Groups 23 and 25
Date: 23 October 2020
Questions and answers from previous committee hearing
Questions related to information technology (IT)
- Which of your IT systems are at the end of their supported lives, and is there a concern in an age of cybersecurity and cyber espionage?
  - We monitor the aging of our applications via the TIME (tolerate, invest, migrate, eliminate) methodology prescribed by the Treasury Board of Canada Secretariat. Several systems have been identified as being end-of-life and have been included in our 3-year plan for IT investments.
- Examples of back-end systems that need upgrades:
  - Windows server upgrades (2008)
  - Oracle Linux upgrades
  - Database upgrades (Oracle)
  - .NET Core upgrade (Development)
- Examples of applications that are end-of-life:
  - Auditing: auditing working paper file (TeamMate) and report communication application (Controlled Document Interface (CODI))
  - Communications: replace correspondence tracking system
  - Human Resources (HR): applicant tracking system (Monster)
  - Finance: financial system (GX) and product costing
- Is your IT software behind the private sector’s?
  - We do not currently benchmark our software against the private sector. We are working on implementing enterprise architecture processes that will help us to understand auditor needs and will likely include comparing our target state with private sector firms.
- Do the weaknesses in your IT systems affect productivity? Has some audit work been affected as a result?
  - We are interested in modernizing our IT systems in order to achieve benefits for our business, which includes improving productivity. We do not have any specific instances in which audit work was affected.
- Would you be able to get more audits done with more sophisticated, up-to-date IT software?
  - We are interested in modernizing our IT systems in order to achieve benefits for our business, which includes improving productivity. However, technology is only 1 facet of productivity, and it would be premature to state what the impact will be on the number of audits completed. The return on investment for IT software modernization is on average 2 to 3 years after the investment is made.
- Would you be able to attract more recent graduates if you had the more advanced and current software that they are trained on?
  - We are working on implementing enterprise architecture processes that will help us to understand auditor needs. This will allow us to revisit the current tools and applications available to auditors and determine what changes are needed. We are not in a position to say how this will affect recruiting. However, having more advanced tools may provide an incentive for recent graduates.
- Do you have contingency plans in the event of a cybersecurity event, based on the current technology you have?
  - Yes, we do have contingency plans and an incident management response plan in place. We have a recovery site that is tested regularly. Work continues in order to strengthen our security posture and improve our resiliency to potential security incidents.
- The Office of the Auditor General of Canada (OAG) will replace the HR management systems and audit software. What safeguards do you have to ensure you don’t encounter issues such as those that arose with the Phoenix experience?
  - We will follow strong practices to ensure that the HR system meets our needs and is secure. The OAG is also a direct-entry client, where there is no automated link with the pay system.
- What are you deferring in terms of support services (for example, IT software and security, HR systems) because of lack of funding, and what are the potential consequences (for example, on the security of your computer systems)?
  - Investment decisions are made over a 3-year period. These decisions are being risk managed. For example, we have prioritized the implementation of security software, but the implementation of a new financial system, communications systems, learning management systems, and human capital management systems have been delayed. We have also not been able to fully maintain our legacy systems and have many unsupported systems, which increases security risks. We have also not been able to make investments to modernize our processes and systems (for example, we still rely on manual processes instead of automation, and we do not leverage cloud and open source).
Departmental plans and departmental results reports

2020–21 Departmental Plan

Columns: No. | Page | Reference | Question/comment | Answer (last year, from the 2019–20 Departmental Plan where applicable) | Answer (2020–21) | Key contact
No. 1, Page 3
Reference: The key risk that the OAG faces is our ability to effectively acquire, develop, and use new technologies and methodologies to keep pace with the changing environment. We recently received the report from the international peer review team that audited the OAG at our request. The peer review team found that our system of quality control was suitably designed and effectively implemented and was impressed overall with the high standard of work done by the OAG. The team also noted the need to address emerging technologies. Managing this risk means that the OAG must invest in its information technology security and architecture, including the modernization of audit tools and emerging technologies. As a result of this investment, the OAG is reducing the number of performance audits that it conducts to remain within current funding levels.
Question/comment: What is the OAG doing to modernize?
