Canada Border Services Agency

ARCHIVED - Audit of Information Technology Infrastructure — General Controls

Internal Audit Report

Warning: This page has been archived.

Archived Content

Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.

October 2008


Executive Summary

Background

The Canada Border Services Agency (CBSA) obtains information technology (IT) infrastructure services and support from two other government organizations. The scope of IT infrastructure services and support defined in the formal memorandums of understanding between the CBSA and these two organizations covers the major technology components of the infrastructure and the bulk of the business systems used at the CBSA.

The CBSA manages and controls the following IT infrastructure environments at CBSA Headquarters (HQ) that are not covered under the service arrangements with these two organizations:

  • HQ desktop and related network IT infrastructure environments;
  • Research, application development and testing environments for laboratory and scientific services, business applications and corporate applications; and
  • Specialized environments for publishing, communications, security, intranet/Internet, training and investigations.

This is the second of two audits identified in the CBSA Internal Audit Directorate Risk-based Multi-year Audit Plan 2007-2010 approved by the Audit Committee in October 2007. The CBSA identified the requirement for two audits aimed towards ensuring that the CBSA is getting the optimum level of IT services that provides for a fully secure working environment and that meets both current and future business needs.

The first audit was completed in February 2008 and focused on the governance arrangements for the delivery of IT services to the CBSA by the government organization service providers. This second audit focused on the adequacy and effectiveness of the control framework for the IT infrastructure under the management and control of the CBSA.

The audit was undertaken jointly by Interis Consulting and the CBSA’s Internal Audit Directorate. Audit planning took place between October 2007 and March 2008 and the audit was conducted at HQ between March and July 2008.

Objective and Scope

The audit objective was to provide assurance to senior management on the adequacy of the controls to ensure the IT infrastructure was planned, managed and maintained to support efficient operations.

The scope for the audit examination was the IT infrastructure managed and controlled by the CBSA and included the following:

  • CBSA IT infrastructure planning, investment management, technical standards, governance, roles and responsibilities, and processes and practices in support of CBSA business strategic and operational objectives, priorities or requirements.
  • The general controls associated with asset life-cycle management.
  • CBSA management activities (internal control practices, methods and procedures) implemented to avoid potential business impacts or change-related incidents associated with developing, implementing or changing the IT infrastructure.

Business applications, office automation software and data management were not included within the definition of IT infrastructure and were therefore outside the scope of the audit. IT infrastructure not connected to the network, such as specialized environments for security and publishing, was also excluded from the scope.

A separate audit of the adequacy and effectiveness of the CBSA’s business continuity plans is planned for 2008–2009.

Statement of Assurance

This audit engagement was planned and conducted in accordance with the Internal Auditing Standards for the Government of Canada.

Audit Opinion

The audit found that controls to plan, manage and maintain the IT infrastructure under the control of the CBSA were generally satisfactory and supported the Agency’s business strategic and operational objectives, requirements and priorities. The audit noted opportunities for business process improvements.

Main Observations

Approved technology standards were followed, and processes were in place to update the standards.

Roles and responsibilities for IT infrastructure development and maintenance functions were being reviewed and updated.

Appropriate safeguards existed to avoid potential business impacts or change-related incidents associated with developing, implementing or changing the IT infrastructure.

The audit observed that work was under way to develop an IT strategic plan and an IT infrastructure asset management policy, and to finalize the IT architecture governance model and processes. The outcomes of these activities should strengthen IT infrastructure planning, IT asset life-cycle management and IT architecture governance.

Management Response

The Innovation, Science and Technology Branch agrees with the recommendations in this report.


Introduction

For the purposes of this audit, information technology (IT) infrastructure is defined as all of the components used for processing application systems and that allow end-user interaction with these systems. The components include computers, storage media, telecommunications networks, data storage, peripheral devices, operating systems, database management system software, security systems and the physical environment used to house and support these components.


