Audit Guide - Information Technology Security

                                    AUDIT GUIDE

                        INFORMATION TECHNOLOGY SECURITY

                                         Evaluation, Audit and Review Group
                                                 Treasury Board Secretariat



                                                             September 1995



TABLE OF CONTENTS

Preface
Introduction
      Background
      Purpose
      Scope
      Guide Organization
CHAPTER 1 - MANAGEMENT ISSUES
      Security Environment
            1.1   Accountability Framework
            1.2   The Government Security Model
            1.3   The Information Technology Security (ITS) Model
            1.4   Roles and Responsibilities
            1.5   Risk Management Framework
CHAPTER 2 - CONDUCTING THE AUDIT
      Audit Objectives, Criteria and Detailed Criteria/Audit Procedures
      Organizing and Administering ITS
      Personnel Security
      Physical Security
      Hardware Security
      Software Security
      Communications Security
      Operations Security

APPENDICES

List of authorities and references
Suggested table of contents for ITS audit report
Glossary
Committees & Standards
Bibliography


PREFACE
This guide was prepared by the Information, Communications and Security
Policy Division, in consultation with the Evaluation, Audit and Review
Group of the Finance and Information Management Branch, Treasury Board
Secretariat.
Treasury Board Secretariat wishes to acknowledge the support, experience
and ideas of the following organizations, without which the development of
this guide would not have been possible:
   •  Communications Security Establishment (CSE)
   •  EDP Auditors Association (EDPAA)
   •  Government of Canada Informatics Organizations (representative
      departments)
   •  Government of Canada Internal Auditors (representative departments)
   •  Industrial & Corporate Security Directorate (ICSD) of PWGSC and
   •  RCMP Security Evaluation and Inspection Team (SEIT).


INTRODUCTION

Background 
   In 1990, the (former) Office of the Comptroller General released an
   exposure draft on Guide to the Audit of Security.  This initial draft
   served the self-assessment, audit and review communities well by
   providing direction for conducting government security policy (GSP)
   implementation audits and reviews. In June 1994, Treasury Board approved
   the revised GSP which reflects recent changes in the political world
   order and the Canadian and global economies as well as significant
   developments in the information technology (IT) environment and the
   associated information technology security environment. 
   This Audit Guide on Information Technology Security has been designed to
   function independently.  However, at a future date, it may well be that
   the objectives and criteria of this guide are incorporated into a
   revised Guide to the Audit of Security.

Purpose 
   This guide provides guidance to the internal audit community in
   conducting audits of the implementation of the Government Security
   Policy and the information technology security (ITS) operational
   standards.  Additionally, departmental management conducting a self-
   assessment of their department's IT security program, security officials
   conducting security reviews, and groups responsible for program review
   may benefit from the guidance provided by this guide in conducting their
   reviews.
   This guide is designed to assist organizations in assessing:
   •  departmental compliance with the Security Policy and ITS operational
      standards
   •  the effectiveness of implementation of the Security Policy and ITS
      operational standards and
   •  the efficiency of implementation of the Security Policy and ITS
      operational standards.

Scope 
   This guide is intended for use in all organizations subject to the
   Government Security Policy: all departments listed in Schedule I, Parts
   I and II of the Public Service Staff Relations Act; the Canadian Armed
   Forces, the Royal Canadian Mounted Police (RCMP); and the Canadian
   Security Intelligence Service.  The guide applies to both designated and
   classified information and assets, and to contracts.
   The guide will assist in auditing and reviewing departmental ITS
   operations.  For assistance in auditing and reviewing the overall
   organizational and administrative security framework, physical security
   operations, and personnel security operations, consult Guide 406,
   Guide To The Audit Of Security, Exposure Draft, published in 1990 by
   the Office of the Comptroller General.
   This guide deals with the Security Policy and Operational Standards
   which are the first and second tiers of the government security
   documentation model.  It does not provide detailed guidance in the
   analysis of compliance of Technical Security Standards (the third-tier
   security standards) such as those in the Technical Security Standards
   For Information Technology (TSSIT) published by the RCMP.  For
   assistance in auditing compliance with third-tier standards, consult the
   lead security agency responsible (RCMP and/or Communications Security
   Establishment (CSE)).
   For assistance in conducting a detailed comprehensive audit of a given
   ITS environment, consult the Bibliography in Appendix D.  Many of the
   references contain questionnaires and checklists.  Additionally, this
   audit guide is based on generic ITS audit criteria.  It may be necessary
   to obtain additional and more detailed information on the organization,
   policies, standards and procedures being reviewed.  The IT and ITS
   environments are highly technical and complex.  The audits will therefore
   require special attention to apparent deficiencies, which may be
   offset by compensating controls.
   If auditors encounter any difficulties or need further assistance in the
   interpretation of the Security Policy, they should contact the
   Information, Communications and Security Policy Division for policy
   interpretation, and the Evaluation, Audit and Review Group of Treasury
   Board Secretariat for audit questions.


Guide Organization 
   This guide is organized in the following manner:
   Chapter one, "Management Issues," provides an overview of current ITS
   issues, as they relate to overall IT issues.
   Chapter two, "conducting the Audit," outlines the procedures for
   auditing the implementation of the Government Security Policy and the
   ITS operational standards. The objectives, criteria, detailed criteria
   and audit procedures to be used in performing ITS audits are included in
   this section of the guide.
   The guide also contains a series of appendices: a list of authorities
   and references; a suggested table of contents for an ITS audit report; a
   glossary; a list of IT and ITS committees and standards; and a
   bibliography.


CHAPTER 1 - MANAGEMENT ISSUES
Security Environment
   1.1   Accountability Framework
   A fundamental principle of the Government Security Policy is the
   accountability of deputy heads for security within their departments. 
   The policy and operational standards outline requirements with which
   departments must comply.  The operational standards also include
   recommended safeguards to apply unless a threat and risk assessment
   indicates otherwise.
   If departments are to implement programs that are efficient and
   effective, they must be able to administer them within their particular
   mandates and according to their priorities, budgets, and organizational
   cultures and environments.  The policy recognizes this by defining broad
   requirements to ensure a certain level of security within a department
   or government as a whole, while allowing the discretion needed to
   respond to financial needs and other conditions.

   1.2   The Government Security Model
   The Government Security Policy and Operational Standards describe a
   departmental security program model having the following components:
   •  organizational structure
   •  administrative procedures and
   •  three (3) sub-systems:
      -  Physical Security,
      -  Information Technology Security, and
      -  Personnel Security.
   Therefore, where responsibility for the various sub-systems is assigned
   to different organizational units, or where it is decentralized, the
   sub-systems should be structured to support cooperative planning,
   management and administration.
   Refer to Chapter 2-1 of the Treasury Board Manual, Security Volume, for
   more information.

   1.3   The Information Technology Security (ITS) Model
   ITS is often described as the protection from threats using an
   integrated set of safeguards designed to ensure the confidentiality,
   integrity and availability of information electronically stored,
   processed or transmitted.
   The Operational Standards describe an ITS model with the following
   components:
   •  organizing and administering
   •  personnel security
   •  physical security
   •  hardware security
   •  software security
   •  communications security
   •  operations security.
   The effectiveness and efficiency of the ITS program depends upon the
   performance of each of these elements.  Therefore, where responsibility
   for the various ITS elements is assigned to different organizational
   units (for example, to an IT Security unit and a communications-
   electronic security (COMSEC) unit) or where it is decentralized, the
   elements should be structured to support cooperative planning,
   management and administration.
   ITS is most effective when it is accepted as just one of the many
   important requirements that system developers and maintainers need to
   consider.  ITS should not be an "add-on".  It should be viewed as an
   integral component of any given IT infrastructure.  When properly
   managed, it provides system and data owners with a return on investment.
   Refer to Chapter 2-3 of the Treasury Board Manual, Security Volume, for
   more detailed information.

   1.4   Roles and Responsibilities
   Senior Official
   Departments are required to appoint a senior official to represent the
   Deputy Head in dealings with Treasury Board Secretariat about the
   Security policy and standards.
   Departmental Security Officer (DSO)
   Departments must also appoint a DSO responsible for developing,
   implementing, maintaining, coordinating and monitoring a departmental
   security program consistent with the Security policy and standards.
   ITS Coordinator
   Departments must appoint an ITS Coordinator. This position should have a
   formal relationship with the DSO, either on a reporting or functional
   basis.
   COMSEC Authority
   Coordination of emanations and cryptographic security should be embodied
   in the role of a COMSEC authority.  This role may be filled by someone
   within the departmental security program or by CSE acting on behalf of
   the department.
   ITS Lead Agencies
   The two lead government agencies for ITS are the Royal Canadian
   Mounted Police (RCMP) and the Communications Security Establishment
   (CSE).  The RCMP Security Evaluation and Inspection Team (SEIT) carries
   out reviews of ITS, as per the schedule in the ITS operational
   standards.  CSE inspects, tests and evaluates COMSEC systems and
   procedures.  In addition, CSE's National Central Office of Records
   (NCOR) audits departmental COMSEC accounts.

   1.5   Risk Management Framework
   Conducting a threat and risk assessment is the fundamental principle in
   assessing the need for adequate security measures to protect sensitive
   information technology assets.  The Security policy requires departments
   to assess threats and risks to which sensitive information and assets
   are exposed, select risk-avoidance options, implement cost-effective
   safeguards, and develop contingency and business resumption plans, as
   required.  A department's IT system development life cycle methodology
   should include the appropriate steps for:
   •  coordination of security plans and implementation
   •  application of security risk management techniques throughout the
      life cycle and
   •  approval, selection and implementation of appropriate safeguards.
   When properly implemented, the security risk management process helps
   ensure that appropriate types and levels of protection are built in,
   thus avoiding less effective and costly retro-fit situations.  The
   process also confirms the need for minimum safeguards and shows the need
   for additional types or levels of safeguards.  Finally, it provides
   value-added by increasing awareness and support for the ITS program.


CHAPTER 2 - CONDUCTING THE AUDIT

Audit Objectives, Criteria and Detailed Criteria/Audit Procedures
   This chapter identifies specific program objectives, criteria and audit
   procedures to be used in performing ITS audits.  They were chosen
   because they best approximate the requirements of the Security Policy
   and Operational Standards relating to establishing and maintaining an
   effective and efficient ITS program and represent best practices of
   previously audited security programs.
   Auditors may wish to add, modify or delete the specific objectives,
   criteria and detailed criteria in order to tailor the audit process to
   their organization. 
   The following audit objectives are grouped based on the main sections of
   the June, 1994 ITS Operational Standards:
   Organizing and Administering ITS
   1.  Ensure that an ITS management structure is in place and meets the
       needs of the department.
   2.  Ensure that ITS safeguards are implemented, maintained, monitored and
       adjusted, within a risk management environment.
   3.  Ensure that the information technology (IT) resources are
       appropriately managed.
   4.  Ensure that ITS equipment is appropriately managed, repaired,
       maintained and disposed.
   5.  Ensure that cryptographic materiel is appropriately managed,
       repaired, maintained and disposed.
   6.  Ensure that departmental ITS undergoes regular monitoring and review.
   Personnel Security
   7.  Ensure that personnel having access to IT systems/networks/
       applications that process, transmit or store sensitive information
       are appropriately screened before being given access and are aware of
       their security-related responsibilities.
   Physical Security
   8.  Ensure that IT is developed and maintained with consideration given
       to its physical and environmental security requirements.
   Hardware Security
   9.  Ensure that IT is developed and maintained with consideration given
       to its hardware security requirements.
   Software Security
   10. Ensure that IT is developed and maintained with consideration
       given to its software security requirements.
   Communications Security
   11. Ensure that IT is developed and maintained with consideration
       given to its general communications security requirements.
   12. Ensure that networks and network applications are developed and
       maintained with consideration given to their security requirements.
   13. Ensure that IT is developed and maintained with consideration
       given to electronic authorization and authentication (EAA) security
       requirements.
   14. Ensure that IT is developed and maintained with consideration
       given to emanations security requirements.
   Operations Security
   15. Ensure that ITS operations are in place and meet the needs of the
       department.


   ORGANIZING AND ADMINISTERING ITS


   Objective #1
   Ensure that an Information Technology Security management structure is
   in place and meets the needs of the department.

   Criterion 1.1           Security management responsibilities are
                           established, defined and assigned.

   Detailed criteria/Audit Procedures:

   1.1.1     Obtain a copy of the most recent departmental security
             organization chart(s).  Determine its adequacy in portraying
             all security relationships (both line and functional).
   1.1.2     Determine whether a senior official has been formally
             appointed to represent the deputy head in dealings with the
             Treasury Board Secretariat on matters concerning the security
             policy and standards.
   1.1.3     Determine whether a Departmental Security Officer (DSO) has
             been formally appointed by the deputy head and if the DSO
             position is sufficiently senior.
   1.1.4     Determine whether an ITS Coordinator has been formally
             appointed and if the ITS Coordinator has at least a
             functional relationship with the DSO.
   1.1.5     Determine whether a separate position for a Communications-
             electronic Security (COMSEC) Authority has been formally
             appointed, or if the Communications Security Establishment
             (CSE) has been appointed to act on behalf of the department.
             Assess whether the working relationship of this position with
             the position of the ITS Coordinator is appropriate.
   1.1.6     Review the key ITS position descriptions to determine if the
             required duties and responsibilities have been included.
             Determine whether the position descriptions reflect the
             current organizational needs.  Determine what priority and
             percentage of time is allotted directly to security related
             duties.
   1.1.7     Interview key ITS personnel on their knowledge of the
             security requirements of their positions.  Determine the
             actual percentage of time spent on ITS matters and compare
             with that in the position description.
   1.1.8     Interview selected middle and senior responsibility centre
             managers, who are responsible for significant IT, such as
             critical local area networks (LANs), wide-area networks
             (WANs), or traditional datacentres, to determine their
             knowledge of their ITS responsibilities.  Determine if their
             position descriptions include ITS duties and
             responsibilities.
   1.1.9     Interview select LAN/WAN/datacentre managers to determine
             their knowledge of their ITS responsibilities.  Determine if
             their position descriptions include ITS duties and
             responsibilities.
   Criterion 1.2           An ITS planning process is in place.
   Detailed Criteria/Audit Procedures:
   1.2.1     Obtain copies of  past security audits, management self-
             assessment reviews, security program reviews, internal
             security reviews, RCMP Security Evaluation and Inspection
             Team (SEIT) reviews, CSE reports and any other related
             security reports.
   1.2.2     Determine whether there is a formal plan for ITS for the
             current fiscal year or whether it is a sub-set of the overall
             security plan.  Determine whether the plan was developed in
             concert with, and in consideration of, other critical
             departmental plans and reports, such as: overall security
             plans; IT plans and strategies; information management plans
             (IMPs); the departmental business plan; RCMP SEIT reports;
             CSE reports; and inter-departmental ITS committee
             recommendations.
   1.2.3     Review the level of funding of ITS in relation to the level
             of funding for IT.  Consider the implications of any
             significant changes in the level of funding and whether the
             level of funding is adequate. 
   1.2.4     Examine the plan for completeness, reasonableness of its time
             frames, adequacy of resources (including financial,
             personnel, and information) and authorization.
   1.2.5     Ensure that the plan addresses the implementation of the
             security policy, and the ITS standards.
   1.2.6     Ensure that the plan addresses the management-accepted
             recommendations of past security audits and reviews.
   1.2.7     Verify that the plan addresses the requirement for developing
             contingency plans to restore computer operations following an
             interruption within the specified time as set out in the
             statement of sensitivity. 
   1.2.8     Verify that the plan considers the whole of the
             organization's ITS needs such that it would create economies
             of scale (e.g. acquisition of computer virus software or
             laptop computer access control software).
   1.2.9     For interdepartmental activities requiring Treasury Board
             submissions for IT systems, determine whether other
             potentially affected departments were provided the
             opportunity to help formulate security plans. 
   1.2.10    For departmentally shared IT systems, determine whether the
             other departments were afforded the opportunity to jointly
             assess threats and risks, agree on security requirements,
             safeguards, terms and conditions.  
   1.2.11    For departmentally shared IT systems, determine whether
             security terms and conditions are agreed to in a Memorandum
             of Understanding.  
   Criterion 1.3           Necessary functional linkages exist.
   Detailed Criteria/Audit Procedures:
   1.3.1     Determine whether internal linkages exist between the ITS
             function(s) and other administrative functions in the
             organization, such as:
             •  the EDP and/or telecommunications organization(s) (if
                separate from ITS)
             •  IT outsourcing contractor
             •  information management (if separate from ITS)
             •  materiel management
             •  property management and
             •  personnel management.
   1.3.2     Verify whether the ITS Coordinator has instituted a
             distributed network of formally appointed, local, part-time,
             ITS officers (for example, LAN Administrators formally
             appointed as local ITS officers, and having their ITS duties
             incorporated into their position descriptions).  Verify if
             the network is kept current.
   1.3.3     If an ITS personnel network exists, interview select local
             ITS officers.  Determine the extent to which they are given
             adequate direction and support from the ITS Coordinator.
             Assess if they know, and work with, their local physical
             security/personnel screening officer (if similar personnel
             networks exist).
   1.3.4     Determine the extent to which the ITS Coordinator
             participates in intra-departmental IT committees, working
             groups, and projects.  Determine the level of visibility the
             ITS function has in each of these committees, groups and
             projects.
   1.3.5     Determine whether external linkages exist between the ITS
             function(s) and outside agencies such as:
             •  Royal Canadian Mounted Police (lead security agency)
             •  Communications Security Establishment (lead security
                agency)
             •  Canadian Security Intelligence Service (for specific
                threat assessment information) and
             •  Emergency Preparedness Canada (for specific emergency
                planning information).
             Contact the two lead ITS agencies.  Determine their
             involvement in the ITS activities of the organization being
             audited during the past several years.  Determine whether
             departmental units contact the lead security agencies
             directly and if the ITS Coordinator is aware of all security
             lead agency involvement in the department.
   1.3.6     Determine the extent to which the ITS Coordinator
             participates in inter-departmental ITS committees such as the
             Information Technology Security Committee (ITSC) and the
             Communications-Electronic Security Committee (CSC).
   1.3.7     Determine if committee representatives are appropriate. 
             Consider the technical expertise of representatives,
             experience in such roles, and authority levels of
             representatives.

   Criterion 1.4           ITS policies, practices, standards, procedures,
                           directives and bulletins are current and
                           communicated to all personnel.
   Detailed Criteria/Audit Procedures:
   1.4.1     Examine the departmental security policies, practices and
             procedures documentation to determine if they adequately
             address the ITS component and if they are current.  Ensure
             that policies address, as a minimum, the requirements of
             Chapter 2-3 of the Security Policy.  More specifically,
             determine if policies, practices and procedures exist for the
             following areas:
             •  Organizing and Administering ITS
                -  organizing
                -  responsibilities and accountabilities
                -  planning including contingency planning
                -  security risk management
                -  certification and accreditation
                -  maintenance
                -  managing cryptographic materiel
                -  monitoring and reviewing
             •  Personnel Security
             •  Physical Security
             •  Hardware Security
             •  Software Security
             •  Communications Security and
             •  Operations Security.
   1.4.2     Determine whether departmental policies, practices and
             procedures for planning, implementing and maintaining
             information management and IT reflect current ITS policies,
             practices and procedures.  Determine whether they include
             requirements for consultation with departmental security
             officials and for the timely use of security documentation
             such as statements of sensitivity, threat and risk
             assessments, and security requirements checklists (SRCLs) for
             use in contracting.  Assess whether they emphasize the use of
             ITS minimum standards and risk management.
   1.4.3     Determine whether the ITS-related policies, practices and
             procedures contain adequate information to allow key
             personnel to carry out their ITS-related duties.
   1.4.4     Ensure that the policies and practices emphasize the
             importance of balancing the need for security with
             associated costs.
   1.4.5     Determine whether the ITS-related policies, practices and
             procedures refer readers to the third-tier documents (as
             described in the security documentation model), such as the
             Technical Security Standards for Information Technology
             (TSSIT).
   1.4.6     Determine whether the ITS policies, practices and procedures
             have been formally promulgated by senior management.
   1.4.7     Determine whether the policies, practices and procedures have
             been communicated to all personnel.  Interview select
             responsibility centre managers and personnel to determine
             their knowledge and understanding of them.
   1.4.8     Determine whether TBS Security Policy Implementation Notices
             (SPINs), RCMP ITS Bulletins, and CSE Information Bulletins
             and Advisories are regularly distributed to departmental
             managers and others with a need-to-know.
   1.4.9     Determine the extent to which departmental security bulletins
             are being developed and regularly distributed to all
             personnel.


   Objective #2
   Ensure that Information Technology Security safeguards are implemented,
   maintained, monitored and adjusted, within a risk management
   environment.


   Criterion 2.1           Adequate ITS risk management methodology,
                           procedures and capability exist.

   Detailed Criteria/Audit Procedures:
   2.1.1     Determine if the department uses a system development life
             cycle approach to designing, building and maintaining IT.
             Assess how formal it is.  Verify if the System Development
             Life Cycle contains directions for developing and maintaining
             security (Chapter 2-3, Article 2.2) and if it provides for
             the development of security related deliverables including:
             •  system security plan
             •  statements of sensitivity
             •  mode of operation
             •  threat and risk assessment
             •  system security requirements
             •  system security safeguards
             •  safeguard certification and
             •  system accreditation.
             Assess whether the methodology provides for ensuring that
             electronic privacy concerns are addressed where the system
             being developed processes personal information.
             Determine the extent to which the departmental ITS Coordinator
             has participated in the development of these requirements.
             Verify if these are based on a risk management approach.
   2.1.2     Determine whether ITS personnel have adequate knowledge,
             experience and capability in the area of security risk
             management.  Determine if personnel have attended training
             courses covering security risk management which are offered
             by the lead security agencies, private training institutions
             or other organizations.
   2.1.3     Determine whether the ITS function by itself, or through the
             IT unit, has developed and distributed ITS risk management
             methodology and procedures to those who need it.
   2.1.4     Determine whether the ITS Coordinator regularly provides
             security risk management training and awareness to IT
             developers and maintainers.
   2.1.5     Verify whether each security deliverable is reviewed and
             signed-off by the appropriate Responsibility Centre Manager
             and Security Officer.
   Criterion 2.2           Risk decisions are based on adequate
         information.
   Detailed Criteria/Audit Procedures:
   2.2.1     Determine whether the threat assessment process begins with
             the identification and scoping of information and assets,
             with a focus on those which are sensitive and/or valuable.
   2.2.2     Ensure that statements of sensitivity (containing
             confidentiality, integrity and availability requirements) are
             developed as a precursor to threat and risk assessment, for
             all systems, applications, and networks.
   2.2.3     Determine whether the following sources are consulted for
             current threat information:
   -    RCMP (threat information related to criminal matters, computer
        and physical security)
   -    CSIS (threat information related to terrorism, espionage, and
        sabotage)
   -    CSE (threat and vulnerability information related to
        telecommunications, and electronic information processing)
   -    Emergency Preparedness Canada (threat information related to
        civil disaster)
   -    Natural Resources Canada (threat information related to
        earthquakes, wind, tornado, flooding and other natural threats)
   -    Local police forces (threat information related to local
        criminal matters)
   -    Local fire departments (threat information related to local fire
        statistics) and
   -    Departmental internal affairs/investigation units (threat
        information related to local criminal matters).
   2.2.4     Determine whether the departmental ITS Coordinator maintains
             a repository of current ITS threat information for use by
             security officials, IT managers, and others.
   Criterion 2.3           All new IT is developed under the departmentally
         approved ITS risk management framework.
   Detailed Criteria/Audit Procedures:
   2.3.1     Obtain a list of all current IT development projects.  Select
             a sampling of varying size and complexity to examine.  Also
             select for analysis a shared government system which the
             department will be or is using. 
   2.3.2     Determine whether project planning includes scheduling and
             budgeting for security.
   2.3.3     For departmental systems, interview the project managers. 
             Review key development deliverables.  Determine the extent to
             which the projects are following the approved method(s) for
             defining and implementing security requirements.  Determine
             if deliverables such as the following were produced:
   -    system security plan
   -    statements of sensitivity
   -    mode of operation
   -    threat and risk assessment
   -    system security requirements
   -    system security safeguards
   -    safeguard certification and
   -    system accreditation.
   2.3.4     Determine whether the Departmental Security Officer or
             Information Technology Security (ITS) personnel are consulted
             at the beginning of IT development projects.  Determine the
             extent to which they become involved during the course of the
             project.  If ITS personnel are unable to handle all requests
             for ongoing project assistance, determine if they are able to
             assist in the hiring and monitoring of ITS contractors.
   2.3.5     Interview the departmental Office of Primary Interest
             relative to the security of the shared government system. 
             Assess if security safeguards which the department had to
             implement were provided or described by the sponsoring
             department. Determine if these safeguards were agreed upon by
             the department and the sponsoring department in a formal
             document, such as a security memorandum of understanding. 
             Determine the extent to which the department has implemented
             these safeguards.
   2.3.6     For systems requiring Electronic Authorization and
             Authentication (EAA) security services, determine whether CSE
             has been consulted through the DSO, and has approved all
             related EAA cryptography and key management systems. (EAA
             Policy, Financial Management Volume, Treasury Board Manual;
             Chapter 2-3, Article 5.3.3)
   Criterion 2.4           All operational IT is maintained under the
         departmentally approved ITS risk management framework.
   Detailed Criteria/Audit Procedures:
   2.4.1     Acquire a list of all operational IT systems, networks and
             applications.  Select several of varying size and complexity
             to examine.
   2.4.2     Interview the responsibility centre managers.  Determine the
             extent to which the systems are following the approved
             method(s) for maintaining security requirements.
             Determine whether threat and risk assessments are updated
             under the following conditions:
   -    whenever there is a major security policy change
   -    on an ongoing basis (usually annually)
   -    whenever a security breach occurs and
   -    whenever there is a significant change in the IT or business
        environment.
             Determine the extent to which the security officer
             responsible for the IT is involved in the configuration
             management process.  Ensure that this person signs off any
             substantive change, after analyzing its possible impacts, and
             provides recommendations for security safeguard changes.
   2.4.3     Interview the manager from the project office of primary
             interest (OPI) for the shared government system.  Determine
             the extent to which the department  has continued to
             implement, monitor and modify as necessary the agreed upon
             safeguards.


   Objective #3    
   Ensure that access to  Information Technology resources is appropriately
   managed.


   Criterion 3.1           Departmental procedures are in place to control
         the authorization and access to IT systems. 

   Detailed criteria/Audit procedures
   3.1.1     Using a sample of IT areas or systems, determine whether
             policies and procedures exist to control the following:
   -    issuing of IT access privileges
   -    withdrawing access privileges when employees conclude their
        employment and
   -    withdrawing these privileges when employees' duties no longer
        require them.
   3.1.2     Determine whether access control records for sensitive
             material, keys, codes, combinations, badges and system
             passwords are appropriately managed.


   Objective #4
   Ensure that Information Technology Security equipment is appropriately
   managed, repaired, maintained and disposed.


   Criterion 4.1           Policies, practices and procedures for proper
         ITS equipment management, repair, maintenance and disposal are in
         place. 


   Detailed Criteria/Audit Procedures:
   4.1.1     Examine the departmental security policies, practices and
             procedures documentation to determine if it adequately
             addresses the management, repair, maintenance and disposal of
             ITS equipment. 
   4.1.2     Determine whether these policies, practices and procedures
             contain adequate information to allow key personnel to carry
             out their ITS-related duties.


   Criterion 4.2           Personnel responsible for repair and maintenance
         of ITS equipment have undergone appropriate training, are aware
         of current issues, and are following departmental policies,
         practices and procedures.

   Detailed Criteria/Audit Procedures:
   4.2.1     Determine whether ITS policies, practices and procedures have
             been communicated to all personnel concerned. Interview
             selected responsibility centre managers and repair and
             maintenance personnel to determine their knowledge of them.
   4.2.2     Determine the extent to which personnel responsible for
             repair and maintenance of ITS equipment receive regular and
             current training.  Verify if the level of training is
             commensurate with the level of complexity and sophistication
             of the work environment.
   4.2.3     Obtain the personnel security screening requirements for
             repair and maintenance positions and compare them to the
             level of status or clearance for the incumbents  of these
             positions.
   4.2.4     Determine whether the ITS Coordinator or the COMSEC Authority
             is consulted before TEMPEST and COMSEC equipment and
             material, including Controlled Cryptographic Items (CCI), is
             repaired. (Note: for definitions of COMSEC and TEMPEST, see
             Appendix C.) 
   4.2.5     Determine if IT systems' electronic media is removed or
             sanitized in accordance with policies, practices and
             procedures before being sent out for repair.
   4.2.6     Analyze the most recent COMSEC Authority's account inventory
             to determine if any outstanding problems exist in the COMSEC
             handling capability.
   4.2.7     Determine whether repair and maintenance of ITS equipment is
             carried out only by qualified and properly screened or
             supervised personnel. 


   Objective #5
   Ensure that cryptographic materiel is appropriately managed, repaired,
   maintained and disposed.  

   Criterion 5.1           Policies, practices and procedures for proper
         cryptographic materiel management, repair, maintenance and
         disposal are in place.

   Detailed Criteria/Audit Procedures:
   5.1.1     Examine the departmental security policies, practices and
             procedures documentation to determine if they adequately
             address the management of cryptographic equipment and
             materiel in accordance with instructions issued by the
             National Central Office of Record (NCOR) of CSE.
   5.1.2     Determine whether these policies, practices and procedures
             contain adequate information to allow key personnel to carry
             out their COMSEC disposal and destruction related duties.


   Criterion 5.2           Personnel responsible for the disposal and
         destruction of cryptographic materiel and publications have
         undergone appropriate training, are aware of current issues, and
         are following departmental policies, practices and procedures.


   Detailed Criteria/Audit Procedures:
   5.2.1     Determine whether the policies, practices and procedures have
             been communicated to all personnel concerned.  Interview
             selected responsibility centre managers and the ITS
             Coordinator or COMSEC Authority to determine their knowledge
             and understanding of them.
   5.2.2     Determine the extent to which personnel charged with the
             disposal and destruction of cryptographic materiel receive
             regular and current training.
   5.2.3     Determine whether disposal of cryptographic materiel and
             publications is carried out according to instructions issued
             by CSE.  
   5.2.4     Analyze several recent disposal or destruction records to
             determine if proper practices and procedures were followed. 

   Objective #6
   Ensure that the departmental  Information Technology Security undergoes
   regular monitoring and review.


   Criterion 6.1           The department conducts an internal audit of
   security, including ITS, at least once every five years.
   Detailed Criteria/Audit Procedures:

   6.1.1     Verify if management supports regular monitoring of security
             operations or activities.
   6.1.2     Determine when the last internal audit of security (including
             ITS) was conducted, and if one was conducted during the five
             years preceding the end of 1993.  Determine if management-
             accepted recommendations were acted upon.
   6.1.3     Determine whether an ITS operational standards audit is
             planned for the 1994 to 1998 time period, and every five
             years thereafter.

   Criterion 6.2       A review of the department's IT security is
   conducted on a scheduled basis by the RCMP SEIT.

   Detailed Criteria/Audit Procedures:
   6.2.1     Interview the ITS Coordinator to determine whether an action
             plan and schedule have been developed to track and coordinate
             RCMP reviews as required.
   6.2.2     Determine whether all IT systems, networks and applications
             are inspected on the following basis:
   þ               at least once every three years for ones processing,
                   transmitting or storing classified information
   þ               at least once every five years for ones processing
                   designated information and
   þ               immediately on the basis of a TRA related to such
                   events as reconfiguration, change in operation or a
                   probable breach of security.  
   6.2.3     Determine whether an action plan and schedule have been
             developed to implement the recommendations of each RCMP
             review and forwarded to RCMP within six months of the review.
   6.2.4     Determine whether RCMP recommendations have been implemented,
             and whether annual progress reports have been provided to
             RCMP.
   6.2.5     Determine whether the deputy head is provided with an annual
             summary of RCMP recommendations review activity.


   Criterion 6.3           The department periodically requests CSE to
         review departmental communications security procedures and
         telecommunications systems.


   Detailed Criteria/Audit Procedures:
   6.3.1     Interview the ITS Coordinator or COMSEC Authority to
             determine whether an action plan and schedule have been
             developed to track and coordinate CSE reviews, as required.
   6.3.2     Determine the conditions under which CSE is requested to
             perform these reviews.
   6.3.3     Determine whether an action plan and schedule have been
             developed to implement the recommendations of each CSE
             review.
   6.3.4     Determine whether CSE recommendations have been implemented,
             and whether regular progress reports are provided to CSE. 
             Determine what actions management intends to take before
             recommendations are fully implemented.


   Criterion 6.4           For contracts containing ITS requirements, the
         department arranges ITS reviews by the RCMP (when the department
         is the contracting authority) or through PWGSC (when PWGSC is the
         contracting authority).


   Detailed Criteria/Audit Procedures:
   6.4.1     Review several recent contracts containing security
             requirements (refer to Chapter 2-5).  Ensure that a security
             requirements checklist (SRCL) was raised to cover the
             requirements.  For those discovered to have SRCLs attached
             and found to contain ITS requirements, determine whether the
             RCMP was requested to conduct an ITS review. 
             For those contracts containing ITS requirements where Public
             Works and Government Services Canada (PWGSC) is the
             contracting authority, determine whether the RCMP was
             requested by PWGSC to conduct an ITS review.
   6.4.2     Determine whether all RCMP recommendations were implemented
             by the contractor.
   6.4.3     Determine the extent to which re-inspections are requested
             when the contract substantively changes, requiring
             substantive changes in the use of IT.


   Criterion 6.5           Other groups conduct program self-assessments.
   Detailed Criteria/Audit Procedures:

   6.5.1     Determine the extent to which other groups, such as
             management or the security organization(s) themselves,
             conduct pro-active self-assessments or security reviews.
   

   PERSONNEL SECURITY

   Objective #7
   Ensure that personnel  having access to Information Technology
   systems/networks/applications that process,  transmit or store sensitive
   information, are appropriately screened before being given access and
   are aware of their security related responsibilities.


   Criterion 7.1           Statements of Sensitivity and Modes of Operation
         documents (which define the security parameters under which the
         system operates) exist for systems, networks and applications.

   Detailed Criteria/Audit Procedures:
   7.1.1     Select and review the documentation for several systems of
             varying size and complexity.  Determine whether current
             statements of sensitivity and modes of operation documents
             exist.
   7.1.2     Determine whether the statements of sensitivity contain
             adequate confidentiality-related information so as to allow
             system managers to determine the general personnel screening
             requirements for access and access privileges.
   7.1.3     Determine whether the modes of operation documents contain
             adequate and specific confidentiality-related information and
             personnel screening requirements.

   Criterion 7.2           Personnel are screened before being given access
         to systems/networks/applications processing sensitive
         information.

   Detailed Criteria/Audit Procedures:
   7.2.1     Determine whether policies and procedures are in place which
             require that personnel have their status or clearance
             verified by the Departmental Security Officer (DSO) before
             being granted access to sensitive systems, networks or
             applications.
   7.2.2     Interview end-users and managers to determine their personnel
             screening status or clearance.  Verify them with the DSO's
             assistance. Compare the verified status or clearance against
             the position screening requirement and the system, network or
             application mode of operation screening requirements.

   Criterion 7.3           System access rights are revoked for personnel
         when they leave the organization or when they lose their status or
         clearance.

   Detailed Criteria/Audit Procedures:
   7.3.1     Determine whether policies and procedures are in place which
             require that personnel have their system access privileges
             revoked for particular events including leaving the
             organization or losing their status or clearance.
   7.3.2     Using a sample of cases where system access rights were
             revoked, determine whether system access removal procedures
             were followed.
   Criterion 7.4           ITS training programs are prepared and given to 
   departmental personnel involved in the application and maintenance of
   ITS.

   Detailed Criteria/Audit Procedures:
   7.4.1     Determine whether ITS personnel have been included in broader
             departmental training on the security policy and its
             application.
   7.4.2     Determine whether ITS personnel are provided with regular
             training on current information technology changes and
             trends, and ITS as it applies to these.
   7.4.3     Determine whether these training programs meet the
             requirements of the jobs and the needs of the organization.

   Criterion 7.5           ITS training and awareness programs are
         prepared and given to personnel involved in using and managing IT.

   Detailed Criteria/Audit Procedures:

   7.5.1     Determine whether the ITS Coordinator has developed a formal
             plan and schedule for ITS training for the department.
   7.5.2     Interview end-users and managers of information technology to
             determine their knowledge and understanding of ITS. 
             Determine the extent to which these personnel have received
             ITS training or awareness material.  Determine the extent to
             which these personnel understand their individual
             responsibilities.
   7.5.3     Determine whether these training programs meet the
             requirements of the jobs and the needs of the organization.


   PHYSICAL SECURITY
   Objective #8
   Ensure that Information Technology is developed and maintained with
   consideration given to its physical and environmental security
   requirements.

   Criterion 8.1           Facilities and accommodations are designed with
         consideration given to the physical and environmental ITS
         requirements.
   Detailed Criteria/Audit Procedures:
   8.1.1     From the unit responsible for accommodations management,
             gather several recent facilities design, renovation or
             relocation files for review.
   8.1.2     Determine whether security site briefs and design briefs were
             developed.  Determine the extent to which ITS was considered
             in the briefs.
   8.1.3     Determine whether the ITS Coordinator was consulted on the
             physical design requirements for spaces containing
             information technology.
   8.1.4     Determine whether a budget was allocated for security
             requirements and more specifically for ITS requirements. 
             Determine the extent to which the budget was based on minimum
             requirements and threat and risk assessment results. 
             Determine whether the responsibility centre manager made
             security cost decisions based on the risk assessment.
   8.1.5     Determine whether cost-efficiency strategies were
             investigated, such as replacing costly physical security
             requirements with less costly logical security safeguards
             (and vice versa) where the risk assessment supports it.
   8.1.6     Determine whether consideration was given to the physical and
             environmental security requirements, especially with respect
             to the security zone requirements and environmental
             safeguards contained in Chapter 2-2 and within TSSIT. 
             Determine whether the Fire Protection Standards for
             Electronic Data Processing were taken into consideration.

   Criterion 8.2           IT is designed with adequate consideration being
         given to its physical and environmental security requirements.

   Detailed Criteria/Audit Procedures:
   8.2.1     Determine the extent to which IT requirements and
             architecture (or profile), as identified in Criterion 2.1,
             contain adequate information with respect to physical and
             environmental security safeguards.
   8.2.2     Determine whether departmental physical security specialists
             are consulted by the ITS Coordinator when determining
             physical and environmental security architecture.


   HARDWARE SECURITY

   Objective #9
   Ensure that Information Technology is developed and maintained with
   consideration given to its hardware security requirements.

   Criterion 9.1           Policies, practices, and procedures for IT
         hardware security are in place.

   Detailed Criteria/Audit Procedures:
   9.1.1     Examine the organization security policies, practices and
             procedures documentation to determine if it adequately
             addresses hardware security.  As a minimum, the
             organization's policies, practices and procedures should
             address:
   -    proper placement and installation of information technology
        equipment to reduce the effects of interference due to
        electromagnetic emanations
   -    maintenance of an inventory and configuration chart of hardware
   -    identification and use of security features implemented within
        hardware
   -    authorization, documentation, and control of change to the
        hardware
   -    identification of support facilities including power and air
        conditioning
   -    provision of uninterruptible power supplies and
   -    maintenance of IT equipment and services.
   9.1.2     Determine whether these policies, practices and procedures
             contain adequate information to allow key personnel to carry
             out their ITS-related duties.
   9.1.3     Determine whether the policies encourage the efficient use of
             ITS equipment.
   
   Criterion 9.2           Hardware security features are set appropriately.

   Detailed Criteria/Audit Procedures:

   9.2.1     From the list of all operational information technology
             systems, networks and applications acquired under Criterion
             2.4, review several of varying size and complexity.
   9.2.2     From the information technology documentation, determine the
             hardware security settings.  Determine whether system
             managers reviewed all default settings upon system
             initialization.
   9.2.3     Determine the basis for which hardware security settings are
             reviewed.

   Criterion 9.3           Access control for remote hardware diagnosis is
         managed appropriately.

   Detailed Criteria/Audit Procedures:
   9.3.1     For the selected IT systems under review, determine the
             conditions under which remote hardware diagnosis is
             permitted.  Determine the extent to which the security
             practices and procedures are adequate.
   9.3.2     Determine whether authorized remote diagnostic technicians
             have the appropriate security screening status or clearance.

   Criterion 9.4           Configuration management of hardware is
         adequately controlled and managed appropriately.

   Detailed Criteria/Audit Procedures:
   9.4.1     Verify whether changes to the hardware configuration are duly
             authorized prior to implementation.
   9.4.2     Determine if a current hardware configuration chart including
             all hardware and communications equipment is maintained.

         SOFTWARE SECURITY

   Objective #10
   Ensure that Information Technology is developed and maintained with
   consideration given to its software security requirements.


   Criterion 10.1          Policies, practices and procedures for software
         security are in place.

   Detailed Criteria/Audit Procedures:

   10.1.1    Examine the departmental security policies, practices and
             procedures to determine if they adequately address software
             security.  As a minimum, the policies, practices and
             procedures should address:
   -    administrative controls including segregating the duties of IT
        staff, keeping inventory and reviewing security
   -    development life cycle standards including design, development
        and test standards, change control and problem resolution
   -    quality assurance
   -    management of configuration
   -    identification and authentication
   -    isolation, encryption and access control
   -    audit controls and surveillance
   -    virus scanning.
   10.1.2    Determine whether these policies, practices and procedures
             contain adequate information to allow key personnel to carry
             out their ITS-related duties.

   Criterion 10.2          Privileged and powerful software is appropriately
         controlled.

   Detailed Criteria/Audit Procedures:
   10.2.1    For the selected information technology systems under review,
             determine the conditions under which privileged and powerful
             software is authorized for use.  Determine the extent to
             which safeguards against the abuse of this software are in
             place, including inventory control, physical access control,
             logical access control, the establishment of resource limits
             and the use of monitoring mechanisms.


   COMMUNICATIONS SECURITY

   Objective #11
   Ensure that Information Technology is developed and maintained with
   consideration given to its general communications security requirements.

   Criterion 11.1          Policies, practices and procedures for general
         communications security are in place.

   Detailed Criteria/Audit Procedures:
   11.1.1    Examine the departmental security policies, practices and
             procedures to determine if they address communications
             security.  As a minimum, the policies, practices and
             procedures need to address:
   -    the mandatory use of encryption methods or other measures
        endorsed or approved by CSE to protect electronic communications
        that transmit classified or extremely sensitive, designated
        information and
   -    the use of cryptography to protect low-sensitive and particularly
        sensitive, designated information communicated electronically,
        when supported by a threat and risk assessment.
Criterion 11.2       Information Technology development projects consider
the requirements for communications security and utilize it where
appropriate.

   Detailed Criteria/Audit Procedures:
   11.2.1    Obtain a list of current Information Technology services such
             as telephone networks, integrated voice-mail services, video-
             conferencing, cellular and paging services, and facsimile
             services.  Select several of varying size and complexity.
   11.2.2    Interview the responsibility centre manager(s).  Determine
             whether the  manager(s) considered the need for security;
             more specifically the need for communications security.
   11.2.3    Determine whether the ITS Coordinator and/or the COMSEC
             authority was consulted for communications security
             requirements.
   11.2.4    Review the statements of sensitivity for the Information
             Technology confidentiality, integrity and availability
             requirements.  
   11.2.5    For electronic transmissions containing classified or
             extremely sensitive, designated information, determine
             whether endorsed or approved cryptography, or other CSE
             approved methods are used. 
   11.2.6    For low-sensitive, or particularly sensitive, designated
             information, transmitted without approved cryptography,
             determine whether this method is supported by an adequate
             threat and risk assessment.  Verify that the threat and risk
             assessment is signed by the appropriate manager and either by
             the ITS Coordinator or COMSEC authority.

   Objective #12
   Ensure that networks and network applications are developed and
   maintained with consideration given to their security requirements.

Criterion 12.1     Policies, practices and procedures for network security
are in place.

   Detailed Criteria/Audit Procedures:
   12.1.1    Examine the organization's security policies, practices and
             procedures to determine if they address network security.  As
             a minimum, the policies, practices and procedures should
             address:
   -                  ensuring that policy and standard requirements for
                      protecting sensitive information in networks and for
                      sensitive network assets are applied
   -                  maintaining network configuration charts and
                      inventories
   -                  ensuring networks are certified and accredited
   -                  obtaining the prior authorization of the ITS
                      Coordinator for all changes to the network
                      configuration and documenting these changes
   -                  reviewing threat and risk assessments and network
                      certification and accreditation after changes to the
                      configuration
   -                  monitoring network operations for security
                      irregularities and
   -                  identifying a formal approach for resolving security
                      problems.
Criterion 12.2       IT networks and network applications consider the     
requirements for network security and use related safeguards where
appropriate.

   Detailed Criteria/Audit Procedures:
   12.2.1    Acquire a list of Information Technology services such as
             those related to message handling, electronic data
             interchange, electronic funds transfer and wide-area data
             transfer.
   12.2.2    Interview the service responsibility centre manager(s).
             Determine whether the manager(s) considered the need for
             security.
   12.2.3    Determine whether the ITS Coordinator or the COMSEC authority
             was consulted for network security requirements.
   12.2.4    Review the statements of sensitivity for the network
             confidentiality, integrity and availability requirements.  
   12.2.5    Obtain a list of standards upon which the network service is
             established.  Determine whether the security profile of each
             applicable standard was considered and applied.
   12.2.6    Determine whether classified and extremely sensitive
             designated information is protected by approved cryptography.
             
   12.2.7    Where approved cryptography is not being used to protect
             low-sensitive or particularly sensitive, designated
             information, determine whether this is based on the results
             of a threat and risk assessment.
   12.2.8    For departments using value-added networks in their
             electronic commerce services, determine whether the
             confidentiality, integrity and availability security
             requirements were included in the value added network service
             contract.
   12.2.9    In cases where the private sector provides network services, 
             determine whether security requirements were considered in
             contracting those services and attached to the contract in a
             security requirement check list.
   12.2.10   Where network services involve more than one department (for
             example, for message handling) determine whether the
             departments worked cooperatively on security requirements for
             best effectiveness, efficiency and economy.

   Objective #13
   Ensure that Information Technology is developed and maintained with
   consideration given to electronic authorization and authentication (EAA)
   security requirements.

Criterion 13.1       In responding to the need for transaction or document 
authorization and authentication, or digital signatures, information
technology systems consider the requirement for EAA security and utilize
related safeguards where appropriate.

   Detailed Criteria/Audit Procedures:
   13.1.1    Based on the sensitivity of the information processed by the
             application and the degree of accuracy of user identification
             and authentication required, determine whether electronic
             authorization and authentication procedures should be
             implemented.
   13.1.2    For systems using digital signatures, public-key cryptography
             and key management systems, determine whether the
             cryptography and key management structures are endorsed or
             approved by CSE. 
   13.1.3    For applications using digital signatures and also using
             cryptography for data confidentiality protection, determine
             whether the two requirements were considered together when
             being designed.
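   The design point behind 13.1.3 is easier to audit when it is seen in
   code.  The following is an added illustration and is not part of this
   guide, nor an endorsed or approved product: it signs a document with
   Ed25519 and then encrypts the signed document with AES-256-GCM, binding
   the sender and recipient identifiers into both the signature and the
   authenticated encryption, so that a signature cannot be lifted out of one
   envelope and replayed to another recipient, and so that a recipient who
   holds only the shared encryption key still cannot forge the originator.
   The Header type, the Seal and Open functions, the envelope layout and the
   department identifiers are assumptions made for the example; the
   encryption key is assumed to be pre-shared, since key management (13.1.2)
   is out of scope here.  In a departmental system the algorithms and the
   key management structure would have to be endorsed or approved by CSE.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Header carries the routing context that both the signature and the
// encryption are bound to.  The field names are an assumption for this
// example, not a government message format.
type Header struct {
	Sender    string
	Recipient string
}

// contextBytes is the canonical encoding of the header, used both as
// signed context and as AES-GCM associated data.
func (h Header) contextBytes() []byte {
	return []byte(h.Sender + "\x00" + h.Recipient)
}

// signedBody is what the originator signs: header context, a separator,
// then the document.  Signing the context prevents a valid signature from
// being lifted out of one envelope and reused in another.
func signedBody(h Header, doc []byte) []byte {
	return append(append(h.contextBytes(), 0), doc...)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal signs doc with the originator's Ed25519 key, then encrypts
// signature||doc under encKey with AES-GCM.  Output: nonce || ciphertext.
func Seal(signer ed25519.PrivateKey, encKey []byte, h Header, doc []byte) ([]byte, error) {
	gcm, err := newGCM(encKey)
	if err != nil {
		return nil, err
	}
	sig := ed25519.Sign(signer, signedBody(h, doc))
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	plain := append(append([]byte{}, sig...), doc...)
	return append(nonce, gcm.Seal(nil, nonce, plain, h.contextBytes())...), nil
}

// Open reverses Seal: authenticated decryption first (wrong key, wrong
// header or any modification fails here), then signature verification
// against the originator's public key (origin authentication).
func Open(verifier ed25519.PublicKey, encKey []byte, h Header, env []byte) ([]byte, error) {
	gcm, err := newGCM(encKey)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(env) < ns+gcm.Overhead()+ed25519.SignatureSize {
		return nil, errors.New("envelope too short")
	}
	plain, err := gcm.Open(nil, env[:ns], env[ns:], h.contextBytes())
	if err != nil {
		return nil, errors.New("decryption or integrity check failed")
	}
	sig, doc := plain[:ed25519.SignatureSize], plain[ed25519.SignatureSize:]
	if !ed25519.Verify(verifier, signedBody(h, doc), sig) {
		return nil, errors.New("origin authentication failed")
	}
	return doc, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	encKey := make([]byte, 32) // assumed pre-shared; key management is out of scope
	rand.Read(encKey)
	h := Header{Sender: "dept-a-finance", Recipient: "dept-b-payments"}
	doc := []byte("Constructed sample: authorize payment 1,000.00 to supplier 42.")

	env, err := Seal(priv, encKey, h, doc)
	if err != nil {
		panic(err)
	}
	got, err := Open(pub, encKey, h, env)
	fmt.Println("round trip:", err == nil && bytes.Equal(got, doc))

	tampered := append([]byte{}, env...)
	tampered[len(tampered)-1] ^= 1
	_, err = Open(pub, encKey, h, tampered)
	fmt.Println("tampered envelope rejected:", err != nil)

	otherPub, _, _ := ed25519.GenerateKey(rand.Reader)
	_, err = Open(otherPub, encKey, h, env)
	fmt.Println("decrypts, but wrong signer rejected:", err != nil)
}
```

   Two things in this layout are what an auditor would look for under
   13.1.3.  First, the signature is computed over the plaintext and the
   routing context, and the same context is the associated data of the
   encryption, so the two safeguards protect the same object and neither
   can be removed or re-targeted without the other failing.  Second, Open
   decrypts before it verifies, and the last check in main shows why the
   order matters: a party holding the shared encryption key can produce an
   envelope that decrypts cleanly, but only the originator's private key can
   produce a signature that verifies, which is the non-repudiation property
   the confidentiality layer alone does not give.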

   Objective #14
   Ensure that Information Technology is developed and maintained with
   consideration given to emanations security requirements.

Criterion 14.1       Information Technology systems, especially those
processing, transmitting or storing top secret or extremely sensitive
designated information, are/were developed and maintained with
consideration being given to the requirement for emanations security.

   Detailed Criteria/Audit Procedures:
   14.1.1    Obtain a list of current Information Technology systems.
             Examine several which process, transmit and/or store top
             secret or extremely sensitive designated information.
             Interview the responsibility centre manager(s).  Determine
             whether the manager(s) considered the need for emanations
             security.  Where TEMPEST safeguards are in place, determine
             whether they were based on the results of a threat and risk
             assessment.
   14.1.2    Determine whether the ITS Coordinator, COMSEC authority or
             CSE were consulted for emanations security requirements.
   14.1.3    For other systems processing, transmitting or storing low-
             sensitive designated, particularly sensitive designated,
             confidential or secret information, determine whether each
             application's method is supported by an adequate threat and
             risk assessment.  Verify that the threat and risk assessment
             was signed by the responsibility centre manager and by the ITS
             Coordinator or COMSEC authority.


   OPERATIONS SECURITY

   Objective #15
   Ensure that Information Technology Security operations are in place and
   meet the needs of the department.


   Criterion 15.1    Policies and procedures for ITS are in place. 
   Detailed Criteria/Audit Procedures:
   15.1.1    Examine the departmental security policies and practices
             documentation to determine if they adequately address the
             requirement for Information Technology responsibility centres
             to develop ITS procedures.  As a minimum, the following
             procedures should be developed:
   -                  day-to-day operations activities
   -                  handling regularly scheduled production programs
   -                  use of privileged equipment and software
   -                  systems authorization and access (passwords, tokens)
   -                  accountability and control within the operations
                      environment
   -                  authorization and control of access to and from
                      remote control centres
   -                  contingency, disaster recovery and business
                      resumption plans
   -                  sanitizing and disposing of electronic storage media
                      and
   -                  identification of problem resolution approaches.
   15.1.2    For the selected Information Technology system environments
             under review, determine whether these procedures are
             developed.
   15.1.3    Determine whether personnel have been appropriately trained
             on the use of the procedures.
   15.1.4    Determine the extent to which these procedures are followed.


LIST OF AUTHORITIES AND REFERENCES
Relevant Legislation
   Access to Information Act
   Canada Labour Code
   Canadian Security Intelligence Service Act
   Criminal Code
   Criminal Records Act
   Financial Administration Act
   Interpretation Act
   Official Secrets Act
   Privacy Act
   Public Service Employment Act
   Public Service Staff Relations Act
   Public Service Reform Act
   Queen's Regulations and Orders
   Young Offenders Act
Policy & Standards
   -  Government Security - 1st Tier Policy & 2nd Tier Operational
   Standards
   Security Volume, 1994, Treasury Board Manual.
   -  Government Security - 3rd Tier Technical Standards
   Canadian Trusted Computer Product Evaluation Criteria, Version 3.0
   (NITSM 8/93 and CID 09/19), CSE, 1993
   Controlled Cryptographic Items Manual (CID/01/08), CSE, March 1992
   Guide to Security Risk Management in Information Technology Systems
   (draft), CSE, 1994
   Certification and Accreditation (draft), CSE, 1994.
   INFOSEC Materiel Control Manual (CID/01/10), (draft), CSE, September
   1991
   Trusted Systems Environment Guideline (CID/09/17), CSE, December 1992
   Guide to Threat and Risk Assessment for Information Technology (SIP 5),
   (draft), RCMP, June 1994
   A Security Guide for the Electronic Office Environment (SIP 4), RCMP,
   October 1992
   Technical Security Standards for Information Technology  (draft), RCMP,
   1994
   Treasury Board - Information Technology Related
   Computers and Personal Information - Guidance for Systems Planners,
   Treasury Board Secretariat, 1993
   Electronic Authorization and Authentication, Chapter 3-2, "Financial
   Management" volume, Treasury Board Manual
   Electronic Data Interchange (EDI), (TBITS-10), "Information Management"
   volume, Treasury Board Manual
   Government of Canada Implementation Guideline for Electronic Data
   Interchange (TBITS 10-1), "Information Management" volume, Treasury
   Board Manual
   Guide to Open Systems Security, Treasury Board Secretariat, November,
   1993
   Managing Your Computer Directories and Files, National Archives of
   Canada and Treasury Board of Canada, 1993
   Profile for Message Handling Service (TBITS 6.4), "Information
   Management" volume, Treasury Board Manual
   Security Profile (COSAC), Treasury Board Information Technology Standard
   (TBITS 6.6), "Information Management" volume, Treasury Board Manual
   Summary of Approved Treasury Board Information Technology Standards,
   Treasury Board Secretariat, September, 1992
   Losses of Money and Offenses and Illegal Acts Against The Crown,
   Financial Management Volume, Treasury Board Manual, 1992.
   Fire Protection Standards for Electronic Data Processing, Chapter 12,
   Volume 7, Personnel Management Manual.


Audit Guides
   Audit Guide to Risk Management, Evaluation, Audit and Review Group
   (EARG), Treasury Board Secretariat, November 1994.
   Guide To The Audit Of Systems Under Development (Series 500, Guide 507),
   Working Draft, Office Of The Comptroller General, March, 1991.
   Guide To The Audit Of End-User Computing (Series 500, Guide 508),
   Working Draft, Office Of The Comptroller General, March, 1991.
   Guide To The Audit Of Contingency And Disaster Recovery Planning (Series
   500, Guide 509), Working Draft, Office Of The Comptroller General,
   March, 1991.
   Guide To The Audit Of Security (Series 400, Guide 406), Exposure Draft,
   Office Of The Comptroller General, June 1990.
   Guide To An Audit of the Management Process (Series 100, Guide 102),
   Office Of The Comptroller General, February, 1987.
   Audit Guides - Auditing EDP: Planning of the EDP Audit,  Office Of The
   Auditor General, 1983.
Government ITS - Information Related Publications
   -  CSE
   National Information Technology Security Memorandum (NITSM)
   COMSEC Technical Information Bulletin (CTIB)
   Infosec Newsletter
   -  RCMP
   ITS Bulletins
   -  TBS - Information, Communication & Security Policy Division
   Security Policy Implementation Notices (SPINS) - (Regularly related to
   ITS issues)
Government Information Technology Security Committees
   -  Communications-Electronic Security Committee (CSC)
   Meets:         Once per month
   Chair:         CSE
   Membership:    Departments with major COMSEC accounts: CSE, RCMP, DND,
      PWGSC, CSIS, CC, HRD, FAIT, PCO, TC.
   Role:          Provides strategic direction to participating departments
      on the management of COMSEC material and systems.
   -  Information Technology Security Committee (ITSC)
   
   Meets:         Once per month
   Co-Chairs:     Rotates Between RCMP and CSE
   Membership:    RCMP, CSE, TBS, TC, SC, CSIS, IC, HC, DND, HRD, EC, FAIT,
      PWGSC, RC.
   Role:          Advises RCMP & CSE on ITS issues. Recommends and keeps
      under review the GSP and ITS operational standard.  Acts as a forum
      for ITS information exchange.  Fosters ITS cooperation among
      departments.  Communicates and coordinates with other committees on
      matters of mutual interest.



SUGGESTED TABLE OF CONTENTS FOR ITS AUDIT REPORT
(Document Security Classification)
NOTICE TO THE READER
(Inside Front Cover)
FOREWORD
1.0      EXECUTIVE SUMMARY
   1.1   Purpose
   1.2   Objectives
   1.3   Scope
   1.4   Major Observations
   1.5   Overall Assessment
         -   GSP Compliance Statement
         -   GSP Implementation Efficiency Statement
         -   GSP Implementation Effectiveness Statement
   
   1.6   Major Recommendations
2.0      INTRODUCTION
   2.1   Background/Purpose
   2.2   Objectives
   2.3   Scope
   -         Organizations Audited
   -         Business Functions Audited
   -         Locations
   -         Areas of Security Policy Covered
   
   2.4   Approach and Methodology
   2.5   Audit Team
   2.6   Coverage Period
   2.7   Acknowledgments
3.0      FINDINGS AND RECOMMENDATIONS
   3.1   Organizing & Administering ITS
   3.2   ITS and Personnel Security
   3.3   ITS and Physical Security
   3.4   ITS
         3.4.1 Hardware Security
         3.4.2 Software Security
         3.4.3 Communications Security
         3.4.4 Operations Security
         (Management Response(s) For Each Finding)
Appendix A:    Organization Chart
Appendix B:    Security Budget
Appendix C:    ITS Security Function vs. Security Responsibility Matrix
Appendix D:    Summary of Past Reviews, Audits and SEIT Inspections
NOTICE TO THE READER
You may find it helpful to contact the head of the department/agency audit
unit responsible for this report to obtain further information concerning
the audit findings, scope, recommendations, or actions taken since the
audit.
AVIS AUX LECTEURS
(French version of the notice above.)  You may obtain more information
concerning the findings, the recommendations and the actions taken since
the audit by contacting the head of the audit unit of the department or
agency responsible for this report.

GLOSSARY
Access badge (insigne d'accès) - document issued by a department to
indicate the zone or facility to which the bearer has authorized access.
Accreditation (accréditation) - approval by the responsible manager for an
information technology system to operate using a particular set of
safeguards.
Availability (disponibilité) - the condition of being usable on demand to
support business functions.
Basic reliability check (vérification de base de la fiabilité) - an
assessment to determine the trustworthiness of individuals; condition for
being granted basic reliability status.
Basic reliability status (cote de fiabilité de base) - the minimum type of
personnel screening; allows access to non-sensitive information and assets
only.
Breach of security (infraction à la sécurité) - when any sensitive
information and assets have been compromised.  Without restricting its
scope, a breach may include compromise in circumstances that make it
probable that a breach has occurred.
Business hours (heures d'ouverture) - posted hours when reception zones are
open to the public, and when an authorized person or visitor may access the
controlled area.
Business resumption planning (planification de reprise des opérations) -
the process of developing a plan to restore business operations in the
event of an interruption.
Certification (certification) - an examination by qualified personnel of an
information technology system's implemented security safeguards against the
system's security requirements.
Circuits, approved (circuits approuvés) - telecommunication links approved
by CSE into which electromagnetic and physical safeguards have been
incorporated to permit secure transmission of unencrypted sensitive
information.
Classification and designation guide (guide de classification et
désignation) - a corporate document, approved by the deputy head of a
department or head of agency, that shows the various types of information
that must be either classified or designated.
Classified assets (biens classifiés) - assets, other than information, that
are important to the national interest and therefore warrant safeguarding.
Classified information (renseignement classifié) - information related to
the national interest that may qualify for an exemption or exclusion under
the Access to Information Act or Privacy Act and the compromise of which
would reasonably be expected to cause injury to the national interest.
Compromise (atteinte à l'intégrité) - unauthorized disclosure,
destruction, removal, modification or interruption.
Compromising emanations (signaux de valeur) - unintentionally radiated
intelligence-bearing signals that, if intercepted and analyzed, disclose
sensitive information emanating from any information processing system or
equipment.
COMSEC (COMSEC) - protection resulting from applying cryptographic,
transmission and emission security measures to telecommunication emissions,
and information handling equipment, and from applying other measures
appropriate to COMSEC information and material.  COMSEC also includes the
instruction required to effect this protection.  These measures are
designed to prevent compromise of information stored, transmitted or
processed on an information technology system.  COMSEC is also designed to
ensure the authenticity of telecommunications.
Confidential (confidentiel) - level of classification that applies to
information and assets when compromise could reasonably be expected to
cause injury to the national interest; in capital letters, a mark to
indicate level of sensitivity.
Confidentiality (confidentialité) - the sensitivity of information or
assets to unauthorized disclosure, recorded as classification or
designation, each of which implies a degree of injury should unauthorized
disclosure occur.
Consequence (conséquence) - outcome, effect; used synonymously with impact.
Container (coffre) - any enclosure, including a cabinet or a room, for the
storage of information and assets.
Contingency planning (planification des cas d'urgence) - the process of
developing a plan to restore information technology operations in the event
of a disruption.
Contracting process (processus de passation des marchés) - includes
bidding, negotiating, awarding, performance and termination of contracts.
Controlled area (endroit contrôlé) - an area comprised of any combination
of the three restricted zones.
Controlled cryptographic item (CCI) (pièce d'équipement de cryptographie
contrôlée) - secure telecommunications or information handling equipment,
or associated cryptographic component or ancillary device that is
unclassified when unkeyed (or when keyed with an unclassified key) but
controlled through an accounting system.
Cryptographic (cryptographique) - of, pertaining to, or concerned with
cryptography.
Cryptography (cryptographie) - the discipline that treats the principles,
means, and methods for making plain information unintelligible.  It also
means reconverting the unintelligible information into intelligible form.
Cryptography, approved (cryptographie approuvée) - cryptography that has
been endorsed by allied nations such as the United States and is proposed
for use in specific, documented departmental applications.  Approval for
use of this cryptography is obtained from CSE.
Cryptography, endorsed (cryptographie homologuée) - cryptography that has
been evaluated by CSE and considered to meet accepted criteria.  This
includes hardware, software and firmware implementations of cryptographic
algorithms.
Custodian departments (ministères gardiens) - departments having
responsibility for the administration of a facility assigned to other
departments for the conduct of government programs.
Data (données) - a representation of facts, concepts or instructions
arranged in a formalized manner suitable for telecommunications,
interpretation, or processing by humans or by automated means.
Declassification (déclassification) - the decision, recorded in writing, of
the originator of classified information or another officer authorized by
the deputy head or head of agency, to remove the classified status of
information.
Defence of Canada or any state allied or associated with Canada (défense du
Canada ou de tout État allié ou associé) - includes the efforts of Canada
and of foreign states to detect, prevent or suppress activities of any
foreign state directed toward actual or potential attack or other acts of
aggression against Canada or any state allied or associated with Canada.
Department (ministère) - any federal institution subject to the Security
policy.
Departmental security officer (agent de sécurité du ministère) - the
individual responsible for developing, implementing, maintaining,
coordinating and monitoring a departmental security program consistent with
the Security policy and standards.
Designated assets (biens désignés) - assets, other than information, that
have been identified by the department as being important to operations by
virtue of the function performed, or as being valuable and therefore
warranting safeguarding; for example, cash and other negotiables; and
information technology systems that require protection to ensure the
confidentiality, integrity and availability of the information stored in
them.
Designated information (renseignements désignés) - information related to
other than the national interest that may qualify for an exemption or
exclusion under the Access to Information Act or Privacy Act.
Designation guide (guide de désignation) - see classification and
designation guide.
Digital signature (signature numérique) - a cryptographic transformation of
data which, when appended to a data unit, provides the services of origin
authentication, data integrity, and signer non-repudiation.
Downgrading (déclassement) - the decision, recorded in writing, of the
originator of sensitive information or another officer authorized by the
deputy head or head of agency, to lower the classification level of
information or remove the designated status.
Electronic authorization and authentication (autorisation et
authentification électroniques) - an electronic means of identifying and
verifying the rights or authorities of a legitimate user of a network
application (authorization), and of identifying and verifying legitimate
application users and devices (authentication).
Emanation security (sécurité des signaux de valeur) - the discipline of
reducing electromagnetic interference between information technology and
telecommunications equipment, as well as reducing unintentional
electromagnetically radiated signals, that, when intercepted, divulge
sensitive information.
Encryption (cryptage) - the transformation of readable data into an
unreadable stream of characters using a reversible coding process.
Enhanced reliability check (vérification approfondie de la fiabilité) - an
assessment to determine an individual's trustworthiness; condition for
enhanced reliability status.
Enhanced reliability status (cote de fiabilité approfondie) - the type of
personnel screening that, with a need to know, is required for access to
designated information and assets.
Extremely sensitive, designated information (renseignements désignés de
nature extrêmement délicate) - a sub-set of designated information that
could reasonably be presumed to cause extremely serious injury, such as
loss of life, if compromised; may be marked PROTECTED C.
Facility (installation) - a physical setting used to serve a specific
purpose.  A facility may be part of a building, a whole building, or a
building plus its site; or it may be a construction that is not a building.
The term encompasses both the physical object and its use.
For cause (avec motif) - a determination based on available information,
whether a greater degree of screening is required.  This may be determined
by the department or the investigative agency in individual cases, or
jointly for a particular group or category.
Identification card (carte d'identité) - document issued by a department
to identify the bearer as an employee of that department.
Information holdings (renseignements détenus) - all information under the
control of a department, regardless of physical mode or medium in which the
information is stored.  Materials held by federal libraries that were not
prepared or produced by or for the governments are excluded from this
definition.
Information technology (technologies de l'information) - the scientific,
technological and engineering disciplines and the management practices used
in electronic information handling, communication and processing; the
fields of electronic data processing, telecommunications, electronic
networks, and their convergence in systems; applications and associated
software and equipment together with their interaction with humans and
machines.
Information technology security (sécurité des technologies de
l'information) - the protection resulting from an integrated set of
safeguards designed to ensure the confidentiality of information
electronically stored, processed or transmitted; the integrity of the
information and related processes; and the availability of systems and
services.
Integrity (intégrité) - the accuracy and completeness of information and
assets and the authenticity of transactions.
Interruption (interruption) - the non-availability of information, assets,
systems, or services.  Interruption can be accidental or deliberate.
Lead agency (organisme conseil) - an agency with government-wide
responsibilities related to the Security policy, as defined in the Security
policy.
Limited-access hours (heures d'accès limité) - periods outside business
hours, when access to the reception zones and controlled area is limited to
authorized persons, usually employees, and by exception to authorized
visitors.
Low-sensitive, designated information (renseignement désigné de nature peu
délicate) - a sub-set of designated information that could reasonably be
presumed to cause injury if compromised; may be marked PROTECTED A.
Modification (modification) - the alteration of information, data, software
or ITS equipment.  Modification can be accidental or deliberate.
Monitor (surveiller) - to ensure that information and assets, or the
safeguards protecting them, are checked by the personnel in control of the
information or assets, security staff or electronic means with sufficient
regularity to satisfy the threat and risk assessment.
National interest (intérêt national) - concerns the defence and maintenance
of the social, political and economic stability of Canada.
Need-to-access principle (principe d'accès sélectif) - limiting access to a
specific area to those who need to work there.
Need-to-know principle (principe de connaissance sélective) - limiting
access to information to those whose duties require such access.
Network security (sécurité des réseaux) - the protection of electronic
networks and their services, and the assurance that the network performs
its functions correctly and when needed.
Open-office area (bureau à aires ouvertes) - an office comprised of many
work stations not separated by doors and walls.
Operations environment (environnement de travail) - an area that is under
the control of computer operations personnel.
Particularly sensitive, designated information (renseignements désignés de
nature particulièrement délicate) - a sub-set of designated information
that could reasonably be expected to cause serious injury if compromised;
may be marked PROTECTED B.  See article 5.4 of Chapter 2-1 for a partial
list of possible personal information that may qualify to be designated as
particularly sensitive.
Personal information (renseignements personnels) - any form of recorded
information about an identifiable individual.  See Section 3 of the
Privacy Act for examples.  The Act also includes some exceptions to the
definition.  Personal information, a subset of other sensitive information,
deserves enhanced protection and may carry the marking "PROTECTED - personal
information".
Physical security (sécurité matérielle) - protection, detection and
response mechanisms used in the physical environment to control access to
sensitive information and assets.
Privileged and powerful software (logiciel privilégié et puissant) -
software capable of bypassing, over-riding or altering controls.
PROTECTED (PROTÉGÉ) - the marking that shows that the information qualifies
as designated information and requires more than basic protection.
Removal (suppression) - loss of information or assets.  Loss can be
accidental, as when information is discarded with waste, or deliberate as
in theft.
Risk (risque) - (i) chance of vulnerabilities being exploited; (ii)
uncertainty.
Risk assessment (évaluation des risques) - an evaluation, based on the
effectiveness of existing or proposed security safeguards, of the chance of
vulnerabilities being exploited.
Sanitization (démarquation) - (i) altering or erasing recorded sensitive
information to prevent unauthorized disclosure; (ii) altering SIGINT to
permit wider dissemination.
Secret (secret) - level of classification that applies to information or
assets when compromise could reasonably be expected to cause serious injury
to the national interest.
Secure perimeter (périmètre de sécurité) - continuous physical barriers
that can reasonably be expected to counter identified threats.
Security assessment (évaluation sécuritaire) - an appraisal of loyalty to
Canada and, so far as it is related thereto, the reliability of an
individual; condition for a security clearance.
Security clearance (cote de sécurité) - the type of personnel screening
that, with a need to know, is required for access to classified information
and assets.
Security equipment (équipement de sécurité) - equipment that has been
evaluated or tested against standards developed by the lead agency.  The
Security Equipment Guide lists security equipment for use in the government
of Canada.
Security guard (garde de sécurité) - person whose primary duties involve
the protection of information and assets.
Security standard (normes de sécurité) - level of attainment regarded as a
measure of adequacy; security requirements and guidelines approved for
government-wide use.  (Operational standards form part of the Treasury
Board Manual; technical standards are produced by the lead security
agencies).
Sensitive asset (bien de nature délicate) - classified or designated asset.
Sensitive discussion area (SDA) (aire insonorisée) - specially designed and
managed area to prevent the overhearing, by electronic or other methods, of
discussions on classified and designated information.
Sensitive information (renseignement de nature délicate) - classified or
designated information.
Service spaces (endroits de service) - areas such as cloakrooms, toilets,
cafeterias, circulation routes, registries, as well as building service
areas such as telephone, electrical and janitorial closets.
Signals intelligence (SIGINT) (renseignement électromagnétique) - term
given to information gathered about foreign countries by intercepting and
studying their radio, wire, radar and other electronic transmissions.
Site-access security clearance (cote de sécurité donnant accès aux sites) -
type of personnel screening required in limited and specific circumstances
when duties of individuals require access to only sensitive
government-related sites or facilities, usually for a short time, and not
to information.
Sponsoring department (ministère tuteur) - a department that makes
submissions to Treasury Board for approval of project objectives and
expenditure authority, and that is responsible for managing the project.
Statement of sensitivity (énoncé de la nature délicate) - a description of
the confidentiality, integrity or availability requirements associated with
the information or assets stored or processed in or transmitted by an
information technology system.
Telecommunications (télécommunications) - as defined in the Interpretation
Act, Chapter I-21 of the Revised Statutes of Canada, any transmission,
emission or reception of signs, signals, writing, images, sounds or
intelligence of any nature by wire, radio, visual, or other electromagnetic
systems.  This includes telephone, telegraph, teletype, facsimile, data
transmissions, closed circuit television and remote dictation systems.
TEMPEST (TEMPEST) ð the discipline that deals with the suppression of
unintentionally radiated or conducted electromagnetic signals that divulge
information.
Threat (menace) ð any potential event or act that could cause one or more
of the following to occur:  unauthorized disclosure, destruction, removal,
modification or interruption of sensitive information, assets or services,
or injury to people.  A threat may be deliberate or accidental.
Threat assessment (évaluation de la menace) ð an evaluation of the nature,
likelihood and consequence of acts or events that could place sensitive
information and assets at risk.
Top secret (très secret) ð level of classification that applies to
information or assets when compromise could reasonably be expected to cause
exceptionally grave injury to the national interest.
Trusted product (produit éprouvé) ð component of an information technology
system that has been evaluated against specific criteria.
Trusted system (système éprouvé) ð information technology system with an
objective basis for the degree of confidence and assurance a user may have
in the security provided by technical means.
Value (valeur) ð estimated worth.
Violation of security (manquement à la sécurité) ð any act or omission that
contravenes any provision of the Security policy.  Such acts may include
failure to classify or designate information in accordance with the policy;
classification or designation, or continuation of same, in violation of the
policy; unauthorized modification, retention, destruction or removal of
sensitive information; and unauthorized interruption of the flow of
sensitive information.
Vulnerability (vulnérabilité) ð (i) an inadequacy related to security that
could permit a threat to cause harm; (ii) an inherent weakness in
information technology that makes it.


COMMITTEES & STANDARDS
   Standards
   Government policy promotes the development, distribution and use of IT
   standards to acquire, manage and use Information Technology effectively
   and to protect investments.  Among many other benefits, this process
   promotes compatibility and inter-operability, minimizes duplication of
   data and ensures that proper security safeguards are in place.  Wherever
   possible, the government adopts national or international standards.
   The government will develop new standards itself, but only when a need
   is specific to the federal government.
   Interdepartmental government Information Technology and ITS committees
   exist to ensure that common problems and their resolutions are addressed
   across government in a consistent manner.  As well, these committees
   review draft IT and ITS standards to ensure the practicality,
   completeness, accuracy and viability of these standards.
   The departmental organizational unit responsible for ITS should be aware
   of, and where appropriate participate in, the Treasury Board Information
   Technology Standards (TBITS) program and its committees.  As a minimum,
   the ITS Coordinator should be knowledgeable about working groups and
   standards related to ITS.  This will help ensure that economies of scale
   are realized, and that systems maintain their required effectiveness and
   inter-operability.
   The TBITS working groups that relate to security include:
   •     Internal Government OSI Implementation Committee
   •     Electronic Commerce Working Group
   •     Integrated Circuit Cards / Smart Cards Working Group
   •     Smart Card Security / Technical Sub-Group
   •     Special Interest Group on Remote Access To Information Systems
         Group
   •     Core OSI Working Group
   •     Special Focus Group on Network Security and

   For detailed information on these and other Information
   Management/Information Technology Committees and Groups, consult the
   Office of the CIO, TBS.

   ITS Committees
   There are two primary inter-departmental committees that deal
   specifically with ITS issues.  These are:
         •  Communications-Electronic Security Committee and
         •  Information Technology Security Committee.
   -  Communications-Security Committee (CSC)
   CSC provides strategic direction to participating departments on the
   management of COMSEC material and systems.  Because of the sensitivities
   involved, it is a committee with strict membership rules; only those
   departments having a major COMSEC account under CSE may participate.
   Most meeting discussions and resulting minutes are classified.
   -  Information Technology Security Committee (ITSC)
   Under the guidance and direction of TBS, "T" Directorate RCMP and the
   Director General, Security, CSE, the ITSC:
         •  advises CSE, the RCMP and TBS on ITS;
         •  recommends and keeps under review policies, plans, procedures
            and standards developed for ITS by the RCMP and CSE;
         •  reviews and advises on the implementation of ITS policy and
            standards;
         •  reviews security standards which interrelate with ITS;
         •  institutes and maintains effective cooperation on ITS matters
            among departments and agencies in order to ensure a consistent
            application of security for the protection of information;
         •  considers issues which impact on ITS and are brought to the
            attention of the committee by members or by other departments
            or agencies of the Government of Canada; and
         •  communicates and coordinates with other committees on matters
            of mutual interest.
   ITSC is open to membership from those departments having substantial
   amounts of Information Technology.  Meeting minutes are available for
   download from the RCMP Technical Security Services BBS.
   The ITS Auditor should review past minutes of these committees in order
   to determine current, common ITS issues, and to ascertain whether
   departmental knowledge of, participation in, and resolution of those
   issues is adequate.