Answer (last year): We continue to have legacy systems that are no longer supported or that will be out of support in the short or medium term. Examples include
  - correspondence management software (where we track inquiries from the public)
  - INTRAnet search engine (to search for internal information)
  - IT ticketing system
  - financial system
  - document management system
  - CODI (to secure our electronic documents), which needs to be migrated
  - reports system, which needs to be upgraded
  - editorial services systems (help with audit reporting)
  - OAG learning management system (tracks our employee training)
Answer (2020–21): The OAG is focused on modernizing our IT environment and processes. Additional funding was requested to maintain legacy systems (keep the lights on) and to modernize:
  - Maintain operations: An additional 12 IT full-time equivalents were requested in order to address existing staffing shortfalls and maintain existing applications and to support projected increases in employees.
  - Modernize: 14 additional full-time equivalents were requested in order to modernize and find innovative ways of auditing.
  - An additional $3 million in funding was requested for IT over the coming 5 years to update systems and modernize.
  In 2020–21, the IT budget is $7.56 million and 41 full-time equivalents; however, we are going over this budget by 29 additional full-time equivalents and an additional $3 million in non-salary dollars (mostly going to consultant work).
Key contact: Nadine
No. 2, Page 4
Reference: Modernizing the office focuses on improving our tools and use of technology, and our processes and practices.
Question/comment: Where would you say your office is at in terms of adapting to new technology?
Answer (last year): The OAG has been focusing on modernizing our IT. We are also training staff and creating a modernization working group with a focus on new technologies (such as cloud, data analytics, and blockchain) to audit and use for auditing purposes. The focus has also been to expose staff to these technologies (for example, a pilot project on the Mindbridge data analytics tool). We are also in the process of acquiring a new audit tool that will include disruptive technology.
Answer (2020–21): The OAG is focused on modernizing our IT environment and processes. We have established an innovation unit in a partnership between audit services and IT representatives. This unit aims to modernize audit approaches and the use of new technologies. Enterprise architecture as a process is being implemented, and we are looking at how best to adopt new technologies. Efforts continue in order to increase digital awareness and the use of new technologies and ways of working (such as agile and design thinking). We are focusing on upskilling our employees (additional funding request).
Key contact: Nadine
2019–20 Departmental Plan

Columns: No. | Page | Reference | Question/comment | Answer (last year) | Answer (2020–21) | Key contact
No. 1, Page 6
Reference: We need to improve our governance and management of our information technology (IT). We recently completed an IT self-assessment and internal audit, both of which identified that we had not maintained our IT security controls well enough. We also need to renew the IT infrastructure that supports our audits.
Question/comment: a) What improvements do you need?
Answer (last year): From the 2017–18 Q&A (answer from Nadine): a) What improvements? We need to renew our older IT and manage our security risks related to our IT systems. For example, our older technologies are presenting some connectivity issues in the regions. Another example is our HR system. It is an older technology, which is presenting both an operational and security risk. We also have to prepare for the new IT policies that are in force as of 1 April 2018. For example, there is a new requirement for a cloud-first approach.
Answer (2020–21): The OAG is focused on modernizing our IT environment and processes. Older technology is being updated. For example, progress was made to
  - update and replace networking equipment
  - improve connectivity for regional offices
  - increase network bandwidth
  - replace firewalls and the virtual private network (VPN) with an interim solution
  - deploy new human resources and timesheet systems
  - update the data storage system
  In addition, there are plans that include modernization initiatives, such as adopting a modern Human Capital Management System (HCMS), a modern financial system, and content management system, as well as adopting data analytics capabilities. We are also working to align with the strategic direction of the Government of Canada, including the use of cloud services first.
Key contact: Nadine
Question/comment: b) You received $8 million—is that enough to implement your IT plan?
Answer (last year): We will continue our work on security compliance for tier 1 applications and systems (for example, implementing security tools, self-assessment) and address some key support and maintenance gaps (for example, access and account management, maintaining tier 1 application and systems compliance, and working on resolving key technical issues with tier 1 systems). We will also replace some critical end-of-life applications and systems (HR and timesheet system, data storage system, and VPN/firewall). We will not be able to complete the security self-assessment for all remaining (70+) applications (all tier 2 and tier 3 applications and systems).
Answer (2020–21): The $8 million previously received was invested to address critical end-of-life applications and systems (HR and timesheet system, data storage system, and VPN/firewall). We are also in the process of implementing important security tools. Additional funding was requested in order to maintain legacy systems for existing operations and to modernize.