Background

The Canada Border Services Agency (CBSA) obtains IT infrastructure services and support from two other government organizations. The CBSA also manages and controls IT infrastructure items not covered under the service arrangements with these two organizations. Service arrangements with one government organization provide CBSA users with access to and support for the use of business delivery systems that operate on infrastructure components owned and controlled by the government organization. The second government organization manages and controls a shared IT infrastructure with the CBSA. The scope of IT infrastructure services and support defined in the formal memorandums of understanding (MOUs) between the CBSA and the government organization service providers covers the major technology components of the infrastructure and the connectivity to some of the business systems used at the CBSA.

The CBSA manages and controls the IT infrastructure environments at CBSA Headquarters (HQ) relating to the following:

  • HQ desktop and related network IT infrastructure environments;
  • Research, application development and testing environments for laboratory and scientific services, business applications and corporate applications; and
  • Specialized environments for publishing, communications, security, intranet/Internet, training and investigations.

This is the second of two audits identified in the CBSA Internal Audit Directorate Risk-based Multi-year Audit Plan 2007-2010 approved by the Audit Committee in October 2007. The requirement for two audits was identified with the aim of ensuring that the CBSA is getting the optimum level of IT services that provides for a fully secure working environment and that meets both current and future business needs.

The first audit was completed in February 2008 and focused on the governance arrangements for the delivery of IT services to the CBSA by the government organization service providers. The audit found that CBSA service expectations and delivery were met and monitored against the MOUs and related documents (service level agreements, service delivery agreements and management frameworks). These agreements were cyclically reviewed and controls existed to manage operational risks associated with service delivery agreements. Opportunities were identified to better define services and service levels, align business and IT strategic directions, and improve risk-management practices.

This second audit focused on the adequacy and effectiveness of the control framework for the IT infrastructure under the management and control of the CBSA. To this end, this report refers strictly to the relationship with the government organization service provider that manages the shared infrastructure with the CBSA.

The audit also considered the October 2007 Report of the Auditor General of Canada. At that time, the Auditor General found that while “investments have been guided by business plans and government priorities, these IT projects have not been guided by a strategic plan for information technology or information management….” The Agency has initiated work on developing an IT strategic plan.


Risk Assessment

During the planning phase of the audit, risks were assessed to determine potential areas for the audit. Key inherent risks to the development, maintenance and safeguarding of the IT infrastructure managed by the CBSA included the following:

  • The development of an IT strategic plan that needs to be accepted and understood by both the user community and the Innovation, Science and Technology Branch (ISTB) to align IT infrastructure investments and resource allocations with the strategic direction and business priorities of the Agency;
  • The roles and responsibilities for the management of IT infrastructure assets that need to be defined, current and communicated to facilitate the planning and management of infrastructure costs and the realization of benefits;
  • The CBSA’s need for unique IT infrastructure equipment and services that require effective approval and certification of new technology to meet operational requirements;
  • The changes to the IT infrastructure that need to be well managed to maximize infrastructure availability and to support operational requirements as a border protection agency; and
  • The business and IT continuity plans that are needed to ensure that critical operations continue to be available during a disruption.

Audit Objective and Scope

The audit objective was to provide assurance to senior management on the adequacy of the controls to ensure the IT infrastructure was planned, managed and maintained to support efficient operations.

The scope for the audit examination was the IT infrastructure managed and controlled by the CBSA and included the following:

  • CBSA IT infrastructure planning, investment management, technical standards, governance, roles and responsibilities, and processes and practices in support of CBSA business strategic and operational objectives, priorities or requirements.
  • The general controls associated with asset life-cycle management.
  • CBSA management activities (internal control practices, methods and procedures) implemented to avoid potential business impacts or change-related incidents associated with developing, implementing or changing the IT infrastructure.

Business applications, office automation software and data management were not included within the definition of IT infrastructure and were therefore outside the scope of the audit. IT infrastructure not connected to the network, such as specialized environments for security and publishing, was also excluded from the scope.

