A woman uses a computer in Vancouver, Wednesday, Dec. 19, 2012. An internal review has uncovered weak security practices when it comes to information technology at Public Safety Canada -- from lax controls on the use of portable flash drives to inadequate awareness and training. THE CANADIAN PRESS/Jonathan Hayward

Audit finds ‘no formal tracking’ of IT security incidents at Public Safety Canada

OTTAWA — An internal review has uncovered weak security practices when it comes to information technology at Public Safety Canada — from lax controls on the use of portable flash drives to inadequate awareness and training.

The review found employees who were no longer with the department “still had privileged access to the network” and that some current employees had unnecessary administrative access to “mission critical applications.”

The little-noticed internal audit of information technology security was completed last April and made public in July.

It called for several improvements to ensure the security and integrity of information at Public Safety, the umbrella department for the RCMP, the Canadian Security Intelligence Service, the Correctional Service and the Parole Board of Canada.

The report was completed seven months after the arrest of a director of an RCMP intelligence centre made international headlines.

Cameron Jay Ortis is charged under the Security of Information Act for allegedly revealing secrets to an unnamed recipient and planning to give additional classified information to an unspecified foreign entity.

The Public Safety audit found there was no formal means within the federal department to systematically identify, analyze and evaluate information-technology security risks.

Officials did not conduct periodic reviews or ongoing monitoring of network access privileges, the report says.

Removal of access is dependent on a “departure form” being submitted by the employee upon leaving Public Safety, but the reviewers were told the forms are sometimes not filled out.

In addition, there was “no formal tracking” of technology-related security incidents at the department.

The audit team was advised that only four of five such incidents had been reported or investigated in the last two years, but “we could not confirm this because there are no documented files or report.”

“The audit could not confirm that all IT security incidents were recorded and acted upon through the appropriate channels to ensure that timely corrective actions were taken.”

There was limited awareness of requirements for handling electronic documents and the use of tools to ensure secure transmission of information by employees, the report says.

“Transmitting sensitive PS information or documents to personal email addresses without additional protection such as encryption is also not monitored.”

Federal policy drafted by the Treasury Board Secretariat requires that all departments maintain records of portable data storage devices, such as USB keys, issued within their organization. These devices are supposed to be password-protected and the information stored on them encrypted.

“The audit found that PS does not maintain records of USB keys that have been issued and that there are limited controls in place to identify if individuals are saving sensitive information on a USB key,” the report says.

“In addition, PS does not pick up USB keys during physical security sweeps to examine their content. There is thus a risk that USB keys contain unencrypted sensitive information that could constitute a security incident.”

The department intends to encrypt all data stored on desktops and laptops and disable all USB ports by default when a software upgrade is completed in the department, the report says.

Sweeps carried out to gauge security did not assess key controls, such as unattended and unprotected USB devices or laptop computers left logged in and unlocked by users.

“Security awareness and training should be conducted systematically and comprehensively to ensure that individuals are informed of their IT security responsibilities and maintain the necessary knowledge and skills to effectively carry out their functions,” the report says.

While some improvements were underway during the course of the audit, several others are to be put in place over the next two years.

Implementation of the new security plan is ongoing and will ensure consistency with Treasury Board policies, said Zarah Malik, a Public Safety spokeswoman.

Chris Schulz of Toronto-based company Etly Risk Management Solutions applauded the audit’s focus, given the importance of having measures in place to detect security vulnerabilities, including so-called insider threats.

Now that many people, including government employees, are working from home, someone logging on to a computer network late at night might not be considered so unusual, Schulz said.

The more important thing to consider is what the employee is actually doing, he said.

“So if they come in late and they download files or they’re also printing files, or they’re going to a place that they don’t normally go to” — a combination of such signs might “paint that picture of this person potentially being a threat.”

This report by The Canadian Press was first published Feb. 13, 2021.

Jim Bronskill, The Canadian Press