Key contact: Nadine
Page 4
Reference: In addition, we are facing the potential failure of some of our IT systems, with an immediate need to replace our human resource management system.
Question/comment: Is the $8 million sufficient to cover this? What IT systems could potentially fail?
Answer (last year): From the 2017–18 Q&A (answer from Erin, Alain, and Nadine):
  Is the $8 million sufficient to cover this? Refer to Q1-b.
  What IT systems could potentially fail? Legacy systems that are no longer supported or that will be out of support in the short or medium term. In addition, systems or infrastructure that no longer meet the ever-increasing security requirements of the Government of Canada, such as
  - HR system
  - time tracking system at the core of our audit management and operations
  - correspondence management software (where we track inquiries from the public)
  - INTRAnet search engine (to search for internal information)
  - IT ticketing system
  - financial system
  - firewall/VPN
  - document management system
  - CODI (to secure our electronic documents), which needs to be migrated
  - reports system, which needs to be upgraded
  - editorial services systems (which help with audit reporting)
  - OAG learning management system (which tracks our employee training)
  Systems that need to be implemented as they fail to meet current or new business needs or would favour major cost savings:
  - Network components need to be updated and bandwidth augmented to serve new applications.
  - Internet Protocol telephony would allow long-term savings compared with our current telephone system.
  - Data analytics tools are required to absorb the amount of data our auditors now need to review.
  - The current environmental petition system used by citizens is paper-based.
  - INTRAnet platform.
  - Entities database (to store knowledge and information from departments).
  - Internal database systems need to be replaced and modernized (need an integrated and accurate data model).
  In summary, we have several factors that contribute to the revamping of our systems and infrastructure: old legacy systems, systems that don’t meet new security requirements, systems that no longer meet business requirements, new technology that provides cost savings in the long run, becoming cloud-ready, and so on.
Answer (2020–21):
  - Examples of back-end systems that need upgrades:
    - Windows server upgrades (2008)
    - Oracle Linux upgrades
    - Database upgrades (Oracle)
    - .NET Core upgrade (Development)
  - Examples of applications that are end-of-life:
    - auditing: auditing working paper file (TeamMate) and report communication application (CODI)
    - communications: correspondence tracking system
    - HR: applicant tracking system (Monster)
    - finance: financial system (GX) and product costing
Key contact: Nadine
Reference: In 2019–20, we will complete the replacement of our human resource management systems, begin to replace our audit management software, and finalize a detailed IT maintenance and operations plan. However, some IT systems that will be at the end of their supported lives in 2019–20 will not be replaced until 2021–22, and our management of IT security risk will not be reduced to an acceptable level until at least 2021. We will also not be able to invest in new technologies or audit approaches that are necessary to prepare the OAG for the future.
Question/comment: Examples of investments in new technologies that would be needed? Impact on your business?
Answer (last year): Systems that need to be implemented as they fail to meet current or new business needs or would favour major cost savings:
  - Network components need to be updated and bandwidth augmented to serve new applications and increase connectivity with the regions and prepare for cloud implementation.
  - Internet Protocol telephony would allow long-term savings compared with our current telephone system.
  - Data analytics tools are required to absorb the amount of data our auditors now need to review and bring efficiencies to corporate services groups.
  - INTRAnet platform.
  - Entities database (to store knowledge and information from departments).
  - Internal database systems need to be replaced and modernized (need an integrated and accurate data model).
  - Cloud.
  - Blockchain.
  - Artificial intelligence (AI).
  In summary, we have several factors that contribute to the revamping of our systems and infrastructure: old legacy systems, systems that don’t meet new security requirements, systems that no longer meet business requirements, new technology that provides cost savings in the long run, becoming cloud-ready, and so on.
Answer (2020–21): New technologies are being made available, such as
  - Power BI for data analysis
  - collaboration tools, including BlackBerry Dynamics and Microsoft Teams
  New systems are also needed, such as a new HR system, financial system, learning management system, data analytics tools, and automation tools. The innovation unit is also investigating the use of technologies such as
  - mobile applications for both Android and iOS
  - microservices and containers
  - voice assistants, like Siri and Hey Google
  - Azure Cognitive Services (AI / machine learning)
Key contact: Nadine
No. 2, Page 6
Reference: We need to improve our governance and management of our information technology (IT). We recently completed an IT self-assessment and internal audit, both of which identified that we had not maintained our IT security controls well enough. We also need to renew the IT infrastructure that supports our audits.