As a separate audit of the adequacy and effectiveness of CBSA’s business continuity plans is planned for 2008–2009, IT continuity planning, testing and monitoring controls were not in the scope of this audit.

The audit was undertaken jointly by Interis Consulting and the CBSA’s Internal Audit Directorate. Audit planning took place between October 2007 and March 2008 and the audit was conducted at HQ between March and July 2008.


Approach and Methodology

The methodology used to conduct the audit included the following:

  • A document review to assess the adequacy and effectiveness of the management control framework over the IT infrastructure.
  • An examination of a sample of IT infrastructure procurements in 2007–2008 to assess the planning and management of compliance against technology standards and controls. On-site verification of assets against IT asset inventory records for an Ottawa location was completed.
  • An assessment of IT architecture governance roles and responsibilities and scope of IT architecture-related issues.
  • A review of the roles and responsibilities for release management, change management, emergency fixes and project governance.

Audit Criteria

Based on the results of a risk assessment of IT infrastructure management, IT criteria were developed using the Control Objectives for Information and related Technology (CobiT) framework issued by the IT Governance Institute.

The audit criteria used to assess the CBSA’s overall business practices, general controls and governance processes for IT infrastructure service delivery were organized into seven categories:

  • IT infrastructure planning
  • IT architecture governance
  • Technology standards
  • IT infrastructure asset life-cycle management
  • IT infrastructure investment management
  • Roles and responsibilities
  • IT infrastructure change management

Detailed criteria are provided in Appendix A.


Statement of Assurance

This audit engagement was planned and conducted in accordance with the Internal Auditing Standards for the Government of Canada.


Audit Opinion

The audit found that controls to plan, manage and maintain the IT infrastructure under the control of the CBSA were generally satisfactory and supported the Agency’s business strategic and operational objectives, requirements and priorities. The audit noted opportunities for business process improvements.


Findings, Recommendations and Management Action Plan

The audit found that approved technology standards were followed, and processes were in place to update the standards. Roles and responsibilities for IT infrastructure development and maintenance functions were being reviewed and updated. Appropriate safeguards existed to avoid potential business impacts or change-related incidents associated with developing, implementing or changing the IT infrastructure.

The audit observed that work was under way to develop an IT strategic plan and an IT infrastructure asset management policy, and to finalize the IT architecture governance model and processes. The outcomes of these activities should strengthen IT infrastructure planning, IT asset life-cycle management and IT architecture governance.


IT Infrastructure Planning

There was no CBSA IT strategic plan to guide the development of infrastructure plans for the shared infrastructure and for individual projects.

An IT strategic plan provides overall direction for the acquisition, implementation and maintenance of IT infrastructure components. The plan would document the IT vision, IT strategies and the principles for meeting the CBSA’s current business requirements and longer-term priorities. Typically, this plan would include a prioritized list of IT projects linked to plans and priorities, recommendations for the various architecture components (e.g. technology infrastructure, data applications), a high-level migration strategy and associated costs. The plan would be a key component of an IT governance structure that supports effective management of information and technology.

The audit observed that in the absence of an IT strategic plan, the CBSA has made IT infrastructure acquisitions to meet business priorities. These included capital replacements and work orders and change requests to meet new requirements. The CBSA conducted project analyses to determine infrastructure requirements and worked with the service provider to define requirements or changes. As well, infrastructure requirements that support more than one CBSA project were being identified.

There was no evidence to suggest that the IT infrastructure is not supporting the business applications. Technology architecture direction provided via the MOU with the service provider guided the acquisition, implementation and maintenance of infrastructure components. However, in the absence of an Agency-wide IT strategic plan, there is a risk that the Agency will miss opportunities to optimize performance, costs and new technologies to meet strategic priorities.

The audit noted that the ISTB has begun work on the development of a CBSA IT strategic plan. The scope of the plan included the establishment and ongoing development of an IT strategy that defines the CBSA’s target state of technology for up to five years and provides a road map of how these changes will be implemented.

