommendations | Management Plan Action(s) to be undertaken | Planned Completion Date | Responsibility Title and RC Number

December 31, 2007
IITB/Operations Branch: Bettylynn Stoops, DG
BCP Review Completed: December 2007
Compensatory Measures Implemented: February 2008
IS: Norm Smith, Manager, Infrastructure Program Office; Dave Beach, Director, IT Security Services; Nicole Gratton, Director, National Data Network Systems; Murray Jaques, Director, Distributed Computing Services; Réjean Poitras, Director, Hosting Technical Services; René Lalande, A/Director, Platform Engineering and Support Services; Al Gauthier, A/Director, Hosting Production Services

April 1, 2008
ATS: Donald Toussaint, A/Director, IT Security Centre of Excellence
Positions Identified: October 2007
Clearance Strategy: November 2007
IS: Norm Smith, Manager, Infrastructure Program Office
July 1, 2008
ATS: Donald Toussaint, A/Director, IT Security Centre of Excellence

Opportunity Management Working Group: November 2007
BMS: Paul Wagner, DG; ADS: Duc-Chi Tran, DG; ATS: Donald Toussaint, A/Director, IT Security Centre of Excellence
Solution Development Improvement: March 2009
PPQA: February 2008
BMS: Paul Wagner, DG; ADS: Duc-Chi Tran, DG
Solution Development Improvement: March 2009
ATS: Donald Toussaint, A/Director, IT Security Centre of Excellence

PPQA: February 2008
Solution Development Improvement: March 2009
IT Security Awareness for IT Project Managers: November 2008
BMS: Paul Wagner, DG; ADS: Duc-Chi Tran, DG; ATS: Donald Toussaint, A/Director, IT Security Centre of Excellence
PPQA: February 2008
BMS: Paul Wagner, DG; ADS: Duc-Chi Tran, DG
Solution Development Improvement: March 2009
ATS: Donald Toussaint, A/Director, IT Security Centre of Excellence

10.c: June 2008
IS: Brian Graham, Director, IT Service Management
PPQA Gating Process: February 2008
Solution Development Improvement: March 2009
BMS: Paul Wagner, DG; ADS: Duc-Chi Tran, DG

PPQA: February 2008
Initiate Business Case: April 1, 2008
Complete Assessments: March 31, 2012
BMS: Paul Wagner, DG; ATS: Donald Toussaint, A/Director, IT Security Centre of Excellence
Certification Process: November 2008
ATS: Donald Toussaint, A/Director, IT Security Centre of Excellence
Accreditation Process: November 2008
ATS: Donald Toussaint, A/Director, IT Security Centre of Excellence

Completed
IS: Dave Beach, Director, IT Security Services
Completed
IS: Brian Graham, Director, IT Service Management
MOUs Established: March 2008
Mission Critical Lists Created: June 2008
IS: Brian Graham, Director, IT Service Management
February 2008
July 2008
Internal Audit Branch: Denis Tisseur, Director, IT Audit

Study Completion: August 2008
ATS: Donald Toussaint, A/Director, IT Security Centre of Excellence; IS: Dave Beach, Director, IT Security Services
Q1 2008/2009
IS: Dave Beach, Director, IT Security Services, and Nicole Gratton, Director, National Data Network Systems; ATS: Donald Toussaint, A/Director, IT Security Centre of Excellence

April 2008
Internal Audit Branch: Malcolm Powell, Senior Director, Planning and Audit
Initiation: May 1, 2008
Completion: July 1, 2009
ATS: Donald Toussaint, A/Director, IT Security Centre of Excellence

Initiation: February 1, 2008
Completion: July 1, 2008
ATS: Donald Toussaint, A/Director, IT Security Centre of Excellence; IS: Dave Beach, Director, IT Security Services
IITB Portfolio Leads: Sylvie Desjardins (Service Development DGO); Kevin Dalliday (HRSDC DGO); Sue Blais (Transaction Processing DGO); Gisele Armstrong (Service Delivery Networks & Channels DGO); Brian Maither (Corporate Operations DGO)
Financial & Vendor Management Services: Susan Donovan-Brown

March 31, 2008
ATS: Donald Toussaint, A/Director, IT Security Centre of Excellence; IS: Dave Beach, Director, IT Security Services
Q1 2008/2009
IS: Dave Beach, Director, IT Security Services, and Nicole Gratton, Director, National Data Network Systems