An internal review has uncovered weak security practices when it comes to information technology at Public Safety Canada — from lax controls on the use of portable flash drives to inadequate awareness and training.
The review found employees who were no longer with the department “still had privileged access to the network” and that some current employees had unnecessary administrative access to “mission critical applications.”
The little-noticed internal audit of information technology security was completed last April and made public in July.
It called for several improvements to ensure the security and integrity of information at Public Safety, the umbrella department for the RCMP, the Canadian Security Intelligence Service, the Correctional Service and the Parole Board of Canada.
The report was completed seven months after the arrest of a director of an RCMP intelligence centre made international headlines.
Cameron Jay Ortis is charged under the Security of Information Act for allegedly revealing secrets to an unnamed recipient and planning to give additional classified information to an unspecified foreign entity.
The Public Safety audit found there was no formal means within the federal department to systematically identify, analyze and evaluate information-technology security risks.
Officials did not conduct periodic reviews or ongoing monitoring of network access privileges, the report says.
Removal of access is dependent on a “departure form” being submitted by the employee upon leaving Public Safety, but the reviewers were told the forms are sometimes not filled out.
In addition, there was “no formal tracking” of technology-related security incidents at the department.
The audit team was advised that only four of five such incidents had been reported or investigated in the last two years, but “we could not confirm this because there are no documented files or report.”
“The audit could not confirm that all IT security incidents were recorded and acted upon through the appropriate channels to ensure that timely corrective actions were taken.”
There was limited awareness of requirements for handling electronic documents and the use of tools to ensure secure transmission of information by employees, the report says.
“Transmitting sensitive PS information or documents to personal email addresses without additional protection such as encryption is also not monitored.”
Federal policy drafted by the Treasury Board Secretariat requires that all departments maintain records of portable data storage devices, such as USB keys, issued within their organization. These devices are supposed to be password-protected and the information stored on them encrypted.
“The audit found that PS does not maintain records of USB keys that have been issued and that there are limited controls in place to identify if individuals are saving sensitive information on a USB key,” the report says.
“In addition, PS does not pick up USB keys during physical security sweeps to examine their content. There is thus a risk that USB keys contain unencrypted sensitive information that could constitute a security incident.”
The department intends to encrypt all data stored on desktops and laptops and disable all USB ports by default when a software upgrade is completed in the department, the report says.
Sweeps carried out to gauge security did not assess key controls, such as unattended and unprotected USB devices or laptop computers left logged in and unlocked by users.
“Security awareness and training should be conducted systematically and comprehensively to ensure that individuals are informed of their IT security responsibilities and maintain the necessary knowledge and skills to effectively carry out their functions,” the report says.
While some improvements were underway during the course of the audit, several others are to be put in place over the next two years.
Implementation of the new security plan is ongoing and will ensure consistency with Treasury Board policies, said Zarah Malik, a Public Safety spokeswoman.
Chris Schulz of Toronto-based company Etly Risk Management Solutions applauded the audit’s focus, given the importance of having measures in place to detect security vulnerabilities, including so-called insider threats.
Now that many people, including government employees, are working from home, someone logging on to a computer network late at night might not be considered so unusual, Schulz said.
The more important thing to consider is what the employee is actually doing, he said.
“So if they come in late and they download files or they’re also printing files, or they’re going to a place that they don’t normally go to” — a combination of such signs might “paint that picture of this person potentially being a threat.”