Recommendation:

1. The Vice-President of the Innovation, Science and Technology Branch should continue to develop and seek approval of the IT strategic plan.

Management Action Plan and Completion Date

The initial draft of the CBSA IT strategic plan was provided to the Treasury Board of Canada Secretariat (TBS) as part of the Management Accountability Framework (MAF), Round 5. Steps have already been undertaken to address TBS feedback in order to finalize the plan.

  • The Innovation, Science and Technology Branch will have a complete and approved IT strategic plan. Completion date: June 2009

IT Architecture Governance

An IT architecture governance structure existed. The Architecture Review Board (ARB), a key component of the IT governance structure, had not met since November 2006, which affected governance objectives of facilitating stakeholder input and communicating IT architecture decisions.

IT architecture governance provides a mechanism for verifying compliance of IT infrastructure with CBSA standards and guidelines. This includes the organizational structure and processes established to review and approve IT infrastructure decisions, and the availability of technology guidelines against which compliance can be evaluated.

The CBSA had defined an architecture governance structure to guide the review and approval of architecture standards, guidelines and principles, as well as to approve project-specific architecture. The scope of architecture decisions included technology and other IT components such as data and application architecture.

The audit noted there were four CBSA oversight bodies with representation from the ISTB in the governance process:

  • The Enterprise Architecture Committee (EAC) reviews and endorses all architecture deliverables for the Strategic Planning and Integration Directorate before deliverables are taken to the next steps in the governance process.
  • The Technical Review Board (TRB) reviews and approves CBSA project technology documentation for compliance to architecture standards; reviews and endorses IT strategies, updates to technology standards and requests for technology architecture variances; and forwards endorsement decisions to the ARB.
  • The ARB reviews and approves standards and guidelines, technology architecture variances and architecture projects; reviews and endorses architecture strategies, principles and issues relating to major projects and initiatives; and forwards endorsements to the Directors General Review Forum for approval.
  • The Directors General Review Forum reviews and approves change requests and process, strategy and concept documents.

The audit concluded that the CBSA architecture governance structure provided a mechanism to review IT architecture directions, to develop and maintain infrastructure architecture guidelines, to develop technical design recommendations for business requirements, and to verify compliance with technical infrastructure standards. Furthermore, architecture governance arrangements between the CBSA and its service provider established the mechanism to define technology standards, confirm that a proposed technical infrastructure design was in compliance with technology standards, and to review and approve a variance from standards.

The audit noted, however, that the ARB, one of the key controls in the governance process, had not met since November 2006. This Board provided an opportunity for management review and endorsement of preliminary architecture deliverables during the early stages of a project, as well as later in the project life-cycle when architecture recommendations move from concept to detail design and implementation.

While alternative architecture review and endorsement mechanisms were put in place, the audit found that there was a lack of clear understanding of the roles and responsibilities with respect to the review and approval of technology architecture decisions. As well, the review of meeting minutes found that the minutes did not always provide a clear indication of records of decision on technical architecture design recommendations.

Interviews indicated that the cessation of ARB meetings was attributed, in part, to organizational changes occurring in the ISTB that affected the Board’s membership and the coordination of its meetings. In the absence of ARB meetings, architecture decisions were managed by the IT Directors’ Committee (ITDC) and the Directors’ Project Forum, two other ISTB committees that have some of the same members as the ARB.

Confirming the roles of CBSA oversight bodies helps ensure that technical design decisions are approved with a full understanding of the impact of the recommendations on performance, availability or other technical issues and constraints when the technical solution is engineered. As well, a review of architecture products during the early stages of the project life-cycle helps identify design revisions when it is easier to make changes.

The audit noted that the ISTB has indicated it plans to complete an IT architecture governance review and have an approved structure in place by December 2008.

Recommendation:

2. The Vice-President of the Innovation, Science and Technology Branch should finalize and implement the new IT architecture governance structure with the approval of the appropriate executive committee.

