Halifax Regional Police are launching an internal investigation after an audit found it failed to provide accurate or adequate information to the organization charged with administrative oversight.
Halifax police confirmed that it has launched its internal investigation in response to a damning audit that found its management failed to provide the municipality’s Board of Police Commissioners with correct information about its actions regarding an internal information and technology (IT) risk assessment.
“Please note that we take any allegation of this nature very seriously. We go to great lengths to provide thorough and accurate information to the (Board of Police Commissioners),” said Cpl. John McLeod, a spokesperson for the police force on Thursday.
The audit, published by Evangeline Colman-Sadd, the Halifax Regional Municipality’s auditor general, on Thursday, found that Halifax Regional Police (HRP) has failed to effectively manage its IT service to adequately protect against internal-external threats.
That includes the force’s failure to address series of 67 recommendations made during an assessment by a security consultant in 2016/2017.
“The IT security environment at HRP needs significant improvement, from how risks are identified to how they are ultimately managed,” said Colman-Sadd.
Much of the specifics in the audit aren’t available to the public and that includes details on the 67 recommendations.
The nature of IT information means that some specific could “impact the safety and security of HRP operations,” the report reads.
However, an in-camera version of the audit has been prepared and is available to Halifax officials.
Board of Police Commissioners given incorrect information
One of the largest concerns highlighted by the audit is that the Board of Police Commissioners was given incorrect information by police management.
During a Board of Police Commissioner meeting on July 17, 2019 — the first to be held with current Halifax police chief Dan Kinsella — the board was provided with a detailed progress report on the 67 recommendations made in the 2016/2017 consultant’s report.
The board was told that 13 of 67 recommendations had been completed. But the audit shows otherwise.
Six of the 13 recommendations that the board had been told were completed are actually outstanding, the audit found.
Another of those 13 recommendations should have been categorized as something the force was not intending to implement. Instead, it was presented to the board as being completed.
An eighth recommendation was related to the Nova Scotia government and should not have been classified as being completed and instead should have been identified as not applying to the force.
That means only five of the 67 recommendations had been completed at the time the presentation was given to the Board of Police Commissioners.
Auditors also found that in 2018, the board was not briefed on recommendations considered to be part of the consultant’s recommendations made regarding covert systems.
As of October 2020, the board had not been informed of any of the recommendations applying to the police force’s covert systems, the audit found.
Colman-Sadd has recommended that police should implement a process to ensure “only complete and accurate information” on IT operations be provided to the board.
It’s something that the force has agreed to do in a bi-monthly update to the board starting in April.
But the errors highlighted by the auditor general have sparked another issue — the internal investigation by Halifax police.
“We have initiated an investigation and are looking to determine exactly what happened,” McLeod confirmed in a statement.
“We are unable to discuss further as it involves personnel matters.”
Limited improvement on consultant recommendations
The limited action taken to improve the police force’s IT security was consistently highlighted throughout the audit including a concerning lapse in reporting.
Colman-Sadd found that there was insufficient oversight of the covert IT systems.
The staff member who manages that technology was found to be supervised by someone without an IT background and had no reporting relationship with the police force’s information security officer.
Although the audit found only limited progress, many of the issues can be corrected by updating policies or modernizing and developing new practices, Colman-Sadd said.
She stressed that there is no major investment in infrastructure required.
“It is important to recognize the potential costs of not investing could include greater risks to information security,” her audit reads.
Kinsella confirmed he has agreed to all 12 of the recommendations made by auditors.
“HRP will focus immediately on the highest risk categories, and is committed to actioning all recommendations,” Kinsella said in a statement.
“We thank the auditors for their diligence and engagement, and for their focus on bringing important matters to the attention of HRP management.”