Question/comment: What is missing in your IT security controls?
Answer (last year): Our IT security self-assessment found that we do not have the measures in place for our systems to be safeguarded at an acceptable risk level. We looked at 17 families of controls based on guidance from the centre (Canadian Security Establishment). Currently, for our tier 1 systems, 90% of the primary IT security controls are in place (202/224 tasks identified in action plan now completed). For our other systems, there is a calendar in place that extends to 2020 to conduct self-assessments and implement action plans.
Answer (2020–21): Security: The OAG’s cybersecurity risk remains at an unacceptable level, but activities are underway to resolve the most significant gaps by the end of the fiscal year (March 2021) and be at an acceptable level of risk by December 2021.
Key contact: Nadine
No. 2, Page 6
Reference: In 2019–20, we will complete the replacement of our human resource management systems, begin to replace our audit management software, and finalize a detailed IT maintenance and operations plan. However, some IT systems that will be at the end of their supported lives in 2019–20 will not be replaced until 2021–22, and our management of IT security risk will not be reduced to an acceptable level until at least 2021. We will also not be able to invest in new technologies or audit approaches that are necessary to prepare the Office for the future.
Question/comment: What is an acceptable level? How far are you from being at an acceptable level?
Answer (last year): Our IT security self-assessment for critical systems revealed that we were not managing security risks at a level acceptable to the OAG. We did our annual assessment based on Treasury Board of Canada Secretariat and Canadian Security Establishment guidance (ITSG-33 controls) and chose a particular security profile in order to test our controls. We are currently conducting a self-assessment of all of our systems that has revealed that we are not managing risks at a level acceptable to the OAG. We have a staggered plan that will get us to an acceptable level by 2021.
Answer (2020–21): Security: The OAG’s cybersecurity risk remains at an unacceptable level, but activities are underway to resolve the most significant gaps by the end of the fiscal year (March 2021) and be at an acceptable level of risk by December 2021. The OAG is making significant investments to address cybersecurity risks. The OAG employs the ITSG-33 controls developed by the Government of Canada to manage these risks, which mirror those provided by the US National Institute of Standards and Technology (NIST) and the NIST Cybersecurity Framework. The long-term objective is to complete this investment and move to a sustainable management program of maintaining an acceptable risk posture at a balanced cost.
Key contact: Nadine
2018–19 Departmental Results Report

Columns: No. | Page | Reference | Question/comment | Answer (last year) | Answer (2020–21) | Key contact
No. 1, Page 6
Reference: We have been working to implement both the plan we developed last year to reduce our information technology (IT) security risk and the roadmap we prepared to maintain and update our IT systems. We advanced the replacement of our human resource management systems, which we will complete in the 2019–20 fiscal year. Although we made progress on some projects for IT security, we do not expect to reduce our risk to an acceptable level until at least 2021, because of funding pressures. Similarly, we have had to postpone other IT projects until the 2019–20 fiscal year and beyond, also because of funding pressure.
Question/comment: See above
Answer (last year): See above
Answer (2020–21): See above
Key contact: Nadine
No. 2, Page 49
Reference: Some IT security and applications projects were not completed, owing to a lack of resources. One of four financial audit efficiency projects was not complete.
Question/comment: What projects were delayed?
Answer (last year): N/A
Answer (2020–21): Projects delayed for this fiscal year (2020–21) include 4 projects that will move into next year, including the audit working paper file replacement and C2 replacement, the data program management, and the security self-assessment. The list of projects that were delayed because of a lack of resources in 2018–19 includes
  - time sheet renewal
  - HR management information system (HRMIS)
  - VPN and main firewall
  - Network Access Control (NAC)
  - survey tool
  - business data model
  - OAG client connect
Key contact: Nadine
2017–18 Departmental Results Report

Columns: No. | Page | Reference | Question/comment | Answer (last year) | Answer (2020–21) | Key contact
Page 7, exhibit 1
Reference: IT Roadmap and multi-year IT security self-assessment plan
Question/comment: What are those? What progress has been made in implementing the roadmap and the IT security plan?