Management Action Plan and Completion Date

The Innovation, Science and Technology Branch has resumed the ARB in its governance process and will finalize and fully implement the full IT architecture governance structure.

  • Finalize the IT architecture governance model. The IT architecture governance structure will be presented to the Executive Management Committee (EMC) for approval. Completion date: December 2008
  • Fully implement approved IT architecture governance process. Completion date: March 2009

Technology Standards

Technology standards existed and were followed.

Technology standards enable the standardization of information and IT. Standardization objectives include simplified hardware and software environments and software selection, reduced software licensing and support costs, increased agility in taking advantage of new and emerging technologies, and improved business and IT alignment.

The audit found that technology standards were developed and followed within the Agency. The standards were developed primarily by the service provider and were adopted by the CBSA. The annual Technology Architecture Outlook, developed with input from the CBSA, provided high-level direction on technology architecture. The Approved Products List (APL) for certified equipment types, which is maintained by the service provider, was used to verify compliance of new infrastructure with technology standards.

Furthermore, processes existed to update the standards, including a CBSA review and assessment of technology solutions to meet evolving Agency business requirements, as well as joint initiatives with the service provider to make changes to the shared IT infrastructure. As a result, revised technology standards were identified to meet new requirements.


IT Infrastructure Asset Life-cycle Management

Justification for IT infrastructure investments was provided and budgets for IT infrastructure investments were prepared and managed. However, there was no consolidated inventory of CBSA-managed and controlled IT infrastructure items that would provide a clear picture of IT asset holdings for asset replacement planning and budgeting.

Managing the IT infrastructure asset inventory through a life-cycle approach responds to the needs of replacing and upgrading an asset (“evergreening”), making changes to the assets and meeting the requirements of new initiatives. Resource management information systems enable the collection and generation of complete and accurate information on the use of IT infrastructure asset holdings and support the development of an asset replacement plan and budget.

The audit found that the inventory of CBSA-managed and controlled IT infrastructure assets was maintained and validated using multiple systems and processes. The ISTB managed HQ desktop, laptop and printer inventory data for 12 locations in the National Capital Region (NCR) and was in the process of adding asset inventory for additional NCR locations. Some IT infrastructure inventory data was maintained by individual organizations separately from this ISTB system.

The different inventory record-keeping systems reflect the fact that accountability for IT asset inventory management was dispersed within the CBSA. This was due in part to the lack of a CBSA materiel management framework that defines what asset inventory information is to be recorded, who is accountable for the inventory and how this information is to be validated.

The need for a materiel management framework was identified in two previous audits: the Audit of Fleet Management and the Audit of Asset Management - Detection Technology Equipment. In response to these audits, the Comptrollership Branch is initiating the development of a centralized total asset management framework, including accountabilities for asset management and roles and responsibilities. It is to be completed by December 2008. Further, the ISTB has drafted an IT asset management policy. The objective of this policy is to ensure the effective and efficient management of the CBSA IT end-user inventory while keeping expenditures and inventory levels to a minimum.

In the absence of a consolidated inventory, there is a potential risk that the Agency would not be making appropriate decisions regarding capital investments because there would be no clear picture of the total costs for IT asset replacement.

The audit found that justification for IT infrastructure investments was provided to support the approval decision of an investment. For new projects that include an infrastructure component or significant changes, business cases were developed and approved. Evergreening of infrastructure components was based on asset obsolescence, removal of vendor support and end-of-asset useful life. Procurement requests by cost centre managers were based on documented requirements provided by the manager.

The policy on acquisition of information technology hardware and software was drafted by the ISTB. The objective of the policy was to centrally manage IT procurement, enabling the CBSA to leverage buying power and mitigate contracting risks while allowing functional authorities to identify and manage these IT assets.

Budgets for IT infrastructure investment were prepared and managed. If the assets were part of a new project, the budget identification and approval processes followed the project life-cycle. The budget for the replacement of CBSA end-user assets, such as laptops, desktops or printers, was either included in the annual capital replacement plan or in the end-user budget. As well, end-users budgeted for the purchase of additional asset items that were not identified as part of a new initiative.

A review of the capital replacement plan noted that the plan did not include asset items replaced and funded by some of the user organizations that maintained their own inventory (e.g. the laboratory located on Bentley Avenue). As well, the scope of asset items covered in the plan did not align with the definition of assets provided in the IT asset management policy.

Recommendation:

3. The Vice-President of the Innovation, Science and Technology Branch, in collaboration with the Comptrollership Branch, should finalize the IT asset management policy in a way that is consistent with the overall materiel management framework.

Management Action Plan and Completion Date

The Innovation, Science and Technology Branch will collaborate with the Comptrollership Branch to finalize the IT asset management policy.

  • Finalize a draft policy that is consistent with the TBS’s Policy on Management of Materiel and the Comptrollership Branch’s centralized total asset management policy. The IT acquisition policy and IT asset management policy will be combined. Completion date: September 2008
  • Continue and complete consultation phase. Completion date: October 2008
  • Final policy approval and implementation. Completion date: December 2008

Roles and Responsibilities

Roles and responsibilities for IT infrastructure development and maintenance functions were being reviewed and updated.

Controls for achieving IT infrastructure development and maintenance objectives include defining and communicating roles and responsibilities, identifying the skills and experience needed to perform the roles, and providing training to employees to support the discharge of their responsibilities.

The audit found that many of the roles and responsibilities for IT infrastructure development and maintenance functions were documented. These included IT security, release management, IT project management, IT procurement, emergency fixes and change management. The shared roles and responsibilities with the service provider for assessing compliance of technology design recommendations with technology standards and approving variances from these standards were also documented.

At the time of the audit, other roles and responsibilities were at different levels of development. For example, the ISTB was developing and updating roles and responsibilities for IT asset management and IT architecture governance. Work on developing the roles and responsibilities for IT continuity and disaster recovery was planned to start once final funding approval was received.

The ISTB had several initiatives under way to identify skills, experience and training requirements, and to develop and manage staff training. For example, a new workforce development unit had been established in the ISTB to develop recruitment, retention and succession plans for people working in functional areas deemed to be of critical risk. This supports the Government of Canada’s public service renewal efforts.

The ISTB Branch Management Committee had approved a review of organizational readiness assessment to support the analysis of generic work descriptions used for the Branch. The review will provide a fit-gap analysis of the current ISTB organizational model compared to the recommended ISTB organization based on generic work streams. As part of the analysis of generic work descriptions, a certification model was being used to help identify the training requirements for ISTB staff. The completion of the assessment was targeted for August–September 2008.

In some cases, the definition of roles and responsibilities had not kept pace with the realignment of responsibilities in the ISTB. Without clearly defined roles and responsibilities, there is a potential risk that functions would be duplicated, that there would be increased reliance on staff corporate knowledge of what functions are to be performed, and that training time and effort for new staff would be increased.

IT Infrastructure Change Management

Procurement controls were defined and followed. Change management processes and responsibilities were defined, and revisions were being made to strengthen processes.

Change management controls for the procurement and upgrade of IT infrastructure items are designed to ensure that change initiatives are properly implemented in order to minimize production issues and achieve greater system availability.

The audit observed that controls in the procurement process were designed to ensure the following:

  • Compliance with technology standards;
  • On-hand inventory is used to meet new requirements before additional purchases are made;
  • Purchase approvals are justified; and
  • Budgeted resources are available to fund purchases.

Controls to manage changes to IT infrastructure items were in place and followed. The release management processes were well documented and releases were regularly reviewed by ISTB management. Emergency fix processes were documented and updates were made to discourage people from using the emergency fix processes as a means to bypass the regular change and release processes. Furthermore, a revised change management process was under development to introduce more rigour in the change request process and the impact analysis steps of the process.