Answer (last year): The IT Roadmap is a tool that provides the OAG with a holistic view of all OAG systems and applications. It is used to select the investments that will maximize the use of our IT capacity while minimizing risk and addressing the highest business value first. Features of the tool include
  - a mapping of the recommended renewal and replacement lifecycle for each application and system
  - forecasted costs, IT developer capacity and business capacity to renew or replace according to lifecycle
  - indicators to help decision makers, such as end-of-life, manual process replacements, pilots, and so on
  Business processes supported by the tool include
  - strategic planning and prioritization of projects based on risk, capacity, and business need
  - transparent and informed consultation with the business, aligning IT priorities with business imperatives
  - short-term planning, such as work plans, annual and quarterly budget reviews, and so on
  - medium-term planning, such as 3- to 5-year investment plans and risk management plans
  - compliance, risk, and security assessments
  - enterprise architecture planning and design
  - procurement planning
  - IT competencies development plan and succession planning
  The IT Roadmap was completed in 2017 and is currently used to support the processes listed above. Pursuant to Treasury Board policy, the OAG must conduct an annual assessment of its IT security program and practices to monitor compliance with government and departmental security policies and standards using the IT Security Self-Assessment methodology and guidance developed by the Treasury Board of Canada Secretariat and the Canadian Security Establishment. The purpose of an IT security self-assessment is to help identify IT security deficiencies and recognize and implement remedial action. On the basis of the results of the self-assessment, departments must develop or update their IT security action plan and determine the resources required to implement it. The OAG IT Security Self-Assessment Plan was developed following our IT security self-assessment on OAG critical systems. We have implemented 98% of the plan related to our assessment of OAG critical systems. The 2% that still needs to be implemented is the acquisition of a new monitoring tool and the completion of our security architecture. For the other OAG systems, we will be conducting self-assessments and developing implementation plans that will be staggered for the next 3 years.
Answer (2020–21): We continue to leverage tools such as the roadmap, and we have moved to align with Treasury Board of Canada Secretariat direction and are conducting annual aging assessments on applications based on the recommended TIME methodology. This analysis is a primary input to the 3-year plan. Processes are also being revisited, including project management, IT investment planning, and performance management.
Key contact: Nadine
Page 9
Reference: … we noted that we are facing the potential failure of some of our IT systems… Both the IT security plan and the new HR management system will require additional resources to complete, some of which we expect to come from the Budget 2018 increase to our funding.
Question/comment: Elaborate on which systems and potential impact on OAG’s operations. Elaborate on additional funding received and the extent to which it was used for IT security and HR systems.
Answer (last year):
  Which systems and potential impacts on OAG’s operations: We need to renew our older IT and manage our security risks related to our IT systems. For example, our older technologies are presenting some connectivity issues in the regions. Another example is our HR system. It is an older technology, which is presenting both an operational and security risk. Other systems that are no longer supported or that will be out of support in the short or medium term, or that no longer meet the security requirements, are as follows:
  - HR system (as mentioned above)
  - time tracking system (this is at the core of our audit management and operations) (addressed 2018–19)
  - correspondence management software
  - INTRAnet search engine
  - C2 (IT ticketing system), for 2021–22
  - financial system—for?
  - VPN (addressed 2018–19)
  - firewall (addressed 2018–19)
  - CODI (document management system)
  - editorial services systems
  - OAG learning management system (to track our employee training)
  Additional funding received and the extent to which it was used for IT security and HR system: Additional funding is being used to continue our work on security assessment and implementing our action plans. Additional funding is also being used to replace some critical end-of-life applications and systems (HR and timesheet system, data storage system, and VPN/firewall). It is important to note that we will continue to have a resource deficit as a result of at-risk applications and systems (increased support requirements due to systems not being adequately maintained, properly tested, inadequate knowledge transfer as staff retire), services will continue to degrade as more resources are redirected to support and maintain aging systems (business process automation, corporate reporting, and so on), and we will not be able to deliver 60% of the projects recommended on the applications and systems roadmap (other end-of-life systems, systems required for Treasury Board compliance, and so on) or invest in new technologies such as disruptive technologies.
Answer (2020–21): See above
Key contact: Nadine