Appendix A — Audit Criteria

Lines of Enquiry Audit Criteria
IT infrastructure planning
  • The Canada Border Services Agency (CBSA) has clearly defined and communicated strategic direction and technology plans that are aligned with its mandate:
    • strategic plans are developed and communicated [CobiT* reference PO1.4];
    • technological directions are monitored [CobiT reference PO3.1];
    • technological infrastructure plans are developed and maintained in accordance with the information technology (IT) strategic and tactical plans [CobiT reference PO3.2];
    • technological infrastructure acquisition plans are developed to identify the acquisition, implementation and maintenance of infrastructure for existing operational requirements [CobiT reference AI3.1]; and
    • infrastructure maintenance plans are developed to ensure that infrastructure is periodically reviewed against business needs, patch management and upgrade strategies, risks, vulnerabilities assessments and security requirements [CobiT reference AI3.3].
IT architecture governance
  • Effective IT architecture oversight bodies are established at the CBSA that undertake the following:
    • provide architecture guidelines and advice on their application;
    • verify compliance; and
    • provide overall direction for IT architecture design and ensure the design enables the business strategy, addresses regulatory and continuity requirements, and is linked to the information architecture [CobiT reference PO3.5].
Technology standards
  • Technical standards, policies and practices have been established to provide consistent, effective and secure technological enterprise-wide IT infrastructure solutions. The standards and policies [CobiT reference PO3.4]:
    • direct technology standards and practices based on business relevance, risks and compliance with external requirements;
    • provide technology guidelines, guidance and advice on infrastructure products;
    • provide a framework to manage expectations and requirements regarding the delivery of value from IT investments;
    • support value delivery while managing significant risks;
    • provide the means to monitor and promote compliance; and
    • support continual process improvement.
IT infrastructure asset life-cycle management
  • IT infrastructure assets are operationally managed with a clear consideration of the asset life-cycle and to achieve the objectives of the organization:
    • CBSA IT infrastructure assets are inventoried and verified;
    • an IT infrastructure asset management policy is in place, monitored and applied for operational requirements; and
    • maintenance and evergreening of IT infrastructure is planned and sufficiently resourced.
IT infrastructure investment management
  • The activities, schedules and resources needed to achieve IT infrastructure objectives have been integrated into the budget.
  • Investments in IT infrastructure components are based on the strategic plan for information systems and the investments are responsive to achieving organizational strategic, business and operational objectives:
    • CBSA IT-enabled investments are made based on solid business cases;
    • budgets are prepared and managed;
    • resources are allocated based on priorities and risks; and
    • procurement is based on developed plans, established budgets, business cases, priorities and risks.
Roles and responsibilities
  • Roles and responsibilities related to the development and maintenance of the IT infrastructure are in place [CobiT reference PO4.6]:
    • they are defined, up-to-date, communicated and understood;
    • they give sufficient authority to the persons concerned to exercise their roles and responsibilities;
    • they include definitions of skills and experience needed; and
    • they define internal control responsibilities.
  • Accountability for achieving the benefits and controlling the costs with respect to the IT infrastructure is clearly assigned and monitored [CobiT reference PO1.1].
IT infrastructure change management
  • The development or implementation of, or a change made to, the IT infrastructure is based on a strategic plan for information systems and is responsive to achieving organizational, strategic and operational objectives. There are processes and practices in place to ensure change initiatives are properly implemented:
    • procurement controls [CobiT reference AI5.1];
    • change, configuration and problem management controls [CobiT reference DS10.4]; and
    • infrastructure maintenance controls [CobiT references AI3.3 and DS13.5].

*Control Objectives for Information and related Technology.

Appendix B — List of Acronyms

APL Approved Products List
ARB Architecture Review Board
CBSA Canada Border Services Agency
CobiT Control Objectives for Information and related Technology
EAC Enterprise Architecture Committee
HQ Headquarters
ISTB Innovation, Science and Technology Branch
ISTC Innovation, Science and Technology Committee
IT information technology
ITDC IT Directors Committee
MOU memorandum of understanding
NCR National Capital Region
TRB Technical Review Board